From 0045ddc7572e27bb70d9d7006b07a747a9fa1b2b Mon Sep 17 00:00:00 2001 From: Timofei Larkin Date: Tue, 25 Mar 2025 09:41:10 +0300 Subject: [PATCH] Update ingress-nginx to mitigate CVE-2025-1974 Closes #709 
Signed-off-by: Timofei Larkin --- .../charts/ingress-nginx/Chart.yaml | 8 +-- .../ingress-nginx/charts/ingress-nginx/OWNERS | 6 -- .../charts/ingress-nginx/README.md | 42 ++++++++++---- .../charts/ingress-nginx/README.md.gotmpl | 18 ++++++ ...mission-webhooks-cert-manager-values.yaml} | 8 ++- ...ler-admission-tls-cert-manager-values.yaml | 6 -- ...ontroller-configmap-addheaders-values.yaml | 11 ++++ ...troller-configmap-proxyheaders-values.yaml | 11 ++++ ....yaml => controller-configmap-values.yaml} | 9 ++- .../controller-custom-ingressclass-flags.yaml | 7 --- ...roller-daemonset-extra-modules-values.yaml | 30 ++++++++++ ... controller-daemonset-metrics-values.yaml} | 9 ++- ...oller-daemonset-opentelemetry-values.yaml} | 4 ++ ...ller-daemonset-podannotations-values.yaml} | 13 ++--- ....yaml => controller-daemonset-values.yaml} | 4 +- ...oller-deployment-extra-modules-values.yaml | 30 ++++++++++ ...controller-deployment-metrics-values.yaml} | 8 ++- ...ller-deployment-opentelemetry-values.yaml} | 10 ++-- ...ler-deployment-podannotations-values.yaml} | 12 ++-- .../ci/controller-deployment-values.yaml | 10 ++++ ...values.yaml => controller-hpa-values.yaml} | 12 ++-- .../ci/controller-ingressclass-values.yaml | 15 +++++ ...> controller-service-internal-values.yaml} | 5 +- ...es.yaml => controller-service-values.yaml} | 10 ++-- .../ci/daemonset-customconfig-values.yaml | 14 ----- .../ci/daemonset-customnodeport-values.yaml | 22 -------- .../ci/daemonset-extra-modules.yaml | 13 ----- .../ci/daemonset-headers-values.yaml | 14 ----- .../ci/daemonset-nodeport-values.yaml | 10 ---- ...set-tcp-udp-configMapNamespace-values.yaml | 20 ------- ...emonset-tcp-udp-portNamePrefix-values.yaml | 18 ------ .../ci/daemonset-tcp-udp-values.yaml | 16 ------ .../ci/daemonset-tcp-values.yaml | 14 ----- .../ci/deamonset-metrics-values.yaml | 12 ---- .../ci/deployment-autoscaling-values.yaml | 11 ---- ...modules-default-container-sec-context.yaml | 15 ----- 
...odules-specific-container-sec-context.yaml | 15 ----- .../ci/deployment-extra-modules.yaml | 13 ----- .../ci/deployment-headers-values.yaml | 13 ----- .../ci/deployment-internal-lb-values.yaml | 19 ------- .../ci/deployment-nodeport-values.yaml | 9 --- ...ent-tcp-udp-configMapNamespace-values.yaml | 19 ------- ...loyment-tcp-udp-portNamePrefix-values.yaml | 17 ------ .../ci/deployment-tcp-udp-values.yaml | 15 ----- .../ci/deployment-tcp-values.yaml | 11 ---- .../deployment-webhook-extraEnvs-values.yaml | 12 ---- .../deployment-webhook-resources-values.yaml | 23 -------- .../ingress-nginx/templates/_helpers.tpl | 11 +--- .../validating-webhook.yaml | 1 + .../templates/controller-daemonset.yaml | 1 - .../templates/controller-deployment.yaml | 1 - ...es.yaml => controller-prometheusrule.yaml} | 0 .../templates/controller-service-webhook.yaml | 2 +- .../templates/controller-servicemonitor.yaml | 55 +++++++++---------- .../templates/default-backend-deployment.yaml | 2 +- .../default-backend-poddisruptionbudget.yaml | 6 +- .../default-backend-serviceaccount.yaml | 4 +- .../job-patch/serviceaccount_test.yaml | 2 +- .../validating-webhook_test.yaml | 32 +++++++++++ .../tests/controller-configmap_test.yaml | 16 +++--- .../tests/controller-daemonset_test.yaml | 32 +++++++++++ .../tests/controller-deployment_test.yaml | 29 ++++++++++ .../controller-poddisruptionbudget_test.yaml | 16 ++++++ .../tests/controller-prometheusrule_test.yaml | 17 ++++++ .../controller-service-webhook_test.yaml | 32 +++++++++++ .../tests/controller-serviceaccount_test.yaml | 47 ++++++++++++++++ .../tests/controller-servicemonitor_test.yaml | 29 ++++++++++ .../default-backend-deployment_test.yaml | 32 +++++++++++ ...ault-backend-poddisruptionbudget_test.yaml | 48 ++++++++++++++++ .../default-backend-serviceaccount_test.yaml | 51 +++++++++++++++++ .../charts/ingress-nginx/values.yaml | 28 +++++++--- packages/system/ingress-nginx/values.yaml | 8 +-- 72 files changed, 654 insertions(+), 491 
deletions(-) rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{deamonset-default-values.yaml => admission-webhooks-cert-manager-values.yaml} (79%) delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{deployment-customconfig-values.yaml => controller-configmap-values.yaml} (70%) delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{deamonset-webhook-values.yaml => controller-daemonset-metrics-values.yaml} (89%) rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{deployment-opentelemetry-customregistry-values.yaml => controller-daemonset-opentelemetry-values.yaml} (88%) rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{daemonset-podannotations-values.yaml => controller-daemonset-podannotations-values.yaml} (81%) rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{deployment-default-values.yaml => controller-daemonset-values.yaml} (78%) create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{deployment-webhook-values.yaml => controller-deployment-metrics-values.yaml} (82%) rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{deployment-metrics-values.yaml => controller-deployment-opentelemetry-values.yaml} (74%) rename 
packages/system/ingress-nginx/charts/ingress-nginx/ci/{deployment-podannotations-values.yaml => controller-deployment-podannotations-values.yaml} (80%) create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{deployment-autoscaling-behavior-values.yaml => controller-hpa-values.yaml} (71%) create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-ingressclass-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{daemonset-internal-lb-values.yaml => controller-service-internal-values.yaml} (81%) rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{deployment-customnodeport-values.yaml => controller-service-values.yaml} (69%) delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-extra-modules.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-headers-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-portNamePrefix-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-metrics-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml delete mode 100644 
packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-headers-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-nodeport-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-portNamePrefix-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-extraEnvs-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/templates/{controller-prometheusrules.yaml => controller-prometheusrule.yaml} (100%) create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-webhook_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-serviceaccount_test.yaml create mode 100644 
packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml index 62c880fc..39142ef4 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml @@ -1,9 +1,9 @@ annotations: artifacthub.io/changes: | - - Update Ingress-Nginx version controller-v1.11.1 + - Update Ingress-Nginx version controller-v1.11.5 artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 1.11.1 +appVersion: 1.11.5 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer home: https://github.com/kubernetes/ingress-nginx @@ -15,11 +15,9 @@ kubeVersion: '>=1.21.0-0' maintainers: - name: cpanato - name: Gacko -- name: puerco -- name: rikatz - name: strongjz - name: tao12345666333 name: ingress-nginx sources: - https://github.com/kubernetes/ingress-nginx -version: 4.11.1 +version: 4.11.5 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/OWNERS b/packages/system/ingress-nginx/charts/ingress-nginx/OWNERS index d588ede6..428474f6 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/OWNERS +++ b/packages/system/ingress-nginx/charts/ingress-nginx/OWNERS @@ -1,10 +1,4 @@ # See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners -approvers: -- ingress-nginx-helm-maintainers - -reviewers: -- ingress-nginx-helm-reviewers - labels: - area/helm diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/README.md b/packages/system/ingress-nginx/charts/ingress-nginx/README.md index 0acf3da9..d36a564c 100644 
--- a/packages/system/ingress-nginx/charts/ingress-nginx/README.md +++ b/packages/system/ingress-nginx/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.11.1](https://img.shields.io/badge/Version-4.11.1-informational?style=flat-square) ![AppVersion: 1.11.1](https://img.shields.io/badge/AppVersion-1.11.1-informational?style=flat-square) +![Version: 4.11.5](https://img.shields.io/badge/Version-4.11.5-informational?style=flat-square) ![AppVersion: 1.11.5](https://img.shields.io/badge/AppVersion-1.11.5-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -229,6 +229,24 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13 As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered. +### Pod Security Admission + +You can use Pod Security Admission by applying labels to the `ingress-nginx` namespace as instructed by the [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels). + +Example: + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: ingress-nginx + labels: + kubernetes.io/metadata.name: ingress-nginx + name: ingress-nginx + pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/enforce-version: v1.31 +``` + ## Values | Key | Type | Default | Description | 
@@ -253,11 +271,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.namespaceSelector | object | `{}` | | | controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | | -| controller.admissionWebhooks.patch.image.digest | string | `"sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366"` | | +| controller.admissionWebhooks.patch.image.digest | string | `"sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea"` | | | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | | -| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.1"` | | +| controller.admissionWebhooks.patch.image.tag | string | `"v1.5.2"` | | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | | controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | 
@@ -325,8 +343,8 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `false` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a"` | | -| controller.image.digestChroot | string | `"sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d"` | | +| controller.image.digest | string | `"sha256:a1cbad75b0a7098bf9325132794dddf9eef917e8a7fe246749a4cea7ff6f01eb"` | | +| controller.image.digestChroot | string | `"sha256:ec9df3eb6b06563a079ee46045da94cbf750f7dbb16fdbcb9e3265b551ed72ad"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.readOnlyRootFilesystem | bool | `false` | | 
@@ -334,7 +352,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.image.runAsNonRoot | bool | `true` | | | controller.image.runAsUser | int | `101` | | | controller.image.seccompProfile.type | string | `"RuntimeDefault"` | | -| controller.image.tag | string | `"v1.11.1"` | | +| controller.image.tag | string | `"v1.11.5"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. | 
@@ -366,7 +384,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.livenessProbe.periodSeconds | int | `10` | | | controller.livenessProbe.successThreshold | int | `1` | | | controller.livenessProbe.timeoutSeconds | int | `1` | | -| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases | +| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ | | controller.metrics.enabled | bool | `false` | | | controller.metrics.port | int | `10254` | | | controller.metrics.portName | string | `"metrics"` | | @@ -380,7 +398,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.metrics.service.servicePort | int | `10254` | | | controller.metrics.service.type | string | `"ClusterIP"` | | | controller.metrics.serviceMonitor.additionalLabels | object | `{}` | | -| controller.metrics.serviceMonitor.annotations | object | `{}` | | +| controller.metrics.serviceMonitor.annotations | object | `{}` | Annotations to be added to the ServiceMonitor. | | controller.metrics.serviceMonitor.enabled | bool | `false` | | | controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | | | controller.metrics.serviceMonitor.namespace | string | `""` | | 
@@ -400,11 +418,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. | | controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | controller.opentelemetry.enabled | bool | `false` | | -| controller.opentelemetry.image.digest | string | `"sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | | +| controller.opentelemetry.image.digest | string | `"sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922"` | | | controller.opentelemetry.image.distroless | bool | `true` | | -| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry"` | | +| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry-1.25.3"` | | | controller.opentelemetry.image.registry | string | `"registry.k8s.io"` | | -| controller.opentelemetry.image.tag | string | `"v20230721-3e2062ee5"` | | +| controller.opentelemetry.image.tag | string | `"v20240813-b933310d"` | | | controller.opentelemetry.name | string | `"opentelemetry"` | | | controller.opentelemetry.resources | object | `{}` | | | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # | 
@@ -515,7 +533,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.livenessProbe.periodSeconds | int | `10` | | | defaultBackend.livenessProbe.successThreshold | int | `1` | | | defaultBackend.livenessProbe.timeoutSeconds | int | `5` | | -| defaultBackend.minAvailable | int | `1` | | +| defaultBackend.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. | | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.name | string | `"defaultbackend"` | | | defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/README.md.gotmpl b/packages/system/ingress-nginx/charts/ingress-nginx/README.md.gotmpl index 17b029bb..3cb9d565 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/README.md.gotmpl +++ b/packages/system/ingress-nginx/charts/ingress-nginx/README.md.gotmpl @@ -226,4 +226,22 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13 As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered. +### Pod Security Admission + +You can use Pod Security Admission by applying labels to the `ingress-nginx` namespace as instructed by the [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels). + +Example: + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: ingress-nginx + labels: + kubernetes.io/metadata.name: ingress-nginx + name: ingress-nginx + pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/enforce-version: v1.31 +``` + {{ template "chart.valuesSection" . }} 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-default-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/admission-webhooks-cert-manager-values.yaml similarity index 79% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-default-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/admission-webhooks-cert-manager-values.yaml index 82fa23e8..7eafd0c5 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-default-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/admission-webhooks-cert-manager-values.yaml @@ -1,10 +1,12 @@ controller: - kind: DaemonSet image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: false + service: type: ClusterIP + + admissionWebhooks: + certManager: + enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml deleted file mode 100644 index a13241cd..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml +++ /dev/null @@ -1,6 +0,0 @@ -controller: - admissionWebhooks: - certManager: - enabled: true - service: - type: ClusterIP diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml new file mode 100644 index 00000000..460a610b --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml @@ -0,0 +1,11 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + addHeaders: + X-Frame-Options: deny 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml new file mode 100644 index 00000000..e23a13c0 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml @@ -0,0 +1,11 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + proxySetHeaders: + X-Forwarded-Proto: https diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-customconfig-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-values.yaml similarity index 70% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-customconfig-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-values.yaml index 17494184..a7029895 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-customconfig-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-values.yaml @@ -3,10 +3,9 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - config: - use-proxy-protocol: "true" - allowSnippetAnnotations: false - admissionWebhooks: - enabled: false + service: type: ClusterIP + + config: + use-proxy-protocol: "true" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml deleted file mode 100644 index b28a2326..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml +++ /dev/null 
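Review bot: The renamed fixture `ci/controller-configmap-values.yaml` no longer sets `allowSnippetAnnotations: false` or `admissionWebhooks.enabled: false`, so its CI render now depends on the chart defaults for both settings. Those defaults live in the chart's `values.yaml`, which is outside this hunk, so I could not confirm them here. Because this update targets CVE-2025-1974 and snippet annotations are a configuration-injection surface, I would keep `allowSnippetAnnotations: false` under `controller:` next to the `config:` block, so the fixture stays explicit if the default ever changes. If relying on defaults is deliberate, a one-line comment such as `# snippet annotations and the admission webhook are left at chart defaults on purpose` would record that. The `controller:` mapping opens above the hunk, and since this is a vendored chart the change may be better raised upstream than patched locally.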
@@ -1,7 +0,0 @@ -controller: - watchIngressWithoutClass: true - ingressClassResource: - name: custom-nginx - enabled: true - default: true - controllerValue: "k8s.io/custom-nginx" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml new file mode 100644 index 00000000..edf12e77 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml @@ -0,0 +1,30 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + kind: DaemonSet + + extraModules: + - name: opentelemetry + image: + registry: registry.k8s.io + image: ingress-nginx/opentelemetry-1.25.3 + tag: v20240813-b933310d + digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922 + distroless: true + containerSecurityContext: + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-webhook-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-metrics-values.yaml similarity index 89% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-webhook-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-metrics-values.yaml index 54d364df..7a98580c 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-webhook-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-metrics-values.yaml 
@@ -1,10 +1,13 @@ controller: - kind: DaemonSet image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: true + service: type: ClusterIP + + kind: DaemonSet + + metrics: + enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-opentelemetry-values.yaml similarity index 88% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-opentelemetry-values.yaml index fb3ef444..179ab2a8 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-opentelemetry-values.yaml @@ -3,7 +3,11 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null + service: type: ClusterIP + + kind: DaemonSet + opentelemetry: enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-podannotations-values.yaml similarity index 81% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-podannotations-values.yaml index 0b55306a..405992ef 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-podannotations-values.yaml 
@@ -1,17 +1,16 @@ controller: - kind: DaemonSet image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: false - metrics: - enabled: true + service: type: ClusterIP + + kind: DaemonSet + podAnnotations: - prometheus.io/path: /metrics + prometheus.io/scrape: "true" prometheus.io/port: "10254" prometheus.io/scheme: http - prometheus.io/scrape: "true" + prometheus.io/path: /metrics diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-default-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-values.yaml similarity index 78% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-default-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-values.yaml index 9f46b4e7..d34025c8 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-default-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-values.yaml @@ -1,8 +1,10 @@ -# Left blank to test default values controller: image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null + service: type: ClusterIP + + kind: DaemonSet diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml new file mode 100644 index 00000000..d4083cc3 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml 
@@ -0,0 +1,30 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + kind: Deployment + + extraModules: + - name: opentelemetry + image: + registry: registry.k8s.io + image: ingress-nginx/opentelemetry-1.25.3 + tag: v20240813-b933310d + digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922 + distroless: true + containerSecurityContext: + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-metrics-values.yaml similarity index 82% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-metrics-values.yaml index 76669a53..9c95d347 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-metrics-values.yaml @@ -3,7 +3,11 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: true + service: type: ClusterIP + + kind: Deployment + + metrics: + enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-metrics-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml similarity index 74% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-metrics-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml index 9209ad5a..9443ddef 100644 
--- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-metrics-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml @@ -3,9 +3,11 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: false - metrics: - enabled: true + service: type: ClusterIP + + kind: Deployment + + opentelemetry: + enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-podannotations-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-podannotations-values.yaml similarity index 80% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-podannotations-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-podannotations-values.yaml index b48d93c4..cf1f2611 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-podannotations-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-podannotations-values.yaml @@ -3,14 +3,14 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: false - metrics: - enabled: true + service: type: ClusterIP + + kind: Deployment + podAnnotations: - prometheus.io/path: /metrics + prometheus.io/scrape: "true" prometheus.io/port: "10254" prometheus.io/scheme: http - prometheus.io/scrape: "true" + prometheus.io/path: /metrics diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-values.yaml new file mode 100644 index 00000000..1b092dc0 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-values.yaml 
@@ -0,0 +1,10 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + kind: Deployment diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-hpa-values.yaml similarity index 71% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-hpa-values.yaml index dca3f35f..54a0d2f7 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-hpa-values.yaml @@ -1,4 +1,12 @@ controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + autoscaling: enabled: true behavior: @@ -8,7 +16,3 @@ controller: - type: Pods value: 1 periodSeconds: 180 - admissionWebhooks: - enabled: false - service: - type: ClusterIP diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-ingressclass-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-ingressclass-values.yaml new file mode 100644 index 00000000..c06429f9 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-ingressclass-values.yaml @@ -0,0 +1,15 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + ingressClassResource: + name: custom-nginx + default: true + controllerValue: k8s.io/custom-nginx + + watchIngressWithoutClass: true 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-service-internal-values.yaml similarity index 81% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-service-internal-values.yaml index 0a200a74..11108fbc 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-service-internal-values.yaml @@ -1,13 +1,12 @@ controller: - kind: DaemonSet image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: false + service: type: ClusterIP + internal: enabled: true annotations: diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-service-values.yaml similarity index 69% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-service-values.yaml index a564eaf9..9039368c 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-service-values.yaml @@ -3,18 +3,20 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: false + service: type: NodePort + nodePorts: tcp: 9000: 30090 udp: 9001: 30091 +portNamePrefix: port + tcp: - 9000: "default/test:8080" + 9000: default/test:8080 udp: - 9001: "default/test:8080" + 9001: default/test:8080 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml deleted file mode 100644 index 4393a5bc..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml +++ /dev/null @@ -1,14 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - kind: DaemonSet - allowSnippetAnnotations: false - admissionWebhooks: - enabled: false - service: - type: ClusterIP - - config: - use-proxy-protocol: "true" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml deleted file mode 100644 index 1d94be21..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml +++ /dev/null @@ -1,22 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - - service: - type: NodePort - nodePorts: - tcp: - 9000: 30090 - udp: - 9001: 30091 - -tcp: - 9000: "default/test:8080" - -udp: - 9001: "default/test:8080" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-extra-modules.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-extra-modules.yaml deleted file mode 100644 index 52a32fcb..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-extra-modules.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - service: - type: ClusterIP - extraModules: - - name: opentelemetry - image: - registry: registry.k8s.io - image: busybox - tag: latest 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-headers-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-headers-values.yaml deleted file mode 100644 index ab7d47bd..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-headers-values.yaml +++ /dev/null @@ -1,14 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - addHeaders: - X-Frame-Options: deny - proxySetHeaders: - X-Forwarded-Proto: https - service: - type: ClusterIP diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml deleted file mode 100644 index 3b7aa2fc..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml +++ /dev/null @@ -1,10 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: NodePort diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml deleted file mode 100644 index acd86a77..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml +++ /dev/null @@ -1,20 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - tcp: - configMapNamespace: default - udp: - configMapNamespace: default - -tcp: - 9000: "default/test:8080" - -udp: - 9001: "default/test:8080" 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-portNamePrefix-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-portNamePrefix-values.yaml deleted file mode 100644 index 90b0f57a..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-portNamePrefix-values.yaml +++ /dev/null @@ -1,18 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - -tcp: - 9000: "default/test:8080" - -udp: - 9001: "default/test:8080" - -portNamePrefix: "port" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml deleted file mode 100644 index 25ee64d8..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml +++ /dev/null @@ -1,16 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - -tcp: - 9000: "default/test:8080" - -udp: - 9001: "default/test:8080" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-values.yaml deleted file mode 100644 index 380c8b4b..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-values.yaml +++ /dev/null @@ -1,14 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - -tcp: - 9000: "default/test:8080" - 9001: "default/test:8080" 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-metrics-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-metrics-values.yaml deleted file mode 100644 index cb3cb54b..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-metrics-values.yaml +++ /dev/null @@ -1,12 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - metrics: - enabled: true - service: - type: ClusterIP diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml deleted file mode 100644 index b8b3ac68..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml +++ /dev/null @@ -1,11 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - autoscaling: - enabled: true - admissionWebhooks: - enabled: false - service: - type: ClusterIP diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml deleted file mode 100644 index 91b1b98a..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml +++ /dev/null @@ -1,15 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - service: - type: ClusterIP - containerSecurityContext: - allowPrivilegeEscalation: false - extraModules: - - name: opentelemetry - image: - registry: registry.k8s.io - image: busybox - tag: latest 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml deleted file mode 100644 index b6013c7d..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml +++ /dev/null @@ -1,15 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - service: - type: ClusterIP - extraModules: - - name: opentelemetry - image: - registry: registry.k8s.io - image: busybox - tag: latest - containerSecurityContext: - allowPrivilegeEscalation: false diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules.yaml deleted file mode 100644 index 2fbe1cc0..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - service: - type: ClusterIP - extraModules: - - name: opentelemetry - image: - registry: registry.k8s.io - image: busybox - tag: latest diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-headers-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-headers-values.yaml deleted file mode 100644 index 17a11ac3..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-headers-values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - addHeaders: - X-Frame-Options: deny - proxySetHeaders: - X-Forwarded-Proto: https - service: - type: ClusterIP 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml deleted file mode 100644 index 663ccb9d..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml +++ /dev/null @@ -1,19 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - internal: - enabled: true - annotations: - service.beta.kubernetes.io/aws-load-balancer-internal: "true" - ports: - http: 443 - https: 80 - targetPorts: - http: 443 - https: 80 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-nodeport-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-nodeport-values.yaml deleted file mode 100644 index cd9b3235..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-nodeport-values.yaml +++ /dev/null @@ -1,9 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: NodePort diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml deleted file mode 100644 index c51a4e91..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml +++ /dev/null @@ -1,19 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - tcp: - configMapNamespace: default - udp: - configMapNamespace: default - -tcp: - 9000: "default/test:8080" - -udp: - 9001: "default/test:8080" 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-portNamePrefix-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-portNamePrefix-values.yaml deleted file mode 100644 index 56323c5e..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-portNamePrefix-values.yaml +++ /dev/null @@ -1,17 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - -tcp: - 9000: "default/test:8080" - -udp: - 9001: "default/test:8080" - -portNamePrefix: "port" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml deleted file mode 100644 index 5b45b69d..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml +++ /dev/null @@ -1,15 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - service: - type: ClusterIP - -tcp: - 9000: "default/test:8080" - -udp: - 9001: "default/test:8080" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-values.yaml deleted file mode 100644 index ac0b6e60..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-values.yaml +++ /dev/null @@ -1,11 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - service: - type: ClusterIP - -tcp: - 9000: "default/test:8080" - 9001: "default/test:8080" 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-extraEnvs-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-extraEnvs-values.yaml deleted file mode 100644 index 95487b07..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-extraEnvs-values.yaml +++ /dev/null @@ -1,12 +0,0 @@ -controller: - service: - type: ClusterIP - admissionWebhooks: - enabled: true - extraEnvs: - - name: FOO - value: foo - - name: TEST - value: test - patch: - enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml deleted file mode 100644 index 49ebbb02..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml +++ /dev/null @@ -1,23 +0,0 @@ -controller: - service: - type: ClusterIP - admissionWebhooks: - enabled: true - createSecretJob: - resources: - limits: - cpu: 10m - memory: 20Mi - requests: - cpu: 10m - memory: 20Mi - patchWebhookJob: - resources: - limits: - cpu: 10m - memory: 20Mi - requests: - cpu: 10m - memory: 20Mi - patch: - enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl b/packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl index 0c6a3e20..24cfd14a 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl 
@@ -203,7 +203,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- end -}} {{/* -Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +Create the name of the default backend service account to use */}} {{- define "ingress-nginx.defaultBackend.serviceAccountName" -}} {{- if .Values.defaultBackend.serviceAccount.create -}} @@ -244,15 +244,6 @@ Return the appropriate apiGroup for PodSecurityPolicy. {{- end -}} {{- end -}} -{{/* -Check the ingress controller version tag is at most three versions behind the last release -*/}} -{{- define "isControllerTagValid" -}} -{{- if not (semverCompare ">=0.27.0-0" .Values.controller.image.tag) -}} -{{- fail "Controller container image tag should be 0.27.0 or higher" -}} -{{- end -}} -{{- end -}} - {{/* Extra modules. */}} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml index 4cd36a62..0949cea7 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml @@ -40,6 +40,7 @@ webhooks: service: name: {{ include "ingress-nginx.controller.fullname" . }}-admission namespace: {{ include "ingress-nginx.namespace" . }} + port: {{ .Values.controller.admissionWebhooks.service.servicePort }} path: /networking/v1/ingresses {{- if .Values.controller.admissionWebhooks.timeoutSeconds }} timeoutSeconds: {{ .Values.controller.admissionWebhooks.timeoutSeconds }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml index 80ad656b..6ab68fbd 100644 
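Review bot: In templates/admission-webhooks/validating-webhook.yaml the added `port:` line renders `.Values.controller.admissionWebhooks.service.servicePort` with no fallback, and the controller-service-webhook.yaml hunk further down replaces the literal `port: 443` with the same bare value. values.yaml is not in this stretch of the diff, so whether a default is declared cannot be confirmed from here; if an override sets the key to null, the Service would render an empty `port:` and be rejected. Keeping the old value as the fallback in both templates avoids that: `port: {{ .Values.controller.admissionWebhooks.service.servicePort | default 443 }}`. Any NetworkPolicy or firewall rule that limits access to the admission endpoint by port also has to follow this value once it moves away from 443. The `webhooks:` entry this line belongs to starts and ends outside the hunk.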
--- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml @@ -1,5 +1,4 @@ {{- if eq .Values.controller.kind "DaemonSet" -}} -{{- include "isControllerTagValid" . -}} apiVersion: apps/v1 kind: DaemonSet metadata: diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-deployment.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-deployment.yaml index e2915a76..bddde891 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-deployment.yaml @@ -1,5 +1,4 @@ {{- if eq .Values.controller.kind "Deployment" -}} -{{- include "isControllerTagValid" . -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-prometheusrules.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-prometheusrule.yaml similarity index 100% rename from packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-prometheusrules.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-prometheusrule.yaml diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-webhook.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-webhook.yaml index 6dcf1a10..67aac0d9 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-webhook.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-webhook.yaml 
@@ -29,7 +29,7 @@ spec: {{- end }} ports: - name: https-webhook - port: 443 + port: {{ .Values.controller.admissionWebhooks.service.servicePort }} targetPort: webhook {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} appProtocol: https diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-servicemonitor.yaml index 62301da4..93ab4d24 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-servicemonitor.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-servicemonitor.yaml 
@@ -3,51 +3,48 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: {{ include "ingress-nginx.controller.fullname" . }} -{{- if .Values.controller.metrics.serviceMonitor.namespace }} + {{- if .Values.controller.metrics.serviceMonitor.namespace }} namespace: {{ .Values.controller.metrics.serviceMonitor.namespace }} -{{- else }} + {{- else }} namespace: {{ include "ingress-nginx.namespace" . }} -{{- end }} + {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: controller - {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }} + {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }} {{- toYaml .Values.controller.metrics.serviceMonitor.additionalLabels | nindent 4 }} - {{- end }} + {{- end }} {{- if .Values.controller.metrics.serviceMonitor.annotations }} annotations: {{ toYaml .Values.controller.metrics.serviceMonitor.annotations | nindent 4 }} {{- end }} spec: - endpoints: - - port: {{ .Values.controller.metrics.portName }} - interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }} - {{- if .Values.controller.metrics.serviceMonitor.honorLabels }} - honorLabels: true - {{- end }} - {{- if .Values.controller.metrics.serviceMonitor.relabelings }} - relabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.relabelings | nindent 8 }} - {{- end }} - {{- if .Values.controller.metrics.serviceMonitor.metricRelabelings }} - metricRelabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.metricRelabelings | nindent 8 }} - {{- end }} -{{- if .Values.controller.metrics.serviceMonitor.jobLabel }} - jobLabel: {{ .Values.controller.metrics.serviceMonitor.jobLabel | quote }} -{{- end }} -{{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }} + {{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }} namespaceSelector: {{ toYaml .Values.controller.metrics.serviceMonitor.namespaceSelector | nindent 4 }} -{{- else }} + {{- else }} 
namespaceSelector: matchNames: - - {{ include "ingress-nginx.namespace" . }} -{{- end }} -{{- if .Values.controller.metrics.serviceMonitor.targetLabels }} - targetLabels: - {{- range .Values.controller.metrics.serviceMonitor.targetLabels }} - - {{ . }} + - {{ include "ingress-nginx.namespace" . }} {{- end }} -{{- end }} selector: matchLabels: {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: controller + endpoints: + - port: {{ .Values.controller.metrics.portName }} + interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }} + {{- if .Values.controller.metrics.serviceMonitor.honorLabels }} + honorLabels: true + {{- end }} + {{- if .Values.controller.metrics.serviceMonitor.relabelings }} + relabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.relabelings | nindent 4 }} + {{- end }} + {{- if .Values.controller.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.metricRelabelings | nindent 4 }} + {{- end }} + {{- if .Values.controller.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.controller.metrics.serviceMonitor.jobLabel | quote }} + {{- end }} + {{- if .Values.controller.metrics.serviceMonitor.targetLabels }} + targetLabels: {{ toYaml .Values.controller.metrics.serviceMonitor.targetLabels | nindent 2 }} + {{- end }} {{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-deployment.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-deployment.yaml index c6ccdd5c..6755e237 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-deployment.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-deployment.yaml 
@@ -102,7 +102,7 @@ spec: {{- if .Values.defaultBackend.nodeSelector }} nodeSelector: {{ toYaml .Values.defaultBackend.nodeSelector | nindent 8 }} {{- end }} - serviceAccountName: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} + serviceAccountName: {{ include "ingress-nginx.defaultBackend.serviceAccountName" . }} {{- if .Values.defaultBackend.tolerations }} tolerations: {{ toYaml .Values.defaultBackend.tolerations | nindent 8 }} {{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml index f869e453..c8363fd4 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml @@ -1,5 +1,9 @@ {{- if .Values.defaultBackend.enabled -}} -{{- if or (gt (.Values.defaultBackend.replicaCount | int) 1) (gt (.Values.defaultBackend.autoscaling.minReplicas | int) 1) }} +{{- $replicas := .Values.defaultBackend.replicaCount }} +{{- if .Values.defaultBackend.autoscaling.enabled }} +{{- $replicas = .Values.defaultBackend.autoscaling.minReplicas }} +{{- end }} +{{- if gt ($replicas | int) 1 }} apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} kind: PodDisruptionBudget metadata: diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml index 2afaf0c0..6fd2d623 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml 
@@ -1,4 +1,4 @@ -{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.serviceAccount.create -}} +{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount metadata: @@ -8,7 +8,7 @@ metadata: {{- with .Values.defaultBackend.labels }} {{- toYaml . | nindent 4 }} {{- end }} - name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} + name: {{ include "ingress-nginx.defaultBackend.serviceAccountName" . }} namespace: {{ include "ingress-nginx.namespace" . }} automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }} {{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml index 7c30d1e6..f72bc438 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml @@ -20,7 +20,7 @@ tests: of: ServiceAccount - equal: path: metadata.name - value: ingress-nginx-admission + value: RELEASE-NAME-ingress-nginx-admission - it: should create a ServiceAccount with specified name if `controller.admissionWebhooks.patch.serviceAccount.name` is set set: diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml new file mode 100644 index 00000000..47b6b687 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml 
@@ -0,0 +1,32 @@ +suite: Admission Webhooks > ValidatingWebhookConfiguration +templates: + - admission-webhooks/validating-webhook.yaml + +tests: + - it: should not create a ValidatingWebhookConfiguration if `controller.admissionWebhooks.enabled` is false + set: + controller.admissionWebhooks.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a ValidatingWebhookConfiguration if `controller.admissionWebhooks.enabled` is true + set: + controller.admissionWebhooks.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ValidatingWebhookConfiguration + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-admission + + - it: should create a ValidatingWebhookConfiguration with a custom port if `controller.admissionWebhooks.service.servicePort` is set + set: + controller.admissionWebhooks.enabled: true + controller.admissionWebhooks.service.servicePort: 9443 + asserts: + - equal: + path: webhooks[0].clientConfig.service.port + value: 9443 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap_test.yaml index 9cfea980..168b657d 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap_test.yaml 
@@ -16,16 +16,16 @@ tests: - it: should create a ConfigMap with templated values if `controller.config` contains templates set: controller.config: - global-rate-limit-memcached-host: "memcached.{{ .Release.Namespace }}.svc.kubernetes.local" - global-rate-limit-memcached-port: 11211 - use-gzip: true + template: "test.{{ .Release.Namespace }}.svc.kubernetes.local" + integer: 12345 + boolean: true asserts: - equal: - path: data.global-rate-limit-memcached-host - value: memcached.NAMESPACE.svc.kubernetes.local + path: data.template + value: test.NAMESPACE.svc.kubernetes.local - equal: - path: data.global-rate-limit-memcached-port - value: "11211" + path: data.integer + value: "12345" - equal: - path: data.use-gzip + path: data.boolean value: "true" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml index 6ee794af..81d067bb 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml 
@@ -138,3 +138,35 @@ tests: values: - controller topologyKey: kubernetes.io/hostname + + - it: should create a DaemonSet with a custom registry if `controller.image.registry` is set + set: + controller.kind: DaemonSet + controller.image.registry: custom.registry.io + controller.image.tag: v1.0.0-dev + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a DaemonSet with a custom image if `controller.image.image` is set + set: + controller.kind: DaemonSet + controller.image.image: custom-repo/custom-image + controller.image.tag: v1.0.0-dev + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: registry.k8s.io/custom-repo/custom-image:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a DaemonSet with a custom tag if `controller.image.tag` is set + set: + controller.kind: DaemonSet + controller.image.tag: custom-tag + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml index 82b97a0f..382aecd7 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml 
@@ -160,3 +160,32 @@ tests: values: - controller topologyKey: kubernetes.io/hostname + + - it: should create a Deployment with a custom registry if `controller.image.registry` is set + set: + controller.image.registry: custom.registry.io + controller.image.tag: v1.0.0-dev + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a Deployment with a custom image if `controller.image.image` is set + set: + controller.image.image: custom-repo/custom-image + controller.image.tag: v1.0.0-dev + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: registry.k8s.io/custom-repo/custom-image:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a Deployment with a custom tag if `controller.image.tag` is set + set: + controller.image.tag: custom-tag + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml index 48b4fafc..f215f352 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml 
@@ -71,3 +71,19 @@ tests: asserts: - hasDocuments: count: 0 + + - it: should create a PodDisruptionBudget without `minAvailable` and with `maxUnavailable` if `controller.minAvailable` and `controller.maxUnavailable` are set + set: + controller.replicaCount: 2 + controller.minAvailable: 1 + controller.maxUnavailable: 1 + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PodDisruptionBudget + - notExists: + path: spec.minAvailable + - equal: + path: spec.maxUnavailable + value: 1 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml new file mode 100644 index 00000000..d60a9831 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml @@ -0,0 +1,17 @@ +suite: Controller > PrometheusRule +templates: + - controller-prometheusrule.yaml + +tests: + - it: should create a PrometheusRule if `controller.metrics.prometheusRule.enabled` is true + set: + controller.metrics.enabled: true + controller.metrics.prometheusRule.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PrometheusRule + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-webhook_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-webhook_test.yaml new file mode 100644 index 00000000..1c759edb --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-webhook_test.yaml 
@@ -0,0 +1,32 @@ +suite: Controller > Service > Webhook +templates: + - controller-service-webhook.yaml + +tests: + - it: should not create a webhook Service if `controller.admissionWebhooks.enabled` is false + set: + controller.admissionWebhooks.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a webhook Service if `controller.admissionWebhooks.enabled` is true + set: + controller.admissionWebhooks.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller-admission + + - it: should create a webhook Service with a custom port if `controller.admissionWebhooks.service.servicePort` is set + set: + controller.admissionWebhooks.enabled: true + controller.admissionWebhooks.service.servicePort: 9443 + asserts: + - equal: + path: spec.ports[0].port + value: 9443 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-serviceaccount_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-serviceaccount_test.yaml new file mode 100644 index 00000000..928e5377 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-serviceaccount_test.yaml 
@@ -0,0 +1,47 @@ +suite: Controller > ServiceAccount +templates: + - controller-serviceaccount.yaml + +tests: + - it: should not create a ServiceAccount if `serviceAccount.create` is false + set: + serviceAccount.create: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a ServiceAccount if `serviceAccount.create` is true + set: + serviceAccount.create: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx + + - it: should create a ServiceAccount with specified name if `serviceAccount.name` is set + set: + serviceAccount.name: ingress-nginx-admission-test-sa + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: metadata.name + value: ingress-nginx-admission-test-sa + + - it: should create a ServiceAccount with token auto-mounting disabled if `serviceAccount.automountServiceAccountToken` is false + set: + serviceAccount.automountServiceAccountToken: false + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: automountServiceAccountToken + value: false diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml new file mode 100644 index 00000000..310097c1 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml 
@@ -0,0 +1,29 @@ +suite: Controller > ServiceMonitor +templates: + - controller-servicemonitor.yaml + +tests: + - it: should create a ServiceMonitor if `controller.metrics.serviceMonitor.enabled` is true + set: + controller.metrics.enabled: true + controller.metrics.serviceMonitor.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceMonitor + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller + + - it: should create a ServiceMonitor with annotations if `controller.metrics.serviceMonitor.annotations` is set + set: + controller.metrics.enabled: true + controller.metrics.serviceMonitor.enabled: true + controller.metrics.serviceMonitor.annotations: + my-little-annotation: test-value + asserts: + - equal: + path: metadata.annotations + value: + my-little-annotation: test-value diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-deployment_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-deployment_test.yaml index e237fe7e..4ba4b03d 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-deployment_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-deployment_test.yaml 
@@ -135,3 +135,35 @@ tests: values: - default-backend topologyKey: kubernetes.io/hostname + + - it: should create a Deployment with a custom registry if `defaultBackend.image.registry` is set + set: + defaultBackend.enabled: true + defaultBackend.image.registry: custom.registry.io + defaultBackend.image.tag: v1.0.0-dev + defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: custom.registry.io/defaultbackend-amd64:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a Deployment with a custom image if `defaultBackend.image.image` is set + set: + defaultBackend.enabled: true + defaultBackend.image.image: custom-repo/custom-image + defaultBackend.image.tag: v1.0.0-dev + defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: registry.k8s.io/custom-repo/custom-image:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a Deployment with a custom tag if `defaultBackend.image.tag` is set + set: + defaultBackend.enabled: true + defaultBackend.image.tag: custom-tag + defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: registry.k8s.io/defaultbackend-amd64:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml new file mode 100644 index 00000000..09580186 --- /dev/null 
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml @@ -0,0 +1,48 @@ +suite: Default Backend > PodDisruptionBudget +templates: + - default-backend-poddisruptionbudget.yaml + +tests: + - it: should create a PodDisruptionBudget if `defaultBackend.replicaCount` is greater than 1 + set: + defaultBackend.enabled: true + defaultBackend.replicaCount: 2 + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PodDisruptionBudget + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-defaultbackend + + - it: should not create a PodDisruptionBudget if `defaultBackend.replicaCount` is less than or equal 1 + set: + defaultBackend.enabled: true + defaultBackend.replicaCount: 1 + asserts: + - hasDocuments: + count: 0 + + - it: should create a PodDisruptionBudget if `defaultBackend.autoscaling.enabled` is true and `defaultBackend.autoscaling.minReplicas` is greater than 1 + set: + defaultBackend.enabled: true + defaultBackend.autoscaling.enabled: true + defaultBackend.autoscaling.minReplicas: 2 + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PodDisruptionBudget + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-defaultbackend + + - it: should not create a PodDisruptionBudget if `defaultBackend.autoscaling.enabled` is true and `defaultBackend.autoscaling.minReplicas` is less than or equal 1 + set: + defaultBackend.enabled: true + defaultBackend.autoscaling.enabled: true + defaultBackend.autoscaling.minReplicas: 1 + asserts: + - hasDocuments: + count: 0 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml new file mode 100644 index 00000000..05a815d0 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml 
@@ -0,0 +1,51 @@ +suite: Default Backend > ServiceAccount +templates: + - default-backend-serviceaccount.yaml + +tests: + - it: should not create a ServiceAccount if `defaultBackend.serviceAccount.create` is false + set: + defaultBackend.enabled: true + defaultBackend.serviceAccount.create: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a ServiceAccount if `defaultBackend.serviceAccount.create` is true + set: + defaultBackend.enabled: true + defaultBackend.serviceAccount.create: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-backend + + - it: should create a ServiceAccount with specified name if `defaultBackend.serviceAccount.name` is set + set: + defaultBackend.enabled: true + defaultBackend.serviceAccount.name: ingress-nginx-admission-test-sa + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: metadata.name + value: ingress-nginx-admission-test-sa + + - it: should create a ServiceAccount with token auto-mounting disabled if `defaultBackend.serviceAccount.automountServiceAccountToken` is false + set: + defaultBackend.enabled: true + defaultBackend.serviceAccount.automountServiceAccountToken: false + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: automountServiceAccountToken + value: false diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/values.yaml index 92735d2a..1c9f1c58 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/values.yaml 
@@ -26,9 +26,9 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.11.1" - digest: sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a - digestChroot: sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d + tag: "v1.11.5" + digest: sha256:a1cbad75b0a7098bf9325132794dddf9eef917e8a7fe246749a4cea7ff6f01eb + digestChroot: sha256:ec9df3eb6b06563a079ee46045da94cbf750f7dbb16fdbcb9e3265b551ed72ad pullPolicy: IfNotPresent runAsNonRoot: true # www-data -> uid 101 @@ -194,7 +194,7 @@ controller: # -- Annotations to be added to the udp config configmap annotations: {} # -- Maxmind license key to download GeoLite2 Databases. - ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases + ## https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ maxmindLicenseKey: "" # -- Additional command line arguments to pass to Ingress-Nginx Controller # E.g. to specify the default SSL certificate you can use @@ -299,6 +299,8 @@ controller: # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' # app.kubernetes.io/instance: '{{ .Release.Name }}' # app.kubernetes.io/component: controller + # matchLabelKeys: + # - pod-template-hash # topologyKey: topology.kubernetes.io/zone # maxSkew: 1 # whenUnsatisfiable: ScheduleAnyway @@ -307,6 +309,8 @@ controller: # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' # app.kubernetes.io/instance: '{{ .Release.Name }}' # app.kubernetes.io/component: controller + # matchLabelKeys: + # - pod-template-hash # topologyKey: kubernetes.io/hostname # maxSkew: 1 # whenUnsatisfiable: ScheduleAnyway 
@@ -706,12 +710,12 @@ controller: name: opentelemetry image: registry: registry.k8s.io - image: ingress-nginx/opentelemetry + image: ingress-nginx/opentelemetry-1.25.3 ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v20230721-3e2062ee5" - digest: sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472 + tag: v20240813-b933310d + digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922 distroless: true containerSecurityContext: runAsNonRoot: true @@ -804,8 +808,8 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: v1.4.1 - digest: sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + tag: v1.5.2 + digest: sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea pullPolicy: IfNotPresent # -- Provide a priority class name to the webhook patching job ## @@ -873,6 +877,7 @@ controller: serviceMonitor: enabled: false additionalLabels: {} + # -- Annotations to be added to the ServiceMonitor. annotations: {} ## The label to use to retrieve the job name from. ## jobLabel: "app.kubernetes.io/name" @@ -1062,6 +1067,8 @@ defaultBackend: # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' # app.kubernetes.io/instance: '{{ .Release.Name }}' # app.kubernetes.io/component: default-backend + # matchLabelKeys: + # - pod-template-hash # topologyKey: topology.kubernetes.io/zone # maxSkew: 1 # whenUnsatisfiable: ScheduleAnyway 
@@ -1070,6 +1077,8 @@ defaultBackend: # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' # app.kubernetes.io/instance: '{{ .Release.Name }}' # app.kubernetes.io/component: default-backend + # matchLabelKeys: + # - pod-template-hash # topologyKey: kubernetes.io/hostname # maxSkew: 1 # whenUnsatisfiable: ScheduleAnyway @@ -1090,6 +1099,7 @@ defaultBackend: ## podAnnotations: {} replicaCount: 1 + # -- Minimum available pods set in PodDisruptionBudget. minAvailable: 1 resources: {} # limits: diff --git a/packages/system/ingress-nginx/values.yaml b/packages/system/ingress-nginx/values.yaml index 3515968a..b20d647b 100644 --- a/packages/system/ingress-nginx/values.yaml +++ b/packages/system/ingress-nginx/values.yaml @@ -4,9 +4,9 @@ ingress-nginx: enable-ssl-passthrough: "" image: registry: ghcr.io - image: kvaps/ingress-nginx-with-protobuf-exporter/controller - tag: v1.11.2 - digest: sha256:e80856ece4e30e9646d65c8d92c25a3446a0bba1c2468cd026f17df9e60d2c0f + image: cozystack/ingress-nginx-with-protobuf-exporter/controller + tag: v1.11.5 + digest: sha256:b78ae118129a9417d4126744cab2fc2f777b3a9ac460d74caa4b57a479b98ead allowSnippetAnnotations: true replicaCount: 2 admissionWebhooks: @@ -16,7 +16,7 @@ ingress-nginx: enabled: true extraContainers: - name: protobuf-exporter - image: ghcr.io/kvaps/ingress-nginx-with-protobuf-exporter/protobuf-exporter:v1.11.2@sha256:25ed6a5f508bbc59134ad786f1e765d1c2187742075a4e828d68ef3f07a78e52 + image: ghcr.io/cozystack/ingress-nginx-with-protobuf-exporter/protobuf-exporter:v1.11.5@sha256:1e60d53324c2028d6f20136cdd5553ebf2d1288aefc5900b96cd379680fc25dc args: - --server.telemetry-address=0.0.0.0:9090 - --server.exporter-address=0.0.0.0:9091
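Review bot: `allowSnippetAnnotations: true` is left enabled in the `@@ -4,9 +4,9 @@` hunk of packages/system/ingress-nginx/values.yaml, although this commit is a security update for CVE-2025-1974. With snippets on, anyone allowed to create or edit Ingress objects can supply raw nginx configuration to the controller, so the image bump alone does not narrow that surface. Whether the platform relies on snippets is not visible here, since the `ingress-nginx:` mapping and the `admissionWebhooks:` settings continue outside the hunk. If they are not needed I would set `allowSnippetAnnotations: false`; otherwise add a comment above the key such as `# required by <component>; Ingress write access must be limited to trusted tenants`. The controller image here and the protobuf-exporter image in `@@ -16,7 +16,7 @@` also move from the `kvaps` to the `cozystack` namespace on ghcr.io, and although the digests pin the content, the PR should state that both were rebuilt from the v1.11.5 sources.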