mirror of
https://github.com/outbackdingo/cozystack.git
synced 2026-01-27 18:18:41 +00:00
Merge pull request #710 from cozystack/709-update-ingress-nginx
Update ingress-nginx to mitigate CVE-2025-1974
This commit is contained in:
Timofei Larkin
@@ -1,9 +1,9 @@
|
||||
annotations:
|
||||
artifacthub.io/changes: |
|
||||
- Update Ingress-Nginx version controller-v1.11.1
|
||||
- Update Ingress-Nginx version controller-v1.11.5
|
||||
artifacthub.io/prerelease: "false"
|
||||
apiVersion: v2
|
||||
appVersion: 1.11.1
|
||||
appVersion: 1.11.5
|
||||
description: Ingress controller for Kubernetes using NGINX as a reverse proxy and
|
||||
load balancer
|
||||
home: https://github.com/kubernetes/ingress-nginx
|
||||
@@ -15,11 +15,9 @@ kubeVersion: '>=1.21.0-0'
|
||||
maintainers:
|
||||
- name: cpanato
|
||||
- name: Gacko
|
||||
- name: puerco
|
||||
- name: rikatz
|
||||
- name: strongjz
|
||||
- name: tao12345666333
|
||||
name: ingress-nginx
|
||||
sources:
|
||||
- https://github.com/kubernetes/ingress-nginx
|
||||
version: 4.11.1
|
||||
version: 4.11.5
|
||||
|
||||
@@ -1,10 +1,4 @@
|
||||
# See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners
|
||||
|
||||
approvers:
|
||||
- ingress-nginx-helm-maintainers
|
||||
|
||||
reviewers:
|
||||
- ingress-nginx-helm-reviewers
|
||||
|
||||
labels:
|
||||
- area/helm
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
|
||||
|
||||
 
|
||||
 
|
||||
|
||||
To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
|
||||
|
||||
@@ -229,6 +229,24 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13
|
||||
|
||||
As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.
|
||||
|
||||
### Pod Security Admission
|
||||
|
||||
You can use Pod Security Admission by applying labels to the `ingress-nginx` namespace as instructed by the [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels).
|
||||
|
||||
Example:
|
||||
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: ingress-nginx
|
||||
labels:
|
||||
kubernetes.io/metadata.name: ingress-nginx
|
||||
name: ingress-nginx
|
||||
pod-security.kubernetes.io/enforce: restricted
|
||||
pod-security.kubernetes.io/enforce-version: v1.31
|
||||
```
|
||||
|
||||
## Values
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
@@ -253,11 +271,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
|
||||
| controller.admissionWebhooks.namespaceSelector | object | `{}` | |
|
||||
| controller.admissionWebhooks.objectSelector | object | `{}` | |
|
||||
| controller.admissionWebhooks.patch.enabled | bool | `true` | |
|
||||
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366"` | |
|
||||
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea"` | |
|
||||
| controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | |
|
||||
| controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | |
|
||||
| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | |
|
||||
| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.1"` | |
|
||||
| controller.admissionWebhooks.patch.image.tag | string | `"v1.5.2"` | |
|
||||
| controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
|
||||
| controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
|
||||
| controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
|
||||
@@ -325,8 +343,8 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
|
||||
| controller.hostname | object | `{}` | Optionally customize the pod hostname. |
|
||||
| controller.image.allowPrivilegeEscalation | bool | `false` | |
|
||||
| controller.image.chroot | bool | `false` | |
|
||||
| controller.image.digest | string | `"sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a"` | |
|
||||
| controller.image.digestChroot | string | `"sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d"` | |
|
||||
| controller.image.digest | string | `"sha256:a1cbad75b0a7098bf9325132794dddf9eef917e8a7fe246749a4cea7ff6f01eb"` | |
|
||||
| controller.image.digestChroot | string | `"sha256:ec9df3eb6b06563a079ee46045da94cbf750f7dbb16fdbcb9e3265b551ed72ad"` | |
|
||||
| controller.image.image | string | `"ingress-nginx/controller"` | |
|
||||
| controller.image.pullPolicy | string | `"IfNotPresent"` | |
|
||||
| controller.image.readOnlyRootFilesystem | bool | `false` | |
|
||||
@@ -334,7 +352,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
|
||||
| controller.image.runAsNonRoot | bool | `true` | |
|
||||
| controller.image.runAsUser | int | `101` | |
|
||||
| controller.image.seccompProfile.type | string | `"RuntimeDefault"` | |
|
||||
| controller.image.tag | string | `"v1.11.1"` | |
|
||||
| controller.image.tag | string | `"v1.11.5"` | |
|
||||
| controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
|
||||
| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
|
||||
| controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. |
|
||||
@@ -366,7 +384,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
|
||||
| controller.livenessProbe.periodSeconds | int | `10` | |
|
||||
| controller.livenessProbe.successThreshold | int | `1` | |
|
||||
| controller.livenessProbe.timeoutSeconds | int | `1` | |
|
||||
| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases |
|
||||
| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ |
|
||||
| controller.metrics.enabled | bool | `false` | |
|
||||
| controller.metrics.port | int | `10254` | |
|
||||
| controller.metrics.portName | string | `"metrics"` | |
|
||||
@@ -380,7 +398,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
|
||||
| controller.metrics.service.servicePort | int | `10254` | |
|
||||
| controller.metrics.service.type | string | `"ClusterIP"` | |
|
||||
| controller.metrics.serviceMonitor.additionalLabels | object | `{}` | |
|
||||
| controller.metrics.serviceMonitor.annotations | object | `{}` | |
|
||||
| controller.metrics.serviceMonitor.annotations | object | `{}` | Annotations to be added to the ServiceMonitor. |
|
||||
| controller.metrics.serviceMonitor.enabled | bool | `false` | |
|
||||
| controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | |
|
||||
| controller.metrics.serviceMonitor.namespace | string | `""` | |
|
||||
@@ -400,11 +418,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
|
||||
| controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. |
|
||||
| controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
|
||||
| controller.opentelemetry.enabled | bool | `false` | |
|
||||
| controller.opentelemetry.image.digest | string | `"sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | |
|
||||
| controller.opentelemetry.image.digest | string | `"sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922"` | |
|
||||
| controller.opentelemetry.image.distroless | bool | `true` | |
|
||||
| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry"` | |
|
||||
| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry-1.25.3"` | |
|
||||
| controller.opentelemetry.image.registry | string | `"registry.k8s.io"` | |
|
||||
| controller.opentelemetry.image.tag | string | `"v20230721-3e2062ee5"` | |
|
||||
| controller.opentelemetry.image.tag | string | `"v20240813-b933310d"` | |
|
||||
| controller.opentelemetry.name | string | `"opentelemetry"` | |
|
||||
| controller.opentelemetry.resources | object | `{}` | |
|
||||
| controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
|
||||
@@ -515,7 +533,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
|
||||
| defaultBackend.livenessProbe.periodSeconds | int | `10` | |
|
||||
| defaultBackend.livenessProbe.successThreshold | int | `1` | |
|
||||
| defaultBackend.livenessProbe.timeoutSeconds | int | `5` | |
|
||||
| defaultBackend.minAvailable | int | `1` | |
|
||||
| defaultBackend.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. |
|
||||
| defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
|
||||
| defaultBackend.name | string | `"defaultbackend"` | |
|
||||
| defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
|
||||
|
||||
@@ -226,4 +226,22 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13
|
||||
|
||||
As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.
|
||||
|
||||
### Pod Security Admission
|
||||
|
||||
You can use Pod Security Admission by applying labels to the `ingress-nginx` namespace as instructed by the [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels).
|
||||
|
||||
Example:
|
||||
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: ingress-nginx
|
||||
labels:
|
||||
kubernetes.io/metadata.name: ingress-nginx
|
||||
name: ingress-nginx
|
||||
pod-security.kubernetes.io/enforce: restricted
|
||||
pod-security.kubernetes.io/enforce-version: v1.31
|
||||
```
|
||||
|
||||
{{ template "chart.valuesSection" . }}
|
||||
|
||||
@@ -1,10 +1,12 @@
|
||||
controller:
|
||||
kind: DaemonSet
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
admissionWebhooks:
|
||||
certManager:
|
||||
enabled: true
|
||||
@@ -1,6 +0,0 @@
|
||||
controller:
|
||||
admissionWebhooks:
|
||||
certManager:
|
||||
enabled: true
|
||||
service:
|
||||
type: ClusterIP
|
||||
@@ -0,0 +1,11 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
addHeaders:
|
||||
X-Frame-Options: deny
|
||||
@@ -0,0 +1,11 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
proxySetHeaders:
|
||||
X-Forwarded-Proto: https
|
||||
@@ -3,10 +3,9 @@ controller:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
config:
|
||||
use-proxy-protocol: "true"
|
||||
allowSnippetAnnotations: false
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
config:
|
||||
use-proxy-protocol: "true"
|
||||
@@ -1,7 +0,0 @@
|
||||
controller:
|
||||
watchIngressWithoutClass: true
|
||||
ingressClassResource:
|
||||
name: custom-nginx
|
||||
enabled: true
|
||||
default: true
|
||||
controllerValue: "k8s.io/custom-nginx"
|
||||
@@ -0,0 +1,30 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
kind: DaemonSet
|
||||
|
||||
extraModules:
|
||||
- name: opentelemetry
|
||||
image:
|
||||
registry: registry.k8s.io
|
||||
image: ingress-nginx/opentelemetry-1.25.3
|
||||
tag: v20240813-b933310d
|
||||
digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922
|
||||
distroless: true
|
||||
containerSecurityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65532
|
||||
runAsGroup: 65532
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
@@ -1,10 +1,13 @@
|
||||
controller:
|
||||
kind: DaemonSet
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: true
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
kind: DaemonSet
|
||||
|
||||
metrics:
|
||||
enabled: true
|
||||
@@ -3,7 +3,11 @@ controller:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
kind: DaemonSet
|
||||
|
||||
opentelemetry:
|
||||
enabled: true
|
||||
@@ -1,17 +1,16 @@
|
||||
controller:
|
||||
kind: DaemonSet
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
metrics:
|
||||
enabled: true
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
kind: DaemonSet
|
||||
|
||||
podAnnotations:
|
||||
prometheus.io/path: /metrics
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/port: "10254"
|
||||
prometheus.io/scheme: http
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/path: /metrics
|
||||
@@ -1,8 +1,10 @@
|
||||
# Left blank to test default values
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
kind: DaemonSet
|
||||
@@ -0,0 +1,30 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
kind: Deployment
|
||||
|
||||
extraModules:
|
||||
- name: opentelemetry
|
||||
image:
|
||||
registry: registry.k8s.io
|
||||
image: ingress-nginx/opentelemetry-1.25.3
|
||||
tag: v20240813-b933310d
|
||||
digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922
|
||||
distroless: true
|
||||
containerSecurityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 65532
|
||||
runAsGroup: 65532
|
||||
allowPrivilegeEscalation: false
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
readOnlyRootFilesystem: true
|
||||
@@ -3,7 +3,11 @@ controller:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: true
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
kind: Deployment
|
||||
|
||||
metrics:
|
||||
enabled: true
|
||||
@@ -3,9 +3,11 @@ controller:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
metrics:
|
||||
enabled: true
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
kind: Deployment
|
||||
|
||||
opentelemetry:
|
||||
enabled: true
|
||||
@@ -3,14 +3,14 @@ controller:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
metrics:
|
||||
enabled: true
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
kind: Deployment
|
||||
|
||||
podAnnotations:
|
||||
prometheus.io/path: /metrics
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/port: "10254"
|
||||
prometheus.io/scheme: http
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/path: /metrics
|
||||
@@ -0,0 +1,10 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
kind: Deployment
|
||||
@@ -1,4 +1,12 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
autoscaling:
|
||||
enabled: true
|
||||
behavior:
|
||||
@@ -8,7 +16,3 @@ controller:
|
||||
- type: Pods
|
||||
value: 1
|
||||
periodSeconds: 180
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
service:
|
||||
type: ClusterIP
|
||||
@@ -0,0 +1,15 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
ingressClassResource:
|
||||
name: custom-nginx
|
||||
default: true
|
||||
controllerValue: k8s.io/custom-nginx
|
||||
|
||||
watchIngressWithoutClass: true
|
||||
@@ -1,13 +1,12 @@
|
||||
controller:
|
||||
kind: DaemonSet
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
internal:
|
||||
enabled: true
|
||||
annotations:
|
||||
@@ -3,18 +3,20 @@ controller:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
|
||||
service:
|
||||
type: NodePort
|
||||
|
||||
nodePorts:
|
||||
tcp:
|
||||
9000: 30090
|
||||
udp:
|
||||
9001: 30091
|
||||
|
||||
portNamePrefix: port
|
||||
|
||||
tcp:
|
||||
9000: "default/test:8080"
|
||||
9000: default/test:8080
|
||||
|
||||
udp:
|
||||
9001: "default/test:8080"
|
||||
9001: default/test:8080
|
||||
@@ -1,14 +0,0 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
kind: DaemonSet
|
||||
allowSnippetAnnotations: false
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
config:
|
||||
use-proxy-protocol: "true"
|
||||
@@ -1,22 +0,0 @@
|
||||
controller:
|
||||
kind: DaemonSet
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
|
||||
service:
|
||||
type: NodePort
|
||||
nodePorts:
|
||||
tcp:
|
||||
9000: 30090
|
||||
udp:
|
||||
9001: 30091
|
||||
|
||||
tcp:
|
||||
9000: "default/test:8080"
|
||||
|
||||
udp:
|
||||
9001: "default/test:8080"
|
||||
@@ -1,13 +0,0 @@
|
||||
controller:
|
||||
kind: DaemonSet
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
service:
|
||||
type: ClusterIP
|
||||
extraModules:
|
||||
- name: opentelemetry
|
||||
image:
|
||||
registry: registry.k8s.io
|
||||
image: busybox
|
||||
tag: latest
|
||||
@@ -1,14 +0,0 @@
|
||||
controller:
|
||||
kind: DaemonSet
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
addHeaders:
|
||||
X-Frame-Options: deny
|
||||
proxySetHeaders:
|
||||
X-Forwarded-Proto: https
|
||||
service:
|
||||
type: ClusterIP
|
||||
@@ -1,10 +0,0 @@
|
||||
controller:
|
||||
kind: DaemonSet
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
service:
|
||||
type: NodePort
|
||||
@@ -1,20 +0,0 @@
|
||||
controller:
|
||||
kind: DaemonSet
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
service:
|
||||
type: ClusterIP
|
||||
tcp:
|
||||
configMapNamespace: default
|
||||
udp:
|
||||
configMapNamespace: default
|
||||
|
||||
tcp:
|
||||
9000: "default/test:8080"
|
||||
|
||||
udp:
|
||||
9001: "default/test:8080"
|
||||
@@ -1,18 +0,0 @@
|
||||
controller:
|
||||
kind: DaemonSet
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
tcp:
|
||||
9000: "default/test:8080"
|
||||
|
||||
udp:
|
||||
9001: "default/test:8080"
|
||||
|
||||
portNamePrefix: "port"
|
||||
@@ -1,16 +0,0 @@
|
||||
controller:
|
||||
kind: DaemonSet
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
tcp:
|
||||
9000: "default/test:8080"
|
||||
|
||||
udp:
|
||||
9001: "default/test:8080"
|
||||
@@ -1,14 +0,0 @@
|
||||
controller:
|
||||
kind: DaemonSet
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
tcp:
|
||||
9000: "default/test:8080"
|
||||
9001: "default/test:8080"
|
||||
@@ -1,12 +0,0 @@
|
||||
controller:
|
||||
kind: DaemonSet
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
metrics:
|
||||
enabled: true
|
||||
service:
|
||||
type: ClusterIP
|
||||
@@ -1,11 +0,0 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
autoscaling:
|
||||
enabled: true
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
service:
|
||||
type: ClusterIP
|
||||
@@ -1,15 +0,0 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
service:
|
||||
type: ClusterIP
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
extraModules:
|
||||
- name: opentelemetry
|
||||
image:
|
||||
registry: registry.k8s.io
|
||||
image: busybox
|
||||
tag: latest
|
||||
@@ -1,15 +0,0 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
service:
|
||||
type: ClusterIP
|
||||
extraModules:
|
||||
- name: opentelemetry
|
||||
image:
|
||||
registry: registry.k8s.io
|
||||
image: busybox
|
||||
tag: latest
|
||||
containerSecurityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
@@ -1,13 +0,0 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
service:
|
||||
type: ClusterIP
|
||||
extraModules:
|
||||
- name: opentelemetry
|
||||
image:
|
||||
registry: registry.k8s.io
|
||||
image: busybox
|
||||
tag: latest
|
||||
@@ -1,13 +0,0 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
addHeaders:
|
||||
X-Frame-Options: deny
|
||||
proxySetHeaders:
|
||||
X-Forwarded-Proto: https
|
||||
service:
|
||||
type: ClusterIP
|
||||
@@ -1,19 +0,0 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
service:
|
||||
type: ClusterIP
|
||||
internal:
|
||||
enabled: true
|
||||
annotations:
|
||||
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
|
||||
ports:
|
||||
http: 443
|
||||
https: 80
|
||||
targetPorts:
|
||||
http: 443
|
||||
https: 80
|
||||
@@ -1,9 +0,0 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
service:
|
||||
type: NodePort
|
||||
@@ -1,19 +0,0 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
service:
|
||||
type: ClusterIP
|
||||
tcp:
|
||||
configMapNamespace: default
|
||||
udp:
|
||||
configMapNamespace: default
|
||||
|
||||
tcp:
|
||||
9000: "default/test:8080"
|
||||
|
||||
udp:
|
||||
9001: "default/test:8080"
|
||||
@@ -1,17 +0,0 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
tcp:
|
||||
9000: "default/test:8080"
|
||||
|
||||
udp:
|
||||
9001: "default/test:8080"
|
||||
|
||||
portNamePrefix: "port"
|
||||
@@ -1,15 +0,0 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
tcp:
|
||||
9000: "default/test:8080"
|
||||
|
||||
udp:
|
||||
9001: "default/test:8080"
|
||||
@@ -1,11 +0,0 @@
|
||||
controller:
|
||||
image:
|
||||
repository: ingress-controller/controller
|
||||
tag: 1.0.0-dev
|
||||
digest: null
|
||||
service:
|
||||
type: ClusterIP
|
||||
|
||||
tcp:
|
||||
9000: "default/test:8080"
|
||||
9001: "default/test:8080"
|
||||
@@ -1,12 +0,0 @@
|
||||
controller:
|
||||
service:
|
||||
type: ClusterIP
|
||||
admissionWebhooks:
|
||||
enabled: true
|
||||
extraEnvs:
|
||||
- name: FOO
|
||||
value: foo
|
||||
- name: TEST
|
||||
value: test
|
||||
patch:
|
||||
enabled: true
|
||||
@@ -1,23 +0,0 @@
|
||||
controller:
|
||||
service:
|
||||
type: ClusterIP
|
||||
admissionWebhooks:
|
||||
enabled: true
|
||||
createSecretJob:
|
||||
resources:
|
||||
limits:
|
||||
cpu: 10m
|
||||
memory: 20Mi
|
||||
requests:
|
||||
cpu: 10m
|
||||
memory: 20Mi
|
||||
patchWebhookJob:
|
||||
resources:
|
||||
limits:
|
||||
cpu: 10m
|
||||
memory: 20Mi
|
||||
requests:
|
||||
cpu: 10m
|
||||
memory: 20Mi
|
||||
patch:
|
||||
enabled: true
|
||||
@@ -203,7 +203,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
|
||||
Create the name of the default backend service account to use
|
||||
*/}}
|
||||
{{- define "ingress-nginx.defaultBackend.serviceAccountName" -}}
|
||||
{{- if .Values.defaultBackend.serviceAccount.create -}}
|
||||
@@ -244,15 +244,6 @@ Return the appropriate apiGroup for PodSecurityPolicy.
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Check the ingress controller version tag is at most three versions behind the last release
|
||||
*/}}
|
||||
{{- define "isControllerTagValid" -}}
|
||||
{{- if not (semverCompare ">=0.27.0-0" .Values.controller.image.tag) -}}
|
||||
{{- fail "Controller container image tag should be 0.27.0 or higher" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Extra modules.
|
||||
*/}}
|
||||
|
||||
@@ -40,6 +40,7 @@ webhooks:
|
||||
service:
|
||||
name: {{ include "ingress-nginx.controller.fullname" . }}-admission
|
||||
namespace: {{ include "ingress-nginx.namespace" . }}
|
||||
port: {{ .Values.controller.admissionWebhooks.service.servicePort }}
|
||||
path: /networking/v1/ingresses
|
||||
{{- if .Values.controller.admissionWebhooks.timeoutSeconds }}
|
||||
timeoutSeconds: {{ .Values.controller.admissionWebhooks.timeoutSeconds }}
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
{{- if eq .Values.controller.kind "DaemonSet" -}}
|
||||
{{- include "isControllerTagValid" . -}}
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
{{- if eq .Values.controller.kind "Deployment" -}}
|
||||
{{- include "isControllerTagValid" . -}}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
|
||||
@@ -29,7 +29,7 @@ spec:
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: https-webhook
|
||||
port: 443
|
||||
port: {{ .Values.controller.admissionWebhooks.service.servicePort }}
|
||||
targetPort: webhook
|
||||
{{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
|
||||
appProtocol: https
|
||||
|
||||
@@ -3,51 +3,48 @@ apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ include "ingress-nginx.controller.fullname" . }}
|
||||
{{- if .Values.controller.metrics.serviceMonitor.namespace }}
|
||||
{{- if .Values.controller.metrics.serviceMonitor.namespace }}
|
||||
namespace: {{ .Values.controller.metrics.serviceMonitor.namespace }}
|
||||
{{- else }}
|
||||
{{- else }}
|
||||
namespace: {{ include "ingress-nginx.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "ingress-nginx.labels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: controller
|
||||
{{- if .Values.controller.metrics.serviceMonitor.additionalLabels }}
|
||||
{{- if .Values.controller.metrics.serviceMonitor.additionalLabels }}
|
||||
{{- toYaml .Values.controller.metrics.serviceMonitor.additionalLabels | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.metrics.serviceMonitor.annotations }}
|
||||
annotations: {{ toYaml .Values.controller.metrics.serviceMonitor.annotations | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
endpoints:
|
||||
- port: {{ .Values.controller.metrics.portName }}
|
||||
interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }}
|
||||
{{- if .Values.controller.metrics.serviceMonitor.honorLabels }}
|
||||
honorLabels: true
|
||||
{{- end }}
|
||||
{{- if .Values.controller.metrics.serviceMonitor.relabelings }}
|
||||
relabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.relabelings | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.metrics.serviceMonitor.metricRelabelings }}
|
||||
metricRelabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.metricRelabelings | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.metrics.serviceMonitor.jobLabel }}
|
||||
jobLabel: {{ .Values.controller.metrics.serviceMonitor.jobLabel | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }}
|
||||
{{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }}
|
||||
namespaceSelector: {{ toYaml .Values.controller.metrics.serviceMonitor.namespaceSelector | nindent 4 }}
|
||||
{{- else }}
|
||||
{{- else }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ include "ingress-nginx.namespace" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.metrics.serviceMonitor.targetLabels }}
|
||||
targetLabels:
|
||||
{{- range .Values.controller.metrics.serviceMonitor.targetLabels }}
|
||||
- {{ . }}
|
||||
- {{ include "ingress-nginx.namespace" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
|
||||
app.kubernetes.io/component: controller
|
||||
endpoints:
|
||||
- port: {{ .Values.controller.metrics.portName }}
|
||||
interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }}
|
||||
{{- if .Values.controller.metrics.serviceMonitor.honorLabels }}
|
||||
honorLabels: true
|
||||
{{- end }}
|
||||
{{- if .Values.controller.metrics.serviceMonitor.relabelings }}
|
||||
relabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.relabelings | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.metrics.serviceMonitor.metricRelabelings }}
|
||||
metricRelabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.metricRelabelings | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.metrics.serviceMonitor.jobLabel }}
|
||||
jobLabel: {{ .Values.controller.metrics.serviceMonitor.jobLabel | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.controller.metrics.serviceMonitor.targetLabels }}
|
||||
targetLabels: {{ toYaml .Values.controller.metrics.serviceMonitor.targetLabels | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@@ -102,7 +102,7 @@ spec:
|
||||
{{- if .Values.defaultBackend.nodeSelector }}
|
||||
nodeSelector: {{ toYaml .Values.defaultBackend.nodeSelector | nindent 8 }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
|
||||
serviceAccountName: {{ include "ingress-nginx.defaultBackend.serviceAccountName" . }}
|
||||
{{- if .Values.defaultBackend.tolerations }}
|
||||
tolerations: {{ toYaml .Values.defaultBackend.tolerations | nindent 8 }}
|
||||
{{- end }}
|
||||
|
||||
@@ -1,5 +1,9 @@
|
||||
{{- if .Values.defaultBackend.enabled -}}
|
||||
{{- if or (gt (.Values.defaultBackend.replicaCount | int) 1) (gt (.Values.defaultBackend.autoscaling.minReplicas | int) 1) }}
|
||||
{{- $replicas := .Values.defaultBackend.replicaCount }}
|
||||
{{- if .Values.defaultBackend.autoscaling.enabled }}
|
||||
{{- $replicas = .Values.defaultBackend.autoscaling.minReplicas }}
|
||||
{{- end }}
|
||||
{{- if gt ($replicas | int) 1 }}
|
||||
apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }}
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.serviceAccount.create -}}
|
||||
{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.serviceAccount.create -}}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
@@ -8,7 +8,7 @@ metadata:
|
||||
{{- with .Values.defaultBackend.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
|
||||
name: {{ include "ingress-nginx.defaultBackend.serviceAccountName" . }}
|
||||
namespace: {{ include "ingress-nginx.namespace" . }}
|
||||
automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
|
||||
@@ -20,7 +20,7 @@ tests:
|
||||
of: ServiceAccount
|
||||
- equal:
|
||||
path: metadata.name
|
||||
value: ingress-nginx-admission
|
||||
value: RELEASE-NAME-ingress-nginx-admission
|
||||
|
||||
- it: should create a ServiceAccount with specified name if `controller.admissionWebhooks.patch.serviceAccount.name` is set
|
||||
set:
|
||||
|
||||
@@ -0,0 +1,32 @@
|
||||
suite: Admission Webhooks > ValidatingWebhookConfiguration
|
||||
templates:
|
||||
- admission-webhooks/validating-webhook.yaml
|
||||
|
||||
tests:
|
||||
- it: should not create a ValidatingWebhookConfiguration if `controller.admissionWebhooks.enabled` is false
|
||||
set:
|
||||
controller.admissionWebhooks.enabled: false
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
|
||||
- it: should create a ValidatingWebhookConfiguration if `controller.admissionWebhooks.enabled` is true
|
||||
set:
|
||||
controller.admissionWebhooks.enabled: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- isKind:
|
||||
of: ValidatingWebhookConfiguration
|
||||
- equal:
|
||||
path: metadata.name
|
||||
value: RELEASE-NAME-ingress-nginx-admission
|
||||
|
||||
- it: should create a ValidatingWebhookConfiguration with a custom port if `controller.admissionWebhooks.service.servicePort` is set
|
||||
set:
|
||||
controller.admissionWebhooks.enabled: true
|
||||
controller.admissionWebhooks.service.servicePort: 9443
|
||||
asserts:
|
||||
- equal:
|
||||
path: webhooks[0].clientConfig.service.port
|
||||
value: 9443
|
||||
@@ -16,16 +16,16 @@ tests:
|
||||
- it: should create a ConfigMap with templated values if `controller.config` contains templates
|
||||
set:
|
||||
controller.config:
|
||||
global-rate-limit-memcached-host: "memcached.{{ .Release.Namespace }}.svc.kubernetes.local"
|
||||
global-rate-limit-memcached-port: 11211
|
||||
use-gzip: true
|
||||
template: "test.{{ .Release.Namespace }}.svc.kubernetes.local"
|
||||
integer: 12345
|
||||
boolean: true
|
||||
asserts:
|
||||
- equal:
|
||||
path: data.global-rate-limit-memcached-host
|
||||
value: memcached.NAMESPACE.svc.kubernetes.local
|
||||
path: data.template
|
||||
value: test.NAMESPACE.svc.kubernetes.local
|
||||
- equal:
|
||||
path: data.global-rate-limit-memcached-port
|
||||
value: "11211"
|
||||
path: data.integer
|
||||
value: "12345"
|
||||
- equal:
|
||||
path: data.use-gzip
|
||||
path: data.boolean
|
||||
value: "true"
|
||||
|
||||
@@ -138,3 +138,35 @@ tests:
|
||||
values:
|
||||
- controller
|
||||
topologyKey: kubernetes.io/hostname
|
||||
|
||||
- it: should create a DaemonSet with a custom registry if `controller.image.registry` is set
|
||||
set:
|
||||
controller.kind: DaemonSet
|
||||
controller.image.registry: custom.registry.io
|
||||
controller.image.tag: v1.0.0-dev
|
||||
controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.containers[0].image
|
||||
value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
|
||||
|
||||
- it: should create a DaemonSet with a custom image if `controller.image.image` is set
|
||||
set:
|
||||
controller.kind: DaemonSet
|
||||
controller.image.image: custom-repo/custom-image
|
||||
controller.image.tag: v1.0.0-dev
|
||||
controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.containers[0].image
|
||||
value: registry.k8s.io/custom-repo/custom-image:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
|
||||
|
||||
- it: should create a DaemonSet with a custom tag if `controller.image.tag` is set
|
||||
set:
|
||||
controller.kind: DaemonSet
|
||||
controller.image.tag: custom-tag
|
||||
controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.containers[0].image
|
||||
value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
|
||||
|
||||
@@ -160,3 +160,32 @@ tests:
|
||||
values:
|
||||
- controller
|
||||
topologyKey: kubernetes.io/hostname
|
||||
|
||||
- it: should create a Deployment with a custom registry if `controller.image.registry` is set
|
||||
set:
|
||||
controller.image.registry: custom.registry.io
|
||||
controller.image.tag: v1.0.0-dev
|
||||
controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.containers[0].image
|
||||
value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
|
||||
|
||||
- it: should create a Deployment with a custom image if `controller.image.image` is set
|
||||
set:
|
||||
controller.image.image: custom-repo/custom-image
|
||||
controller.image.tag: v1.0.0-dev
|
||||
controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.containers[0].image
|
||||
value: registry.k8s.io/custom-repo/custom-image:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
|
||||
|
||||
- it: should create a Deployment with a custom tag if `controller.image.tag` is set
|
||||
set:
|
||||
controller.image.tag: custom-tag
|
||||
controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.containers[0].image
|
||||
value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
|
||||
|
||||
@@ -71,3 +71,19 @@ tests:
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
|
||||
- it: should create a PodDisruptionBudget without `minAvailable` and with `maxUnavailable` if `controller.minAvailable` and `controller.maxUnavailable` are set
|
||||
set:
|
||||
controller.replicaCount: 2
|
||||
controller.minAvailable: 1
|
||||
controller.maxUnavailable: 1
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- isKind:
|
||||
of: PodDisruptionBudget
|
||||
- notExists:
|
||||
path: spec.minAvailable
|
||||
- equal:
|
||||
path: spec.maxUnavailable
|
||||
value: 1
|
||||
|
||||
@@ -0,0 +1,17 @@
|
||||
suite: Controller > PrometheusRule
|
||||
templates:
|
||||
- controller-prometheusrule.yaml
|
||||
|
||||
tests:
|
||||
- it: should create a PrometheusRule if `controller.metrics.prometheusRule.enabled` is true
|
||||
set:
|
||||
controller.metrics.enabled: true
|
||||
controller.metrics.prometheusRule.enabled: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- isKind:
|
||||
of: PrometheusRule
|
||||
- equal:
|
||||
path: metadata.name
|
||||
value: RELEASE-NAME-ingress-nginx-controller
|
||||
@@ -0,0 +1,32 @@
|
||||
suite: Controller > Service > Webhook
|
||||
templates:
|
||||
- controller-service-webhook.yaml
|
||||
|
||||
tests:
|
||||
- it: should not create a webhook Service if `controller.admissionWebhooks.enabled` is false
|
||||
set:
|
||||
controller.admissionWebhooks.enabled: false
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
|
||||
- it: should create a webhook Service if `controller.admissionWebhooks.enabled` is true
|
||||
set:
|
||||
controller.admissionWebhooks.enabled: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- isKind:
|
||||
of: Service
|
||||
- equal:
|
||||
path: metadata.name
|
||||
value: RELEASE-NAME-ingress-nginx-controller-admission
|
||||
|
||||
- it: should create a webhook Service with a custom port if `controller.admissionWebhooks.service.servicePort` is set
|
||||
set:
|
||||
controller.admissionWebhooks.enabled: true
|
||||
controller.admissionWebhooks.service.servicePort: 9443
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.ports[0].port
|
||||
value: 9443
|
||||
@@ -0,0 +1,47 @@
|
||||
suite: Controller > ServiceAccount
|
||||
templates:
|
||||
- controller-serviceaccount.yaml
|
||||
|
||||
tests:
|
||||
- it: should not create a ServiceAccount if `serviceAccount.create` is false
|
||||
set:
|
||||
serviceAccount.create: false
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
|
||||
- it: should create a ServiceAccount if `serviceAccount.create` is true
|
||||
set:
|
||||
serviceAccount.create: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- isKind:
|
||||
of: ServiceAccount
|
||||
- equal:
|
||||
path: metadata.name
|
||||
value: RELEASE-NAME-ingress-nginx
|
||||
|
||||
- it: should create a ServiceAccount with specified name if `serviceAccount.name` is set
|
||||
set:
|
||||
serviceAccount.name: ingress-nginx-admission-test-sa
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- isKind:
|
||||
of: ServiceAccount
|
||||
- equal:
|
||||
path: metadata.name
|
||||
value: ingress-nginx-admission-test-sa
|
||||
|
||||
- it: should create a ServiceAccount with token auto-mounting disabled if `serviceAccount.automountServiceAccountToken` is false
|
||||
set:
|
||||
serviceAccount.automountServiceAccountToken: false
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- isKind:
|
||||
of: ServiceAccount
|
||||
- equal:
|
||||
path: automountServiceAccountToken
|
||||
value: false
|
||||
@@ -0,0 +1,29 @@
|
||||
suite: Controller > ServiceMonitor
|
||||
templates:
|
||||
- controller-servicemonitor.yaml
|
||||
|
||||
tests:
|
||||
- it: should create a ServiceMonitor if `controller.metrics.serviceMonitor.enabled` is true
|
||||
set:
|
||||
controller.metrics.enabled: true
|
||||
controller.metrics.serviceMonitor.enabled: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- isKind:
|
||||
of: ServiceMonitor
|
||||
- equal:
|
||||
path: metadata.name
|
||||
value: RELEASE-NAME-ingress-nginx-controller
|
||||
|
||||
- it: should create a ServiceMonitor with annotations if `controller.metrics.serviceMonitor.annotations` is set
|
||||
set:
|
||||
controller.metrics.enabled: true
|
||||
controller.metrics.serviceMonitor.enabled: true
|
||||
controller.metrics.serviceMonitor.annotations:
|
||||
my-little-annotation: test-value
|
||||
asserts:
|
||||
- equal:
|
||||
path: metadata.annotations
|
||||
value:
|
||||
my-little-annotation: test-value
|
||||
@@ -135,3 +135,35 @@ tests:
|
||||
values:
|
||||
- default-backend
|
||||
topologyKey: kubernetes.io/hostname
|
||||
|
||||
- it: should create a Deployment with a custom registry if `defaultBackend.image.registry` is set
|
||||
set:
|
||||
defaultBackend.enabled: true
|
||||
defaultBackend.image.registry: custom.registry.io
|
||||
defaultBackend.image.tag: v1.0.0-dev
|
||||
defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.containers[0].image
|
||||
value: custom.registry.io/defaultbackend-amd64:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
|
||||
|
||||
- it: should create a Deployment with a custom image if `defaultBackend.image.image` is set
|
||||
set:
|
||||
defaultBackend.enabled: true
|
||||
defaultBackend.image.image: custom-repo/custom-image
|
||||
defaultBackend.image.tag: v1.0.0-dev
|
||||
defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.containers[0].image
|
||||
value: registry.k8s.io/custom-repo/custom-image:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
|
||||
|
||||
- it: should create a Deployment with a custom tag if `defaultBackend.image.tag` is set
|
||||
set:
|
||||
defaultBackend.enabled: true
|
||||
defaultBackend.image.tag: custom-tag
|
||||
defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
|
||||
asserts:
|
||||
- equal:
|
||||
path: spec.template.spec.containers[0].image
|
||||
value: registry.k8s.io/defaultbackend-amd64:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
|
||||
|
||||
@@ -0,0 +1,48 @@
|
||||
suite: Default Backend > PodDisruptionBudget
|
||||
templates:
|
||||
- default-backend-poddisruptionbudget.yaml
|
||||
|
||||
tests:
|
||||
- it: should create a PodDisruptionBudget if `defaultBackend.replicaCount` is greater than 1
|
||||
set:
|
||||
defaultBackend.enabled: true
|
||||
defaultBackend.replicaCount: 2
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- isKind:
|
||||
of: PodDisruptionBudget
|
||||
- equal:
|
||||
path: metadata.name
|
||||
value: RELEASE-NAME-ingress-nginx-defaultbackend
|
||||
|
||||
- it: should not create a PodDisruptionBudget if `defaultBackend.replicaCount` is less than or equal 1
|
||||
set:
|
||||
defaultBackend.enabled: true
|
||||
defaultBackend.replicaCount: 1
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
|
||||
- it: should create a PodDisruptionBudget if `defaultBackend.autoscaling.enabled` is true and `defaultBackend.autoscaling.minReplicas` is greater than 1
|
||||
set:
|
||||
defaultBackend.enabled: true
|
||||
defaultBackend.autoscaling.enabled: true
|
||||
defaultBackend.autoscaling.minReplicas: 2
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- isKind:
|
||||
of: PodDisruptionBudget
|
||||
- equal:
|
||||
path: metadata.name
|
||||
value: RELEASE-NAME-ingress-nginx-defaultbackend
|
||||
|
||||
- it: should not create a PodDisruptionBudget if `defaultBackend.autoscaling.enabled` is true and `defaultBackend.autoscaling.minReplicas` is less than or equal 1
|
||||
set:
|
||||
defaultBackend.enabled: true
|
||||
defaultBackend.autoscaling.enabled: true
|
||||
defaultBackend.autoscaling.minReplicas: 1
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
@@ -0,0 +1,51 @@
|
||||
suite: Default Backend > ServiceAccount
|
||||
templates:
|
||||
- default-backend-serviceaccount.yaml
|
||||
|
||||
tests:
|
||||
- it: should not create a ServiceAccount if `defaultBackend.serviceAccount.create` is false
|
||||
set:
|
||||
defaultBackend.enabled: true
|
||||
defaultBackend.serviceAccount.create: false
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
|
||||
- it: should create a ServiceAccount if `defaultBackend.serviceAccount.create` is true
|
||||
set:
|
||||
defaultBackend.enabled: true
|
||||
defaultBackend.serviceAccount.create: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- isKind:
|
||||
of: ServiceAccount
|
||||
- equal:
|
||||
path: metadata.name
|
||||
value: RELEASE-NAME-ingress-nginx-backend
|
||||
|
||||
- it: should create a ServiceAccount with specified name if `defaultBackend.serviceAccount.name` is set
|
||||
set:
|
||||
defaultBackend.enabled: true
|
||||
defaultBackend.serviceAccount.name: ingress-nginx-admission-test-sa
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- isKind:
|
||||
of: ServiceAccount
|
||||
- equal:
|
||||
path: metadata.name
|
||||
value: ingress-nginx-admission-test-sa
|
||||
|
||||
- it: should create a ServiceAccount with token auto-mounting disabled if `defaultBackend.serviceAccount.automountServiceAccountToken` is false
|
||||
set:
|
||||
defaultBackend.enabled: true
|
||||
defaultBackend.serviceAccount.automountServiceAccountToken: false
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 1
|
||||
- isKind:
|
||||
of: ServiceAccount
|
||||
- equal:
|
||||
path: automountServiceAccountToken
|
||||
value: false
|
||||
@@ -26,9 +26,9 @@ controller:
|
||||
## for backwards compatibility consider setting the full image url via the repository value below
|
||||
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
|
||||
## repository:
|
||||
tag: "v1.11.1"
|
||||
digest: sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a
|
||||
digestChroot: sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d
|
||||
tag: "v1.11.5"
|
||||
digest: sha256:a1cbad75b0a7098bf9325132794dddf9eef917e8a7fe246749a4cea7ff6f01eb
|
||||
digestChroot: sha256:ec9df3eb6b06563a079ee46045da94cbf750f7dbb16fdbcb9e3265b551ed72ad
|
||||
pullPolicy: IfNotPresent
|
||||
runAsNonRoot: true
|
||||
# www-data -> uid 101
|
||||
@@ -194,7 +194,7 @@ controller:
|
||||
# -- Annotations to be added to the udp config configmap
|
||||
annotations: {}
|
||||
# -- Maxmind license key to download GeoLite2 Databases.
|
||||
## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases
|
||||
## https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/
|
||||
maxmindLicenseKey: ""
|
||||
# -- Additional command line arguments to pass to Ingress-Nginx Controller
|
||||
# E.g. to specify the default SSL certificate you can use
|
||||
@@ -299,6 +299,8 @@ controller:
|
||||
# app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
|
||||
# app.kubernetes.io/instance: '{{ .Release.Name }}'
|
||||
# app.kubernetes.io/component: controller
|
||||
# matchLabelKeys:
|
||||
# - pod-template-hash
|
||||
# topologyKey: topology.kubernetes.io/zone
|
||||
# maxSkew: 1
|
||||
# whenUnsatisfiable: ScheduleAnyway
|
||||
@@ -307,6 +309,8 @@ controller:
|
||||
# app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
|
||||
# app.kubernetes.io/instance: '{{ .Release.Name }}'
|
||||
# app.kubernetes.io/component: controller
|
||||
# matchLabelKeys:
|
||||
# - pod-template-hash
|
||||
# topologyKey: kubernetes.io/hostname
|
||||
# maxSkew: 1
|
||||
# whenUnsatisfiable: ScheduleAnyway
|
||||
@@ -706,12 +710,12 @@ controller:
|
||||
name: opentelemetry
|
||||
image:
|
||||
registry: registry.k8s.io
|
||||
image: ingress-nginx/opentelemetry
|
||||
image: ingress-nginx/opentelemetry-1.25.3
|
||||
## for backwards compatibility consider setting the full image url via the repository value below
|
||||
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
|
||||
## repository:
|
||||
tag: "v20230721-3e2062ee5"
|
||||
digest: sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472
|
||||
tag: v20240813-b933310d
|
||||
digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922
|
||||
distroless: true
|
||||
containerSecurityContext:
|
||||
runAsNonRoot: true
|
||||
@@ -804,8 +808,8 @@ controller:
|
||||
## for backwards compatibility consider setting the full image url via the repository value below
|
||||
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
|
||||
## repository:
|
||||
tag: v1.4.1
|
||||
digest: sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366
|
||||
tag: v1.5.2
|
||||
digest: sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea
|
||||
pullPolicy: IfNotPresent
|
||||
# -- Provide a priority class name to the webhook patching job
|
||||
##
|
||||
@@ -873,6 +877,7 @@ controller:
|
||||
serviceMonitor:
|
||||
enabled: false
|
||||
additionalLabels: {}
|
||||
# -- Annotations to be added to the ServiceMonitor.
|
||||
annotations: {}
|
||||
## The label to use to retrieve the job name from.
|
||||
## jobLabel: "app.kubernetes.io/name"
|
||||
@@ -1062,6 +1067,8 @@ defaultBackend:
|
||||
# app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
|
||||
# app.kubernetes.io/instance: '{{ .Release.Name }}'
|
||||
# app.kubernetes.io/component: default-backend
|
||||
# matchLabelKeys:
|
||||
# - pod-template-hash
|
||||
# topologyKey: topology.kubernetes.io/zone
|
||||
# maxSkew: 1
|
||||
# whenUnsatisfiable: ScheduleAnyway
|
||||
@@ -1070,6 +1077,8 @@ defaultBackend:
|
||||
# app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
|
||||
# app.kubernetes.io/instance: '{{ .Release.Name }}'
|
||||
# app.kubernetes.io/component: default-backend
|
||||
# matchLabelKeys:
|
||||
# - pod-template-hash
|
||||
# topologyKey: kubernetes.io/hostname
|
||||
# maxSkew: 1
|
||||
# whenUnsatisfiable: ScheduleAnyway
|
||||
@@ -1090,6 +1099,7 @@ defaultBackend:
|
||||
##
|
||||
podAnnotations: {}
|
||||
replicaCount: 1
|
||||
# -- Minimum available pods set in PodDisruptionBudget.
|
||||
minAvailable: 1
|
||||
resources: {}
|
||||
# limits:
|
||||
|
||||
@@ -4,9 +4,9 @@ ingress-nginx:
|
||||
enable-ssl-passthrough: ""
|
||||
image:
|
||||
registry: ghcr.io
|
||||
image: kvaps/ingress-nginx-with-protobuf-exporter/controller
|
||||
tag: v1.11.2
|
||||
digest: sha256:e80856ece4e30e9646d65c8d92c25a3446a0bba1c2468cd026f17df9e60d2c0f
|
||||
image: cozystack/ingress-nginx-with-protobuf-exporter/controller
|
||||
tag: v1.11.5
|
||||
digest: sha256:b78ae118129a9417d4126744cab2fc2f777b3a9ac460d74caa4b57a479b98ead
|
||||
allowSnippetAnnotations: true
|
||||
replicaCount: 2
|
||||
admissionWebhooks:
|
||||
@@ -16,7 +16,7 @@ ingress-nginx:
|
||||
enabled: true
|
||||
extraContainers:
|
||||
- name: protobuf-exporter
|
||||
image: ghcr.io/kvaps/ingress-nginx-with-protobuf-exporter/protobuf-exporter:v1.11.2@sha256:25ed6a5f508bbc59134ad786f1e765d1c2187742075a4e828d68ef3f07a78e52
|
||||
image: ghcr.io/cozystack/ingress-nginx-with-protobuf-exporter/protobuf-exporter:v1.11.5@sha256:1e60d53324c2028d6f20136cdd5553ebf2d1288aefc5900b96cd379680fc25dc
|
||||
args:
|
||||
- --server.telemetry-address=0.0.0.0:9090
|
||||
- --server.exporter-address=0.0.0.0:9091
|
||||
|
||||
Reference in New Issue
Block a user