diff --git a/.github/actions/mkdocs/Dockerfile b/.github/actions/mkdocs/Dockerfile index f00584d321..c42f6d6f03 100644 --- a/.github/actions/mkdocs/Dockerfile +++ b/.github/actions/mkdocs/Dockerfile @@ -1,4 +1,4 @@ -FROM squidfunk/mkdocs-material:9.4.5 +FROM squidfunk/mkdocs-material:9.6.16 COPY action.sh /action.sh diff --git a/.github/workflows/chart.yaml b/.github/workflows/chart.yaml index d0f4b4e8ef..f782734e83 100644 --- a/.github/workflows/chart.yaml +++ b/.github/workflows/chart.yaml @@ -23,15 +23,17 @@ jobs: steps: - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.x - name: Set up Helm - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0 + uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 + with: + version: v4.1.3 - name: Set up Helm Chart Testing - uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0 + uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f - name: Set up Artifact Hub run: | @@ -45,7 +47,7 @@ jobs: git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com" - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 939fbf3102..9a8c0fd402 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -47,7 +47,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: filter 
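Review bot: The new pin `helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f` in the `Set up Helm Chart Testing` step of chart.yaml (hunk `-23,15`) drops the trailing version comment that every other pinned action in this commit keeps, so the file no longer says which release the SHA corresponds to. Restore it after checking the SHA against the upstream repository, e.g. `uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # <RELEASE_TAG>`. If the commit is not a tagged release, say so in the comment instead. The same line appears in the ci.yaml hunk `-218,15`.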
@@ -81,7 +81,7 @@ jobs: (needs.changes.outputs.lua == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }} steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Lint Lua uses: lunarmodules/luacheck@v1 @@ -95,14 +95,14 @@ jobs: (needs.changes.outputs.go == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }} steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Get go version run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV - name: Set up Go id: go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version: ${{ env.GOLANG_VERSION }} check-latest: true @@ -119,12 +119,12 @@ jobs: (needs.changes.outputs.go == 'true') || (needs.changes.outputs.docs == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }} steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Get go version run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV - name: Set up Go id: go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version: ${{ env.GOLANG_VERSION }} check-latest: true @@ -144,7 +144,7 @@ jobs: PLATFORMS: linux/amd64 steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Get go version id: golangversion 
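Review bot: `uses: lunarmodules/luacheck@v1` in the `Lint Lua` step (hunk `-81,7`) is still referenced by a mutable tag, while this commit re-pins the actions around it to full commit SHAs. A tag can be moved upstream, so the lint job would run whatever `v1` points at when the workflow starts. Pin it like the others, `uses: lunarmodules/luacheck@<FULL_COMMIT_SHA> # <RELEASE_TAG>`, taking the SHA from the upstream release. The job definition starts and continues outside the hunk.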
@@ -153,17 +153,17 @@ jobs: - name: Set up Go id: go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version: ${{ steps.golangversion.outputs.version }} check-latest: true - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: version: latest @@ -172,7 +172,7 @@ jobs: - name: Prepare Host run: | - curl -LO https://dl.k8s.io/release/v1.33.1/bin/linux/amd64/kubectl + curl -LO https://dl.k8s.io/release/v1.35.3/bin/linux/amd64/kubectl chmod +x ./kubectl sudo mv ./kubectl /usr/local/bin/kubectl @@ -202,7 +202,7 @@ jobs: | gzip > docker.tar.gz - name: cache - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: docker.tar.gz path: docker.tar.gz @@ -218,15 +218,17 @@ jobs: steps: - name: Set up Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: 3.x - name: Set up Helm - uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0 + uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 + with: + version: v4.1.3 - name: Set up Helm Chart Testing - uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0 + uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f - name: Set up Artifact Hub run: | 
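Review bot: The `Prepare Host` step (hunk `-172,7`) downloads `kubectl` v1.35.3 with `curl -LO`, makes it executable and moves it to `/usr/local/bin` without checking its digest. Either record the expected SHA-256 in the workflow, or fetch the published `https://dl.k8s.io/release/v1.35.3/bin/linux/amd64/kubectl.sha256` and run `echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check` before the `chmod`. A digest committed to the repository is the stronger check, because the `.sha256` file comes from the same origin as the binary. Using `curl -fLO` would also make an HTTP error fail the step rather than install an error page. The rest of the step's script is outside the hunk.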
@@ -238,10 +240,10 @@ jobs: uses: gabe565/setup-helm-docs-action@d5c35bdc9133cfbea3b671acadf50a29029e87c2 # v1.0.4 - name: Set up Helm Unit Test - run: helm plugin install https://github.com/helm-unittest/helm-unittest + run: helm plugin install https://github.com/helm-unittest/helm-unittest --verify=false - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -271,14 +273,14 @@ jobs: strategy: fail-fast: false matrix: - k8s: [v1.29.14, v1.30.13, v1.31.9, v1.32.5, v1.33.1] + k8s: [v1.31.14, v1.32.11, v1.33.7, v1.34.3, v1.35.1] steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Download cache - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: docker.tar.gz @@ -303,7 +305,7 @@ jobs: strategy: fail-fast: false matrix: - k8s: [v1.29.14, v1.30.13, v1.31.9, v1.32.5, v1.33.1] + k8s: [v1.31.14, v1.32.11, v1.33.7, v1.34.3, v1.35.1] uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml with: k8s-version: ${{ matrix.k8s }} @@ -318,7 +320,7 @@ jobs: strategy: fail-fast: false matrix: - k8s: [v1.29.14, v1.30.13, v1.31.9, v1.32.5, v1.33.1] + k8s: [v1.31.14, v1.32.11, v1.33.7, v1.34.3, v1.35.1] uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml with: k8s-version: ${{ matrix.k8s }} diff --git a/.github/workflows/depreview.yaml b/.github/workflows/depreview.yaml index 5b8c5aa822..9e3b183731 100644 --- a/.github/workflows/depreview.yaml +++ b/.github/workflows/depreview.yaml 
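Review bot: `helm plugin install https://github.com/helm-unittest/helm-unittest --verify=false` in the `Set up Helm Unit Test` step (hunk `-238,10`) turns plugin verification off and still installs whatever the repository's default ref is at run time, so the plugin code executed in CI is neither verified nor pinned. If verification has to stay off (presumably because the plugin is installed from the Git URL rather than a signed package; confirm), pin the release with `--version <PLUGIN_RELEASE_TAG>`. Also add a comment above the step, for example `# --verify=false: <reason>; plugin pinned by --version`. Without the pin, an upstream change to the plugin reaches this job unreviewed.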
@@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: 'Dependency Review' - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1 + uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 40ccba2784..44b7a1e09b 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: filter @@ -47,7 +47,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Deploy uses: ./.github/actions/mkdocs diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 8120876ac3..de50b36089 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml 
@@ -15,19 +15,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Get go version run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV - name: Set up Go id: go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version: ${{ env.GOLANG_VERSION }} check-latest: true - name: golangci-lint - uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0 + uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 with: only-new-issues: true diff --git a/.github/workflows/images.yaml b/.github/workflows/images.yaml index e28604ba20..f1c296b42c 100644 --- a/.github/workflows/images.yaml +++ b/.github/workflows/images.yaml @@ -39,7 +39,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: filter with: @@ -136,17 +136,17 @@ jobs: strategy: fail-fast: false matrix: - k8s: [v1.29.14, v1.30.13, v1.31.9, v1.32.5, v1.33.1] + k8s: [v1.31.14, v1.32.11, v1.33.7, v1.34.3, v1.35.1] steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Get go version run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV - name: Set up Go id: go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version: ${{ env.GOLANG_VERSION }} check-latest: true 
@@ -173,17 +173,17 @@ jobs: PLATFORMS: linux/amd64,linux/arm,linux/arm64 steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up QEMU - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: version: latest platforms: ${{ env.PLATFORMS }} - name: Login to GitHub Container Registry - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} diff --git a/.github/workflows/junit-reports.yaml b/.github/workflows/junit-reports.yaml index 17abcc8c72..369236ee06 100644 --- a/.github/workflows/junit-reports.yaml +++ b/.github/workflows/junit-reports.yaml @@ -13,7 +13,7 @@ jobs: report: runs-on: ubuntu-latest steps: - - uses: dorny/test-reporter@890a17cecf52a379fc869ab770a71657660be727 # v2.1.0 + - uses: dorny/test-reporter@3d76b34a4535afbd0600d347b09a6ee5deb3ed7f # v2.6.0 with: artifact: /e2e-test-reports-(.*)/ name: JEST Tests $1 # Name of the check run which will be created diff --git a/.github/workflows/perftest.yaml b/.github/workflows/perftest.yaml index de22d53d96..b3c21b4f32 100644 --- a/.github/workflows/perftest.yaml +++ b/.github/workflows/perftest.yaml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Install K6 run: | 
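Review bot: The step named `Login to GitHub Container Registry` (hunk `-173,17`) passes `secrets.DOCKERHUB_USERNAME` and `secrets.DOCKERHUB_TOKEN`, and no `registry:` input is visible in the hunk, so the step name does not match the credentials it uses. Since `docker/login-action` moves a major version here, rename the step, e.g. `- name: Login to Docker Hub`, or add `registry: <REGISTRY_HOST>` if a different registry is intended. The `with:` block may continue outside the hunk, so confirm that before changing it. The same step appears in the zz-tmpl-images.yaml hunk `-67,10`.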
diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index bc200ef2be..a41ff61551 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -20,14 +20,14 @@ jobs: run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV - name: Set up Go - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 + uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version: ${{ env.GOLANG_VERSION }} check-latest: true - name: Run GoReleaser Snapshot if: ${{ ! startsWith(github.ref, 'refs/tags/') }} - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0 + uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 with: version: "~> v2" args: release --snapshot --clean @@ -36,7 +36,7 @@ jobs: - name: Run GoReleaser if: ${{ startsWith(github.ref, 'refs/tags/') }} - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0 + uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 with: version: "~> v2" args: release --clean @@ -45,6 +45,6 @@ jobs: - name: Update new version in krew-index if: ${{ startsWith(github.ref, 'refs/tags/') }} - uses: rajatjindal/krew-release-bot@3d9faef30a82761d610544f62afddca00993eef9 # v0.0.47 + uses: rajatjindal/krew-release-bot@c970b8a8f6dbc2f2285a26e3ae160903b87002c3 # v0.0.51 with: krew_template_file: cmd/plugin/krew.yaml diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index aad8cfe4d8..dc95af3f9f 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml 
@@ -27,12 +27,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: results_file: results.sarif results_format: sarif @@ -51,7 +51,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: SARIF file path: results.sarif @@ -59,6 +59,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 + uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: sarif_file: results.sarif diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml deleted file mode 100644 index 45a7cd320d..0000000000 --- a/.github/workflows/stale.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: 'Stale Issues and PRs' - -on: - schedule: - - cron: '30 1 * * *' - -jobs: - stale: - runs-on: ubuntu-latest - - permissions: - issues: write - pull-requests: write - - steps: - - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0 - with: - stale-issue-message: "This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack." - stale-pr-message: "This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack." - stale-issue-label: lifecycle/frozen - stale-pr-label: lifecycle/frozen - days-before-issue-stale: 30 - days-before-pr-stale: 45 - days-before-close: -1 # dont not close issues/prs diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 3b344b6e15..de46af86cf 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -22,7 +22,7 @@ jobs: versions: ${{ steps.version.outputs.TAGS }} steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -52,7 +52,7 @@ jobs: versions: ${{ fromJSON(needs.version.outputs.versions) }} steps: - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - shell: bash id: test 
@@ -60,7 +60,7 @@ jobs: - name: Scan image with AquaSec/Trivy id: scan - uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # v0.30.0 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }} format: 'sarif' @@ -75,7 +75,7 @@ jobs: # This step checks out a copy of your repository. - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 + uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: token: ${{ github.token }} # Path to SARIF file relative to the root of the repository diff --git a/.github/workflows/zz-tmpl-images.yaml b/.github/workflows/zz-tmpl-images.yaml index f937d6f276..aa93a80c1e 100644 --- a/.github/workflows/zz-tmpl-images.yaml +++ b/.github/workflows/zz-tmpl-images.yaml @@ -31,7 +31,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: filter with: @@ -48,7 +48,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build run: | @@ -67,10 +67,10 @@ jobs: PLATFORMS: ${{ inputs.platforms-publish }} steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Login to GitHub Container Registry - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} 
diff --git a/.github/workflows/zz-tmpl-k8s-e2e.yaml b/.github/workflows/zz-tmpl-k8s-e2e.yaml index e2382340dc..6362487331 100644 --- a/.github/workflows/zz-tmpl-k8s-e2e.yaml +++ b/.github/workflows/zz-tmpl-k8s-e2e.yaml @@ -20,10 +20,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: cache - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: docker.tar.gz @@ -49,7 +49,7 @@ jobs: make kind-e2e-test - name: Upload e2e junit-reports ${{ inputs.variation }} - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 if: success() || failure() with: name: e2e-test-reports-${{ inputs.k8s-version }}${{ inputs.variation }} diff --git a/.golangci.yml b/.golangci.yml index a510e774cd..1bdfdee09d 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -91,7 +91,6 @@ linters: - sloppyReassign - sloppyTypeAssert - sortSlice - - sprintfQuotedString - sqlQuery - syncMapLoadAndDelete - truncateCmp diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index a11435aef2..89518fe167 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -6,7 +6,7 @@ Note that this guide refers to contributing to actual sources of the repository. ## Contributor License Agreements -We'd love to accept your patches! Before we can take them, we have to jump a couple of legal hurdles. +This project is [being retired](https://www.kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/), so only a [very limited set of patches will be accepted](https://www.kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/#current-state-and-next-steps). Before we can take them, we have to jump a couple of legal hurdles. Please fill out either the individual or corporate Contributor License Agreement (CLA). @@ -17,12 +17,6 @@ Follow either of the two links above to access the appropriate CLA and instructi ***NOTE***: Only original source code from you and other people that have signed the CLA can be accepted into the main repository. -## Finding Issues That Need Help - -If you're new to the project and want to help, but don't know where to start, we have a semi-curated list of issues that should not need deep knowledge of the system. [Have a look and see if anything sounds interesting](https://github.com/kubernetes/ingress-nginx/issues?utf8=%E2%9C%93&q=is%3Aopen%20is%3Aissue%20label%3A%22help+wanted%22). - -Alternatively, search for the label [`triage-accepted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Atriage%2Faccepted+) if you have some experience with ingress-nginx. Note, that it could make sense to grab issues with higher priority first. - ## Contributing a Patch 1. If you haven't already done so, sign a Contributor License Agreement (see details above). 
@@ -32,6 +26,8 @@ Alternatively, search for the label [`triage-accepted`](https://github.com/kuber All changes must be code reviewed. Coding conventions and standards are explained in the official [developer docs](https://github.com/kubernetes/community/tree/master/contributors/devel). Expect reviewers to request that you avoid common [go style mistakes](https://github.com/golang/go/wiki/CodeReviewComments) in your PRs. +Note that new feature work will not be accepted. + ### Merge Approval Ingress Nginx collaborators may add "/lgtm" (Looks Good To Me) to indicate that a PR is acceptable. Any change requires at least one LGTM. No pull requests can be merged until at least one Ingress Nginx collaborator signs off with an LGTM. Adding the "/lgtm" comment result in the prow bot adding the `lgtm` label. Note that a pull request still needs an `approve` label from one of the owners. diff --git a/GOLANG_VERSION b/GOLANG_VERSION index ae96cc7310..dd43a143f0 100644 --- a/GOLANG_VERSION +++ b/GOLANG_VERSION @@ -1 +1 @@ -1.24.3 +1.26.1 diff --git a/Makefile b/Makefile index dc7f0a204b..3f55f41d16 100644 --- a/Makefile +++ b/Makefile @@ -110,7 +110,7 @@ clean-chroot-image: ## Removes local image .PHONY: build build: ## Build ingress controller, debug tool and pre-stop hook. - E2E_IMAGE=golang:$(GO_VERSION)-alpine3.21 USE_SHELL=/bin/sh build/run-in-docker.sh \ + E2E_IMAGE=golang:$(GO_VERSION)-alpine3.23 USE_SHELL=/bin/sh build/run-in-docker.sh \ MAC_OS=$(MAC_OS) \ PKG=$(PKG) \ ARCH=$(ARCH) \ @@ -156,6 +156,10 @@ test: ## Run go unit tests. GOFLAGS="-buildvcs=false" \ test/test.sh +.PHONY: helm-test +helm-test: ## Run helm unit tests. + helm unittest charts/ingress-nginx --file "tests/**/*_test.yaml" + .PHONY: lua-test lua-test: ## Run lua unit tests. @build/run-in-docker.sh \ diff --git a/NEW_CONTRIBUTOR.md b/NEW_CONTRIBUTOR.md index c9668430c3..c25fcb413c 100644 --- a/NEW_CONTRIBUTOR.md +++ b/NEW_CONTRIBUTOR.md 
@@ -53,12 +53,12 @@ Let's begin with creating a [Kind](https://kind.sigs.k8s.io/docs/user/quick-star ``` This will create a cluster called `kind`, to view the clusters type ``` -# kind get clusters    +# kind get clusters kind ``` Kind ships with `kubectl`, so we can use that to communicate with our clusters. ``` -# kubectl get no -o wide    +# kubectl get no -o wide NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME kind-control-plane Ready control-plane 5d23h v1.24.1 172.18.0.2 Ubuntu 21.10 5.18.12-arch1-1 containerd://1.6.4 ``` @@ -85,7 +85,7 @@ Output Relevance: From the above output, we can see that our nginx pod is being Command: The pod has an IP as shown below ``` -# kubectl get po -o wide   +# kubectl get po -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES nginx-6c8b449b8f-pdvdk 1/1 Running 1 (32h ago) 4d8h 10.244.0.5 kind-control-plane ``` @@ -111,9 +111,9 @@ font-family: Tahoma, Verdana, Arial, sans-serif; } working. Further configuration is required.

For online documentation and support please refer to -nginx.org.
+nginx.org.
Commercial support is available at -nginx.com.

+nginx.com.

Thank you for using nginx.

@@ -224,7 +224,7 @@ If we do a docker `exec` we can enter the container, we can also see the network ``` When we run `curl 172.18.0.2:32329` on the laptop it first needs to figure out where `172.18.0.2`, to do this it refers to the host routing table. ``` -sudo netstat -rn    main  +sudo netstat -rn   main Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 0.0.0.0 192.168.31.1 0.0.0.0 UG 0 0 0 ethbr0 @@ -337,7 +337,7 @@ minikube start Next we will get the Node IP. ``` -$ kubectl get no -o wide   +$ kubectl get no -o wide NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME minikube Ready control-plane,master 25d v1.23.3 192.168.39.57 Buildroot 2021.02.4 4.19.202 docker://20.10.12 ``` @@ -370,7 +370,7 @@ service/nginx-new exposed ``` Command: Now we can see that the service has been exposed. ``` -# kubectl get svc -o wide    main  +# kubectl get svc -o wide   main NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR kubernetes ClusterIP 10.96.0.1 443/TCP 25d nginx-minikube NodePort 10.97.44.4 80:32007/TCP 45h app=nginx-minikube @@ -404,9 +404,9 @@ font-family: Tahoma, Verdana, Arial, sans-serif; } working. Further configuration is required.

For online documentation and support please refer to -nginx.org.
+nginx.org.
Commercial support is available at -nginx.com.

+nginx.com.

Thank you for using nginx.

@@ -525,7 +525,7 @@ So, as we can see that kube proxy handles the network rules required to aid the Command: ``` -# minikube ssh   +# minikube ssh _ _ _ _ ( ) ( ) ___ ___ (_) ___ (_)| |/') _ _ | |_ __ diff --git a/NGINX_BASE b/NGINX_BASE index c87724e4ae..8b9cecca24 100644 --- a/NGINX_BASE +++ b/NGINX_BASE @@ -1 +1 @@ -registry.k8s.io/ingress-nginx/nginx:v2.1.1@sha256:248a0d3e77c244b5a5478ecf3163b1d8d8baf7a517aef46006d5b09c6f0bcf76 +registry.k8s.io/ingress-nginx/nginx:v2.2.8@sha256:1c31dc6ffa7427b7a2128ce66e356f3b0ff743b90494272612b1742c9326b8b2 diff --git a/README.md b/README.md index c4415824ed..c78f41f4f1 100644 --- a/README.md +++ b/README.md 
@@ -1,29 +1,39 @@ +# Ingress NGINX Retirement + +## Retiring + +[What You Need to Know about Ingress NGINX Retirement](https://www.kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/): + +* Best-effort maintenance will continue until March 2026. +* Afterward, there will be no further releases, no bugfixes, and no updates to resolve any security vulnerabilities that may be discovered. +* Existing deployments of Ingress NGINX will not be broken. + * Existing project artifacts such as Helm charts and container images will remain available. + # Ingress NGINX Controller [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5691/badge)](https://bestpractices.coreinfrastructure.org/projects/5691) [![Go Report Card](https://goreportcard.com/badge/github.com/kubernetes/ingress-nginx)](https://goreportcard.com/report/github.com/kubernetes/ingress-nginx) [![GitHub license](https://img.shields.io/github/license/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE) [![GitHub stars](https://img.shields.io/github/stars/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/stargazers) -[![GitHub stars](https://img.shields.io/badge/contributions-welcome-orange.svg)](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md) ## Overview -ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load +ingress-nginx was an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load balancer. [Learn more about Ingress on the Kubernetes documentation site](https://kubernetes.io/docs/concepts/services-networking/ingress/). -## Get started +## Usage warnings -See the [Getting Started](https://kubernetes.github.io/ingress-nginx/deploy/) document. +If you are not already using ingress-nginx, you should not be deploying it as it is [not being developed](#retiring). 
Instead you should identify a [Gateway API](https://gateway-api.sigs.k8s.io/guides/) implementation and use it. Do not use in multi-tenant Kubernetes production installations. This project assumes that users that can create Ingress objects are administrators of the cluster. See the [FAQ](https://kubernetes.github.io/ingress-nginx/faq/#faq) for more. ## Troubleshooting If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md), -[file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the -[#ingress-nginx channel](https://kubernetes.slack.com/messages/ingress-nginx) on the Kubernetes Slack server. +[search for an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the +[#ingress-nginx-users channel](https://kubernetes.slack.com/messages/ingress-nginx-users) on the Kubernetes Slack server. ## Changelog 
@@ -39,24 +49,48 @@ the versions listed. Ingress-Nginx versions **may** work on older versions, but | Supported | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | Helm Chart Version | | :-------: | --------------------- | ----------------------------- | -------------- | ------------- | ------------------ | -| 🔄 | **v1.12.2** | 1.32, 1.31, 1.30, 1.29, 1.28 | 3.21.3 | 1.25.5 | 4.12.2 | -| 🔄 | **v1.12.1** | 1.32, 1.31, 1.30, 1.29, 1.28 | 3.21.3 | 1.25.5 | 4.12.1 | -| 🔄 | **v1.12.0** | 1.32, 1.31, 1.30, 1.29, 1.28 | 3.21.0 | 1.25.5 | 4.12.0 | -| 🔄 | **v1.12.0-beta.0** | 1.32, 1.31, 1.30, 1.29, 1.28 | 3.20.3 | 1.25.5 | 4.12.0-beta.0 | -| 🔄 | **v1.11.6** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.21.3 | 1.25.5 | 4.11.6 | -| 🔄 | **v1.11.5** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.21.3 | 1.25.5 | 4.11.5 | -| 🔄 | **v1.11.4** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.21.0 | 1.25.5 | 4.11.4 | -| 🔄 | **v1.11.3** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.3 | 1.25.5 | 4.11.3 | -| 🔄 | **v1.11.2** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.11.2 | -| 🔄 | **v1.11.1** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.11.1 | -| 🔄 | **v1.11.0** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.11.0 | -| | **v1.10.6** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.21.0 | 1.25.5 | 4.10.6 | -| | **v1.10.5** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.3 | 1.25.5 | 4.10.5 | -| | **v1.10.4** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.4 | -| | **v1.10.3** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.3 | -| | **v1.10.2** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.2 | -| | **v1.10.1** | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.19.1 | 1.25.3 | 4.10.1 | -| | **v1.10.0** | 1.29, 1.28, 1.27, 1.26 | 3.19.1 | 1.25.3 | 4.10.0 | +| 🔄 | **v1.15.1** | 1.35, 1.34, 1.33, 1.32, 1.31 | 3.23.3 | 1.27.1 | 4.15.1 | +| 🔄 | **v1.15.0** | 1.35, 1.34, 1.33, 1.32, 1.31 | 3.23.3 | 1.27.1 | 4.15.0 | +| 🔄 | **v1.14.4** | 1.34, 1.33, 1.32, 1.31, 1.30 | 3.23.3 | 1.27.1 | 4.14.4 | +| 🔄 | 
**v1.14.3** | 1.34, 1.33, 1.32, 1.31, 1.30 | 3.23.2 | 1.27.1 | 4.14.3 | +| 🔄 | **v1.14.2** | 1.34, 1.33, 1.32, 1.31, 1.30 | 3.23.2 | 1.27.1 | 4.14.2 | +| 🔄 | **v1.14.1** | 1.34, 1.33, 1.32, 1.31, 1.30 | 3.22.2 | 1.27.1 | 4.14.1 | +| 🔄 | **v1.14.0** | 1.34, 1.33, 1.32, 1.31, 1.30 | 3.22.2 | 1.27.1 | 4.14.0 | +| 🔄 | **v1.13.8** | 1.33, 1.32, 1.31, 1.30, 1.29 | 3.23.3 | 1.27.1 | 4.13.8 | +| 🔄 | **v1.13.7** | 1.33, 1.32, 1.31, 1.30, 1.29 | 3.23.2 | 1.27.1 | 4.13.7 | +| 🔄 | **v1.13.6** | 1.33, 1.32, 1.31, 1.30, 1.29 | 3.23.2 | 1.27.1 | 4.13.6 | +| 🔄 | **v1.13.5** | 1.33, 1.32, 1.31, 1.30, 1.29 | 3.22.2 | 1.27.1 | 4.13.5 | +| 🔄 | **v1.13.4** | 1.33, 1.32, 1.31, 1.30, 1.29 | 3.22.2 | 1.27.1 | 4.13.4 | +| 🔄 | **v1.13.3** | 1.33, 1.32, 1.31, 1.30, 1.29 | 3.22.1 | 1.27.1 | 4.13.3 | +| 🔄 | **v1.13.2** | 1.33, 1.32, 1.31, 1.30, 1.29 | 3.22.1 | 1.27.1 | 4.13.2 | +| 🔄 | **v1.13.1** | 1.33, 1.32, 1.31, 1.30, 1.29 | 3.22.1 | 1.27.1 | 4.13.1 | +| 🔄 | **v1.13.0** | 1.33, 1.32, 1.31, 1.30, 1.29 | 3.22.0 | 1.27.1 | 4.13.0 | +| | v1.12.8 | 1.32, 1.31, 1.30, 1.29, 1.28 | 3.22.2 | 1.25.5 | 4.12.8 | +| | v1.12.7 | 1.32, 1.31, 1.30, 1.29, 1.28 | 3.22.1 | 1.25.5 | 4.12.7 | +| | v1.12.6 | 1.32, 1.31, 1.30, 1.29, 1.28 | 3.22.1 | 1.25.5 | 4.12.6 | +| | v1.12.5 | 1.32, 1.31, 1.30, 1.29, 1.28 | 3.22.1 | 1.25.5 | 4.12.5 | +| | v1.12.4 | 1.32, 1.31, 1.30, 1.29, 1.28 | 3.22.0 | 1.25.5 | 4.12.4 | +| | v1.12.3 | 1.32, 1.31, 1.30, 1.29, 1.28 | 3.21.3 | 1.25.5 | 4.12.3 | +| | v1.12.2 | 1.32, 1.31, 1.30, 1.29, 1.28 | 3.21.3 | 1.25.5 | 4.12.2 | +| | v1.12.1 | 1.32, 1.31, 1.30, 1.29, 1.28 | 3.21.3 | 1.25.5 | 4.12.1 | +| | v1.12.0 | 1.32, 1.31, 1.30, 1.29, 1.28 | 3.21.0 | 1.25.5 | 4.12.0 | +| | v1.12.0-beta.0 | 1.32, 1.31, 1.30, 1.29, 1.28 | 3.20.3 | 1.25.5 | 4.12.0-beta.0 | +| | v1.11.8 | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.22.0 | 1.25.5 | 4.11.8 | +| | v1.11.7 | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.21.3 | 1.25.5 | 4.11.7 | +| | v1.11.6 | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.21.3 | 1.25.5 | 4.11.6 | +| | v1.11.5 | 
1.30, 1.29, 1.28, 1.27, 1.26 | 3.21.3 | 1.25.5 | 4.11.5 | +| | v1.11.4 | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.21.0 | 1.25.5 | 4.11.4 | +| | v1.11.3 | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.3 | 1.25.5 | 4.11.3 | +| | v1.11.2 | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.11.2 | +| | v1.11.1 | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.11.1 | +| | v1.11.0 | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.11.0 | +| | v1.10.6 | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.21.0 | 1.25.5 | 4.10.6 | +| | v1.10.5 | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.3 | 1.25.5 | 4.10.5 | +| | v1.10.4 | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.4 | +| | v1.10.3 | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.3 | +| | v1.10.2 | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.20.0 | 1.25.5 | 4.10.2 | +| | v1.10.1 | 1.30, 1.29, 1.28, 1.27, 1.26 | 3.19.1 | 1.25.3 | 4.10.1 | +| | v1.10.0 | 1.29, 1.28, 1.27, 1.26 | 3.19.1 | 1.25.3 | 4.10.0 | | | v1.9.6 | 1.29, 1.28, 1.27, 1.26, 1.25 | 3.19.0 | 1.21.6 | 4.9.1 | | | v1.9.5 | 1.28, 1.27, 1.26, 1.25 | 3.18.4 | 1.21.6 | 4.9.0 | | | v1.9.4 | 1.28, 1.27, 1.26, 1.25 | 3.18.4 | 1.21.6 | 4.8.3 | @@ -70,8 +104,8 @@ the versions listed. Ingress-Nginx versions **may** work on older versions, but | | v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† | 4.3.0 | | | v1.3.1 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2 | 1.19.10† | 4.2.5 | -See [this article](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) if you want upgrade to the stable -Ingress API. +See [Updating NGINX-Ingress to use the stable Ingress API (July 26, 2021)](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) +to upgrade to the stable Ingress API before upgrading to Kubernetes 1.22. ## Get Involved 
@@ -79,19 +113,18 @@ Thanks for taking the time to join our community and start contributing! - This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md). By participating in this project, you agree to abide by its terms. -- **Contributing**: Contributions of all kinds are welcome! +- **Contributing**: Documentation contributions are welcome. - - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we - expect, and instructions on the developer certificate of origin that we require. + - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about the workflow that we + expect and instructions on the developer certificate of origin that we require. - Join our Kubernetes Slack channel for developer discussion : [#ingress-nginx-dev](https://kubernetes.slack.com/archives/C021E147ZA4). - - Submit GitHub issues for any feature enhancements, bugs, or documentation problems. + - Submit GitHub issues for documentation problems. - Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**. - - Join our [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w) + - **Support**: - Join the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel inside the [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions or get support from the maintainers and other users. - The [GitHub issues](https://github.com/kubernetes/ingress-nginx/issues) in the repository are **exclusively** for bug reports and feature requests. - - **Discuss**: Tweet using the `#IngressNginx` hashtag or sharing with us [@IngressNginx](https://twitter.com/IngressNGINX). ## License 
diff --git a/TAG b/TAG index 41de27dfab..5257626a69 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -v1.12.2 +v1.15.1 diff --git a/build/dev-env.sh b/build/dev-env.sh index f1b170916a..500293edb7 100755 --- a/build/dev-env.sh +++ b/build/dev-env.sh @@ -64,7 +64,7 @@ echo "[dev-env] building image" make build image docker tag "${REGISTRY}/controller:${TAG}" "${DEV_IMAGE}" -export K8S_VERSION=${K8S_VERSION:-v1.33.1@sha256:050072256b9a903bd914c0b2866828150cb229cea0efe5892e2b644d5dd3b34f} +export K8S_VERSION=${K8S_VERSION:-v1.35.1@sha256:05d7bcdefbda08b4e038f644c4df690cdac3fba8b06f8289f30e10026720a1ab} KIND_CLUSTER_NAME="ingress-nginx-dev" diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index b55323ec01..eaa670fe01 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh @@ -41,7 +41,7 @@ function cleanup { } trap cleanup EXIT -E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v2.1.1@sha256:01201e647bae6c805c00e1b532734c48798c4577bde12ccfb3eca3c0d00b10fd} +E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v2.2.9@sha256:6eda6a8d17ff65c5af647abb0714b882047b77d18161712d77daf5f610fd4020} if [[ "$RUNTIME" == podman ]]; then # Podman does not support both tag and digest @@ -79,7 +79,7 @@ if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then echo "..reached DIND check TRUE block, inside run-in-docker.sh" echo "FLAGS=$FLAGS" #go env - go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.23.4 + go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.28.1 find / -type f -name ginkgo 2>/dev/null which ginkgo /bin/bash -c "${FLAGS}" diff --git a/changelog/controller-1.11.7.md b/changelog/controller-1.11.7.md new file mode 100644 index 0000000000..db17634d10 --- /dev/null +++ b/changelog/controller-1.11.7.md 
@@ -0,0 +1,53 @@
+# Changelog
+
+### controller-v1.11.7
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.7@sha256:016a25cf89bf7f930869ccd7cb3dd4acbe106cd4da1419804951ef9c8636f053
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.7@sha256:62d251b0e402fd4b3b06196c9a8c5639f9eba06999499851d1b449fe4be562b1
+
+### All changes:
+
+* Images: Trigger controller build. (#13465)
+* Chart: Bump Kube Webhook CertGen. (#13462)
+* Tests & Docs: Bump images. (#13461)
+* Docs: Add OpenTelemetry defaults. (#13456)
+* Images: Trigger other builds (2/2). (#13443)
+* Images: Trigger other builds (1/2). (#13440)
+* Tests: Bump Test Runner to v1.3.5. (#13437)
+* Images: Trigger Test Runner build. (#13433)
+* Lua: Fix `ExternalName` services without endpoints. (#13430)
+* Images: Bump NGINX to v0.3.5. (#13428)
+* Images: Trigger NGINX build. (#13425)
+* Go: Update dependencies. (#13421)
+* Images: Build Go gRPC Greeter Server from scratch. (#13410)
+* Chart: Remove validation for removed API. (#13408)
+* Go: Update dependencies. (#13400)
+* Images: Bump GCB Docker GCloud to v20250513-9264efb079. (#13397)
+* CI: Update Kubernetes. (#13396)
+* Fix 🐛: Markdown requires nested content inside a list item to be indented (#13391)
+* Tests: Bump Test Runner to v1.3.4. (#13356)
+* Images: Trigger Test Runner build. (#13349)
+* Go: Bump to v1.24.3. (#13343)
+* Images: Bump NGINX to v0.3.4. (#13347)
+* Images: Trigger NGINX build. (#13340)
+* Go: Update dependencies. (#13328)
+* Go: Update dependencies. (#13323)
+
+### Dependency updates:
+
+* Bump ossf/scorecard-action from 2.4.1 to 2.4.2 in the actions group (#13452)
+* Bump the go group across 2 directories with 1 update (#13418)
+* Bump sigs.k8s.io/controller-runtime from 0.20.4 to 0.21.0 (#13416)
+* Bump the actions group with 3 updates (#13387)
+* Bump github.com/prometheus/common from 0.63.0 to 0.64.0 (#13385)
+* Bump the go group across 4 directories with 10 updates (#13383)
+* Bump golang.org/x/crypto from 0.37.0 to 0.38.0 (#13369)
+* Bump the actions group with 2 updates (#13368)
+* Bump golang.org/x/oauth2 from 0.29.0 to 0.30.0 (#13364)
+* Bump dario.cat/mergo from 1.0.1 to 1.0.2 in the go group across 1 directory (#13366)
+* Bump github/codeql-action from 3.28.16 to 3.28.17 in the actions group (#13335)
+* Bump golangci/golangci-lint-action from 7.0.0 to 8.0.0 (#13333)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.6...controller-v1.11.7
diff --git a/changelog/controller-1.11.8.md b/changelog/controller-1.11.8.md
new file mode 100644
index 0000000000..db76e5d075
--- /dev/null
+++ b/changelog/controller-1.11.8.md
@@ -0,0 +1,43 @@
+# Changelog
+
+### controller-v1.11.8
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.8@sha256:695d79381ee6af00c7f5c9fd434f50851d7d32838ad5b2c507e416cf2084fc79
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.8@sha256:aa8719c133a0b491586341aa19d3ec9afe61bb6210cb295e752df1daa31f2df1
+
+### All changes:
+
+* Images: Trigger controller build. (#13587)
+* Chart: Bump Kube Webhook CertGen. (#13584)
+* Tests & Docs: Bump images. (#13583)
+* Images: Trigger other builds (2/2). (#13572)
+* Images: Trigger other builds (1/2). (#13569)
+* Tests: Bump Test Runner to v1.4.0. (#13563)
+* Images: Trigger Test Runner build. (#13561)
+* Images: Bump NGINX to v0.4.0. (#13558)
+* Images: Trigger NGINX build. (#13553)
+* Go: Update dependencies. (#13550)
+* Go: Update dependencies. (#13544)
+* CI: Update Kubernetes to v1.33.2. (#13541)
+* NGINX: Bump to OpenResty v1.25.3.2. (#13531)
+* Go: Update dependencies. (#13522)
+* Docs: Fix function names in comments. (#13519)
+* Go: Update dependencies. (#13512)
+* Go: Bump to v1.24.4. (#13495)
+* Images: Bump Alpine to v3.22. (#13492)
+* Images: Update LuaRocks to v3.12.0. (#13489)
+* Images: Fix LuaRocks. (#13478)
+
+### Dependency updates:
+
+* Bump github/codeql-action from 3.29.0 to 3.29.1 in the actions group (#13578)
+* Bump docker/setup-buildx-action from 3.10.0 to 3.11.1 in the actions group (#13547)
+* Bump github/codeql-action from 3.28.19 to 3.29.0 in the actions group (#13527)
+* Bump google.golang.org/grpc from 1.72.2 to 1.73.0 (#13509)
+* Bump google.golang.org/grpc from 1.72.2 to 1.73.0 in /images/go-grpc-greeter-server/rootfs (#13507)
+* Bump golang.org/x/crypto from 0.38.0 to 0.39.0 (#13505)
+* Bump the actions group with 2 updates (#13503)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.7...controller-v1.11.8
diff --git a/changelog/controller-1.12.3.md b/changelog/controller-1.12.3.md
new file mode 100644
index 0000000000..2e962bfdfa
--- /dev/null
+++ b/changelog/controller-1.12.3.md
@@ -0,0 +1,53 @@
+# Changelog
+
+### controller-v1.12.3
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.12.3@sha256:ac444cd9515af325ba577b596fe4f27a34be1aa330538e8b317ad9d6c8fb94ee
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.3@sha256:d830fba93e9e0f5ef1462f5fe8a7cd7b167178b79e6c10c041c7da19f1ac66ab
+
+### All changes:
+
+* Images: Trigger controller build. (#13464)
+* Chart: Bump Kube Webhook CertGen. (#13460)
+* Tests & Docs: Bump images. (#13459)
+* Docs: Add OpenTelemetry defaults. (#13455)
+* Images: Trigger other builds (2/2). (#13442)
+* Images: Trigger other builds (1/2). (#13439)
+* Tests: Bump Test Runner to v1.3.5. (#13436)
+* Images: Trigger Test Runner build. (#13432)
+* Lua: Fix `ExternalName` services without endpoints. (#13429)
+* Images: Bump NGINX to v1.2.5. (#13427)
+* Images: Trigger NGINX build. (#13424)
+* Go: Update dependencies. (#13420)
+* Images: Build Go gRPC Greeter Server from scratch. (#13409)
+* Chart: Remove validation for removed API. (#13407)
+* Go: Update dependencies. (#13399)
+* Images: Bump GCB Docker GCloud to v20250513-9264efb079. (#13395)
+* CI: Update Kubernetes. (#13394)
+* Fix 🐛: Markdown requires nested content inside a list item to be indented (#13390)
+* Tests: Bump Test Runner to v1.3.4. (#13355)
+* Images: Trigger Test Runner build. (#13350)
+* Go: Bump to v1.24.3. (#13342)
+* Images: Bump NGINX to v1.2.4. (#13346)
+* Images: Trigger NGINX build. (#13339)
+* Go: Update dependencies. (#13327)
+* Go: Update dependencies. (#13322)
+
+### Dependency updates:
+
+* Bump ossf/scorecard-action from 2.4.1 to 2.4.2 in the actions group (#13451)
+* Bump the go group across 2 directories with 1 update (#13417)
+* Bump sigs.k8s.io/controller-runtime from 0.20.4 to 0.21.0 (#13415)
+* Bump the actions group with 3 updates (#13386)
+* Bump github.com/prometheus/common from 0.63.0 to 0.64.0 (#13384)
+* Bump the go group across 4 directories with 10 updates (#13382)
+* Bump golang.org/x/crypto from 0.37.0 to 0.38.0 (#13370)
+* Bump the actions group with 2 updates (#13367)
+* Bump golang.org/x/oauth2 from 0.29.0 to 0.30.0 (#13363)
+* Bump dario.cat/mergo from 1.0.1 to 1.0.2 in the go group across 1 directory (#13365)
+* Bump github/codeql-action from 3.28.16 to 3.28.17 in the actions group (#13336)
+* Bump golangci/golangci-lint-action from 7.0.0 to 8.0.0 (#13334)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.12.2...controller-v1.12.3
diff --git a/changelog/controller-1.12.4.md b/changelog/controller-1.12.4.md
new file mode 100644
index 0000000000..cb4e9160f6
--- /dev/null
+++ b/changelog/controller-1.12.4.md
@@ -0,0 +1,43 @@
+# Changelog
+
+### controller-v1.12.4
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.12.4@sha256:05890cb25d37aa5cfe086614104f798f55e1eeec8dda26d9fd6f6acf0e1554a0
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.4@sha256:0873534e85a765ef4958ba4fbc5c970a3644dca0f5eee7caff93d830b9a8bb8b
+
+### All changes:
+
+* Images: Trigger controller build. (#13586)
+* Chart: Bump Kube Webhook CertGen. (#13582)
+* Tests & Docs: Bump images. (#13581)
+* Images: Trigger other builds (2/2). (#13571)
+* Images: Trigger other builds (1/2). (#13574)
+* Tests: Bump Test Runner to v1.4.0. (#13562)
+* Images: Trigger Test Runner build. (#13560)
+* Images: Bump NGINX to v1.3.0. (#13557)
+* Images: Trigger NGINX build. (#13552)
+* Go: Update dependencies. (#13549)
+* Go: Update dependencies. (#13543)
+* CI: Update Kubernetes to v1.33.2. (#13540)
+* NGINX: Bump to OpenResty v1.25.3.2. (#13530)
+* Go: Update dependencies. (#13521)
+* Docs: Fix function names in comments. (#13518)
+* Go: Update dependencies. (#13511)
+* Go: Bump to v1.24.4. (#13494)
+* Images: Bump Alpine to v3.22. (#13491)
+* Images: Update LuaRocks to v3.12.0. (#13487)
+* Images: Fix LuaRocks. (#13477)
+
+### Dependency updates:
+
+* Bump github/codeql-action from 3.29.0 to 3.29.1 in the actions group (#13577)
+* Bump docker/setup-buildx-action from 3.10.0 to 3.11.1 in the actions group (#13546)
+* Bump github/codeql-action from 3.28.19 to 3.29.0 in the actions group (#13526)
+* Bump google.golang.org/grpc from 1.72.2 to 1.73.0 (#13508)
+* Bump google.golang.org/grpc from 1.72.2 to 1.73.0 in /images/go-grpc-greeter-server/rootfs (#13506)
+* Bump golang.org/x/crypto from 0.38.0 to 0.39.0 (#13504)
+* Bump the actions group with 2 updates (#13502)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.12.3...controller-v1.12.4
diff --git a/changelog/controller-1.12.5.md b/changelog/controller-1.12.5.md
new file mode 100644
index 0000000000..54b861bb3d
--- /dev/null
+++ b/changelog/controller-1.12.5.md
@@ -0,0 +1,56 @@
+# Changelog
+
+### controller-v1.12.5
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.12.5@sha256:f4a204a39ce99e7d297c54b02e64e421d872675c5ee29ab1b6edb62d4d69be5c
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.5@sha256:5bee417e81f5478b166e35b66b62824275fba150cb737adf665ba05c61ff4632
+
+### All changes:
+
+* Images: Trigger controller build. (#13768)
+* Chart: Bump Kube Webhook CertGen. (#13764)
+* Tests & Docs: Bump images. (#13763)
+* Go: Update dependencies. (#13751)
+* Images: Remove redundant ModSecurity-nginx patch. (#13748)
+* Tests: Add `ssl-session-*` config values tests. (#13746)
+* Docs: Bump mkdocs to v9.6.16, fix links. (#13744)
+* Docs: Fix default config values and links. (#13739)
+* Images: Trigger other builds (2/2). (#13734)
+* Images: Trigger other builds (1/2). (#13733)
+* Tests: Bump Test Runner to v1.4.1. (#13728)
+* Images: Trigger Test Runner build. (#13723)
+* Go: Bump to v1.24.6. (#13720)
+* Images: Bump NGINX to v1.3.1. (#13717)
+* Images: Trigger NGINX build. (#13712)
+* Annotations: Quote auth proxy headers. (#13709)
+* Go: Update dependencies. (#13702)
+* CI: Fix typo. (#13699)
+* Chart: Push to OCI registry. (#13696)
+* Docs: Remove `X-XSS-Protection` header from hardening guide. (#13687)
+* Controller: Fix nil pointer in path validation. (#13682)
+* Go: Update dependencies. (#13677)
+* NGINX: Disable mimalloc's architecture specific optimizations. (#13670)
+* Controller: Fix SSL session ticket path. (#13668)
+* Docs: Use HTTPS for NGINX links. (#13664)
+* Docs: Fix links and formatting in user guide. (#13662)
+* Make: Add `helm-test` target. (#13660)
+* Docs: Update prerequisites in `getting-started.md`. (#13658)
+* Hack: Bump `golangci-lint` to v2.3.0. (#13656)
+* CI: Update KIND to v1.33.2. (#13648)
+* Docs: Improve `opentelemetry-trust-incoming-span`. (#13637)
+* Go: Update dependencies. (#13626)
+* CI: Update Kubernetes to v1.33.3. (#13632)
+* Go: Bump to v1.24.5. (#13631)
+* Bye bye, v1.11. (#13616)
+
+### Dependency updates:
+
+* Bump the actions group with 3 updates (#13757)
+* Bump actions/download-artifact from 4.3.0 to 5.0.0 (#13756)
+* Bump github/codeql-action from 3.29.3 to 3.29.5 in the actions group (#13707)
+* Bump github/codeql-action from 3.29.2 to 3.29.3 in the actions group across 1 directory (#13644)
+* Bump the actions group with 3 updates (#13641)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.12.4...controller-v1.12.5
diff --git a/changelog/controller-1.12.6.md b/changelog/controller-1.12.6.md
new file mode 100644
index 0000000000..b2728f98a8
--- /dev/null
+++ b/changelog/controller-1.12.6.md
@@ -0,0 +1,43 @@
+# Changelog
+
+### controller-v1.12.6
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.12.6@sha256:c371fbf42b4f23584ce879d99303463131f4f31612f0875482b983354eeca7e6
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.6@sha256:7ff9cdb081b18f9431b84d4c3ccd3db9d921ed5f5b7682a45f6a351bfc4ceed4
+
+### All changes:
+
+* Images: Trigger controller build. (#13864)
+* Metrics: Fix `nginx_ingress_controller_config_last_reload_successful`. (#13859)
+* Chart: Bump Kube Webhook CertGen. (#13858)
+* Tests & Docs: Bump images. (#13857)
+* Docs: Remove `datadog` ConfigMap options. (#13852)
+* Images: Trigger other builds (2/2). (#13849)
+* Images: Trigger other builds (1/2). (#13848)
+* Tests: Bump Test Runner to v1.4.2. (#13843)
+* Images: Trigger Test Runner build. (#13840)
+* Images: Bump NGINX to v1.3.2. (#13837)
+* Images: Trigger NGINX build. (#13834)
+* Go: Update dependencies. (#13829)
+* Annotations/AuthTLS: Allow named redirects. (#13820)
+* Tests: Bump Ginkgo to v2.25.1. (#13817)
+* Docs: Replace no-break spaces (U+A0). (#13814)
+* Tests: Bump Ginkgo to v2.25.0. (#13808)
+* Tests: Bump Ginkgo to v2.24.0. (#13803)
+* Ingresses: Allow `.` in `Exact` and `Prefix` paths. (#13800)
+* Tests: Enable default backend access logging tests. (#13789)
+* Security: Harden socket creation and validate error code input. (#13786)
+* Tests: Enhance SSL Proxy. (#13784)
+* Chores: Migrate deprecated `wait.Poll*` to context-aware equivalents. (#13782)
+* Go: Update dependencies. (#13779)
+* CI: Update Kubernetes to v1.33.4. (#13777)
+
+### Dependency updates:
+
+* Bump the actions group with 3 updates (#13826)
+* Bump actions/checkout from 4.3.0 to 5.0.0 (#13797)
+* Bump the actions group with 2 updates (#13795)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.12.5...controller-v1.12.6
diff --git a/changelog/controller-1.12.7.md b/changelog/controller-1.12.7.md
new file mode 100644
index 0000000000..a75423bef3
--- /dev/null
+++ b/changelog/controller-1.12.7.md
@@ -0,0 +1,50 @@
+# Changelog
+
+### controller-v1.12.7
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.12.7@sha256:6ca5f62d18ac6b2e57484ecde310dccd3079b545acecff01c4c71eb5fb222438
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.7@sha256:1d20779a1f805fa2820a2631929fb53da59cb9ce023395fae681a60b17ed771f
+
+### All changes:
+
+* Images: Trigger controller build. (#13985)
+* Chart: Bump Kube Webhook CertGen. (#13983)
+* Tests & Docs: Bump images. (#13982)
+* Images: Trigger other builds (2/2). (#13977)
+* Images: Trigger other builds (1/2). (#13976)
+* Tests: Bump Test Runner to v1.4.3. (#13965)
+* Images: Trigger Test Runner build. (#13962)
+* Go: Update dependencies. (#13956)
+* Images: Bump NGINX to v1.3.3. (#13959)
+* Images: Trigger NGINX build. (#13953)
+* Docs: Update link to Kubernetes controller documentation. (#13947)
+* Go: Update dependencies. (#13936)
+* CI: Update Helm to v3.19.0. (#13939)
+* Plugin: Change `rewriteTargetWithoutCaptureGroup` lint to include any numbered capture group. (#13933)
+* Go: Update dependencies. (#13929)
+* CI: Update Kubernetes to v1.34.1. (#13926)
+* Go: Update dependencies. (#13909)
+* Tests: Bump Ginkgo to v2.25.3. (#13904)
+* Go: Update dependencies. (#13901)
+* Go: Bump to v1.25.1. (#13898)
+* GitHub: Remove 'Stale Issues and PRs' workflow. (#13893)
+* Go: Update dependencies. (#13890)
+* Tests: Bump Ginkgo to v2.25.2. (#13886)
+* CI: Update Helm to v3.18.6. (#13883)
+* CI: Update Kubernetes to v1.34.0. (#13880)
+* CI: Update KIND to v1.34.0. (#13879)
+* Go: Bump to v1.25.0. (#13874)
+* Images: Use Alpine v3.22.1. (#13871)
+
+### Dependency updates:
+
+* Bump docker/login-action from 3.5.0 to 3.6.0 in the actions group across 1 directory (#13996)
+* Bump the actions group with 2 updates (#13990)
+* Bump github/codeql-action from 3.30.1 to 3.30.3 in the actions group (#13941)
+* Bump actions/setup-go from 5.5.0 to 6.0.0 (#13919)
+* Bump the actions group with 3 updates (#13917)
+* Bump actions/setup-python from 5.6.0 to 6.0.0 (#13915)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.12.6...controller-v1.12.7
diff --git a/changelog/controller-1.12.8.md b/changelog/controller-1.12.8.md
new file mode 100644
index 0000000000..4159dab5d9
--- /dev/null
+++ b/changelog/controller-1.12.8.md
@@ -0,0 +1,43 @@
+# Changelog
+
+### controller-v1.12.8
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.12.8@sha256:8f8343060688fb2a85752b7345a988d0d3c890d774e18e80b9e8730756e5b530
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.8@sha256:07c743429b823dfba7c2e5d399351ef0e43816abab48343ca7c01d00fd6517e3
+
+### All changes:
+
+* GitHub: Bump Chart Testing action. (#14117)
+* Images: Trigger controller build. (#14108)
+* Annotations: Respect changes to `auth-proxy-set-headers`. (#14105)
+* Images: Bump other images. (#14101)
+* Images: Trigger other builds (2/2). (#14096)
+* Images: Trigger other builds (1/2). (#14095)
+* Tests: Bump Test Runner to v1.4.4. (#14076)
+* Images: Trigger Test Runner build. (#14072)
+* Images: Bump NGINX to v1.3.4. (#14068)
+* Images: Trigger NGINX build. (#14065)
+* Store: Handle panics in service deletion handler. (#14058)
+* Go: Bump to v1.25.3. (#14045)
+* Go: Update dependencies. (#14028)
+* Images: Bump Alpine to v3.22.2. (#14025)
+* Go: Bump to v1.25.2. (#14021)
+* Go: Update dependencies. (#14013)
+* Controller: Fix `limit_req_zone` sorting. (#14007)
+* Annotations: Fix log format. (#14003)
+
+### Dependency updates:
+
+* Bump actions/download-artifact from 5.0.0 to 6.0.0 (#14086)
+* Bump github/codeql-action from 4.30.9 to 4.31.0 in the actions group (#14085)
+* Bump actions/upload-artifact from 4.6.2 to 5.0.0 (#14083)
+* Bump github.com/onsi/ginkgo/v2 from 2.26.0 to 2.27.1 (#14062)
+* Bump github/codeql-action from 4.30.8 to 4.30.9 in the actions group (#14054)
+* Bump sigs.k8s.io/controller-runtime from 0.22.2 to 0.22.3 in the go group across 1 directory (#14040)
+* Bump actions/dependency-review-action from 4.8.0 to 4.8.1 in the actions group (#14037)
+* Bump github/codeql-action from 3.30.6 to 4.30.8 (#14035)
+* Bump the actions group with 2 updates (#14016)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.12.7...controller-v1.12.8
diff --git a/changelog/controller-1.13.0.md b/changelog/controller-1.13.0.md
new file mode 100644
index 0000000000..0d9c192d75
--- /dev/null
+++ b/changelog/controller-1.13.0.md
@@ -0,0 +1,239 @@ +# Changelog + +### controller-v1.13.0 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.13.0@sha256:dc75a7baec7a3b827a5d7ab0acd10ab507904c7dad692365b3e3b596eca1afd2 +* registry.k8s.io/ingress-nginx/controller-chroot:v1.13.0@sha256:af6264394cfa61d21f644d87372823064804e64de737b0747e86c86348b29c9f + +### All changes: + +* Images: Trigger controller build. (#13585) +* Chart: Bump Kube Webhook CertGen. (#13580) +* Tests & Docs: Bump images. (#13579) +* Images: Trigger other builds (2/2). (#13570) +* Images: Trigger other builds (1/2). (#13567) +* Tests: Bump Test Runner to v2.2.0. (#13564) +* Images: Trigger Test Runner build. (#13559) +* Images: Bump NGINX to v2.2.0. (#13556) +* Images: Trigger NGINX build. (#13554) +* Go: Update dependencies. (#13548) +* Go: Update dependencies. (#13542) +* CI: Update Kubernetes to v1.33.2. (#13539) +* NGINX: Bump to OpenResty v1.27.1.2. (#13524) +* Go: Update dependencies. (#13520) +* Docs: Fix function names in comments. (#13517) +* Chart: Add `activeDeadlineSeconds`. (#13497) +* Go: Update dependencies. (#13510) +* Go: Bump to v1.24.4. (#13493) +* Images: Bump Alpine to v3.22. (#13490) +* Images: Update LuaRocks to v3.12.0. (#13486) +* Images: Fix LuaRocks. (#13476) +* Release controller v1.12.3/v1.11.7 & chart v4.12.3/v4.11.7. (#13470) +* Images: Trigger controller build. (#13463) +* Chart: Bump Kube Webhook CertGen. (#13458) +* Tests & Docs: Bump images. (#13457) +* Docs: Add OpenTelemetry defaults. (#13454) +* Images: Trigger other builds (2/2). (#13441) +* Images: Trigger other builds (1/2). (#13438) +* Tests: Bump Test Runner to v2.1.1. (#13435) +* Images: Trigger Test Runner build. (#13431) +* NGINX: Correctly determine client IP. (#12768) +* Lua: Fix `ExternalName` services without endpoints. (#13154) +* Images: Bump NGINX to v2.1.1. (#13426) +* Controller: Add traffic distribution support. (#12974) +* NGINX: Add X-Original-Forwarded-Host header. (#12999) +* Images: Trigger NGINX build. 
(#13423) +* Go: Update dependencies. (#13419) +* Images: Build Go gRPC Greeter Server from scratch. (#13405) +* Chart: Remove validation for removed API. (#13406) +* Go: Update dependencies. (#13398) +* Images: Bump GCB Docker GCloud to v20250513-9264efb079. (#13393) +* CI: Update Kubernetes. (#13392) +* Fix 🐛: Markdown requires nested content inside a list item to be indented (#13388) +* Chart: Implement `runtimeClassName`. (#13381) +* Tests: Bump Test Runner to v2.1.0. (#13354) +* Images: Trigger Test Runner build. (#13348) +* Go: Bump to v1.24.3. (#13341) +* Images: Bump NGINX to v2.1.0. (#13345) +* Images: Trigger NGINX build. (#13337) +* NGINX: Add NJS. (#13324) +* Go: Update dependencies. (#13326) +* Go: Update dependencies. (#13321) +* Release controller v1.12.2/v1.11.6 & chart v4.12.2/v4.11.6. (#13318) +* Chart: Bump Kube Webhook CertGen. (#13310) +* Tests & Docs: Bump images. (#13307) +* Images: Trigger other builds (2/2). (#13292) +* Images: Trigger other builds (1/2). (#13289) +* Tests: Bump Test Runner to v2.0.3. (#13286) +* Go: Update dependencies. (#13282) +* Images: Trigger Test Runner build. (#13268) +* Images: Bump NGINX to v2.0.3. (#13265) +* Images: Trigger NGINX build. (#13261) +* Go: Update dependencies. (#13257) +* CI: Update Kubernetes to v1.32.4. (#13254) +* Docs: How to modify NLB TCP timeout. (#13242) +* Go: Update dependencies. (#13245) +* Docs: Improve formatting in `monitoring.md`. (#13239) +* Docs: Enable metrics in manifest-based deployments. (#13171) +* Tests: Bump Test Runner to v2.0.2. (#13232) +* Images: Trigger Test Runner build. (#13224) +* Images: Bump `NGINX_BASE` to v2.0.2. (#13221) +* Images: Trigger NGINX build. (#13218) +* Go: Update dependencies. (#13209) +* Docs: Fix link in installation instructions. (#13190) +* Go: Update dependencies. (#13147) +* Go: Bump to v1.24.2. (#13146) +* Annotations: Allow ciphers with underscores. (#13110) +* CI: Do not fail fast. (#13120) +* Images: Fix FromAsCasing. 
(#13117) +* Images: Extract modules. (#13114) +* Plugin: Improve error handling. (#13102) +* Docs: Fix OpenTelemetry listing. (#13106) +* Tests: Fallback to `yq`. (#13079) +* Go: Fix Mage. (#13077) +* Release controller v1.12.1/v1.11.5 & chart v4.12.1/v4.11.5. (#13075) +* Controller: Several security fixes. (#13068) +* Chart: Bump Kube Webhook CertGen. (#13063) +* Tests & Docs: Bump images. (#13062) +* Images: Trigger other builds (2/2). (#13057) +* Images: Trigger other builds (1/2). (#13056) +* Tests: Bump Test Runner to v2.0.1. (#13047) +* Images: Trigger Test Runner build. (#13043) +* Images: Bump `NGINX_BASE` to v2.0.1. (#13042) +* Images: Trigger NGINX build. (#13038) +* Go: Update dependencies. (#13035) +* CI: Update KIND to v1.32.3. (#13022) +* CI: Update Kubernetes to v1.32.3. (#13021) +* Images: Rework. (3/3) (#13010) +* Images: Rework. (2/3) (#13013) +* Images: Rework. (1/3) (#13008) +* Custom Error Pages: Accept first of many MIME types. (#13005) +* Docs: Use `enable-global-auth` annotation instead of non-existing ConfigMap option. (#12976) +* Go: Update dependencies. (#12962) +* Docs: Update link to `values.yaml`. (#12947) +* fix DNS issues with unresolvable backends with ExternalName (#10989) +* Go: Bump to v1.24.1. (#12935) +* CI: Update KIND images. (#12907) +* Test: Remove gRPC Fortune Teller. (#12928) +* Chart: Add `controller.admissionWebhooks.certManager.*.revisionHistoryLimit`. (#12906) +* NGINX: Update ModSecurity. (#12914) +* Development: Update KIND images. (#12908) +* Network: Rework IPv6 check. (#12905) +* Config: Remove notes about future defaults. (#12896) +* Images: Update `kubectl` to v1.32.2. (#12845) +* Development: Update Kubernetes to v1.32.0. (#12848) +* CI: Update `kubectl` to v1.32.2. (#12844) +* Images: Migrate to AR. (2/2) (#12840) +* Images: Migrate to AR. (1/2) (#12839) +* Docs: Migrate to AR. (#12807) +* Docs: Enable code copy button. (#12804) +* Go: Bump to v1.23.6. (#12799) +* CI: Update Artifact Hub to v1.20.0. 
(#12785) +* Images: Update `kubectl` to v1.31.5. (#12788) +* CI: Update `kubectl` to v1.31.5. (#12786) +* Development: Bump Kubernetes to v1.31.4. (#12782) +* Go: Replace `golang.org/x/exp/slices` with `slices`. (#12779) +* Docs: Fix character format. (#12770) +* Docs: Improve bare-metal setup. (#12743) +* Chart: Add `controller.service.external.labels` & `controller.service.internal.labels`. (#12704) +* Build: Always use local `tmp` dir on macOS. (#12734) +* Development: Bump Kubernetes to v1.31.4. (#12733) +* Images: Bump `gcb-docker-gcloud` to v20250116-2a05ea7e3d. (#12718) +* Go: Bump to v1.23.5. (#12717) +* Docs: Clarify rate limits are per ingress controller replica. (#12714) +* Go: Stop using workspace. (#12703) +* Chart: Bump Kube Webhook CertGen. (#12693) +* Tests & Docs: Bump images. (#12692) +* Images: Trigger other builds (2/2). (#12689) +* Images: Trigger other builds (1/2). (#12686) +* Tests: Bump Test Runner to v20250112-a188f4eb. (#12683) +* Images: Trigger Test Runner build. (#12680) +* Images: Bump `NGINX_BASE` to v2.0.0. (#12676) +* Images: Trigger NGINX build. (#12672) +* NGINX: Align quotes. (#12669) +* Annotations: Deny newlines. (#12640) +* Chart: Add `controller.service.trafficDistribution`. (#12571) +* NGINX: Bump to OpenResty v1.27.1.1. (#12229) +* Annotations: Reload on custom header changes. (#11709) +* NGINX: Bump ModSecurity. (#12641) +* NGINX: Bump OpenTelemetry. (#12371) +* NGINX: Remove unused substitutions module. 
(#12449) + +### Dependency updates: + +* Bump github/codeql-action from 3.29.0 to 3.29.1 in the actions group (#13576) +* Bump docker/setup-buildx-action from 3.10.0 to 3.11.1 in the actions group (#13545) +* Bump github/codeql-action from 3.28.19 to 3.29.0 in the actions group (#13525) +* Bump google.golang.org/grpc from 1.72.2 to 1.73.0 (#13499) +* Bump google.golang.org/grpc from 1.72.2 to 1.73.0 in /images/go-grpc-greeter-server/rootfs (#13501) +* Bump golang.org/x/crypto from 0.38.0 to 0.39.0 (#13500) +* Bump the actions group with 2 updates (#13498) +* Bump ossf/scorecard-action from 2.4.1 to 2.4.2 in the actions group (#13449) +* Bump the go group across 2 directories with 1 update (#13413) +* Bump sigs.k8s.io/controller-runtime from 0.20.4 to 0.21.0 (#13412) +* Bump the actions group with 3 updates (#13379) +* Bump github.com/prometheus/common from 0.63.0 to 0.64.0 (#13378) +* Bump the go group across 4 directories with 10 updates (#13377) +* Bump golang.org/x/crypto from 0.37.0 to 0.38.0 (#13361) +* Bump the actions group with 2 updates (#13362) +* Bump golang.org/x/oauth2 from 0.29.0 to 0.30.0 (#13360) +* Bump dario.cat/mergo from 1.0.1 to 1.0.2 in the go group across 1 directory (#13359) +* Bump github/codeql-action from 3.28.16 to 3.28.17 in the actions group (#13331) +* Bump golangci/golangci-lint-action from 7.0.0 to 8.0.0 (#13330) +* Bump actions/download-artifact from 4.2.1 to 4.3.0 in the actions group (#13303) +* Bump the actions group with 2 updates (#13279) +* Bump github.com/onsi/ginkgo/v2 from 2.23.3 to 2.23.4 (#13212) +* Bump the go group across 2 directories with 1 update (#13196) +* Bump github.com/prometheus/client_golang from 1.21.1 to 1.22.0 (#13199) +* Bump github/codeql-action from 3.28.14 to 3.28.15 in the actions group (#13198) +* Bump github.com/prometheus/client_golang from 1.21.1 to 1.22.0 in /images/custom-error-pages/rootfs (#13197) +* Bump golang.org/x/oauth2 from 0.28.0 to 0.29.0 (#13168) +* Bump the go group across 2 
directories with 1 update (#13169) +* Bump github.com/fsnotify/fsnotify from 1.8.0 to 1.9.0 (#13170) +* Bump golang.org/x/crypto from 0.36.0 to 0.37.0 (#13167) +* Bump the actions group with 2 updates (#13166) +* Bump goreleaser/goreleaser-action from 6.2.1 to 6.3.0 in the actions group (#13132) +* Bump golangci/golangci-lint-action from 6.5.2 to 7.0.0 (#13116) +* Bump the actions group with 2 updates (#13115) +* Bump github.com/opencontainers/runc from 1.2.5 to 1.2.6 in the go group across 1 directory (#13032) +* Bump github.com/onsi/ginkgo/v2 from 2.23.0 to 2.23.3 (#13020) +* Bump the actions group with 5 updates (#13019) +* Bump dorny/test-reporter from 1.9.1 to 2.0.0 (#12982) +* Bump github.com/prometheus/common from 0.62.0 to 0.63.0 (#12980) +* Bump the go group across 3 directories with 9 updates (#12979) +* Bump the actions group with 3 updates (#12981) +* Bump github/codeql-action from 3.28.10 to 3.28.11 in the actions group (#12965) +* Bump github.com/onsi/ginkgo/v2 from 2.22.2 to 2.23.0 (#12953) +* Bump golang.org/x/crypto from 0.35.0 to 0.36.0 (#12954) +* Bump the go group across 2 directories with 1 update (#12933) +* Bump google.golang.org/grpc from 1.70.0 to 1.71.0 (#12934) +* Bump golang.org/x/crypto from 0.34.0 to 0.35.0 (#12920) +* Bump the actions group with 3 updates (#12919) +* Bump github.com/prometheus/client_golang from 1.20.5 to 1.21.0 (#12887) +* Bump golang.org/x/crypto from 0.33.0 to 0.34.0 (#12888) +* Bump github.com/prometheus/client_golang from 1.20.5 to 1.21.0 in /images/custom-error-pages/rootfs (#12886) +* Bump the actions group with 4 updates (#12885) +* Bump github.com/spf13/cobra from 1.8.1 to 1.9.1 (#12859) +* Bump the go group across 3 directories with 11 updates (#12857) +* Bump the actions group with 2 updates (#12860) +* Bump github.com/spf13/cobra from 1.8.1 to 1.9.1 in /images/kube-webhook-certgen/rootfs (#12858) +* Bump the actions group with 4 updates (#12811) +* Bump golang.org/x/crypto from 0.32.0 to 0.33.0 (#12810) +* 
Bump the actions group with 2 updates (#12772) +* Bump the go group across 2 directories with 1 update (#12771) +* Bump google.golang.org/grpc from 1.69.4 to 1.70.0 (#12755) +* Bump sigs.k8s.io/controller-runtime from 0.20.0 to 0.20.1 in the go group across 1 directory (#12754) +* Bump the actions group with 5 updates (#12753) +* Bump sigs.k8s.io/controller-runtime from 0.19.4 to 0.20.0 (#12723) +* Bump github.com/prometheus/common from 0.61.0 to 0.62.0 (#12722) +* Bump the go group across 3 directories with 9 updates (#12721) +* Bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 in the actions group (#12720) +* Bump google.golang.org/grpc from 1.69.2 to 1.69.4 in the go group across 1 directory (#12698) +* Bump the actions group with 3 updates (#12659) +* Bump the go group across 1 directory with 3 updates (#12657) +* Bump golang.org/x/crypto from 0.31.0 to 0.32.0 (#12658) +* Bump github.com/onsi/ginkgo/v2 from 2.22.1 to 2.22.2 (#12627) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.12.0...controller-v1.13.0 diff --git a/changelog/controller-1.13.1.md b/changelog/controller-1.13.1.md new file mode 100644 index 0000000000..1ed18a7838 --- /dev/null +++ b/changelog/controller-1.13.1.md 
@@ -0,0 +1,58 @@ +# Changelog + +### controller-v1.13.1 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.13.1@sha256:37e489b22ac77576576e52e474941cd7754238438847c1ee795ad6d59c02b12a +* registry.k8s.io/ingress-nginx/controller-chroot:v1.13.1@sha256:cace9bc8ad1914e817e5b461d691a00caab652347002ba811077189b85009d7f + +### All changes: + +* Images: Trigger controller build. (#13767) +* Chart: Bump Kube Webhook CertGen. (#13762) +* Tests & Docs: Bump images. (#13761) +* Go: Update dependencies. (#13750) +* Images: Remove redundant ModSecurity-nginx patch. (#13747) +* Tests: Add `ssl-session-*` config values tests. (#13745) +* Docs: Bump mkdocs to v9.6.16, fix links. (#13743) +* Docs: Fix default config values and links. (#13738) +* Images: Trigger other builds (2/2). (#13735) +* Images: Trigger other builds (1/2). (#13731) +* Tests: Bump Test Runner to v2.2.1. (#13727) +* Images: Trigger Test Runner build. (#13722) +* Go: Bump to v1.24.6. (#13719) +* Images: Bump NGINX to v2.2.1. (#13716) +* Images: Trigger NGINX build. (#13713) +* Annotations: Quote auth proxy headers. (#13708) +* Go: Update dependencies. (#13701) +* CI: Fix typo. (#13698) +* Chart: Push to OCI registry. (#13695) +* Docs: Remove `X-XSS-Protection` header from hardening guide. (#13686) +* Controller: Fix nil pointer in path validation. (#13681) +* Go: Update dependencies. (#13676) +* NGINX: Disable mimalloc's architecture specific optimizations. (#13671) +* Controller: Fix SSL session ticket path. (#13667) +* Docs: Use HTTPS for NGINX links. (#13663) +* Docs: Fix links and formatting in user guide. (#13661) +* Make: Add `helm-test` target. (#13659) +* Docs: Update prerequisites in `getting-started.md`. (#13657) +* Hack: Bump `golangci-lint` to v2.3.0. (#13655) +* CI: Update KIND to v1.33.2. (#13647) +* Config/Annotations: Fix `proxy-busy-buffers-size`. (#13638) +* Docs: Improve `opentelemetry-trust-incoming-span`. (#13636) +* Chart: Remove trailing whitespace. 
(#13634) +* Go: Update dependencies. (#13625) +* CI: Update Kubernetes to v1.33.3. (#13630) +* Go: Bump to v1.24.5. (#13629) +* Bye bye, v1.11. (#13615) + +### Dependency updates: + +* Bump the actions group with 3 updates (#13758) +* Bump actions/download-artifact from 4.3.0 to 5.0.0 (#13755) +* Bump github/codeql-action from 3.29.3 to 3.29.5 in the actions group (#13706) +* Bump github/codeql-action from 3.29.2 to 3.29.3 in the actions group across 1 directory (#13643) +* Bump the actions group with 3 updates (#13640) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.13.0...controller-v1.13.1 diff --git a/changelog/controller-1.13.2.md b/changelog/controller-1.13.2.md new file mode 100644 index 0000000000..0fbd70847b --- /dev/null +++ b/changelog/controller-1.13.2.md 
@@ -0,0 +1,44 @@
+# Changelog
+
+### controller-v1.13.2
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.13.2@sha256:1f7eaeb01933e719c8a9f4acd8181e555e582330c7d50f24484fb64d2ba9b2ef
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.13.2@sha256:2beb2139c53d6bcb9c8b11d68b412a6a1aa1de3a7e6040695848b0ce997b2be8
+
+### All changes:
+
+* Images: Trigger controller build. (#13863)
+* Metrics: Fix `nginx_ingress_controller_config_last_reload_successful`. (#13860)
+* Chart: Bump Kube Webhook CertGen. (#13856)
+* Tests & Docs: Bump images. (#13855)
+* Docs: Remove `datadog` ConfigMap options. (#13851)
+* Images: Trigger other builds (2/2). (#13847)
+* Images: Trigger other builds (1/2). (#13846)
+* Tests: Bump Test Runner to v2.2.2. (#13842)
+* Images: Trigger Test Runner build. (#13839)
+* Images: Bump NGINX to v2.2.2. (#13836)
+* Images: Trigger NGINX build. (#13833)
+* Go: Update dependencies. (#13828)
+* Annotations/AuthTLS: Allow named redirects. (#13819)
+* Tests: Bump Ginkgo to v2.25.1. (#13816)
+* Docs: Replace no-break spaces (U+A0). (#13813)
+* Tests: Bump Ginkgo to v2.25.0. (#13807)
+* Tests: Bump Ginkgo to v2.24.0. (#13802)
+* Ingresses: Allow `.` in `Exact` and `Prefix` paths. (#13799)
+* Config/Annotations: Remove `proxy-busy-buffers-size` default value. (#13790)
+* Tests: Enable default backend access logging tests. (#13788)
+* Security: Harden socket creation and validate error code input. (#13785)
+* Tests: Enhance SSL Proxy. (#13783)
+* Chores: Migrate deprecated `wait.Poll*` to context-aware equivalents. (#13781)
+* Go: Update dependencies. (#13778)
+* CI: Update Kubernetes to v1.33.4. (#13776)
+
+### Dependency updates:
+
+* Bump the actions group with 3 updates (#13825)
+* Bump actions/checkout from 4.3.0 to 5.0.0 (#13796)
+* Bump the actions group with 2 updates (#13794)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.13.1...controller-v1.13.2
diff --git a/changelog/controller-1.13.3.md b/changelog/controller-1.13.3.md
new file mode 100644
index 0000000000..023f2f342e
--- /dev/null
+++ b/changelog/controller-1.13.3.md
@@ -0,0 +1,50 @@ +# Changelog + +### controller-v1.13.3 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.13.3@sha256:1b044f6dcac3afbb59e05d98463f1dec6f3d3fb99940bc12ca5d80270358e3bd +* registry.k8s.io/ingress-nginx/controller-chroot:v1.13.3@sha256:27de15aea4ec7639f7cec6ae96bff11ce57bb1171040351a0b0eedf66655d0dd + +### All changes: + +* Images: Trigger controller build. (#13984) +* Chart: Bump Kube Webhook CertGen. (#13981) +* Tests & Docs: Bump images. (#13980) +* Images: Trigger other builds (2/2). (#13975) +* Images: Trigger other builds (1/2). (#13974) +* Tests: Bump Test Runner to v2.2.3. (#13964) +* Images: Trigger Test Runner build. (#13961) +* Go: Update dependencies. (#13955) +* Images: Bump NGINX to v2.2.3. (#13958) +* Images: Trigger NGINX build. (#13952) +* Docs: Update link to Kubernetes controller documentation. (#13948) +* Go: Update dependencies. (#13935) +* CI: Update Helm to v3.19.0. (#13938) +* Plugin: Change `rewriteTargetWithoutCaptureGroup` lint to include any numbered capture group. (#13932) +* Go: Update dependencies. (#13928) +* CI: Update Kubernetes to v1.34.1. (#13925) +* Go: Update dependencies. (#13908) +* Tests: Bump Ginkgo to v2.25.3. (#13903) +* Go: Update dependencies. (#13900) +* Go: Bump to v1.25.1. (#13897) +* GitHub: Remove 'Stale Issues and PRs' workflow. (#13892) +* Go: Update dependencies. (#13889) +* Tests: Bump Ginkgo to v2.25.2. (#13885) +* CI: Update Helm to v3.18.6. (#13882) +* CI: Update Kubernetes to v1.34.0. (#13878) +* CI: Update KIND to v1.34.0. (#13877) +* Go: Bump to v1.25.0. (#13873) +* Images: Use Alpine v3.22.1. 
(#13870) + +### Dependency updates: + +* Bump docker/login-action from 3.5.0 to 3.6.0 in the actions group across 1 directory (#13995) +* Bump the actions group with 2 updates (#13989) +* Bump github/codeql-action from 3.30.1 to 3.30.3 in the actions group (#13942) +* Bump actions/setup-go from 5.5.0 to 6.0.0 (#13918) +* Bump the actions group with 3 updates (#13916) +* Bump actions/setup-python from 5.6.0 to 6.0.0 (#13914) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.13.2...controller-v1.13.3 diff --git a/changelog/controller-1.13.4.md b/changelog/controller-1.13.4.md new file mode 100644 index 0000000000..f635c47383 --- /dev/null +++ b/changelog/controller-1.13.4.md 
@@ -0,0 +1,43 @@
+# Changelog
+
+### controller-v1.13.4
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.13.4@sha256:4042ae3c512c5d7bcf9682b0fdff96cd7b46a23dcbe15a762349094cd8087be7
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.13.4@sha256:49fc51d0767efb4d5c871bcd9bd70684fdcbdd34f9e4164bdf9c9d890db19791
+
+### All changes:
+
+* GitHub: Bump Chart Testing action. (#14116)
+* Images: Trigger controller build. (#14107)
+* Annotations: Respect changes to `auth-proxy-set-headers`. (#14104)
+* Images: Bump other images. (#14100)
+* Images: Trigger other builds (2/2). (#14094)
+* Images: Trigger other builds (1/2). (#14093)
+* Tests: Bump Test Runner to v2.2.4. (#14075)
+* Images: Trigger Test Runner build. (#14073)
+* Images: Bump NGINX to v2.2.4. (#14067)
+* Images: Trigger NGINX build. (#14064)
+* Store: Handle panics in service deletion handler. (#14057)
+* Go: Bump to v1.25.3. (#14044)
+* Go: Update dependencies. (#14027)
+* Images: Bump Alpine to v3.22.2. (#14024)
+* Go: Bump to v1.25.2. (#14020)
+* Go: Update dependencies. (#14012)
+* Controller: Fix `limit_req_zone` sorting. (#14006)
+* Annotations: Fix log format. (#14002)
+
+### Dependency updates:
+
+* Bump actions/download-artifact from 5.0.0 to 6.0.0 (#14087)
+* Bump github/codeql-action from 4.30.9 to 4.31.0 in the actions group (#14084)
+* Bump actions/upload-artifact from 4.6.2 to 5.0.0 (#14082)
+* Bump github.com/onsi/ginkgo/v2 from 2.26.0 to 2.27.1 (#14061)
+* Bump github/codeql-action from 4.30.8 to 4.30.9 in the actions group (#14053)
+* Bump sigs.k8s.io/controller-runtime from 0.22.2 to 0.22.3 in the go group across 1 directory (#14039)
+* Bump actions/dependency-review-action from 4.8.0 to 4.8.1 in the actions group (#14036)
+* Bump github/codeql-action from 3.30.6 to 4.30.8 (#14034)
+* Bump the actions group with 2 updates (#14015)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.13.3...controller-v1.13.4
diff --git a/changelog/controller-1.13.5.md b/changelog/controller-1.13.5.md
new file mode 100644
index 0000000000..6818a3e49c
--- /dev/null
+++ b/changelog/controller-1.13.5.md
@@ -0,0 +1,53 @@ +# Changelog + +### controller-v1.13.5 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.13.5@sha256:5b346855be6752fa2a40f91983fa35a0c004b41493f36be6068a3d4350e69db8 +* registry.k8s.io/ingress-nginx/controller-chroot:v1.13.5@sha256:eb6665ca10761ac2b5d1b94959b5cf77e2f6d2bb54178fca16c194933b44c770 + +### All changes: + +* Images: Trigger controller build. (#14245) +* Images: Bump other images. (#14239) +* Images: Update LuaRocks to v3.12.2. (#14236) +* Images: Trigger other builds (2/2). (#14233) +* Images: Trigger other builds (1/2). (#14230) +* CI: Pin Helm version. (#14227) +* Tests: Bump Test Runner to v2.2.5. (#14223) +* Images: Trigger Test Runner build. (#14220) +* Images: Bump NGINX to v2.2.5. (#14217) +* Images: Trigger NGINX build. (#14214) +* Go: Update dependencies. (#14211) +* Docs: Fix typo. (#14187) +* CI: Update Helm to v3.19.2. (#14175) +* Go: Update dependencies. (#14173) +* CI: Update Kubernetes to v1.34.2. (#14171) +* CI: Update Helm to v3.19.1. (#14166) +* Custom Error Pages: Do not write status code too soon. (#14163) +* Images: Bump GCB Docker GCloud to v20251110-7ccd542560. (#14157) +* Go: Update dependencies. (#14160) +* Tests: Bump Ginkgo to v2.27.2. (#14154) +* Go: Bump to v1.25.4. (#14134) +* Controller: Fix host/path overlap detection for multiple rules. (#14131) +* Bye bye, v1.12. 
(#14127) + +### Dependency updates: + +* Bump the actions group with 3 updates (#14243) +* Bump google.golang.org/grpc from 1.76.0 to 1.77.0 (#14207) +* Bump google.golang.org/grpc from 1.76.0 to 1.77.0 in /images/go-grpc-greeter-server/rootfs (#14205) +* Bump github.com/prometheus/common from 0.67.2 to 0.67.4 in /images/custom-error-pages/rootfs in the go group across 1 directory (#14203) +* Bump actions/checkout from 5.0.0 to 6.0.0 (#14201) +* Bump the actions group with 3 updates (#14199) +* Bump golang.org/x/crypto from 0.44.0 to 0.45.0 (#14190) +* Bump the actions group with 3 updates (#14184) +* Bump golang.org/x/oauth2 from 0.32.0 to 0.33.0 (#14151) +* Bump golangci/golangci-lint-action from 8.0.0 to 9.0.0 (#14149) +* Bump helm/chart-testing-action from e27de75c91e0f939bbffea4638c3c70430d7b857 to 6ec842c01de15ebb84c8627d2744a0c2f2755c9f (#14147) +* Bump docker/setup-qemu-action from 3.6.0 to 3.7.0 in the actions group (#14145) +* Bump the go group across 1 directory with 4 updates (#14130) +* Bump github/codeql-action from 4.31.0 to 4.31.2 in the actions group (#14126) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.13.4...controller-v1.13.5 diff --git a/changelog/controller-1.13.6.md b/changelog/controller-1.13.6.md new file mode 100644 index 0000000000..8c223ceea8 --- /dev/null +++ b/changelog/controller-1.13.6.md 
@@ -0,0 +1,69 @@ +# Changelog + +### controller-v1.13.6 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.13.6@sha256:4b85724d716a545f38338cb99f0e07c83d16780adb0911e0e4d6218c7e5944a8 +* registry.k8s.io/ingress-nginx/controller-chroot:v1.13.6@sha256:819eed119e9c4c735ae1762679e439ada1e3ef1b47b6cdc1b22e5f36578e476b + +### All changes: + +* Images: Trigger controller build. (#14433) +* Images: Bump other images. (#14431) +* Images: Trigger other builds (2/2). (#14427) +* Images: Trigger other builds (1/2). (#14424) +* Tests: Bump Test Runner to v2.2.6. (#14421) +* Images: Trigger Test Runner build. (#14415) +* Images: Bump NGINX to v2.2.6. (#14412) +* Go: Update dependencies. (#14409) +* CI: Update Helm to v4.0.5. (#14406) +* Go: Bump to v1.25.6. (#14403) +* Docs: Fix typos. (#14395) +* Go: Update dependencies. (#14389) +* Images: Bump GCB Docker GCloud to v20260108-7f313c340e. (#14386) +* Tests: Bump Ginkgo to v2.27.5. (#14383) +* Docs: Remove duplicate in log format. (#14376) +* Update documentation to highlight that the project is retiring (#14373) +* Images: Trigger NGINX build. (#14358) +* Go: Update dependencies. (#14355) +* Docs: Add retirement blog post. (#14352) +* Docs: Clarify regex docs. (#14338) +* Go: Update dependencies. (#14335) +* Images: Bump GCB Docker GCloud to v20251222-9ed298b43e. (#14332) +* CI: Update Kubernetes to v1.35.0. (#14313) +* Images: Bump Alpine to v3.23.2. (#14310) +* CI: Update KIND to v1.34.3. (#14307) +* CI: Update Helm to v4.0.4. (#14295) +* CI: Update KIND to v1.34.2. (#14292) +* Images: Bump GCB Docker GCloud to v20251211-4c812d4cd8. (#14289) +* CI: Update Helm to v4.0.2. (#14286) +* CI: Update Kubernetes to v1.34.3. (#14283) +* Go: Update dependencies. (#14280) +* Images: Bump GCB Docker GCloud to v20251110-7ccd542560. (#14277) +* Tests: Bump Ginkgo to v2.27.3. (#14270) +* CI: Disable verification for Helm Unit Test. (#14273) +* CI: Update Helm to v4.0.1. (#14257) +* Bye bye, v1.12 - fr! 
(#14267) +* Images: Bump Alpine to v3.23.0. (#14251) +* Go: Bump to v1.25.5. (#14254) + +### Dependency updates: + +* Bump the go group across 2 directories with 2 updates (#14400) +* Bump the actions group with 2 updates (#14398) +* Bump the go group across 1 directory with 2 updates (#14378) +* Bump dorny/test-reporter from 2.3.0 to 2.5.0 in the actions group (#14363) +* Bump google.golang.org/grpc from 1.77.0 to 1.78.0 (#14349) +* Bump google.golang.org/grpc from 1.77.0 to 1.78.0 in /images/go-grpc-greeter-server/rootfs (#14347) +* Bump k8s.io/apiextensions-apiserver from 0.34.3 to 0.35.0 (#14329) +* Bump k8s.io/kube-aggregator from 0.34.3 to 0.35.0 in /images/kube-webhook-certgen/rootfs (#14327) +* Bump k8s.io/apimachinery from 0.34.3 to 0.35.0 in /images/ext-auth-example-authsvc/rootfs (#14325) +* Bump the actions group with 2 updates (#14323) +* Bump github/codeql-action from 4.31.7 to 4.31.8 in the actions group (#14304) +* Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#14302) +* Bump actions/download-artifact from 6.0.0 to 7.0.0 (#14300) +* Bump the go group across 2 directories with 1 update (#14264) +* Bump the actions group with 3 updates (#14262) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.13.5...controller-v1.13.6 diff --git a/changelog/controller-1.13.7.md b/changelog/controller-1.13.7.md new file mode 100644 index 0000000000..e6f1e1b82a --- /dev/null +++ b/changelog/controller-1.13.7.md 
@@ -0,0 +1,36 @@
+# Changelog
+
+### controller-v1.13.7
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.13.7@sha256:13db2f8aca4bb71ae7f727288620c4569b01bab4911b01fa3917995ff7755de8
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.13.7@sha256:ecc934a4653d3b8c17100882b58cc16c59a697930c3598acda02227edfc41c34
+
+### All changes:
+
+* Images: Trigger controller build. (#14509)
+* Annotations: Add `^` and `$` to auth method regex. (#14506)
+* Template: Quote all `location` and `server_name` directives, and escape quotes and backslashes. (#14503)
+* Controller: Verify UIDs. (#14500)
+* Template: Bypass custom error pages when handling auth URL requests. (#14497)
+* Admission Controller: Use 9 MB limit. (#14494)
+* Images: Bump other images. (#14485)
+* Images: Trigger other builds (2/2). (#14481)
+* Images: Trigger other builds (1/2). (#14478)
+* Tests: Bump Test Runner to v2.2.7. (#14472)
+* Images: Trigger Test Runner build. (#14469)
+* Images: Bump NGINX to v2.2.7. (#14466)
+* Images: Trigger NGINX build. (#14463)
+* Go: Update dependencies. (#14460)
+* Images: Bump GCB Docker GCloud to v20260127-c1affcc8de. (#14457)
+* CI: Update Helm to v4.1.0. (#14454)
+* Controller: Fix sync for when host clock jumps to future. (#14450)
+* Util: Fix panic for empty `cpu.max` file. (#14449)
+* NGINX: Update OWASP CRS to v4.22.0. (#14418)
+
+### Dependency updates:
+
+* Bump the actions group with 2 updates (#14491)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.13.6...controller-v1.13.7
diff --git a/changelog/controller-1.13.8.md b/changelog/controller-1.13.8.md
new file mode 100644
index 0000000000..c6676bfd34
--- /dev/null
+++ b/changelog/controller-1.13.8.md
@@ -0,0 +1,65 @@ +# Changelog + +### controller-v1.13.8 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.13.8@sha256:0e7fad5de70f55c7f5fb61858be5ba6794d61091ad0874e963a61851e43edf99 +* registry.k8s.io/ingress-nginx/controller-chroot:v1.13.8@sha256:5269537aba95892bad7849ef06f0d0d9883cc586af74a0408fa8173835bd2ea1 + +### All changes: + +* Images: Trigger controller build. (#14672) +* Template: Quote `proxy_pass`. (#14669) +* Annotations: Consider aliases in risk evaluation. (#14666) +* Images: Bump other images. (#14663) +* Images: Trigger other builds (2/2). (#14660) +* Images: Trigger other builds (1/2). (#14657) +* Tests: Bump Test Runner to v2.2.8. (#14642) +* Images: Trigger Test Runner build. (#14639) +* Go: Update dependencies. (#14636) +* Images: Bump NGINX to v2.2.8. (#14633) +* Images: Trigger NGINX build. (#14630) +* Go: Update dependencies. (#14627) +* Go: Bump to v1.26.1. (#14624) +* CI: Update Kubernetes to v1.35.2. (#14607) +* Admission Controller: Remove obsolete error log. (#14602) +* Mage: Rewrite `updateChartValue` to obsolete outdated libraries. (#14601) +* Go: Update dependencies. (#14597) +* Go: Update dependencies. (#14586) +* CI: Update KIND to v1.35.1. (#14566) +* CI: Update Kubernetes to v1.35.1. (#14563) +* Docs: Clarify PROXY protocol is not supported on GKE default load balancer. (#14560) +* Controller: Enable SSL Passthrough when requested on before HTTP-only hosts. (#14557) +* CI: Update Helm to v4.1.1. (#14554) +* Annotations: Use dedicated regular expression for `proxy-cookie-domain`. (#14551) +* Docs: Add retirement notice to website. (#14542) +* Template: Use `RawURLEncoding` instead of `URLEncoding` with padding removal. (#14538) +* Docs: Clarify valid values for `proxy-request-buffering`. (#14533) +* Go: Bump to v1.25.7. (#14527) +* Go: Update dependencies. (#14524) +* Tests: Bump Ginkgo to v2.28.1. (#14521) +* Images: Bump Alpine to v3.23.3. (#14518) +* Lua: Fix type mismatch. 
(#14515) + +### Dependency updates: + +* Bump docker/setup-buildx-action from 3.12.0 to 4.0.0 (#14654) +* Bump docker/login-action from 3.7.0 to 4.0.0 (#14651) +* Bump docker/setup-qemu-action from 3.7.0 to 4.0.0 (#14650) +* Bump the actions group with 5 updates (#14648) +* Bump actions/download-artifact from 7.0.0 to 8.0.0 (#14620) +* Bump the go group across 3 directories with 9 updates (#14618) +* Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#14616) +* Bump actions/setup-go from 6.2.0 to 6.3.0 in the actions group (#14613) +* Bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 (#14594) +* Bump the actions group with 4 updates (#14592) +* Bump google.golang.org/grpc from 1.78.0 to 1.79.1 (#14583) +* Bump the go group across 3 directories with 9 updates (#14581) +* Bump the actions group with 2 updates (#14578) +* Bump golang.org/x/crypto from 0.47.0 to 0.48.0 (#14576) +* Bump google.golang.org/grpc from 1.78.0 to 1.79.1 in /images/go-grpc-greeter-server/rootfs (#14574) +* Bump github/codeql-action from 4.32.0 to 4.32.2 in the actions group (#14549) +* Bump golang.org/x/oauth2 from 0.34.0 to 0.35.0 (#14547) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.13.7...controller-v1.13.8 diff --git a/changelog/controller-1.14.0.md b/changelog/controller-1.14.0.md new file mode 100644 index 0000000000..ff8006ae84 --- /dev/null +++ b/changelog/controller-1.14.0.md 
@@ -0,0 +1,155 @@ +# Changelog + +### controller-v1.14.0 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.14.0@sha256:e4127065d0317bd11dc64c4dd38dcf7fb1c3d72e468110b4086e636dbaac943d +* registry.k8s.io/ingress-nginx/controller-chroot:v1.14.0@sha256:d0158a50630981a945325c15a638e52c2d0691bc528caf5c04d2cf2051c5665f + +### All changes: + +* GitHub: Bump Chart Testing action. (#14115) +* Images: Trigger controller build. (#14106) +* Annotations: Respect changes to `auth-proxy-set-headers`. (#14103) +* Images: Bump other images. (#14099) +* Images: Trigger other builds (2/2). (#14092) +* Images: Trigger other builds (1/2). (#14091) +* Tests: Bump Test Runner to v2.2.4. (#14074) +* Images: Trigger Test Runner build. (#14071) +* Chart: Make extra init containers templatable. (#14070) +* Images: Bump NGINX to v2.2.4. (#14066) +* Images: Trigger NGINX build. (#14063) +* Store: Handle panics in service deletion handler. (#14056) +* Status: Add support for multiple Node IP addresses. (#14049) +* Go: Bump to v1.25.3. (#14043) +* Go: Update dependencies. (#14026) +* Images: Bump Alpine to v3.22.2. (#14023) +* Go: Bump to v1.25.2. (#14019) +* Chart: Add `controller.metrics.serviceMonitor.scrapeTimeout`. (#14018) +* Go: Update dependencies. (#14011) +* Controller: Fix `limit_req_zone` sorting. (#14005) +* Annotations: Fix log format. (#13998) +* Release controller v1.13.3/v1.12.7 & chart v4.13.3/v4.12.7. (#14001) +* Chart: Bump Kube Webhook CertGen. (#13979) +* Tests & Docs: Bump images. (#13978) +* Images: Trigger other builds (2/2). (#13973) +* Images: Trigger other builds (1/2). (#13972) +* Tests: Bump Test Runner to v2.2.3. (#13963) +* Images: Trigger Test Runner build. (#13960) +* Go: Update dependencies. (#13954) +* Images: Bump NGINX to v2.2.3. (#13957) +* Images: Trigger NGINX build. (#13951) +* Docs: Update link to Kubernetes controller documentation. (#13946) +* Go: Update dependencies. (#13934) +* CI: Update Helm to v3.19.0. 
(#13937) +* Plugin: Change `rewriteTargetWithoutCaptureGroup` lint to include any numbered capture group. (#13931) +* Go: Update dependencies. (#13927) +* CI: Update Kubernetes to v1.34.1. (#13924) +* Config: Use stronger ciphers first. (#13921) +* Chart: Add resize policy. (#13906) +* Go: Update dependencies. (#13907) +* SSL Proxy: Support PROXY protocol v2. (#13861) +* Tests: Bump Ginkgo to v2.25.3. (#13902) +* Go: Update dependencies. (#13899) +* Go: Bump to v1.25.1. (#13896) +* GitHub: Remove 'Stale Issues and PRs' workflow. (#13891) +* Go: Update dependencies. (#13888) +* Tests: Bump Ginkgo to v2.25.2. (#13884) +* CI: Update Helm to v3.18.6. (#13881) +* CI: Update Kubernetes to v1.34.0. (#13876) +* CI: Update KIND to v1.34.0. (#13875) +* Go: Bump to v1.25.0. (#13872) +* Images: Use Alpine v3.22.1. (#13869) +* Release controller v1.13.2/v1.12.6 & chart v4.13.2/v4.12.6. (#13867) +* Metrics: Fix `nginx_ingress_controller_config_last_reload_successful`. (#13830) +* Chart: Bump Kube Webhook CertGen. (#13854) +* Tests & Docs: Bump images. (#13853) +* Docs: Remove `datadog` ConfigMap options. (#13850) +* Images: Trigger other builds (2/2). (#13845) +* Images: Trigger other builds (1/2). (#13844) +* Tests: Bump Test Runner to v2.2.2. (#13841) +* Images: Trigger Test Runner build. (#13838) +* Images: Bump NGINX to v2.2.2. (#13835) +* Images: Trigger NGINX build. (#13832) +* Chart: Add volumes for webhook patch job. (#13811) +* Go: Update dependencies. (#13827) +* Annotations/AuthTLS: Allow named redirects. (#13752) +* Tests: Bump Ginkgo to v2.25.1. (#13815) +* Docs: Replace no-break spaces (U+A0). (#13812) +* Tests: Bump Ginkgo to v2.25.0. (#13806) +* Tests: Bump Ginkgo to v2.24.0. (#13801) +* Ingresses: Allow `.` in `Exact` and `Prefix` paths. (#13798) +* Config/Annotations: Remove `proxy-busy-buffers-size` default value. (#13780) +* Tests: Enable default backend access logging tests. (#13787) +* Security: Harden socket creation and validate error code input. 
(#13765) +* Tests: Enhance SSL Proxy. (#13769) +* Chores: Migrate deprecated `wait.Poll*` to context-aware equivalents. (#13766) +* Go: Update dependencies. (#13775) +* CI: Update Kubernetes to v1.33.4. (#13774) +* Release controller v1.13.1/v1.12.5 & chart v4.13.1/v4.12.5. (#13772) +* Chart: Bump Kube Webhook CertGen. (#13759) +* Tests & Docs: Bump images. (#13760) +* Go: Update dependencies. (#13749) +* Images: Remove redundant ModSecurity-nginx patch. (#13740) +* Tests: Add `ssl-session-*` config values tests. (#13742) +* Docs: Bump mkdocs to v9.6.16, fix links. (#13741) +* Docs: Fix default config values and links. (#13737) +* Images: Trigger other builds (2/2). (#13730) +* Images: Trigger other builds (1/2). (#13729) +* Tests: Bump Test Runner to v2.2.1. (#13726) +* Images: Trigger Test Runner build. (#13721) +* Go: Bump to v1.24.6. (#13718) +* Images: Bump NGINX to v2.2.1. (#13715) +* Images: Trigger NGINX build. (#13710) +* Annotations: Quote auth proxy headers. (#13371) +* Go: Update dependencies. (#13700) +* CI: Fix typo. (#13697) +* Chart: Push to OCI registry. (#13680) +* Docs: Remove `X-XSS-Protection` header from hardening guide. (#13685) +* Controller: Fix nil pointer in path validation. (#13679) +* Go: Update dependencies. (#13675) +* NGINX: Disable mimalloc's architecture specific optimizations. (#13669) +* Controller: Fix SSL session ticket path. (#13665) +* Docs: Use HTTPS for NGINX links. (#13653) +* Docs: Fix links and formatting in user guide. (#13654) +* Make: Add `helm-test` target. (#13652) +* Docs: Update prerequisites in `getting-started.md`. (#13651) +* Hack: Bump `golangci-lint` to v2.3.0. (#13650) +* CI: Update KIND to v1.33.2. (#13646) +* Chart: Template default backend extra volumes. (#13596) +* Config/Annotations: Fix `proxy-busy-buffers-size`. (#13610) +* Docs: Improve `opentelemetry-trust-incoming-span`. (#13606) +* Chart: Remove trailing whitespace. (#13633) +* Go: Update dependencies. (#13624) +* CI: Update Kubernetes to v1.33.3. 
(#13628) +* Go: Bump to v1.24.5. (#13627) +* Bye bye, v1.11. (#13614) + +### Dependency updates: + +* Bump actions/download-artifact from 5.0.0 to 6.0.0 (#14081) +* Bump github/codeql-action from 4.30.9 to 4.31.0 in the actions group (#14080) +* Bump actions/upload-artifact from 4.6.2 to 5.0.0 (#14079) +* Bump github.com/onsi/ginkgo/v2 from 2.26.0 to 2.27.1 (#14060) +* Bump github/codeql-action from 4.30.8 to 4.30.9 in the actions group (#14052) +* Bump sigs.k8s.io/controller-runtime from 0.22.2 to 0.22.3 in the go group across 1 directory (#14033) +* Bump actions/dependency-review-action from 4.8.0 to 4.8.1 in the actions group (#14032) +* Bump github/codeql-action from 3.30.6 to 4.30.8 (#14031) +* Bump the actions group with 2 updates (#14014) +* Bump docker/login-action from 3.5.0 to 3.6.0 in the actions group across 1 directory (#13994) +* Bump the actions group with 2 updates (#13988) +* Bump github/codeql-action from 3.30.1 to 3.30.3 in the actions group (#13940) +* Bump actions/setup-go from 5.5.0 to 6.0.0 (#13913) +* Bump the actions group with 3 updates (#13912) +* Bump actions/setup-python from 5.6.0 to 6.0.0 (#13911) +* Bump the actions group with 3 updates (#13822) +* Bump actions/checkout from 4.3.0 to 5.0.0 (#13792) +* Bump the actions group with 2 updates (#13793) +* Bump the actions group with 3 updates (#13754) +* Bump actions/download-artifact from 4.3.0 to 5.0.0 (#13753) +* Bump github/codeql-action from 3.29.3 to 3.29.5 in the actions group (#13705) +* Bump github/codeql-action from 3.29.2 to 3.29.3 in the actions group across 1 directory (#13642) +* Bump the actions group with 3 updates (#13639) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.13.0...controller-v1.14.0 diff --git a/changelog/controller-1.14.1.md b/changelog/controller-1.14.1.md new file mode 100644 index 0000000000..f8d4ac2b98 --- /dev/null +++ b/changelog/controller-1.14.1.md 
@@ -0,0 +1,53 @@ +# Changelog + +### controller-v1.14.1 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.14.1@sha256:f95a79b85fb93ac3de752c71a5c27d5ceae10a18b61904dec224c1c6a4581e47 +* registry.k8s.io/ingress-nginx/controller-chroot:v1.14.1@sha256:29840e06768457b82ef0a9f70bdde03b3b9c42e84a9d78dd6f179326848c1a88 + +### All changes: + +* Images: Trigger controller build. (#14244) +* Images: Bump other images. (#14238) +* Images: Update LuaRocks to v3.12.2. (#14235) +* Images: Trigger other builds (2/2). (#14232) +* Images: Trigger other builds (1/2). (#14229) +* CI: Pin Helm version. (#14226) +* Tests: Bump Test Runner to v2.2.5. (#14222) +* Images: Trigger Test Runner build. (#14219) +* Images: Bump NGINX to v2.2.5. (#14216) +* Images: Trigger NGINX build. (#14213) +* Go: Update dependencies. (#14210) +* Docs: Fix typo. (#14186) +* CI: Update Helm to v3.19.2. (#14174) +* Go: Update dependencies. (#14172) +* CI: Update Kubernetes to v1.34.2. (#14170) +* CI: Update Helm to v3.19.1. (#14165) +* Custom Error Pages: Do not write status code too soon. (#14162) +* Images: Bump GCB Docker GCloud to v20251110-7ccd542560. (#14156) +* Go: Update dependencies. (#14159) +* Tests: Bump Ginkgo to v2.27.2. (#14153) +* Go: Bump to v1.25.4. (#14135) +* Controller: Fix host/path overlap detection for multiple rules. (#14132) +* Bye bye, v1.12. 
(#14124) + +### Dependency updates: + +* Bump the actions group with 3 updates (#14242) +* Bump google.golang.org/grpc from 1.76.0 to 1.77.0 (#14208) +* Bump google.golang.org/grpc from 1.76.0 to 1.77.0 in /images/go-grpc-greeter-server/rootfs (#14206) +* Bump github.com/prometheus/common from 0.67.2 to 0.67.4 in /images/custom-error-pages/rootfs in the go group across 1 directory (#14204) +* Bump actions/checkout from 5.0.0 to 6.0.0 (#14202) +* Bump the actions group with 3 updates (#14200) +* Bump golang.org/x/crypto from 0.44.0 to 0.45.0 (#14189) +* Bump the actions group with 3 updates (#14183) +* Bump golang.org/x/oauth2 from 0.32.0 to 0.33.0 (#14150) +* Bump golangci/golangci-lint-action from 8.0.0 to 9.0.0 (#14148) +* Bump helm/chart-testing-action from e27de75c91e0f939bbffea4638c3c70430d7b857 to 6ec842c01de15ebb84c8627d2744a0c2f2755c9f (#14146) +* Bump docker/setup-qemu-action from 3.6.0 to 3.7.0 in the actions group (#14144) +* Bump the go group across 1 directory with 4 updates (#14129) +* Bump github/codeql-action from 4.31.0 to 4.31.2 in the actions group (#14125) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.14.0...controller-v1.14.1 diff --git a/changelog/controller-1.14.2.md b/changelog/controller-1.14.2.md new file mode 100644 index 0000000000..03037e4bcc --- /dev/null +++ b/changelog/controller-1.14.2.md 
@@ -0,0 +1,69 @@ +# Changelog + +### controller-v1.14.2 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.14.2@sha256:fb3e5c0bdff6a498dd5192b11a09ace0739baa9fe6ba519bf5b22425871ce490 +* registry.k8s.io/ingress-nginx/controller-chroot:v1.14.2@sha256:c46f14a73fb06f2ac2d85d2e576a39563c874fa182076c1ced8b44e24247a80b + +### All changes: + +* Images: Trigger controller build. (#14432) +* Images: Bump other images. (#14430) +* Images: Trigger other builds (2/2). (#14426) +* Images: Trigger other builds (1/2). (#14423) +* Tests: Bump Test Runner to v2.2.6. (#14420) +* Images: Trigger Test Runner build. (#14414) +* Images: Bump NGINX to v2.2.6. (#14411) +* Go: Update dependencies. (#14408) +* CI: Update Helm to v4.0.5. (#14405) +* Go: Bump to v1.25.6. (#14402) +* Docs: Fix typos. (#14396) +* Go: Update dependencies. (#14388) +* Images: Bump GCB Docker GCloud to v20260108-7f313c340e. (#14385) +* Tests: Bump Ginkgo to v2.27.5. (#14382) +* Docs: Remove duplicate in log format. (#14375) +* Update documentation to highlight that the project is retiring (#14372) +* Images: Trigger NGINX build. (#14357) +* Go: Update dependencies. (#14354) +* Docs: Add retirement blog post. (#14351) +* Docs: Clarify regex docs. (#14337) +* Go: Update dependencies. (#14334) +* Images: Bump GCB Docker GCloud to v20251222-9ed298b43e. (#14331) +* CI: Update Kubernetes to v1.35.0. (#14312) +* Images: Bump Alpine to v3.23.2. (#14309) +* CI: Update KIND to v1.34.3. (#14306) +* CI: Update Helm to v4.0.4. (#14294) +* CI: Update KIND to v1.34.2. (#14291) +* Images: Bump GCB Docker GCloud to v20251211-4c812d4cd8. (#14288) +* CI: Update Helm to v4.0.2. (#14285) +* CI: Update Kubernetes to v1.34.3. (#14282) +* Go: Update dependencies. (#14279) +* Images: Bump GCB Docker GCloud to v20251110-7ccd542560. (#14276) +* Tests: Bump Ginkgo to v2.27.3. (#14269) +* CI: Disable verification for Helm Unit Test. (#14272) +* CI: Update Helm to v4.0.1. (#14256) +* Bye bye, v1.12 - fr! 
(#14266) +* Images: Bump Alpine to v3.23.0. (#14250) +* Go: Bump to v1.25.5. (#14253) + +### Dependency updates: + +* Bump the go group across 2 directories with 2 updates (#14399) +* Bump the actions group with 2 updates (#14397) +* Bump the go group across 1 directory with 2 updates (#14377) +* Bump dorny/test-reporter from 2.3.0 to 2.5.0 in the actions group (#14362) +* Bump google.golang.org/grpc from 1.77.0 to 1.78.0 (#14348) +* Bump google.golang.org/grpc from 1.77.0 to 1.78.0 in /images/go-grpc-greeter-server/rootfs (#14346) +* Bump k8s.io/apiextensions-apiserver from 0.34.3 to 0.35.0 (#14328) +* Bump k8s.io/kube-aggregator from 0.34.3 to 0.35.0 in /images/kube-webhook-certgen/rootfs (#14326) +* Bump k8s.io/apimachinery from 0.34.3 to 0.35.0 in /images/ext-auth-example-authsvc/rootfs (#14324) +* Bump the actions group with 2 updates (#14322) +* Bump github/codeql-action from 4.31.7 to 4.31.8 in the actions group (#14303) +* Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#14301) +* Bump actions/download-artifact from 6.0.0 to 7.0.0 (#14299) +* Bump the go group across 2 directories with 1 update (#14263) +* Bump the actions group with 3 updates (#14261) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.14.1...controller-v1.14.2 diff --git a/changelog/controller-1.14.3.md b/changelog/controller-1.14.3.md new file mode 100644 index 0000000000..e36e7c5c5c --- /dev/null +++ b/changelog/controller-1.14.3.md 
@@ -0,0 +1,36 @@
+# Changelog
+
+### controller-v1.14.3
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.14.3@sha256:82917be97c0939f6ada1717bb39aa7e66c229d6cfb10dcfc8f1bd42f9efe0f81
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.14.3@sha256:ffdab64d0e0556f810d82d618a0fa97c4fc8dc2bc5717c51bfe83b5d4252c73e
+
+### All changes:
+
+* Images: Trigger controller build. (#14508)
+* Annotations: Add `^` and `$` to auth method regex. (#14505)
+* Template: Quote all `location` and `server_name` directives, and escape quotes and backslashes. (#14502)
+* Controller: Verify UIDs. (#14499)
+* Template: Bypass custom error pages when handling auth URL requests. (#14496)
+* Admission Controller: Use 9 MB limit. (#14493)
+* Images: Bump other images. (#14484)
+* Images: Trigger other builds (2/2). (#14480)
+* Images: Trigger other builds (1/2). (#14477)
+* Tests: Bump Test Runner to v2.2.7. (#14471)
+* Images: Trigger Test Runner build. (#14468)
+* Images: Bump NGINX to v2.2.7. (#14465)
+* Images: Trigger NGINX build. (#14462)
+* Go: Update dependencies. (#14459)
+* Images: Bump GCB Docker GCloud to v20260127-c1affcc8de. (#14456)
+* CI: Update Helm to v4.1.0. (#14453)
+* Controller: Fix sync for when host clock jumps to future. (#14451)
+* Util: Fix panic for empty `cpu.max` file. (#14448)
+* NGINX: Update OWASP CRS to v4.22.0. (#14417)
+
+### Dependency updates:
+
+* Bump the actions group with 2 updates (#14490)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.14.2...controller-v1.14.3
diff --git a/changelog/controller-1.14.4.md b/changelog/controller-1.14.4.md
new file mode 100644
index 0000000000..de19f3aef9
--- /dev/null
+++ b/changelog/controller-1.14.4.md
@@ -0,0 +1,67 @@ +# Changelog + +### controller-v1.14.4 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.14.4@sha256:f8c7959ed0cc0c1dd6060f291fc50ccaf27a5497d182bbb6bc4ffed943616f23 +* registry.k8s.io/ingress-nginx/controller-chroot:v1.14.4@sha256:d03d78b6b3a1efa21e02d4d0e9771d07c3e8f0e4a97c5156b12f5c7bd1fc5460 + +### All changes: + +* Images: Trigger controller build. (#14671) +* Template: Quote `proxy_pass`. (#14668) +* Annotations: Consider aliases in risk evaluation. (#14665) +* Images: Bump other images. (#14662) +* Images: Trigger other builds (2/2). (#14659) +* Images: Trigger other builds (1/2). (#14656) +* Tests: Bump Test Runner to v2.2.8. (#14641) +* Images: Trigger Test Runner build. (#14638) +* Go: Update dependencies. (#14635) +* Images: Bump NGINX to v2.2.8. (#14632) +* Images: Trigger NGINX build. (#14629) +* Go: Update dependencies. (#14626) +* Go: Bump to v1.26.1. (#14623) +* CI: Update Kubernetes to v1.35.2. (#14606) +* Admission Controller: Remove obsolete error log. (#14603) +* Mage: Rewrite `updateChartValue` to obsolete outdated libraries. (#14600) +* Go: Update dependencies. (#14596) +* Go: Update dependencies. (#14585) +* CI: Update KIND to v1.35.1. (#14565) +* CI: Update Kubernetes to v1.35.1. (#14562) +* Docs: Clarify PROXY protocol is not supported on GKE default load balancer. (#14559) +* Controller: Enable SSL Passthrough when requested on before HTTP-only hosts. (#14556) +* CI: Update Helm to v4.1.1. (#14553) +* Annotations: Use dedicated regular expression for `proxy-cookie-domain`. (#14550) +* Controller: Use 4KiB buffers for PROXY protocol parsing in TLS passthrough. (#14543) +* Docs: Add retirement notice to website. (#14541) +* Template: Use `RawURLEncoding` instead of `URLEncoding` with padding removal. (#14537) +* Docs: Clarify valid values for `proxy-request-buffering`. (#14534) +* Go: Bump to v1.25.7. (#14526) +* Go: Update dependencies. (#14523) +* Tests: Bump Ginkgo to v2.28.1. 
(#14520) +* Images: Bump Alpine to v3.23.3. (#14517) +* Lua: Fix type mismatch. (#14514) + +### Dependency updates: + +* Bump docker/setup-buildx-action from 3.12.0 to 4.0.0 (#14653) +* Bump docker/login-action from 3.7.0 to 4.0.0 (#14652) +* Bump docker/setup-qemu-action from 3.7.0 to 4.0.0 (#14649) +* Bump the actions group with 5 updates (#14647) +* Bump actions/download-artifact from 7.0.0 to 8.0.0 (#14619) +* Bump the go group across 3 directories with 9 updates (#14617) +* Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#14615) +* Bump actions/setup-go from 6.2.0 to 6.3.0 in the actions group (#14614) +* Bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 (#14593) +* Bump the actions group with 4 updates (#14591) +* Bump google.golang.org/grpc from 1.78.0 to 1.79.1 (#14582) +* Bump the go group across 3 directories with 9 updates (#14580) +* Bump github.com/pires/go-proxyproto from 0.10.0 to 0.11.0 (#14579) +* Bump the actions group with 2 updates (#14577) +* Bump golang.org/x/crypto from 0.47.0 to 0.48.0 (#14575) +* Bump google.golang.org/grpc from 1.78.0 to 1.79.1 in /images/go-grpc-greeter-server/rootfs (#14573) +* Bump github/codeql-action from 4.32.0 to 4.32.2 in the actions group (#14548) +* Bump golang.org/x/oauth2 from 0.34.0 to 0.35.0 (#14546) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.14.3...controller-v1.14.4 diff --git a/changelog/controller-1.15.0.md b/changelog/controller-1.15.0.md new file mode 100644 index 0000000000..37c174e36e --- /dev/null +++ b/changelog/controller-1.15.0.md 
@@ -0,0 +1,180 @@ +# Changelog + +### controller-v1.15.0 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.15.0@sha256:4eea9a4cc2cb6ddcb7da14d377aaf452e68bd3dbe87fe280755d225c4d5e7e4e +* registry.k8s.io/ingress-nginx/controller-chroot:v1.15.0@sha256:8f3634837abc5c739baff6527934e08131e095317d69bf64d168e07aef53ac12 + +### All changes: + +* Images: Trigger controller build. (#14670) +* Template: Quote `proxy_pass`. (#14667) +* Annotations: Consider aliases in risk evaluation. (#14664) +* Images: Bump other images. (#14661) +* Images: Trigger other builds (2/2). (#14658) +* Images: Trigger other builds (1/2). (#14655) +* Tests: Bump Test Runner to v2.2.8. (#14640) +* Images: Trigger Test Runner build. (#14637) +* Go: Update dependencies. (#14634) +* Images: Bump NGINX to v2.2.8. (#14631) +* Images: Trigger NGINX build. (#14628) +* Go: Update dependencies. (#14625) +* Go: Bump to v1.26.1. (#14622) +* CI: Update Kubernetes to v1.35.2. (#14605) +* Admission Controller: Remove obsolete error log. (#14599) +* Mage: Rewrite `updateChartValue` to obsolete outdated libraries. (#14598) +* Go: Update dependencies. (#14595) +* Go: Update dependencies. (#14584) +* CI: Update KIND to v1.35.1. (#14564) +* CI: Update Kubernetes to v1.35.1. (#14561) +* Docs: Clarify PROXY protocol is not supported on GKE default load balancer. (#14558) +* Controller: Enable SSL Passthrough when requested on before HTTP-only hosts. (#14555) +* CI: Update Helm to v4.1.1. (#14552) +* Annotations: Use dedicated regular expression for `proxy-cookie-domain`. (#14536) +* Controller: Use 4KiB buffers for PROXY protocol parsing in TLS passthrough. (#14540) +* Docs: Add retirement notice to website. (#14539) +* Template: Use `RawURLEncoding` instead of `URLEncoding` with padding removal. (#14535) +* Docs: Clarify valid values for `proxy-request-buffering`. (#14532) +* Go: Bump to v1.25.7. (#14525) +* Go: Update dependencies. (#14522) +* Tests: Bump Ginkgo to v2.28.1. 
(#14519) +* Images: Bump Alpine to v3.23.3. (#14516) +* Lua: Fix type mismatch. (#14513) +* Release controller v1.14.3/v1.13.7 & chart v4.14.3/v4.13.7. (#14512) +* Annotations: Add `^` and `$` to auth method regex. (#14504) +* Template: Quote all `location` and `server_name` directives, and escape quotes and backslashes. (#14501) +* Controller: Verify UIDs. (#14498) +* Template: Bypass custom error pages when handling auth URL requests. (#14495) +* Admission Controller: Use 9 MB limit. (#14492) +* Images: Bump other images. (#14483) +* Images: Trigger other builds (2/2). (#14479) +* Images: Trigger other builds (1/2). (#14476) +* Tests: Bump Test Runner to v2.2.7. (#14470) +* Images: Trigger Test Runner build. (#14467) +* Images: Bump NGINX to v2.2.7. (#14464) +* Images: Trigger NGINX build. (#14461) +* Go: Update dependencies. (#14458) +* Images: Bump GCB Docker GCloud to v20260127-c1affcc8de. (#14455) +* CI: Update Helm to v4.1.0. (#14452) +* Controller: Fix sync for when host clock jumps to future. (#14440) +* Util: Fix panic for empty `cpu.max` file. (#14441) +* Release controller v1.14.2/v1.13.6 & chart v4.14.2/v4.13.6. (#14436) +* Repository: Remove `netlify.toml`. (#14437) +* Images: Bump other images. (#14429) +* Images: Trigger other builds (2/2). (#14425) +* Images: Trigger other builds (1/2). (#14422) +* Tests: Bump Test Runner to v2.2.6. (#14419) +* NGINX: Update OWASP CRS to v4.22.0. (#14416) +* Images: Trigger Test Runner build. (#14413) +* Images: Bump NGINX to v2.2.6. (#14410) +* Go: Update dependencies. (#14407) +* CI: Update Helm to v4.0.5. (#14404) +* Go: Bump to v1.25.6. (#14401) +* Docs: Fix typos. (#14391) +* Go: Update dependencies. (#14387) +* Images: Bump GCB Docker GCloud to v20260108-7f313c340e. (#14384) +* Tests: Bump Ginkgo to v2.27.5. (#14381) +* Docs: Remove duplicate in log format. (#14365) +* Update documentation to highlight that the project is retiring (#14364) +* Images: Trigger NGINX build. (#14356) +* Go: Update dependencies. 
(#14353) +* Docs: Add retirement blog post. (#14350) +* Docs: Clarify regex docs. (#14336) +* Go: Update dependencies. (#14333) +* Images: Bump GCB Docker GCloud to v20251222-9ed298b43e. (#14330) +* CI: Update Kubernetes to v1.35.0. (#14311) +* Images: Bump Alpine to v3.23.2. (#14308) +* CI: Update KIND to v1.34.3. (#14305) +* CI: Update Helm to v4.0.4. (#14293) +* CI: Update KIND to v1.34.2. (#14290) +* Images: Bump GCB Docker GCloud to v20251211-4c812d4cd8. (#14287) +* CI: Update Helm to v4.0.2. (#14284) +* CI: Update Kubernetes to v1.34.3. (#14281) +* Go: Update dependencies. (#14278) +* Images: Bump GCB Docker GCloud to v20251110-7ccd542560. (#14275) +* Tests: Bump Ginkgo to v2.27.3. (#14268) +* CI: Disable verification for Helm Unit Test. (#14271) +* CI: Update Helm to v4.0.1. (#14255) +* Bye bye, v1.12 - fr! (#14265) +* Images: Bump Alpine to v3.23.0. (#14249) +* Go: Bump to v1.25.5. (#14252) +* Release controller v1.14.1/v1.13.5 & chart v4.14.1/v4.13.5. (#14246) +* Images: Bump other images. (#14237) +* Images: Update LuaRocks to v3.12.2. (#14234) +* Images: Trigger other builds (2/2). (#14231) +* Images: Trigger other builds (1/2). (#14228) +* CI: Pin Helm version. (#14225) +* Tests: Bump Test Runner to v2.2.5. (#14221) +* Images: Trigger Test Runner build. (#14218) +* Images: Bump NGINX to v2.2.5. (#14215) +* Images: Trigger NGINX build. (#14212) +* Go: Update dependencies. (#14209) +* Docs: Fix typo. (#14185) +* CI: Update Helm to v3.19.2. (#14169) +* Go: Update dependencies. (#14168) +* CI: Update Kubernetes to v1.34.2. (#14167) +* CI: Update Helm to v3.19.1. (#14164) +* Custom Error Pages: Do not write status code too soon. (#14161) +* Images: Bump GCB Docker GCloud to v20251110-7ccd542560. (#14155) +* Go: Update dependencies. (#14158) +* Tests: Bump Ginkgo to v2.27.2. (#14152) +* Go: Bump to v1.25.4. (#14133) +* Controller: Fix host/path overlap detection for multiple rules. (#13162) +* Bye bye, v1.12. 
(#14124) + +### Dependency updates: + +* Bump docker/setup-buildx-action from 3.12.0 to 4.0.0 (#14646) +* Bump docker/login-action from 3.7.0 to 4.0.0 (#14645) +* Bump docker/setup-qemu-action from 3.7.0 to 4.0.0 (#14644) +* Bump the actions group with 5 updates (#14643) +* Bump actions/download-artifact from 7.0.0 to 8.0.0 (#14610) +* Bump the go group across 3 directories with 9 updates (#14612) +* Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#14611) +* Bump actions/setup-go from 6.2.0 to 6.3.0 in the actions group (#14609) +* Bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 (#14589) +* Bump the actions group with 4 updates (#14588) +* Bump google.golang.org/grpc from 1.78.0 to 1.79.1 (#14571) +* Bump the go group across 3 directories with 9 updates (#14568) +* Bump github.com/pires/go-proxyproto from 0.10.0 to 0.11.0 (#14570) +* Bump the actions group with 2 updates (#14567) +* Bump golang.org/x/crypto from 0.47.0 to 0.48.0 (#14572) +* Bump google.golang.org/grpc from 1.78.0 to 1.79.1 in /images/go-grpc-greeter-server/rootfs (#14569) +* Bump github/codeql-action from 4.32.0 to 4.32.2 in the actions group (#14544) +* Bump golang.org/x/oauth2 from 0.34.0 to 0.35.0 (#14545) +* Bump the actions group with 2 updates (#14486) +* Bump github.com/pires/go-proxyproto from 0.8.1 to 0.9.1 (#14443) +* Bump the actions group with 3 updates (#14442) +* Bump the go group across 2 directories with 2 updates (#14394) +* Bump the actions group with 2 updates (#14393) +* Bump the go group across 1 directory with 2 updates (#14371) +* Bump dorny/test-reporter from 2.3.0 to 2.5.0 in the actions group (#14361) +* Bump google.golang.org/grpc from 1.77.0 to 1.78.0 (#14345) +* Bump google.golang.org/grpc from 1.77.0 to 1.78.0 in /images/go-grpc-greeter-server/rootfs (#14344) +* Bump k8s.io/apiextensions-apiserver from 0.34.3 to 0.35.0 (#14319) +* Bump k8s.io/kube-aggregator from 0.34.3 to 0.35.0 in /images/kube-webhook-certgen/rootfs (#14316) +* Bump k8s.io/apimachinery from 
0.34.3 to 0.35.0 in /images/ext-auth-example-authsvc/rootfs (#14315) +* Bump the actions group with 2 updates (#14314) +* Bump github/codeql-action from 4.31.7 to 4.31.8 in the actions group (#14296) +* Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#14298) +* Bump actions/download-artifact from 6.0.0 to 7.0.0 (#14297) +* Bump the go group across 2 directories with 1 update (#14260) +* Bump the actions group with 3 updates (#14258) +* Bump the actions group with 3 updates (#14241) +* Bump google.golang.org/grpc from 1.76.0 to 1.77.0 (#14198) +* Bump google.golang.org/grpc from 1.76.0 to 1.77.0 in /images/go-grpc-greeter-server/rootfs (#14197) +* Bump github.com/prometheus/common from 0.67.2 to 0.67.4 in /images/custom-error-pages/rootfs in the go group across 1 directory (#14196) +* Bump actions/checkout from 5.0.0 to 6.0.0 (#14195) +* Bump the actions group with 3 updates (#14194) +* Bump golang.org/x/crypto from 0.44.0 to 0.45.0 (#14188) +* Bump the actions group with 3 updates (#14182) +* Bump golang.org/x/oauth2 from 0.32.0 to 0.33.0 (#14143) +* Bump golangci/golangci-lint-action from 8.0.0 to 9.0.0 (#14142) +* Bump helm/chart-testing-action from e27de75c91e0f939bbffea4638c3c70430d7b857 to 6ec842c01de15ebb84c8627d2744a0c2f2755c9f (#14141) +* Bump docker/setup-qemu-action from 3.6.0 to 3.7.0 in the actions group (#14140) +* Bump the go group across 1 directory with 4 updates (#14128) +* Bump github/codeql-action from 4.31.0 to 4.31.2 in the actions group (#14113) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.14.0...controller-v1.15.0 diff --git a/changelog/controller-1.15.1.md b/changelog/controller-1.15.1.md new file mode 100644 index 0000000000..b7d9c7fb84 --- /dev/null +++ b/changelog/controller-1.15.1.md 
@@ -0,0 +1,30 @@
+# Changelog
+
+### controller-v1.15.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.15.1@sha256:594ceea76b01c592858f803f9ff4d2cb40542cae2060410b2c95f75907d659e1
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.15.1@sha256:af31d00c9d82c612896b380a9003bd36843b7647b98e4588251c66325317bc72
+
+### All changes:
+
+* Images: Trigger controller build. (#14732)
+* Template: Remove path from comment. (#14729)
+* Images: Bump other images. (#14725)
+* Images: Trigger other builds (2/2). (#14721)
+* Images: Trigger other builds (1/2). (#14717)
+* Tests: Bump Test Runner to v2.2.9. (#14713)
+* Images: Trigger Test Runner build. (#14709)
+* Go: Update dependencies. (#14705)
+* CI: Update Kubernetes to v1.35.3. (#14701)
+* Images: Trigger NGINX build. (#14697)
+* Go: Update dependencies. (#14693)
+* CI: Update Helm to v4.1.3. (#14689)
+
+### Dependency updates:
+
+* Bump the actions group with 2 updates (#14685)
+* Bump the go group across 1 directory with 2 updates (#14682)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.15.0...controller-v1.15.1
diff --git a/charts/Makefile b/charts/Makefile
new file mode 100644
index 0000000000..5c95d90261
--- /dev/null
+++ b/charts/Makefile
@@ -0,0 +1,30 @@
+# Copyright 2025 The Kubernetes Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+NAME ?=
+
+REGISTRY ?= us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx
+REPOSITORY ?= $(REGISTRY)/charts
+
+.PHONY: helm
+helm:
+ command -v helm || go install helm.sh/helm/v4/cmd/helm@v4.1.3
+
+.PHONY: package
+package: helm
+ helm package $(NAME)
+
+.PHONY: push
+push: package
+ helm push $(NAME)-*.tgz oci://$(REPOSITORY)
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 06faa41706..347c57370f 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -1,9 +1,9 @@ annotations: artifacthub.io/changes: | - - Update Ingress-Nginx version controller-v1.12.2 + - Update Ingress-Nginx version controller-v1.15.1 artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 1.12.2 +appVersion: 1.15.1 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer home: https://github.com/kubernetes/ingress-nginx
@@ -20,4 +20,4 @@ maintainers: name: ingress-nginx sources: - https://github.com/kubernetes/ingress-nginx -version: 4.12.2 +version: 4.15.1
diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index c415c2b899..71e4062491 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
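Review bot: In charts/Makefile, `NAME` defaults to empty and neither `package` nor `push` checks it, so a bare `make push` expands to `helm package` with no chart argument and then `helm push -*.tgz oci://$(REPOSITORY)`. A one-line guard at the top of the `package` recipe, e.g. `@test -n "$(NAME)" || { echo "NAME is required" >&2; exit 1; }`, would fail early with a clear message. The `$(NAME)-*.tgz` glob presumably also matches any archive left over from an earlier run, so for a target that publishes to the staging registry it would be safer to push the exact file `helm package` just produced. Separately, `command -v helm ||` accepts whatever helm is already on PATH, so the `v4.1.3` pin only takes effect when none is installed; a version check in the `helm` target would make the packaging toolchain reproducible.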
@@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.12.2](https://img.shields.io/badge/Version-4.12.2-informational?style=flat-square) ![AppVersion: 1.12.2](https://img.shields.io/badge/AppVersion-1.12.2-informational?style=flat-square) +![Version: 4.15.1](https://img.shields.io/badge/Version-4.15.1-informational?style=flat-square) ![AppVersion: 1.15.1](https://img.shields.io/badge/AppVersion-1.15.1-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. 
@@ -260,9 +260,12 @@ metadata: | controller.admissionWebhooks.certManager.rootCert.duration | string | `""` | | | controller.admissionWebhooks.certManager.rootCert.revisionHistoryLimit | int | `0` | Revision history limit of the root certificate. Ref.: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec | | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` | | +| controller.admissionWebhooks.createSecretJob.activeDeadlineSeconds | int | `0` | Deadline in seconds for the job to complete. Must be greater than 0 to enforce. If unset or 0, no deadline is enforced. | | controller.admissionWebhooks.createSecretJob.name | string | `"create"` | | | controller.admissionWebhooks.createSecretJob.resources | object | `{}` | | | controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers | +| controller.admissionWebhooks.createSecretJob.volumeMounts | list | `[]` | Volume mounts for secret creation containers | +| controller.admissionWebhooks.createSecretJob.volumes | list | `[]` | Volumes for secret creation pod | | controller.admissionWebhooks.enabled | bool | `true` | | | controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set | | controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use | 
@@ -272,10 +275,10 @@ metadata: | controller.admissionWebhooks.namespaceSelector | object | `{}` | | | controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | | -| controller.admissionWebhooks.patch.image.digest | string | `"sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524"` | | +| controller.admissionWebhooks.patch.image.digest | string | `"sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd"` | | | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | -| controller.admissionWebhooks.patch.image.tag | string | `"v1.5.3"` | | +| controller.admissionWebhooks.patch.image.tag | string | `"v1.6.9"` | | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | | controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | 
@@ -290,9 +293,12 @@ metadata: | controller.admissionWebhooks.patch.serviceAccount.create | bool | `true` | Create a service account or not | | controller.admissionWebhooks.patch.serviceAccount.name | string | `""` | Custom service account name | | controller.admissionWebhooks.patch.tolerations | list | `[]` | | +| controller.admissionWebhooks.patchWebhookJob.activeDeadlineSeconds | int | `0` | Deadline in seconds for the job to complete. Must be greater than 0 to enforce. If unset or 0, no deadline is enforced. | | controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` | | | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | | | controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers | +| controller.admissionWebhooks.patchWebhookJob.volumeMounts | list | `[]` | Volume mounts for webhook patch containers | +| controller.admissionWebhooks.patchWebhookJob.volumes | list | `[]` | Volumes for webhook patch pod | | controller.admissionWebhooks.port | int | `8443` | | | controller.admissionWebhooks.service.annotations | object | `{}` | | | controller.admissionWebhooks.service.externalIPs | list | `[]` | | 
@@ -329,7 +335,7 @@ metadata: | controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use | | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. | | controller.extraEnvs | list | `[]` | Additional environment variables to set | -| controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. | +| controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. Values may contain Helm templates. | | controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. | | controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. | | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. | @@ -343,8 +349,8 @@ metadata: | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `false` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:03497ee984628e95eca9b2279e3f3a3c1685dd48635479e627d219f00c8eefa9"` | | -| controller.image.digestChroot | string | `"sha256:a697e2bfa419768315250d079ccbbca45f6099c60057769702b912d20897a574"` | | +| controller.image.digest | string | `"sha256:594ceea76b01c592858f803f9ff4d2cb40542cae2060410b2c95f75907d659e1"` | | +| controller.image.digestChroot | string | `"sha256:af31d00c9d82c612896b380a9003bd36843b7647b98e4588251c66325317bc72"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.readOnlyRootFilesystem | bool | `false` | | 
@@ -352,7 +358,7 @@ metadata: | controller.image.runAsNonRoot | bool | `true` | | | controller.image.runAsUser | int | `101` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) | | controller.image.seccompProfile.type | string | `"RuntimeDefault"` | | -| controller.image.tag | string | `"v1.12.2"` | | +| controller.image.tag | string | `"v1.15.1"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. | 
@@ -411,6 +417,7 @@ metadata: | controller.metrics.serviceMonitor.relabelings | list | `[]` | | | controller.metrics.serviceMonitor.sampleLimit | int | `0` | Defines a per-scrape limit on the number of scraped samples that will be accepted. | | controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | | +| controller.metrics.serviceMonitor.scrapeTimeout | string | `""` | Timeout after which the scrape is ended. Not being set if empty and therefore defaults to the global Prometheus scrape timeout. | | controller.metrics.serviceMonitor.targetLabels | list | `[]` | | | controller.metrics.serviceMonitor.targetLimit | int | `0` | Defines a limit on the number of scraped targets that will be accepted. | | controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. | @@ -437,6 +444,7 @@ metadata: | controller.readinessProbe.timeoutSeconds | int | `1` | | | controller.replicaCount | int | `1` | | | controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply | +| controller.resizePolicy | list | `[]` | Resize policy for controller containers. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources | | controller.resources.requests.cpu | string | `"100m"` | | | controller.resources.requests.memory | string | `"90Mi"` | | | controller.runtimeClassName | string | `""` | Instruct the kubelet to use the named RuntimeClass to run the pod | diff --git a/charts/ingress-nginx/changelog/helm-chart-4.11.7.md b/charts/ingress-nginx/changelog/helm-chart-4.11.7.md new file mode 100644 index 0000000000..28f88c559d --- /dev/null 
+++ b/charts/ingress-nginx/changelog/helm-chart-4.11.7.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.11.7
+
+* Update Ingress-Nginx version controller-v1.11.7
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.6...helm-chart-4.11.7
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.11.8.md b/charts/ingress-nginx/changelog/helm-chart-4.11.8.md
new file mode 100644
index 0000000000..902b49e36b
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.11.8.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.11.8
+
+* Update Ingress-Nginx version controller-v1.11.8
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.7...helm-chart-4.11.8
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.12.3.md b/charts/ingress-nginx/changelog/helm-chart-4.12.3.md
new file mode 100644
index 0000000000..83501691c8
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.12.3.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.12.3
+
+* Update Ingress-Nginx version controller-v1.12.3
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.12.2...helm-chart-4.12.3
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.12.4.md b/charts/ingress-nginx/changelog/helm-chart-4.12.4.md
new file mode 100644
index 0000000000..43472aef72
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.12.4.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.12.4
+
+* Update Ingress-Nginx version controller-v1.12.4
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.12.3...helm-chart-4.12.4
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.12.5.md b/charts/ingress-nginx/changelog/helm-chart-4.12.5.md
new file mode 100644
index 0000000000..9d7eb96d38
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.12.5.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.12.5
+
+* Make: Add `helm-test` target. (#13660)
+* Update Ingress-Nginx version controller-v1.12.5
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.12.4...helm-chart-4.12.5
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.12.6.md b/charts/ingress-nginx/changelog/helm-chart-4.12.6.md
new file mode 100644
index 0000000000..50c0a0d17a
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.12.6.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.12.6
+
+* Update Ingress-Nginx version controller-v1.12.6
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.12.5...helm-chart-4.12.6
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.12.7.md b/charts/ingress-nginx/changelog/helm-chart-4.12.7.md
new file mode 100644
index 0000000000..9b7460ae3c
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.12.7.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.12.7
+
+* Update Ingress-Nginx version controller-v1.12.7
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.12.7...helm-chart-4.12.7
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.12.8.md b/charts/ingress-nginx/changelog/helm-chart-4.12.8.md
new file mode 100644
index 0000000000..ec4d5605ac
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.12.8.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.12.8
+
+* Update Ingress-Nginx version controller-v1.12.8
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.12.7...helm-chart-4.12.8
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.13.0.md b/charts/ingress-nginx/changelog/helm-chart-4.13.0.md
new file mode 100644
index 0000000000..41fc9b5d50
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.13.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.13.0
+
+* Update Ingress-Nginx version controller-v1.13.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.12.0...helm-chart-4.13.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.13.1.md b/charts/ingress-nginx/changelog/helm-chart-4.13.1.md
new file mode 100644
index 0000000000..6a85c540da
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.13.1.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.13.1
+
+* Make: Add `helm-test` target. (#13659)
+* Update Ingress-Nginx version controller-v1.13.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.13.0...helm-chart-4.13.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.13.2.md b/charts/ingress-nginx/changelog/helm-chart-4.13.2.md
new file mode 100644
index 0000000000..931159b39f
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.13.2.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.13.2
+
+* Update Ingress-Nginx version controller-v1.13.2
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.13.1...helm-chart-4.13.2
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.13.3.md b/charts/ingress-nginx/changelog/helm-chart-4.13.3.md
new file mode 100644
index 0000000000..25abec80b3
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.13.3.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.13.3
+
+* Update Ingress-Nginx version controller-v1.13.3
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.13.2...helm-chart-4.13.3
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.13.4.md b/charts/ingress-nginx/changelog/helm-chart-4.13.4.md
new file mode 100644
index 0000000000..5242b31e72
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.13.4.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.13.4
+
+* Update Ingress-Nginx version controller-v1.13.4
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.13.3...helm-chart-4.13.4
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.13.5.md b/charts/ingress-nginx/changelog/helm-chart-4.13.5.md
new file mode 100644
index 0000000000..41a117b480
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.13.5.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.13.5
+
+* Update Ingress-Nginx version controller-v1.13.5
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.13.4...helm-chart-4.13.5
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.13.6.md b/charts/ingress-nginx/changelog/helm-chart-4.13.6.md
new file mode 100644
index 0000000000..1610c3b1b9
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.13.6.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.13.6
+
+* Update Ingress-Nginx version controller-v1.13.6
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.13.5...helm-chart-4.13.6
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.13.7.md b/charts/ingress-nginx/changelog/helm-chart-4.13.7.md
new file mode 100644
index 0000000000..5c25460b06
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.13.7.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.13.7
+
+* Update Ingress-Nginx version controller-v1.13.7
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.13.6...helm-chart-4.13.7
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.13.8.md b/charts/ingress-nginx/changelog/helm-chart-4.13.8.md
new file mode 100644
index 0000000000..bb62d8d0dc
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.13.8.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.13.8
+
+* Update Ingress-Nginx version controller-v1.13.8
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.13.7...helm-chart-4.13.8
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.14.0.md b/charts/ingress-nginx/changelog/helm-chart-4.14.0.md
new file mode 100644
index 0000000000..cae539a6ca
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.14.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.14.0
+
+* Update Ingress-Nginx version controller-v1.14.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.13.3...helm-chart-4.14.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.14.1.md b/charts/ingress-nginx/changelog/helm-chart-4.14.1.md
new file mode 100644
index 0000000000..3a3be9405c
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.14.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.14.1
+
+* Update Ingress-Nginx version controller-v1.14.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.14.0...helm-chart-4.14.1
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.14.2.md b/charts/ingress-nginx/changelog/helm-chart-4.14.2.md
new file mode 100644
index 0000000000..3c756b5211
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.14.2.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.14.2
+
+* Update Ingress-Nginx version controller-v1.14.2
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.14.2...helm-chart-4.14.2
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.14.3.md b/charts/ingress-nginx/changelog/helm-chart-4.14.3.md
new file mode 100644
index 0000000000..d93925f11c
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.14.3.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.14.3
+
+* Update Ingress-Nginx version controller-v1.14.3
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.14.2...helm-chart-4.14.3
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.14.4.md b/charts/ingress-nginx/changelog/helm-chart-4.14.4.md
new file mode 100644
index 0000000000..3647c9885a
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.14.4.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.14.4
+
+* Update Ingress-Nginx version controller-v1.14.4
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.14.3...helm-chart-4.14.4
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.15.0.md b/charts/ingress-nginx/changelog/helm-chart-4.15.0.md
new file mode 100644
index 0000000000..47cb77a19e
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.15.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.15.0
+
+* Update Ingress-Nginx version controller-v1.15.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.14.0...helm-chart-4.15.0
diff --git a/charts/ingress-nginx/changelog/helm-chart-4.15.1.md b/charts/ingress-nginx/changelog/helm-chart-4.15.1.md
new file mode 100644
index 0000000000..95dc80f988
--- /dev/null
+++ b/charts/ingress-nginx/changelog/helm-chart-4.15.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.15.1
+
+* Update Ingress-Nginx version controller-v1.15.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.15.0...helm-chart-4.15.1
diff --git a/charts/ingress-nginx/cloudbuild.yaml b/charts/ingress-nginx/cloudbuild.yaml
new file mode 100644
index 0000000000..0adfceb0c3
--- /dev/null
+++ b/charts/ingress-nginx/cloudbuild.yaml
@@ -0,0 +1,11 @@ +options: + # Ignore Prow provided substitutions. + substitution_option: ALLOW_LOOSE +steps: +- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20260127-c1affcc8de + dir: charts + env: + - NAME=ingress-nginx + entrypoint: make + args: + - push diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml index 83e71b48ba..f0df819d2d 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml @@ -18,6 +18,9 @@ metadata: {{- end }} spec: ttlSecondsAfterFinished: 0 +{{- if gt (int .Values.controller.admissionWebhooks.createSecretJob.activeDeadlineSeconds) 0 }} + activeDeadlineSeconds: {{ .Values.controller.admissionWebhooks.createSecretJob.activeDeadlineSeconds }} +{{- end }} template: metadata: name: {{ include "ingress-nginx.admissionWebhooks.createSecretJob.fullname" . }} @@ -65,6 +68,9 @@ spec: {{- if .Values.controller.admissionWebhooks.createSecretJob.resources }} resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }} {{- end }} + {{- if .Values.controller.admissionWebhooks.createSecretJob.volumeMounts }} + volumeMounts: {{- toYaml .Values.controller.admissionWebhooks.createSecretJob.volumeMounts | nindent 12 }} + {{- end }} restartPolicy: OnFailure serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }} 
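Review bot: The build step in `cloudbuild.yaml` references its builder image by tag only (`gcb-docker-gcloud:v20260127-c1affcc8de`), whereas the rest of this change pins GitHub Actions by commit SHA and the controller images by digest. This step runs `make push`, so it presumably executes with credentials that can publish charts to the staging registry; if the tag were ever re-pointed, the replacement image would run with those credentials. Pinning the digest closes that gap: `name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20260127-c1affcc8de@sha256:<digest-of-that-tag>`.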
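Review bot: In the first `job-createSecret.yaml` hunk the guard converts the value with `int` but the rendered line prints it raw, so the check and the output can disagree. A value such as `1.5` passes `gt (int …) 0` yet renders `activeDeadlineSeconds: 1.5`, and large integers from a values file may render in float notation (Helm appears to decode values-file numbers as floats; worth confirming). The API server would reject either form. Rendering `activeDeadlineSeconds: {{ int .Values.controller.admissionWebhooks.createSecretJob.activeDeadlineSeconds }}` keeps guard and output consistent; the matching hunk in `job-patchWebhook.yaml` has the same pattern. The Job spec continues outside this hunk.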
@@ -77,4 +83,7 @@ spec: {{- if .Values.controller.admissionWebhooks.patch.securityContext }} securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }} {{- end }} + {{- if .Values.controller.admissionWebhooks.createSecretJob.volumes }} + volumes: {{- toYaml .Values.controller.admissionWebhooks.createSecretJob.volumes | nindent 8 }} + {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml index a2538ec269..cd05f704bb 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml @@ -18,6 +18,9 @@ metadata: {{- end }} spec: ttlSecondsAfterFinished: 0 +{{- if gt (int .Values.controller.admissionWebhooks.patchWebhookJob.activeDeadlineSeconds) 0 }} + activeDeadlineSeconds: {{ .Values.controller.admissionWebhooks.patchWebhookJob.activeDeadlineSeconds }} +{{- end }} template: metadata: name: {{ include "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" . }} @@ -67,6 +70,9 @@ spec: {{- if .Values.controller.admissionWebhooks.patchWebhookJob.resources }} resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }} {{- end }} + {{- if .Values.controller.admissionWebhooks.patchWebhookJob.volumeMounts }} + volumeMounts: {{- toYaml .Values.controller.admissionWebhooks.patchWebhookJob.volumeMounts | nindent 12 }} + {{- end }} restartPolicy: OnFailure serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }} 
@@ -79,4 +85,7 @@ spec: {{- if .Values.controller.admissionWebhooks.patch.securityContext }} securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }} {{- end }} + {{- if .Values.controller.admissionWebhooks.patchWebhookJob.volumes }} + volumes: {{- toYaml .Values.controller.admissionWebhooks.patchWebhookJob.volumes | nindent 8 }} + {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml index a9a3dee399..3cc1520e2d 100644 --- a/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/charts/ingress-nginx/templates/controller-daemonset.yaml @@ -174,13 +174,18 @@ spec: {{- if .Values.controller.resources }} resources: {{ toYaml .Values.controller.resources | nindent 12 }} {{- end }} + {{- if semverCompare ">=1.33.0-0" .Capabilities.KubeVersion.Version }} + {{- if .Values.controller.resizePolicy }} + resizePolicy: {{ toYaml .Values.controller.resizePolicy | nindent 12 }} + {{- end }} + {{- end }} {{- if .Values.controller.extraContainers }} {{- toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }} initContainers: {{- if .Values.controller.extraInitContainers }} - {{- toYaml .Values.controller.extraInitContainers | nindent 8 }} + {{- tpl (toYaml .Values.controller.extraInitContainers) $ | nindent 8 }} {{- end }} {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index 224694d1b3..a20b417bee 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml 
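Review bot: Passing `controller.extraInitContainers` through `tpl` in `controller-daemonset.yaml` changes how existing values are interpreted. Any literal `{{ … }}` already present in a user's init-container command or args is now evaluated by Helm instead of being emitted verbatim, which can break rendering or alter the manifest on upgrade. It also means whoever supplies that value gets template evaluation against the release's root context, which matters wherever values come from a less-trusted source than the chart operator. The README row gains "Values may contain Helm templates", but the chart changelog for 4.15.1 lists only the controller version bump; a changelog entry and a `values.yaml` comment telling users to escape literal braces would make the behaviour change visible. The same `tpl` change appears in `controller-deployment.yaml` and for `defaultBackend.extraVolumes` in `default-backend-deployment.yaml`, and no README update for the latter is visible in these hunks.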
@@ -180,13 +180,18 @@ spec: {{- if .Values.controller.resources }} resources: {{ toYaml .Values.controller.resources | nindent 12 }} {{- end }} + {{- if semverCompare ">=1.33.0-0" .Capabilities.KubeVersion.Version }} + {{- if .Values.controller.resizePolicy }} + resizePolicy: {{ toYaml .Values.controller.resizePolicy | nindent 12 }} + {{- end }} + {{- end }} {{- if .Values.controller.extraContainers }} {{- toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }} initContainers: {{- if .Values.controller.extraInitContainers }} - {{- toYaml .Values.controller.extraInitContainers | nindent 8 }} + {{- tpl (toYaml .Values.controller.extraInitContainers) $ | nindent 8 }} {{- end }} {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} diff --git a/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/charts/ingress-nginx/templates/controller-servicemonitor.yaml index 85bb84186a..defdf00f03 100644 --- a/charts/ingress-nginx/templates/controller-servicemonitor.yaml +++ b/charts/ingress-nginx/templates/controller-servicemonitor.yaml @@ -32,6 +32,9 @@ spec: endpoints: - port: {{ .Values.controller.metrics.portName }} interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }} + {{- if .Values.controller.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.controller.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} {{- if .Values.controller.metrics.serviceMonitor.honorLabels }} honorLabels: true {{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml index 75c3d09cbf..a25dd4e247 100644 --- a/charts/ingress-nginx/templates/default-backend-deployment.yaml +++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml 
@@ -118,6 +118,6 @@ spec: {{- end }} terminationGracePeriodSeconds: 60 {{- if .Values.defaultBackend.extraVolumes }} - volumes: {{ toYaml .Values.defaultBackend.extraVolumes | nindent 8 }} + volumes: {{ tpl (toYaml .Values.defaultBackend.extraVolumes) $ | nindent 8 }} {{- end }} {{- end }} diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml index b5272553b2..752e68c427 100644 --- a/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml +++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml 
@@ -10,3 +10,69 @@ tests: - equal: path: spec.template.spec.automountServiceAccountToken value: false + + - it: should create a Job with `activeDeadlineSeconds` if `controller.admissionWebhooks.createSecretJob.activeDeadlineSeconds ` is set + set: + controller.admissionWebhooks.createSecretJob.activeDeadlineSeconds: 1 + asserts: + - equal: + path: spec.activeDeadlineSeconds + value: 1 + + - it: should create a Job with custom volumes and volume mounts if `controller.admissionWebhooks.createSecretJob.volumes` and `controller.admissionWebhooks.createSecretJob.volumeMounts` are set + set: + controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false + controller.admissionWebhooks.createSecretJob.volumeMounts: + - name: kube-api-access + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + controller.admissionWebhooks.createSecretJob.volumes: + - name: kube-api-access + projected: + defaultMode: 0444 + sources: + - serviceAccountToken: + path: token + expirationSeconds: 3600 + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + - downwardAPI: + items: + - path: namespace + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + asserts: + - equal: + path: spec.template.spec.automountServiceAccountToken + value: false + - equal: + path: spec.template.spec.containers[0].volumeMounts + value: + - name: kube-api-access + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + - equal: + path: spec.template.spec.volumes + value: + - name: kube-api-access + projected: + defaultMode: 0444 + sources: + - serviceAccountToken: + path: token + expirationSeconds: 3600 + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + - downwardAPI: + items: + - path: namespace + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace 
diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml index ca4c6b4c21..2ad589b711 100644 --- a/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml +++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml 
@@ -10,3 +10,69 @@ tests: - equal: path: spec.template.spec.automountServiceAccountToken value: false + + - it: should create a Job with `activeDeadlineSeconds` if `controller.admissionWebhooks.patchWebhookJob.activeDeadlineSeconds ` is set + set: + controller.admissionWebhooks.patchWebhookJob.activeDeadlineSeconds: 1 + asserts: + - equal: + path: spec.activeDeadlineSeconds + value: 1 + + - it: should create a Job with custom volumes and volume mounts if `controller.admissionWebhooks.patchWebhookJob.volumes` and `controller.admissionWebhooks.patchWebhookJob.volumeMounts` are set + set: + controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false + controller.admissionWebhooks.patchWebhookJob.volumeMounts: + - name: kube-api-access + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + controller.admissionWebhooks.patchWebhookJob.volumes: + - name: kube-api-access + projected: + defaultMode: 0444 + sources: + - serviceAccountToken: + path: token + expirationSeconds: 3600 + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + - downwardAPI: + items: + - path: namespace + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + asserts: + - equal: + path: spec.template.spec.automountServiceAccountToken + value: false + - equal: + path: spec.template.spec.containers[0].volumeMounts + value: + - name: kube-api-access + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + - equal: + path: spec.template.spec.volumes + value: + - name: kube-api-access + projected: + defaultMode: 0444 + sources: + - serviceAccountToken: + path: token + expirationSeconds: 3600 + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + - downwardAPI: + items: + - path: namespace + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace 
diff --git a/charts/ingress-nginx/tests/controller-daemonset_test.yaml b/charts/ingress-nginx/tests/controller-daemonset_test.yaml index 9f79a3b23d..4366082ff3 100644 --- a/charts/ingress-nginx/tests/controller-daemonset_test.yaml +++ b/charts/ingress-nginx/tests/controller-daemonset_test.yaml @@ -96,6 +96,24 @@ tests: maxSkew: 1 whenUnsatisfiable: ScheduleAnyway + - it: should create a DaemonSet with templated init containers if `controller.extraInitContainers` contains Helm templates + set: + controller.kind: DaemonSet + controller.extraInitContainers: + - name: '{{ .Release.Name }}-init' + image: busybox + command: + - sh + - -c + - echo '{{ .Release.Namespace }}'; + asserts: + - equal: + path: spec.template.spec.initContainers[0].name + value: RELEASE-NAME-init + - contains: + path: spec.template.spec.initContainers[0].command + content: echo 'NAMESPACE'; + - it: should create a DaemonSet with affinity if `controller.affinity` is set set: controller.kind: DaemonSet @@ -208,3 +226,23 @@ tests: - equal: path: spec.template.spec.runtimeClassName value: myClass + + - it: should create a DaemonSet with resize policy if `controller.resizePolicy` is set + capabilities: + majorVersion: 1 + minorVersion: 33 + set: + controller.kind: DaemonSet + controller.resizePolicy: + - resourceName: cpu + restartPolicy: NotRequired + - resourceName: memory + restartPolicy: RestartContainer + asserts: + - equal: + path: spec.template.spec.containers[0].resizePolicy + value: + - resourceName: cpu + restartPolicy: NotRequired + - resourceName: memory + restartPolicy: RestartContainer diff --git a/charts/ingress-nginx/tests/controller-deployment_test.yaml b/charts/ingress-nginx/tests/controller-deployment_test.yaml index 37b6908853..38431ccbed 100644 --- a/charts/ingress-nginx/tests/controller-deployment_test.yaml +++ b/charts/ingress-nginx/tests/controller-deployment_test.yaml 
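Review bot: The resize-policy case in the second controller-daemonset_test.yaml hunk only exercises the branch where the cluster version passes the template's `semverCompare ">=1.33.0-0"` gate. Nothing asserts that `resizePolicy` is left out on an older cluster, which is exactly where a user's setting is dropped without any message. A companion case with `minorVersion: 32` and a `notExists` assertion would pin that behaviour. The matching hunk in controller-deployment_test.yaml has the same gap.

```yaml
  - it: should create a DaemonSet without resize policy if the cluster is older than 1.33
    capabilities:
      majorVersion: 1
      minorVersion: 32
    set:
      controller.kind: DaemonSet
      controller.resizePolicy:
        - resourceName: cpu
          restartPolicy: NotRequired
    asserts:
      - notExists:
          path: spec.template.spec.containers[0].resizePolicy
```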
@@ -119,6 +119,23 @@ tests: maxSkew: 1 whenUnsatisfiable: ScheduleAnyway + - it: should create a Deployment with templated init containers if `controller.extraInitContainers` contains Helm templates + set: + controller.extraInitContainers: + - name: '{{ .Release.Name }}-init' + image: busybox + command: + - sh + - -c + - echo '{{ .Release.Namespace }}'; + asserts: + - equal: + path: spec.template.spec.initContainers[0].name + value: RELEASE-NAME-init + - contains: + path: spec.template.spec.initContainers[0].command + content: echo 'NAMESPACE'; + - it: should create a Deployment with affinity if `controller.affinity` is set set: controller.affinity: @@ -231,3 +248,22 @@ tests: - equal: path: spec.template.spec.runtimeClassName value: myClass + + - it: should create a Deployment with resize policy if `controller.resizePolicy` is set + capabilities: + majorVersion: 1 + minorVersion: 33 + set: + controller.resizePolicy: + - resourceName: cpu + restartPolicy: NotRequired + - resourceName: memory + restartPolicy: RestartContainer + asserts: + - equal: + path: spec.template.spec.containers[0].resizePolicy + value: + - resourceName: cpu + restartPolicy: NotRequired + - resourceName: memory + restartPolicy: RestartContainer diff --git a/charts/ingress-nginx/tests/controller-service-internal_test.yaml b/charts/ingress-nginx/tests/controller-service-internal_test.yaml index c0ece07d54..a44d974817 100644 --- a/charts/ingress-nginx/tests/controller-service-internal_test.yaml +++ b/charts/ingress-nginx/tests/controller-service-internal_test.yaml @@ -63,7 +63,7 @@ tests: value: PreferClose - it: should create a Service with labels if `controller.service.internal.labels` is set - set: + set: controller.service.internal.enabled: true controller.service.internal.annotations: test.annotation: "true" diff --git a/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml b/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml index 7edee98c54..2fed3bc425 100644 
--- a/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml +++ b/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml @@ -77,3 +77,22 @@ tests: - equal: path: spec.targetLimit value: 100 + + - it: should create a ServiceMonitor with `scrapeTimeout` if `controller.metrics.serviceMonitor.scrapeTimeout` is set + set: + controller.metrics.enabled: true + controller.metrics.serviceMonitor.enabled: true + controller.metrics.serviceMonitor.scrapeTimeout: 60s + asserts: + - equal: + path: spec.endpoints[0].scrapeTimeout + value: 60s + + - it: should create a ServiceMonitor without `scrapeTimeout` if `controller.metrics.serviceMonitor.scrapeTimeout` is unset + set: + controller.metrics.enabled: true + controller.metrics.serviceMonitor.enabled: true + controller.metrics.serviceMonitor.scrapeTimeout: "" + asserts: + - notExists: + path: spec.endpoints[0].scrapeTimeout diff --git a/charts/ingress-nginx/tests/default-backend-deployment_test.yaml b/charts/ingress-nginx/tests/default-backend-deployment_test.yaml index 11d400c462..ed3bb87417 100644 --- a/charts/ingress-nginx/tests/default-backend-deployment_test.yaml +++ b/charts/ingress-nginx/tests/default-backend-deployment_test.yaml @@ -196,3 +196,26 @@ tests: - equal: path: spec.template.spec.automountServiceAccountToken value: false + + - it: should create a Deployment with extra volumes if `defaultBackend.extraVolumes` is set + set: + defaultBackend.enabled: true + defaultBackend.extraVolumes: + - name: extra-volume + configMap: + name: '{{ .Release.Name }}' + defaultBackend.extraVolumeMounts: + - name: extra-volume + mountPath: /extra + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: extra-volume + configMap: + name: RELEASE-NAME + - equal: + path: spec.template.spec.containers[0].volumeMounts + value: + - name: extra-volume + mountPath: /extra diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 15152afd64..70679feb51 100644 
--- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -30,9 +30,9 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.12.2" - digest: sha256:03497ee984628e95eca9b2279e3f3a3c1685dd48635479e627d219f00c8eefa9 - digestChroot: sha256:a697e2bfa419768315250d079ccbbca45f6099c60057769702b912d20897a574 + tag: "v1.15.1" + digest: sha256:594ceea76b01c592858f803f9ff4d2cb40542cae2060410b2c95f75907d659e1 + digestChroot: sha256:af31d00c9d82c612896b380a9003bd36843b7647b98e4588251c66325317bc72 pullPolicy: IfNotPresent runAsNonRoot: true # -- This value must not be changed using the official image. @@ -401,6 +401,13 @@ controller: requests: cpu: 100m memory: 90Mi + # -- Resize policy for controller containers. + # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources + resizePolicy: [] + # - resourceName: cpu + # restartPolicy: NotRequired + # - resourceName: memory + # restartPolicy: RestartContainer # Mutually exclusive with keda autoscaling autoscaling: enabled: false @@ -534,7 +541,6 @@ controller: # -- Traffic distribution policy of the external controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution trafficDistribution: "" - # -- Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. # Fields `ipFamilies` and `clusterIP` depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services 
@@ -624,7 +630,6 @@ controller: # -- Traffic distribution policy of the internal controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution trafficDistribution: "" - # -- Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. # Fields `ipFamilies` and `clusterIP` depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services @@ -704,11 +709,17 @@ controller: # - name: copy-portal-skins # emptyDir: {} - # -- Containers, which are run before the app containers are started. + # -- Containers, which are run before the app containers are started. Values may contain Helm templates. extraInitContainers: [] # - name: init-myservice # image: busybox # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] + # - name: init-dynamic + # image: busybox + # command: + # - sh + # - -c + # - echo "Release={{ .Release.Name }} Namespace={{ .Release.Namespace }}" # -- Modules, which are mounted into the core nginx image. extraModules: [] @@ -776,6 +787,8 @@ controller: type: ClusterIP createSecretJob: name: create + # -- Deadline in seconds for the job to complete. Must be greater than 0 to enforce. If unset or 0, no deadline is enforced. + activeDeadlineSeconds: 0 # -- Security context for secret creation containers securityContext: runAsNonRoot: true 
@@ -795,8 +808,20 @@ controller: # requests: # cpu: 10m # memory: 20Mi + # -- Volume mounts for secret creation containers + volumeMounts: [] + # - name: certs + # mountPath: /etc/webhook/certs + # readOnly: true + # -- Volumes for secret creation pod + volumes: [] + # - name: certs + # secret: + # secretName: my-webhook-secret patchWebhookJob: name: patch + # -- Deadline in seconds for the job to complete. Must be greater than 0 to enforce. If unset or 0, no deadline is enforced. + activeDeadlineSeconds: 0 # -- Security context for webhook patch containers securityContext: runAsNonRoot: true @@ -810,6 +835,16 @@ controller: - ALL readOnlyRootFilesystem: true resources: {} + # -- Volume mounts for webhook patch containers + volumeMounts: [] + # - name: certs + # mountPath: /etc/webhook/certs + # readOnly: true + # -- Volumes for webhook patch pod + volumes: [] + # - name: certs + # secret: + # secretName: my-webhook-secret patch: enabled: true image: @@ -818,8 +853,8 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: v1.5.3 - digest: sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + tag: v1.6.9 + digest: sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd pullPolicy: IfNotPresent # -- Provide a priority class name to the webhook patching job ## @@ -908,6 +943,8 @@ controller: ## namespaceSelector: ## any: true scrapeInterval: 30s + # -- Timeout after which the scrape is ended. Not being set if empty and therefore defaults to the global Prometheus scrape timeout. + scrapeTimeout: "" # honorLabels: true targetLabels: [] relabelings: [] 
@@ -1189,7 +1226,6 @@ defaultBackend: # This value is immutable. Set once, it can not be changed without deleting and re-creating the service. # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address clusterIPs: [] - # -- List of IP addresses at which the default backend service is available ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips ## diff --git a/cloudbuild.yaml b/cloudbuild.yaml index e19be6bc90..5c3f779433 100644 --- a/cloudbuild.yaml +++ b/cloudbuild.yaml @@ -2,7 +2,7 @@ options: # Ignore Prow provided substitutions. substitution_option: ALLOW_LOOSE steps: -- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250513-9264efb079 +- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20260127-c1affcc8de env: - REPO_INFO=https://github.com/kubernetes/ingress-nginx - COMMIT_SHA=${_PULL_BASE_SHA} diff --git a/cmd/plugin/lints/ingress.go b/cmd/plugin/lints/ingress.go index d5ad42e2cd..b844deb05e 100644 --- a/cmd/plugin/lints/ingress.go +++ b/cmd/plugin/lints/ingress.go @@ -18,6 +18,7 @@ package lints import ( "fmt" + "regexp" "strings" networking "k8s.io/api/networking/v1" @@ -126,7 +127,7 @@ func annotationPrefixIsNginxOrg(ing *networking.Ingress) bool { func rewriteTargetWithoutCaptureGroup(ing *networking.Ingress) bool { for name, val := range ing.Annotations { - if strings.HasSuffix(name, "/rewrite-target") && !strings.Contains(val, "$1") { + if strings.HasSuffix(name, "/rewrite-target") && !regexp.MustCompile(`\$\d+`).MatchString(val) { return true } } diff --git a/cmd/plugin/util/util.go b/cmd/plugin/util/util.go index 7457b8c536..8504975ce7 100644 --- a/cmd/plugin/util/util.go +++ b/cmd/plugin/util/util.go 
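Review bot: In the `rewriteTargetWithoutCaptureGroup` hunk of cmd/plugin/lints/ingress.go, `regexp.MustCompile` is called inside the loop condition, so the pattern is recompiled for every annotation whose name ends in `/rewrite-target`. Compile it once at package scope, e.g. `var captureGroupRef = regexp.MustCompile("\\$\\d+")`, and test with `!captureGroupRef.MatchString(val)`. The pattern matches only `$` followed by digits, so a braced `${1}` or a named capture would presumably still be flagged if those forms are valid in a rewrite target. A one-line comment stating which reference forms the lint accepts would make that explicit. The function body continues past the end of the hunk.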
@@ -34,7 +34,7 @@ const ( DefaultIngressContainerName = "controller" ) -// IssuePrefix is the github url that we can append an issue number to to link to it +// IssuePrefix is the github url that we can append an issue number to link to it const IssuePrefix = "https://github.com/kubernetes/ingress-nginx/issues/" var versionRegex = regexp.MustCompile(`(\d)+\.(\d)+\.(\d)+.*`) diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index e938124a0e..fe5c83660a 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx rules: - apiGroups: 
@@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -344,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx spec: 
@@ -377,7 +377,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -400,7 +400,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -422,8 +422,9 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 spec: + automountServiceAccountToken: true containers: - args: - /nginx-ingress-controller @@ -446,7 +447,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.12.2@sha256:03497ee984628e95eca9b2279e3f3a3c1685dd48635479e627d219f00c8eefa9 + image: registry.k8s.io/ingress-nginx/controller:v1.15.1@sha256:594ceea76b01c592858f803f9ff4d2cb40542cae2060410b2c95f75907d659e1 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -523,7 +524,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -534,9 +535,10 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-create spec: + automountServiceAccountToken: true containers: - args: - create 
@@ -548,7 +550,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.3@sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent name: create securityContext: @@ -566,6 +568,7 @@ spec: kubernetes.io/os: linux restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission + ttlSecondsAfterFinished: 0 --- apiVersion: batch/v1 kind: Job @@ -575,7 +578,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -586,9 +589,10 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-patch spec: + automountServiceAccountToken: true containers: - args: - patch @@ -602,7 +606,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.3@sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent name: patch securityContext: @@ -620,6 +624,7 @@ spec: kubernetes.io/os: linux restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission + ttlSecondsAfterFinished: 0 --- apiVersion: networking.k8s.io/v1 kind: IngressClass 
@@ -629,7 +634,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -642,7 +647,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml index 0a9e643729..7fabdc7310 100644 --- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml +++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx rules: 
@@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -335,7 +335,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx --- 
@@ -353,7 +353,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -386,7 +386,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -409,7 +409,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -431,8 +431,9 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 spec: + automountServiceAccountToken: true containers: - args: - /nginx-ingress-controller @@ -455,7 +456,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.12.2@sha256:03497ee984628e95eca9b2279e3f3a3c1685dd48635479e627d219f00c8eefa9 + image: registry.k8s.io/ingress-nginx/controller:v1.15.1@sha256:594ceea76b01c592858f803f9ff4d2cb40542cae2060410b2c95f75907d659e1 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -535,7 +536,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: 
@@ -546,9 +547,10 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-create spec: + automountServiceAccountToken: true containers: - args: - create @@ -560,7 +562,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.3@sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent name: create securityContext: @@ -578,6 +580,7 @@ spec: kubernetes.io/os: linux restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission + ttlSecondsAfterFinished: 0 --- apiVersion: batch/v1 kind: Job @@ -587,7 +590,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -598,9 +601,10 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-patch spec: + automountServiceAccountToken: true containers: - args: - patch @@ -614,7 +618,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.3@sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent name: patch securityContext: 
@@ -632,6 +636,7 @@ spec: kubernetes.io/os: linux restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission + ttlSecondsAfterFinished: 0 --- apiVersion: networking.k8s.io/v1 kind: IngressClass @@ -641,7 +646,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -654,7 +659,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index 71d9531d96..d8913fded6 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx rules: 
@@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -372,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -395,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -417,8 +417,9 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 spec: + automountServiceAccountToken: true containers: - args: - /nginx-ingress-controller @@ -440,7 +441,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.12.2@sha256:03497ee984628e95eca9b2279e3f3a3c1685dd48635479e627d219f00c8eefa9 + image: registry.k8s.io/ingress-nginx/controller:v1.15.1@sha256:594ceea76b01c592858f803f9ff4d2cb40542cae2060410b2c95f75907d659e1 imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -517,7 +518,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -528,9 +529,10 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-create spec: + automountServiceAccountToken: true containers: - args: - create @@ -542,7 +544,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.3@sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent name: create securityContext: @@ -560,6 +562,7 @@ spec: kubernetes.io/os: linux restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission + ttlSecondsAfterFinished: 0 --- apiVersion: batch/v1 kind: Job @@ -569,7 +572,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -580,9 +583,10 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-patch spec: + automountServiceAccountToken: true containers: - args: - patch 
@@ -596,7 +600,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.3@sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent name: patch securityContext: @@ -614,6 +618,7 @@ spec: kubernetes.io/os: linux restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission + ttlSecondsAfterFinished: 0 --- apiVersion: networking.k8s.io/v1 kind: IngressClass @@ -623,7 +628,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -636,7 +641,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index 432a364f69..7caa359e2c 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx --- 
@@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -373,7 +373,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -396,7 +396,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -418,8 +418,9 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 spec: + automountServiceAccountToken: true containers: - args: - /nginx-ingress-controller 
@@ -442,7 +443,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.12.2@sha256:03497ee984628e95eca9b2279e3f3a3c1685dd48635479e627d219f00c8eefa9 + image: registry.k8s.io/ingress-nginx/controller:v1.15.1@sha256:594ceea76b01c592858f803f9ff4d2cb40542cae2060410b2c95f75907d659e1 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -519,7 +520,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -530,9 +531,10 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-create spec: + automountServiceAccountToken: true containers: - args: - create @@ -544,7 +546,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.3@sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent name: create securityContext: @@ -562,6 +564,7 @@ spec: kubernetes.io/os: linux restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission + ttlSecondsAfterFinished: 0 --- apiVersion: batch/v1 kind: Job @@ -571,7 +574,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: 
@@ -582,9 +585,10 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-patch spec: + automountServiceAccountToken: true containers: - args: - patch @@ -598,7 +602,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.3@sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent name: patch securityContext: @@ -616,6 +620,7 @@ spec: kubernetes.io/os: linux restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission + ttlSecondsAfterFinished: 0 --- apiVersion: networking.k8s.io/v1 kind: IngressClass @@ -625,7 +630,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -638,7 +643,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index 6ed8688b9f..d9f6b92834 100644 --- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx --- 
@@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: 
@@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -376,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx spec: 
@@ -421,8 +421,9 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 spec: + automountServiceAccountToken: true containers: - args: - /nginx-ingress-controller @@ -445,7 +446,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.12.2@sha256:03497ee984628e95eca9b2279e3f3a3c1685dd48635479e627d219f00c8eefa9 + image: registry.k8s.io/ingress-nginx/controller:v1.15.1@sha256:594ceea76b01c592858f803f9ff4d2cb40542cae2060410b2c95f75907d659e1 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -522,7 +523,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -533,9 +534,10 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-create spec: + automountServiceAccountToken: true containers: - args: - create @@ -547,7 +549,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.3@sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent name: create securityContext: @@ -565,6 +567,7 @@ spec: kubernetes.io/os: linux restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission + ttlSecondsAfterFinished: 0 --- apiVersion: batch/v1 kind: Job 
@@ -574,7 +577,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -585,9 +588,10 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-patch spec: + automountServiceAccountToken: true containers: - args: - patch @@ -601,7 +605,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.3@sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent name: patch securityContext: @@ -619,6 +623,7 @@ spec: kubernetes.io/os: linux restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission + ttlSecondsAfterFinished: 0 --- apiVersion: networking.k8s.io/v1 kind: IngressClass @@ -628,7 +633,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -641,7 +646,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml index 07d9c96bc1..0d6eb0a248 100644 --- a/deploy/static/provider/exoscale/deploy.yaml 
+++ b/deploy/static/provider/exoscale/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx roleRef: 
@@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -349,7 +349,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -382,7 +382,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: 
@@ -405,7 +405,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -423,8 +423,9 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 spec: + automountServiceAccountToken: true containers: - args: - /nginx-ingress-controller @@ -447,7 +448,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.12.2@sha256:03497ee984628e95eca9b2279e3f3a3c1685dd48635479e627d219f00c8eefa9 + image: registry.k8s.io/ingress-nginx/controller:v1.15.1@sha256:594ceea76b01c592858f803f9ff4d2cb40542cae2060410b2c95f75907d659e1 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -528,7 +529,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -539,9 +540,10 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-create spec: + automountServiceAccountToken: true containers: - args: - create 
@@ -553,7 +555,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.3@sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent name: create securityContext: @@ -571,6 +573,7 @@ spec: kubernetes.io/os: linux restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission + ttlSecondsAfterFinished: 0 --- apiVersion: batch/v1 kind: Job @@ -580,7 +583,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -591,9 +594,10 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-patch spec: + automountServiceAccountToken: true containers: - args: - patch @@ -607,7 +611,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.3@sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent name: patch securityContext: @@ -625,6 +629,7 @@ spec: kubernetes.io/os: linux restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission + ttlSecondsAfterFinished: 0 --- apiVersion: networking.k8s.io/v1 kind: IngressClass 
@@ -634,7 +639,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -647,7 +652,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml index 0e84ece112..14c0fec3b8 100644 --- a/deploy/static/provider/kind/deploy.yaml +++ b/deploy/static/provider/kind/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx rules: 
@@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx --- 
@@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -362,7 +362,7 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx - type: NodePort + type: LoadBalancer --- apiVersion: v1 kind: Service @@ -372,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -395,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -417,8 +417,9 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 spec: + automountServiceAccountToken: true containers: - args: - /nginx-ingress-controller @@ -442,7 +443,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.12.2@sha256:03497ee984628e95eca9b2279e3f3a3c1685dd48635479e627d219f00c8eefa9 + image: registry.k8s.io/ingress-nginx/controller:v1.15.1@sha256:594ceea76b01c592858f803f9ff4d2cb40542cae2060410b2c95f75907d659e1 imagePullPolicy: IfNotPresent lifecycle: preStop: 
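Review bot: The controller Service in `deploy/static/provider/kind/deploy.yaml` changes from `type: NodePort` to `type: LoadBalancer` (hunk at -362), and a later hunk (-505) drops the `ingress-ready: "true"` node selector, yet no kind-specific documentation change is visible in this part of the diff. A kind cluster presumably needs a separate load-balancer implementation before the Service gets an address, and without the selector the controller pod is no longer tied to a labelled node. I would state the new prerequisite, and how the controller is expected to be reached, next to the kind install instructions, so users do not work around a pending Service by exposing the controller in some less controlled way. The Service and Deployment specs start outside these hunks.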
@@ -505,7 +506,6 @@ spec: readOnly: true dnsPolicy: ClusterFirst nodeSelector: - ingress-ready: "true" kubernetes.io/os: linux serviceAccountName: ingress-nginx terminationGracePeriodSeconds: 0 @@ -529,7 +529,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -540,9 +540,10 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-create spec: + automountServiceAccountToken: true containers: - args: - create @@ -554,7 +555,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.3@sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent name: create securityContext: @@ -572,6 +573,7 @@ spec: kubernetes.io/os: linux restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission + ttlSecondsAfterFinished: 0 --- apiVersion: batch/v1 kind: Job @@ -581,7 +583,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: 
@@ -592,9 +594,10 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-patch spec: + automountServiceAccountToken: true containers: - args: - patch @@ -608,7 +611,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.3@sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent name: patch securityContext: @@ -626,6 +629,7 @@ spec: kubernetes.io/os: linux restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission + ttlSecondsAfterFinished: 0 --- apiVersion: networking.k8s.io/v1 kind: IngressClass @@ -635,7 +639,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -648,7 +652,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/oracle/deploy.yaml b/deploy/static/provider/oracle/deploy.yaml index 2cbc512a31..5cf2ff902c 100644 --- a/deploy/static/provider/oracle/deploy.yaml +++ b/deploy/static/provider/oracle/deploy.yaml 
@@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx roleRef: 
@@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -344,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -377,7 +377,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: 
@@ -400,7 +400,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -422,8 +422,9 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 spec: + automountServiceAccountToken: true containers: - args: - /nginx-ingress-controller @@ -446,7 +447,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.12.2@sha256:03497ee984628e95eca9b2279e3f3a3c1685dd48635479e627d219f00c8eefa9 + image: registry.k8s.io/ingress-nginx/controller:v1.15.1@sha256:594ceea76b01c592858f803f9ff4d2cb40542cae2060410b2c95f75907d659e1 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -523,7 +524,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -534,9 +535,10 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-create spec: + automountServiceAccountToken: true containers: - args: - create 
@@ -548,7 +550,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.3@sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent name: create securityContext: @@ -566,6 +568,7 @@ spec: kubernetes.io/os: linux restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission + ttlSecondsAfterFinished: 0 --- apiVersion: batch/v1 kind: Job @@ -575,7 +578,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -586,9 +589,10 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-patch spec: + automountServiceAccountToken: true containers: - args: - patch @@ -602,7 +606,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.3@sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent name: patch securityContext: @@ -620,6 +624,7 @@ spec: kubernetes.io/os: linux restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission + ttlSecondsAfterFinished: 0 --- apiVersion: networking.k8s.io/v1 kind: IngressClass 
@@ -629,7 +634,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -642,7 +647,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml index a649161020..7963ef4584 100644 --- a/deploy/static/provider/scw/deploy.yaml +++ b/deploy/static/provider/scw/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx --- @@ -28,7 +28,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -40,7 +40,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx rules: @@ -130,7 +130,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx rules: 
@@ -149,7 +149,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx rules: - apiGroups: @@ -231,7 +231,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission rules: - apiGroups: @@ -250,7 +250,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -270,7 +270,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -289,7 +289,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -308,7 +308,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx --- 
@@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -376,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -421,8 +421,9 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 spec: + automountServiceAccountToken: true containers: - args: - /nginx-ingress-controller @@ -445,7 +446,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.12.2@sha256:03497ee984628e95eca9b2279e3f3a3c1685dd48635479e627d219f00c8eefa9 + image: registry.k8s.io/ingress-nginx/controller:v1.15.1@sha256:594ceea76b01c592858f803f9ff4d2cb40542cae2060410b2c95f75907d659e1 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -522,7 +523,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-create namespace: ingress-nginx spec: 
@@ -533,9 +534,10 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-create spec: + automountServiceAccountToken: true containers: - args: - create @@ -547,7 +549,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.3@sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent name: create securityContext: @@ -565,6 +567,7 @@ spec: kubernetes.io/os: linux restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission + ttlSecondsAfterFinished: 0 --- apiVersion: batch/v1 kind: Job @@ -574,7 +577,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -585,9 +588,10 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission-patch spec: + automountServiceAccountToken: true containers: - args: - patch @@ -601,7 +605,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.3@sha256:2cf4ebfa82a37c357455458f6dfc334aea1392d508270b2517795a9933a02524 + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.9@sha256:01038e7de14b78d702d2849c3aad72fd25903c4765af63cf16aa3398f5d5f2dd imagePullPolicy: IfNotPresent name: patch securityContext: 
@@ -619,6 +623,7 @@ spec: kubernetes.io/os: linux restartPolicy: OnFailure serviceAccountName: ingress-nginx-admission + ttlSecondsAfterFinished: 0 --- apiVersion: networking.k8s.io/v1 kind: IngressClass @@ -628,7 +633,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: nginx spec: controller: k8s.io/ingress-nginx @@ -641,7 +646,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.12.2 + app.kubernetes.io/version: 1.15.1 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/docs/deploy/baremetal.md b/docs/deploy/baremetal.md index 077d1e758d..7f74ee3ee8 100644 --- a/docs/deploy/baremetal.md +++ b/docs/deploy/baremetal.md @@ -261,7 +261,7 @@ for generating redirect URLs that take into account the URL used by external cli Location: https://myapp.example.com/ #-> missing NodePort in HTTPS redirect ``` -[install-baremetal]: ./index.md#bare-metal +[install-baremetal]: ./index.md#bare-metal-clusters [install-quickstart]: ./index.md#quick-start [nodeport-def]: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport [nodeport-nat]: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-type-nodeport diff --git a/docs/deploy/hardening-guide.md b/docs/deploy/hardening-guide.md index 2726b1a071..bd8264ae67 100644 --- a/docs/deploy/hardening-guide.md +++ b/docs/deploy/hardening-guide.md 
@@ -109,9 +109,8 @@ This guide refers to chapters in the CIS Benchmark. For full explanation you sho | __5.3 Browser Security__||| | | 5.3.1 Ensure X-Frame-Options header is configured and enabled (Scored)| ACTION NEEDED| Header not set by default| Several ways to implement this - with the helm charts it works via controller.add-headers | | 5.3.2 Ensure X-Content-Type-Options header is configured and enabled (Scored) | ACTION NEEDED| See previous answer| See previous answer | -| 5.3.3 Ensure the X-XSS-Protection Header is enabled and configured properly (Scored)| ACTION NEEDED| See previous answer| See previous answer | -| 5.3.4 Ensure that Content Security Policy (CSP) is enabled and configured properly (Not Scored) | ACTION NEEDED| See previous answer| See previous answer | -| 5.3.5 Ensure the Referrer Policy is enabled and configured properly (Not Scored)| ACTION NEEDED | Depends on application. It should be handled in the applications webserver itself, not in the load balancing ingress | check backend webserver | +| 5.3.3 Ensure that Content Security Policy (CSP) is enabled and configured properly (Not Scored) | ACTION NEEDED| See previous answer| See previous answer | +| 5.3.4 Ensure the Referrer Policy is enabled and configured properly (Not Scored)| ACTION NEEDED | Depends on application. It should be handled in the applications webserver itself, not in the load balancing ingress | check backend webserver | | ||| | | __6 Mandatory Access Control__| n/a| too high level, depends on backends | | diff --git a/docs/deploy/index.md b/docs/deploy/index.md index 051c7f2831..40b13641c1 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md 
@@ -92,7 +92,7 @@ helm show values ingress-nginx --repo https://kubernetes.github.io/ingress-nginx **If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.2/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.15.1/deploy/static/provider/cloud/deploy.yaml ``` !!! info @@ -100,7 +100,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont resources as if you had used Helm to install the controller. !!! attention - If you are running an old version of Kubernetes (1.18 or earlier), please read [this paragraph](#running-on-Kubernetes-versions-older-than-1.19) for specific instructions. + If you are running an old version of Kubernetes (1.18 or earlier), please read [this paragraph](#running-on-kubernetes-versions-older-than-119) for specific instructions. Because of api deprecations, the default manifest may not work on your cluster. Specific manifests for supported Kubernetes versions are available within a sub-folder of each provider. @@ -274,7 +274,7 @@ In AWS, we use a Network load balancer (NLB) to expose the Ingress-Nginx Control ##### Network Load Balancer (NLB) ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.2/deploy/static/provider/aws/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.15.1/deploy/static/provider/aws/deploy.yaml ``` ##### TLS termination in AWS Load Balancer (NLB) 
@@ -282,10 +282,10 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB. -1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.2/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template +1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.15.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template ```console - wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.2/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml + wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.15.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml ``` 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster: @@ -323,6 +323,9 @@ More information with regard to timeouts can be found in the #### GCE-GKE +> **Note:** The default GKE LoadBalancer (Service type `LoadBalancer`) does not support the PROXY protocol. +> Enabling `use-proxy-protocol` will not work when using the default GKE load balancer. + First, your user needs to have `cluster-admin` permissions on the cluster. This can be done with the following command: ```console @@ -334,7 +337,7 @@ kubectl create clusterrolebinding cluster-admin-binding \ Then, the ingress controller can be installed like this: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.2/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.15.1/deploy/static/provider/cloud/deploy.yaml ``` !!! warning 
@@ -351,7 +354,7 @@ Proxy-protocol is supported in GCE check the [Official Documentations on how to #### Azure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.2/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.15.1/deploy/static/provider/cloud/deploy.yaml ``` More information with regard to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller). @@ -359,7 +362,7 @@ More information with regard to Azure annotations for ingress controller can be #### Digital Ocean ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.2/deploy/static/provider/do/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.15.1/deploy/static/provider/do/deploy.yaml ``` - By default the service object of the ingress-nginx-controller for Digital-Ocean, only configures one annotation. Its this one `service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"`. While this makes the service functional, it was reported that the Digital-Ocean LoadBalancer graphs shows `no data`, unless a few other annotations are also configured. Some of these other annotations require values that can not be generic and hence not forced in a out-of-the-box installation. These annotations and a discussion on them is well documented in [this issue](https://github.com/kubernetes/ingress-nginx/issues/8965). Please refer to the issue to add annotations, with values specific to user, to get graphs of the DO-LB populated with data. 
@@ -367,7 +370,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont #### Scaleway ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.2/deploy/static/provider/scw/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.15.1/deploy/static/provider/scw/deploy.yaml ``` Refer to the [dedicated tutorial](https://www.scaleway.com/en/docs/tutorials/proxy-protocol-v2-load-balancer/#configuring-proxy-protocol-for-ingress-nginx) in the Scaleway documentation for configuring the proxy protocol for ingress-nginx with the Scaleway load balancer. @@ -384,7 +387,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale #### Oracle Cloud Infrastructure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.2/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.15.1/deploy/static/provider/cloud/deploy.yaml ``` A @@ -411,7 +414,7 @@ For quick testing, you can use a This should work on almost every cluster, but it will typically use a port in the range 30000-32767. ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.2/deploy/static/provider/baremetal/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.15.1/deploy/static/provider/baremetal/deploy.yaml ``` For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), diff --git a/docs/developer-guide/getting-started.md b/docs/developer-guide/getting-started.md index e4bb661d43..07a05fda03 100644 --- a/docs/developer-guide/getting-started.md +++ b/docs/developer-guide/getting-started.md 
@@ -15,7 +15,7 @@ http request, termination of connection, reverseproxy etc. etc., you can skip th
 Install [Go 1.14](https://golang.org/dl/) or later.
 !!! note
- The project uses [Go Modules](https://github.com/golang/go/wiki/Modules)
+ The project uses [Go Modules](https://go.dev/wiki/Modules#modules)
 Install [Docker](https://docs.docker.com/engine/install/) (v19.03.0 or later with experimental feature on)
@@ -23,6 +23,12 @@ Install [kubectl](https://kubernetes.io/docs/tasks/tools/) (1.24.0 or higher)
 Install [Kind](https://kind.sigs.k8s.io/)
+Install [Helm](https://helm.sh/)
+
+Install jq
+
+Install make
+
 !!! important
 The majority of make tasks run as docker containers
@@ -82,6 +88,12 @@ Valid values are defined in the describe definition of the e2e tests like [Defau
 The complete list of tests can be found [here](../e2e-tests.md)
+**Run Helm unit tests**
+
+```console
+make helm-test
+```
+
 ### Custom docker image
 In some cases, it can be useful to build a docker image and publish such an image to a private or custom registry location.
diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md
index 56b94e03d2..fcf452bd08 100644
--- a/docs/e2e-tests.md
+++ b/docs/e2e-tests.md
@@ -6,18 +6,20 @@ Do not try to edit it manually. # e2e test suite for [Ingress NGINX Controller](https://github.com/kubernetes/ingress-nginx/tree/main/) -### [[Admission] admission controller](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L38) -- [should not allow overlaps of host and paths without canary annotations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L46) -- [should allow overlaps of host and paths with canary annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L63) -- [should block ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L84) -- [should return an error if there is an error validating the ingress definition](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L103) -- [should return an error if there is an invalid value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L118) -- [should return an error if there is a forbidden value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L132) -- [should return an error if there is an invalid path and wrong pathType is set](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L146) -- [should not return an error if the Ingress V1 definition is valid with Ingress Class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L180) -- [should not return an error if the Ingress V1 definition is valid with IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L196) -- [should return an error if the Ingress V1 definition contains invalid annotations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L214) -- 
[should not return an error for an invalid Ingress when it has unknown class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L229) +### [[Admission] admission controller](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L39) +- [should not allow REALLY large ingresses](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L47) +- [should not allow overlaps of host and paths without canary annotations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L64) +- [should not allow overlaps of host and paths without canary annotations in any rule](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L81) +- [should allow overlaps of host and paths with canary annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L112) +- [should block ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L133) +- [should return an error if there is an error validating the ingress definition](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L152) +- [should return an error if there is an invalid value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L167) +- [should return an error if there is a forbidden value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L181) +- [should return an error if there is an invalid path and wrong pathType is set](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L195) +- [should not return an error if the Ingress V1 definition is valid with Ingress Class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L229) +- [should not return an error if the 
Ingress V1 definition is valid with IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L245) +- [should return an error if the Ingress V1 definition contains invalid annotations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L263) +- [should not return an error for an invalid Ingress when it has unknown class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L278) ### [affinity session-cookie-name](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L43) - [should set sticky cookie SERVERID](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L50) - [should change cookie name on ingress definition change](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L72) 
@@ -54,7 +56,7 @@ Do not try to edit it manually. - [should return status code 401 when authentication is configured with invalid content and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L233) - [proxy_set_header My-Custom-Header 42;](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L272) - [proxy_set_header My-Custom-Header 42;](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L292) -- [proxy_set_header 'My-Custom-Header' '42';](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L311) +- [proxy_set_header "My-Custom-Header" "42";](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L311) - [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L420) - [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L431) - [user with annotated ingress retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L442) 
@@ -281,7 +283,7 @@ Do not try to edit it manually. ### [[Default Backend]](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/default_backend.go#L30) - [should return 404 sending requests when only a default backend is running](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/default_backend.go#L33) - [enables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/default_backend.go#L88) -- [disables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/default_backend.go#L105) +- [disables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/default_backend.go#L102) ### [[Default Backend] SSL](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/ssl.go#L26) - [should return a self generated SSL certificate](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/ssl.go#L29) ### [[Default Backend] change default settings](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/with_hosts.go#L30) 
@@ -400,10 +402,10 @@ Do not try to edit it manually. - [should not create sync events](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_sync_events.go#L83) ### [enable-real-ip](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/enable_real_ip.go#L30) - [trusts X-Forwarded-For header only when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/enable_real_ip.go#L40) -- [should not trust X-Forwarded-For header when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/enable_real_ip.go#L79) +- [should not trust X-Forwarded-For header when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/enable_real_ip.go#L80) ### [use-forwarded-headers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/forwarded_headers.go#L31) - [should trust X-Forwarded headers when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/forwarded_headers.go#L41) -- [should not trust X-Forwarded headers when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/forwarded_headers.go#L93) +- [should not trust X-Forwarded headers when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/forwarded_headers.go#L95) ### [Geoip2](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L36) - [should include geoip2 line in config when enabled and db file exists](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L45) - [should only allow requests from specific countries](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L69) 
@@ -510,10 +512,12 @@ Do not try to edit it manually. ### [proxy-next-upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_next_upstream.go#L28) - [should build proxy next upstream using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_next_upstream.go#L36) ### [use-proxy-protocol](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L38) -- [should respect port passed by the PROXY Protocol](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L48) -- [should respect proto passed by the PROXY Protocol server port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L85) -- [should enable PROXY Protocol for HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L121) -- [should enable PROXY Protocol for TCP](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L164) +- [should respect port passed by the PROXY Protocol](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L49) +- [should respect proto passed by the PROXY Protocol server port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L86) +- [should enable PROXY Protocol for HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L122) +- [should enable PROXY Protocol for TCP](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L165) +- [should not trust X-Forwarded headers when the client IP address is not trusted](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L238) +- [should trust X-Forwarded headers when the client IP address is 
trusted](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L274) ### [proxy-read-timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_read_timeout.go#L29) - [should set valid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_read_timeout.go#L37) - [should not set invalid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_read_timeout.go#L53) 
@@ -536,6 +540,15 @@ Do not try to edit it manually. ### [With enable-ssl-passthrough enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_passthrough.go#L55) - [should enable ssl-passthrough-proxy-port on a different port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_passthrough.go#L56) - [should pass unknown traffic to default backend and handle known traffic](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_passthrough.go#L78) +### [ssl-session-cache](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_session_cache.go#L27) +- [should have default ssl_session_cache and ssl_session_timeout values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_session_cache.go#L30) +- [should disable ssl_session_cache](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_session_cache.go#L37) +- [should set ssl_session_cache value](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_session_cache.go#L45) +- [should set ssl_session_timeout value](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_session_cache.go#L53) +### [ssl-session-tickets](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_session_tickets.go#L27) +- [should have default ssl_session_tickets value](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_session_tickets.go#L30) +- [should set ssl_session_tickets value](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_session_tickets.go#L36) +- [should set ssl_session_tickets and ssl_session_ticket_key values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_session_tickets.go#L44) ### [configmap stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/stream_snippet.go#L35) - [should add value of stream-snippet 
via config map to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/stream_snippet.go#L42) ### [[SSL] TLS protocols, ciphers and headers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L32) @@ -559,4 +572,4 @@ Do not try to edit it manually. ### [[TCP] tcp-services](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/tcpudp/tcp.go#L38) - [should expose a TCP service](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/tcpudp/tcp.go#L46) - [should expose an ExternalName TCP service](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/tcpudp/tcp.go#L80) -- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/tcpudp/tcp.go#L169) \ No newline at end of file +- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/tcpudp/tcp.go#L168) \ No newline at end of file diff --git a/docs/examples/canary/README.md b/docs/examples/canary/README.md index a68d647484..d7c47012b2 100644 --- a/docs/examples/canary/README.md +++ b/docs/examples/canary/README.md @@ -31,7 +31,7 @@ spec: spec: containers: - name: production - image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.3@sha256:77e8f7aa7e5651409cbe4ca38430e61828873c7df325e6f83c7345e34011f6b2 + image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.2.9@sha256:9920d084b452b38ee663005a455aa7ed12c15afa512741ea9596e206a189bdf0 ports: - containerPort: 80 env: @@ -97,7 +97,7 @@ spec: spec: containers: - name: canary - image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.3@sha256:77e8f7aa7e5651409cbe4ca38430e61828873c7df325e6f83c7345e34011f6b2 + image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.2.9@sha256:9920d084b452b38ee663005a455aa7ed12c15afa512741ea9596e206a189bdf0 ports: - containerPort: 80 env: 
diff --git a/docs/examples/customization/custom-errors/README.md b/docs/examples/customization/custom-errors/README.md index 2d6e124bb4..95f39d00d8 100644 --- a/docs/examples/customization/custom-errors/README.md +++ b/docs/examples/customization/custom-errors/README.md @@ -49,7 +49,7 @@ If you do not already have an instance of the Ingress-Nginx Controller running, The `ingress-nginx` Service is of type `ClusterIP` in this example. This may vary depending on your environment. Make sure you can use the Service to reach NGINX before proceeding with the rest of this example. -[deploy]: ../../../deploy/ +[deploy]: ../../../deploy/index.md ## Testing error pages diff --git a/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml b/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml index 52eed6709f..17f22ea3bf 100644 --- a/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml +++ b/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml @@ -6,7 +6,7 @@ defaultBackend: image: registry: registry.k8s.io image: ingress-nginx/custom-error-pages - tag: v1.1.3@sha256:5aeaf5d01470bcc7d73b8846458b00dbc62d54277cd110cec8f28e663c11f93e + tag: v1.2.9@sha256:203d3020005dbdd735c1ad51f238d8663b9851399b52cc0c9c9e3f7273b6b299 extraVolumes: - name: custom-error-pages configMap: diff --git a/docs/examples/customization/custom-errors/custom-default-backend.yaml b/docs/examples/customization/custom-errors/custom-default-backend.yaml index 64da6e409a..c0f9aa4f65 100644 --- a/docs/examples/customization/custom-errors/custom-default-backend.yaml +++ b/docs/examples/customization/custom-errors/custom-default-backend.yaml 
@@ -36,7 +36,7 @@ spec:
 spec:
 containers:
 - name: nginx-error-server
- image: registry.k8s.io/ingress-nginx/custom-error-pages:v1.1.3@sha256:5aeaf5d01470bcc7d73b8846458b00dbc62d54277cd110cec8f28e663c11f93e
+ image: registry.k8s.io/ingress-nginx/custom-error-pages:v1.2.9@sha256:203d3020005dbdd735c1ad51f238d8663b9851399b52cc0c9c9e3f7273b6b299
 ports:
 - containerPort: 8080
 # Setting the environment variable DEBUG we can see the headers sent
diff --git a/docs/examples/customization/external-auth-headers/echo-service.yaml b/docs/examples/customization/external-auth-headers/echo-service.yaml
index e17ff38516..ae02e5709f 100644
--- a/docs/examples/customization/external-auth-headers/echo-service.yaml
+++ b/docs/examples/customization/external-auth-headers/echo-service.yaml
@@ -18,7 +18,7 @@ spec:
 terminationGracePeriodSeconds: 60
 containers:
 - name: echo-service
- image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.3@sha256:77e8f7aa7e5651409cbe4ca38430e61828873c7df325e6f83c7345e34011f6b2
+ image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.2.9@sha256:9920d084b452b38ee663005a455aa7ed12c15afa512741ea9596e206a189bdf0
 ports:
 - containerPort: 8080
 resources:
diff --git a/docs/examples/customization/jwt/README.md b/docs/examples/customization/jwt/README.md
index 1fd1ee00fa..22800f9c32 100644
--- a/docs/examples/customization/jwt/README.md
+++ b/docs/examples/customization/jwt/README.md
@@ -45,4 +45,4 @@ data:
 ```
 References:
- * [Custom Configuration](../custom-configuration/)
+ * [Custom Configuration](../custom-configuration/README.md)
diff --git a/docs/examples/customization/sysctl/patch.json b/docs/examples/customization/sysctl/patch.json
index 69482c7bec..e6e560538d 100644
--- a/docs/examples/customization/sysctl/patch.json
+++ b/docs/examples/customization/sysctl/patch.json
@@ -4,7 +4,7 @@
 "spec": {
 "initContainers": [{
 "name": "sysctl",
- "image": "alpine:3.21",
+ "image": "alpine:3.23.3",
 "securityContext": {
 "privileged": true
 },
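Review bot: The bumped init-container image in the `patch.json` hunk, `"image": "alpine:3.23.3"`, is still referenced by a mutable tag, while the same hunk keeps `"privileged": true` and the other example manifests touched by this commit pin their images with an `@sha256:` digest. A tag can be re-pointed upstream, so anyone applying this example runs whatever the tag resolves to at pull time, with full privileges on the node. Pinning it the same way, `"image": "alpine:3.23.3@sha256:<digest-of-the-reviewed-image>"` (the digest here is a placeholder to fill in from the image actually reviewed), would keep the example consistent with the rest of the change. The JSON object continues outside the hunk, so the command this container runs is not visible here.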
diff --git a/docs/examples/index.md b/docs/examples/index.md index 4efdae39f4..0ab696e839 100644 --- a/docs/examples/index.md +++ b/docs/examples/index.md @@ -5,7 +5,7 @@ Please review the [prerequisites](PREREQUISITES.md) before trying them. The examples on these pages include the `spec.ingressClassName` field which replaces the deprecated `kubernetes.io/ingress.class: nginx` annotation. Users of ingress-nginx < 1.0.0 (Helm chart < 4.0.0) should use the [legacy documentation](https://github.com/kubernetes/ingress-nginx/tree/legacy/docs/examples). -For more information, check out the [Migration to apiVersion networking.k8s.io/v1](../#faq-migration-to-apiversion-networkingk8siov1) guide. +For more information, check out the [Migration to apiVersion networking.k8s.io/v1](../user-guide/k8s-122-migration.md) guide. Category | Name | Description | Complexity Level ---------| ---- | ----------- | ---------------- diff --git a/docs/examples/rewrite/README.md b/docs/examples/rewrite/README.md index 16889e0bc3..0216feec92 100644 --- a/docs/examples/rewrite/README.md +++ b/docs/examples/rewrite/README.md @@ -6,7 +6,7 @@ This example demonstrates how to use `Rewrite` annotations. You will need to make sure your Ingress targets exactly one Ingress controller by specifying the [ingress.class annotation](../../user-guide/multiple-ingress.md), -and that you have an ingress controller [running](../../deploy/) in your cluster. +and that you have an ingress controller [running](../../deploy/index.md) in your cluster. ## Deployment diff --git a/docs/examples/static-ip/README.md b/docs/examples/static-ip/README.md index 992839a24b..d3dc76de63 100644 --- a/docs/examples/static-ip/README.md +++ b/docs/examples/static-ip/README.md 
@@ -7,7 +7,7 @@ This example demonstrates how to assign a static-ip to an Ingress on through the You need a [TLS cert](../PREREQUISITES.md#tls-certificates) and a [test HTTP service](../PREREQUISITES.md#test-http-service) for this example. You will also need to make sure your Ingress targets exactly one Ingress controller by specifying the [ingress.class annotation](../../user-guide/multiple-ingress.md), -and that you have an ingress controller [running](../../deploy/) in your cluster. +and that you have an ingress controller [running](../../deploy/index.md) in your cluster. ## Acquiring an IP diff --git a/docs/how-it-works.md b/docs/how-it-works.md index 161803210d..7065f3cc65 100644 --- a/docs/how-it-works.md +++ b/docs/how-it-works.md @@ -64,7 +64,7 @@ To prevent this situation to happen, the Ingress-Nginx Controller optionally exp This webhook appends the incoming ingress objects to the list of ingresses, generates the configuration and calls nginx to ensure the configuration has no syntax errors. [0]: https://github.com/openresty/lua-nginx-module/pull/1259 -[1]: https://coreos.com/kubernetes/docs/latest/replication-controller.html#the-reconciliation-loop-in-detail +[1]: https://kubernetes.io/docs/concepts/architecture/controller/#controller-pattern [2]: https://godoc.org/k8s.io/client-go/informers#NewFilteredSharedInformerFactory [3]: https://godoc.org/k8s.io/client-go/tools/cache#ResourceEventHandlerFuncs [4]: https://github.com/kubernetes/ingress-nginx/blob/main/internal/task/queue.go#L38 diff --git a/docs/index.md b/docs/index.md index bd6a825e1e..9eaf0286f8 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -1,12 +1,21 @@
-# Overview
+# Retirement
+
+[What You Need to Know about Ingress NGINX Retirement](https://www.kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/):
+
+* Best-effort maintenance will continue until March 2026.
+* Afterward, there will be no further releases, no bugfixes, and no updates to resolve any security vulnerabilities that may be discovered.
+* Existing deployments of Ingress NGINX will not be broken.
+ * Existing project artifacts such as Helm charts and container images will remain available.
-This is the documentation for the Ingress NGINX Controller.
+You can still find the documentation for the Ingress NGINX Controller on this page.
+
+# Overview
-It is built around the [Kubernetes Ingress resource](https://kubernetes.io/docs/concepts/services-networking/ingress/), using a [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) to store the controller configuration.
+The Ingress NGINX Controller is built around the [Kubernetes Ingress resource](https://kubernetes.io/docs/concepts/services-networking/ingress/), using a [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) to store the controller configuration.
 You can learn more about using [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) in the official [Kubernetes documentation](https://docs.k8s.io).
 # Getting Started
-See [Deployment](./deploy/) for a whirlwind tour that will get you started.
+See [Deployment](./deploy/index.md) for a whirlwind tour that will get you started.
diff --git a/docs/kubectl-plugin.md b/docs/kubectl-plugin.md
index 9e5a5dcc6d..4ca5745572 100644
--- a/docs/kubectl-plugin.md
+++ b/docs/kubectl-plugin.md
@@ -201,14 +201,12 @@ kubectl ingress-nginx conf -n ingress-nginx --host testaddr.local ```console $ kubectl ingress-nginx exec -i -n ingress-nginx -- ls /etc/nginx fastcgi_params -geoip lua mime.types modsecurity modules nginx.conf opentracing.json -opentelemetry.toml owasp-modsecurity-crs template ``` diff --git a/docs/lua_tests.md b/docs/lua_tests.md index 4d3d1fe70a..3ad74765a0 100644 --- a/docs/lua_tests.md +++ b/docs/lua_tests.md @@ -13,7 +13,7 @@ installations besides docker ## Where are the Lua Tests? -Lua Tests can be found in the [rootfs/etc/nginx/lua/test](../rootfs/etc/nginx/lua/test) directory +Lua Tests can be found in the [rootfs/etc/nginx/lua/test](https://github.com/kubernetes/ingress-nginx/tree/main/rootfs/etc/nginx/lua/test) directory [1]: https://openresty.org/en/installation.html diff --git a/docs/requirements.txt b/docs/requirements.txt index 5d5943b848..36a29f22c2 100644 --- a/docs/requirements.txt +++ b/docs/requirements.txt @@ -1,4 +1,4 @@ -mkdocs-material==9.4.5 -mkdocs-awesome-pages-plugin==2.9.2 -mkdocs-minify-plugin==0.7.1 -mkdocs-redirects==1.2.1 \ No newline at end of file +mkdocs-material==9.6.16 +mkdocs-awesome-pages-plugin==2.10.1 +mkdocs-minify-plugin==0.8.0 +mkdocs-redirects==1.2.2 \ No newline at end of file diff --git a/docs/user-guide/basic-usage.md b/docs/user-guide/basic-usage.md index aee0c0fd39..e29f1ef6c0 100644 --- a/docs/user-guide/basic-usage.md +++ b/docs/user-guide/basic-usage.md @@ -1,4 +1,4 @@ -# Basic usage - host based routing +# Basic usage - host based routing ingress-nginx can be used for many use cases, inside various cloud providers and supports a lot of configurations. In this section you can find a common usage scenario where a single load balancer powered by ingress-nginx will route traffic to 2 different HTTP backend services based on the host name. diff --git a/docs/user-guide/custom-errors.md b/docs/user-guide/custom-errors.md index 159a820788..7e0d23cb0b 100644 --- a/docs/user-guide/custom-errors.md 
+++ b/docs/user-guide/custom-errors.md @@ -28,4 +28,4 @@ See also the [Custom errors][example-custom-errors] example. [cm-custom-http-errors]: ./nginx-configuration/configmap.md#custom-http-errors [img-custom-error-pages]: https://github.com/kubernetes/ingress-nginx/tree/main/images/custom-error-pages -[example-custom-errors]: ../../examples/customization/custom-errors +[example-custom-errors]: ../examples/customization/custom-errors/README.md diff --git a/docs/user-guide/ingress-path-matching.md b/docs/user-guide/ingress-path-matching.md index 43d0490430..890d0ad13f 100644 --- a/docs/user-guide/ingress-path-matching.md +++ b/docs/user-guide/ingress-path-matching.md @@ -11,10 +11,6 @@ The ingress controller supports **case insensitive** regular expressions in the `spec.rules.http.paths.path` field. This can be enabled by setting the `nginx.ingress.kubernetes.io/use-regex` annotation to `true` (the default is false). -!!! hint - Kubernetes only accept expressions that comply with the RE2 engine syntax. It is possible that valid expressions accepted by NGINX cannot be used with ingress-nginx, because the PCRE library (used in NGINX) supports a wider syntax than RE2. - See the [RE2 Syntax](https://github.com/google/re2/wiki/Syntax) documentation for differences. - See the [description](./nginx-configuration/annotations.md#use-regex) of the `use-regex` annotation for more details. ```yaml diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md index 82ad076626..69f0ca53b5 100755 --- a/docs/user-guide/nginx-configuration/annotations.md +++ b/docs/user-guide/nginx-configuration/annotations.md 
@@ -123,7 +123,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz |[nginx.ingress.kubernetes.io/connection-proxy-header](#connection-proxy-header)|string| |[nginx.ingress.kubernetes.io/enable-access-log](#enable-access-log)|"true" or "false"| |[nginx.ingress.kubernetes.io/enable-opentelemetry](#enable-opentelemetry)|"true" or "false"| -|[nginx.ingress.kubernetes.io/opentelemetry-trust-incoming-span](#opentelemetry-trust-incoming-spans)|"true" or "false"| +|[nginx.ingress.kubernetes.io/opentelemetry-trust-incoming-span](#opentelemetry-trust-incoming-span)|"true" or "false"| |[nginx.ingress.kubernetes.io/use-regex](#use-regex)|bool| |[nginx.ingress.kubernetes.io/enable-modsecurity](#modsecurity)|bool| |[nginx.ingress.kubernetes.io/enable-owasp-core-rules](#modsecurity)|bool| @@ -446,15 +446,15 @@ kind: Ingress metadata: annotations: nginx.ingress.kubernetes.io/server-snippet: | - set $agentflag 0; + set $agentflag 0; - if ($http_user_agent ~* "(Mobile)" ){ - set $agentflag 1; - } + if ($http_user_agent ~* "(Mobile)" ){ + set $agentflag 1; + } - if ( $agentflag = 1 ) { - return 301 https://m.example.com; - } + if ( $agentflag = 1 ) { + return 301 https://m.example.com; + } ``` !!! attention @@ -530,7 +530,7 @@ Additionally it is possible to set: ```yaml nginx.ingress.kubernetes.io/auth-url: http://foo.com/external-auth nginx.ingress.kubernetes.io/auth-snippet: | - proxy_set_header Foo-Header 42; + proxy_set_header Foo-Header 42; ``` > Note: `nginx.ingress.kubernetes.io/auth-snippet` is an optional annotation. However, it may only be used in conjunction with `nginx.ingress.kubernetes.io/auth-url` and will be ignored if `nginx.ingress.kubernetes.io/auth-url` is not set 
@@ -709,6 +709,8 @@ nginx.ingress.kubernetes.io/proxy-body-size: 8m Sets a text that [should be changed in the domain attribute](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_domain) of the "Set-Cookie" header fields of a proxied server response. +Value must be either `off` or two space-separated tokens (source domain and replacement). + To configure this setting globally for all Ingress rules, the `proxy-cookie-domain` value may be set in the [NGINX ConfigMap](./configmap.md#proxy-cookie-domain). ### Proxy cookie path @@ -729,7 +731,7 @@ To use custom values in an Ingress rule define these annotation: nginx.ingress.kubernetes.io/proxy-buffering: "on" ``` -### Proxy buffers Number +### Proxy buffers number Sets the number of the buffers in [`proxy_buffers`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers) used for reading the first part of the response received from the proxied server. By default proxy buffers number is set as 4 @@ -752,11 +754,9 @@ nginx.ingress.kubernetes.io/proxy-buffer-size: "8k" ### Proxy busy buffers size [Limits the total size of buffers that can be busy](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_busy_buffers_size) sending a response to the client while the response is not yet fully read. - -By default proxy busy buffers size is set as "8k". +By default, size is limited by the size of two buffers set by the `proxy_buffer_size` and `proxy_buffers` directives. To configure this setting globally, set `proxy-busy-buffers-size` in the [ConfigMap](./configmap.md#proxy-busy-buffers-size). To use custom values in an Ingress rule, define this annotation: - ```yaml nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "16k" ``` 
@@ -838,8 +838,11 @@ nginx.ingress.kubernetes.io/enable-opentelemetry: "true" The option to trust incoming trace spans can be enabled or disabled globally through the ConfigMap but this will sometimes need to be overridden to enable it or disable it for a specific ingress (e.g. only enable on a private endpoint) +!!! note + This annotation requires `nginx.ingress.kubernetes.io/enable-opentelemetry` to be set to `"true"`, otherwise it will be ignored. + ```yaml -nginx.ingress.kubernetes.io/opentelemetry-trust-incoming-spans: "true" +nginx.ingress.kubernetes.io/opentelemetry-trust-incoming-span: "true" ``` ### X-Forwarded-Prefix Header @@ -860,7 +863,7 @@ It can be enabled using the following annotation: ```yaml nginx.ingress.kubernetes.io/enable-modsecurity: "true" ``` -ModSecurity will run in "Detection-Only" mode using the [recommended configuration](https://github.com/SpiderLabs/ModSecurity/blob/v3/master/modsecurity.conf-recommended). +ModSecurity will run in "Detection-Only" mode using the [recommended configuration](https://github.com/owasp-modsecurity/ModSecurity/blob/v3/master/modsecurity.conf-recommended). You can enable the [OWASP Core Rule Set](https://www.modsecurity.org/CRS/Documentation/) by setting the following annotation: 
@@ -876,25 +879,25 @@ nginx.ingress.kubernetes.io/modsecurity-transaction-id: "$request_id" You can also add your own set of modsecurity rules via a snippet: ```yaml nginx.ingress.kubernetes.io/modsecurity-snippet: | -SecRuleEngine On -SecDebugLog /tmp/modsec_debug.log + SecRuleEngine On + SecDebugLog /tmp/modsec_debug.log ``` Note: If you use both `enable-owasp-core-rules` and `modsecurity-snippet` annotations together, only the `modsecurity-snippet` will take effect. If you wish to include the [OWASP Core Rule Set](https://www.modsecurity.org/CRS/Documentation/) or -[recommended configuration](https://github.com/SpiderLabs/ModSecurity/blob/v3/master/modsecurity.conf-recommended) simply use the include +[recommended configuration](https://github.com/owasp-modsecurity/ModSecurity/blob/v3/master/modsecurity.conf-recommended) simply use the include statement: nginx 0.24.1 and below ```yaml nginx.ingress.kubernetes.io/modsecurity-snippet: | -Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf -Include /etc/nginx/modsecurity/modsecurity.conf + Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf + Include /etc/nginx/modsecurity/modsecurity.conf ``` nginx 0.25.0 and above ```yaml nginx.ingress.kubernetes.io/modsecurity-snippet: | -Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf + Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf ``` ### Backend Protocol diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index 87f6827861..df38e1f83c 100644 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md 
@@ -57,7 +57,7 @@ The following table shows a configuration option's name, type, and the default v | [error-log-level](#error-log-level) | string | "notice" | | | [http2-max-field-size](#http2-max-field-size) | string | "" | DEPRECATED in favour of [large_client_header_buffers](#large-client-header-buffers) | | [http2-max-header-size](#http2-max-header-size) | string | "" | DEPRECATED in favour of [large_client_header_buffers](#large-client-header-buffers) | -| [http2-max-requests](#http2-max-requests) | int | 0 | DEPRECATED in favour of [keepalive_requests](#keepalive-requests) | +| [http2-max-requests](#http2-max-requests) | int | 0 | DEPRECATED in favour of [keepalive_requests](#keep-alive-requests) | | [http2-max-concurrent-streams](#http2-max-concurrent-streams) | int | 128 | | | [hsts](#hsts) | bool | "true" | | | [hsts-include-subdomains](#hsts-include-subdomains) | bool | "true" | | @@ -73,7 +73,7 @@ The following table shows a configuration option's name, type, and the default v | [enable-multi-accept](#enable-multi-accept) | bool | "true" | | | [max-worker-connections](#max-worker-connections) | int | 16384 | | | [max-worker-open-files](#max-worker-open-files) | int | 0 | | -| [map-hash-bucket-size](#max-hash-bucket-size) | int | 64 | | +| [map-hash-bucket-size](#map-hash-bucket-size) | int | 64 | | | [nginx-status-ipv4-whitelist](#nginx-status-ipv4-whitelist) | []string | "127.0.0.1" | | | [nginx-status-ipv6-whitelist](#nginx-status-ipv6-whitelist) | []string | "::1" | | | [proxy-real-ip-cidr](#proxy-real-ip-cidr) | []string | "0.0.0.0/0" | | 
@@ -84,7 +84,7 @@ The following table shows a configuration option's name, type, and the default v | [proxy-headers-hash-bucket-size](#proxy-headers-hash-bucket-size) | int | 64 | | | [reuse-port](#reuse-port) | bool | "true" | | | [server-tokens](#server-tokens) | bool | "false" | | -| [ssl-ciphers](#ssl-ciphers) | string | "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" | | +| [ssl-ciphers](#ssl-ciphers) | string | "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256" | | | [ssl-ecdh-curve](#ssl-ecdh-curve) | string | "auto" | | | [ssl-dh-param](#ssl-dh-param) | string | "" | | | [ssl-protocols](#ssl-protocols) | string | "TLSv1.2 TLSv1.3" | | @@ -115,7 +115,7 @@ The following table shows a configuration option's name, type, and the default v | [worker-shutdown-timeout](#worker-shutdown-timeout) | string | "240s" | | | [enable-serial-reloads](#enable-serial-reloads) | bool | "false" | | | [load-balance](#load-balance) | string | "round_robin" | | -| [variables-hash-bucket-size](#variables-hash-bucket-size) | int | 128 | | +| [variables-hash-bucket-size](#variables-hash-bucket-size) | int | 256 | | | [variables-hash-max-size](#variables-hash-max-size) | int | 2048 | | | [upstream-keepalive-connections](#upstream-keepalive-connections) | int | 320 | | | [upstream-keepalive-time](#upstream-keepalive-time) | string | "1h" | | 
@@ -148,25 +148,18 @@ The following table shows a configuration option's name, type, and the default v | [jaeger-debug-header](#jaeger-debug-header) | string | uber-debug-id | | | [jaeger-baggage-header](#jaeger-baggage-header) | string | jaeger-baggage | | | [jaeger-trace-baggage-header-prefix](#jaeger-trace-baggage-header-prefix) | string | uberctx- | | -| [datadog-collector-host](#datadog-collector-host) | string | "" | | -| [datadog-collector-port](#datadog-collector-port) | int | 8126 | | -| [datadog-service-name](#datadog-service-name) | string | "nginx" | | -| [datadog-environment](#datadog-environment) | string | "prod" | | -| [datadog-operation-name-override](#datadog-operation-name-override) | string | "nginx.handle" | | -| [datadog-priority-sampling](#datadog-priority-sampling) | bool | "true" | | -| [datadog-sample-rate](#datadog-sample-rate) | float | 1.0 | | | [enable-opentelemetry](#enable-opentelemetry) | bool | "false" | | | [opentelemetry-trust-incoming-span](#opentelemetry-trust-incoming-span) | bool | "true" | | | [opentelemetry-operation-name](#opentelemetry-operation-name) | string | "" | | -| [opentelemetry-config](#/etc/nginx/opentelemetry.toml) | string | "/etc/nginx/opentelemetry.toml" | | +| [opentelemetry-config](#opentelemetry-config) | string | "/etc/ingress-controller/telemetry/opentelemetry.toml" | | | [otlp-collector-host](#otlp-collector-host) | string | "" | | | [otlp-collector-port](#otlp-collector-port) | int | 4317 | | -| [otel-max-queuesize](#otel-max-queuesize) | int | | | -| [otel-schedule-delay-millis](#otel-schedule-delay-millis) | int | | | -| [otel-max-export-batch-size](#otel-max-export-batch-size) | int | | | +| [otel-max-queuesize](#otel-max-queuesize) | int | 2048 | | +| [otel-schedule-delay-millis](#otel-schedule-delay-millis) | int | 5000 | | +| [otel-max-export-batch-size](#otel-max-export-batch-size) | int | 512 | | | [otel-service-name](#otel-service-name) | string | "nginx" | | -| [otel-sampler](#otel-sampler) 
| string | "AlwaysOff" | | -| [otel-sampler-parent-based](#otel-sampler-parent-based) | bool | "false" | | +| [otel-sampler](#otel-sampler) | string | "AlwaysOn" | | +| [otel-sampler-parent-based](#otel-sampler-parent-based) | bool | "true" | | | [otel-sampler-ratio](#otel-sampler-ratio) | float | 0.01 | | | [main-snippet](#main-snippet) | string | "" | | | [http-snippet](#http-snippet) | string | "" | | @@ -180,7 +173,7 @@ The following table shows a configuration option's name, type, and the default v | [proxy-send-timeout](#proxy-send-timeout) | int | 60 | | | [proxy-buffers-number](#proxy-buffers-number) | int | 4 | | | [proxy-buffer-size](#proxy-buffer-size) | string | "4k" | | -| [proxy-busy-buffers-size](#proxy-busy-buffers-size) | string | "8k" | | +| [proxy-busy-buffers-size](#proxy-busy-buffers-size) | string | "" | | | [proxy-cookie-path](#proxy-cookie-path) | string | "off" | | | [proxy-cookie-domain](#proxy-cookie-domain) | string | "off" | | | [proxy-next-upstream](#proxy-next-upstream) | string | "error timeout" | | @@ -222,7 +215,7 @@ The following table shows a configuration option's name, type, and the default v | [default-type](#default-type) | string | "text/html" | | | [service-upstream](#service-upstream) | bool | "false" | | | [ssl-reject-handshake](#ssl-reject-handshake) | bool | "false" | | -| [debug-connections](#debug-connections) | []string | "127.0.0.1,1.1.1.1/24" | | +| [debug-connections](#debug-connections) | []string | "" | | | [strict-validate-path-type](#strict-validate-path-type) | bool | "true" | | | [grpc-buffer-size-kb](#grpc-buffer-size-kb) | int | 0 | | | [relative-redirects](#relative-redirects) | bool | false | | 
@@ -519,7 +512,7 @@ Example for json output: log-format-upstream: '{"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", - "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time,"method": "$request_method", "http_referrer": "$http_referer", + "path": "$uri", "request_query": "$args", "request_length": $request_length, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent" }' ``` @@ -613,7 +606,7 @@ Send NGINX Server header in responses and display NGINX version in error pages. Sets the [ciphers](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) list to enable. The ciphers are specified in the format understood by the OpenSSL library. The default cipher list is: - `ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384`. + `ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256`. The ordering of a ciphersuite is very important because it decides which algorithms are going to be selected in priority. The recommendation above prioritizes algorithms that provide perfect [forward secrecy](https://wiki.mozilla.org/Security/Server_Side_TLS#Forward_Secrecy). 
@@ -755,7 +748,7 @@ Enables or disables [HTTP/2](https://nginx.org/en/docs/http/ngx_http_v2_module.h ## gzip-disable -Disables [gzipping](http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_disable) of responses for requests with "User-Agent" header fields matching any of the specified regular expressions. +Disables [gzipping](https://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_disable) of responses for requests with "User-Agent" header fields matching any of the specified regular expressions. ## gzip-level @@ -809,14 +802,14 @@ _References:_ Sets the bucket size for the variables hash table. _References:_ -[https://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_bucket_size](https://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_bucket_size) +[https://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size](https://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size) ## variables-hash-max-size Sets the maximum size of the variables hash table. _References:_ -[https://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_max_size](https://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_max_size) +[https://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_max_size](https://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_max_size) ## upstream-keepalive-connections @@ -835,7 +828,7 @@ Sets the maximum time during which requests can be processed through one keepali _**default:**_ "1h" _References:_ -[http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_time](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_time) +[https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_time](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_time) ## upstream-keepalive-timeout 
@@ -984,36 +977,6 @@ Specifies the header name used to submit baggage if there is no root span. _**de Specifies the header prefix used to propagate baggage. _**default:**_ uberctx- -## datadog-collector-host - -Specifies the datadog agent host to use when uploading traces. It must be a valid URL. - -## datadog-collector-port - -Specifies the port to use when uploading traces. _**default:**_ 8126 - -## datadog-service-name - -Specifies the service name to use for any traces created. _**default:**_ nginx - -## datadog-environment - -Specifies the environment this trace belongs to. _**default:**_ prod - -## datadog-operation-name-override - -Overrides the operation name to use for any traces crated. _**default:**_ nginx.handle - -## datadog-priority-sampling - -Specifies to use client-side sampling. -If true disables client-side sampling (thus ignoring `sample_rate`) and enables distributed priority sampling, where traces are sampled based on a combination of user-assigned priorities and configuration from the agent. _**default:**_ true - -## datadog-sample-rate - -Specifies sample rate for any traces created. -This is effective only when `datadog-priority-sampling` is `false` _**default:**_ 1.0 - ## enable-opentelemetry Enables the nginx OpenTelemetry extension. _**default:**_ is disabled @@ -1027,6 +990,10 @@ Specifies a custom name for the server span. _**default:**_ is empty For example, set to "HTTP $request_method $uri". +## opentelemetry-config + +Sets the opentelemetry config file. _**default:**_ /etc/ingress-controller/telemetry/opentelemetry.toml + ## otlp-collector-host Specifies the host to use when uploading traces. It must be a valid URL. 
@@ -1039,12 +1006,13 @@ Specifies the port to use when uploading traces. _**default:**_ 4317 Specifies the service name to use for any traces created. _**default:**_ nginx -## opentelemetry-trust-incoming-span: "true" +## opentelemetry-trust-incoming-span + Enables or disables using spans from incoming requests as parent for created ones. _**default:**_ true -## otel-sampler-parent-based +## otel-sampler-parent-based -Uses sampler implementation which by default will take a sample if parent Activity is sampled. _**default:**_ false +Uses sampler implementation which by default will take a sample if parent Activity is sampled. _**default:**_ true ## otel-sampler-ratio @@ -1052,7 +1020,7 @@ Specifies sample rate for any traces created. _**default:**_ 0.01 ## otel-sampler -Specifies the sampler to be used when sampling traces. The available samplers are: AlwaysOff, AlwaysOn, TraceIdRatioBased, remote. _**default:**_ AlwaysOff +Specifies the sampler to be used when sampling traces. The available samplers are: AlwaysOff, AlwaysOn, TraceIdRatioBased, remote. _**default:**_ AlwaysOn ## main-snippet @@ -1127,6 +1095,8 @@ Sets a text that [should be changed in the path attribute](https://nginx.org/en/ Sets a text that [should be changed in the domain attribute](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_domain) of the “Set-Cookie” header fields of a proxied server response. +Value must be either `off` or two space-separated tokens (source domain and replacement). + ## proxy-next-upstream Specifies in [which cases](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream) a request should be passed to the next server. @@ -1149,6 +1119,7 @@ _References:_ ## proxy-request-buffering Enables or disables [buffering of a client request body](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_request_buffering). +Valid values are `on` and `off`. ## ssl-redirect 
@@ -1368,7 +1339,7 @@ Enables debugging log for selected client connections. _**default:**_ "" _References:_ -[http://nginx.org/en/docs/ngx_core_module.html#debug_connection](http://nginx.org/en/docs/ngx_core_module.html#debug_connection) +[https://nginx.org/en/docs/ngx_core_module.html#debug_connection](https://nginx.org/en/docs/ngx_core_module.html#debug_connection) ## strict-validate-path-type diff --git a/docs/user-guide/third-party-addons/modsecurity.md b/docs/user-guide/third-party-addons/modsecurity.md index 38d39888d1..9f11833bdb 100644 --- a/docs/user-guide/third-party-addons/modsecurity.md +++ b/docs/user-guide/third-party-addons/modsecurity.md 
@@ -1,14 +1,14 @@ # ModSecurity Web Application Firewall -ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis - [https://www.modsecurity.org](https://www.modsecurity.org) +ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by OWASP. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis - [https://www.modsecurity.org](https://www.modsecurity.org) -The [ModSecurity-nginx](https://github.com/SpiderLabs/ModSecurity-nginx) connector is the connection point between NGINX and libmodsecurity (ModSecurity v3). +The [ModSecurity-nginx](https://github.com/owasp-modsecurity/ModSecurity-nginx) connector is the connection point between NGINX and libmodsecurity (ModSecurity v3). The default ModSecurity configuration file is located in `/etc/nginx/modsecurity/modsecurity.conf`. This is the only file located in this directory and contains the default recommended configuration. Using a volume we can replace this file with the desired configuration. To enable the ModSecurity feature we need to specify `enable-modsecurity: "true"` in the configuration configmap. >__Note:__ the default configuration use detection only, because that minimizes the chances of post-installation disruption. -Due to the value of the setting [SecAuditLogType=Concurrent](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogtype) the ModSecurity log is stored in multiple files inside the directory `/var/log/audit`. 
+Due to the value of the setting [SecAuditLogType=Concurrent](https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogtype) the ModSecurity log is stored in multiple files inside the directory `/var/log/audit`. The default `Serial` value in SecAuditLogType can impact performance. The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. diff --git a/docs/user-guide/third-party-addons/opentelemetry.md b/docs/user-guide/third-party-addons/opentelemetry.md index ed062e0faf..a1a336025d 100644 --- a/docs/user-guide/third-party-addons/opentelemetry.md +++ b/docs/user-guide/third-party-addons/opentelemetry.md @@ -51,7 +51,7 @@ Other optional configuration options: # specifies the name to use for the server span opentelemetry-operation-name -# sets whether or not to trust incoming telemetry spans +# sets whether or not to trust incoming telemetry spans, Default: true opentelemetry-trust-incoming-span # specifies the port to use when uploading traces, Default: 4317 
@@ -60,26 +60,23 @@ otlp-collector-port # specifies the service name to use for any traces created, Default: nginx otel-service-name -# The maximum queue size. After the size is reached data are dropped. +# The maximum queue size. After the size is reached data are dropped, Default: 2048 otel-max-queuesize -# The delay interval in milliseconds between two consecutive exports. +# The delay interval in milliseconds between two consecutive exports, Default: 5000 otel-schedule-delay-millis -# How long the export can run before it is cancelled. -otel-schedule-delay-millis - -# The maximum batch size of every export. It must be smaller or equal to maxQueueSize. +# The maximum batch size of every export. It must be smaller or equal to maxQueueSize, Default: 512 otel-max-export-batch-size # specifies sample rate for any traces created, Default: 0.01 otel-sampler-ratio # specifies the sampler to be used when sampling traces. -# The available samplers are: AlwaysOn, AlwaysOff, TraceIdRatioBased, Default: AlwaysOff +# The available samplers are: AlwaysOn, AlwaysOff, TraceIdRatioBased, Default: AlwaysOn otel-sampler -# Uses sampler implementation which by default will take a sample if parent Activity is sampled, Default: false +# Uses sampler implementation which by default will take a sample if parent Activity is sampled, Default: true otel-sampler-parent-based ``` @@ -155,7 +152,7 @@ To install the example and collectors run: kind: ConfigMap data: enable-opentelemetry: "true" - opentelemetry-config: "/etc/nginx/opentelemetry.toml" + opentelemetry-config: "/etc/ingress-controller/telemetry/opentelemetry.toml" opentelemetry-operation-name: "HTTP $request_method $service_name $uri" opentelemetry-trust-incoming-span: "true" otlp-collector-host: "otel-coll-collector.otel.svc" diff --git a/docs/user-guide/tls.md b/docs/user-guide/tls.md index eaf33e210a..121d2ce914 100644 --- a/docs/user-guide/tls.md +++ b/docs/user-guide/tls.md 
@@ -145,7 +145,7 @@ apiVersion: v1 metadata: name: nginx-config data: - ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA" + ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA" ssl-protocols: "TLSv1.2 TLSv1.3" ``` diff --git a/go.mod b/go.mod index 3da3884512..8b314b660f 100644 --- a/go.mod +++ b/go.mod 
@@ -1,145 +1,143 @@ module k8s.io/ingress-nginx -go 1.24.3 +go 1.26.1 require ( dario.cat/mergo v1.0.2 - github.com/armon/go-proxyproto v0.1.0 + github.com/Anddd7/pb v0.0.0-20250506021228-7e355c18f206 + github.com/blang/semver/v4 v4.0.0 github.com/eapache/channels v1.1.0 github.com/fsnotify/fsnotify v1.9.0 github.com/google/go-github/v48 v48.2.0 - github.com/helm/helm v2.17.0+incompatible github.com/json-iterator/go v1.1.12 github.com/kylelemons/godebug v1.1.0 - github.com/magefile/mage v1.15.0 + github.com/magefile/mage v1.16.1 github.com/mitchellh/go-ps v1.0.0 github.com/mitchellh/hashstructure/v2 v2.0.2 github.com/mitchellh/mapstructure v1.5.0 github.com/moul/pb v0.0.0-20220425114252-bca18df4138c github.com/ncabatoff/process-exporter v0.8.7 - github.com/onsi/ginkgo/v2 v2.23.4 - github.com/opencontainers/cgroups v0.0.2 + github.com/onsi/ginkgo/v2 v2.28.1 + github.com/opencontainers/cgroups v0.0.6 + github.com/pires/go-proxyproto v0.11.0 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 - github.com/prometheus/client_golang v1.22.0 + github.com/prometheus/client_golang v1.23.2 github.com/prometheus/client_model v0.6.2 - github.com/prometheus/common v0.64.0 - github.com/spf13/cobra v1.9.1 - github.com/spf13/pflag v1.0.6 - github.com/stretchr/testify v1.10.0 - github.com/vmware-labs/yaml-jsonpath v0.3.2 + github.com/prometheus/common v0.67.5 + github.com/spf13/cobra v1.10.2 + github.com/spf13/pflag v1.0.10 + github.com/stretchr/testify v1.11.1 github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20221221105603-fcedb00c5b30 - golang.org/x/crypto v0.38.0 - google.golang.org/grpc v1.72.2 + go.yaml.in/yaml/v3 v3.0.4 + golang.org/x/crypto v0.49.0 + golang.org/x/oauth2 v0.36.0 + google.golang.org/grpc v1.79.3 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 - k8s.io/api v0.33.1 - k8s.io/apiextensions-apiserver v0.33.1 - k8s.io/apimachinery v0.33.1 - k8s.io/apiserver v0.33.1 - k8s.io/cli-runtime v0.33.1 
- k8s.io/client-go v0.33.1 - k8s.io/code-generator v0.33.1 - k8s.io/component-base v0.33.1 - k8s.io/klog/v2 v2.130.1 + helm.sh/helm/v4 v4.1.3 + k8s.io/api v0.35.3 + k8s.io/apiextensions-apiserver v0.35.3 + k8s.io/apimachinery v0.35.3 + k8s.io/apiserver v0.35.3 + k8s.io/cli-runtime v0.35.3 + k8s.io/client-go v0.35.3 + k8s.io/code-generator v0.35.3 + k8s.io/component-base v0.35.3 + k8s.io/klog/v2 v2.140.0 + k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 - sigs.k8s.io/controller-runtime v0.21.0 + sigs.k8s.io/controller-runtime v0.23.3 sigs.k8s.io/mdtoc v1.4.0 ) require ( - github.com/Masterminds/semver v1.5.0 // indirect - github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect - github.com/dprotaso/go-yit v0.0.0-20250513224043-18a80f8f6df4 // indirect - github.com/fxamacker/cbor/v2 v2.8.0 // indirect - github.com/ghodss/yaml v1.0.0 // indirect - github.com/gobwas/glob v0.2.3 // indirect - github.com/google/go-querystring v1.1.0 // indirect - github.com/moby/sys/userns v0.1.0 // indirect - github.com/x448/float16 v0.8.4 // indirect - go.opentelemetry.io/otel v1.36.0 // indirect - go.opentelemetry.io/otel/trace v1.36.0 // indirect - go.uber.org/automaxprocs v1.6.0 // indirect - gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect - gopkg.in/yaml.v2 v2.4.0 // indirect - k8s.io/helm v2.17.0+incompatible // indirect - sigs.k8s.io/randfill v1.0.0 // indirect - sigs.k8s.io/release-utils v0.8.3 // indirect -) - -require ( - github.com/Anddd7/pb v0.0.0-20250506021228-7e355c18f206 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect - github.com/BurntSushi/toml v1.5.0 // indirect + github.com/BurntSushi/toml v1.6.0 // indirect + github.com/Masterminds/semver/v3 v3.4.0 // indirect github.com/beorn7/perks v1.0.1 // indirect - github.com/blang/semver/v4 v4.0.0 github.com/cespare/xxhash/v2 v2.3.0 // indirect - github.com/coreos/go-systemd/v22 v22.5.0 // indirect - 
github.com/cyphar/filepath-securejoin v0.4.1 // indirect + github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect + github.com/coreos/go-systemd/v22 v22.7.0 // indirect + github.com/cyphar/filepath-securejoin v0.6.1 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/eapache/queue v1.1.0 // indirect - github.com/emicklei/go-restful/v3 v3.12.2 // indirect + github.com/emicklei/go-restful/v3 v3.13.0 // indirect github.com/evanphx/json-patch/v5 v5.9.11 // indirect github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa // indirect + github.com/fxamacker/cbor/v2 v2.9.0 // indirect github.com/go-errors/errors v1.5.1 // indirect - github.com/go-logr/logr v1.4.2 // indirect - github.com/go-openapi/jsonpointer v0.21.1 // indirect - github.com/go-openapi/jsonreference v0.21.0 // indirect - github.com/go-openapi/swag v0.23.1 // indirect + github.com/go-logr/logr v1.4.3 // indirect + github.com/go-openapi/jsonpointer v0.22.5 // indirect + github.com/go-openapi/jsonreference v0.21.5 // indirect + github.com/go-openapi/swag v0.25.5 // indirect + github.com/go-openapi/swag/cmdutils v0.25.5 // indirect + github.com/go-openapi/swag/conv v0.25.5 // indirect + github.com/go-openapi/swag/fileutils v0.25.5 // indirect + github.com/go-openapi/swag/jsonname v0.25.5 // indirect + github.com/go-openapi/swag/jsonutils v0.25.5 // indirect + github.com/go-openapi/swag/loading v0.25.5 // indirect + github.com/go-openapi/swag/mangling v0.25.5 // indirect + github.com/go-openapi/swag/netutils v0.25.5 // indirect + github.com/go-openapi/swag/stringutils v0.25.5 // indirect + github.com/go-openapi/swag/typeutils v0.25.5 // indirect + github.com/go-openapi/swag/yamlutils v0.25.5 // indirect github.com/go-task/slim-sprig/v3 v3.0.0 // indirect - github.com/godbus/dbus/v5 v5.1.0 // indirect - github.com/gogo/protobuf v1.3.2 // indirect + github.com/godbus/dbus/v5 v5.2.2 // indirect github.com/golang/protobuf v1.5.4 // 
indirect github.com/gomarkdown/markdown v0.0.0-20240328165702-4d01890c35c0 // indirect github.com/google/btree v1.1.3 // indirect - github.com/google/gnostic-models v0.6.9 // indirect + github.com/google/gnostic-models v0.7.1 // indirect github.com/google/go-cmp v0.7.0 // indirect - github.com/google/pprof v0.0.0-20250501235452-c0086092b71a // indirect - github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect + github.com/google/go-querystring v1.2.0 // indirect + github.com/google/pprof v0.0.0-20260302011040-a15ffb7f9dcc // indirect github.com/google/uuid v1.6.0 // indirect github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect - github.com/josharian/intern v1.0.0 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect - github.com/mailru/easyjson v0.9.0 // indirect - github.com/mattn/go-colorable v0.1.13 // indirect - github.com/mattn/go-isatty v0.0.19 // indirect github.com/mmarkdown/mmark v2.0.40+incompatible // indirect github.com/moby/sys/mountinfo v0.7.2 // indirect + github.com/moby/sys/userns v0.1.0 // indirect github.com/moby/term v0.5.2 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect - github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 // indirect + github.com/onsi/ginkgo v1.16.5 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect - github.com/pkg/errors v0.9.1 // indirect - github.com/prometheus/procfs v0.16.1 // indirect - github.com/sergi/go-diff v1.3.1 // indirect - github.com/sirupsen/logrus v1.9.3 // indirect + github.com/prometheus/procfs v0.20.1 // indirect + 
github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect + github.com/sergi/go-diff v1.4.0 // indirect + github.com/sirupsen/logrus v1.9.4 // indirect + github.com/x448/float16 v0.8.4 // indirect github.com/xlab/treeprint v1.2.0 // indirect github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect github.com/yudai/pp v2.0.1+incompatible // indirect - golang.org/x/mod v0.24.0 // indirect - golang.org/x/net v0.40.0 // indirect - golang.org/x/oauth2 v0.30.0 - golang.org/x/sync v0.14.0 // indirect - golang.org/x/sys v0.33.0 // indirect - golang.org/x/term v0.32.0 // indirect - golang.org/x/text v0.25.0 // indirect - golang.org/x/time v0.11.0 // indirect - golang.org/x/tools v0.33.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect - google.golang.org/protobuf v1.36.6 // indirect + go.opentelemetry.io/otel v1.42.0 // indirect + go.opentelemetry.io/otel/trace v1.42.0 // indirect + go.yaml.in/yaml/v2 v2.4.4 // indirect + golang.org/x/mod v0.34.0 // indirect + golang.org/x/net v0.52.0 // indirect + golang.org/x/sync v0.20.0 // indirect + golang.org/x/sys v0.42.0 // indirect + golang.org/x/term v0.41.0 // indirect + golang.org/x/text v0.35.0 // indirect + golang.org/x/time v0.15.0 // indirect + golang.org/x/tools v0.43.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20260316180232-0b37fe3546d5 // indirect + google.golang.org/protobuf v1.36.11 // indirect + gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect gopkg.in/go-playground/assert.v1 v1.2.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect - gopkg.in/yaml.v3 v3.0.1 - k8s.io/gengo/v2 v2.0.0-20250207200755-1244d31929d7 // indirect - k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect - k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979 // indirect - sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect - sigs.k8s.io/kustomize/api v0.19.0 // indirect - sigs.k8s.io/kustomize/kyaml v0.19.0 // indirect - 
sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect - sigs.k8s.io/yaml v1.4.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect + k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b // indirect + k8s.io/kube-openapi v0.0.0-20260319004828-5883c5ee87b9 // indirect + sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect + sigs.k8s.io/kustomize/api v0.21.1 // indirect + sigs.k8s.io/kustomize/kyaml v0.21.1 // indirect + sigs.k8s.io/randfill v1.0.0 // indirect + sigs.k8s.io/release-utils v0.8.3 // indirect + sigs.k8s.io/structured-merge-diff/v6 v6.3.2 // indirect + sigs.k8s.io/yaml v1.6.0 // indirect ) diff --git a/go.sum b/go.sum index a2b857b8e4..112af3adb6 100644 --- a/go.sum +++ b/go.sum 
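Review bot: The library replacements in this require block are not marked and are easy to miss among the routine version bumps: `github.com/armon/go-proxyproto v0.1.0` is dropped for `github.com/pires/go-proxyproto v0.11.0`, and `github.com/helm/helm v2.17.0+incompatible` for `helm.sh/helm/v4 v4.1.3`. I would add a go.mod comment above the new line, for example `// replaces github.com/armon/go-proxyproto (PROXY protocol header parsing)`, and name the replacement in the commit description. The PROXY protocol header supplies the client address a listener reports, so the calling code, which is not in this hunk, should be checked for which peers it accepts a header from and for a bound on the time spent reading it, presumably with a test that covers a connection sending no header at all. The two libraries are unlikely to share defaults, so that behaviour should not be assumed to carry over unchanged.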
@@ -1,15 +1,15 @@ dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8= dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/Anddd7/pb v0.0.0-20250506021228-7e355c18f206 h1:Q6bRlF05+gv0dEhIj9XAlgRsmuPF4sKS6yp5aD333aw= github.com/Anddd7/pb v0.0.0-20250506021228-7e355c18f206/go.mod h1:vYWKbnXd2KAZHUECLPzSE0Er3FgiEmOdPtxwSIRihck= github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg= github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= -github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg= -github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= -github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww= -github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= -github.com/armon/go-proxyproto v0.1.0 h1:TWWcSsjco7o2itn6r25/5AqKBiWmsiuzsUDLT/MTl7k= -github.com/armon/go-proxyproto v0.1.0/go.mod h1:Xj90dce2VKbHzRAeiVQAMBtj4M5oidoXJ8lmgyW21mw= +github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk= +github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= +github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= +github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= 
@@ -18,98 +18,130 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= -github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= -github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/coreos/go-systemd/v22 v22.7.0 h1:LAEzFkke61DFROc7zNLX/WA2i5J8gYqe0rSj9KI28KA= +github.com/coreos/go-systemd/v22 v22.7.0/go.mod h1:xNUYtjHu2EDXbsxz1i41wouACIwT7Ybq9o0BQhMwD0w= github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= -github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s= -github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= +github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE= +github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960/go.mod h1:9HQzr9D/0PGwMEbC3d5AB7oi67+h4TsQqItC1GVYG58= 
-github.com/dprotaso/go-yit v0.0.0-20250513224043-18a80f8f6df4 h1:JzpdVajvTuXQXL10D0vId1ZcW9alSJ3H0CnZczzz4ec= -github.com/dprotaso/go-yit v0.0.0-20250513224043-18a80f8f6df4/go.mod h1:lHwJo6jMevQL9tNpW6vLyhkK13bYHBcoh9tUakMhbnE= +github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI= +github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8= github.com/eapache/channels v1.1.0 h1:F1taHcn7/F0i8DYqKXJnyhJcVpp2kgFcNePxXtnyu4k= github.com/eapache/channels v1.1.0/go.mod h1:jMm2qB5Ubtg9zLd+inMZd2/NUvXgzmWXsDaLyQIGfH0= github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= -github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU= -github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes= +github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU= github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k= github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa h1:RDBNVkRviHZtvDvId8XSGPu3rmpmSe+wKRcEWNgsfWU= github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod 
h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= -github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU= -github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= -github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= -github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM= +github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= +github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs= +github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo= +github.com/gkampitakis/go-diff v1.3.2 h1:Qyn0J9XJSDTgnsgHRdz9Zp24RaJeKMUHg2+PDZZdC4M= +github.com/gkampitakis/go-diff v1.3.2/go.mod h1:LLgOrpqleQe26cte8s36HTWcTmMEur6OPYerdAAS9tk= +github.com/gkampitakis/go-snaps v0.5.15 h1:amyJrvM1D33cPHwVrjo9jQxX8g/7E2wYdZ+01KS3zGE= +github.com/gkampitakis/go-snaps v0.5.15/go.mod h1:HNpx/9GoKisdhw9AFOBT1N7DBs9DiHo/hGheFGBZ+mc= github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk= github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= -github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= -github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= +github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= -github.com/go-openapi/jsonpointer v0.21.1 
h1:whnzv/pNXtK2FbX/W9yJfRmE2gsmkfahjMKB0fZvcic= -github.com/go-openapi/jsonpointer v0.21.1/go.mod h1:50I1STOfbY1ycR8jGz8DaMeLCdXiI6aDteEdRNNzpdk= -github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= -github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= -github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZU= -github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0= +github.com/go-openapi/jsonpointer v0.22.5 h1:8on/0Yp4uTb9f4XvTrM2+1CPrV05QPZXu+rvu2o9jcA= +github.com/go-openapi/jsonpointer v0.22.5/go.mod h1:gyUR3sCvGSWchA2sUBJGluYMbe1zazrYWIkWPjjMUY0= +github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe+pJyVWRdiE= +github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw= +github.com/go-openapi/swag v0.25.5 h1:pNkwbUEeGwMtcgxDr+2GBPAk4kT+kJ+AaB+TMKAg+TU= +github.com/go-openapi/swag v0.25.5/go.mod h1:B3RT6l8q7X803JRxa2e59tHOiZlX1t8viplOcs9CwTA= +github.com/go-openapi/swag/cmdutils v0.25.5 h1:yh5hHrpgsw4NwM9KAEtaDTXILYzdXh/I8Whhx9hKj7c= +github.com/go-openapi/swag/cmdutils v0.25.5/go.mod h1:pdae/AFo6WxLl5L0rq87eRzVPm/XRHM3MoYgRMvG4A0= +github.com/go-openapi/swag/conv v0.25.5 h1:wAXBYEXJjoKwE5+vc9YHhpQOFj2JYBMF2DUi+tGu97g= +github.com/go-openapi/swag/conv v0.25.5/go.mod h1:CuJ1eWvh1c4ORKx7unQnFGyvBbNlRKbnRyAvDvzWA4k= +github.com/go-openapi/swag/fileutils v0.25.5 h1:B6JTdOcs2c0dBIs9HnkyTW+5gC+8NIhVBUwERkFhMWk= +github.com/go-openapi/swag/fileutils v0.25.5/go.mod h1:V3cT9UdMQIaH4WiTrUc9EPtVA4txS0TOmRURmhGF4kc= +github.com/go-openapi/swag/jsonname v0.25.5 h1:8p150i44rv/Drip4vWI3kGi9+4W9TdI3US3uUYSFhSo= +github.com/go-openapi/swag/jsonname v0.25.5/go.mod h1:jNqqikyiAK56uS7n8sLkdaNY/uq6+D2m2LANat09pKU= +github.com/go-openapi/swag/jsonutils v0.25.5 h1:XUZF8awQr75MXeC+/iaw5usY/iM7nXPDwdG3Jbl9vYo= +github.com/go-openapi/swag/jsonutils v0.25.5/go.mod 
h1:48FXUaz8YsDAA9s5AnaUvAmry1UcLcNVWUjY42XkrN4= +github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.5 h1:SX6sE4FrGb4sEnnxbFL/25yZBb5Hcg1inLeErd86Y1U= +github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.5/go.mod h1:/2KvOTrKWjVA5Xli3DZWdMCZDzz3uV/T7bXwrKWPquo= +github.com/go-openapi/swag/loading v0.25.5 h1:odQ/umlIZ1ZVRteI6ckSrvP6e2w9UTF5qgNdemJHjuU= +github.com/go-openapi/swag/loading v0.25.5/go.mod h1:I8A8RaaQ4DApxhPSWLNYWh9NvmX2YKMoB9nwvv6oW6g= +github.com/go-openapi/swag/mangling v0.25.5 h1:hyrnvbQRS7vKePQPHHDso+k6CGn5ZBs5232UqWZmJZw= +github.com/go-openapi/swag/mangling v0.25.5/go.mod h1:6hadXM/o312N/h98RwByLg088U61TPGiltQn71Iw0NY= +github.com/go-openapi/swag/netutils v0.25.5 h1:LZq2Xc2QI8+7838elRAaPCeqJnHODfSyOa7ZGfxDKlU= +github.com/go-openapi/swag/netutils v0.25.5/go.mod h1:lHbtmj4m57APG/8H7ZcMMSWzNqIQcu0RFiXrPUara14= +github.com/go-openapi/swag/stringutils v0.25.5 h1:NVkoDOA8YBgtAR/zvCx5rhJKtZF3IzXcDdwOsYzrB6M= +github.com/go-openapi/swag/stringutils v0.25.5/go.mod h1:PKK8EZdu4QJq8iezt17HM8RXnLAzY7gW0O1KKarrZII= +github.com/go-openapi/swag/typeutils v0.25.5 h1:EFJ+PCga2HfHGdo8s8VJXEVbeXRCYwzzr9u4rJk7L7E= +github.com/go-openapi/swag/typeutils v0.25.5/go.mod h1:itmFmScAYE1bSD8C4rS0W+0InZUBrB2xSPbWt6DLGuc= +github.com/go-openapi/swag/yamlutils v0.25.5 h1:kASCIS+oIeoc55j28T4o8KwlV2S4ZLPT6G0iq2SSbVQ= +github.com/go-openapi/swag/yamlutils v0.25.5/go.mod h1:Gek1/SjjfbYvM+Iq4QGwa/2lEXde9n2j4a3wI3pNuOQ= +github.com/go-openapi/testify/enable/yaml/v2 v2.4.0 h1:7SgOMTvJkM8yWrQlU8Jm18VeDPuAvB/xWrdxFJkoFag= +github.com/go-openapi/testify/enable/yaml/v2 v2.4.0/go.mod h1:14iV8jyyQlinc9StD7w1xVPW3CO3q1Gj04Jy//Kw4VM= +github.com/go-openapi/testify/v2 v2.4.0 h1:8nsPrHVCWkQ4p8h1EsRVymA2XABB4OT40gcvAu+voFM= +github.com/go-openapi/testify/v2 v2.4.0/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig/v3 v3.0.0 
h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= -github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= -github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= -github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= -github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= -github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw= +github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= +github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ= +github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/gomarkdown/markdown 
v0.0.0-20240328165702-4d01890c35c0 h1:4gjrh/PN2MuWCCElk8/I4OCKRKWCCo2zEct3VKCbibU= github.com/gomarkdown/markdown v0.0.0-20240328165702-4d01890c35c0/go.mod h1:JDGcbDT52eL4fju3sZ4TeHGsQwhG9nbDV21aMyhwPoA= github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= -github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= -github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= -github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gnostic-models v0.7.1 h1:SisTfuFKJSKM5CPZkffwi6coztzzeYUhc3v4yxLWH8c= +github.com/google/gnostic-models v0.7.1/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/go-github/v48 v48.2.0 h1:68puzySE6WqUY9KWmpOsDEQfDZsso98rT6pZcz9HqcE= github.com/google/go-github/v48 v48.2.0/go.mod h1:dDlehKBDo850ZPvCTK0sEqTCVWcrGl2LcDiajkYi89Y= -github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= -github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU= +github.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfhIxNtP0= +github.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU= 
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20250501235452-c0086092b71a h1:rDA3FfmxwXR+BVKKdz55WwMJ1pD2hJQNW31d+l3mPk4= -github.com/google/pprof v0.0.0-20250501235452-c0086092b71a/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA= -github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= -github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= +github.com/google/pprof v0.0.0-20260302011040-a15ffb7f9dcc h1:VBbFa1lDYWEeV5FZKUiYKYT0VxCp9twUmmaq9eb8sXw= +github.com/google/pprof v0.0.0-20260302011040-a15ffb7f9dcc/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/helm/helm v2.17.0+incompatible h1:0iy95yMXrfWpwaoOA9XRP+cTvitTrq+LcJV9DvR5n1Y= -github.com/helm/helm v2.17.0+incompatible/go.mod h1:ahXhuvluW4YnSL6W6hDVetZsVK8Pv4BP8OwKli7aMqo= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= -github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/joshdk/go-junit v1.0.0 h1:S86cUKIdwBHWwA6xCmFlf3RTLfVXYQfvanM5Uh+K6GE= +github.com/joshdk/go-junit v1.0.0/go.mod h1:TiiV0PqkaNfFXjEiyjWM3XXrhVyCa1K4Zfga6W52ung= github.com/json-iterator/go 
v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= -github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= -github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 
@@ -123,15 +155,16 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= -github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg= -github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= -github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= -github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= +github.com/magefile/mage v1.16.1 h1:j5UwkdA48xTlGs0Hcm1Q3sSAcxBorntQjiewDNMsqlo= +github.com/magefile/mage v1.16.1/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= +github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo= +github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= -github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= -github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA= -github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mfridman/tparse v0.18.0 h1:wh6dzOKaIwkUGyKgOntDW4liXSo37qg5AXbIhkMV3vE= +github.com/mfridman/tparse v0.18.0/go.mod h1:gEvqZTuCgEhPbYk/2lS3Kcxg1GmTxxU7kTC8DvP0i/A= github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc= 
github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg= github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4= @@ -149,8 +182,9 @@ github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFL github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0= github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4= github.com/moul/pb v0.0.0-20220425114252-bca18df4138c h1:1STmblv9zmHLDpru4dbnf1PNL6wrrZNf7yBH+SfQU+s= 
@@ -161,48 +195,50 @@ github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 h1:t4WWQ9I797y7QU github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833/go.mod h1:0CznHmXSjMEqs5Tezj/w2emQoM41wzYM9KpDKUHPYag= github.com/ncabatoff/process-exporter v0.8.7 h1:V+Xtlq7Q9ticzNtkIR9fUlyNxD+rQLs1P8qzumsCWQI= github.com/ncabatoff/process-exporter v0.8.7/go.mod h1:tzUO/+OadS/ynh8xu2lO66zb72a8x0VrIWLPddKGilU= -github.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY= -github.com/nxadm/tail v1.4.11/go.mod h1:OTaG3NK980DZzxbRq6lEuzgU+mug70nY11sMd4JXXHc= +github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= +github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.10.2/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus= -github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8= -github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y= -github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0= -github.com/opencontainers/cgroups v0.0.2 h1:A+mAPPMfgKNCEZUUtibESFx06uvhAmvo8sSz3Abwk7o= -github.com/opencontainers/cgroups v0.0.2/go.mod h1:s8lktyhlGUqM7OSRL5P7eAW6Wb+kWPNvt4qvVfzA5vs= +github.com/onsi/ginkgo/v2 v2.28.1 h1:S4hj+HbZp40fNKuLUQOYLDgZLwNUVn19N3Atb98NCyI= +github.com/onsi/ginkgo/v2 v2.28.1/go.mod 
h1:CLtbVInNckU3/+gC8LzkGUb9oF+e8W8TdUsxPwvdOgE= +github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= +github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= +github.com/onsi/gomega v1.39.0 h1:y2ROC3hKFmQZJNFeGAMeHZKkjBL65mIZcvrLQBF9k6Q= +github.com/onsi/gomega v1.39.0/go.mod h1:ZCU1pkQcXDO5Sl9/VVEGlDyp+zm0m1cmeG5TOzLgdh4= +github.com/opencontainers/cgroups v0.0.6 h1:tfZFWTIIGaUUFImTyuTg+Mr5x8XRiSdZESgEBW7UxuI= +github.com/opencontainers/cgroups v0.0.6/go.mod h1:oWVzJsKK0gG9SCRBfTpnn16WcGEqDI8PAcpMGbqWxcs= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= -github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pires/go-proxyproto v0.11.0 h1:gUQpS85X/VJMdUsYyEgyn59uLJvGqPhJV5YvG68wXH4= +github.com/pires/go-proxyproto v0.11.0/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g= -github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U= -github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q= -github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0= +github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o= +github.com/prometheus/client_golang v1.23.2/go.mod 
h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg= github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk= github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= -github.com/prometheus/common v0.64.0 h1:pdZeA+g617P7oGv1CzdTzyeShxAGrTBsolKNOLQPGO4= -github.com/prometheus/common v0.64.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8= -github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg= -github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is= -github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= -github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= +github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4= +github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw= +github.com/prometheus/procfs v0.20.1 h1:XwbrGOIplXW/AU3YhIhLODXMJYyC1isLFfYCsTEycfc= +github.com/prometheus/procfs v0.20.1/go.mod h1:o9EMBZGRyvDrSPH1RqdxhojkuXstoe4UlK79eF5TGGo= +github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= +github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= -github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= -github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= -github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= -github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= -github.com/spf13/cobra v1.9.1/go.mod 
h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= -github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= -github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 h1:KRzFb2m7YtdldCEkzs6KqmJw4nqEVZGK7IN2kJkjTuQ= +github.com/santhosh-tekuri/jsonschema/v6 v6.0.2/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU= +github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw= +github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4= +github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w= +github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g= +github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU= +github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4= +github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk= +github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= 
@@ -211,11 +247,17 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= -github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= +github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= +github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY= +github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= +github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= +github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4= +github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= +github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY= +github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28= github.com/urfave/cli v1.17.1-0.20160602030128-01a33823596e/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= -github.com/vmware-labs/yaml-jsonpath v0.3.2 h1:/5QKeCBGdsInyDCyVNLbXyilb61MXGi9NP674f9Hobk= -github.com/vmware-labs/yaml-jsonpath v0.3.2/go.mod h1:U6whw1z03QyqgWdgXxvVnQ90zN1BWz5V+51Ewf8k+rQ= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= 
@@ -226,96 +268,108 @@ github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 h1:BHyfKlQyqbsFN5p3Ifn github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM= github.com/yudai/pp v2.0.1+incompatible h1:Q4//iY4pNF6yPLZIigmvcl7k/bPgrcTPIFIcmawg5bI= github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc= -github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/zakjan/cert-chain-resolver v0.0.0-20221221105603-fcedb00c5b30 h1:rzHvkiukOVYcf840FqAsHqBMhfLofvQIxWtczkGRklU= github.com/zakjan/cert-chain-resolver v0.0.0-20221221105603-fcedb00c5b30/go.mod h1:/Hzu8ych2oXCs1iNI+MeASyFzWTncQ6nlu/wgqbqC2A= -go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= -go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= -go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg= -go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E= -go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE= -go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs= -go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A= -go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU= -go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk= -go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w= -go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w= -go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA= -go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= 
-go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= +go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= +go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= +go.opentelemetry.io/otel v1.42.0 h1:lSQGzTgVR3+sgJDAU/7/ZMjN9Z+vUip7leaqBKy4sho= +go.opentelemetry.io/otel v1.42.0/go.mod h1:lJNsdRMxCUIWuMlVJWzecSMuNjE7dOYyWlqOXWkdqCc= +go.opentelemetry.io/otel/metric v1.42.0 h1:2jXG+3oZLNXEPfNmnpxKDeZsFI5o4J+nz6xUlaFdF/4= +go.opentelemetry.io/otel/metric v1.42.0/go.mod h1:RlUN/7vTU7Ao/diDkEpQpnz3/92J9ko05BIwxYa2SSI= +go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8= +go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE= +go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw= +go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg= +go.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4LenLmOYY= +go.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +go.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ= +go.yaml.in/yaml/v2 v2.4.4/go.mod h1:gMZqIpDtDqOfM0uNfy0SkpRhvUryYH0Z6wdMYcacYXQ= +go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= +go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto 
v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8= -golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw= -golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4= +golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU= -golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= +golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI= +golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY= -golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds= -golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= -golang.org/x/oauth2 
v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU= +golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0= +golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw= +golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs= +golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ= -golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4= +golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= -golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= -golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg= -golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ= +golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= +golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= +golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU= +golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4= -golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA= -golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0= -golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= +golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8= +golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA= +golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U= +golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod 
h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc= -golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI= +golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s= +golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0= +golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM= +golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY= +golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM= +golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 h1:cJfm9zPbe1e873mHJzmQ1nwVEeRDU/T1wXDK2kUSU34= 
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= -google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8= -google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM= -google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY= -google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= +gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= +gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260316180232-0b37fe3546d5 h1:aJmi6DVGGIStN9Mobk/tZOOQUBbj0BPjZjjnOdoZKts= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260316180232-0b37fe3546d5/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= +google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE= +google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= +google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod 
h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= -gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= +gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo= +gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/go-playground/assert.v1 v1.2.1 h1:xoYuJVE7KT85PYWrN730RguIQO0ePzVRfFMXadIrXTM= gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE= 
@@ -327,59 +381,56 @@ gopkg.in/mcuadros/go-syslog.v2 v2.3.0 h1:kcsiS+WsTKyIEPABJBJtoG0KkOS6yzvJ+/eZlhD gopkg.in/mcuadros/go-syslog.v2 v2.3.0/go.mod h1:l5LPIyOOyIdQquNg+oU6Z3524YwrcqEm0aKH+5zpt2U= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= -gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= -gopkg.in/yaml.v3 v3.0.0-20191026110619-0b21df46bc1d/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.33.1 h1:tA6Cf3bHnLIrUK4IqEgb2v++/GYUtqiu9sRVk3iBXyw= -k8s.io/api v0.33.1/go.mod h1:87esjTn9DRSRTD4fWMXamiXxJhpOIREjWOSjsW1kEHw= -k8s.io/apiextensions-apiserver v0.33.1 h1:N7ccbSlRN6I2QBcXevB73PixX2dQNIW0ZRuguEE91zI= -k8s.io/apiextensions-apiserver v0.33.1/go.mod h1:uNQ52z1A1Gu75QSa+pFK5bcXc4hq7lpOXbweZgi4dqA= -k8s.io/apimachinery v0.33.1 h1:mzqXWV8tW9Rw4VeW9rEkqvnxj59k1ezDUl20tFK/oM4= -k8s.io/apimachinery v0.33.1/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= -k8s.io/apiserver v0.33.1 h1:yLgLUPDVC6tHbNcw5uE9mo1T6ELhJj7B0geifra3Qdo= -k8s.io/apiserver v0.33.1/go.mod h1:VMbE4ArWYLO01omz+k8hFjAdYfc3GVAYPrhP2tTKccs= -k8s.io/cli-runtime v0.33.1 h1:TvpjEtF71ViFmPeYMj1baZMJR4iWUEplklsUQ7D3quA= -k8s.io/cli-runtime v0.33.1/go.mod 
h1:9dz5Q4Uh8io4OWCLiEf/217DXwqNgiTS/IOuza99VZE= -k8s.io/client-go v0.33.1 h1:ZZV/Ks2g92cyxWkRRnfUDsnhNn28eFpt26aGc8KbXF4= -k8s.io/client-go v0.33.1/go.mod h1:JAsUrl1ArO7uRVFWfcj6kOomSlCv+JpvIsp6usAGefA= -k8s.io/code-generator v0.33.1 h1:ZLzIRdMsh3Myfnx9BaooX6iQry29UJjVfVG+BuS+UMw= -k8s.io/code-generator v0.33.1/go.mod h1:HUKT7Ubp6bOgIbbaPIs9lpd2Q02uqkMCMx9/GjDrWpY= -k8s.io/component-base v0.33.1 h1:EoJ0xA+wr77T+G8p6T3l4efT2oNwbqBVKR71E0tBIaI= -k8s.io/component-base v0.33.1/go.mod h1:guT/w/6piyPfTgq7gfvgetyXMIh10zuXA6cRRm3rDuY= -k8s.io/gengo/v2 v2.0.0-20250207200755-1244d31929d7 h1:2OX19X59HxDprNCVrWi6jb7LW1PoqTlYqEq5H2oetog= -k8s.io/gengo/v2 v2.0.0-20250207200755-1244d31929d7/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU= -k8s.io/helm v2.17.0+incompatible h1:Bpn6o1wKLYqKM3+Osh8e+1/K2g/GsQJ4F4yNF2+deao= -k8s.io/helm v2.17.0+incompatible/go.mod h1:LZzlS4LQBHfciFOurYBFkCMTaZ0D1l+p0teMg7TSULI= -k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= -k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4= -k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8= -k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979 h1:jgJW5IePPXLGB8e/1wvd0Ich9QE97RvvF3a8J3fP/Lg= -k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +helm.sh/helm/v4 v4.1.3 h1:Abfmb+oJUtxoaXDyB2Jhw1zRk3hT6aFfHta+AXb8Lno= +helm.sh/helm/v4 v4.1.3/go.mod h1:5dSo8rRgn3OTkDAc/k0Ipw5/Q+BlqKIKZwa0XwSiINI= +k8s.io/api v0.35.3 h1:pA2fiBc6+N9PDf7SAiluKGEBuScsTzd2uYBkA5RzNWQ= +k8s.io/api v0.35.3/go.mod h1:9Y9tkBcFwKNq2sxwZTQh1Njh9qHl81D0As56tu42GA4= +k8s.io/apiextensions-apiserver v0.35.3 h1:2fQUhEO7P17sijylbdwt0nBdXP0TvHrHj0KeqHD8FiU= +k8s.io/apiextensions-apiserver v0.35.3/go.mod h1:tK4Kz58ykRpwAEkXUb634HD1ZAegEElktz/B3jgETd8= +k8s.io/apimachinery v0.35.3 
h1:MeaUwQCV3tjKP4bcwWGgZ/cp/vpsRnQzqO6J6tJyoF8= +k8s.io/apimachinery v0.35.3/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns= +k8s.io/apiserver v0.35.3 h1:D2eIcfJ05hEAEewoSDg+05e0aSRwx8Y4Agvd/wiomUI= +k8s.io/apiserver v0.35.3/go.mod h1:JI0n9bHYzSgIxgIrfe21dbduJ9NHzKJ6RchcsmIKWKY= +k8s.io/cli-runtime v0.35.3 h1:UZq4ipNimtzBmhN7PPKbfAdqo8quK0H0UdGl6qAQnqI= +k8s.io/cli-runtime v0.35.3/go.mod h1:O7MUmCqcKSd5xI+O5X7/pRkB5l0O2NIhOdUVwbHLXu4= +k8s.io/client-go v0.35.3 h1:s1lZbpN4uI6IxeTM2cpdtrwHcSOBML1ODNTCCfsP1pg= +k8s.io/client-go v0.35.3/go.mod h1:RzoXkc0mzpWIDvBrRnD+VlfXP+lRzqQjCmKtiwZ8Q9c= +k8s.io/code-generator v0.35.3 h1:NDGCLkEm6Ho65wTdSe2EgErmmtsrezOPwwOchlNc6FQ= +k8s.io/code-generator v0.35.3/go.mod h1:LAVriRGXQusHQ0Ns64SE1ublSswm1KrK7cXn0GuQETg= +k8s.io/component-base v0.35.3 h1:mbKbzoIMy7JDWS/wqZobYW1JDVRn/RKRaoMQHP9c4P0= +k8s.io/component-base v0.35.3/go.mod h1:IZ8LEG30kPN4Et5NeC7vjNv5aU73ku5MS15iZyvyMYk= +k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b h1:gMplByicHV/TJBizHd9aVEsTYoJBnnUAT5MHlTkbjhQ= +k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b/go.mod h1:CgujABENc3KuTrcsdpGmrrASjtQsWCT7R99mEV4U/fM= +k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc= +k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0= +k8s.io/kube-openapi v0.0.0-20260319004828-5883c5ee87b9 h1:Sztf7ESG9tAXRW/ACJZjrj5jhdOUqS2KFRQT+CTvu78= +k8s.io/kube-openapi v0.0.0-20260319004828-5883c5ee87b9/go.mod h1:uGBT7iTA6c6MvqUvSXIaYZo9ukscABYi2btjhvgKGZ0= +k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 h1:AZYQSJemyQB5eRxqcPky+/7EdBj0xi3g0ZcxxJ7vbWU= +k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 h1:SAElp8THCfmBdM+4lmWX5gebiSSkEr7PAYDVF91qpfg= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732/go.mod h1:lpvCfhqEHNJSSpG5R5A2EgsVzG8RTt4RfPoQuRAcDmg= -sigs.k8s.io/controller-runtime v0.21.0 
h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytIGcJS8= -sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM= -sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= -sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= -sigs.k8s.io/kustomize/api v0.19.0 h1:F+2HB2mU1MSiR9Hp1NEgoU2q9ItNOaBJl0I4Dlus5SQ= -sigs.k8s.io/kustomize/api v0.19.0/go.mod h1:/BbwnivGVcBh1r+8m3tH1VNxJmHSk1PzP5fkP6lbL1o= -sigs.k8s.io/kustomize/kyaml v0.19.0 h1:RFge5qsO1uHhwJsu3ipV7RNolC7Uozc0jUBC/61XSlA= -sigs.k8s.io/kustomize/kyaml v0.19.0/go.mod h1:FeKD5jEOH+FbZPpqUghBP8mrLjJ3+zD3/rf9NNu1cwY= +sigs.k8s.io/controller-runtime v0.23.3 h1:VjB/vhoPoA9l1kEKZHBMnQF33tdCLQKJtydy4iqwZ80= +sigs.k8s.io/controller-runtime v0.23.3/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0= +sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= +sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= +sigs.k8s.io/kustomize/api v0.21.1 h1:lzqbzvz2CSvsjIUZUBNFKtIMsEw7hVLJp0JeSIVmuJs= +sigs.k8s.io/kustomize/api v0.21.1/go.mod h1:f3wkKByTrgpgltLgySCntrYoq5d3q7aaxveSagwTlwI= +sigs.k8s.io/kustomize/kyaml v0.21.1 h1:IVlbmhC076nf6foyL6Taw4BkrLuEsXUXNpsE+ScX7fI= +sigs.k8s.io/kustomize/kyaml v0.21.1/go.mod h1:hmxADesM3yUN2vbA5z1/YTBnzLJ1dajdqpQonwBL1FQ= sigs.k8s.io/mdtoc v1.4.0 h1:2pDEwJSjoVrGr5BPkG+LoLkYLKvgtGYurrBY8ul3SxQ= sigs.k8s.io/mdtoc v1.4.0/go.mod h1:KVnRRtK1rX9aQ95qF0rt3x2ytTxf3r7W7N41H+0KF0k= -sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= sigs.k8s.io/release-utils v0.8.3 h1:KtOtA4qDmzJyeQ2zkDsFVI25+NViwms/o5eL2NftFdA= sigs.k8s.io/release-utils v0.8.3/go.mod 
h1:fp82Fma06OXBhEJ+GUJKqvcplDBomruK1R/1fWJnsrQ= -sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI= -sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps= -sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= -sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= +sigs.k8s.io/structured-merge-diff/v6 v6.3.2 h1:kwVWMx5yS1CrnFWA/2QHyRVJ8jM6dBA80uLmm0wJkk8= +sigs.k8s.io/structured-merge-diff/v6 v6.3.2/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= +sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= +sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= diff --git a/hack/.tool-versions b/hack/.tool-versions index 4bd118c7b0..93f54d8d9e 100644 --- a/hack/.tool-versions +++ b/hack/.tool-versions @@ -1,2 +1,2 @@ kustomize 4.5.4 -helm 3.8.2 +helm 4.1.3 diff --git a/hack/verify-golint.sh b/hack/verify-golint.sh index 17bcedd9fc..b2fb22df70 100755 --- a/hack/verify-golint.sh +++ b/hack/verify-golint.sh @@ -26,8 +26,8 @@ LINT=${LINT:-golangci-lint} if [[ -z "$(command -v ${LINT})" ]]; then echo "${LINT} is missing. Installing it now." - # See: https://golangci-lint.run/usage/install/#local-installation - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.53.3 + # See: https://golangci-lint.run/welcome/install/#local-installation + curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.3.0 LINT=$(go env GOPATH)/bin/golangci-lint fi diff --git a/images/cfssl/TAG b/images/cfssl/TAG index c641220244..1db994be91 100644 --- a/images/cfssl/TAG +++ b/images/cfssl/TAG @@ -1 +1 @@ -v1.1.4 +v1.2.9 diff --git a/images/cfssl/rootfs/Dockerfile b/images/cfssl/rootfs/Dockerfile index 3978c8f4ba..95e10fdead 100644 --- a/images/cfssl/rootfs/Dockerfile 
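Review bot: The installer in hack/verify-golint.sh is still fetched from a moving ref (`HEAD/install.sh`) and piped straight into `sh`, so the script that runs is whatever the default branch holds at that moment and is not tied to the `v2.3.0` release it installs. Fetching the script from the matching tag narrows that, e.g. `curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/v2.3.0/install.sh | sh -s -- -b "$(go env GOPATH)/bin" v2.3.0`; a commit SHA in place of the tag would be stricter still. Quoting `$(go env GOPATH)` in the same line and in the `LINT=` assignment also keeps the path intact if it contains spaces.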
+++ b/images/cfssl/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.21 +FROM alpine:3.23.3 RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories RUN apk update \ diff --git a/images/custom-error-pages/TAG b/images/custom-error-pages/TAG index c641220244..1db994be91 100644 --- a/images/custom-error-pages/TAG +++ b/images/custom-error-pages/TAG @@ -1 +1 @@ -v1.1.4 +v1.2.9 diff --git a/images/custom-error-pages/rootfs/Dockerfile b/images/custom-error-pages/rootfs/Dockerfile index f789e7afcd..00e3fe9496 100755 --- a/images/custom-error-pages/rootfs/Dockerfile +++ b/images/custom-error-pages/rootfs/Dockerfile @@ -14,7 +14,7 @@ ARG GOLANG_VERSION -FROM golang:${GOLANG_VERSION}-alpine3.21 AS builder +FROM golang:${GOLANG_VERSION}-alpine3.23 AS builder RUN apk update \ && apk upgrade && apk add git diff --git a/images/custom-error-pages/rootfs/go.mod b/images/custom-error-pages/rootfs/go.mod index e408d5ccf9..f228eb959d 100644 --- a/images/custom-error-pages/rootfs/go.mod +++ b/images/custom-error-pages/rootfs/go.mod 
@@ -1,16 +1,17 @@ module k8s.io/ingress-nginx/custom-error-pages -go 1.24.3 +go 1.26.1 -require github.com/prometheus/client_golang v1.22.0 +require github.com/prometheus/client_golang v1.23.2 require ( github.com/beorn7/perks v1.0.1 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/prometheus/client_model v0.6.2 // indirect - github.com/prometheus/common v0.64.0 // indirect - github.com/prometheus/procfs v0.16.1 // indirect - golang.org/x/sys v0.33.0 // indirect - google.golang.org/protobuf v1.36.6 // indirect + github.com/prometheus/common v0.67.5 // indirect + github.com/prometheus/procfs v0.20.1 // indirect + go.yaml.in/yaml/v2 v2.4.4 // indirect + golang.org/x/sys v0.42.0 // indirect + google.golang.org/protobuf v1.36.11 // indirect ) diff --git a/images/custom-error-pages/rootfs/go.sum b/images/custom-error-pages/rootfs/go.sum index 9ae5774100..c3d873170b 100644 --- a/images/custom-error-pages/rootfs/go.sum +++ b/images/custom-error-pages/rootfs/go.sum 
@@ -14,19 +14,23 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q= -github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0= +github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o= +github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg= github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk= github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= -github.com/prometheus/common v0.64.0 h1:pdZeA+g617P7oGv1CzdTzyeShxAGrTBsolKNOLQPGO4= -github.com/prometheus/common v0.64.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8= -github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg= -github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is= -github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= -github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= -golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= -google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY= -google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= +github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4= +github.com/prometheus/common v0.67.5/go.mod 
h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw= +github.com/prometheus/procfs v0.20.1 h1:XwbrGOIplXW/AU3YhIhLODXMJYyC1isLFfYCsTEycfc= +github.com/prometheus/procfs v0.20.1/go.mod h1:o9EMBZGRyvDrSPH1RqdxhojkuXstoe4UlK79eF5TGGo= +github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= +github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ= +go.yaml.in/yaml/v2 v2.4.4/go.mod h1:gMZqIpDtDqOfM0uNfy0SkpRhvUryYH0Z6wdMYcacYXQ= +golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= +golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= +google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= +google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/images/custom-error-pages/rootfs/main.go b/images/custom-error-pages/rootfs/main.go index 4228a7214b..c620a88151 100644 --- a/images/custom-error-pages/rootfs/main.go +++ b/images/custom-error-pages/rootfs/main.go @@ -94,7 +94,7 @@ func main() { w.WriteHeader(http.StatusOK) }) - http.ListenAndServe(fmt.Sprintf(":8080"), nil) + http.ListenAndServe(":8080", nil) } func errorHandler(path, defaultFormat string) func(http.ResponseWriter, *http.Request) { @@ -149,7 +149,6 @@ func errorHandler(path, defaultFormat string) func(http.ResponseWriter, *http.Re code = 404 log.Printf("unexpected error reading return code: %v. Using %v", err, code) } - w.WriteHeader(code) if !strings.HasPrefix(ext, ".") { ext = "." + ext 
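Review bot: The return value of `http.ListenAndServe(":8080", nil)` at the end of `main` is still discarded, so a failed bind (port already in use, for instance) lets the process fall off the end of main with no log line and a zero exit status. Wrapping the call as `log.Fatal(http.ListenAndServe(":8080", nil))` makes that failure visible; `log` is already used elsewhere in this file. The package-level helper also serves without read or write timeouts, which may be worth a follow-up with an explicit `http.Server` if this image is reachable outside test clusters. The body of main starts outside this hunk.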
@@ -172,14 +171,16 @@ func errorHandler(path, defaultFormat string) func(http.ResponseWriter, *http.Re } defer f.Close() log.Printf("serving custom error response for code %v and format %v from file %v", code, format, file) + w.WriteHeader(code) io.Copy(w, f) return } defer f.Close() log.Printf("serving custom error response for code %v and format %v from file %v", code, format, file) + w.WriteHeader(code) io.Copy(w, f) - duration := time.Now().Sub(start).Seconds() + duration := time.Since(start).Seconds() proto := strconv.Itoa(r.ProtoMajor) proto = fmt.Sprintf("%s.%s", proto, strconv.Itoa(r.ProtoMinor)) diff --git a/images/e2e-test-echo/EXTRAARGS b/images/e2e-test-echo/EXTRAARGS index 3db8aaa5c8..b7e0bb2283 100644 --- a/images/e2e-test-echo/EXTRAARGS +++ b/images/e2e-test-echo/EXTRAARGS @@ -1 +1 @@ ---build-arg LUAROCKS_VERSION=3.8.0 --build-arg LUAROCKS_SHA=ab6612ca9ab87c6984871d2712d05525775e8b50172701a0a1cabddf76de2be7 \ No newline at end of file +--build-arg LUAROCKS_VERSION=v3.12.2 --build-arg LUAROCKS_SHA=9c25fa7ab5017d60b25137ab1a4cb76e3185df1fe02df1f577f57d1a6b548a2a diff --git a/images/e2e-test-echo/TAG b/images/e2e-test-echo/TAG index c641220244..1db994be91 100644 --- a/images/e2e-test-echo/TAG +++ b/images/e2e-test-echo/TAG @@ -1 +1 @@ -v1.1.4 +v1.2.9 diff --git a/images/e2e-test-echo/rootfs/Dockerfile b/images/e2e-test-echo/rootfs/Dockerfile index eaa9198355..f35974a0ab 100644 --- a/images/e2e-test-echo/rootfs/Dockerfile +++ b/images/e2e-test-echo/rootfs/Dockerfile 
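Review bot: Both `io.Copy(w, f)` calls drop their error, and with `w.WriteHeader(code)` now sent immediately before them a failed or partial copy leaves a committed status with a truncated body and nothing in the log. Checking the result in both branches would surface it: `if _, err := io.Copy(w, f); err != nil { log.Printf("unexpected error writing response: %v", err) }`. The two branches also repeat the same log, WriteHeader and copy sequence, so a small helper would keep them in step the next time the order changes. The closure returned by errorHandler begins and ends outside this hunk.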
@@ -2,13 +2,13 @@ ARG BASE_IMAGE FROM ${BASE_IMAGE} -RUN apk update && apk upgrade && apk add -U --no-cache perl curl make unzip +RUN apk update && apk upgrade && apk add -U --no-cache perl curl make unzip wget ARG LUAROCKS_VERSION ARG LUAROCKS_SHA RUN wget -O /tmp/luarocks.tgz \ - https://github.com/luarocks/luarocks/archive/v${LUAROCKS_VERSION}.tar.gz \ + https://github.com/luarocks/luarocks/archive/${LUAROCKS_VERSION}.tar.gz \ && echo "${LUAROCKS_SHA} */tmp/luarocks.tgz" | sha256sum -c - \ && tar -C /tmp -xzf /tmp/luarocks.tgz \ && cd /tmp/luarocks* \ @@ -17,4 +17,4 @@ RUN wget -O /tmp/luarocks.tgz \ RUN luarocks install lua-resty-template -COPY nginx.conf /etc/nginx/nginx.conf \ No newline at end of file +COPY nginx.conf /etc/nginx/nginx.conf diff --git a/images/ext-auth-example-authsvc/TAG b/images/ext-auth-example-authsvc/TAG index c641220244..1db994be91 100644 --- a/images/ext-auth-example-authsvc/TAG +++ b/images/ext-auth-example-authsvc/TAG @@ -1 +1 @@ -v1.1.4 +v1.2.9 diff --git a/images/ext-auth-example-authsvc/rootfs/Dockerfile b/images/ext-auth-example-authsvc/rootfs/Dockerfile index dced61d99f..6d47c6ccf2 100644 --- a/images/ext-auth-example-authsvc/rootfs/Dockerfile +++ b/images/ext-auth-example-authsvc/rootfs/Dockerfile @@ -1,6 +1,6 @@ ARG GOLANG_VERSION -FROM golang:${GOLANG_VERSION}-alpine3.21 AS builder +FROM golang:${GOLANG_VERSION}-alpine3.23 AS builder RUN mkdir /authsvc WORKDIR /authsvc COPY . ./ diff --git a/images/ext-auth-example-authsvc/rootfs/go.mod b/images/ext-auth-example-authsvc/rootfs/go.mod index 0f6ce29c7f..46a6174228 100644 --- a/images/ext-auth-example-authsvc/rootfs/go.mod +++ b/images/ext-auth-example-authsvc/rootfs/go.mod @@ -1,7 +1,7 @@ module k8s.io/ingress-nginx/ext-auth-example-authsvc -go 1.24.3 +go 1.26.1 -require k8s.io/apimachinery v0.33.1 +require k8s.io/apimachinery v0.35.3 require github.com/google/uuid v1.6.0 // indirect 
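Review bot: Nothing next to `ARG LUAROCKS_VERSION` says that the value must now include the leading `v`, which the download URL no longer adds since it became `archive/${LUAROCKS_VERSION}.tar.gz`. A comment above the two ARG lines would keep EXTRAARGS and this Dockerfile in step, for example `# LUAROCKS_VERSION is the full git tag including the leading "v" (e.g. v3.12.2); LUAROCKS_SHA is the sha256 of that tag's archive tarball`. The `sha256sum -c` step is kept, so a wrong version or hash still fails the build instead of installing an unverified archive. Any other build invocation that still passes the bare number should be updated with this change.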
diff --git a/images/ext-auth-example-authsvc/rootfs/go.sum b/images/ext-auth-example-authsvc/rootfs/go.sum index 81b98923ca..eca96abc8e 100644 --- a/images/ext-auth-example-authsvc/rootfs/go.sum +++ b/images/ext-auth-example-authsvc/rootfs/go.sum @@ -1,4 +1,4 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -k8s.io/apimachinery v0.33.1 h1:mzqXWV8tW9Rw4VeW9rEkqvnxj59k1ezDUl20tFK/oM4= -k8s.io/apimachinery v0.33.1/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= +k8s.io/apimachinery v0.35.3 h1:MeaUwQCV3tjKP4bcwWGgZ/cp/vpsRnQzqO6J6tJyoF8= +k8s.io/apimachinery v0.35.3/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns= diff --git a/images/fastcgi-helloserver/TAG b/images/fastcgi-helloserver/TAG index c641220244..1db994be91 100644 --- a/images/fastcgi-helloserver/TAG +++ b/images/fastcgi-helloserver/TAG @@ -1 +1 @@ -v1.1.4 +v1.2.9 diff --git a/images/fastcgi-helloserver/rootfs/Dockerfile b/images/fastcgi-helloserver/rootfs/Dockerfile index 8f1e73248e..f6fb865b8e 100755 --- a/images/fastcgi-helloserver/rootfs/Dockerfile +++ b/images/fastcgi-helloserver/rootfs/Dockerfile @@ -13,7 +13,7 @@ # limitations under the License. ARG GOLANG_VERSION -FROM golang:${GOLANG_VERSION}-alpine3.21 AS builder +FROM golang:${GOLANG_VERSION}-alpine3.23 AS builder WORKDIR /go/src/k8s.io/ingress-nginx/images/fastcgi diff --git a/images/fastcgi-helloserver/rootfs/go.mod b/images/fastcgi-helloserver/rootfs/go.mod index f7749d93b5..783085b7dc 100644 --- a/images/fastcgi-helloserver/rootfs/go.mod +++ b/images/fastcgi-helloserver/rootfs/go.mod @@ -1,3 +1,3 @@ module k8s.io/ingress-nginx/fastcgi-helloserver -go 1.24.3 +go 1.26.1 diff --git a/images/go-grpc-greeter-server/TAG b/images/go-grpc-greeter-server/TAG index c641220244..1db994be91 100644 --- a/images/go-grpc-greeter-server/TAG +++ b/images/go-grpc-greeter-server/TAG @@ -1 +1 @@ -v1.1.4 +v1.2.9 
diff --git a/images/go-grpc-greeter-server/rootfs/Dockerfile b/images/go-grpc-greeter-server/rootfs/Dockerfile index a3b59fc2be..4320151545 100644 --- a/images/go-grpc-greeter-server/rootfs/Dockerfile +++ b/images/go-grpc-greeter-server/rootfs/Dockerfile @@ -1,6 +1,6 @@ ARG GOLANG_VERSION -FROM golang:${GOLANG_VERSION}-alpine3.21 AS build +FROM golang:${GOLANG_VERSION}-alpine3.23 AS build WORKDIR /go/src/greeter-server diff --git a/images/go-grpc-greeter-server/rootfs/go.mod b/images/go-grpc-greeter-server/rootfs/go.mod index bcf224d447..770b4f00bb 100644 --- a/images/go-grpc-greeter-server/rootfs/go.mod +++ b/images/go-grpc-greeter-server/rootfs/go.mod @@ -1,17 +1,16 @@ module k8s.io/ingress-nginx/go-grpc-greeter-server -go 1.24.3 +go 1.26.1 require ( - google.golang.org/grpc v1.72.2 - google.golang.org/grpc/examples v0.0.0-20250526155028-4cab0e6dc6e7 + google.golang.org/grpc v1.79.3 + google.golang.org/grpc/examples v0.0.0-20260318074645-12e91ddb6df6 ) require ( - github.com/google/go-cmp v0.7.0 // indirect - golang.org/x/net v0.40.0 // indirect - golang.org/x/sys v0.33.0 // indirect - golang.org/x/text v0.25.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect - google.golang.org/protobuf v1.36.6 // indirect + golang.org/x/net v0.52.0 // indirect + golang.org/x/sys v0.42.0 // indirect + golang.org/x/text v0.35.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20260316180232-0b37fe3546d5 // indirect + google.golang.org/protobuf v1.36.11 // indirect ) diff --git a/images/go-grpc-greeter-server/rootfs/go.sum b/images/go-grpc-greeter-server/rootfs/go.sum index c7071ed659..a7c74470ef 100644 --- a/images/go-grpc-greeter-server/rootfs/go.sum +++ b/images/go-grpc-greeter-server/rootfs/go.sum 
@@ -1,5 +1,7 @@ -github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= -github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= +github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= 
@@ -8,29 +10,31 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= -go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= -go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ= -go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y= -go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M= -go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE= -go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY= -go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg= -go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o= -go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w= -go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs= -go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc= -golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY= -golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds= -golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= -golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= -golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4= -golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 
h1:cJfm9zPbe1e873mHJzmQ1nwVEeRDU/T1wXDK2kUSU34= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A= -google.golang.org/grpc v1.72.2 h1:TdbGzwb82ty4OusHWepvFWGLgIbNo1/SUynEN0ssqv8= -google.golang.org/grpc v1.72.2/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM= -google.golang.org/grpc/examples v0.0.0-20250526155028-4cab0e6dc6e7 h1:qmTRTvUbC4g5DBQbWBBaK8fZfUH0nV7F0Vr0MfLr2Lw= -google.golang.org/grpc/examples v0.0.0-20250526155028-4cab0e6dc6e7/go.mod h1:tVWJxR8lMn4AFXavKgoU/QtZvQ+E6K1HNS6Q/FuqMxc= -google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY= -google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= +go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= +go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= +go.opentelemetry.io/otel v1.42.0 h1:lSQGzTgVR3+sgJDAU/7/ZMjN9Z+vUip7leaqBKy4sho= +go.opentelemetry.io/otel v1.42.0/go.mod h1:lJNsdRMxCUIWuMlVJWzecSMuNjE7dOYyWlqOXWkdqCc= +go.opentelemetry.io/otel/metric v1.42.0 h1:2jXG+3oZLNXEPfNmnpxKDeZsFI5o4J+nz6xUlaFdF/4= +go.opentelemetry.io/otel/metric v1.42.0/go.mod h1:RlUN/7vTU7Ao/diDkEpQpnz3/92J9ko05BIwxYa2SSI= +go.opentelemetry.io/otel/sdk v1.42.0 h1:LyC8+jqk6UJwdrI/8VydAq/hvkFKNHZVIWuslJXYsDo= +go.opentelemetry.io/otel/sdk v1.42.0/go.mod h1:rGHCAxd9DAph0joO4W6OPwxjNTYWghRWmkHuGbayMts= +go.opentelemetry.io/otel/sdk/metric v1.42.0 h1:D/1QR46Clz6ajyZ3G8SgNlTJKBdGp84q9RKCAZ3YGuA= +go.opentelemetry.io/otel/sdk/metric v1.42.0/go.mod h1:Ua6AAlDKdZ7tdvaQKfSmnFTdHx37+J4ba8MwVCYM5hc= +go.opentelemetry.io/otel/trace v1.42.0 h1:OUCgIPt+mzOnaUTpOQcBiM/PLQ/Op7oq6g4LenLmOYY= +go.opentelemetry.io/otel/trace v1.42.0/go.mod h1:f3K9S+IFqnumBkKhRJMeaZeNk9epyhnCmQh/EysQCdc= +golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0= +golang.org/x/net v0.52.0/go.mod 
h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw= +golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= +golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= +golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8= +golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA= +gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= +gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260316180232-0b37fe3546d5 h1:aJmi6DVGGIStN9Mobk/tZOOQUBbj0BPjZjjnOdoZKts= +google.golang.org/genproto/googleapis/rpc v0.0.0-20260316180232-0b37fe3546d5/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= +google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE= +google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ= +google.golang.org/grpc/examples v0.0.0-20260318074645-12e91ddb6df6 h1:T2BRvEuhGb8xbZd+QoV/hJ10tyclSbzVaRnxWJVqLvk= +google.golang.org/grpc/examples v0.0.0-20260318074645-12e91ddb6df6/go.mod h1:j/6+OA1GHt8bu2ZkJxLWufKDhhYor5yjGCLKBDUf9GI= +google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= +google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= diff --git a/images/httpbun/TAG b/images/httpbun/TAG index c641220244..1db994be91 100644 --- a/images/httpbun/TAG +++ b/images/httpbun/TAG @@ -1 +1 @@ -v1.1.4 +v1.2.9 diff --git a/images/kube-webhook-certgen/TAG b/images/kube-webhook-certgen/TAG index f074f24d22..62f6ecd02c 100644 --- a/images/kube-webhook-certgen/TAG +++ b/images/kube-webhook-certgen/TAG @@ -1 +1 @@ -v1.5.4 +v1.6.9 diff --git a/images/kube-webhook-certgen/rootfs/go.mod b/images/kube-webhook-certgen/rootfs/go.mod index 0e427d435c..3aa6cd23d8 100644 --- a/images/kube-webhook-certgen/rootfs/go.mod +++ b/images/kube-webhook-certgen/rootfs/go.mod 
@@ -1,56 +1,64 @@ module github.com/jet/kube-webhook-certgen -go 1.24.3 +go 1.26.1 require ( github.com/onrik/logrus v0.11.0 - github.com/sirupsen/logrus v1.9.3 - github.com/spf13/cobra v1.9.1 - k8s.io/api v0.33.1 - k8s.io/apimachinery v0.33.1 - k8s.io/client-go v0.33.1 - k8s.io/kube-aggregator v0.33.1 + github.com/sirupsen/logrus v1.9.4 + github.com/spf13/cobra v1.10.2 + k8s.io/api v0.35.3 + k8s.io/apimachinery v0.35.3 + k8s.io/client-go v0.35.3 + k8s.io/kube-aggregator v0.35.3 ) require ( github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect - github.com/emicklei/go-restful/v3 v3.12.2 // indirect - github.com/fxamacker/cbor/v2 v2.8.0 // indirect - github.com/go-logr/logr v1.4.2 // indirect - github.com/go-openapi/jsonpointer v0.21.1 // indirect - github.com/go-openapi/jsonreference v0.21.0 // indirect - github.com/go-openapi/swag v0.23.1 // indirect - github.com/gogo/protobuf v1.3.2 // indirect - github.com/google/gnostic-models v0.6.9 // indirect - github.com/google/go-cmp v0.7.0 // indirect + github.com/emicklei/go-restful/v3 v3.13.0 // indirect + github.com/fxamacker/cbor/v2 v2.9.0 // indirect + github.com/go-logr/logr v1.4.3 // indirect + github.com/go-openapi/jsonpointer v0.22.5 // indirect + github.com/go-openapi/jsonreference v0.21.5 // indirect + github.com/go-openapi/swag v0.25.5 // indirect + github.com/go-openapi/swag/cmdutils v0.25.5 // indirect + github.com/go-openapi/swag/conv v0.25.5 // indirect + github.com/go-openapi/swag/fileutils v0.25.5 // indirect + github.com/go-openapi/swag/jsonname v0.25.5 // indirect + github.com/go-openapi/swag/jsonutils v0.25.5 // indirect + github.com/go-openapi/swag/loading v0.25.5 // indirect + github.com/go-openapi/swag/mangling v0.25.5 // indirect + github.com/go-openapi/swag/netutils v0.25.5 // indirect + github.com/go-openapi/swag/stringutils v0.25.5 // indirect + github.com/go-openapi/swag/typeutils v0.25.5 // indirect + github.com/go-openapi/swag/yamlutils v0.25.5 // indirect + 
github.com/google/gnostic-models v0.7.1 // indirect github.com/google/uuid v1.6.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect - github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/mailru/easyjson v0.9.0 // indirect + github.com/kr/text v0.2.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect - github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect - github.com/onsi/ginkgo/v2 v2.23.4 // indirect - github.com/onsi/gomega v1.36.3 // indirect - github.com/pkg/errors v0.9.1 // indirect - github.com/spf13/pflag v1.0.6 // indirect + github.com/spf13/pflag v1.0.10 // indirect + github.com/tidwall/gjson v1.18.0 // indirect + github.com/tidwall/pretty v1.2.1 // indirect github.com/x448/float16 v0.8.4 // indirect - golang.org/x/net v0.40.0 // indirect - golang.org/x/oauth2 v0.30.0 // indirect - golang.org/x/sys v0.33.0 // indirect - golang.org/x/term v0.32.0 // indirect - golang.org/x/text v0.25.0 // indirect - golang.org/x/time v0.11.0 // indirect - google.golang.org/protobuf v1.36.6 // indirect - gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect + go.yaml.in/yaml/v2 v2.4.4 // indirect + go.yaml.in/yaml/v3 v3.0.4 // indirect + golang.org/x/net v0.52.0 // indirect + golang.org/x/oauth2 v0.36.0 // indirect + golang.org/x/sys v0.42.0 // indirect + golang.org/x/term v0.41.0 // indirect + golang.org/x/text v0.35.0 // indirect + golang.org/x/time v0.15.0 // indirect + google.golang.org/protobuf v1.36.11 // indirect + gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect - gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/klog/v2 v2.130.1 // indirect - k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect - k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979 // indirect - 
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect + k8s.io/klog/v2 v2.140.0 // indirect + k8s.io/kube-openapi v0.0.0-20260319004828-5883c5ee87b9 // indirect + k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 // indirect + sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect sigs.k8s.io/randfill v1.0.0 // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect - sigs.k8s.io/yaml v1.4.0 // indirect + sigs.k8s.io/structured-merge-diff/v6 v6.3.2 // indirect + sigs.k8s.io/yaml v1.6.0 // indirect ) diff --git a/images/kube-webhook-certgen/rootfs/go.sum b/images/kube-webhook-certgen/rootfs/go.sum index 5defb14a46..425eb45bae 100644 --- a/images/kube-webhook-certgen/rootfs/go.sum +++ b/images/kube-webhook-certgen/rootfs/go.sum 
@@ -1,165 +1,147 @@ github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU= -github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU= -github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= -github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= -github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= -github.com/go-openapi/jsonpointer v0.21.1 h1:whnzv/pNXtK2FbX/W9yJfRmE2gsmkfahjMKB0fZvcic= -github.com/go-openapi/jsonpointer v0.21.1/go.mod h1:50I1STOfbY1ycR8jGz8DaMeLCdXiI6aDteEdRNNzpdk= -github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= -github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= -github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZU= -github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0= -github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= -github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= -github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= -github.com/gogo/protobuf 
v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= -github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= -github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes= +github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM= +github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= +github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= +github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-openapi/jsonpointer v0.22.5 h1:8on/0Yp4uTb9f4XvTrM2+1CPrV05QPZXu+rvu2o9jcA= +github.com/go-openapi/jsonpointer v0.22.5/go.mod h1:gyUR3sCvGSWchA2sUBJGluYMbe1zazrYWIkWPjjMUY0= +github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe+pJyVWRdiE= +github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw= +github.com/go-openapi/swag v0.25.5 h1:pNkwbUEeGwMtcgxDr+2GBPAk4kT+kJ+AaB+TMKAg+TU= +github.com/go-openapi/swag v0.25.5/go.mod h1:B3RT6l8q7X803JRxa2e59tHOiZlX1t8viplOcs9CwTA= +github.com/go-openapi/swag/cmdutils v0.25.5 h1:yh5hHrpgsw4NwM9KAEtaDTXILYzdXh/I8Whhx9hKj7c= +github.com/go-openapi/swag/cmdutils v0.25.5/go.mod h1:pdae/AFo6WxLl5L0rq87eRzVPm/XRHM3MoYgRMvG4A0= +github.com/go-openapi/swag/conv v0.25.5 h1:wAXBYEXJjoKwE5+vc9YHhpQOFj2JYBMF2DUi+tGu97g= +github.com/go-openapi/swag/conv v0.25.5/go.mod h1:CuJ1eWvh1c4ORKx7unQnFGyvBbNlRKbnRyAvDvzWA4k= +github.com/go-openapi/swag/fileutils v0.25.5 h1:B6JTdOcs2c0dBIs9HnkyTW+5gC+8NIhVBUwERkFhMWk= +github.com/go-openapi/swag/fileutils v0.25.5/go.mod h1:V3cT9UdMQIaH4WiTrUc9EPtVA4txS0TOmRURmhGF4kc= 
+github.com/go-openapi/swag/jsonname v0.25.5 h1:8p150i44rv/Drip4vWI3kGi9+4W9TdI3US3uUYSFhSo= +github.com/go-openapi/swag/jsonname v0.25.5/go.mod h1:jNqqikyiAK56uS7n8sLkdaNY/uq6+D2m2LANat09pKU= +github.com/go-openapi/swag/jsonutils v0.25.5 h1:XUZF8awQr75MXeC+/iaw5usY/iM7nXPDwdG3Jbl9vYo= +github.com/go-openapi/swag/jsonutils v0.25.5/go.mod h1:48FXUaz8YsDAA9s5AnaUvAmry1UcLcNVWUjY42XkrN4= +github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.5 h1:SX6sE4FrGb4sEnnxbFL/25yZBb5Hcg1inLeErd86Y1U= +github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.5/go.mod h1:/2KvOTrKWjVA5Xli3DZWdMCZDzz3uV/T7bXwrKWPquo= +github.com/go-openapi/swag/loading v0.25.5 h1:odQ/umlIZ1ZVRteI6ckSrvP6e2w9UTF5qgNdemJHjuU= +github.com/go-openapi/swag/loading v0.25.5/go.mod h1:I8A8RaaQ4DApxhPSWLNYWh9NvmX2YKMoB9nwvv6oW6g= +github.com/go-openapi/swag/mangling v0.25.5 h1:hyrnvbQRS7vKePQPHHDso+k6CGn5ZBs5232UqWZmJZw= +github.com/go-openapi/swag/mangling v0.25.5/go.mod h1:6hadXM/o312N/h98RwByLg088U61TPGiltQn71Iw0NY= +github.com/go-openapi/swag/netutils v0.25.5 h1:LZq2Xc2QI8+7838elRAaPCeqJnHODfSyOa7ZGfxDKlU= +github.com/go-openapi/swag/netutils v0.25.5/go.mod h1:lHbtmj4m57APG/8H7ZcMMSWzNqIQcu0RFiXrPUara14= +github.com/go-openapi/swag/stringutils v0.25.5 h1:NVkoDOA8YBgtAR/zvCx5rhJKtZF3IzXcDdwOsYzrB6M= +github.com/go-openapi/swag/stringutils v0.25.5/go.mod h1:PKK8EZdu4QJq8iezt17HM8RXnLAzY7gW0O1KKarrZII= +github.com/go-openapi/swag/typeutils v0.25.5 h1:EFJ+PCga2HfHGdo8s8VJXEVbeXRCYwzzr9u4rJk7L7E= +github.com/go-openapi/swag/typeutils v0.25.5/go.mod h1:itmFmScAYE1bSD8C4rS0W+0InZUBrB2xSPbWt6DLGuc= +github.com/go-openapi/swag/yamlutils v0.25.5 h1:kASCIS+oIeoc55j28T4o8KwlV2S4ZLPT6G0iq2SSbVQ= +github.com/go-openapi/swag/yamlutils v0.25.5/go.mod h1:Gek1/SjjfbYvM+Iq4QGwa/2lEXde9n2j4a3wI3pNuOQ= +github.com/go-openapi/testify/enable/yaml/v2 v2.4.0 h1:7SgOMTvJkM8yWrQlU8Jm18VeDPuAvB/xWrdxFJkoFag= +github.com/go-openapi/testify/enable/yaml/v2 v2.4.0/go.mod h1:14iV8jyyQlinc9StD7w1xVPW3CO3q1Gj04Jy//Kw4VM= 
+github.com/go-openapi/testify/v2 v2.4.0 h1:8nsPrHVCWkQ4p8h1EsRVymA2XABB4OT40gcvAu+voFM= +github.com/go-openapi/testify/v2 v2.4.0/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54= +github.com/google/gnostic-models v0.7.1 h1:SisTfuFKJSKM5CPZkffwi6coztzzeYUhc3v4yxLWH8c= +github.com/google/gnostic-models v0.7.1/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8= -github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= -github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= -github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= -github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod 
h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= -github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onrik/logrus v0.11.0 h1:pu+BCaWL36t0yQaj/2UHK2erf88dwssAKOT51mxPUVs= github.com/onrik/logrus v0.11.0/go.mod h1:fO2vlZwIdti6PidD3gV5YKt9Lq5ptpnP293RAe1ITwk= -github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus= -github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8= -github.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU= -github.com/onsi/gomega v1.36.3/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0= -github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= -github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= +github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= +github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= -github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= -github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= -github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= -github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w= +github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g= +github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU= +github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4= +github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk= +github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= -github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -github.com/tidwall/gjson v1.14.4 h1:uo0p8EbA09J7RQaflQ1aBRffTR7xedD2bcIVSYxLnkM= -github.com/tidwall/gjson v1.14.4/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= +github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= +github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= +github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY= +github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= -github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= +github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4= +github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= -github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= -go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod 
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY= -golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds= -golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= -golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= -golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= -golang.org/x/term 
v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg= -golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4= -golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA= -golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0= -golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU= -golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY= -google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY= +go.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ= +go.yaml.in/yaml/v2 v2.4.4/go.mod h1:gMZqIpDtDqOfM0uNfy0SkpRhvUryYH0Z6wdMYcacYXQ= 
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= +go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= +golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0= +golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw= +golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs= +golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q= +golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= +golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= +golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU= +golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A= +golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8= +golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA= +golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U= +golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno= +google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= +google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= -gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= +gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo= +gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/inf.v0 v0.9.1 
h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.33.1 h1:tA6Cf3bHnLIrUK4IqEgb2v++/GYUtqiu9sRVk3iBXyw= -k8s.io/api v0.33.1/go.mod h1:87esjTn9DRSRTD4fWMXamiXxJhpOIREjWOSjsW1kEHw= -k8s.io/apimachinery v0.33.1 h1:mzqXWV8tW9Rw4VeW9rEkqvnxj59k1ezDUl20tFK/oM4= -k8s.io/apimachinery v0.33.1/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= -k8s.io/client-go v0.33.1 h1:ZZV/Ks2g92cyxWkRRnfUDsnhNn28eFpt26aGc8KbXF4= -k8s.io/client-go v0.33.1/go.mod h1:JAsUrl1ArO7uRVFWfcj6kOomSlCv+JpvIsp6usAGefA= -k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= -k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-aggregator v0.33.1 h1:PigQUqAvd6Y4hBjQAqhKz3lEJC2VHLL4bSOEuS06a40= -k8s.io/kube-aggregator v0.33.1/go.mod h1:16/wlU5Lj7hNJSv7JSu5FLvxyrgiJVLCHzfVoECAsuI= -k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4= -k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8= -k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979 h1:jgJW5IePPXLGB8e/1wvd0Ich9QE97RvvF3a8J3fP/Lg= -k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= -sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= -sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= +k8s.io/api v0.35.3 h1:pA2fiBc6+N9PDf7SAiluKGEBuScsTzd2uYBkA5RzNWQ= +k8s.io/api v0.35.3/go.mod 
h1:9Y9tkBcFwKNq2sxwZTQh1Njh9qHl81D0As56tu42GA4= +k8s.io/apimachinery v0.35.3 h1:MeaUwQCV3tjKP4bcwWGgZ/cp/vpsRnQzqO6J6tJyoF8= +k8s.io/apimachinery v0.35.3/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns= +k8s.io/client-go v0.35.3 h1:s1lZbpN4uI6IxeTM2cpdtrwHcSOBML1ODNTCCfsP1pg= +k8s.io/client-go v0.35.3/go.mod h1:RzoXkc0mzpWIDvBrRnD+VlfXP+lRzqQjCmKtiwZ8Q9c= +k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc= +k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0= +k8s.io/kube-aggregator v0.35.3 h1:erIo8Dfapd0Fg44XAbgCNioJMtr3Z5mI/G1PSpj9B7Q= +k8s.io/kube-aggregator v0.35.3/go.mod h1:lOLyWTEuiKT2kS/Wkj0foq+P+Xt4gs/xkrhz2r33lAQ= +k8s.io/kube-openapi v0.0.0-20260319004828-5883c5ee87b9 h1:Sztf7ESG9tAXRW/ACJZjrj5jhdOUqS2KFRQT+CTvu78= +k8s.io/kube-openapi v0.0.0-20260319004828-5883c5ee87b9/go.mod h1:uGBT7iTA6c6MvqUvSXIaYZo9ukscABYi2btjhvgKGZ0= +k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 h1:AZYQSJemyQB5eRxqcPky+/7EdBj0xi3g0ZcxxJ7vbWU= +k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk= +sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= +sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= -sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI= -sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps= -sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= -sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= +sigs.k8s.io/structured-merge-diff/v6 v6.3.2 h1:kwVWMx5yS1CrnFWA/2QHyRVJ8jM6dBA80uLmm0wJkk8= +sigs.k8s.io/structured-merge-diff/v6 v6.3.2/go.mod 
h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= +sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= +sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= diff --git a/images/nginx/TAG b/images/nginx/TAG index 826e142463..2a644933f0 100644 --- a/images/nginx/TAG +++ b/images/nginx/TAG @@ -1 +1 @@ -v2.1.1 +v2.2.9 diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile index 8f6bab1379..5cbce6139e 100644 --- a/images/nginx/rootfs/Dockerfile +++ b/images/nginx/rootfs/Dockerfile @@ -11,7 +11,7 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.21 AS builder +FROM alpine:3.23.3 AS builder COPY . / @@ -21,7 +21,7 @@ RUN apk update \ && /build.sh # Use a multi-stage build -FROM alpine:3.21 +FROM alpine:3.23.3 ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index 2e1a8fafe4..bdf6eb03ee 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh 
@@ -32,20 +32,20 @@ export MORE_HEADERS_VERSION=v0.37 # Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...master export NGINX_DIGEST_AUTH=v1.0.0 -# Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.3...master -export MODSECURITY_VERSION=v1.0.3 +# Check for recent changes: https://github.com/owasp-modsecurity/ModSecurity-nginx/compare/v1.0.4...master +export MODSECURITY_VERSION=v1.0.4 -# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.14...v3/master +# Check for recent changes: https://github.com/owasp-modsecurity/ModSecurity/compare/v3.0.14...v3/master export MODSECURITY_LIB_VERSION=v3.0.14 -# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v4.10.0...main -export OWASP_MODSECURITY_CRS_VERSION=v4.10.0 +# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v4.22.0...main +export OWASP_MODSECURITY_CRS_VERSION=v4.22.0 -# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.27...master -export LUA_NGX_VERSION=v0.10.27 +# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.28...master +export LUA_NGX_VERSION=v0.10.28 -# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.15...master -export LUA_STREAM_NGX_VERSION=v0.0.15 +# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.16...master +export LUA_STREAM_NGX_VERSION=v0.0.16 # Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/v0.07...master export LUA_UPSTREAM_VERSION=v0.07 
@@ -56,8 +56,8 @@ export LUA_CJSON_VERSION=2.1.0.14 # Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/445df24ef3781e488cee3dfe8a1e111997fc1dfe...master export GEOIP2_VERSION=445df24ef3781e488cee3dfe8a1e111997fc1dfe -# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20240815...v2.1-agentzh -export LUAJIT_VERSION=v2.1-20240815 +# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20250117...v2.1-agentzh +export LUAJIT_VERSION=v2.1-20250117 # Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/v0.05...master export LUA_RESTY_BALANCER=v0.05 @@ -65,8 +65,8 @@ export LUA_RESTY_BALANCER=v0.05 # Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/v0.15...master export LUA_RESTY_CACHE=v0.15 -# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.30...master -export LUA_RESTY_CORE=v0.1.30 +# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.31...master +export LUA_RESTY_CORE=v0.1.31 # Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/f418d77082eaef48331302e84330488fdc810ef4...master export LUA_RESTY_COOKIE_VERSION=f418d77082eaef48331302e84330488fdc810ef4 
@@ -95,17 +95,17 @@ export LUA_RESTY_REDIS_VERSION=v0.31 # Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/3e93c53eb8c9884efe939ef070486a0e507cc5be...master export LUA_RESTY_IPMATCHER_VERSION=3e93c53eb8c9884efe939ef070486a0e507cc5be -# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.1.9...master -export MIMALOC_VERSION=v2.1.9 +# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.2.4...main +export MIMALOC_VERSION=v2.2.4 -# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.18.0...main -export OPENTELEMETRY_CPP_VERSION=v1.18.0 +# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.19.0...main +export OPENTELEMETRY_CPP_VERSION=v1.19.0 # Check for recent changes: https://github.com/open-telemetry/opentelemetry-proto/compare/v1.5.0...main export OPENTELEMETRY_PROTO_VERSION=v1.5.0 -# Check for recent changes: https://github.com/nginx/njs/compare/0.8.10...master -export NJS_VERSION=0.8.10 +# Check for recent changes: https://github.com/nginx/njs/compare/0.9.0...master +export NJS_VERSION=0.9.0 export BUILD_PATH=/tmp/build @@ -211,7 +211,7 @@ get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \ "https://github.com/atomx/nginx-http-auth-digest/archive/$NGINX_DIGEST_AUTH.tar.gz" "nginx-http-auth-digest" get_src 32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b \ - "https://github.com/SpiderLabs/ModSecurity-nginx/archive/$MODSECURITY_VERSION.tar.gz" "ModSecurity-nginx" + "https://github.com/owasp-modsecurity/ModSecurity-nginx/archive/$MODSECURITY_VERSION.tar.gz" "ModSecurity-nginx" get_src bc764db42830aeaf74755754b900253c233ad57498debe7a441cee2c6f4b07c2 \ "https://github.com/openresty/lua-nginx-module/archive/$LUA_NGX_VERSION.tar.gz" "lua-nginx-module" 
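Review bot: The SHA-256 arguments to `get_src` for ModSecurity-nginx (`32a42256…`) and lua-nginx-module (`bc764db4…`) are unchanged context lines in the `@@ -211,7` hunk, although `MODSECURITY_VERSION` and `LUA_NGX_VERSION` are both bumped earlier in this file and the ModSecurity-nginx archive now comes from a different GitHub organisation. A tarball for a new tag will not have the old digest, so either `get_src` enforces the hash and these downloads fail, or it does not and the pinned values give no integrity guarantee for the new sources. `get_src` is defined outside the hunk, so which case applies cannot be told from here. Recompute each digest from a verified copy of the new archive and update it in the same commit as the bump, e.g. `get_src <SHA256_OF_NEW_TARBALL> \`. The other archives bumped in this file (CRS, stream-lua, luajit2, lua-resty-core, mimalloc, opentelemetry-cpp, njs) need the same check if their `get_src` lines were also left untouched.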
@@ -336,7 +336,7 @@ make install # build modsecurity library cd "$BUILD_PATH" -git clone -n https://github.com/SpiderLabs/ModSecurity +git clone -n https://github.com/owasp-modsecurity/ModSecurity cd ModSecurity/ git checkout $MODSECURITY_LIB_VERSION git submodule init @@ -344,10 +344,20 @@ git submodule update sh build.sh -# https://github.com/SpiderLabs/ModSecurity/issues/1909#issuecomment-465926762 +# https://github.com/owasp-modsecurity/ModSecurity/issues/1909#issuecomment-465926762 sed -i '115i LUA_CFLAGS="${LUA_CFLAGS} -DWITH_LUA_JIT_2_1"' build/lua.m4 sed -i '117i AC_SUBST(LUA_CFLAGS)' build/lua.m4 +# +# As of Alpine v3.23.0, building ModSecurity fails with: +# +# headers/modsecurity/collection/collection.h:x:x: error: 'int32_t' has not been declared +# headers/modsecurity/collection/collection.h:x:x: note: 'int32_t' is defined in header ''; this is probably fixable by adding '#include ' +# +# Sadly this has not been fixed upstream, yet, so we manually patch it here. +# +sed -i '24i #include ' headers/modsecurity/collection/collection.h + ./configure \ --disable-doxygen-doc \ --disable-doxygen-html \ 
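Review bot: The clone in the `@@ -336,7` hunk now pulls from a different organisation, but the revision is still selected by tag name (`git checkout $MODSECURITY_LIB_VERSION`, i.e. `v3.0.14`), and a tag can be moved by whoever controls the repository. Pinning the library to a full commit id would make the build reproducible and independent of tag changes, for example `git checkout <MODSECURITY_LIB_COMMIT_SHA>  # v3.0.14`. Quoting the variable (`"$MODSECURITY_LIB_VERSION"`) is a cheap hardening either way. The submodule steps continue outside this hunk.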
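Review bot: The new `sed -i '24i #include …'` in the `@@ -344,10` hunk inserts by absolute line number, so it will land in the wrong place as soon as `collection.h` changes upstream, and nothing checks that the include was actually added. As rendered on this page the `#include` has no header name; presumably `<cstdint>` was lost in rendering, which should be confirmed against the real file. A guard makes the step idempotent: `grep -q '#include <cstdint>' headers/modsecurity/collection/collection.h || sed -i '24i #include <cstdint>' headers/modsecurity/collection/collection.h`, followed by a second `grep -q … || exit 1` so the build aborts if the line is still missing. The comment should also link the upstream issue or pull request so the workaround can be removed once it is fixed there.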
@@ -410,21 +420,6 @@ Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf " > /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf -# NGINX compiles a small test program to check if an added module works as expected. -# -# ModSecurity-nginx provides 'printf("hello");' as a test, but newer versions of GCC, -# as included in Alpine 3.21, do not allow implicit declaration of function 'printf': -# -# objs/autotest.c:7:5: error: implicit declaration of function 'printf' [-Wimplicit-function-declaration] -# -# For this reason we replace 'printf("hello");' by 'msc_init();', which is always available. -# -# This fix is taken from a PR, that has been proposed to the ModSecurity-nginx project: -# -# https://github.com/owasp-modsecurity/ModSecurity-nginx/pull/275 -# -sed -i "s/ngx_feature_test='printf(\"hello\");'/ngx_feature_test='msc_init();'/" $BUILD_PATH/ModSecurity-nginx/config - # build nginx cd "$BUILD_PATH/nginx-$NGINX_VERSION" @@ -601,7 +596,8 @@ cd "$BUILD_PATH/mimalloc" mkdir -p out/release cd out/release -cmake ../.. +# See this issue for why we disable architecture specific optimizations: https://github.com/kubernetes/ingress-nginx/issues/13608. +cmake -DMI_NO_OPT_ARCH=ON ../.. make make install diff --git a/images/nginx/rootfs/patches/05_nginx-1.27.1-stream_ssl_preread_no_skip.patch b/images/nginx/rootfs/patches/05_nginx-1.27.1-stream_ssl_preread_no_skip.patch index e45e9f69a7..b4fc7d67f8 100644 --- a/images/nginx/rootfs/patches/05_nginx-1.27.1-stream_ssl_preread_no_skip.patch +++ b/images/nginx/rootfs/patches/05_nginx-1.27.1-stream_ssl_preread_no_skip.patch @@ -1,10 +1,15 @@ diff --git a/src/stream/ngx_stream_ssl_preread_module.c b/src/stream/ngx_stream_ssl_preread_module.c -index e3d11fd9..3717b5fe 100644 +index 3fc83ff2f..7e65d65be 100644 --- a/src/stream/ngx_stream_ssl_preread_module.c 
+++ b/src/stream/ngx_stream_ssl_preread_module.c -@@ -159,7 +159,7 @@ ngx_stream_ssl_preread_handler(ngx_stream_session_t *s) +@@ -190,11 +190,11 @@ ngx_stream_ssl_preread_handler(ngx_stream_session_t *s) + } + + if (rc == NGX_OK) { +- return ngx_stream_ssl_preread_servername(s, &ctx->host); ++ rc = ngx_stream_ssl_preread_servername(s, &ctx->host); + } - rc = ngx_stream_ssl_preread_parse_record(ctx, p, p + len); if (rc != NGX_AGAIN) { - return rc; + return rc == NGX_OK ? NGX_DECLINED : rc; diff --git a/images/nginx/rootfs/patches/28_nginx-1.27.1-CVE-2025-23419.patch b/images/nginx/rootfs/patches/28_nginx-1.27.1-CVE-2025-23419.patch new file mode 100644 index 0000000000..dc692bfb9e --- /dev/null +++ b/images/nginx/rootfs/patches/28_nginx-1.27.1-CVE-2025-23419.patch 
@@ -0,0 +1,87 @@ +diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c +index 3cca57cf5..9593b7fb5 100644 +--- a/src/http/ngx_http_request.c ++++ b/src/http/ngx_http_request.c +@@ -932,6 +932,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) + goto done; + } + ++ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module); ++ ++#if (defined TLS1_3_VERSION \ ++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL) ++ ++ /* ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, ++ * but servername being negotiated in every TLSv1.3 handshake ++ * is only returned in OpenSSL 1.1.1+ as well ++ */ ++ ++ if (sscf->verify) { ++ const char *hostname; ++ ++ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); ++ ++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) { ++ c->ssl->handshake_rejected = 1; ++ *ad = SSL_AD_ACCESS_DENIED; ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ } ++ ++#endif ++ + hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); + if (hc->ssl_servername == NULL) { + goto error; +@@ -945,8 +970,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) + + ngx_set_connection_log(c, clcf->error_log); + +- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); +- + c->ssl->buffer_size = sscf->buffer_size; + + if (sscf->ssl.ctx) { +diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c +index ba444776a..6dee106de 100644 +--- a/src/stream/ngx_stream_ssl_module.c ++++ b/src/stream/ngx_stream_ssl_module.c +@@ -521,12 +521,35 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) + goto done; + } + ++ sscf = ngx_stream_get_module_srv_conf(cscf->ctx, ngx_stream_ssl_module); ++ ++#if (defined TLS1_3_VERSION \ ++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL) ++ ++ /* ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, ++ * but 
servername being negotiated in every TLSv1.3 handshake ++ * is only returned in OpenSSL 1.1.1+ as well ++ */ ++ ++ if (sscf->verify) { ++ const char *hostname; ++ ++ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); ++ ++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) { ++ c->ssl->handshake_rejected = 1; ++ *ad = SSL_AD_ACCESS_DENIED; ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ } ++ ++#endif ++ + s->srv_conf = cscf->ctx->srv_conf; + + ngx_set_connection_log(c, cscf->error_log); + +- sscf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); +- + if (sscf->ssl.ctx) { + if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) { + goto error; diff --git a/images/nginx/rootfs/patches/28_nginx-1.27.1-upstream_timeout_fields.patch b/images/nginx/rootfs/patches/29_nginx-1.27.1-upstream_timeout_fields.patch similarity index 100% rename from images/nginx/rootfs/patches/28_nginx-1.27.1-upstream_timeout_fields.patch rename to images/nginx/rootfs/patches/29_nginx-1.27.1-upstream_timeout_fields.patch diff --git a/images/nginx/rootfs/patches/29_nginx-1.27.1-safe_resolver_ipv6_option.patch b/images/nginx/rootfs/patches/30_nginx-1.27.1-safe_resolver_ipv6_option.patch similarity index 100% rename from images/nginx/rootfs/patches/29_nginx-1.27.1-safe_resolver_ipv6_option.patch rename to images/nginx/rootfs/patches/30_nginx-1.27.1-safe_resolver_ipv6_option.patch diff --git a/images/nginx/rootfs/patches/30_nginx-1.27.1-socket_cloexec.patch b/images/nginx/rootfs/patches/31_nginx-1.27.1-socket_cloexec.patch similarity index 100% rename from images/nginx/rootfs/patches/30_nginx-1.27.1-socket_cloexec.patch rename to images/nginx/rootfs/patches/31_nginx-1.27.1-socket_cloexec.patch 
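Review bot: The new file `28_nginx-1.27.1-CVE-2025-23419.patch` carries no provenance: nothing in it names the upstream nginx commit it was taken from, so a later reader cannot confirm it matches the upstream fix or tell when it can be dropped. A leading comment line in the patch file would cover this, e.g. `# Backport of the upstream nginx fix for CVE-2025-23419 (commit <UPSTREAM_COMMIT_ID>); drop once NGINX_VERSION includes it`. The hostname check in both `ngx_http_ssl_servername` and `ngx_stream_ssl_servername` is compiled only when `TLS1_3_VERSION` is defined and the library is neither LibreSSL nor BoringSSL, and it runs only when `sscf->verify` is set. It is therefore worth confirming that the image's TLS library satisfies that guard. A regression test with client-certificate verification enabled should check that a resumed session presenting a different server name is rejected.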
diff --git a/images/nginx/rootfs/patches/31_nginx-1.27.1-reuseport_close_unused_fds.patch b/images/nginx/rootfs/patches/32_nginx-1.27.1-reuseport_close_unused_fds.patch similarity index 100% rename from images/nginx/rootfs/patches/31_nginx-1.27.1-reuseport_close_unused_fds.patch rename to images/nginx/rootfs/patches/32_nginx-1.27.1-reuseport_close_unused_fds.patch diff --git a/images/nginx/rootfs/patches/32_nginx-1.27.1-proc_exit_handler.patch b/images/nginx/rootfs/patches/33_nginx-1.27.1-proc_exit_handler.patch similarity index 100% rename from images/nginx/rootfs/patches/32_nginx-1.27.1-proc_exit_handler.patch rename to images/nginx/rootfs/patches/33_nginx-1.27.1-proc_exit_handler.patch diff --git a/images/nginx/rootfs/patches/34_nginx-1.27.1-stream_proxy_protocol_v2.patch b/images/nginx/rootfs/patches/34_nginx-1.27.1-stream_proxy_protocol_v2.patch new file mode 100644 index 0000000000..88d5e101d1 --- /dev/null +++ b/images/nginx/rootfs/patches/34_nginx-1.27.1-stream_proxy_protocol_v2.patch 
@@ -0,0 +1,630 @@ +diff --git a/src/core/ngx_proxy_protocol.c b/src/core/ngx_proxy_protocol.c +index 49888b9..27c927e 100644 +--- a/src/core/ngx_proxy_protocol.c ++++ b/src/core/ngx_proxy_protocol.c +@@ -12,6 +12,39 @@ + #define NGX_PROXY_PROTOCOL_AF_INET 1 + #define NGX_PROXY_PROTOCOL_AF_INET6 2 + ++#define NGX_PROXY_PROTOCOL_V2_SIG "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A" ++#define NGX_PROXY_PROTOCOL_V2_SIG_LEN 12 ++#define NGX_PROXY_PROTOCOL_V2_HDR_LEN 16 ++#define NGX_PROXY_PROTOCOL_V2_HDR_LEN_INET \ ++ (NGX_PROXY_PROTOCOL_V2_HDR_LEN + (4 + 4 + 2 + 2)) ++#define NGX_PROXY_PROTOCOL_V2_HDR_LEN_INET6 \ ++ (NGX_PROXY_PROTOCOL_V2_HDR_LEN + (16 + 16 + 2 + 2)) ++ ++#define NGX_PROXY_PROTOCOL_V2_CMD_PROXY (0x20 | 0x01) ++ ++#define NGX_PROXY_PROTOCOL_V2_TRANS_STREAM 0x01 ++ ++#define NGX_PROXY_PROTOCOL_V2_FAM_UNSPEC 0x00 ++#define NGX_PROXY_PROTOCOL_V2_FAM_INET 0x10 ++#define NGX_PROXY_PROTOCOL_V2_FAM_INET6 0x20 ++ ++#define NGX_PROXY_PROTOCOL_V2_TYPE_ALPN 0x01 ++#define NGX_PROXY_PROTOCOL_V2_TYPE_AUTHORITY 0x02 # Not implemented ++#define NGX_PROXY_PROTOCOL_V2_TYPE_CRC32C 0x03 # Not implemented ++#define NGX_PROXY_PROTOCOL_V2_TYPE_NOOP 0x04 # Not implemented ++#define NGX_PROXY_PROTOCOL_V2_TYPE_UNIQUE_ID 0x05 # Not implemented ++#define NGX_PROXY_PROTOCOL_V2_TYPE_SSL 0x20 ++#define NGX_PROXY_PROTOCOL_V2_SUBTYPE_SSL_VERSION 0x21 ++#define NGX_PROXY_PROTOCOL_V2_SUBTYPE_SSL_CN 0x22 ++#define NGX_PROXY_PROTOCOL_V2_SUBTYPE_SSL_CIPHER 0x23 ++#define NGX_PROXY_PROTOCOL_V2_SUBTYPE_SSL_SIG_ALG 0x24 ++#define NGX_PROXY_PROTOCOL_V2_SUBTYPE_SSL_KEY_ALG 0x25 ++#define NGX_PROXY_PROTOCOL_V2_TYPE_NETNS 0x30 # Not implemented ++ ++#define NGX_PROXY_PROTOCOL_V2_CLIENT_SSL 0x01 ++#define NGX_PROXY_PROTOCOL_V2_CLIENT_CERT_CONN 0x02 ++#define NGX_PROXY_PROTOCOL_V2_CLIENT_CERT_SESS 0x04 ++ + + #define ngx_proxy_protocol_parse_uint16(p) \ + ( ((uint16_t) (p)[0] << 8) \ +@@ -66,6 +99,53 @@ typedef struct { + } ngx_proxy_protocol_tlv_entry_t; + + ++typedef union { ++ struct { ++ 
uint32_t src_addr; ++ uint32_t dst_addr; ++ uint16_t src_port; ++ uint16_t dst_port; ++ } ip4; ++ struct { ++ uint8_t src_addr[16]; ++ uint8_t dst_addr[16]; ++ uint16_t src_port; ++ uint16_t dst_port; ++ } ip6; ++} ngx_proxy_protocol_addrs_t; ++ ++ ++typedef struct { ++ u_char signature[12]; ++ uint8_t version_command; ++ uint8_t family_transport; ++ uint16_t len; ++ ngx_proxy_protocol_addrs_t addr; ++} ngx_proxy_protocol_v2_header_t; ++ ++ ++struct ngx_tlv_s { ++ uint8_t type; ++ uint8_t length_hi; ++ uint8_t length_lo; ++ uint8_t value[0]; ++} __attribute__((packed)); ++ ++typedef struct ngx_tlv_s ngx_tlv_t; ++ ++ ++#if (NGX_STREAM_SSL) ++struct ngx_tlv_ssl_s { ++ ngx_tlv_t tlv; ++ uint8_t client; ++ uint32_t verify; ++ uint8_t sub_tlv[]; ++} __attribute__((packed)); ++ ++typedef struct ngx_tlv_ssl_s ngx_tlv_ssl_t; ++#endif ++ ++ + static u_char *ngx_proxy_protocol_read_addr(ngx_connection_t *c, u_char *p, + u_char *last, ngx_str_t *addr); + static u_char *ngx_proxy_protocol_read_port(u_char *p, u_char *last, +@@ -74,6 +154,15 @@ static u_char *ngx_proxy_protocol_v2_read(ngx_connection_t *c, u_char *buf, + u_char *last); + static ngx_int_t ngx_proxy_protocol_lookup_tlv(ngx_connection_t *c, + ngx_str_t *tlvs, ngx_uint_t type, ngx_str_t *value); ++static u_char *ngx_proxy_protocol_v2_write(ngx_connection_t *c, u_char *buf, ++ u_char *last); ++#if (NGX_HAVE_INET6) ++static void ngx_v4tov6(struct in6_addr *sin6_addr, struct sockaddr *addr); ++#endif ++#if (NGX_STREAM_SSL) ++static u_char *ngx_copy_tlv(u_char *pos, u_char *last, u_char type, ++ u_char *value, uint16_t value_len); ++#endif + + + static ngx_proxy_protocol_tlv_entry_t ngx_proxy_protocol_tlv_entries[] = { +@@ -277,7 +366,8 @@ ngx_proxy_protocol_read_port(u_char *p, u_char *last, in_port_t *port, + + + u_char * +-ngx_proxy_protocol_write(ngx_connection_t *c, u_char *buf, u_char *last) ++ngx_proxy_protocol_write(ngx_connection_t *c, u_char *buf, u_char *last, ++ ngx_uint_t pp_version) + { + ngx_uint_t port, 
lport; + +@@ -291,6 +381,10 @@ ngx_proxy_protocol_write(ngx_connection_t *c, u_char *buf, u_char *last) + return NULL; + } + ++ if (pp_version == 2) { ++ return ngx_proxy_protocol_v2_write(c, buf, last); ++ } ++ + switch (c->sockaddr->sa_family) { + + case AF_INET: +@@ -612,3 +706,360 @@ ngx_proxy_protocol_lookup_tlv(ngx_connection_t *c, ngx_str_t *tlvs, + + return NGX_DECLINED; + } ++ ++ ++static u_char * ++ngx_proxy_protocol_v2_write(ngx_connection_t *c, u_char *buf, u_char *last) ++{ ++ struct sockaddr *src, *dst; ++ ngx_proxy_protocol_v2_header_t *header; ++#if (NGX_HAVE_INET6) ++ struct in6_addr v6_tmp; ++ ngx_int_t v6_used; ++#endif ++#if (NGX_STREAM_SSL) ++ ngx_tlv_ssl_t *tlv; ++ u_char *value, *pos; ++ u_char kbuf[100]; ++ const unsigned char *data; ++ unsigned int data_len; ++ ++ X509 *crt; ++ EVP_PKEY *key; ++ const ASN1_OBJECT *algorithm; ++ const char *s; ++ ++ long rc; ++ size_t tlv_len; ++#endif ++ size_t len; ++ ++ header = (ngx_proxy_protocol_v2_header_t *) buf; ++ ++ header->len = 0; ++ ++ src = c->sockaddr; ++ dst = c->local_sockaddr; ++ ++ len = 0; ++ ++#if (NGX_HAVE_INET6) ++ v6_used = 0; ++#endif ++ ++ ngx_memcpy(header->signature, NGX_PROXY_PROTOCOL_V2_SIG, ++ NGX_PROXY_PROTOCOL_V2_SIG_LEN); ++ ++ header->version_command = NGX_PROXY_PROTOCOL_V2_CMD_PROXY; ++ header->family_transport = NGX_PROXY_PROTOCOL_V2_TRANS_STREAM; ++ ++ /** Addrs */ ++ ++ switch (src->sa_family) { ++ ++ case AF_INET: ++ ++ if (dst->sa_family == AF_INET) { ++ ++ header->addr.ip4.src_addr = ++ ((struct sockaddr_in *) src)->sin_addr.s_addr; ++ header->addr.ip4.src_port = ((struct sockaddr_in *) src)->sin_port; ++ } ++#if (NGX_HAVE_INET6) ++ else /** dst == AF_INET6 */{ ++ ++ ngx_v4tov6(&v6_tmp, src); ++ ngx_memcpy(header->addr.ip6.src_addr, &v6_tmp, 16); ++ header->addr.ip6.src_port = ((struct sockaddr_in *) src)->sin_port; ++ } ++#endif ++ break; ++ ++#if (NGX_HAVE_INET6) ++ case AF_INET6: ++ v6_used = 1; ++ ++ ngx_memcpy(header->addr.ip6.src_addr, ++ &((struct 
sockaddr_in6 *) src)->sin6_addr, 16); ++ header->addr.ip6.src_port = ((struct sockaddr_in6 *) src)->sin6_port; ++ ++ break; ++#endif ++ ++ default: ++ ngx_log_debug1(NGX_LOG_DEBUG_CORE, c->log, 0, ++ "PROXY protocol v2 unsupported src address family %ui", ++ src->sa_family); ++ goto unspec; ++ }; ++ ++ switch (dst->sa_family) { ++ case AF_INET: ++ ++ if (src->sa_family == AF_INET) { ++ ++ header->addr.ip4.dst_addr = ++ ((struct sockaddr_in *) dst)->sin_addr.s_addr; ++ header->addr.ip4.dst_port = ((struct sockaddr_in *) dst)->sin_port; ++ } ++#if (NGX_HAVE_INET6) ++ else /** src == AF_INET6 */{ ++ ++ ngx_v4tov6(&v6_tmp, dst); ++ ngx_memcpy(header->addr.ip6.dst_addr, &v6_tmp, 16); ++ header->addr.ip6.dst_port = ((struct sockaddr_in *) dst)->sin_port; ++ ++ } ++#endif ++ break; ++ ++#if (NGX_HAVE_INET6) ++ case AF_INET6: ++ v6_used = 1; ++ ++ ngx_memcpy(header->addr.ip6.dst_addr, ++ &((struct sockaddr_in6 *) dst)->sin6_addr, 16); ++ header->addr.ip6.dst_port = ((struct sockaddr_in6 *) dst)->sin6_port; ++ ++ break; ++#endif ++ ++ default: ++ ngx_log_debug1(NGX_LOG_DEBUG_CORE, c->log, 0, ++ "PROXY protocol v2 unsupported dest address family %ui", ++ dst->sa_family); ++ goto unspec; ++ } ++ ++#if (NGX_HAVE_INET6) ++ if (!v6_used) { ++ header->family_transport |= NGX_PROXY_PROTOCOL_V2_FAM_INET; ++ len = NGX_PROXY_PROTOCOL_V2_HDR_LEN_INET; ++ ++ } else { ++ header->family_transport |= NGX_PROXY_PROTOCOL_V2_FAM_INET6; ++ len = NGX_PROXY_PROTOCOL_V2_HDR_LEN_INET6; ++ ++ } ++#else ++ header->family_transport |= NGX_PROXY_PROTOCOL_V2_FAM_INET; ++ len = NGX_PROXY_PROTOCOL_V2_HDR_LEN_INET; ++#endif ++ ++ /** SSL TLVs */ ++#if (NGX_STREAM_SSL) ++ ++ if (c->ssl != NULL) { ++ ++ data = NULL; ++ data_len = 0; ++ ++ tlv = (ngx_tlv_ssl_t *) (buf + len); ++ ngx_memzero(tlv, sizeof(ngx_tlv_ssl_t)); ++ ++ tlv->tlv.type = NGX_PROXY_PROTOCOL_V2_TYPE_SSL; ++ pos = buf + len + sizeof(ngx_tlv_ssl_t); ++ ++ tlv->client |= NGX_PROXY_PROTOCOL_V2_CLIENT_SSL; ++ ++#ifdef 
TLSEXT_TYPE_application_layer_protocol_negotiation ++ SSL_get0_alpn_selected(c->ssl->connection, &data, &data_len); ++ ++#ifdef TLSEXT_TYPE_next_proto_neg ++ if (data_len == 0) { ++ SSL_get0_next_proto_negotiated(c->ssl->connection, ++ &data, &data_len); ++ } ++#endif ++ ++#else /* TLSEXT_TYPE_next_proto_neg */ ++ SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &data_len); ++#endif ++ ++ if (data_len) { ++ ++ pos = ngx_copy_tlv(pos, last, ++ NGX_PROXY_PROTOCOL_V2_TYPE_ALPN, ++ (u_char *) data, (uint16_t) data_len); ++ if (pos == NULL) { ++ return NULL; ++ } ++ } ++ ++ value = (u_char *) SSL_get_version(c->ssl->connection); ++ if (value != NULL) { ++ ++ pos = ngx_copy_tlv(pos, last, ++ NGX_PROXY_PROTOCOL_V2_SUBTYPE_SSL_VERSION, ++ value, ngx_strlen(value)); ++ if (pos == NULL) { ++ return NULL; ++ } ++ } ++ ++ crt = SSL_get0_peer_certificate(c->ssl->connection); ++ if (crt != NULL) { ++ tlv->client |= NGX_PROXY_PROTOCOL_V2_CLIENT_CERT_SESS; ++ ++ rc = SSL_get_verify_result(c->ssl->connection); ++ tlv->verify = htonl(rc); ++ ++ if (rc == X509_V_OK) { ++ if (ngx_ssl_ocsp_get_status(c, &s) == NGX_OK) { ++ tlv->client |= NGX_PROXY_PROTOCOL_V2_CLIENT_CERT_CONN; ++ } ++ } ++ ++ X509_NAME *subject_name_value = X509_get_subject_name(crt); ++ if(subject_name_value != NULL) { ++ int nid = OBJ_txt2nid("CN"); ++ int index = X509_NAME_get_index_by_NID(subject_name_value, nid, -1); ++ ++ X509_NAME_ENTRY *subject_name_cn_entry = X509_NAME_get_entry(subject_name_value, index); ++ if (subject_name_cn_entry) { ++ ASN1_STRING *subject_name_cn_data_asn1 = X509_NAME_ENTRY_get_data(subject_name_cn_entry); ++ ++ if (subject_name_cn_data_asn1 != NULL) { ++ value = (u_char *) ASN1_STRING_get0_data(subject_name_cn_data_asn1); ++ if(value != NULL) { ++ pos = ngx_copy_tlv(pos, last, ++ NGX_PROXY_PROTOCOL_V2_SUBTYPE_SSL_CN, ++ value, ngx_strlen(value)); ++ if (pos == NULL) { ++ return NULL; ++ } ++ } ++ } ++ } ++ } ++ } ++ ++ ++ crt = SSL_get_certificate(c->ssl->connection); ++ if 
(crt != NULL) { ++ key = X509_get_pubkey(crt); ++ ++ /** Key */ ++ if (key != NULL) { ++ switch (EVP_PKEY_base_id(key)) { ++ case EVP_PKEY_RSA: ++ value = (u_char *) "RSA"; ++ break; ++ case EVP_PKEY_EC: ++ value = (u_char *) "EC"; ++ break; ++ case EVP_PKEY_DSA: ++ value = (u_char *) "DSA"; ++ break; ++ default: ++ value = NULL; ++ break; ++ } ++ ++ if (value != NULL) { ++ value = ngx_snprintf(kbuf, sizeof(kbuf) - 1, "%s%d%Z", ++ value, EVP_PKEY_bits(key)); ++ ++ pos = ngx_copy_tlv(pos, last, ++ NGX_PROXY_PROTOCOL_V2_SUBTYPE_SSL_KEY_ALG, ++ kbuf, ngx_strlen(kbuf)); ++ } ++ ++ EVP_PKEY_free(key); ++ ++ if (pos == NULL) { ++ return NULL; ++ } ++ } ++ ++ /* ALG */ ++ X509_ALGOR_get0(&algorithm, NULL, NULL, X509_get0_tbs_sigalg(crt)); ++ value = (u_char *) OBJ_nid2sn(OBJ_obj2nid(algorithm)); ++ ++ if (value != NULL) { ++ ++ pos = ngx_copy_tlv(pos, last, ++ NGX_PROXY_PROTOCOL_V2_SUBTYPE_SSL_SIG_ALG, ++ value, ngx_strlen(value)); ++ if (pos == NULL) { ++ return NULL; ++ } ++ } ++ } ++ ++ value = (u_char *) SSL_get_cipher_name(c->ssl->connection); ++ if (value != NULL) { ++ ++ pos = ngx_copy_tlv(pos, last, ++ NGX_PROXY_PROTOCOL_V2_SUBTYPE_SSL_CIPHER, ++ value, ngx_strlen(value)); ++ if (pos == NULL) { ++ return NULL; ++ } ++ } ++ ++ tlv_len = pos - (buf + len); ++ ++ tlv->tlv.length_hi = (uint16_t) (tlv_len - sizeof(ngx_tlv_t)) >> 8; ++ tlv->tlv.length_lo = (uint16_t) (tlv_len - sizeof(ngx_tlv_t)) & 0x00ff; ++ ++ len = len + tlv_len; ++ } ++ ++#endif ++ ++ header->len = htons(len - NGX_PROXY_PROTOCOL_V2_HDR_LEN); ++ return buf + len; ++ ++unspec: ++ header->family_transport |= NGX_PROXY_PROTOCOL_V2_FAM_UNSPEC; ++ header->len = 0; ++ ++ return buf + NGX_PROXY_PROTOCOL_V2_HDR_LEN; ++} ++ ++ ++#if (NGX_HAVE_INET6) ++static void ++ngx_v4tov6(struct in6_addr *sin6_addr, struct sockaddr *addr) ++{ ++ static const char rfc4291[] = { 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0xFF, 0xFF }; ++ ++ struct in_addr tmp_addr, *sin_addr; ++ ++ sin_addr = 
&((struct sockaddr_in *) addr)->sin_addr; ++ ++ tmp_addr.s_addr = sin_addr->s_addr; ++ ngx_memcpy(sin6_addr->s6_addr, rfc4291, sizeof(rfc4291)); ++ ngx_memcpy(sin6_addr->s6_addr + 12, &tmp_addr.s_addr, 4); ++} ++#endif ++ ++ ++#if (NGX_STREAM_SSL) ++ ++static u_char * ++ngx_copy_tlv(u_char *pos, u_char *last, u_char type, ++ u_char *value, uint16_t value_len) ++{ ++ ngx_tlv_t *tlv; ++ ++ if (last - pos < (long) sizeof(*tlv)) { ++ return NULL; ++ } ++ ++ tlv = (ngx_tlv_t *) pos; ++ ++ tlv->type = type; ++ tlv->length_hi = (uint16_t) value_len >> 8; ++ tlv->length_lo = (uint16_t) value_len & 0x00ff; ++ ngx_memcpy(tlv->value, value, value_len); ++ ++ return pos + (value_len + sizeof(*tlv)); ++} ++ ++#endif ++ ++ +diff --git a/src/core/ngx_proxy_protocol.h b/src/core/ngx_proxy_protocol.h +index d1749f5..bc2e0a2 100644 +--- a/src/core/ngx_proxy_protocol.h ++++ b/src/core/ngx_proxy_protocol.h +@@ -29,7 +29,7 @@ struct ngx_proxy_protocol_s { + u_char *ngx_proxy_protocol_read(ngx_connection_t *c, u_char *buf, + u_char *last); + u_char *ngx_proxy_protocol_write(ngx_connection_t *c, u_char *buf, +- u_char *last); ++ u_char *last, ngx_uint_t pp_version); + ngx_int_t ngx_proxy_protocol_get_tlv(ngx_connection_t *c, ngx_str_t *name, + ngx_str_t *value); + +diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c +index 82dca1e..0279866 100644 +--- a/src/stream/ngx_stream_proxy_module.c ++++ b/src/stream/ngx_stream_proxy_module.c +@@ -30,7 +30,7 @@ typedef struct { + ngx_uint_t responses; + ngx_uint_t next_upstream_tries; + ngx_flag_t next_upstream; +- ngx_flag_t proxy_protocol; ++ ngx_uint_t proxy_protocol; + ngx_flag_t half_close; + ngx_stream_upstream_local_t *local; + ngx_flag_t socket_keepalive; +@@ -125,6 +125,14 @@ static ngx_conf_post_t ngx_stream_proxy_ssl_conf_command_post = + #endif + + ++static ngx_conf_enum_t ngx_stream_proxy_protocol[] = { ++ { ngx_string("off"), 0 }, ++ { ngx_string("on"), 1 }, ++ { ngx_string("v2"), 2 }, ++ { 
ngx_null_string, 0 } ++}; ++ ++ + static ngx_conf_deprecated_t ngx_conf_deprecated_proxy_downstream_buffer = { + ngx_conf_deprecated, "proxy_downstream_buffer", "proxy_buffer_size" + }; +@@ -243,10 +251,10 @@ static ngx_command_t ngx_stream_proxy_commands[] = { + + { ngx_string("proxy_protocol"), + NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG, +- ngx_conf_set_flag_slot, ++ ngx_conf_set_enum_slot, + NGX_STREAM_SRV_CONF_OFFSET, + offsetof(ngx_stream_proxy_srv_conf_t, proxy_protocol), +- NULL }, ++ &ngx_stream_proxy_protocol }, + + { ngx_string("proxy_half_close"), + NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG, +@@ -914,7 +922,7 @@ ngx_stream_proxy_init_upstream(ngx_stream_session_t *s) + return; + } + +- p = ngx_pnalloc(c->pool, NGX_PROXY_PROTOCOL_V1_MAX_HEADER); ++ p = ngx_pnalloc(c->pool, NGX_PROXY_PROTOCOL_MAX_HEADER); + if (p == NULL) { + ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR); + return; +@@ -922,8 +930,8 @@ ngx_stream_proxy_init_upstream(ngx_stream_session_t *s) + + cl->buf->pos = p; + +- p = ngx_proxy_protocol_write(c, p, +- p + NGX_PROXY_PROTOCOL_V1_MAX_HEADER); ++ p = ngx_proxy_protocol_write(c, p, p + NGX_PROXY_PROTOCOL_MAX_HEADER, ++ u->proxy_protocol); + if (p == NULL) { + ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR); + return; +@@ -963,7 +971,7 @@ static ngx_int_t + ngx_stream_proxy_send_proxy_protocol(ngx_stream_session_t *s) + { + u_char *p; +- u_char buf[NGX_PROXY_PROTOCOL_V1_MAX_HEADER]; ++ u_char buf[NGX_PROXY_PROTOCOL_MAX_HEADER]; + ssize_t n, size; + ngx_connection_t *c, *pc; + ngx_stream_upstream_t *u; +@@ -976,15 +984,15 @@ ngx_stream_proxy_send_proxy_protocol(ngx_stream_session_t *s) + ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0, + "stream proxy send PROXY protocol header"); + +- p = ngx_proxy_protocol_write(c, buf, +- buf + NGX_PROXY_PROTOCOL_V1_MAX_HEADER); ++ u = s->upstream; ++ ++ p = ngx_proxy_protocol_write(c, buf, buf + NGX_PROXY_PROTOCOL_MAX_HEADER, ++ u->proxy_protocol); 
+ if (p == NULL) { + ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR); + return NGX_ERROR; + } + +- u = s->upstream; +- + pc = u->peer.connection; + + size = p - buf; +@@ -2116,7 +2124,7 @@ ngx_stream_proxy_create_srv_conf(ngx_conf_t *cf) + conf->responses = NGX_CONF_UNSET_UINT; + conf->next_upstream_tries = NGX_CONF_UNSET_UINT; + conf->next_upstream = NGX_CONF_UNSET; +- conf->proxy_protocol = NGX_CONF_UNSET; ++ conf->proxy_protocol = NGX_CONF_UNSET_UINT; + conf->local = NGX_CONF_UNSET_PTR; + conf->socket_keepalive = NGX_CONF_UNSET; + conf->half_close = NGX_CONF_UNSET; +@@ -2171,7 +2179,7 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) + + ngx_conf_merge_value(conf->next_upstream, prev->next_upstream, 1); + +- ngx_conf_merge_value(conf->proxy_protocol, prev->proxy_protocol, 0); ++ ngx_conf_merge_uint_value(conf->proxy_protocol, prev->proxy_protocol, 0); + + ngx_conf_merge_ptr_value(conf->local, prev->local, NULL); + +diff --git a/src/stream/ngx_stream_upstream.h b/src/stream/ngx_stream_upstream.h +index 25433d6..6df11df 100644 +--- a/src/stream/ngx_stream_upstream.h ++++ b/src/stream/ngx_stream_upstream.h +@@ -141,7 +141,7 @@ typedef struct { + ngx_stream_upstream_resolved_t *resolved; + ngx_stream_upstream_state_t *state; + unsigned connected:1; +- unsigned proxy_protocol:1; ++ unsigned proxy_protocol:2; + unsigned half_closed:1; + } ngx_stream_upstream_t; + diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile index 5556e7544a..c9779bfb60 100644 --- a/images/test-runner/Makefile +++ b/images/test-runner/Makefile 
@@ -35,16 +35,16 @@ build: builder --build-arg BASE_IMAGE=$(BASE_IMAGE) \ --build-arg GOLANG_VERSION=$(GOLANG_VERSION) \ --build-arg ETCD_VERSION=3.5.13-0 \ - --build-arg K8S_RELEASE=v1.33.1 \ + --build-arg K8S_RELEASE=v1.35.3 \ --build-arg RESTY_CLI_VERSION=0.27 \ --build-arg RESTY_CLI_SHA=e5f4f3128af49ba5c4d039d0554e5ae91bbe05866f60eccfa96d3653274bff90 \ - --build-arg LUAROCKS_VERSION=3.8.0 \ - --build-arg LUAROCKS_SHA=ab6612ca9ab87c6984871d2712d05525775e8b50172701a0a1cabddf76de2be7 \ + --build-arg LUAROCKS_VERSION=v3.12.2 \ + --build-arg LUAROCKS_SHA=9c25fa7ab5017d60b25137ab1a4cb76e3185df1fe02df1f577f57d1a6b548a2a \ --build-arg CHART_TESTING_VERSION=3.8.0 \ --build-arg YAML_LINT_VERSION=1.33.0 \ --build-arg YAMALE_VERSION=4.0.4 \ - --build-arg HELM_VERSION=3.14.4 \ - --build-arg GINKGO_VERSION=2.23.4 \ + --build-arg HELM_VERSION=4.1.3 \ + --build-arg GINKGO_VERSION=2.28.1 \ --build-arg GOLINT_VERSION=latest \ rootfs \ --tag $(IMAGE):$(TAG) \ diff --git a/images/test-runner/TAG b/images/test-runner/TAG index 826e142463..2a644933f0 100644 --- a/images/test-runner/TAG +++ b/images/test-runner/TAG @@ -1 +1 @@ -v2.1.1 +v2.2.9 diff --git a/images/test-runner/rootfs/Dockerfile b/images/test-runner/rootfs/Dockerfile index 69fae92d76..dd98f83100 100644 --- a/images/test-runner/rootfs/Dockerfile +++ b/images/test-runner/rootfs/Dockerfile @@ -15,7 +15,7 @@ ARG BASE_IMAGE ARG GOLANG_VERSION ARG ETCD_VERSION -FROM golang:${GOLANG_VERSION}-alpine3.21 AS go +FROM golang:${GOLANG_VERSION}-alpine3.23 AS go FROM registry.k8s.io/etcd:${ETCD_VERSION} AS etcd FROM ${BASE_IMAGE} @@ -81,7 +81,7 @@ RUN wget -qO /tmp/resty_cli.tgz \ && rm -rf /tmp/* RUN wget -qO /tmp/luarocks.tgz \ - https://github.com/luarocks/luarocks/archive/v${LUAROCKS_VERSION}.tar.gz \ + https://github.com/luarocks/luarocks/archive/${LUAROCKS_VERSION}.tar.gz \ && echo "${LUAROCKS_SHA} */tmp/luarocks.tgz" | sha256sum -c - \ && tar -C /tmp -xzf /tmp/luarocks.tgz \ && cd /tmp/luarocks* \ 
diff --git a/internal/admission/controller/server.go b/internal/admission/controller/server.go
index 74f55fd016..41fdba4920 100644
--- a/internal/admission/controller/server.go
+++ b/internal/admission/controller/server.go
@@ -28,6 +28,12 @@ import (
 var scheme = runtime.NewScheme()
+// The Kubernetes default is 3 MB.
+// Multiply by 3 to be safe
+//
+// https://github.com/kubernetes/kubernetes/blob/3025b0a7b4b9fba6110759e905346ead5c9c0720/staging/src/k8s.io/apimachinery/pkg/runtime/serializer/cbor/internal/modes/buffers.go#L47
+const maxBodySizeBytes = 9 * 1024 * 1024 // 9 MB
+
 func init() {
 if err := admissionv1.AddToScheme(scheme); err != nil {
 klog.ErrorS(err, "Failed to add scheme")
@@ -59,12 +65,19 @@ func NewAdmissionControllerServer(ac AdmissionController) *AdmissionControllerSe
 func (acs *AdmissionControllerServer) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 defer req.Body.Close()
- data, err := io.ReadAll(req.Body)
+ lr := io.LimitReader(req.Body, maxBodySizeBytes)
+ data, err := io.ReadAll(lr)
 if err != nil {
 klog.ErrorS(err, "Failed to read request body")
 w.WriteHeader(http.StatusBadRequest)
 return
 }
+ if len(data) == maxBodySizeBytes {
+ // buffer full, request is too large
+ klog.Errorf("Request body too large. Max is %d bytes", maxBodySizeBytes-1)
+ w.WriteHeader(http.StatusRequestEntityTooLarge)
+ return
+ }
 codec := json.NewSerializerWithOptions(json.DefaultMetaFactory, scheme, scheme, json.SerializerOptions{
 Pretty: true,
diff --git a/internal/ingress/annotations/auth/main.go b/internal/ingress/annotations/auth/main.go
index 79e3ce5d38..840b3c61cd 100644
--- a/internal/ingress/annotations/auth/main.go
+++ b/internal/ingress/annotations/auth/main.go
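Review bot: In ServeHTTP (internal/admission/controller/server.go) the size cap is built from `io.LimitReader` plus a `len(data) == maxBodySizeBytes` comparison, which makes the effective limit one byte below the constant and needs a reader to know that a full buffer means "too large". `http.MaxBytesReader(w, req.Body, maxBodySizeBytes)` is the net/http primitive for this: `io.ReadAll` then fails with an `*http.MaxBytesError` that can be mapped to `http.StatusRequestEntityTooLarge` via `errors.As`, and the server is told to close the connection once the limit is hit. The new log call would also match the rest of the handler as `klog.ErrorS(nil, "Request body too large", "maxBytes", maxBodySizeBytes)` rather than `klog.Errorf`. ServeHTTP continues past the end of the hunk, and whether `errors` is already imported is not visible here.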
@@ -242,7 +242,7 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) {
 }, nil
 }
-// dumpSecret dumps the content of a secret into a file
+// dumpSecretAuthFile dumps the content of a secret into a file
 // in the expected format for the specified authorization
 func dumpSecretAuthFile(filename string, secret *api.Secret) error {
 val, ok := secret.Data["auth"]
diff --git a/internal/ingress/annotations/authreq/main.go b/internal/ingress/annotations/authreq/main.go
index ad38c36b12..6b171c2a87 100644
--- a/internal/ingress/annotations/authreq/main.go
+++ b/internal/ingress/annotations/authreq/main.go
@@ -18,6 +18,7 @@ package authreq
 import (
 "fmt"
+ "reflect"
 "regexp"
 "strings"
@@ -243,14 +244,18 @@ func (e1 *Config) Equal(e2 *Config) bool {
 return false
 }
+ if !reflect.DeepEqual(e1.ProxySetHeaders, e2.ProxySetHeaders) {
+ return false
+ }
+
 return sets.StringElementsMatch(e1.AuthCacheDuration, e2.AuthCacheDuration)
 }
 var (
- methodsRegex = regexp.MustCompile("(GET|HEAD|POST|PUT|PATCH|DELETE|CONNECT|OPTIONS|TRACE)")
+ methodsRegex = regexp.MustCompile("^(GET|HEAD|POST|PUT|PATCH|DELETE|CONNECT|OPTIONS|TRACE)$")
 headerRegexp = regexp.MustCompile(`^[a-zA-Z\d\-_]+$`)
 statusCodeRegex = regexp.MustCompile(`^\d{3}$`)
- durationRegex = regexp.MustCompile(`^\d+(ms|s|m|h|d|w|M|y)$`) // see http://nginx.org/en/docs/syntax.html
+ durationRegex = regexp.MustCompile(`^\d+(ms|s|m|h|d|w|M|y)$`) // see https://nginx.org/en/docs/syntax.html
 )
 // ValidMethod checks is the provided string a valid HTTP method
diff --git a/internal/ingress/annotations/authtls/main.go b/internal/ingress/annotations/authtls/main.go
index de4d1cc1d8..cb1484e716 100644
--- a/internal/ingress/annotations/authtls/main.go
+++ b/internal/ingress/annotations/authtls/main.go
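Review bot: The new `reflect.DeepEqual(e1.ProxySetHeaders, e2.ProxySetHeaders)` check in Config.Equal (authreq/main.go) treats a nil value and an empty one as different, so two configs with the same effective headers could compare unequal. If ProxySetHeaders is a `map[string]string` (its declaration is outside the hunk), `maps.Equal(e1.ProxySetHeaders, e2.ProxySetHeaders)` compares by content and avoids reflection. In the same hunk the anchored `methodsRegex` deserves a one-line comment such as `// anchored: the value must be exactly one method name`, so the `^` and `$` are not dropped later as cosmetic. Equal starts above the hunk.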
@@ -42,7 +42,7 @@ const (
 var (
 authVerifyClientRegex = regexp.MustCompile(`^(on|off|optional|optional_no_ca)$`)
- redirectRegex = regexp.MustCompile(`^((https?://)?[A-Za-z0-9\-.]+(:\d+)?)?(/[A-Za-z0-9\-_.]+)*/?$`)
+ redirectRegex = regexp.MustCompile(`^(@[A-Za-z0-9_-]+|((https?://)?[A-Za-z0-9\-.]+(:\d+)?)?(/[A-Za-z0-9\-_.]+)*/?)$`)
 )
 var authTLSAnnotations = parser.Annotation{
@@ -148,12 +148,12 @@ func (a authTLS) Parse(ing *networking.Ingress) (interface{}, error) {
 var err error
 config := &Config{}
- tlsauthsecret, err := parser.GetStringAnnotation(annotationAuthTLSSecret, ing, a.annotationConfig.Annotations)
+ authTLSSecret, err := parser.GetStringAnnotation(annotationAuthTLSSecret, ing, a.annotationConfig.Annotations)
 if err != nil {
 return &Config{}, err
 }
- ns, _, err := k8s.ParseNameNS(tlsauthsecret)
+ ns, _, err := k8s.ParseNameNS(authTLSSecret)
 if err != nil {
 return &Config{}, ing_errors.NewLocationDenied(err.Error())
 }
@@ -166,7 +166,7 @@ func (a authTLS) Parse(ing *networking.Ingress) (interface{}, error) {
 return &Config{}, ing_errors.NewLocationDenied("cross namespace secrets are not supported")
 }
- authCert, err := a.r.GetAuthCertificate(tlsauthsecret)
+ authCert, err := a.r.GetAuthCertificate(authTLSSecret)
 if err != nil {
 e := fmt.Errorf("error obtaining certificate: %w", err)
 return &Config{}, ing_errors.LocationDeniedError{Reason: e}
diff --git a/internal/ingress/annotations/authtls/main_test.go b/internal/ingress/annotations/authtls/main_test.go
index 37342e513a..96ff2898b6 100644
--- a/internal/ingress/annotations/authtls/main_test.go
+++ b/internal/ingress/annotations/authtls/main_test.go
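Review bot: `redirectRegex` in authtls/main.go now accepts two different shapes and carries no comment saying so; a line such as `// either a named location (@name) or an optional scheme/host/port followed by path segments` above it would make the intended grammar reviewable. The second alternative consists only of optional parts, so the pattern as written also matches the empty string; whether an empty error page is rejected elsewhere is not visible in this hunk. A negative test for the new branch (a bare `@`, or `@name/path`) would pin where the named-location form ends.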
@@ -48,14 +48,7 @@ func buildIngress() *networking.Ingress {
 Namespace: api.NamespaceDefault,
 },
 Spec: networking.IngressSpec{
- DefaultBackend: &networking.IngressBackend{
- Service: &networking.IngressServiceBackend{
- Name: "default-backend",
- Port: networking.ServiceBackendPort{
- Number: 80,
- },
- },
- },
+ DefaultBackend: &defaultBackend,
 Rules: []networking.IngressRule{
 {
 Host: "foo.bar.com",
@@ -163,15 +156,38 @@ func TestAnnotations(t *testing.T) {
 if u.ValidationDepth != 2 {
 t.Errorf("expected %v but got %v", 2, u.ValidationDepth)
 }
- if u.ErrorPage != "ok.com/error" {
- t.Errorf("expected %v but got %v", "ok.com/error", u.ErrorPage)
- }
 if u.PassCertToUpstream != true {
 t.Errorf("expected %v but got %v", true, u.PassCertToUpstream)
 }
 if u.MatchCN != "CN=(hello-app|ok|goodbye)" {
 t.Errorf("expected %v but got %v", "CN=(hello-app|ok|goodbye)", u.MatchCN)
 }
+
+ for _, tc := range []struct {
+ name string
+ errorPage string
+ want string
+ }{
+ {"url redirect", "ok.com/error", "ok.com/error"},
+ {"named redirect numeric", "@401", "@401"},
+ {"named redirect alphanumeric with underscores", "@four_oh_one", "@four_oh_one"},
+ } {
+ t.Run(tc.name, func(t *testing.T) {
+ data[parser.GetAnnotationWithPrefix(annotationAuthTLSErrorPage)] = tc.errorPage
+ ing.SetAnnotations(data)
+ i, err := NewParser(fakeSecret).Parse(ing)
+ if err != nil {
+ t.Errorf("Unexpected error with ingress: %v", err)
+ }
+ u, ok := i.(*Config)
+ if !ok {
+ t.Errorf("expected *Config but got %v", u)
+ }
+ if u.ErrorPage != tc.want {
+ t.Errorf("expected %v but got %v", tc.want, u.ErrorPage)
+ }
+ })
+ }
 }
 func TestInvalidAnnotations(t *testing.T) {
diff --git a/internal/ingress/annotations/customhttperrors/main.go b/internal/ingress/annotations/customhttperrors/main.go
index f3c72a22fc..9a25c91b1b 100644
--- a/internal/ingress/annotations/customhttperrors/main.go
+++ b/internal/ingress/annotations/customhttperrors/main.go
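Review bot: In the new table-driven subtests of TestAnnotations (authtls/main_test.go), a failed Parse and a failed type assertion are both reported with `t.Errorf`, so execution continues to `u.ErrorPage` and dereferences a nil `*Config`, turning a test failure into a panic. Use `t.Fatalf("unexpected error with ingress: %v", err)` after Parse and `t.Fatalf("expected *Config but got %T", i)` after the assertion; the current message prints `u`, which is always nil on that path. The subtests also write to the shared `data` map and `ing`, so they only stay correct while they run sequentially.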
@@ -17,6 +17,7 @@ limitations under the License.
 package customhttperrors
 import (
+ "fmt"
 "regexp"
 "strconv"
 "strings"
@@ -72,10 +73,17 @@ func (e customhttperrors) Parse(ing *networking.Ingress) (interface{}, error) {
 cSplit := strings.Split(c, ",")
 codes := make([]int, 0, len(cSplit))
 for _, i := range cSplit {
- num, err := strconv.Atoi(i)
+ // Trim whitespace to handle "404, 500" format
+ trimmed := strings.TrimSpace(i)
+ if trimmed == "" {
+ continue
+ }
+
+ num, err := strconv.Atoi(trimmed)
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("invalid HTTP status code %q: %w", trimmed, err)
 }
+
 codes = append(codes, num)
 }
diff --git a/internal/ingress/annotations/parser/validators.go b/internal/ingress/annotations/parser/validators.go
index 3c724a3110..65cdb49cc4 100644
--- a/internal/ingress/annotations/parser/validators.go
+++ b/internal/ingress/annotations/parser/validators.go
@@ -20,6 +20,7 @@ import (
 "errors"
 "fmt"
 "regexp"
+ "slices"
 "strconv"
 "strings"
 "time"
@@ -253,8 +254,12 @@ func CheckAnnotationRisk(annotations map[string]string, maxrisk AnnotationRisk,
 var err error
 for annotation := range annotations {
 annPure := TrimAnnotationPrefix(annotation)
- if cfg, ok := config[annPure]; ok && cfg.Risk > maxrisk {
- err = errors.Join(err, fmt.Errorf("annotation %s is too risky for environment", annotation))
+ // We need to iterate through the map as we need to consider annotation aliases which are part of the value.
+ for key, cfg := range config {
+ // Check if either the key or any alias equals the annotation and the risk is higher than allowed.
+ if (key == annPure || slices.Contains(cfg.AnnotationAliases, annPure)) && cfg.Risk > maxrisk {
+ err = errors.Join(err, fmt.Errorf("annotation %s is too risky for environment", annotation))
+ }
 }
 }
 return err
diff --git a/internal/ingress/annotations/parser/validators_test.go b/internal/ingress/annotations/parser/validators_test.go
index 49923ba766..38347dad78 100644
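Review bot: In customhttperrors Parse, the new `continue` on an empty element means a value made only of separators and spaces now produces an empty `codes` slice with no error, where `strconv.Atoi("")` previously failed the parse. The loop also accepts any integer `Atoi` can read, including negative or out-of-range numbers. Unless the annotation's validator already rules both out (it is outside this hunk), add a range check such as `if num < 300 || num > 599 { return nil, fmt.Errorf("invalid HTTP status code %d", num) }` and return an error when `len(codes) == 0` after the loop; the exact bounds should follow what the generated error_page directive accepts. Parse starts above and continues below the hunk.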
--- a/internal/ingress/annotations/parser/validators_test.go +++ b/internal/ingress/annotations/parser/validators_test.go @@ -308,6 +308,20 @@ func TestCheckAnnotationRisk(t *testing.T) { }, wantErr: false, }, + { + name: "annotation aliases should be considered in risk evaluation", + maxrisk: AnnotationRiskLow, + annotations: map[string]string{ + "nginx.ingress.kubernetes.io/alias": "value", + }, + config: AnnotationFields{ + "annotation": { + Risk: AnnotationRiskCritical, + AnnotationAliases: []string{"alias"}, + }, + }, + wantErr: true, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/internal/ingress/annotations/proxy/main.go b/internal/ingress/annotations/proxy/main.go index aaa093eafd..b21650ca55 100644 --- a/internal/ingress/annotations/proxy/main.go +++ b/internal/ingress/annotations/proxy/main.go @@ -46,7 +46,11 @@ const ( proxyMaxTempFileSizeAnnotation = "proxy-max-temp-file-size" //#nosec G101 ) -var validUpstreamAnnotation = regexp.MustCompile(`^((error|timeout|invalid_header|http_500|http_502|http_503|http_504|http_403|http_404|http_429|non_idempotent|off)\s?)+$`) +var ( + cookieDomainChars = `\-\.\_\~a-zA-Z0-9\/:` + validUpstreamAnnotation = regexp.MustCompile(`^((error|timeout|invalid_header|http_500|http_502|http_503|http_504|http_403|http_404|http_429|non_idempotent|off)\s?)+$`) + cookieDomainRegex = regexp.MustCompile(`^(off|[` + cookieDomainChars + `]+\s+[` + cookieDomainChars + `]+)$`) +) var proxyAnnotations = parser.Annotation{ Group: "backend", 
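Review bot: `cookieDomainRegex` in internal/ingress/annotations/proxy/main.go separates its two tokens with `\s+`, and in Go's regexp `\s` also matches tab, newline, carriage return and form feed, so a multi-line annotation value passes validation. The value is meant to be two tokens on one line, so `[ \t]+` is the tighter separator and keeps line breaks out of whatever is rendered from this annotation. `cookieDomainChars` is never reassigned and can be a `const`, and the escapes `\.`, `\_`, `\~` and `\/` are not needed inside a character class. A short comment above the regex stating the accepted grammar (`off`, or exactly two whitespace-separated tokens) would help the next reader.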
@@ -87,7 +91,7 @@ var proxyAnnotations = parser.Annotation{ Validator: parser.ValidateRegex(parser.SizeRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskLow, - Documentation: `This annotation limits the total size of buffers that can be busy sending a response to the client while the response is not yet fully read. By default proxy busy buffers size is set as "8k".`, + Documentation: `This annotation limits the total size of buffers that can be busy sending a response to the client while the response is not yet fully read.`, }, proxyCookiePathAnnotation: { Validator: parser.ValidateRegex(parser.URLIsValidRegex, true), @@ -96,7 +100,7 @@ var proxyAnnotations = parser.Annotation{ Documentation: `This annotation sets a text that should be changed in the path attribute of the "Set-Cookie" header fields of a proxied server response.`, }, proxyCookieDomainAnnotation: { - Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), + Validator: parser.ValidateRegex(cookieDomainRegex, false), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation ets a text that should be changed in the domain attribute of the "Set-Cookie" header fields of a proxied server response.`, diff --git a/internal/ingress/annotations/proxy/main_test.go b/internal/ingress/annotations/proxy/main_test.go index b6ce07fb25..2e522d5de2 100644 --- a/internal/ingress/annotations/proxy/main_test.go +++ b/internal/ingress/annotations/proxy/main_test.go @@ -88,7 +88,7 @@ func (m mockBackend) GetDefaultBackend() defaults.Backend { ProxyReadTimeout: 20, ProxyBuffersNumber: 4, ProxyBufferSize: "10k", - ProxyBusyBuffersSize: "15k", + ProxyBusyBuffersSize: "", ProxyBodySize: "3k", ProxyNextUpstream: "error", ProxyNextUpstreamTimeout: 0, 
@@ -258,6 +258,9 @@ func TestProxyWithNoAnnotation(t *testing.T) { if !ok { t.Fatalf("expected a Config type") } + if p.BusyBuffersSize != "" { + t.Errorf("expected empty BusyBuffersSize but returned %v", p.BusyBuffersSize) + } if p.ConnectTimeout != 10 { t.Errorf("expected 10 as connect-timeout but returned %v", p.ConnectTimeout) } @@ -273,9 +276,6 @@ func TestProxyWithNoAnnotation(t *testing.T) { if p.BufferSize != "10k" { t.Errorf("expected 10k as buffer-size but returned %v", p.BufferSize) } - if p.BusyBuffersSize != "15k" { - t.Errorf("expected 15k as buffer-size but returned %v", p.BusyBuffersSize) - } if p.BodySize != "3k" { t.Errorf("expected 3k as body-size but returned %v", p.BodySize) } 
@@ -298,3 +298,83 @@ func TestProxyWithNoAnnotation(t *testing.T) { t.Errorf("expected 1024m as proxy-max-temp-file-size but returned %v", p.ProxyMaxTempFileSize) } } + +func TestCookieDomainRegex(t *testing.T) { + validator := parser.ValidateRegex(cookieDomainRegex, false) + tests := []struct { + name string + value string + wantErr bool + }{ + { + name: "should accept off", + value: "off", + wantErr: false, + }, + { + name: "should accept two space-separated domains", + value: "example.org .example.com", + wantErr: false, + }, + { + name: "should accept domain with dot prefix", + value: ".old.domain .new.domain", + wantErr: false, + }, + { + name: "should reject single domain without space", + value: "example.org", + wantErr: true, + }, + { + name: "should accept value with colon", + value: "example.org:8080 .example.com", + wantErr: false, + }, + { + name: "should reject three parameters", + value: "example.org example.com extra", + wantErr: true, + }, + { + name: "should reject empty value", + value: "", + wantErr: true, + }, + { + name: "should reject value with semicolon", + value: "example.org; .example.com", + wantErr: true, + }, + { + name: "should accept multiple spaces between tokens", + value: "example.org .example.com", + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if err := validator(tt.value); (err != nil) != tt.wantErr { + t.Errorf("cookieDomainRegex validator(%q) error = %v, wantErr %v", tt.value, err, tt.wantErr) + } + }) + } +} + +func TestProxyWithBusyBuffersSizeAnnotation(t *testing.T) { + ing := buildIngress() + data := map[string]string{} + data[parser.GetAnnotationWithPrefix("proxy-busy-buffers-size")] = "4k" + ing.SetAnnotations(data) + i, err := NewParser(mockBackend{}).Parse(ing) + if err != nil { + t.Fatalf("unexpected error parsing a valid") + } + p, ok := i.(*Config) + if !ok { + t.Fatalf("expected a Config type") + } + if p.BusyBuffersSize != "4k" { + t.Errorf("expected 4k as 
BusyBuffersSize but returned %v", p.BusyBuffersSize) + } +} diff --git a/internal/ingress/annotations/ratelimit/main.go b/internal/ingress/annotations/ratelimit/main.go index e79c698bf2..7a38a02dd0 100644 --- a/internal/ingress/annotations/ratelimit/main.go +++ b/internal/ingress/annotations/ratelimit/main.go @@ -99,7 +99,7 @@ func (rt1 *Config) Equal(rt2 *Config) bool { } // Zone returns information about the NGINX rate limit (limit_req_zone) -// http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone +// https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone type Zone struct { Name string `json:"name"` Limit int `json:"limit"` diff --git a/internal/ingress/annotations/rewrite/main.go b/internal/ingress/annotations/rewrite/main.go index d78a004b91..fd18028956 100644 --- a/internal/ingress/annotations/rewrite/main.go +++ b/internal/ingress/annotations/rewrite/main.go @@ -145,7 +145,7 @@ func (a rewrite) Parse(ing *networking.Ingress) (interface{}, error) { config.Target, err = parser.GetStringAnnotation(rewriteTargetAnnotation, ing, a.annotationConfig.Annotations) if err != nil { if errors.IsValidationError(err) { - klog.Warningf("%sis invalid, defaulting to empty", rewriteTargetAnnotation) + klog.Warningf("%s is invalid, defaulting to empty", rewriteTargetAnnotation) } config.Target = "" } diff --git a/internal/ingress/controller/admission_batcher.go b/internal/ingress/controller/admission_batcher.go index 1fdc2c2e03..d607af922e 100644 --- a/internal/ingress/controller/admission_batcher.go +++ b/internal/ingress/controller/admission_batcher.go @@ -6,7 +6,6 @@ import ( "sync" "time" - "github.com/pkg/errors" networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/internal/ingress/annotations" "k8s.io/ingress-nginx/internal/ingress/controller/store" 
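Review bot: In TestProxyWithBusyBuffersSizeAnnotation the failure path `t.Fatalf("unexpected error parsing a valid")` drops the error and the message stops mid-phrase; `t.Fatalf("unexpected error parsing a valid ingress: %v", err)` makes a failure diagnosable. The TestCookieDomainRegex table covers semicolons and token counts but has no case whose separator is a tab or a newline, which is exactly where `\s+` differs from a literal space; adding `{name: "should reject newline separator", value: "example.org\n.example.com", wantErr: true}` would document the intended behaviour either way.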
@@ -142,21 +141,21 @@ func (n *NGINXController) validateNewIngresses(newIngresses []*networking.Ingres
 for _, newIngress := range newIngresses {
 err := checkOverlap(newIngress, servers)
 if err != nil {
- return errors.Wrapf(err, "error while validating overlap for ingress %s/%s", newIngress.Namespace, newIngress.Name)
+ return fmt.Errorf("error while validating overlap for ingress %s/%s: %w", newIngress.Namespace, newIngress.Name, err)
 }
 }
 start = time.Now()
 template, err := n.generateTemplate(cfg, *newIngCfg)
 if err != nil {
- return errors.Wrapf(err, "error while generating template for ingresses %s", ingsListStr)
+ return fmt.Errorf("error while generating template for ingresses %s: %w", ingsListStr, err)
 }
 klog.Info("Generated nginx template in ", time.Now().Sub(start).Seconds(), " seconds for ", ingsListStr)
 start = time.Now()
 err = n.testTemplate(template)
 if err != nil {
- return errors.Wrapf(err, "error while testing template for of ingresses %s", ingsListStr)
+ return fmt.Errorf("error while testing template for of ingresses %s: %w", ingsListStr, err)
 }
 klog.Info("Tested nginx template in ", time.Now().Sub(start).Seconds(), " seconds for ", ingsListStr)
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
index 1dbef14250..afc56eb91d 100644
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
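Review bot: The third rewritten message in validateNewIngresses carries over the stray wording "for of ingresses" from the line it replaces; since the string is being edited anyway, `return fmt.Errorf("testing template for ingresses %s: %w", ingsListStr, err)` reads correctly. With `%w` wrapping, the "error while" prefix on all three messages is redundant once the errors are chained and could be dropped in the same pass. The import hunk of this file only removes `github.com/pkg/errors`, so `fmt` is presumably already imported above the visible lines. The function starts above and continues below the hunk.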
@@ -32,11 +32,11 @@ import ( var EnableSSLChainCompletion = false const ( - // http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size + // https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size // Sets the maximum allowed size of the client request body bodySize = "1m" - // http://nginx.org/en/docs/ngx_core_module.html#error_log + // https://nginx.org/en/docs/ngx_core_module.html#error_log // Configures logging level [debug | info | notice | warn | error | crit | alert | emerg] // Log levels above are listed in the order of increasing severity errorLevel = "notice" 
@@ -55,34 +55,34 @@ const ( logFormatStream = `[$remote_addr] [$time_local] $protocol $status $bytes_sent $bytes_received $session_time` - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size + // https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size // Sets the size of the buffer used for sending data. // 4k helps NGINX to improve TLS Time To First Byte (TTTFB) // https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/ sslBufferSize = "4k" // Enabled ciphers list to enabled. The ciphers are specified in the format understood by the OpenSSL library - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers - sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" + // https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers + sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256" // SSL enabled protocols to use - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols + // https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols sslProtocols = "TLSv1.2 TLSv1.3" // Disable TLS 1.3 early data - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data + // https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data sslEarlyData = false // Time during which a client may reuse the session parameters stored in a cache. - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout + // https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout sslSessionTimeout = "10m" // Size of the SSL shared cache between all worker processes. 
- // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache + // https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache sslSessionCacheSize = "10m" // Parameters for a shared memory zone that will keep states for various keys. - // http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_zone + // https://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_zone defaultLimitConnZoneVariable = "$binary_remote_addr" ) @@ -113,12 +113,12 @@ type Configuration struct { // AllowBackendServerHeader enables the return of the header Server from the backend // instead of the generic nginx string. - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header // By default this is disabled AllowBackendServerHeader bool `json:"allow-backend-server-header"` // AccessLogParams sets additional params for access_log - // http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log + // https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log // By default it's empty AccessLogParams string `json:"access-log-params,omitempty"` 
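Review bot: The `sslCiphers` line is a behaviour change inside a hunk that otherwise only rewrites documentation URLs: `DHE-RSA-AES256-GCM-SHA384` now precedes `DHE-RSA-AES128-GCM-SHA256`. The order of this list is what the server offers as its preference, so the intended policy should be written next to the constant, for example `// listed in server preference order; keep in sync with the documented default`, and the change called out in the commit description rather than riding along with link updates. The ECDHE entries still list AES128 before AES256, so after this change the two groups follow different orderings, which a reader cannot tell is deliberate.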
@@ -131,25 +131,25 @@ type Configuration struct { EnableAuthAccessLog bool `json:"enable-auth-access-log"` // AccessLogPath sets the path of the access logs for both http and stream contexts if enabled - // http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log - // http://nginx.org/en/docs/stream/ngx_stream_log_module.html#access_log + // https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log + // https://nginx.org/en/docs/stream/ngx_stream_log_module.html#access_log // By default access logs go to /var/log/nginx/access.log AccessLogPath string `json:"access-log-path,omitempty"` // HTTPAccessLogPath sets the path of the access logs for http context globally if enabled - // http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log + // https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log HTTPAccessLogPath string `json:"http-access-log-path,omitempty"` // StreamAccessLogPath sets the path of the access logs for stream context globally if enabled - // http://nginx.org/en/docs/stream/ngx_stream_log_module.html#access_log + // https://nginx.org/en/docs/stream/ngx_stream_log_module.html#access_log StreamAccessLogPath string `json:"stream-access-log-path,omitempty"` // WorkerCPUAffinity bind nginx worker processes to CPUs this will improve response latency - // http://nginx.org/en/docs/ngx_core_module.html#worker_cpu_affinity + // https://nginx.org/en/docs/ngx_core_module.html#worker_cpu_affinity // By default this is disabled WorkerCPUAffinity string `json:"worker-cpu-affinity,omitempty"` // ErrorLogPath sets the path of the error logs - // http://nginx.org/en/docs/ngx_core_module.html#error_log + // https://nginx.org/en/docs/ngx_core_module.html#error_log // By default error logs go to /var/log/nginx/error.log ErrorLogPath string `json:"error-log-path,omitempty"` 
@@ -170,32 +170,32 @@ type Configuration struct { // ClientHeaderBufferSize allows to configure a custom buffer // size for reading client request header - // http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size + // https://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size ClientHeaderBufferSize string `json:"client-header-buffer-size"` // Defines a timeout for reading client request header, in seconds - // http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout + // https://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout ClientHeaderTimeout int `json:"client-header-timeout,omitempty"` // Sets buffer size for reading client request body - // http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size + // https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size ClientBodyBufferSize string `json:"client-body-buffer-size,omitempty"` // Defines a timeout for reading client request body, in seconds - // http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout + // https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout ClientBodyTimeout int `json:"client-body-timeout,omitempty"` // DisableAccessLog disables the Access Log globally for both HTTP and Stream contexts from NGINX ingress controller - // http://nginx.org/en/docs/http/ngx_http_log_module.html - // http://nginx.org/en/docs/stream/ngx_stream_log_module.html + // https://nginx.org/en/docs/http/ngx_http_log_module.html + // https://nginx.org/en/docs/stream/ngx_stream_log_module.html DisableAccessLog bool `json:"disable-access-log,omitempty"` // DisableHTTPAccessLog disables the Access Log for http context globally from NGINX ingress controller - // http://nginx.org/en/docs/http/ngx_http_log_module.html + // https://nginx.org/en/docs/http/ngx_http_log_module.html DisableHTTPAccessLog bool `json:"disable-http-access-log,omitempty"` // 
DisableStreamAccessLog disables the Access Log for stream context globally from NGINX ingress controller - // http://nginx.org/en/docs/stream/ngx_stream_log_module.html + // https://nginx.org/en/docs/stream/ngx_stream_log_module.html DisableStreamAccessLog bool `json:"disable-stream-access-log,omitempty"` // DisableIpv6DNS disables IPv6 for nginx resolver @@ -205,12 +205,12 @@ type Configuration struct { DisableIpv6 bool `json:"disable-ipv6,omitempty"` // EnableUnderscoresInHeaders enables underscores in header names - // http://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers + // https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers // By default this is disabled EnableUnderscoresInHeaders bool `json:"enable-underscores-in-headers"` // IgnoreInvalidHeaders set if header fields with invalid names should be ignored - // http://nginx.org/en/docs/http/ngx_http_core_module.html#ignore_invalid_headers + // https://nginx.org/en/docs/http/ngx_http_core_module.html#ignore_invalid_headers // By default this is enabled IgnoreInvalidHeaders bool `json:"ignore-invalid-headers"` @@ -218,7 +218,7 @@ type Configuration struct { // in case of an error. The previous behavior can be restored using the value true RetryNonIdempotent bool `json:"retry-non-idempotent"` - // http://nginx.org/en/docs/ngx_core_module.html#error_log + // https://nginx.org/en/docs/ngx_core_module.html#error_log // Configures logging level [debug | info | notice | warn | error | crit | alert | emerg] // Log levels above are listed in the order of increasing severity ErrorLogLevel string `json:"error-log-level,omitempty"` 
@@ -233,14 +233,14 @@ type Configuration struct { // Deprecated: HTTP2MaxHeaderSize is deprecated. HTTP2MaxHeaderSize string `json:"http2-max-header-size,omitempty"` - // http://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_requests + // https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_requests // HTTP2MaxRequests Sets the maximum number of requests (including push requests) that can be served // through one HTTP/2 connection, after which the next client request will lead to connection closing // and the need of establishing a new connection. // Deprecated: HTTP2MaxRequests is deprecated. HTTP2MaxRequests int `json:"http2-max-requests,omitempty"` - // http://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_concurrent_streams + // https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_concurrent_streams // Sets the maximum number of concurrent HTTP/2 streams in a connection. HTTP2MaxConcurrentStreams int `json:"http2-max-concurrent-streams,omitempty"` 
@@ -263,52 +263,52 @@ type Configuration struct { // Time during which a keep-alive client connection will stay open on the server side. // The zero value disables keep-alive client connections - // http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout + // https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout KeepAlive int `json:"keep-alive,omitempty"` // Sets the maximum number of requests that can be served through one keep-alive connection. - // http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests + // https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests KeepAliveRequests int `json:"keep-alive-requests,omitempty"` // LargeClientHeaderBuffers Sets the maximum number and size of buffers used for reading // large client request header. - // http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers + // https://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers // Default: 4 8k LargeClientHeaderBuffers string `json:"large-client-header-buffers"` // Disable all escaping - // http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format + // https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format LogFormatEscapeNone bool `json:"log-format-escape-none,omitempty"` // Enable json escaping - // http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format + // https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format LogFormatEscapeJSON bool `json:"log-format-escape-json,omitempty"` // Customize upstream log_format - // http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format + // https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format LogFormatUpstream string `json:"log-format-upstream,omitempty"` // Customize stream log_format - // http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format + // https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format LogFormatStream 
string `json:"log-format-stream,omitempty"` // If disabled, a worker process will accept one new connection at a time. // Otherwise, a worker process will accept all new connections at a time. - // http://nginx.org/en/docs/ngx_core_module.html#multi_accept + // https://nginx.org/en/docs/ngx_core_module.html#multi_accept // Default: true EnableMultiAccept bool `json:"enable-multi-accept,omitempty"` // Maximum number of simultaneous connections that can be opened by each worker process - // http://nginx.org/en/docs/ngx_core_module.html#worker_connections + // https://nginx.org/en/docs/ngx_core_module.html#worker_connections MaxWorkerConnections int `json:"max-worker-connections,omitempty"` // Maximum number of files that can be opened by each worker process. - // http://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile + // https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile MaxWorkerOpenFiles int `json:"max-worker-open-files,omitempty"` // Sets the bucket size for the map variables hash tables. // Default value depends on the processor’s cache line size. - // http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size + // https://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size MapHashBucketSize int `json:"map-hash-bucket-size,omitempty"` // NginxStatusIpv4Whitelist has the list of cidr that are allowed to access 
@@ -325,76 +325,76 @@ type Configuration struct { // Maximum size of the server names hash tables used in server names, map directive’s values, // MIME types, names of request header strings, etcd. - // http://nginx.org/en/docs/hash.html - // http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size + // https://nginx.org/en/docs/hash.html + // https://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size ServerNameHashMaxSize int `json:"server-name-hash-max-size,omitempty"` // Size of the bucket for the server names hash tables - // http://nginx.org/en/docs/hash.html - // http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size + // https://nginx.org/en/docs/hash.html + // https://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size ServerNameHashBucketSize int `json:"server-name-hash-bucket-size,omitempty"` // Size of the bucket for the proxy headers hash tables - // http://nginx.org/en/docs/hash.html + // https://nginx.org/en/docs/hash.html // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_max_size ProxyHeadersHashMaxSize int `json:"proxy-headers-hash-max-size,omitempty"` // Maximum size of the bucket for the proxy headers hash tables - // http://nginx.org/en/docs/hash.html + // https://nginx.org/en/docs/hash.html // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_headers_hash_bucket_size ProxyHeadersHashBucketSize int `json:"proxy-headers-hash-bucket-size,omitempty"` // Enables or disables emitting nginx version in error messages and in the “Server” response header field. - // http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens + // https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens // Default: false ShowServerTokens bool `json:"server-tokens"` // Enabled ciphers list to enabled. 
The ciphers are specified in the format understood by // the OpenSSL library - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers + // https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers SSLCiphers string `json:"ssl-ciphers,omitempty"` // Specifies a curve for ECDHE ciphers. - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ecdh_curve + // https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ecdh_curve SSLECDHCurve string `json:"ssl-ecdh-curve,omitempty"` // The secret that contains Diffie-Hellman key to help with "Perfect Forward Secrecy" // https://wiki.openssl.org/index.php/Diffie-Hellman_parameters // https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam + // https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam SSLDHParam string `json:"ssl-dh-param,omitempty"` // SSL enabled protocols to use - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols + // https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols SSLProtocols string `json:"ssl-protocols,omitempty"` // Enables or disable TLS 1.3 early data. - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data + // https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data SSLEarlyData bool `json:"ssl-early-data,omitempty"` // Enables or disables the use of shared SSL cache among worker processes. - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache + // https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache SSLSessionCache bool `json:"ssl-session-cache,omitempty"` // Size of the SSL shared cache between all worker processes. 
- // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache + // https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache SSLSessionCacheSize string `json:"ssl-session-cache-size,omitempty"` // Enables or disables session resumption through TLS session tickets. - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets + // https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets SSLSessionTickets bool `json:"ssl-session-tickets,omitempty"` // Sets the secret key used to encrypt and decrypt TLS session tickets. - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets + // https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets // By default, a randomly generated key is used. // Example: openssl rand 80 | openssl enc -A -base64 SSLSessionTicketKey string `json:"ssl-session-ticket-key,omitempty"` // Time during which a client may reuse the session parameters stored in a cache. - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout + // https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout SSLSessionTimeout string `json:"ssl-session-timeout,omitempty"` - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size + // https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size // Sets the size of the buffer used for sending data. // 4k helps NGINX to improve TLS Time To First Byte (TTTFB) // https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/ @@ -421,7 +421,7 @@ type Configuration struct { EnableAioWrite bool `json:"enable-aio-write,omitempty"` // Enables or disables the use of the nginx module that compresses responses using the "gzip" method - // http://nginx.org/en/docs/http/ngx_http_gzip_module.html + // https://nginx.org/en/docs/http/ngx_http_gzip_module.html UseGzip bool `json:"use-gzip,omitempty"` // UseGeoIP2 enables the geoip2 module for NGINX 
@@ -446,13 +446,13 @@ type Configuration struct { BrotliTypes string `json:"brotli-types,omitempty"` // Enables or disables the HTTP/2 support in secure connections - // http://nginx.org/en/docs/http/ngx_http_v2_module.html + // https://nginx.org/en/docs/http/ngx_http_v2_module.html // Default: true UseHTTP2 bool `json:"use-http2,omitempty"` // Disables gzipping of responses for requests with "User-Agent" header fields matching any of // the specified regular expressions. - // http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_disable + // https://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_disable GzipDisable string `json:"gzip-disable,omitempty"` // gzip Compression Level that will be used 
@@ -467,33 +467,33 @@ type Configuration struct { GzipTypes string `json:"gzip-types,omitempty"` // Defines the number of worker processes. By default auto means number of available CPU cores - // http://nginx.org/en/docs/ngx_core_module.html#worker_processes + // https://nginx.org/en/docs/ngx_core_module.html#worker_processes WorkerProcesses string `json:"worker-processes,omitempty"` // Defines whether multiple concurrent reloads of worker processes should occur. // Set this to false to prevent more than n x 2 workers to exist at any time, to avoid potential OOM situations and high CPU load // With this setting on false, configuration changes in the queue will be re-queued with an exponential backoff, until the number of worker process is the expected value. // By default new worker processes are spawned every time there's a change that cannot be applied dynamically with no upper limit to the number of running workers - // http://nginx.org/en/docs/ngx_core_module.html#worker_processes + // https://nginx.org/en/docs/ngx_core_module.html#worker_processes WorkerSerialReloads bool `json:"enable-serial-reloads,omitempty"` // Defines a timeout for a graceful shutdown of worker processes - // http://nginx.org/en/docs/ngx_core_module.html#worker_shutdown_timeout + // https://nginx.org/en/docs/ngx_core_module.html#worker_shutdown_timeout WorkerShutdownTimeout string `json:"worker-shutdown-timeout,omitempty"` // Sets the bucket size for the variables hash table. - // http://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_bucket_size + // https://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size VariablesHashBucketSize int `json:"variables-hash-bucket-size,omitempty"` // Sets the maximum size of the variables hash table. 
- // http://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_max_size + // https://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_max_size VariablesHashMaxSize int `json:"variables-hash-max-size,omitempty"` // Activates the cache for connections to upstream servers. // The connections parameter sets the maximum number of idle keepalive connections to // upstream servers that are preserved in the cache of each worker process. When this // number is exceeded, the least recently used connections are closed. - // http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive + // https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive UpstreamKeepaliveConnections int `json:"upstream-keepalive-connections,omitempty"` // Sets the maximum time during which requests can be processed through one keepalive connection 
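Review bot: The new link above `VariablesHashBucketSize` points at `map_hash_bucket_size` and the one above `VariablesHashMaxSize` at `map_hash_max_size`, which are map-module directives and not the variables hash table the comments describe. The variables_hash_* directives are documented in the core module, so the links should read `// https://nginx.org/en/docs/http/ngx_http_core_module.html#variables_hash_bucket_size` and the matching `#variables_hash_max_size`. The following hunk (`@@ -501,46`) has the same problem on `LimitConnZoneVariable`, where both the sentence and the link describe the variables hash table. The constant block earlier in this file links `ngx_http_limit_conn_module.html#limit_conn_zone` for that setting's default, which looks like the right target, with a comment such as `// Sets the key used for the limit_conn shared memory zone.`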
@@ -501,46 +501,46 @@ type Configuration struct { UpstreamKeepaliveTime string `json:"upstream-keepalive-time,omitempty"` // Sets a timeout during which an idle keepalive connection to an upstream server will stay open. - // http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_timeout + // https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_timeout UpstreamKeepaliveTimeout int `json:"upstream-keepalive-timeout,omitempty"` // Sets the maximum number of requests that can be served through one keepalive connection. // After the maximum number of requests is made, the connection is closed. - // http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_requests + // https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_requests UpstreamKeepaliveRequests int `json:"upstream-keepalive-requests,omitempty"` // Sets the maximum size of the variables hash table. - // http://nginx.org/en/docs/http/ngx_http_map_module.html#variables_hash_max_size + // https://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_max_size LimitConnZoneVariable string `json:"limit-conn-zone-variable,omitempty"` // Sets the timeout between two successive read or write operations on client or proxied server connections. // If no data is transmitted within this time, the connection is closed. - // http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_timeout + // https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_timeout ProxyStreamTimeout string `json:"proxy-stream-timeout,omitempty"` // When a connection to the proxied server cannot be established, determines whether // a client connection will be passed to the next server. 
- // http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_next_upstream + // https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_next_upstream ProxyStreamNextUpstream bool `json:"proxy-stream-next-upstream,omitempty"` // Limits the time allowed to pass a connection to the next server. // The 0 value turns off this limitation. - // http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_next_upstream_timeout + // https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_next_upstream_timeout ProxyStreamNextUpstreamTimeout string `json:"proxy-stream-next-upstream-timeout,omitempty"` // Limits the number of possible tries a request should be passed to the next server. // The 0 value turns off this limitation. - // http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_next_upstream_tries + // https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_next_upstream_tries ProxyStreamNextUpstreamTries int `json:"proxy-stream-next-upstream-tries,omitempty"` // Sets the number of datagrams expected from the proxied server in response // to the client request if the UDP protocol is used. - // http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_responses + // https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_responses // Default: 1 ProxyStreamResponses int `json:"proxy-stream-responses,omitempty"` // Modifies the HTTP version the proxy uses to interact with the backend. - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version ProxyHTTPVersion string `json:"proxy-http-version"` // Disables NGINX proxy-intercept-errors when error_page/custom-http-errors are set 
@@ -586,7 +586,7 @@ type Configuration struct { GenerateRequestID bool `json:"generate-request-id,omitempty"` // Adds an X-Original-Uri header with the original request URI to the backend request - // Default: true + // Default: false ProxyAddOriginalURIHeader bool `json:"proxy-add-original-uri-header"` // EnableOpentelemetry enables the nginx Opentelemetry extension @@ -594,7 +594,7 @@ type Configuration struct { EnableOpentelemetry bool `json:"enable-opentelemetry"` // OpentelemetryConfig sets the opentelemetry config file - // Default: /etc/nginx/opentelemetry.toml + // Default: /etc/ingress-controller/telemetry/opentelemetry.toml OpentelemetryConfig string `json:"opentelemetry-config"` // OpentelemetryOperationName specifies a custom name for the server span @@ -672,12 +672,12 @@ type Configuration struct { HideHeaders []string `json:"hide-headers"` // LimitReqStatusCode Sets the status code to return in response to rejected requests. - // http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_status + // https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_status // Default: 503 LimitReqStatusCode int `json:"limit-req-status-code"` // LimitConnStatusCode Sets the status code to return in response to rejected connections. - // http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_status + // https://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn_status // Default: 503 LimitConnStatusCode int `json:"limit-conn-status-code"` 
@@ -726,12 +726,12 @@ type Configuration struct { ProxySSLLocationOnly bool `json:"proxy-ssl-location-only"` // DefaultType Sets the default MIME type of a response. - // http://nginx.org/en/docs/http/ngx_http_core_module.html#default_type + // https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type // Default: text/html DefaultType string `json:"default-type"` // DebugConnections Enables debugging log for selected client connections - // http://nginx.org/en/docs/ngx_core_module.html#debug_connection + // https://nginx.org/en/docs/ngx_core_module.html#debug_connection // Default: "" DebugConnections []string `json:"debug-connections"` @@ -860,7 +860,7 @@ func NewDefault() Configuration { ProxySendTimeout: 60, ProxyBuffersNumber: 4, ProxyBufferSize: "4k", - ProxyBusyBuffersSize: "8k", + ProxyBusyBuffersSize: "", ProxyCookieDomain: "off", ProxyCookiePath: "off", ProxyNextUpstream: "error timeout", diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 025c08131d..8b68b7ee6c 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -17,6 +17,7 @@ limitations under the License. package controller import ( + "context" "fmt" "sort" "strconv" @@ -27,6 +28,8 @@ import ( apiv1 "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" apiequality "k8s.io/apimachinery/pkg/api/equality" + "k8s.io/apimachinery/pkg/api/operation" + "k8s.io/apimachinery/pkg/api/validate" "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/sets" 
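Review bot: `ProxyBusyBuffersSize: ""` in NewDefault replaces a concrete default with an empty string, and nothing in this hunk says what an empty value means. Presumably the template then leaves the directive out so that nginx derives the limit from the other proxy buffer settings, but that should be stated next to the value, e.g. `ProxyBusyBuffersSize: "", // empty: directive not rendered, nginx default applies` (to be confirmed against the template). If the field's doc comment in Configuration still names a default, it needs the same update. NewDefault's body starts and continues outside the hunk.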
@@ -191,7 +194,18 @@ func (n *NGINXController) syncIngress(interface{}) error { n.metricCollector.SetSSLExpireTime(servers) n.metricCollector.SetSSLInfo(servers) + hash, err := hashstructure.Hash(pcfg, hashstructure.FormatV1, &hashstructure.HashOptions{ + TagName: "json", + }) + if err != nil { + klog.Errorf("unexpected error hashing configuration: %v", err) + } + if n.runningConfig.Equal(pcfg) { + if !n.lastConfigSuccess { + n.metricCollector.ConfigSuccess(hash, true) + n.lastConfigSuccess = true + } klog.V(3).Infof("No configuration change detected, skipping backend reload") return nil } @@ -201,19 +215,13 @@ func (n *NGINXController) syncIngress(interface{}) error { if !utilingress.IsDynamicConfigurationEnough(pcfg, n.runningConfig) { klog.InfoS("Configuration changes detected, backend reload required") - hash, err := hashstructure.Hash(pcfg, hashstructure.FormatV1, &hashstructure.HashOptions{ - TagName: "json", - }) - if err != nil { - klog.Errorf("unexpected error hashing configuration: %v", err) - } - pcfg.ConfigurationChecksum = fmt.Sprintf("%v", hash) err = n.OnUpdate(*pcfg) if err != nil { n.metricCollector.IncReloadErrorCount() n.metricCollector.ConfigSuccess(hash, false) + n.lastConfigSuccess = false klog.Errorf("Unexpected failure reloading the backend:\n%v", err) n.recorder.Eventf(k8s.IngressPodDetails, apiv1.EventTypeWarning, "RELOAD", fmt.Sprintf("Error reloading NGINX: %v", err)) return err @@ -222,6 +230,7 @@ func (n *NGINXController) syncIngress(interface{}) error { klog.InfoS("Backend successfully reloaded") n.metricCollector.ConfigSuccess(hash, true) n.metricCollector.IncReloadCount() + n.lastConfigSuccess = true n.recorder.Eventf(k8s.IngressPodDetails, apiv1.EventTypeNormal, "RELOAD", "NGINX reload triggered due to a change in configuration") } 
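Review bot: Hoisting the hash computation in syncIngress means a hashing failure is now logged and then ignored on the no-change path as well: `hash` stays zero and is passed to `n.metricCollector.ConfigSuccess(hash, true)`. A zero hash reported as a successful configuration makes the metric misleading for anyone alerting on it. I would skip the metric update when hashing failed, `if !n.lastConfigSuccess && err == nil {`, or at least add `// hash is 0 if hashing failed; the metric is still updated`. The hash is also computed on every sync now, although the no-change path needs it only when `lastConfigSuccess` is false. The function starts and continues outside the hunk.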
@@ -242,7 +251,7 @@ func (n *NGINXController) syncIngress(interface{}) error { } retriesRemaining := retry.Steps - err := wait.ExponentialBackoff(retry, func() (bool, error) { + err = wait.ExponentialBackoff(retry, func() (bool, error) { err := n.configureDynamically(pcfg) if err == nil { klog.V(2).Infof("Dynamic reconfiguration succeeded.") @@ -355,6 +364,12 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { cfg := n.store.GetBackendConfiguration() cfg.Resolver = n.resolver + // Validate UID + // The only argument that matters is ing.UID. + if err := validate.UUID(context.TODO(), operation.Operation{}, nil, &ing.UID, nil); err != nil { + return fmt.Errorf("ingress has invalid UID: %v", err) + } + // Adds the pathType Validation if cfg.StrictValidatePathType { if err := inspector.ValidatePathType(ing); err != nil { @@ -1375,6 +1390,10 @@ func (n *NGINXController) createServers(data []*ingress.Ingress, } } + if !servers[host].SSLPassthrough && anns.SSLPassthrough { + servers[host].SSLPassthrough = true + } + // only add SSL ciphers if the server does not have them previously configured if servers[host].SSLCiphers == "" && anns.SSLCipher.SSLCiphers != "" { servers[host].SSLCiphers = anns.SSLCipher.SSLCiphers 
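Review bot: The comment on the new UID check in CheckIngress says which argument matters but not why the UID must be a well-formed UUID at admission time; a reader cannot tell from this hunk what the value is used for later. I would extend it along the lines of `// Reject UIDs that are not canonical UUIDs before the value is used further down (<where it is consumed>).` The guard also compares the validator's result with nil; if validate.UUID returns a list of field errors, as the apimachinery validators appear to, `len(errs) > 0` states the intent more directly. Passing a nil field path means the message will not name `metadata.uid`. CheckIngress starts and continues outside the hunk.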
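Review bot: With this addition in createServers, any Ingress whose parsed annotations set SSLPassthrough turns it on for the shared `servers[host]` entry, even when another Ingress created that server without it. Passthrough hands the TLS stream to the backend, so path rules and L7 settings that other Ingresses declare for the same host would presumably stop applying, and nothing in the hunk limits the flip to Ingresses of one namespace. That deserves a comment, `// any Ingress for this host can enable passthrough for the whole server; it is never reset to false`, and a log line at the point of the flip naming the Ingress, so operators can trace it. The condition can be reduced to `if anns.SSLPassthrough {`. The function body lies outside the hunk.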
@@ -1787,16 +1806,14 @@ func checkOverlap(ing *networking.Ingress, servers []*ingress.Server) error { continue } - // same ingress + // path overlap. Check if one of the ingresses has a canary annotation + isCanaryEnabled, annotationErr := parser.GetBoolAnnotation("canary", ing, canary.CanaryAnnotations.Annotations) for _, existing := range existingIngresses { if existing.ObjectMeta.Namespace == ing.ObjectMeta.Namespace && existing.ObjectMeta.Name == ing.ObjectMeta.Name { - return nil + // same ingress + continue } - } - // path overlap. Check if one of the ingresses has a canary annotation - isCanaryEnabled, annotationErr := parser.GetBoolAnnotation("canary", ing, canary.CanaryAnnotations.Annotations) - for _, existing := range existingIngresses { isExistingCanaryEnabled, existingAnnotationErr := parser.GetBoolAnnotation("canary", existing, canary.CanaryAnnotations.Annotations) if isCanaryEnabled && isExistingCanaryEnabled { @@ -1809,7 +1826,6 @@ func checkOverlap(ing *networking.Ingress, servers []*ingress.Server) error { } // no overlap - return nil } } diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go index f54ba1de99..399096e30c 100644 --- a/internal/ingress/controller/controller_test.go +++ b/internal/ingress/controller/controller_test.go @@ -38,6 +38,7 @@ import ( networking "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" + "k8s.io/apimachinery/pkg/types" "k8s.io/client-go/kubernetes/fake" "k8s.io/ingress-nginx/pkg/apis/ingress" @@ -63,6 +64,7 @@ import ( const ( exampleBackend = "example-http-svc-1-80" TRUE = "true" + goodUID = "467a2005-a207-40f8-a15d-fd30b8ecfe94" ) type fakeIngressStore struct { 
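Review bot: After the removal of `return nil` in the second checkOverlap hunk (`@@ -1809,7`), the comment `// no overlap` is left in front of a closing brace and no longer describes a statement. It should say what happens now, e.g. `// no overlap on this path; keep checking the remaining paths and rules`. The comment `// path overlap. Check if one of the ingresses has a canary annotation` now sits above the same-ingress skip, so it would read better split in two, with the canary sentence placed above `isExistingCanaryEnabled`. The change from an early `return nil` to `continue` alters which paths of an updated Ingress are checked, and none of the visible test hunks adds a case for an Ingress that keeps one path and adds an overlapping one. The enclosing loops start outside the hunk.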
@@ -221,8 +223,42 @@ func TestCheckIngress(t *testing.T) { }, }, } + + t.Run("when uids are invalid", func(t *testing.T) { + invalidUIDs := []string{ + "invalid_uid!@#$%", + "invalid_uid!", + "12345-67890-xyz", // xyz are not valid hex characters + "12345 67890", // spaces not allowed + "", + "urn:uuid:12345-67890-xyz", // xyz are not valid hex characters + "urn:uud:12345-67890-xyz", + "urn:uuid:12345 ", + } + for _, uid := range invalidUIDs { + ing.UID = types.UID(uid) + if nginx.CheckIngress(ing) == nil { + t.Errorf("with an invalid uid %s, an error should be returned", uid) + } + } + }) + + t.Run("when uids are valid", func(t *testing.T) { + validUIDs := []string{ + "467a2005-a207-40f8-a15d-fd30b8ecfe94", + "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", + } + for _, uid := range validUIDs { + ing.UID = types.UID(uid) + if nginx.CheckIngress(ing) != nil { + t.Errorf("with a valid uid %s, no error should be returned", uid) + } + } + }) + t.Run("when the class is the nginx one", func(t *testing.T) { ing.ObjectMeta.Annotations["kubernetes.io/ingress.class"] = "nginx" + ing.UID = goodUID nginx.command = testNginxTestCommand{ t: t, err: nil, @@ -242,6 +278,7 @@ func TestCheckIngress(t *testing.T) { }, } ing.Spec.Rules[0].Host = "test.example.com" + ing.UID = goodUID nginx.command = testNginxTestCommand{ t: t, err: nil, @@ -311,6 +348,7 @@ func TestCheckIngress(t *testing.T) { err: nil, } ing.ObjectMeta.Annotations["nginx.ingress.kubernetes.io/custom-headers"] = "invalid_directive" + ing.UID = goodUID if err := nginx.CheckIngress(ing); err == nil { t.Errorf("with an invalid value in annotation the ingress should be rejected") } 
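Review bot: The invalid-UID subtest in TestCheckIngress passes on any non-nil error, so it would still pass if CheckIngress rejected the object for an unrelated reason. Assert on the cause, e.g. `if err := nginx.CheckIngress(ing); err == nil || !strings.Contains(err.Error(), "invalid UID") {`, and print the value with `%q` instead of `%s`, because the cases include an empty string and one with a trailing space. The valid-UID subtest discards the returned error; putting it in the failure message, `t.Errorf("valid uid %q rejected: %v", uid, err)`, would show why a case failed. Both subtests mutate the shared `ing`, and the test function continues outside the hunk.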
@@ -2541,6 +2579,98 @@ func TestGetBackendServers(t *testing.T) { } }, }, + { + Ingresses: []*ingress.Ingress{ + { + Ingress: networking.Ingress{ + ObjectMeta: metav1.ObjectMeta{ + Name: "ssl-passthrough-1", + Namespace: "default", + }, + Spec: networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + Host: "example.com", + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Path: "/path1", + PathType: &pathTypePrefix, + Backend: networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: "path1-svc", + Port: networking.ServiceBackendPort{ + Number: 80, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + ParsedAnnotations: &annotations.Ingress{ + SSLPassthrough: false, + }, + }, + { + Ingress: networking.Ingress{ + ObjectMeta: metav1.ObjectMeta{ + Name: "ssl-passthrough-2", + Namespace: "default", + Annotations: map[string]string{ + "nginx.ingress.kubernetes.io/ssl-passthrough": "true", + }, + }, + Spec: networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + Host: "example.com", + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Path: "/", + PathType: &pathTypePrefix, + Backend: networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: "path2-svc", + Port: networking.ServiceBackendPort{ + Number: 443, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + ParsedAnnotations: &annotations.Ingress{ + SSLPassthrough: true, + }, + }, + }, + Validate: func(_ []*ingress.Ingress, _ []*ingress.Backend, servers []*ingress.Server) { + if len(servers) != 2 { + t.Errorf("servers count should be 2, got %d", len(servers)) + return + } + + s := servers[1] + + if !s.SSLPassthrough { + t.Errorf("ssl passthrough should be true, got false") + } + }, + SetConfigMap: testConfigMap, + }, } for _, testCase := range testCases { 
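Review bot: The new Validate closure asserts on `servers[1]` by position only, so the result depends on how the server list happens to be ordered rather than on which host carries passthrough. Checking the identity first, for example `if s.Hostname != "example.com" { t.Fatalf("unexpected server %q", s.Hostname) }`, ties the assertion to the host under test. The case also states no expectation for the `/path1` location of the ingress without the annotation once passthrough is enabled for the shared host; asserting it would document the intended precedence between the two ingresses.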
diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go index acf9bca9ca..c00de100db 100644 --- a/internal/ingress/controller/nginx.go +++ b/internal/ingress/controller/nginx.go @@ -37,8 +37,8 @@ import ( "time" "unicode" - proxyproto "github.com/armon/go-proxyproto" "github.com/eapache/channels" + proxyproto "github.com/pires/go-proxyproto" apiv1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/client-go/kubernetes/scheme" @@ -267,6 +267,8 @@ type NGINXController struct { command NginxExecTester + lastConfigSuccess bool + admissionBatcher AdmissionBatcher } @@ -278,7 +280,7 @@ func (n *NGINXController) Start() { // we need to use the defined ingress class to allow multiple leaders // in order to update information about ingress status - // TODO: For now, as the the IngressClass logics has changed, is up to the + // TODO: For now, as the IngressClass logics has changed, is up to the // cluster admin to create different Leader Election IDs. // Should revisit this in a future @@ -838,7 +840,11 @@ func (n *NGINXController) setupSSLProxy() { klog.Fatalf("%v", err) } - proxyList := &proxyproto.Listener{Listener: listener, ProxyHeaderTimeout: cfg.ProxyProtocolHeaderTimeout} + proxyList := &proxyproto.Listener{ + Listener: listener, + ReadHeaderTimeout: cfg.ProxyProtocolHeaderTimeout, + ReadBufferSize: 4096, // cf #14489 + } // accept TCP connections on the configured HTTPS port go func() { diff --git a/internal/ingress/controller/store/objectref.go b/internal/ingress/controller/store/objectref.go index 89ea472518..44dfe39e7f 100644 --- a/internal/ingress/controller/store/objectref.go +++ b/internal/ingress/controller/store/objectref.go @@ -112,7 +112,7 @@ func (o *objectRefMap) Reference(ref string) []string { if !ok { return make([]string, 0) } - return consumers.UnsortedList() + return sets.List(consumers) } // ReferencedBy returns all objects referenced by the given object. 
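Review bot: `ReadBufferSize: 4096, // cf #14489` in setupSSLProxy is a bare number explained only by an issue reference; a named constant with a one-line reason would keep the intent readable without the tracker, e.g. `const proxyProtocolReadBufferSize = 4096 // <reason taken from #14489>`. The move from `ProxyHeaderTimeout` to `ReadHeaderTimeout` also changes library, and the two may not treat a zero or unset timeout the same way, so it is worth confirming what `cfg.ProxyProtocolHeaderTimeout == 0` now means for a connection that never sends its header. The listener is built in this hunk without any restriction on which peers may send a PROXY header; whether that is enforced elsewhere is not visible. setupSSLProxy starts and ends outside the hunk.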
diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go index d4bd6136f8..07318c0aae 100644 --- a/internal/ingress/controller/store/store.go +++ b/internal/ingress/controller/store/store.go @@ -817,7 +817,17 @@ func New( DeleteFunc: func(obj interface{}) { svc, ok := obj.(*corev1.Service) if !ok { - klog.Errorf("unexpected type: %T", obj) + // If we reached here it means the service was deleted but its final state is unrecorded. + tombstone, ok := obj.(cache.DeletedFinalStateUnknown) + if !ok { + klog.ErrorS(nil, "Error obtaining object from tombstone", "key", obj) + return + } + svc, ok = tombstone.Obj.(*corev1.Service) + if !ok { + klog.Errorf("Tombstone contained object that is not a Service: %#v", obj) + return + } } if svc.Spec.Type == corev1.ServiceTypeExternalName { updateCh.In() <- Event{ diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index 8bd2d32167..c49d23b3db 100644 --- a/internal/ingress/controller/template/template.go +++ b/internal/ingress/controller/template/template.go @@ -68,7 +68,7 @@ const ( // Writer is the interface to render a template type Writer interface { // Write renders the template. - // NOTE: Implementors must ensure that the content of the returned slice is not modified by the implementation + // NOTE: Implementers must ensure that the content of the returned slice is not modified by the implementation // after the return of this function. Write(conf *config.TemplateConfig) ([]byte, error) } @@ -278,6 +278,7 @@ var funcMap = text_template.FuncMap{ "buildLuaSharedDictionaries": buildLuaSharedDictionaries, "luaConfigurationRequestBodySize": luaConfigurationRequestBodySize, "buildLocation": buildLocation, + "sanitizeQuotedRegex": sanitizeQuotedRegex, "buildAuthLocation": buildAuthLocation, "shouldApplyGlobalAuth": shouldApplyGlobalAuth, "buildAuthResponseHeaders": buildAuthResponseHeaders, 
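Review bot: The two failure branches of the new tombstone handling in DeleteFunc log inconsistently and both dump the whole object: the first passes `obj` to `klog.ErrorS` under the name `"key"`, and the second prints `obj` with `%#v` although the value that failed the assertion is `tombstone.Obj`. The type is enough to diagnose either case and keeps object contents out of the controller log, e.g. `klog.Errorf("tombstone contained unexpected object type: %T", tombstone.Obj)` and `klog.Errorf("unexpected type: %T", obj)`. The enclosing `New(` function starts and ends outside the hunk.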
@@ -526,16 +527,30 @@ func buildLocation(input interface{}, enforceRegex bool) string { return slash } - path := location.Path + path := sanitizeQuotedRegex(location.Path) if enforceRegex { return fmt.Sprintf(`~* "^%s"`, path) } - if location.PathType != nil && *location.PathType == networkingv1.PathTypeExact { - return fmt.Sprintf(`= %s`, path) + return fmt.Sprintf(`= "%s"`, path) } - return path + return fmt.Sprintf(`"%s"`, path) +} + +// sanitizeQuotedRegex escapes backslashes and double quotes in a location path +// so paths cannot escape NGINX configuration. +func sanitizeQuotedRegex(path string) string { + builder := strings.Builder{} + builder.Grow(2 * len(path)) + // note that iterating over a string iterates over its runes, not bytes + for _, r := range path { + if r == '\\' || r == '"' { + builder.WriteByte('\\') + } + builder.WriteRune(r) + } + return builder.String() } func buildAuthLocation(input interface{}, globalExternalAuthURL string) string { @@ -549,9 +564,7 @@ func buildAuthLocation(input interface{}, globalExternalAuthURL string) string { return "" } - str := base64.URLEncoding.EncodeToString([]byte(location.Path)) - // removes "=" after encoding - str = strings.ReplaceAll(str, "=", "") + str := base64.RawURLEncoding.EncodeToString([]byte(location.Path)) pathType := "default" if location.PathType != nil { @@ -619,8 +632,9 @@ func buildAuthProxySetHeaders(headers map[string]string) []string { } for name, value := range headers { - res = append(res, fmt.Sprintf("proxy_set_header '%v' '%v';", name, value)) + res = append(res, fmt.Sprintf("proxy_set_header %q %q;", name, value)) } + sort.Strings(res) return res } 
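Review bot: sanitizeQuotedRegex is only safe inside a double-quoted NGINX string, but neither its name nor its comment says so, even though this commit exposes it to the template through funcMap and uses it for non-regex prefix and exact paths in buildLocation. I would state the contract in the doc comment, e.g. `// The result must be placed between double quotes; single quotes and '$' are left as-is.`, so it is not reused in another quoting context. The rune loop also rewrites any invalid UTF-8 byte to U+FFFD through `WriteRune`; since both escaped characters are ASCII, `strings.NewReplacer("\\", "\\\\", "\"", "\\\"").Replace(path)` escapes byte-for-byte and drops the manual builder.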
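Review bot: `%q` in buildAuthProxySetHeaders applies Go string-literal quoting, which is a different grammar from an NGINX quoted parameter, so the writer and the parser that consumes the output can disagree. Go renders control characters as escapes such as `\r`, `\n` or `\x00`; as far as I know NGINX turns `\r` and `\n` inside quotes back into the raw characters and keeps unknown escapes as literal text, and `$` still starts variable interpolation in a `proxy_set_header` value. The updated TestBuildAuthProxySetHeaders pins `"new\rline"` and `"valu\ne2"` as accepted output, where rejecting header names and values that contain control characters before rendering would be the safer contract. Using the same escaping helper as buildLocation inside explicit double quotes would also leave the file with one quoting rule; the function body starts outside the hunk.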
@@ -772,7 +786,7 @@ func buildProxyPass(_ string, b, loc interface{}) string { return fmt.Sprintf(` rewrite "(?i)%s" %s break; -%v%v %s%s;`, path, location.Rewrite.Target, xForwardedPrefix, proxyPass, proto, upstreamName) +%v%v %s%s;`, sanitizeQuotedRegex(path), location.Rewrite.Target, xForwardedPrefix, proxyPass, proto, upstreamName) } // default proxy_pass @@ -848,7 +862,7 @@ func buildRateLimitZones(input interface{}) []string { } } - return zones.UnsortedList() + return sets.List(zones) } // buildRateLimit produces an array of limit_req to be used inside the Path of @@ -993,7 +1007,7 @@ func buildNextUpstream(i, r interface{}) string { return strings.Join(nextUpstreamCodes, " ") } -// refer to http://nginx.org/en/docs/syntax.html +// refer to https://nginx.org/en/docs/syntax.html // Nginx differentiates between size and offset // offset directives support gigabytes in addition var ( @@ -1002,7 +1016,7 @@ var ( ) // isValidByteSize validates size units valid in nginx -// http://nginx.org/en/docs/syntax.html +// https://nginx.org/en/docs/syntax.html func isValidByteSize(input interface{}, isOffset bool) bool { s, ok := input.(string) if !ok { diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go index 428bdb0bc9..ab7f94b327 100644 --- a/internal/ingress/controller/template/template_test.go +++ b/internal/ingress/controller/template/template_test.go @@ -71,7 +71,7 @@ var ( "when secure backend enabled": { "/", "/", - "/", + "\"/\"", "proxy_pass https://upstream_balancer;", "proxy_pass https://upstream_balancer;", false, @@ -82,7 +82,7 @@ var ( "when secure backend and dynamic config enabled": { "/", "/", - "/", + "\"/\"", "proxy_pass https://upstream_balancer;", "proxy_pass https://upstream_balancer;", false, 
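Review bot: Only the regex half of the `rewrite` directive is escaped in buildProxyPass; `location.Rewrite.Target` is still interpolated bare as the second `%s`, outside any quotes. Unless the target is already constrained by annotation validation elsewhere (not visible in this hunk), characters that are significant to the NGINX parser would end the parameter early, so I would quote and escape it the same way: `rewrite "(?i)%s" "%s" break;` with `sanitizeQuotedRegex(location.Rewrite.Target)`. buildProxyPass starts and ends outside the hunk, and `path` is assigned above the visible lines.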
@@ -93,7 +93,7 @@ var ( "when secure backend, stickiness and dynamic config enabled": { "/", "/", - "/", + "\"/\"", "proxy_pass https://upstream_balancer;", "proxy_pass https://upstream_balancer;", true, @@ -104,7 +104,7 @@ var ( "invalid redirect / to / with dynamic config enabled": { "/", "/", - "/", + "\"/\"", "proxy_pass http://upstream_balancer;", "proxy_pass $scheme://upstream_balancer;", false, @@ -115,7 +115,7 @@ var ( "invalid redirect / to /": { "/", "/", - "/", + "\"/\"", "proxy_pass http://upstream_balancer;", "proxy_pass $scheme://upstream_balancer;", false, @@ -548,12 +548,25 @@ func TestBuildAuthResponseLua(t *testing.T) { func TestBuildAuthProxySetHeaders(t *testing.T) { proxySetHeaders := map[string]string{ - "header1": "value1", - "header2": "value2", + "Content-Security-Policy": "default-src 'self'; img-src 'self' example.com", + "Content-Type": "application/json; charset=\"utf-8\"", + "header1": "value1", + "header2": "value2", + "Link": "; rel=\"preload\"; as=\"script\"; crossorigin=\"anonymous\"", + "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36", + "new\rline": "value1", + "newline2": "valu\ne2", } + expected := []string{ - "proxy_set_header 'header1' 'value1';", - "proxy_set_header 'header2' 'value2';", + `proxy_set_header "Content-Security-Policy" "default-src 'self'; img-src 'self' example.com";`, + `proxy_set_header "Content-Type" "application/json; charset=\"utf-8\"";`, + `proxy_set_header "Link" "; rel=\"preload\"; as=\"script\"; crossorigin=\"anonymous\"";`, + `proxy_set_header "User-Agent" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36";`, + `proxy_set_header "header1" "value1";`, + `proxy_set_header "header2" "value2";`, + `proxy_set_header "new\rline" "value1";`, + `proxy_set_header "newline2" "valu\ne2";`, } headers := buildAuthProxySetHeaders(proxySetHeaders) 
@@ -743,6 +756,110 @@ func TestTemplateWithData(t *testing.T) { } } +func mustReadTemplateConfig(t *testing.T) config.TemplateConfig { + t.Helper() + + pwd, err := os.Getwd() + if err != nil { + t.Fatalf("unexpected error: %v", err) + } + + data, err := os.ReadFile(path.Join(pwd, "../../../../test/data/config.json")) + if err != nil { + t.Fatalf("unexpected error reading json file: %v", err) + } + + var dat config.TemplateConfig + if err := jsoniter.ConfigCompatibleWithStandardLibrary.Unmarshal(data, &dat); err != nil { + t.Fatalf("unexpected error unmarshalling json: %v", err) + } + if dat.ListenPorts == nil { + dat.ListenPorts = &config.ListenPorts{} + } + + // Required by template rendering. + dat.Cfg.DefaultSSLCertificate = &ingress.SSLCert{} + + return dat +} + +func TestTemplateRendersEscapedLocationPath(t *testing.T) { + dat := mustReadTemplateConfig(t) + + implSpecific := networking.PathTypeImplementationSpecific + if len(dat.Servers) == 0 || len(dat.Servers[0].Locations) == 0 { + t.Fatalf("test/data/config.json must contain at least one server and one location") + } + + base := dat.Servers[0] + loc := *base.Locations[0] + // path containing a quote and a backslash + loc.Path = `/"\\` + loc.PathType = &implSpecific + + srv := *base + srv.Hostname = "escape.test" + srv.Aliases = nil + srv.Locations = []*ingress.Location{&loc} + + dat.Servers = append(dat.Servers, &srv) + + ngxTpl, err := NewTemplate(nginx.TemplatePath) + if err != nil { + t.Fatalf("invalid NGINX template: %v", err) + } + + rt, err := ngxTpl.Write(&dat) + if err != nil { + t.Fatalf("invalid NGINX template: %v", err) + } + + out := string(rt) + if !strings.Contains(out, `server_name "escape.test"`) { + t.Fatalf("expected server block for escape.test") + } + // The rendered nginx.conf must keep the path inside quotes and escape quotes/backslashes. 
+ if !strings.Contains(out, `location "/\"\\\\"`) { + t.Fatalf("expected escaped location path to be rendered safely") + } +} + +func TestTemplateRendersEscapedServerAliases(t *testing.T) { + dat := mustReadTemplateConfig(t) + + if len(dat.Servers) == 0 { + t.Fatalf("test/data/config.json must contain at least one server") + } + + base := dat.Servers[0] + srv := *base + srv.Hostname = "alias.test" + srv.Aliases = []string{`foo\\bar`, `foo"bar`} + + dat.Servers = append(dat.Servers, &srv) + + ngxTpl, err := NewTemplate(nginx.TemplatePath) + if err != nil { + t.Fatalf("invalid NGINX template: %v", err) + } + + rt, err := ngxTpl.Write(&dat) + if err != nil { + t.Fatalf("invalid NGINX template: %v", err) + } + + out := string(rt) + if !strings.Contains(out, `server_name "alias.test"`) { + t.Fatalf("expected server block for alias.test") + } + if !strings.Contains(out, `"foo\\\\bar"`) { + t.Fatalf("expected backslashes in server-alias to be escaped") + } + if !strings.Contains(out, `"foo\"bar"`) { + t.Fatalf("expected quotes in server-alias to be escaped") + } +} + func BenchmarkTemplateWithData(b *testing.B) { pwd, err := os.Getwd() if err != nil { diff --git a/internal/ingress/controller/util.go b/internal/ingress/controller/util.go index 975fb822ae..31f4fd97e3 100644 --- a/internal/ingress/controller/util.go +++ b/internal/ingress/controller/util.go @@ -75,7 +75,7 @@ func upstreamServiceNameAndPort(service *networking.IngressServiceBackend) (stri // sysctlSomaxconn returns the maximum number of connections that can be queued // for acceptance (value of net.core.somaxconn) -// http://nginx.org/en/docs/http/ngx_http_core_module.html#listen +// https://nginx.org/en/docs/http/ngx_http_core_module.html#listen func sysctlSomaxconn() int { maxConns, err := getSysctl("net/core/somaxconn") if err != nil || maxConns < 512 { diff --git a/internal/ingress/defaults/main.go b/internal/ingress/defaults/main.go index 4ee3d8e525..abca0ea9e9 100644 
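Review bot: The comment `// path containing a quote and a backslash` in TestTemplateRendersEscapedLocationPath does not match the literal, because inside a raw string `/"\\` holds two backslashes, which is why the expected output has four; `foo\\bar` in the alias test is the same. Either use a single backslash in the inputs or correct the comment so the expectation can be checked by eye. Both tests render only an ImplementationSpecific path, so the `= "%s"` branch for Exact and the `~* "^%s"` regex branch of buildLocation stay uncovered; a small table test calling buildLocation or sanitizeQuotedRegex directly would cover them without loading test/data/config.json.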
--- a/internal/ingress/defaults/main.go +++ b/internal/ingress/defaults/main.go @@ -26,8 +26,8 @@ type Backend struct { AppRoot string `json:"app-root"` // enables which HTTP codes should be passed for processing with the error_page directive - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors - // http://nginx.org/en/docs/http/ngx_http_core_module.html#error_page + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors + // https://nginx.org/en/docs/http/ngx_http_core_module.html#error_page // By default this is disabled CustomHTTPErrors []int `json:"custom-http-errors"` 
@@ -37,59 +37,59 @@ type Backend struct { // allows usage of CustomHTTPErrors without intercepting service errors // e.g. custom 404 and 503 when service-a does not exist or is not available // but service-a can return 404 and 503 error codes without intercept - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors // By default this is false DisableProxyInterceptErrors bool `json:"disable-proxy-intercept-errors"` - // http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size + // https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size // Sets the maximum allowed size of the client request body ProxyBodySize string `json:"proxy-body-size"` // Defines a timeout for establishing a connection with a proxied server. // It should be noted that this timeout cannot usually exceed 75 seconds. - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout ProxyConnectTimeout int `json:"proxy-connect-timeout"` // Timeout in seconds for reading a response from the proxied server. The timeout is set only between // two successive read operations, not for the transmission of the whole response - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout ProxyReadTimeout int `json:"proxy-read-timeout"` // Timeout in seconds for transmitting a request to the proxied server. The timeout is set only between // two successive write operations, not for the transmission of the whole request. 
- // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout ProxySendTimeout int `json:"proxy-send-timeout"` // Sets the number of the buffers used for reading a response from the proxied server - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers ProxyBuffersNumber int `json:"proxy-buffers-number"` // Sets the size of the buffer used for reading the first part of the response received from the // proxied server. This part usually contains a small response header. - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size ProxyBufferSize string `json:"proxy-buffer-size"` // Limits the total size of buffers that can be busy sending a response to the client while // the response is not yet fully read. - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_busy_buffers_size + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_busy_buffers_size ProxyBusyBuffersSize string `json:"proxy-busy-buffers-size"` // Sets a text that should be changed in the path attribute of the “Set-Cookie” header fields of // a proxied server response. - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path ProxyCookiePath string `json:"proxy-cookie-path"` // Sets a text that should be changed in the domain attribute of the “Set-Cookie” header fields // of a proxied server response. 
- // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_domain + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_domain ProxyCookieDomain string `json:"proxy-cookie-domain"` // Specifies in which cases a request should be passed to the next server. - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream ProxyNextUpstream string `json:"proxy-next-upstream"` // Limits the time during which a request can be passed to the next server. - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream_timeout + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream_timeout ProxyNextUpstreamTimeout int `json:"proxy-next-upstream-timeout"` // Limits the number of possible tries for passing a request to the next server. 
@@ -97,17 +97,17 @@ type Backend struct { ProxyNextUpstreamTries int `json:"proxy-next-upstream-tries"` // Sets the original text that should be changed in the "Location" and "Refresh" header fields of a proxied server response. - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect // Default: off ProxyRedirectFrom string `json:"proxy-redirect-from"` // Sets the replacement text that should be changed in the "Location" and "Refresh" header fields of a proxied server response. - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect // Default: off ProxyRedirectTo string `json:"proxy-redirect-to"` // Enables or disables buffering of a client request body. - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_request_buffering + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_request_buffering ProxyRequestBuffering string `json:"proxy-request-buffering"` // Name server/s used to resolve names of upstream servers into IP addresses. 
@@ -131,14 +131,14 @@ type Backend struct { UsePortInRedirects bool `json:"use-port-in-redirects"` // Enables or disables relative redirects. By default nginx uses absolute redirects. - // http://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect + // https://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect // Default: false RelativeRedirects bool `json:"relative-redirects"` // Enable stickiness by client-server mapping based on a NGINX variable, text or a combination of both. // A consistent hashing method will be used which ensures only a few keys would be remapped to different // servers on upstream group changes - // http://nginx.org/en/docs/http/ngx_http_upstream_module.html#hash + // https://nginx.org/en/docs/http/ngx_http_upstream_module.html#hash UpstreamHashBy string `json:"upstream-hash-by"` // Consistent hashing subset flag. 
@@ -153,34 +153,34 @@ type Backend struct { LoadBalancing string `json:"load-balance"` // WhitelistSourceRange allows limiting access to certain client addresses - // http://nginx.org/en/docs/http/ngx_http_access_module.html + // https://nginx.org/en/docs/http/ngx_http_access_module.html WhitelistSourceRange []string `json:"whitelist-source-range"` // DenylistSourceRange allows limiting access to certain client addresses - // http://nginx.org/en/docs/http/ngx_http_access_module.html + // https://nginx.org/en/docs/http/ngx_http_access_module.html DenylistSourceRange []string `json:"denylist-source-range"` // Limits the rate of response transmission to a client. // The rate is specified in bytes per second. The zero value disables rate limiting. // The limit is set per a request, and so if a client simultaneously opens two connections, // the overall rate will be twice as much as the specified limit. - // http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate + // https://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate LimitRate int `json:"limit-rate"` // Sets the initial amount after which the further transmission of a response to a client will be rate limited. - // http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate_after + // https://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate_after LimitRateAfter int `json:"limit-rate-after"` // Enables or disables buffering of responses from the proxied server. - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering ProxyBuffering string `json:"proxy-buffering"` // Modifies the HTTP version the proxy uses to interact with the backend. 
- // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version ProxyHTTPVersion string `json:"proxy-http-version"` // Sets the maximum temp file size when proxy-buffers capacity is exceeded. - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_max_temp_file_size + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_max_temp_file_size ProxyMaxTempFileSize string `json:"proxy-max-temp-file-size"` // By default, the NGINX ingress controller uses a list of all endpoints (Pod IP/port) in the NGINX upstream configuration. diff --git a/internal/ingress/inspector/inspector.go b/internal/ingress/inspector/inspector.go index b41e18d9ed..a3176c0702 100644 --- a/internal/ingress/inspector/inspector.go +++ b/internal/ingress/inspector/inspector.go @@ -55,7 +55,13 @@ func ValidatePathType(ing *networking.Ingress) error { } if path.PathType == nil || *path.PathType != implSpecific { if isValid := validPathType.MatchString(path.Path); !isValid { - err = errors.Join(err, fmt.Errorf("path %s cannot be used with pathType %s", path.Path, string(*path.PathType))) + var pathTypeStr string + if path.PathType != nil { + pathTypeStr = string(*path.PathType) + } else { + pathTypeStr = "" + } + err = errors.Join(err, fmt.Errorf("path %s cannot be used with pathType %s", path.Path, pathTypeStr)) } } } diff --git a/internal/ingress/inspector/inspector_test.go b/internal/ingress/inspector/inspector_test.go index 36b029cfff..cf19aba7ff 100644 --- a/internal/ingress/inspector/inspector_test.go +++ b/internal/ingress/inspector/inspector_test.go @@ -44,10 +44,18 @@ var ( PathType: &prefix, Path: "/xpto/ab0/x_ss-9", }, + { + PathType: &prefix, + Path: "/.well-known/acme-challenge/", + }, { PathType: &exact, Path: "/bla/", }, + { + PathType: &exact, + Path: "/.well-known/acme-challenge/", + }, }, }, }, 
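Review bot: With a nil PathType the rewritten message in ValidatePathType ends in a dangling `pathType ` followed by nothing, and the `else { pathTypeStr = "" }` branch only re-assigns the zero value. Keeping `var pathTypeStr string` with just the `if path.PathType != nil` assignment is equivalent, and formatting both values with `%q`, as in `"path %q cannot be used with pathType %q"`, makes an empty type and a path containing a newline (like the `/lala/xp\ntest` fixture) unambiguous in the returned error. The `aErr` expectations in inspector_test.go would need the same format. The function starts and ends outside the hunk.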
@@ -101,6 +109,17 @@ var ( PathType: &prefix, Path: "/lala/xp\ntest", }, + { + PathType: &prefix, + Path: "/$lala/test", + }, + { + PathType: &prefix, + Path: "#lala/test", + }, + { + Path: "notvalidpathname-panics", + }, }, }, }, @@ -174,6 +193,9 @@ func TestValidatePathType(t *testing.T) { aErr("xpto/lala", "Exact"), aErr("/foo/bar/[a-z]{3}", "Prefix"), aErr("/lala/xp\ntest", "Prefix"), + aErr("/$lala/test", "Prefix"), + aErr("#lala/test", "Prefix"), + aErr("notvalidpathname-panics", ""), ), }, } diff --git a/internal/ingress/inspector/rules.go b/internal/ingress/inspector/rules.go index 8388efdd5b..fc9e49d571 100644 --- a/internal/ingress/inspector/rules.go +++ b/internal/ingress/inspector/rules.go @@ -28,13 +28,13 @@ var ( invalidSecretsDir = regexp.MustCompile(`/var/run/secrets`) invalidByLuaDirective = regexp.MustCompile(`.*_by_lua.*`) - // validPathType enforces alphanumeric, -, _ and / characters. - // The field (?i) turns this regex case insensitive + // validPathType enforces alphanumeric, -, _ , . and / characters. + // The field (?i) turns this regex case-insensitive // The remaining regex says that the string must start with a "/" (^/) - // the group [[:alnum:]\_\-\/]* says that any amount of characters (A-Za-z0-9), _, - and / + // the group [[:alnum:]\_\-\/\.]* says that any amount of characters (A-Za-z0-9), _, - , . and / // are accepted until the end of the line // Nothing else is accepted. - validPathType = regexp.MustCompile(`(?i)^/[[:alnum:]\_\-/]*$`) + validPathType = regexp.MustCompile(`(?i)^/[[:alnum:]._\-/]*$`) invalidRegex = []regexp.Regexp{} ) diff --git a/internal/ingress/metric/collectors/socket.go b/internal/ingress/metric/collectors/socket.go index 0bdd816ae1..03ceee4610 100644 --- a/internal/ingress/metric/collectors/socket.go +++ b/internal/ingress/metric/collectors/socket.go 
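Review bot: The updated comment above validPathType quotes the class as `[[:alnum:]\_\-\/\.]*` while the compiled pattern is `[[:alnum:]._\-/]*`; they accept the same characters, but the comment should show the expression that is actually compiled. Allowing `.` also admits `.` and `..` path segments for Exact and Prefix paths, which none of the added test cases mention; if that is intended, a case stating it would record the decision, and if not it needs a separate check next to this pattern. `(?i)` has no effect on a class made of `[[:alnum:]]` and punctuation and could be removed.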
@@ -102,6 +102,12 @@ var requestTags = []string{ // the ingress watch namespace and class used by the controller func NewSocketCollector(pod, namespace, class string, metricsPerHost, metricsPerUndefinedHost, reportStatusClasses bool, buckets HistogramBuckets, bucketFactor float64, maxBuckets uint32, excludeMetrics []string) (*SocketCollector, error) { socket := "/tmp/nginx/prometheus-nginx.socket" + + // Ensure the directory exists + if err := os.MkdirAll("/tmp/nginx", 0o755); err != nil { + return nil, fmt.Errorf("failed to create socket directory: %w", err) + } + // unix sockets must be unlink()ed before being used //nolint:errcheck // Ignore unlink error _ = syscall.Unlink(socket) @@ -111,7 +117,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, metricsPer return nil, err } - err = os.Chmod(socket, 0o777) // #nosec + err = os.Chmod(socket, 0o660) // Read/write for owner and group only - more secure than 0o777 if err != nil { return nil, err } diff --git a/internal/ingress/metric/collectors/testutils.go b/internal/ingress/metric/collectors/testutils.go index 3fc0fc754a..731e7998f9 100644 --- a/internal/ingress/metric/collectors/testutils.go +++ b/internal/ingress/metric/collectors/testutils.go @@ -26,6 +26,7 @@ import ( "github.com/prometheus/client_golang/prometheus" dto "github.com/prometheus/client_model/go" "github.com/prometheus/common/expfmt" + "github.com/prometheus/common/model" ) // GatherAndCompare retrieves all metrics exposed by a collector and compares it @@ -41,7 +42,7 @@ func GatherAndCompare(_ prometheus.Collector, expected string, metricNames []str if metricNames != nil { metrics = filterMetrics(metrics, metricNames) } - var tp expfmt.TextParser + tp := expfmt.NewTextParser(model.UTF8Validation) expectedMetrics, err := tp.TextToMetricFamilies(bytes.NewReader([]byte(expected))) if err != nil { return fmt.Errorf("parsing expected metrics failed: %s", err) 
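Review bot: The new `os.MkdirAll("/tmp/nginx", 0o755)` in NewSocketCollector repeats the directory that is already part of `socket` and succeeds silently when the path already exists, whoever owns it. A shared constant such as `const socketDir = "/tmp/nginx"` used for both keeps the two in step. Since the directory sits under `/tmp`, it is worth deciding whether a pre-existing directory with unexpected ownership or mode should be an error rather than be reused. The function continues outside the hunk.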
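Review bot: `os.Chmod(socket, 0o660)` narrows the mode only after the listener has created the socket, so between the two calls the file carries whatever the process umask allows. The change also drops the access for other users that the old `0o777` granted; whether the NGINX workers that write to this socket share the controller's UID or group is not visible here and should be confirmed, because a mismatch would stop metrics silently rather than fail startup. The trailing remark would read better as a why-comment on its own line, e.g. `// owner and group only: the socket is written by <writer identity>`.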
diff --git a/internal/ingress/status/status.go b/internal/ingress/status/status.go index ef01cdd248..8eee7dd746 100644 --- a/internal/ingress/status/status.go +++ b/internal/ingress/status/status.go @@ -95,11 +95,16 @@ func (s *statusSync) Run(stopCh chan struct{}) { // when this instance is the leader we need to enqueue // an item to trigger the update of the Ingress status. - //nolint:staticcheck // TODO: will replace it since wait.PollUntil is deprecated - err := wait.PollUntil(time.Duration(UpdateInterval)*time.Second, func() (bool, error) { + ctx, cancel := context.WithCancel(context.Background()) + go func() { + <-stopCh + cancel() + }() + + err := wait.PollUntilContextCancel(ctx, time.Duration(UpdateInterval)*time.Second, true, func(context.Context) (bool, error) { s.syncQueue.EnqueueTask(task.GetDummyObject("sync status")) return false, nil - }, stopCh) + }) if err != nil { klog.ErrorS(err, "error running poll") } @@ -220,9 +225,11 @@ func (s *statusSync) runningAddresses() ([]v1.IngressLoadBalancerIngress, error) continue } - name := k8s.GetNodeIPOrName(s.Client, pod.Spec.NodeName, s.UseNodeInternalIP) - if !stringInIngresses(name, addrs) { - addrs = append(addrs, nameOrIPToLoadBalancerIngress(name)) + theseAddresses := k8s.GetNodeIPs(s.Client, pod.Spec.NodeName, s.UseNodeInternalIP) + for _, thisAddress := range theseAddresses { + if !stringInIngresses(thisAddress, addrs) { + addrs = append(addrs, nameOrIPToLoadBalancerIngress(thisAddress)) + } } } diff --git a/internal/k8s/main.go b/internal/k8s/main.go index 5e93e560d6..0c628251e9 100644 --- a/internal/k8s/main.go +++ b/internal/k8s/main.go 
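Review bot: In Run the new `cancel` is reachable only from the goroutine that waits on `stopCh`, so if `PollUntilContextCancel` returns for any other reason the context is never released and that goroutine stays parked until `stopCh` closes; a `defer cancel()` right after `context.WithCancel` covers both paths. Passing `true` as the immediate argument enqueues the first "sync status" task at once, whereas `wait.PollUntil` waited one interval before its first run, so this changes start-up behaviour unless `false` is passed. On a normal stop the call presumably returns the context's cancellation error, which `klog.ErrorS(err, "error running poll")` will then report as an error. Run's body starts and ends outside the hunk.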
@@ -42,37 +42,31 @@ func ParseNameNS(input string) (ns, name string, err error) { return nsName[0], nsName[1], nil } -// GetNodeIPOrName returns the IP address or the name of a node in the cluster -func GetNodeIPOrName(kubeClient clientset.Interface, name string, useInternalIP bool) string { +// GetNodeIPs returns the IP addresses of a node in the cluster +func GetNodeIPs(kubeClient clientset.Interface, name string, useInternalIP bool) []string { node, err := kubeClient.CoreV1().Nodes().Get(context.TODO(), name, metav1.GetOptions{}) if err != nil { klog.ErrorS(err, "Error getting node", "name", name) - return "" + return []string{} } - defaultOrInternalIP := "" + externalIPs := []string{} + internalIPs := []string{} + for _, address := range node.Status.Addresses { - if address.Type == apiv1.NodeInternalIP { - if address.Address != "" { - defaultOrInternalIP = address.Address - break - } + if address.Type == apiv1.NodeInternalIP && address.Address != "" { + internalIPs = append(internalIPs, address.Address) + } + if address.Type == apiv1.NodeExternalIP && address.Address != "" { + externalIPs = append(externalIPs, address.Address) } } - if useInternalIP { - return defaultOrInternalIP - } - - for _, address := range node.Status.Addresses { - if address.Type == apiv1.NodeExternalIP { - if address.Address != "" { - return address.Address - } - } + if useInternalIP || len(externalIPs) == 0 { + return internalIPs } - return defaultOrInternalIP + return externalIPs } var ( diff --git a/internal/k8s/main_test.go b/internal/k8s/main_test.go index 1721c1fb29..3d3fe73f0f 100644 --- a/internal/k8s/main_test.go +++ b/internal/k8s/main_test.go @@ -17,6 +17,7 @@ limitations under the License. package k8s import ( + "slices" "testing" apiv1 "k8s.io/api/core/v1" 
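Review bot: The new doc comment on GetNodeIPs does not describe the selection rule the body implements, which runningAddresses in status.go now depends on. I would write it as `// GetNodeIPs returns every non-empty InternalIP of the node when useInternalIP is set or the node has no ExternalIP, and every non-empty ExternalIP otherwise; it returns an empty slice if the node cannot be fetched.` That also records the change from the old function, which returned a single address.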
@@ -60,13 +61,15 @@ func TestGetNodeIP(t *testing.T) { name string cs *testclient.Clientset nodeName string - ea string + ea []string useInternalIP bool }{ { "empty node list", testclient.NewSimpleClientset(), - "demo", "", true, + "demo", + []string{}, + true, }, { "node does not exist", @@ -82,10 +85,12 @@ func TestGetNodeIP(t *testing.T) { }, }, }, - }}}), "notexistnode", "", true, + }}}), "notexistnode", + []string{}, + true, }, { - "node exist and only has an internal IP address (useInternalIP=false)", + "node exists and only has an internal IP address (useInternalIP=false)", testclient.NewSimpleClientset(&apiv1.NodeList{Items: []apiv1.Node{{ ObjectMeta: metav1.ObjectMeta{ Name: "demo", 
@@ -98,10 +103,56 @@ func TestGetNodeIP(t *testing.T) { }, }, }, - }}}), "demo", "10.0.0.1", false, + }}}), "demo", + []string{"10.0.0.1"}, + false, }, { - "node exist and only has an internal IP address", + "node exists has an internal IP address and an empty external IP address (useInternalIP=false)", + testclient.NewSimpleClientset(&apiv1.NodeList{Items: []apiv1.Node{{ + ObjectMeta: metav1.ObjectMeta{ + Name: "demo", + }, + Status: apiv1.NodeStatus{ + Addresses: []apiv1.NodeAddress{ + { + Type: apiv1.NodeExternalIP, + Address: "", + }, + { + Type: apiv1.NodeInternalIP, + Address: "10.0.0.1", + }, + }, + }, + }}}), "demo", + []string{"10.0.0.1"}, + false, + }, + { + "node exists and has two internal IP address (useInternalIP=false)", + testclient.NewSimpleClientset(&apiv1.NodeList{Items: []apiv1.Node{{ + ObjectMeta: metav1.ObjectMeta{ + Name: "demo", + }, + Status: apiv1.NodeStatus{ + Addresses: []apiv1.NodeAddress{ + { + Type: apiv1.NodeInternalIP, + Address: "10.0.0.1", + }, + { + Type: apiv1.NodeInternalIP, + Address: "fd00::1", + }, + }, + }, + }}}), "demo", + []string{"10.0.0.1", "fd00::1"}, + false, + }, + { + "node exists and only has an internal IP address", testclient.NewSimpleClientset(&apiv1.NodeList{Items: []apiv1.Node{{ ObjectMeta: metav1.ObjectMeta{ Name: "demo", @@ -114,7 +165,31 @@ func TestGetNodeIP(t *testing.T) { }, }, }, - }}}), "demo", "10.0.0.1", true, + }}}), "demo", + []string{"10.0.0.1"}, + true, + }, + { + "node exists and has two internal IP address", + testclient.NewSimpleClientset(&apiv1.NodeList{Items: []apiv1.Node{{ + ObjectMeta: metav1.ObjectMeta{ + Name: "demo", + }, + Status: apiv1.NodeStatus{ + Addresses: []apiv1.NodeAddress{ + { + Type: apiv1.NodeInternalIP, + Address: "10.0.0.1", + }, + { + Type: apiv1.NodeInternalIP, + Address: "fd00::1", + }, + }, + }, + }}}), "demo", + []string{"10.0.0.1", "fd00::1"}, + true, }, { "node exist and only has an external IP address", 
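Review bot: The added cases cover a node with two internal addresses but none with two external addresses, so the multi-address return for `useInternalIP=false` with external IPs is untested. A case with two `apiv1.NodeExternalIP` entries that expects both back would close that gap. The new case names also read `two internal IP address`, which should be `addresses`. The test table starts before this hunk and continues after it.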
@@ -130,7 +205,27 @@ func TestGetNodeIP(t *testing.T) { }, }, }, - }}}), "demo", "10.0.0.1", false, + }}}), "demo", + []string{"10.0.0.1"}, + false, + }, + { + "node exist and only has an external IP address (useInternalIP=true)", + testclient.NewSimpleClientset(&apiv1.NodeList{Items: []apiv1.Node{{ + ObjectMeta: metav1.ObjectMeta{ + Name: "demo", + }, + Status: apiv1.NodeStatus{ + Addresses: []apiv1.NodeAddress{ + { + Type: apiv1.NodeExternalIP, + Address: "10.0.0.1", + }, + }, + }, + }}}), "demo", + []string{}, + true, }, { "multiple nodes - choose the right one", @@ -162,10 +257,12 @@ func TestGetNodeIP(t *testing.T) { }, }, }}), - "demo2", "10.0.0.2", true, + "demo2", + []string{"10.0.0.2"}, + true, }, { - "node with both IP internal and external IP address - returns external IP", + "node with both internal and external IP address - returns external IP", testclient.NewSimpleClientset(&apiv1.NodeList{Items: []apiv1.Node{{ ObjectMeta: metav1.ObjectMeta{ Name: "demo", @@ -182,10 +279,12 @@ func TestGetNodeIP(t *testing.T) { }, }, }}}), - "demo", "10.0.0.2", false, + "demo", + []string{"10.0.0.2"}, + false, }, { - "node with both IP internal and external IP address - returns internal IP", + "node with both internal and external IP address - returns internal IP", testclient.NewSimpleClientset(&apiv1.NodeList{Items: []apiv1.Node{{ ObjectMeta: metav1.ObjectMeta{ Name: "demo", @@ -202,14 +301,16 @@ func TestGetNodeIP(t *testing.T) { }, }, }}}), - "demo", "10.0.0.2", true, + "demo", + []string{"10.0.0.2"}, + true, }, } for _, fk := range fKNodes { - address := GetNodeIPOrName(fk.cs, fk.nodeName, fk.useInternalIP) - if address != fk.ea { - t.Errorf("%v - expected %s, but returned %s", fk.name, fk.ea, address) + addresses := GetNodeIPs(fk.cs, fk.nodeName, fk.useInternalIP) + if !slices.Equal(addresses, fk.ea) { + t.Errorf("%v - expected %v, but returned %v", fk.name, fk.ea, addresses) } } } 
diff --git a/internal/nginx/main.go b/internal/nginx/main.go index fc586e9e83..18ee5ecd1c 100644 --- a/internal/nginx/main.go +++ b/internal/nginx/main.go @@ -55,7 +55,7 @@ var HealthPath = "/healthz" var HealthCheckTimeout = 10 * time.Second // StatusPath defines the path used to expose the NGINX status page -// http://nginx.org/en/docs/http/ngx_http_stub_status_module.html +// https://nginx.org/en/docs/http/ngx_http_stub_status_module.html var StatusPath = "/nginx_status" // StreamPort defines the port used by NGINX for the NGINX stream configuration socket diff --git a/internal/task/queue.go b/internal/task/queue.go index 8753bed346..44916bb14d 100644 --- a/internal/task/queue.go +++ b/internal/task/queue.go @@ -120,10 +120,16 @@ func (t *Queue) worker() { klog.ErrorS(nil, "invalid item type", "key", key) } if item.Timestamp != 0 && t.lastSync > item.Timestamp { - klog.V(3).InfoS("skipping sync", "key", item.Key, "last", t.lastSync, "now", item.Timestamp) - t.queue.Forget(key) - t.queue.Done(key) - continue + // fix issue https://github.com/kubernetes/ingress-nginx/issues/14374 + if t.lastSync > ts { + klog.Warningf("The lastSync time %d is later than the current time %d; setting lastSync to %d", t.lastSync, ts, item.Timestamp) + t.lastSync = item.Timestamp + } else { + klog.V(3).InfoS("skipping sync", "key", item.Key, "last", t.lastSync, "now", item.Timestamp) + t.queue.Forget(key) + t.queue.Done(key) + continue + } } klog.V(3).InfoS("syncing", "key", item.Key) diff --git a/joom-build.sh b/joom-build.sh index a4f0391cec..fae61643e5 100755 --- a/joom-build.sh +++ b/joom-build.sh 
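Review bot: The new branch in `worker` needs a comment that explains the condition rather than only linking the issue, because `ts` is defined outside the hunk and nothing here says why `t.lastSync > ts` means the item must not be skipped. Something like `// lastSync is ahead of the current time (presumably the clock stepped back); reset it so queued items are not skipped until the clock catches up` would do. The message is also written with `klog.Warningf` while the neighbouring lines use structured calls; `klog.InfoS("lastSync is later than the current time, resetting", "last", t.lastSync, "now", ts, "item", item.Timestamp)` would match them. `worker` continues outside the hunk.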
@@ -7,9 +7,17 @@ export BASE_TAG BASE_TAG=$(cat TAG) export TAG="${BASE_TAG}-batching-patch-$(date -u +%d%m%y-%H%M%S)" -export ARCH=amd64 +ARCHES=(amd64 arm64) +IMAGE="${REGISTRY}/controller" -make build ARCH=$ARCH -make image PLATFORM=linux/$ARCH TAG=$TAG REGISTRY=$REGISTRY +for ARCH in "${ARCHES[@]}"; do + make build ARCH="$ARCH" + make image PLATFORM="linux/$ARCH" TAG="${TAG}-${ARCH}" ARCH="$ARCH" REGISTRY="$REGISTRY" + docker push "${IMAGE}:${TAG}-${ARCH}" +done -docker push "${REGISTRY}/controller:${TAG}" +docker manifest create "${IMAGE}:${TAG}" \ + "${IMAGE}:${TAG}-amd64" \ + "${IMAGE}:${TAG}-arm64" + +docker manifest push "${IMAGE}:${TAG}" diff --git a/magefiles/steps/helm.go b/magefiles/steps/helm.go index 73c9b0b3b4..f0e76b0a6e 100644 --- a/magefiles/steps/helm.go +++ b/magefiles/steps/helm.go @@ -19,13 +19,13 @@ package steps import ( "bytes" "os" + "strings" semver "github.com/blang/semver/v4" - "github.com/helm/helm/pkg/chartutil" "github.com/magefile/mage/mg" "github.com/magefile/mage/sh" - yamlpath "github.com/vmware-labs/yaml-jsonpath/pkg/yamlpath" - "gopkg.in/yaml.v3" + "go.yaml.in/yaml/v3" + chartutil "helm.sh/helm/v4/pkg/chart/v2/util" utils "k8s.io/ingress-nginx/magefiles/utils" ) 
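Review bot: The `docker manifest create` call lists `-amd64` and `-arm64` by hand although the build loop is driven by `ARCHES`, so adding an architecture to the array builds and pushes an image that never reaches the manifest list. Collect the references in the loop instead: `MANIFEST_IMAGES=()` before it, `MANIFEST_IMAGES+=("${IMAGE}:${TAG}-${ARCH}")` after the push, then `docker manifest create "${IMAGE}:${TAG}" "${MANIFEST_IMAGES[@]}"`. The arrays need bash, and a failed `make` or `docker push` should stop the script before the manifest is created; the shebang and any `set -e` are outside the hunk, so both are worth checking.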
@@ -119,46 +119,91 @@ func updateChartReleaseNotes(releaseNotes []string) { utils.CheckIfError(err, "HELM Failed to save chart manifest: %s", HelmChartPath) } -// UpdateChartValue Updates the Helm ChartValue -func (Helm) UpdateChartValue(key, value string) { - updateChartValue(key, value) +// Updates a Helm chart value by path and value. +func (Helm) UpdateChartValue(path, value string) { + updateChartValue(path, value) } -func updateChartValue(key, value string) { - utils.Info("HELM Updating Chart %s %s:%s", HelmChartValues, key, value) - - // read current values.yaml - data, err := os.ReadFile(HelmChartValues) - utils.CheckIfError(err, "HELM Could not Load Helm Chart Values files %s", HelmChartValues) - - // var valuesStruct IngressChartValue - var n yaml.Node - utils.CheckIfError(yaml.Unmarshal(data, &n), "HELM Could not Unmarshal %s", HelmChartValues) +// Updates a Helm chart value by path and value. +func updateChartValue(path, value string) { + utils.Info("HELM Updating path %q to value %q in file %q", path, value, HelmChartValues) + + // Read file. + file, err := os.ReadFile(HelmChartValues) + utils.CheckIfError(err, "HELM Failed to read file %q", HelmChartValues) + + // Unmarshal values. + var values yaml.Node + err = yaml.Unmarshal(file, &values) + utils.CheckIfError(err, "HELM Failed to unmarshal values %q", HelmChartValues) + + // Variable to track if we updated the value in the values. + updated := false + + // Iterate nodes. + for _, node := range values.Content { + // Variable to track if we found the path in the values. + found := false + + // Split path into keys and iterate over them to find the node to update. + for _, key := range strings.Split(path, ".") { + // Reset found variable for each key, since it might happen a single key of a path is not a mapping or not found. + found = false + + // Check if node is a mapping node. + if node.Kind != yaml.MappingNode { + break + } + + // Iterate over mapping content to find the key. 
+ // Each key and its value are stored in consecutive positions in the content slice, so we need to iterate with a step of 2. + for i := 0; i < len(node.Content); i += 2 { + // Check if the current key matches the desired key. + if node.Content[i].Value == key { + // If we found the key, we need to update the mapping variable to point to its value. + node = node.Content[i+1] + found = true + break + } + } + + // Check if we found the key in the mapping. + if !found { + break + } + } + + // Check if we found the path in the node. + if !found { + continue + } + + // Update the value of the node. + node.SetString(value) + updated = true + } - // update value - // keyParse := parsePath(key) - p, err := yamlpath.NewPath(key) - utils.CheckIfError(err, "HELM cannot create path") + // Check if we updated the value in the values. + if !updated { + utils.ErrorF("HELM Could not find path %q in values %q", path, HelmChartValues) + os.Exit(1) + } - q, err := p.Find(&n) - utils.CheckIfError(err, "HELM unexpected error finding path") + // Setup encoder with buffer and indent. + var encodedValues bytes.Buffer + encoder := yaml.NewEncoder(&encodedValues) + encoder.SetIndent(2) - for _, i := range q { - utils.Info("HELM Found %s at %s", i.Value, key) - i.Value = value - utils.Info("HELM Updated %s at %s", i.Value, key) - } + // Encode the values. + err = encoder.Encode(&values) + utils.CheckIfError(err, "HELM Failed to encode values") - //// write to file - var b bytes.Buffer - yamlEncoder := yaml.NewEncoder(&b) - yamlEncoder.SetIndent(2) - err = yamlEncoder.Encode(&n) - utils.CheckIfError(err, "HELM Could not Marshal new Values file") - err = os.WriteFile(HelmChartValues, b.Bytes(), 0o644) - utils.CheckIfError(err, "HELM Could not write new Values file to %s", HelmChartValues) + // Write the values to file. + //nolint:gosec // We need to write to the file with 644 permissions. 
+ err = os.WriteFile(HelmChartValues, encodedValues.Bytes(), 0o644) + utils.CheckIfError(err, "HELM Failed to write values to file %q", HelmChartValues) - utils.Info("HELM Ingress Nginx Helm Chart update %s %s", key, value) + utils.Info("HELM Updated path %q to value %q in file %q", path, value, HelmChartValues) } func (Helm) Helmdocs() error { diff --git a/magefiles/steps/release.go b/magefiles/steps/release.go index b6d46336af..a6f1d70285 100644 --- a/magefiles/steps/release.go +++ b/magefiles/steps/release.go @@ -27,8 +27,8 @@ import ( "github.com/google/go-github/v48/github" "github.com/magefile/mage/mg" "github.com/magefile/mage/sh" + "go.yaml.in/yaml/v3" "golang.org/x/oauth2" - "gopkg.in/yaml.v3" utils "k8s.io/ingress-nginx/magefiles/utils" ) diff --git a/magefiles/utils/helm.go b/magefiles/utils/helm.go deleted file mode 100644 index cb8acae579..0000000000 --- a/magefiles/utils/helm.go +++ /dev/null 
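Review bot: `node.SetString(value)` in `updateChartValue` is called on whatever node the path resolves to, so a path that ends on a mapping or sequence (for example `controller.image`) appears to turn that subtree into a scalar when the file is written back. Adding `if node.Kind != yaml.ScalarNode { continue }` before it makes such a path end in the existing not-found error. Splitting on `.` also means a key that itself contains a dot cannot be addressed, and any caller still passing the path syntax of the removed `yamlpath` library would now reach `os.Exit(1)`; the call sites are not visible here. The doc comments should start with the function name, e.g. `// UpdateChartValue sets the value at the dot-separated path in the chart's values file.`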
@@ -1,392 +0,0 @@ -/* -Copyright 2023 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package utils - -type IngressChartValue struct { - CommonLabels struct{} `yaml:"commonLabels"` - Controller struct { - Name string `yaml:"name"` - Image struct { - Chroot bool `yaml:"chroot"` - Registry string `yaml:"registry"` - Image string `yaml:"image"` - Tag string `yaml:"tag"` - Digest string `yaml:"digest"` - DigestChroot string `yaml:"digestChroot"` - PullPolicy string `yaml:"pullPolicy"` - RunAsUser int `yaml:"runAsUser"` - AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` - } `yaml:"image"` - ContainerName string `yaml:"containerName"` - ContainerPort struct { - HTTP int `yaml:"http"` - HTTPS int `yaml:"https"` - } `yaml:"containerPort"` - Config struct{} `yaml:"config"` - ConfigAnnotations struct{} `yaml:"configAnnotations"` - ProxySetHeaders struct{} `yaml:"proxySetHeaders"` - AddHeaders struct{} `yaml:"addHeaders"` - DNSConfig struct{} `yaml:"dnsConfig"` - Hostname struct{} `yaml:"hostname"` - DNSPolicy string `yaml:"dnsPolicy"` - ReportNodeInternalIP bool `yaml:"reportNodeInternalIp"` - WatchIngressWithoutClass bool `yaml:"watchIngressWithoutClass"` - IngressClassByName bool `yaml:"ingressClassByName"` - AllowSnippetAnnotations bool `yaml:"allowSnippetAnnotations"` - HostNetwork bool `yaml:"hostNetwork"` - HostPort struct { - Enabled bool `yaml:"enabled"` - Ports struct { - HTTP int `yaml:"http"` - HTTPS int `yaml:"https"` - } `yaml:"ports"` - } 
`yaml:"hostPort"` - ElectionID string `yaml:"electionID"` - IngressClassResource struct { - Name string `yaml:"name"` - Enabled bool `yaml:"enabled"` - Default bool `yaml:"default"` - ControllerValue string `yaml:"controllerValue"` - Parameters struct{} `yaml:"parameters"` - } `yaml:"ingressClassResource"` - IngressClass string `yaml:"ingressClass"` - PodLabels struct{} `yaml:"podLabels"` - PodSecurityContext struct{} `yaml:"podSecurityContext"` - Sysctls struct{} `yaml:"sysctls"` - PublishService struct { - Enabled bool `yaml:"enabled"` - PathOverride string `yaml:"pathOverride"` - } `yaml:"publishService"` - Scope struct { - Enabled bool `yaml:"enabled"` - Namespace string `yaml:"namespace"` - NamespaceSelector string `yaml:"namespaceSelector"` - } `yaml:"scope"` - ConfigMapNamespace string `yaml:"configMapNamespace"` - TCP struct { - ConfigMapNamespace string `yaml:"configMapNamespace"` - Annotations struct{} `yaml:"annotations"` - } `yaml:"tcp"` - UDP struct { - ConfigMapNamespace string `yaml:"configMapNamespace"` - Annotations struct{} `yaml:"annotations"` - } `yaml:"udp"` - MaxmindLicenseKey string `yaml:"maxmindLicenseKey"` - ExtraArgs struct{} `yaml:"extraArgs"` - ExtraEnvs []interface{} `yaml:"extraEnvs"` - Kind string `yaml:"kind"` - Annotations struct{} `yaml:"annotations"` - Labels struct{} `yaml:"labels"` - UpdateStrategy struct{} `yaml:"updateStrategy"` - MinReadySeconds int `yaml:"minReadySeconds"` - Tolerations []interface{} `yaml:"tolerations"` - Affinity struct{} `yaml:"affinity"` - TopologySpreadConstraints []interface{} `yaml:"topologySpreadConstraints"` - TerminationGracePeriodSeconds int `yaml:"terminationGracePeriodSeconds"` - NodeSelector struct { - KubernetesIoOs string `yaml:"kubernetes.io/os"` - } `yaml:"nodeSelector"` - LivenessProbe struct { - HTTPGet struct { - Path string `yaml:"path"` - Port int `yaml:"port"` - Scheme string `yaml:"scheme"` - } `yaml:"httpGet"` - InitialDelaySeconds int `yaml:"initialDelaySeconds"` - PeriodSeconds 
int `yaml:"periodSeconds"` - TimeoutSeconds int `yaml:"timeoutSeconds"` - SuccessThreshold int `yaml:"successThreshold"` - FailureThreshold int `yaml:"failureThreshold"` - } `yaml:"livenessProbe"` - ReadinessProbe struct { - HTTPGet struct { - Path string `yaml:"path"` - Port int `yaml:"port"` - Scheme string `yaml:"scheme"` - } `yaml:"httpGet"` - InitialDelaySeconds int `yaml:"initialDelaySeconds"` - PeriodSeconds int `yaml:"periodSeconds"` - TimeoutSeconds int `yaml:"timeoutSeconds"` - SuccessThreshold int `yaml:"successThreshold"` - FailureThreshold int `yaml:"failureThreshold"` - } `yaml:"readinessProbe"` - HealthCheckPath string `yaml:"healthCheckPath"` - HealthCheckHost string `yaml:"healthCheckHost"` - PodAnnotations struct{} `yaml:"podAnnotations"` - ReplicaCount int `yaml:"replicaCount"` - MinAvailable int `yaml:"minAvailable"` - Resources struct { - Requests struct { - CPU string `yaml:"cpu"` - Memory string `yaml:"memory"` - } `yaml:"requests"` - } `yaml:"resources"` - Autoscaling struct { - APIVersion string `yaml:"apiVersion"` - Enabled bool `yaml:"enabled"` - Annotations struct{} `yaml:"annotations"` - MinReplicas int `yaml:"minReplicas"` - MaxReplicas int `yaml:"maxReplicas"` - TargetCPUUtilizationPercentage int `yaml:"targetCPUUtilizationPercentage"` - TargetMemoryUtilizationPercentage int `yaml:"targetMemoryUtilizationPercentage"` - Behavior struct{} `yaml:"behavior"` - } `yaml:"autoscaling"` - AutoscalingTemplate []interface{} `yaml:"autoscalingTemplate"` - Keda struct { - APIVersion string `yaml:"apiVersion"` - Enabled bool `yaml:"enabled"` - MinReplicas int `yaml:"minReplicas"` - MaxReplicas int `yaml:"maxReplicas"` - PollingInterval int `yaml:"pollingInterval"` - CooldownPeriod int `yaml:"cooldownPeriod"` - RestoreToOriginalReplicaCount bool `yaml:"restoreToOriginalReplicaCount"` - ScaledObject struct { - Annotations struct{} `yaml:"annotations"` - } `yaml:"scaledObject"` - Triggers []interface{} `yaml:"triggers"` - Behavior struct{} 
`yaml:"behavior"` - } `yaml:"keda"` - EnableMimalloc bool `yaml:"enableMimalloc"` - CustomTemplate struct { - ConfigMapName string `yaml:"configMapName"` - ConfigMapKey string `yaml:"configMapKey"` - } `yaml:"customTemplate"` - Service struct { - Enabled bool `yaml:"enabled"` - AppProtocol bool `yaml:"appProtocol"` - Annotations struct{} `yaml:"annotations"` - Labels struct{} `yaml:"labels"` - ExternalIPs []interface{} `yaml:"externalIPs"` - LoadBalancerIP string `yaml:"loadBalancerIP"` - LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` - EnableHTTP bool `yaml:"enableHttp"` - EnableHTTPS bool `yaml:"enableHttps"` - IPFamilyPolicy string `yaml:"ipFamilyPolicy"` - IPFamilies []string `yaml:"ipFamilies"` - Ports struct { - HTTP int `yaml:"http"` - HTTPS int `yaml:"https"` - } `yaml:"ports"` - TargetPorts struct { - HTTP string `yaml:"http"` - HTTPS string `yaml:"https"` - } `yaml:"targetPorts"` - Type string `yaml:"type"` - NodePorts struct { - HTTP string `yaml:"http"` - HTTPS string `yaml:"https"` - TCP struct{} `yaml:"tcp"` - UDP struct{} `yaml:"udp"` - } `yaml:"nodePorts"` - External struct { - Enabled bool `yaml:"enabled"` - } `yaml:"external"` - Internal struct { - Enabled bool `yaml:"enabled"` - Annotations struct{} `yaml:"annotations"` - LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` - } `yaml:"internal"` - } `yaml:"service"` - ShareProcessNamespace bool `yaml:"shareProcessNamespace"` - ExtraContainers []interface{} `yaml:"extraContainers"` - ExtraVolumeMounts []interface{} `yaml:"extraVolumeMounts"` - ExtraVolumes []interface{} `yaml:"extraVolumes"` - ExtraInitContainers []interface{} `yaml:"extraInitContainers"` - ExtraModules []interface{} `yaml:"extraModules"` - AdmissionWebhooks struct { - Annotations struct{} `yaml:"annotations"` - Enabled bool `yaml:"enabled"` - ExtraEnvs []interface{} `yaml:"extraEnvs"` - FailurePolicy string `yaml:"failurePolicy"` - Port int `yaml:"port"` - Certificate string 
`yaml:"certificate"` - Key string `yaml:"key"` - NamespaceSelector struct{} `yaml:"namespaceSelector"` - ObjectSelector struct{} `yaml:"objectSelector"` - Labels struct{} `yaml:"labels"` - NetworkPolicyEnabled bool `yaml:"networkPolicyEnabled"` - Service struct { - Annotations struct{} `yaml:"annotations"` - ExternalIPs []interface{} `yaml:"externalIPs"` - LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` - ServicePort int `yaml:"servicePort"` - Type string `yaml:"type"` - } `yaml:"service"` - CreateSecretJob struct { - SecurityContext struct { - AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` - } `yaml:"securityContext"` - Resources struct{} `yaml:"resources"` - } `yaml:"createSecretJob"` - PatchWebhookJob struct { - SecurityContext struct { - AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` - } `yaml:"securityContext"` - Resources struct{} `yaml:"resources"` - } `yaml:"patchWebhookJob"` - Patch struct { - Enabled bool `yaml:"enabled"` - Image struct { - Registry string `yaml:"registry"` - Image string `yaml:"image"` - Tag string `yaml:"tag"` - Digest string `yaml:"digest"` - PullPolicy string `yaml:"pullPolicy"` - } `yaml:"image"` - PriorityClassName string `yaml:"priorityClassName"` - PodAnnotations struct{} `yaml:"podAnnotations"` - NodeSelector struct { - KubernetesIoOs string `yaml:"kubernetes.io/os"` - } `yaml:"nodeSelector"` - Tolerations []interface{} `yaml:"tolerations"` - Labels struct{} `yaml:"labels"` - SecurityContext struct { - RunAsNonRoot bool `yaml:"runAsNonRoot"` - RunAsUser int `yaml:"runAsUser"` - FsGroup int `yaml:"fsGroup"` - } `yaml:"securityContext"` - } `yaml:"patch"` - CertManager struct { - Enabled bool `yaml:"enabled"` - RootCert struct { - Duration string `yaml:"duration"` - } `yaml:"rootCert"` - AdmissionCert struct { - Duration string `yaml:"duration"` - } `yaml:"admissionCert"` - } `yaml:"certManager"` - } `yaml:"admissionWebhooks"` - Metrics struct { - Port int `yaml:"port"` - 
PortName string `yaml:"portName"` - Enabled bool `yaml:"enabled"` - Service struct { - Annotations struct{} `yaml:"annotations"` - ExternalIPs []interface{} `yaml:"externalIPs"` - LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` - ServicePort int `yaml:"servicePort"` - Type string `yaml:"type"` - } `yaml:"service"` - ServiceMonitor struct { - Enabled bool `yaml:"enabled"` - AdditionalLabels struct{} `yaml:"additionalLabels"` - Namespace string `yaml:"namespace"` - NamespaceSelector struct{} `yaml:"namespaceSelector"` - ScrapeInterval string `yaml:"scrapeInterval"` - TargetLabels []interface{} `yaml:"targetLabels"` - Relabelings []interface{} `yaml:"relabelings"` - MetricRelabelings []interface{} `yaml:"metricRelabelings"` - } `yaml:"serviceMonitor"` - PrometheusRule struct { - Enabled bool `yaml:"enabled"` - AdditionalLabels struct{} `yaml:"additionalLabels"` - Rules []interface{} `yaml:"rules"` - } `yaml:"prometheusRule"` - } `yaml:"metrics"` - Lifecycle struct { - PreStop struct { - Exec struct { - Command []string `yaml:"command"` - } `yaml:"exec"` - } `yaml:"preStop"` - } `yaml:"lifecycle"` - PriorityClassName string `yaml:"priorityClassName"` - } `yaml:"controller"` - RevisionHistoryLimit int `yaml:"revisionHistoryLimit"` - DefaultBackend struct { - Enabled bool `yaml:"enabled"` - Name string `yaml:"name"` - Image struct { - Registry string `yaml:"registry"` - Image string `yaml:"image"` - Tag string `yaml:"tag"` - PullPolicy string `yaml:"pullPolicy"` - RunAsUser int `yaml:"runAsUser"` - RunAsNonRoot bool `yaml:"runAsNonRoot"` - ReadOnlyRootFilesystem bool `yaml:"readOnlyRootFilesystem"` - AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` - } `yaml:"image"` - ExtraArgs struct{} `yaml:"extraArgs"` - ServiceAccount struct { - Create bool `yaml:"create"` - Name string `yaml:"name"` - AutomountServiceAccountToken bool `yaml:"automountServiceAccountToken"` - } `yaml:"serviceAccount"` - ExtraEnvs []interface{} 
`yaml:"extraEnvs"` - Port int `yaml:"port"` - LivenessProbe struct { - FailureThreshold int `yaml:"failureThreshold"` - InitialDelaySeconds int `yaml:"initialDelaySeconds"` - PeriodSeconds int `yaml:"periodSeconds"` - SuccessThreshold int `yaml:"successThreshold"` - TimeoutSeconds int `yaml:"timeoutSeconds"` - } `yaml:"livenessProbe"` - ReadinessProbe struct { - FailureThreshold int `yaml:"failureThreshold"` - InitialDelaySeconds int `yaml:"initialDelaySeconds"` - PeriodSeconds int `yaml:"periodSeconds"` - SuccessThreshold int `yaml:"successThreshold"` - TimeoutSeconds int `yaml:"timeoutSeconds"` - } `yaml:"readinessProbe"` - Tolerations []interface{} `yaml:"tolerations"` - Affinity struct{} `yaml:"affinity"` - PodSecurityContext struct{} `yaml:"podSecurityContext"` - ContainerSecurityContext struct{} `yaml:"containerSecurityContext"` - PodLabels struct{} `yaml:"podLabels"` - NodeSelector struct { - KubernetesIoOs string `yaml:"kubernetes.io/os"` - } `yaml:"nodeSelector"` - PodAnnotations struct{} `yaml:"podAnnotations"` - ReplicaCount int `yaml:"replicaCount"` - MinAvailable int `yaml:"minAvailable"` - Resources struct{} `yaml:"resources"` - ExtraVolumeMounts []interface{} `yaml:"extraVolumeMounts"` - ExtraVolumes []interface{} `yaml:"extraVolumes"` - Autoscaling struct { - Annotations struct{} `yaml:"annotations"` - Enabled bool `yaml:"enabled"` - MinReplicas int `yaml:"minReplicas"` - MaxReplicas int `yaml:"maxReplicas"` - TargetCPUUtilizationPercentage int `yaml:"targetCPUUtilizationPercentage"` - TargetMemoryUtilizationPercentage int `yaml:"targetMemoryUtilizationPercentage"` - } `yaml:"autoscaling"` - Service struct { - Annotations struct{} `yaml:"annotations"` - ExternalIPs []interface{} `yaml:"externalIPs"` - LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` - ServicePort int `yaml:"servicePort"` - Type string `yaml:"type"` - } `yaml:"service"` - PriorityClassName string `yaml:"priorityClassName"` - Labels struct{} `yaml:"labels"` - } 
`yaml:"defaultBackend"` - Rbac struct { - Create bool `yaml:"create"` - Scope bool `yaml:"scope"` - } `yaml:"rbac"` - ServiceAccount struct { - Create bool `yaml:"create"` - Name string `yaml:"name"` - AutomountServiceAccountToken bool `yaml:"automountServiceAccountToken"` - Annotations struct{} `yaml:"annotations"` - } `yaml:"serviceAccount"` - ImagePullSecrets []interface{} `yaml:"imagePullSecrets"` - TCP struct{} `yaml:"tcp"` - UDP struct{} `yaml:"udp"` - PortNamePrefix string `yaml:"portNamePrefix"` - DhParam interface{} `yaml:"dhParam"` -} diff --git a/mkdocs.yml b/mkdocs.yml index b59546c9cc..f54c1db2e8 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -24,7 +24,7 @@ markdown_extensions: - pymdownx.critic - pymdownx.details - pymdownx.emoji: - emoji_index: !!python/name:materialx.emoji.twemoji + emoji_index: !!python/name:material.extensions.emoji.twemoji emoji_generator: !!python/name:materialx.emoji.to_svg - pymdownx.highlight - pymdownx.inlinehilite diff --git a/netlify.toml b/netlify.toml deleted file mode 100644 index dc4b0d1ca9..0000000000 --- a/netlify.toml +++ /dev/null @@ -1,11 +0,0 @@ -# netlify configuration -[build] -publish = "site" -command = "make build-docs" -ignore = "git diff --quiet $CACHED_COMMIT_REF $COMMIT_REF ./docs" -# available here https://github.com/netlify/build-image/blob/focal/included_software.md#languages -environment = { PYTHON_VERSION = "3.8" } - -[context.deploy-preview] - publish = "site/" - command = "make build-docs" diff --git a/pkg/flags/flags_test.go b/pkg/flags/flags_test.go index fdf153021a..3740bdbd81 100644 --- a/pkg/flags/flags_test.go +++ b/pkg/flags/flags_test.go @@ -20,6 +20,9 @@ import ( "os" "testing" "time" + + "k8s.io/ingress-nginx/internal/ingress/controller" + "k8s.io/ingress-nginx/internal/ingress/controller/config" ) func TestNoMandatoryFlag(t *testing.T) { 
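Review bot: Only `emoji_index` in `mkdocs.yml` was moved to `material.extensions.emoji`; the unchanged next line still reads `emoji_generator: !!python/name:materialx.emoji.to_svg`, so the config keeps depending on the old `materialx` package. If the move is meant to follow the mkdocs-material image bump in this commit, change that line as well: `emoji_generator: !!python/name:material.extensions.emoji.to_svg`.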
@@ -55,8 +58,153 @@ func TestDefaults(t *testing.T) { } } -func TestSetupSSLProxy(_ *testing.T) { - // TODO TestSetupSSLProxy +func TestSetupSSLProxy(t *testing.T) { + tests := []struct { + name string + args []string + expectError bool + description string + validateConfig func(t *testing.T, _ bool, cfg *controller.Configuration) + }{ + { + name: "valid SSL proxy configuration with passthrough enabled", + args: []string{"cmd", "--enable-ssl-passthrough", "--ssl-passthrough-proxy-port", "9999"}, + expectError: false, + description: "Should accept valid SSL proxy port with passthrough enabled", + validateConfig: func(t *testing.T, _ bool, cfg *controller.Configuration) { + if !cfg.EnableSSLPassthrough { + t.Error("Expected EnableSSLPassthrough to be true") + } + if cfg.ListenPorts.SSLProxy != 9999 { + t.Errorf("Expected SSLProxy port to be 9999, got %d", cfg.ListenPorts.SSLProxy) + } + }, + }, + { + name: "SSL proxy port without explicit passthrough enabling", + args: []string{"cmd", "--ssl-passthrough-proxy-port", "8443"}, + expectError: false, + description: "Should accept SSL proxy port configuration without explicit passthrough enable", + validateConfig: func(t *testing.T, _ bool, cfg *controller.Configuration) { + if cfg.ListenPorts.SSLProxy != 8443 { + t.Errorf("Expected SSLProxy port to be 8443, got %d", cfg.ListenPorts.SSLProxy) + } + }, + }, + { + name: "SSL proxy with default backend service", + args: []string{"cmd", "--enable-ssl-passthrough", "--default-backend-service", "default/backend", "--ssl-passthrough-proxy-port", "9000"}, + expectError: false, + description: "Should work with default backend service and SSL passthrough", + validateConfig: func(t *testing.T, _ bool, cfg *controller.Configuration) { + if !cfg.EnableSSLPassthrough { + t.Error("Expected EnableSSLPassthrough to be true") + } + if cfg.DefaultService != "default/backend" { + t.Errorf("Expected DefaultService to be 'default/backend', got %s", cfg.DefaultService) + } + if 
cfg.ListenPorts.SSLProxy != 9000 { + t.Errorf("Expected SSLProxy port to be 9000, got %d", cfg.ListenPorts.SSLProxy) + } + }, + }, + { + name: "SSL proxy with default SSL certificate", + args: []string{"cmd", "--enable-ssl-passthrough", "--default-ssl-certificate", "default/tls-cert", "--ssl-passthrough-proxy-port", "8080"}, + expectError: false, + description: "Should work with default SSL certificate and passthrough", + validateConfig: func(t *testing.T, _ bool, cfg *controller.Configuration) { + if !cfg.EnableSSLPassthrough { + t.Error("Expected EnableSSLPassthrough to be true") + } + if cfg.DefaultSSLCertificate != "default/tls-cert" { + t.Errorf("Expected DefaultSSLCertificate to be 'default/tls-cert', got %s", cfg.DefaultSSLCertificate) + } + if cfg.ListenPorts.SSLProxy != 8080 { + t.Errorf("Expected SSLProxy port to be 8080, got %d", cfg.ListenPorts.SSLProxy) + } + }, + }, + { + name: "SSL proxy with chain completion enabled", + args: []string{"cmd", "--enable-ssl-passthrough", "--enable-ssl-chain-completion", "--ssl-passthrough-proxy-port", "7443"}, + expectError: false, + description: "Should work with SSL chain completion and passthrough", + validateConfig: func(t *testing.T, _ bool, cfg *controller.Configuration) { + if !cfg.EnableSSLPassthrough { + t.Error("Expected EnableSSLPassthrough to be true") + } + if !config.EnableSSLChainCompletion { + t.Error("Expected EnableSSLChainCompletion to be true") + } + if cfg.ListenPorts.SSLProxy != 7443 { + t.Errorf("Expected SSLProxy port to be 7443, got %d", cfg.ListenPorts.SSLProxy) + } + }, + }, + { + name: "SSL proxy with minimal configuration", + args: []string{"cmd", "--enable-ssl-passthrough"}, + expectError: false, + description: "Should work with minimal SSL passthrough configuration using default port", + validateConfig: func(t *testing.T, _ bool, cfg *controller.Configuration) { + if !cfg.EnableSSLPassthrough { + t.Error("Expected EnableSSLPassthrough to be true") + } + // Default port should be 442 + if 
cfg.ListenPorts.SSLProxy != 442 { + t.Errorf("Expected default SSLProxy port to be 442, got %d", cfg.ListenPorts.SSLProxy) + } + }, + }, + { + name: "SSL proxy with comprehensive configuration", + args: []string{"cmd", "--enable-ssl-passthrough", "--enable-ssl-chain-completion", "--default-ssl-certificate", "kube-system/default-cert", "--default-backend-service", "kube-system/default-backend", "--ssl-passthrough-proxy-port", "10443"}, + expectError: false, + description: "Should work with comprehensive SSL proxy configuration", + validateConfig: func(t *testing.T, _ bool, cfg *controller.Configuration) { + if !cfg.EnableSSLPassthrough { + t.Error("Expected EnableSSLPassthrough to be true") + } + if !config.EnableSSLChainCompletion { + t.Error("Expected EnableSSLChainCompletion to be true") + } + if cfg.DefaultSSLCertificate != "kube-system/default-cert" { + t.Errorf("Expected DefaultSSLCertificate to be 'kube-system/default-cert', got %s", cfg.DefaultSSLCertificate) + } + if cfg.DefaultService != "kube-system/default-backend" { + t.Errorf("Expected DefaultService to be 'kube-system/default-backend', got %s", cfg.DefaultService) + } + if cfg.ListenPorts.SSLProxy != 10443 { + t.Errorf("Expected SSLProxy port to be 10443, got %d", cfg.ListenPorts.SSLProxy) + } + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + ResetForTesting(func() { t.Fatal("Parsing failed") }) + + oldArgs := os.Args + defer func() { os.Args = oldArgs }() + + os.Args = tt.args + + showVersion, cfg, err := ParseFlags() + if tt.expectError && err == nil { + t.Fatalf("Expected error for %s, but got none", tt.description) + } + if !tt.expectError && err != nil { + t.Fatalf("Expected no error for %s, got: %v", tt.description, err) + } + + // Run additional validation if provided and no error occurred + if !tt.expectError && tt.validateConfig != nil { + tt.validateConfig(t, showVersion, cfg) + } + }) + } } func TestFlagConflict(t *testing.T) { 
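Review bot: Every case in `TestSetupSSLProxy` sets `expectError: false`, so the `tt.expectError && err == nil` branch never runs and no rejected input is tested. The case `SSL proxy port without explicit passthrough enabling` checks the port but never that passthrough stayed off; add to its `validateConfig`: `if cfg.EnableSSLPassthrough { t.Error("Expected EnableSSLPassthrough to be false") }`. `config.EnableSSLChainCompletion` looks like package-level state, so if `ResetForTesting` does not reset it the value set by one subtest carries into the following ones, which is worth confirming. The `bool` parameter of `validateConfig` is unused in every case and can be dropped.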
diff --git a/pkg/util/runtime/cpu_linux.go b/pkg/util/runtime/cpu_linux.go index b9992c6de4..56fd2cd530 100644 --- a/pkg/util/runtime/cpu_linux.go +++ b/pkg/util/runtime/cpu_linux.go @@ -96,6 +96,10 @@ func readCgroup2StringToInt64Tuple(cgroupString string) (quota, period int64) { values := strings.Fields(cgroupString) + if len(values) == 0 { + return -1, -1 + } + if values[0] == "max" { return -1, -1 } diff --git a/pkg/util/runtime/cpu_linux_test.go b/pkg/util/runtime/cpu_linux_test.go new file mode 100644 index 0000000000..9f6f9be923 --- /dev/null +++ b/pkg/util/runtime/cpu_linux_test.go 
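Review bot: The new length guard and the `max` check that follows it return the same pair and can be one condition, `if len(values) == 0 || values[0] == "max" {`. A comment saying what the pair means would help the next reader, e.g. `// empty content or "max": no quota to report`. `readCgroup2StringToInt64Tuple` continues outside the hunk.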
@@ -0,0 +1,94 @@ +//go:build linux +// +build linux + +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package runtime + +import ( + "testing" +) + +func TestReadCgroup2StringToInt64Tuple(t *testing.T) { + tests := []struct { + name string + input string + expectedQuota int64 + expectedPeriod int64 + }{ + { + name: "empty string", + input: "", + expectedQuota: -1, + expectedPeriod: -1, + }, + { + name: "whitespace only", + input: " ", + expectedQuota: -1, + expectedPeriod: -1, + }, + { + name: "max value", + input: "max 100000", + expectedQuota: -1, + expectedPeriod: -1, + }, + { + name: "quota only", + input: "50000", + expectedQuota: 50000, + expectedPeriod: 100000, + }, + { + name: "quota and period", + input: "50000 100000", + expectedQuota: 50000, + expectedPeriod: 100000, + }, + { + name: "quota and custom period", + input: "100000 200000", + expectedQuota: 100000, + expectedPeriod: 200000, + }, + { + name: "invalid quota", + input: "invalid 100000", + expectedQuota: -1, + expectedPeriod: -1, + }, + { + name: "invalid period", + input: "50000 invalid", + expectedQuota: -1, + expectedPeriod: -1, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + quota, period := readCgroup2StringToInt64Tuple(tc.input) + if quota != tc.expectedQuota { + t.Errorf("expected quota %d, got %d", tc.expectedQuota, quota) + } + if period != tc.expectedPeriod { + t.Errorf("expected period %d, got %d", tc.expectedPeriod, period) + } 
+ }) + } +} diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile index 9b7753b5d0..f5a0833e4e 100644 --- a/rootfs/Dockerfile +++ b/rootfs/Dockerfile @@ -49,6 +49,7 @@ COPY --chown=www-data:www-data bin/${TARGETARCH}/wait-shutdown / # with volumes (custom templates) RUN bash -xeu -c ' \ writeDirs=( \ + /etc/ingress-controller \ /etc/ingress-controller/ssl \ /etc/ingress-controller/auth \ /etc/ingress-controller/geoip \ diff --git a/rootfs/Dockerfile-chroot b/rootfs/Dockerfile-chroot index 08863610fa..872d61aff3 100644 --- a/rootfs/Dockerfile-chroot +++ b/rootfs/Dockerfile-chroot @@ -23,7 +23,7 @@ RUN apk update \ && apk upgrade \ && /chroot.sh -FROM alpine:3.21 +FROM alpine:3.23.3 ARG TARGETARCH ARG VERSION diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_external_auth.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_external_auth.lua index 6c68cf07c9..ec2797c5fb 100644 --- a/rootfs/etc/nginx/lua/nginx/ngx_conf_external_auth.lua +++ b/rootfs/etc/nginx/lua/nginx/ngx_conf_external_auth.lua @@ -1,5 +1,5 @@ local auth_path = ngx.var.auth_path -local auth_keepalive_share_vars = ngx.var.auth_keepalive_share_vars +local auth_keepalive_share_vars = ngx.var.auth_keepalive_share_vars == "true" and true or false local auth_response_headers = ngx.var.auth_response_headers local ngx_re_split = require("ngx.re").split local ipairs = ipairs @@ -27,4 +27,4 @@ end if res.status == ngx.HTTP_UNAUTHORIZED or res.status == ngx.HTTP_FORBIDDEN then ngx.exit(res.status) end -ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) \ No newline at end of file +ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) diff --git a/rootfs/etc/nginx/lua/util/split.lua b/rootfs/etc/nginx/lua/util/split.lua index 63edf0900b..3735b64ab5 100644 --- a/rootfs/etc/nginx/lua/util/split.lua +++ b/rootfs/etc/nginx/lua/util/split.lua 
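Review bot: Adding `/etc/ingress-controller` itself to `writeDirs` in rootfs/Dockerfile widens what the runtime user can do beyond the existing `ssl`, `auth` and `geoip` subdirectories, because whoever can write to the parent can create, rename or replace entries directly under it. The loop that consumes `writeDirs` is outside this hunk, so the owner and mode actually applied are not visible here; please confirm the parent really needs the same treatment as its children. The reason should be recorded by extending the Dockerfile comment above the `RUN` (a `#` line inside the backslash-continued `bash -c` string would swallow the rest of the command), e.g. `# /etc/ingress-controller itself is writable because <reason from the PR>`.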
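Review bot: In ngx_conf_external_auth.lua the `and true or false` tail is redundant, since the `==` comparison already yields a boolean; `local auth_keepalive_share_vars = ngx.var.auth_keepalive_share_vars == "true"` says the same thing more directly. The comparison is exact, so any other spelling of the variable (`True`, `1`, `on`) now means false. A one-line comment stating that only the literal string `true` enables sharing would make that contract explicit; how the variable is populated is not visible in this hunk.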
@@ -24,7 +24,7 @@ function _M.get_last_value(var) return t[#t] end --- http://nginx.org/en/docs/http/ngx_http_upstream_module.html#example +-- https://nginx.org/en/docs/http/ngx_http_upstream_module.html#example -- CAVEAT: nginx is giving out : instead of , so the docs are wrong -- 127.0.0.1:26157 : 127.0.0.1:26157 , ngx.var.upstream_addr -- 200 : 200 , ngx.var.upstream_status diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index e51eca0e92..3c6a5573a6 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -42,7 +42,7 @@ worker_cpu_affinity {{ $cfg.WorkerCPUAffinity }}; worker_rlimit_nofile {{ $cfg.MaxWorkerOpenFiles }}; -{{/* http://nginx.org/en/docs/ngx_core_module.html#worker_shutdown_timeout */}} +{{/* https://nginx.org/en/docs/ngx_core_module.html#worker_shutdown_timeout */}} {{/* avoid waiting too long during a reload */}} worker_shutdown_timeout {{ $cfg.WorkerShutdownTimeout }} ; @@ -351,7 +351,7 @@ http { log_format upstreaminfo {{ if $cfg.LogFormatEscapeNone }}escape=none {{ else if $cfg.LogFormatEscapeJSON }}escape=json {{ end }}'{{ $cfg.LogFormatUpstream }}'; {{/* map urls that should not appear in access.log */}} - {{/* http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log */}} + {{/* https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log */}} map $request_uri $loggable { {{ range $reqUri := $cfg.SkipAccessLogURLs }} {{ $reqUri }} 0;{{ end }} @@ -380,7 +380,7 @@ http { map $http_upgrade $connection_upgrade { default upgrade; {{ if (gt $cfg.UpstreamKeepaliveConnections 0) }} - # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive + # See https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive '' ''; {{ else }} '' close; 
@@ -480,7 +480,7 @@ http { {{ end }} {{ if not (empty $cfg.SSLDHParam) }} - # allow custom DH file http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam + # allow custom DH file https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam ssl_dhparam {{ $cfg.SSLDHParam }}; {{ end }} @@ -589,7 +589,7 @@ http { {{ range $redirect := .RedirectServers }} ## start server {{ $redirect.From }} server { - server_name {{ $redirect.From }}; + server_name {{ $redirect.From | quote }}; {{ buildHTTPListener $all $redirect.From }} {{ buildHTTPSListener $all $redirect.From }} @@ -619,7 +619,7 @@ http { {{ $applyGlobalAuth := shouldApplyGlobalAuth $location $all.Cfg.GlobalExternalAuth.URL }} {{ $applyAuthUpstream := shouldApplyAuthUpstream $location $all.Cfg }} {{ if and (eq $applyAuthUpstream true) (eq $applyGlobalAuth false) }} - ## start auth upstream {{ $server.Hostname }}{{ $location.Path }} + ## start auth upstream {{ $server.Hostname }} upstream {{ buildAuthUpstreamName $location $server.Hostname }} { {{- $externalAuth := $location.ExternalAuth }} server {{ extractHostPort $externalAuth.URL }}; @@ -628,7 +628,7 @@ http { keepalive_requests {{ $externalAuth.KeepaliveRequests }}; keepalive_timeout {{ $externalAuth.KeepaliveTimeout }}s; } - ## end auth upstream {{ $server.Hostname }}{{ $location.Path }} + ## end auth upstream {{ $server.Hostname }} {{ end }} {{ end }} {{ end }} @@ -636,7 +636,7 @@ http { {{ range $server := $servers }} ## start server {{ $server.Hostname }} server { - server_name {{ buildServerName $server.Hostname }} {{range $server.Aliases }}{{ . }} {{ end }}; + server_name {{ buildServerName $server.Hostname | quote }} {{ range $server.Aliases }}"{{ sanitizeQuotedRegex . }}" {{ end }}; {{ if $cfg.UseHTTP2 }} http2 on; 
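Review bot: The `## start server {{ $redirect.From }}` marker in the hunk at -589 still writes the raw value into the generated configuration, even though the `server_name` directive right below it is now passed through `quote`. The same holds for `## start server {{ $server.Hostname }}` at -636 and for the `## start auth upstream {{ $server.Hostname }}` / `## end auth upstream {{ $server.Hostname }}` markers at -619 and -628, where only `$location.Path` was dropped. A `#` comment ends at the first line break, so these markers are only inert if the interpolated values can never contain one, and the validation that would guarantee this is not visible in these hunks. Either drop the value from the markers, as was done for the path, or add a template comment naming the check that guarantees a single-line host name.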
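Review bot: In the hunk at -636 the host name is escaped with `quote` while each alias is wrapped in hand-written `"` characters around `sanitizeQuotedRegex .`, so the two halves of one `server_name` directive rely on different escaping rules. The alias half is only safe if `sanitizeQuotedRegex` neutralises `"`, `\` and line breaks, and its definition is not part of this hunk. Presumably the separate helper exists because aliases may be regular-expression names; once confirmed, a template comment such as `{{/* aliases may be regex server names, hence sanitizeQuotedRegex instead of quote */}}` would record that for the next editor.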
@@ -1041,6 +1041,7 @@ stream { # resumes it has the correct value set for this variable so that Lua can pick backend correctly set $proxy_upstream_name {{ buildUpstreamName $location | quote }}; + proxy_intercept_errors off; proxy_pass_request_body off; proxy_set_header Content-Length ""; proxy_set_header X-Forwarded-Proto ""; @@ -1076,7 +1077,9 @@ stream { {{ end }} proxy_buffer_size {{ $location.Proxy.BufferSize }}; proxy_buffers {{ $location.Proxy.BuffersNumber }} {{ $location.Proxy.BufferSize }}; + {{ if $location.Proxy.BusyBuffersSize }} proxy_busy_buffers_size {{ $location.Proxy.BusyBuffersSize }}; + {{ end }} proxy_request_buffering {{ $location.Proxy.RequestBuffering }}; proxy_ssl_server_name on; @@ -1111,7 +1114,7 @@ stream { # The target is an upstream with HTTP keepalive, that is why the # Connection header is cleared and the HTTP version is set to 1.1 as # the Nginx documentation suggests: - # http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive + # https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive proxy_http_version 1.1; proxy_set_header Connection ""; set $target {{ changeHostPort $externalAuth.URL $authUpstreamName }}; @@ -1334,7 +1337,9 @@ stream { proxy_buffering {{ $location.Proxy.ProxyBuffering }}; proxy_buffer_size {{ $location.Proxy.BufferSize }}; proxy_buffers {{ $location.Proxy.BuffersNumber }} {{ $location.Proxy.BufferSize }}; + {{ if $location.Proxy.BusyBuffersSize }} proxy_busy_buffers_size {{ $location.Proxy.BusyBuffersSize }}; + {{ end }} {{ if isValidByteSize $location.Proxy.ProxyMaxTempFileSize true }} proxy_max_temp_file_size {{ $location.Proxy.ProxyMaxTempFileSize }}; {{ end }} diff --git a/test/data/cleanConf.expected.conf b/test/data/cleanConf.expected.conf index 9c0513b37d..7ad94110ff 100644 --- a/test/data/cleanConf.expected.conf +++ b/test/data/cleanConf.expected.conf 
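Review bot: The added `proxy_intercept_errors off;` at -1041 carries no explanation, and a later cleanup could easily remove it as a restatement of a default. It sits in what looks like the external-auth subrequest location (the block starts outside the hunk), where the status returned by the auth service decides whether the request is allowed; presumably the directive keeps `error_page` handling configured elsewhere from replacing that status. A comment such as `# the auth service's own status must reach the auth check unchanged, so never intercept errors here` would document the intent, once the author confirms it.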
@@ -84,7 +84,7 @@ http { map $http_upgrade $connection_upgrade { default upgrade; - # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive + # See https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive '' ''; } diff --git a/test/data/cleanConf.src.conf b/test/data/cleanConf.src.conf index 6da578106a..e13a2b2667 100644 --- a/test/data/cleanConf.src.conf +++ b/test/data/cleanConf.src.conf @@ -113,7 +113,7 @@ lua_shared_dict ocsp_response_cache 5M; map $http_upgrade $connection_upgrade { default upgrade; - # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive + # See https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive '' ''; } diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile index c16545e439..13e69834a0 100644 --- a/test/e2e-image/Dockerfile +++ b/test/e2e-image/Dockerfile @@ -1,7 +1,7 @@ ARG E2E_BASE_IMAGE FROM ${E2E_BASE_IMAGE} AS BASE -FROM alpine:3.21 +FROM alpine:3.23.3 RUN apk update \ && apk upgrade && apk add -U --no-cache \ diff --git a/test/e2e-image/Makefile b/test/e2e-image/Makefile index c53c6cd330..9e9bc73a84 100644 --- a/test/e2e-image/Makefile +++ b/test/e2e-image/Makefile @@ -1,6 +1,6 @@ DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST)))) -E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v2.1.1@sha256:01201e647bae6c805c00e1b532734c48798c4577bde12ccfb3eca3c0d00b10fd" +E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v2.2.9@sha256:6eda6a8d17ff65c5af647abb0714b882047b77d18161712d77daf5f610fd4020" image: echo "..entered Makefile in /test/e2e-image" diff --git a/test/e2e/HTTPBUN_IMAGE b/test/e2e/HTTPBUN_IMAGE index 4dce0ea75b..0096da5c9b 100644 --- a/test/e2e/HTTPBUN_IMAGE +++ b/test/e2e/HTTPBUN_IMAGE 
@@ -1 +1 @@ -registry.k8s.io/ingress-nginx/httpbun:v1.1.3@sha256:768fa3a3732ee14d7ecd31b9dd6e24a6e2fc9f935359cf695098a0833b0d2c49 +registry.k8s.io/ingress-nginx/httpbun:v1.2.9@sha256:be2bdcaadd60c0208dde6d0f029106e1b82a9837dc7580e821ef4071de23777b diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go index 2c94a58931..51bd88f356 100644 --- a/test/e2e/admission/admission.go +++ b/test/e2e/admission/admission.go @@ -19,6 +19,7 @@ package admission import ( "bytes" "context" + "crypto/tls" "fmt" "net/http" "os/exec" @@ -43,6 +44,23 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", f.NewSlowEchoDeployment() }) + ginkgo.It("should not allow REALLY large ingresses", func() { + // Make a post request with garbage data + // We have to directly POST because Kubernetes itself will reject the object before it getes to the validating webhook. + transport := &http.Transport{ + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: true, //nolint:gosec // Ignore the gosec error in testing + }, + } + client := &http.Client{Transport: transport} + body := strings.Repeat("b", 9*1024*1024) // 32MB body + resp, err := client.Post(fmt.Sprintf("https://nginx-ingress-controller-admission.%s.svc.cluster.local:443/networking/v1/ingresses", f.Namespace), "application/json", strings.NewReader(body)) + assert.Nil(ginkgo.GinkgoT(), err, "creating HTTP request") + defer resp.Body.Close() + + assert.Equal(ginkgo.GinkgoT(), http.StatusRequestEntityTooLarge, resp.StatusCode, "response status code") + }) + ginkgo.It("should not allow overlaps of host and paths without canary annotations", func() { host := admissionTestHost 
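Review bot: The `http.Client` built in the new "should not allow REALLY large ingresses" test in admission.go has no `Timeout`, so a webhook that accepts the connection but never answers the POST would block the spec until the suite-level timeout; `client := &http.Client{Transport: transport, Timeout: 30 * time.Second}` bounds it (this needs the `time` import, which is not visible in the hunk). The trailing comment on the body line says `// 32MB body` while the expression is `9*1024*1024`, so it should read `// 9 MiB body`, and "getes" in the comment above it is a typo for "gets". `InsecureSkipVerify: true` is limited to this test client, but the `//nolint:gosec` text would be more useful if it said why verification is skipped, e.g. `// test-only: webhook certificate is not signed by a CA this client trusts`, if that is the case.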
@@ -52,7 +70,7 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, host)) }) secondIngress := framework.NewSingleIngress("second-ingress", "/", host, f.Namespace, framework.EchoService, 80, nil) @@ -60,6 +78,37 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with the same host and path should return an error") }) + ginkgo.It("should not allow overlaps of host and paths without canary annotations in any rule", func() { + host := admissionTestHost + + firstIngress := framework.NewSingleIngressWithMultiplePaths( + "first-ingress", + []string{"/safe-path-1", "/conflict-path"}, + host, + f.Namespace, + framework.EchoService, + 80, + nil) + _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "creating ingress") + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, host)) + }) + + secondIngress := framework.NewSingleIngressWithMultiplePaths( + "second-ingress", + []string{"/safe-path-2", "/conflict-path"}, + host, + f.Namespace, + framework.EchoService, + 80, + nil) + _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), secondIngress, metav1.CreateOptions{}) + assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with the same host and path should return an error") + }) + ginkgo.It("should allow overlaps of host and paths with canary annotation", func() { host := admissionTestHost 
@@ -69,7 +118,7 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, host)) }) canaryAnnotations := map[string]string{ @@ -90,7 +139,7 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, host)) }) secondIngress := framework.NewSingleIngress("second-ingress", "/etc/nginx", host, f.Namespace, framework.EchoService, 80, nil) diff --git a/test/e2e/annotations/affinity.go b/test/e2e/annotations/affinity.go index b64581ef62..c17514d12a 100644 --- a/test/e2e/annotations/affinity.go +++ b/test/e2e/annotations/affinity.go @@ -58,7 +58,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) f.HTTPTestClient(). @@ -80,7 +80,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) f.HTTPTestClient(). @@ -115,7 +115,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) f.HTTPTestClient(). 
@@ -181,7 +181,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) f.HTTPTestClient(). @@ -212,7 +212,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) local, err := time.LoadLocation("GMT") @@ -243,7 +243,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) f.HTTPTestClient(). @@ -265,7 +265,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) f.HTTPTestClient(). @@ -289,7 +289,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) f.HTTPTestClient(). @@ -312,7 +312,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) f.HTTPTestClient(). 
@@ -340,7 +340,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, `location /foo/bar`) && strings.Contains(server, `location /foo`) + return strings.Contains(server, `location "/foo/bar/"`) && strings.Contains(server, `location "/foo/"`) }) f.HTTPTestClient(). @@ -368,7 +368,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f.WaitForNginxServer("_", func(server string) bool { - return strings.Contains(server, "server_name _") + return strings.Contains(server, `server_name "_"`) }) f.HTTPTestClient(). @@ -393,7 +393,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f.WaitForNginxServer(host, func(server string) bool { // server alias sort by sort.Strings(), see: internal/ingress/annotations/alias/main.go:60 - return strings.Contains(server, fmt.Sprintf("server_name %s %s %s ;", host, alias1, alias2)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s" "%s" "%s" ;`, host, alias1, alias2)) }) f.HTTPTestClient(). @@ -430,7 +430,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) f.HTTPTestClient(). @@ -453,7 +453,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) f.HTTPTestClient(). 
@@ -475,7 +475,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) && + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) && strings.Contains(server, "listen 443") }) diff --git a/test/e2e/annotations/affinitymode.go b/test/e2e/annotations/affinitymode.go index e6253b6ffa..7869eeb970 100644 --- a/test/e2e/annotations/affinitymode.go +++ b/test/e2e/annotations/affinitymode.go @@ -56,7 +56,7 @@ var _ = framework.DescribeAnnotation("affinitymode", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) // Check configuration @@ -89,7 +89,7 @@ var _ = framework.DescribeAnnotation("affinitymode", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) // Check configuration diff --git a/test/e2e/annotations/alias.go b/test/e2e/annotations/alias.go index ca4fe9c317..b84357d7df 100644 --- a/test/e2e/annotations/alias.go +++ b/test/e2e/annotations/alias.go @@ -43,7 +43,7 @@ var _ = framework.DescribeAnnotation("server-alias", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, host)) }) f.HTTPTestClient(). @@ -72,7 +72,7 @@ var _ = framework.DescribeAnnotation("server-alias", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, host)) }) hosts := []string{fooHost, "bar"} 
@@ -100,7 +100,7 @@ var _ = framework.DescribeAnnotation("server-alias", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v bar", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%v" "bar"`, host)) }) hosts := []string{fooHost, "bar"} diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go index ddda1dce5f..742cdc47df 100644 --- a/test/e2e/annotations/auth.go +++ b/test/e2e/annotations/auth.go @@ -57,7 +57,7 @@ var _ = framework.DescribeAnnotation("auth-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name auth") + return strings.Contains(server, `server_name "auth"`) }) f.HTTPTestClient(). @@ -81,7 +81,7 @@ var _ = framework.DescribeAnnotation("auth-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name auth") + return strings.Contains(server, `server_name "auth"`) }) f.HTTPTestClient(). @@ -108,7 +108,7 @@ var _ = framework.DescribeAnnotation("auth-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name auth") + return strings.Contains(server, `server_name "auth"`) }) f.HTTPTestClient(). @@ -135,7 +135,7 @@ var _ = framework.DescribeAnnotation("auth-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name auth") + return strings.Contains(server, `server_name "auth"`) }) f.HTTPTestClient(). @@ -164,7 +164,7 @@ var _ = framework.DescribeAnnotation("auth-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name auth") + return strings.Contains(server, `server_name "auth"`) }) f.HTTPTestClient(). 
@@ -191,7 +191,7 @@ var _ = framework.DescribeAnnotation("auth-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name auth") + return strings.Contains(server, `server_name "auth"`) }) f.HTTPTestClient(). @@ -219,7 +219,7 @@ var _ = framework.DescribeAnnotation("auth-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name auth") + return strings.Contains(server, `server_name "auth"`) }) f.HTTPTestClient(). @@ -258,7 +258,7 @@ var _ = framework.DescribeAnnotation("auth-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name auth") + return strings.Contains(server, `server_name "auth"`) }) f.HTTPTestClient(). @@ -308,7 +308,7 @@ var _ = framework.DescribeAnnotation("auth-*", func() { }) }) - ginkgo.It(`should set "proxy_set_header 'My-Custom-Header' '42';" when auth-headers are set`, func() { + ginkgo.It(`should set "proxy_set_header "My-Custom-Header" "42";" when auth-headers are set`, func() { host := authHost annotations := map[string]string{ @@ -325,7 +325,7 @@ var _ = framework.DescribeAnnotation("auth-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, `proxy_set_header 'My-Custom-Header' '42';`) + return strings.Contains(server, `proxy_set_header "My-Custom-Header" "42";`) }) }) @@ -413,7 +413,7 @@ http { f.WaitForNginxServer(host, func(server string) bool { //nolint:goconst //server_name is a constant - return strings.Contains(server, "server_name "+host) + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, host)) }) }) @@ -445,7 +445,7 @@ http { f.UpdateIngress(ing2) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name "+host) + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, host)) }) f.HTTPTestClient(). 
@@ -474,7 +474,7 @@ http { f.EnsureIngress(ing) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name auth") + return strings.Contains(server, `server_name "auth"`) }) }) @@ -512,7 +512,7 @@ http { f.WaitForNginxServer(anotherHost, func(server string) bool { - return strings.Contains(server, "server_name "+anotherHost) + return strings.Contains(server, fmt.Sprintf(`server_name "%s"`, anotherHost)) }) f.HTTPTestClient(). @@ -694,7 +694,7 @@ http { f.EnsureIngress(ing) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name auth") + return strings.Contains(server, `server_name "auth"`) }) }) @@ -732,7 +732,7 @@ http { f.WaitForNginxServer(anotherHost, func(server string) bool { - return strings.Contains(server, "server_name "+anotherHost) + return strings.Contains(server, fmt.Sprintf(`server_name "%s"`, anotherHost)) }) f.HTTPTestClient(). @@ -763,14 +763,14 @@ http { fooIng := framework.NewSingleIngress(fmt.Sprintf("foo-%s-ing", host), fooPath, host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(fooIng) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "location /foo") + return strings.Contains(server, `location "/foo/"`) }) ginkgo.By("Adding an ingress rule for /bar") barIng := framework.NewSingleIngress(fmt.Sprintf("bar-%s-ing", host), barPath, host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(barIng) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "location /bar") + return strings.Contains(server, `location "/bar/"`) }) } @@ -880,7 +880,7 @@ http { f.EnsureIngress(ing) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name auth") + return strings.Contains(server, `server_name "auth"`) }) }) diff --git a/test/e2e/annotations/canary.go b/test/e2e/annotations/canary.go index ea733dbf43..26f7dfa9d7 100644 
--- a/test/e2e/annotations/canary.go +++ b/test/e2e/annotations/canary.go @@ -57,7 +57,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) canaryAnnotations := map[string]string{ @@ -126,7 +126,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server,"server_name foo") + return strings.Contains(server, `server_name "foo"`) }) canaryAnnotations := map[string]string{ @@ -186,7 +186,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) canaryAnnotations := map[string]string{ @@ -261,7 +261,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) ginkgo.By("routing requests destined for the mainline ingress to the mainelin upstream") @@ -301,7 +301,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) canaryAnnotations := map[string]string{ @@ -335,7 +335,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) ginkgo.By("routing requests destined fro the mainline ingress to the mainline upstream") 
@@ -375,7 +375,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) canaryAnnotations := map[string]string{ @@ -396,7 +396,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) newAnnotations := map[string]string{ @@ -415,7 +415,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) ginkgo.By("routing requests destined for the mainline ingress to the mainline upstream") @@ -456,7 +456,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) canaryAnnotations := map[string]string{ @@ -525,7 +525,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) canaryAnnotations := map[string]string{ @@ -606,7 +606,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) canaryAnnotations := map[string]string{ 
@@ -659,7 +659,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) canaryAnnotations := map[string]string{ @@ -704,7 +704,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) canaryAnnotations := map[string]string{ @@ -753,7 +753,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) canaryAnnotations := map[string]string{ @@ -802,7 +802,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) canaryAnnotations := map[string]string{ @@ -874,7 +874,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) canaryIngName := fmt.Sprintf("%v-canary", host) @@ -894,7 +894,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) f.HTTPTestClient(). @@ -922,7 +922,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) canaryIngName := fmt.Sprintf("%v-canary", host) 
@@ -964,7 +964,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) canaryIngName := fmt.Sprintf("%v-canary", host) @@ -1007,7 +1007,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) canaryIngName := fmt.Sprintf("%v-canary", host) @@ -1043,7 +1043,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) canaryIngName := fmt.Sprintf("%v-canary", host) @@ -1129,8 +1129,8 @@ var _ = framework.DescribeAnnotation("canary-*", func() { nil)) f.WaitForNginxConfiguration(func(cfg string) bool { - return strings.Contains(cfg, "server_name "+otherHost) && - !strings.Contains(cfg, "server_name "+host) + return strings.Contains(cfg, fmt.Sprintf(`server_name "%v"`, otherHost)) && + !strings.Contains(cfg, fmt.Sprintf(`server_name "%v"`, host)) }) }) }) @@ -1163,7 +1163,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) }) @@ -1189,7 +1189,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) // Canary weight is 1% to ensure affinity cookie does its job. 
@@ -1256,7 +1256,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) // Canary weight is 1% to ensure affinity cookie does its job. @@ -1324,7 +1324,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) // Canary weight is 50% to ensure requests are going there. diff --git a/test/e2e/annotations/customheaders.go b/test/e2e/annotations/customheaders.go index 274ce8278c..66f371df37 100644 --- a/test/e2e/annotations/customheaders.go +++ b/test/e2e/annotations/customheaders.go @@ -43,7 +43,7 @@ var _ = framework.DescribeAnnotation("custom-headers-*", func() { f.WaitForNginxServer(customHeaderHost, func(server string) bool { - return strings.Contains(server, "server_name custom-headers") + return strings.Contains(server, `server_name "custom-headers"`) }) f.HTTPTestClient(). @@ -64,7 +64,7 @@ var _ = framework.DescribeAnnotation("custom-headers-*", func() { f.WaitForNginxServer(customHeaderHost, func(server string) bool { - return strings.Contains(server, "server_name custom-headers") + return strings.Contains(server, `server_name "custom-headers"`) }) f.HTTPTestClient(). diff --git a/test/e2e/annotations/customhttperrors.go b/test/e2e/annotations/customhttperrors.go index 37a3e9695f..8e8011173f 100644 --- a/test/e2e/annotations/customhttperrors.go +++ b/test/e2e/annotations/customhttperrors.go 
@@ -53,7 +53,7 @@ var _ = framework.DescribeAnnotation("custom-http-errors", func() { var serverConfig string f.WaitForNginxServer(host, func(sc string) bool { serverConfig = sc - return strings.Contains(serverConfig, fmt.Sprintf("server_name %s", host)) + return strings.Contains(serverConfig, fmt.Sprintf(`server_name "%s"`, host)) }) ginkgo.By("turning on proxy_intercept_errors directive") @@ -94,7 +94,7 @@ var _ = framework.DescribeAnnotation("custom-http-errors", func() { f.WaitForNginxServer(host, func(sc string) bool { serverConfig = sc - return strings.Contains(serverConfig, "location /else") + return strings.Contains(serverConfig, `location "/else/"`) }) count := strings.Count(serverConfig, fmt.Sprintf("location %s", errorBlockName("upstream-default-backend", "503"))) assert.Equal(ginkgo.GinkgoT(), count, 1) diff --git a/test/e2e/annotations/default_backend.go b/test/e2e/annotations/default_backend.go index 72ca303b57..407876c99c 100644 --- a/test/e2e/annotations/default_backend.go +++ b/test/e2e/annotations/default_backend.go @@ -45,7 +45,7 @@ var _ = framework.DescribeAnnotation("default-backend", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, host)) }) requestID := "something-unique" diff --git a/test/e2e/annotations/disableproxyintercepterrors.go b/test/e2e/annotations/disableproxyintercepterrors.go index 17efa45884..f78bbb9f28 100644 --- a/test/e2e/annotations/disableproxyintercepterrors.go +++ b/test/e2e/annotations/disableproxyintercepterrors.go 
@@ -51,7 +51,7 @@ var _ = framework.DescribeAnnotation("disable-proxy-intercept-errors", func() { var serverConfig string f.WaitForNginxServer(host, func(sc string) bool { serverConfig = sc - return strings.Contains(serverConfig, fmt.Sprintf("server_name %s", host)) + return strings.Contains(serverConfig, fmt.Sprintf(`server_name "%s"`, host)) }) ginkgo.By("turning off proxy_intercept_errors directive") diff --git a/test/e2e/annotations/fromtowwwredirect.go b/test/e2e/annotations/fromtowwwredirect.go index a3fb3b9b5d..c54a87b20b 100644 --- a/test/e2e/annotations/fromtowwwredirect.go +++ b/test/e2e/annotations/fromtowwwredirect.go @@ -48,7 +48,7 @@ var _ = framework.DescribeAnnotation("from-to-www-redirect", func() { f.WaitForNginxConfiguration( func(cfg string) bool { - return strings.Contains(cfg, `server_name www.fromtowwwredirect.bar.com;`) && + return strings.Contains(cfg, `server_name "www.fromtowwwredirect.bar.com";`) && strings.Contains(cfg, `return 308 $redirect_to;`) }) @@ -87,7 +87,7 @@ var _ = framework.DescribeAnnotation("from-to-www-redirect", func() { f.WaitForNginxServer(toHost, func(server string) bool { - return strings.Contains(server, fmt.Sprintf(`server_name %v;`, toHost)) && + return strings.Contains(server, fmt.Sprintf(`server_name "%v";`, toHost)) && strings.Contains(server, `return 308 $redirect_to;`) }) diff --git a/test/e2e/annotations/limitconnections.go b/test/e2e/annotations/limitconnections.go index 7d00b6df06..2caa03d3bb 100644 --- a/test/e2e/annotations/limitconnections.go +++ b/test/e2e/annotations/limitconnections.go 
@@ -41,7 +41,7 @@ var _ = framework.DescribeAnnotation("Annotation - limit-connections", func() { ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.SlowEchoService, 80, nil) f.EnsureIngress(ing) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) // limit connections diff --git a/test/e2e/annotations/proxyssl.go b/test/e2e/annotations/proxyssl.go index 898cbed480..8d5aa39f75 100644 --- a/test/e2e/annotations/proxyssl.go +++ b/test/e2e/annotations/proxyssl.go @@ -220,6 +220,6 @@ func assertProxySSL(f *framework.Framework, host, sslName, ciphers, protocols, v return c } - return c && strings.Contains(server, fmt.Sprintf("proxy_ssl_server_name %s;", proxySSLServerName)) + return c && strings.Contains(server, fmt.Sprintf(`proxy_ssl_server_name %s;`, proxySSLServerName)) }) } diff --git a/test/e2e/annotations/relativeredirects.go b/test/e2e/annotations/relativeredirects.go index 430b357e47..ba82ceafa2 100644 --- a/test/e2e/annotations/relativeredirects.go +++ b/test/e2e/annotations/relativeredirects.go @@ -51,7 +51,7 @@ var _ = framework.DescribeAnnotation("relative-redirects", func() { var serverConfig string f.WaitForNginxServer(relativeRedirectsHostname, func(srvCfg string) bool { serverConfig = srvCfg - return strings.Contains(serverConfig, fmt.Sprintf("server_name %s", relativeRedirectsHostname)) + return strings.Contains(serverConfig, fmt.Sprintf(`server_name "%s"`, relativeRedirectsHostname)) }) ginkgo.By("turning off absolute_redirect directive") 
@@ -70,7 +70,7 @@ var _ = framework.DescribeAnnotation("relative-redirects", func() { f.EnsureIngress(ing) f.WaitForNginxServer(relativeRedirectsHostname, func(srvCfg string) bool { - return strings.Contains(srvCfg, fmt.Sprintf("server_name %s", relativeRedirectsHostname)) + return strings.Contains(srvCfg, fmt.Sprintf(`server_name "%s"`, relativeRedirectsHostname)) }) ginkgo.By("sending request to redirected URL path") @@ -93,7 +93,7 @@ var _ = framework.DescribeAnnotation("relative-redirects", func() { f.EnsureIngress(ing) f.WaitForNginxServer(relativeRedirectsHostname, func(srvCfg string) bool { - return strings.Contains(srvCfg, fmt.Sprintf("server_name %s", relativeRedirectsHostname)) + return strings.Contains(srvCfg, fmt.Sprintf(`server_name "%s"`, relativeRedirectsHostname)) }) ginkgo.By("sending request to redirected URL path") diff --git a/test/e2e/annotations/rewrite.go b/test/e2e/annotations/rewrite.go index 173df29f00..b2e2c2b3c7 100644 --- a/test/e2e/annotations/rewrite.go +++ b/test/e2e/annotations/rewrite.go @@ -119,7 +119,7 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "location /foo/ {") + return strings.Contains(server, `location "/foo/" {`) }) ginkgo.By(`creating an ingress definition with the use-regex amd rewrite-target annotation`) diff --git a/test/e2e/annotations/satisfy.go b/test/e2e/annotations/satisfy.go index 6ba6db33ee..b61f701916 100644 --- a/test/e2e/annotations/satisfy.go +++ b/test/e2e/annotations/satisfy.go @@ -103,7 +103,7 @@ var _ = framework.DescribeAnnotation("satisfy", func() { f.EnsureIngress(ing) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name auth") + return strings.Contains(server, `server_name "auth"`) }) // with basic auth cred 
diff --git a/test/e2e/annotations/serviceupstream.go b/test/e2e/annotations/serviceupstream.go index 1d80f304a8..1632c4a13c 100644 --- a/test/e2e/annotations/serviceupstream.go +++ b/test/e2e/annotations/serviceupstream.go @@ -47,7 +47,7 @@ var _ = framework.DescribeAnnotation("service-upstream", func() { f.EnsureIngress(ing) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s"`, host)) }) ginkgo.By("checking if the service is reached") @@ -75,7 +75,7 @@ var _ = framework.DescribeAnnotation("service-upstream", func() { f.EnsureIngress(ing) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s"`, host)) }) ginkgo.By("checking if the service is reached") @@ -105,7 +105,7 @@ var _ = framework.DescribeAnnotation("service-upstream", func() { f.EnsureIngress(ing) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s"`, host)) }) ginkgo.By("checking if the service is reached") diff --git a/test/e2e/annotations/upstreamhashby.go b/test/e2e/annotations/upstreamhashby.go index 1b81066627..ed56355dea 100644 --- a/test/e2e/annotations/upstreamhashby.go +++ b/test/e2e/annotations/upstreamhashby.go @@ -36,7 +36,7 @@ func startIngress(f *framework.Framework, annotations map[string]string) map[str f.EnsureIngress(ing) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated 
diff --git a/test/e2e/defaultbackend/default_backend.go b/test/e2e/defaultbackend/default_backend.go index 9368780003..976a6e4f8d 100644 --- a/test/e2e/defaultbackend/default_backend.go +++ b/test/e2e/defaultbackend/default_backend.go @@ -86,9 +86,6 @@ var _ = framework.IngressNginxDescribe("[Default Backend]", func() { }) ginkgo.It("enables access logging for default backend", func() { - // TODO: fix - ginkgo.Skip("enable-access-log-for-default-backend") - f.UpdateNginxConfigMapData("enable-access-log-for-default-backend", "true") f.HTTPTestClient(). @@ -103,9 +100,6 @@ var _ = framework.IngressNginxDescribe("[Default Backend]", func() { }) ginkgo.It("disables access logging for default backend", func() { - // TODO: fix - ginkgo.Skip("enable-access-log-for-default-backend") - // enable-access-log-for-default-backend is false by default, setting the value to false do not trigger a reload f.UpdateNginxConfigMapData("enable-access-log-for-default-backend", "true") f.UpdateNginxConfigMapData("enable-access-log-for-default-backend", "false") diff --git a/test/e2e/disableleaderelection/disable_leader.go b/test/e2e/disableleaderelection/disable_leader.go index fd7369dfb1..d1ca55e741 100644 --- a/test/e2e/disableleaderelection/disable_leader.go +++ b/test/e2e/disableleaderelection/disable_leader.go @@ -45,13 +45,13 @@ var _ = framework.IngressNginxDescribe("[Disable Leader] Routing works when lead f.WaitForNginxServer(host1, func(server string) bool { return strings.Contains(server, host1) && - strings.Contains(server, "location /foo") + strings.Contains(server, `location "/foo/"`) }) f.WaitForNginxServer(host2, func(server string) bool { return strings.Contains(server, host2) && - strings.Contains(server, "location /ping") + strings.Contains(server, `location "/ping/"`) }) f.HTTPTestClient(). diff --git a/test/e2e/endpointslices/longname.go b/test/e2e/endpointslices/longname.go index b2242daacc..48b41e30aa 100644 --- a/test/e2e/endpointslices/longname.go 
+++ b/test/e2e/endpointslices/longname.go @@ -41,7 +41,7 @@ var _ = framework.IngressNginxDescribe("[Endpointslices] long service name", fun f.EnsureIngress(ing) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s"`, host)) }) ginkgo.By("checking if the service is reached") diff --git a/test/e2e/endpointslices/topology.go b/test/e2e/endpointslices/topology.go index 70f7ff86b5..ac91b51e2c 100644 --- a/test/e2e/endpointslices/topology.go +++ b/test/e2e/endpointslices/topology.go @@ -45,7 +45,7 @@ var _ = framework.IngressNginxDescribeSerial("[TopologyHints] topology aware rou f.EnsureIngress(ing) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s"`, host)) }) ginkgo.By("checking if the service is reached") diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go index f6ac6222bd..0cdfb039cb 100644 --- a/test/e2e/framework/deployment.go +++ b/test/e2e/framework/deployment.go @@ -47,7 +47,7 @@ const NIPService = "external-nip" var HTTPBunImage = os.Getenv("HTTPBUN_IMAGE") // EchoImage is the default image to be used by the echo service -const EchoImage = "registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.3@sha256:77e8f7aa7e5651409cbe4ca38430e61828873c7df325e6f83c7345e34011f6b2" //#nosec G101 +const EchoImage = "registry.k8s.io/ingress-nginx/e2e-test-echo:v1.2.9@sha256:9920d084b452b38ee663005a455aa7ed12c15afa512741ea9596e206a189bdf0" //#nosec G101 // TODO: change all Deployment functions to use these options // in order to reduce complexity and have a unified API across the 
@@ -158,7 +158,7 @@ func (f *Framework) NewEchoDeployment(opts ...func(*deploymentOptions)) { assert.Nil(ginkgo.GinkgoT(), err, "waiting for endpoints to become ready") } -// BuildNipHost used to generate a nip host for DNS resolving +// BuildNIPHost used to generate a nip host for DNS resolving func BuildNIPHost(ip string) string { return fmt.Sprintf("%s.nip.io", ip) } diff --git a/test/e2e/framework/fastcgi_helloserver.go b/test/e2e/framework/fastcgi_helloserver.go index 325810aeb3..c151dd0fcb 100644 --- a/test/e2e/framework/fastcgi_helloserver.go +++ b/test/e2e/framework/fastcgi_helloserver.go @@ -59,7 +59,7 @@ func (f *Framework) NewNewFastCGIHelloServerDeploymentWithReplicas(replicas int3 Containers: []corev1.Container{ { Name: "fastcgi-helloserver", - Image: "registry.k8s.io/ingress-nginx/fastcgi-helloserver:v1.1.3@sha256:c150b9db05d67312168ff7a07c0b6cbf39f0339a6adfef945f8d4c16fc4d588e", + Image: "registry.k8s.io/ingress-nginx/fastcgi-helloserver:v1.2.9@sha256:0e3d0f312967bec687cc335accb989a6b72e3faa20c1d71e4e77ab842320b9c6", Env: []corev1.EnvVar{}, Ports: []corev1.ContainerPort{ { diff --git a/test/e2e/framework/k8s.go b/test/e2e/framework/k8s.go index 7c067421d9..4d413e4b47 100644 --- a/test/e2e/framework/k8s.go +++ b/test/e2e/framework/k8s.go 
@@ -144,8 +144,7 @@ func (f *Framework) EnsureDeployment(deployment *appsv1.Deployment) *appsv1.Depl // waitForPodsReady waits for a given amount of time until a group of Pods is running in the given namespace. func waitForPodsReady(kubeClientSet kubernetes.Interface, timeout time.Duration, expectedReplicas int, namespace string, opts *metav1.ListOptions) error { - //nolint:staticcheck // TODO: will replace it since wait.PollImmediate is deprecated - return wait.PollImmediate(1*time.Second, timeout, func() (bool, error) { + return wait.PollUntilContextTimeout(context.Background(), 1*time.Second, timeout, true, func(_ context.Context) (bool, error) { pl, err := kubeClientSet.CoreV1().Pods(namespace).List(context.TODO(), *opts) if err != nil { return false, nil @@ -172,8 +171,7 @@ func waitForPodsReady(kubeClientSet kubernetes.Interface, timeout time.Duration, // waitForPodsDeleted waits for a given amount of time until a group of Pods are deleted in the given namespace. func waitForPodsDeleted(kubeClientSet kubernetes.Interface, timeout time.Duration, namespace string, opts *metav1.ListOptions) error { - //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated - return wait.Poll(Poll, timeout, func() (bool, error) { + return wait.PollUntilContextTimeout(context.Background(), Poll, timeout, true, func(_ context.Context) (bool, error) { pl, err := kubeClientSet.CoreV1().Pods(namespace).List(context.TODO(), *opts) if err != nil { return false, nil 
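Review bot: The new condition callback in waitForPodsReady discards the context that `wait.PollUntilContextTimeout` passes in (`func(_ context.Context)`), and the `List` call inside it still uses `context.TODO()`. Unless the client has its own timeout, an API request that hangs is therefore not bounded by `timeout`. Naming the parameter and passing it down ties each request to the poll deadline: `func(ctx context.Context) (bool, error) {` and `List(ctx, *opts)`. The same pattern appears in the waitForPodsDeleted hunk that follows and in the WaitForEndpoints and getIngressNGINXPod hunks of this file. Both function bodies continue outside the hunks.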
@@ -192,8 +190,8 @@ func WaitForEndpoints(kubeClientSet kubernetes.Interface, timeout time.Duration, if expectedEndpoints == 0 { return nil } - //nolint:staticcheck // TODO: will replace it since wait.PollImmediate is deprecated - return wait.PollImmediate(Poll, timeout, func() (bool, error) { + + err := wait.PollUntilContextTimeout(context.Background(), Poll, timeout, true, func(_ context.Context) (bool, error) { endpoint, err := kubeClientSet.CoreV1().Endpoints(ns).Get(context.TODO(), name, metav1.GetOptions{}) if k8sErrors.IsNotFound(err) { return false, nil @@ -207,6 +205,8 @@ func WaitForEndpoints(kubeClientSet kubernetes.Interface, timeout time.Duration, return false, nil }) + + return err } func countReadyEndpoints(e *core.Endpoints) int { @@ -254,8 +254,9 @@ func isPodReady(p *core.Pod) bool { // getIngressNGINXPod returns the ingress controller running pod func getIngressNGINXPod(ns string, kubeClientSet kubernetes.Interface) (*core.Pod, error) { var pod *core.Pod - //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated - err := wait.Poll(1*time.Second, DefaultTimeout, func() (bool, error) { + ctx, cancel := context.WithTimeout(context.Background(), DefaultTimeout) + defer cancel() + err := wait.PollUntilContextTimeout(ctx, 1*time.Second, DefaultTimeout, true, func(_ context.Context) (bool, error) { l, err := kubeClientSet.CoreV1().Pods(ns).List(context.TODO(), metav1.ListOptions{ LabelSelector: "app.kubernetes.io/name=ingress-nginx", }) @@ -281,8 +282,7 @@ func getIngressNGINXPod(ns string, kubeClientSet kubernetes.Interface) (*core.Po return false, nil }) if err != nil { - //nolint:staticcheck // TODO: will replace it since wait.ErrWaitTimeout is deprecated - if err == wait.ErrWaitTimeout { + if ctx.Err() == context.DeadlineExceeded { return nil, fmt.Errorf("timeout waiting at least one ingress-nginx pod running in namespace %v", ns) } 
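Review bot: In getIngressNGINXPod the timeout branch tests `ctx.Err() == context.DeadlineExceeded` on the outer context instead of inspecting the error the poll returned. An error returned by the condition after the deadline has passed would then be reported as a timeout, and the check only works because the outer and inner deadlines happen to coincide. `wait.PollUntilContextTimeout` already applies `DefaultTimeout` itself, so the extra `context.WithTimeout` wrapper is redundant. Passing `context.Background()` and checking `if wait.Interrupted(err) {` keeps the meaning of the old `wait.ErrWaitTimeout` comparison. The function body between the two hunks is not shown, so whether the condition ever returns a non-nil error cannot be confirmed from here.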
diff --git a/test/e2e/framework/metrics.go b/test/e2e/framework/metrics.go index 774f1bd7e5..cb1aefe981 100644 --- a/test/e2e/framework/metrics.go +++ b/test/e2e/framework/metrics.go @@ -22,6 +22,7 @@ import ( dto "github.com/prometheus/client_model/go" "github.com/prometheus/common/expfmt" + "github.com/prometheus/common/model" ) // GetMetric returns the current prometheus metric exposed by NGINX @@ -42,7 +43,7 @@ func (f *Framework) GetMetric(metricName, ip string) (*dto.MetricFamily, error) return nil, fmt.Errorf("GET request for URL %q returned HTTP status %s", url, resp.Status) } - var parser expfmt.TextParser + parser := expfmt.NewTextParser(model.UTF8Validation) metrics, err := parser.TextToMetricFamilies(resp.Body) if err != nil { return nil, fmt.Errorf("reading text format failed: %v", err) diff --git a/test/e2e/gracefulshutdown/shutdown.go b/test/e2e/gracefulshutdown/shutdown.go index e9883338f1..65673bf6b2 100644 --- a/test/e2e/gracefulshutdown/shutdown.go +++ b/test/e2e/gracefulshutdown/shutdown.go @@ -42,7 +42,7 @@ var _ = framework.IngressNginxDescribe("[Shutdown] ingress controller", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name shutdown") + return strings.Contains(server, `server_name "shutdown"`) }) f.HTTPTestClient(). @@ -77,7 +77,7 @@ var _ = framework.IngressNginxDescribe("[Shutdown] ingress controller", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name shutdown") + return strings.Contains(server, `server_name "shutdown"`) }) startTime := time.Now() @@ -122,7 +122,7 @@ var _ = framework.IngressNginxDescribe("[Shutdown] ingress controller", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name shutdown") + return strings.Contains(server, `server_name "shutdown"`) }) startTime := time.Now() 
diff --git a/test/e2e/ingress/deep_inspection.go b/test/e2e/ingress/deep_inspection.go index 8869665fbf..ebb20b8030 100644 --- a/test/e2e/ingress/deep_inspection.go +++ b/test/e2e/ingress/deep_inspection.go @@ -42,8 +42,8 @@ var _ = framework.IngressNginxDescribe("[Ingress] DeepInspection", func() { f.WaitForNginxServer(host, func(server string) bool { return strings.Contains(server, host) && - strings.Contains(server, "location /xpto") && - !strings.Contains(server, "location /bla") + strings.Contains(server, `location "/xpto/"`) && + !strings.Contains(server, `location "/bla/"`) }) f.HTTPTestClient(). diff --git a/test/e2e/ingress/pathtype_exact.go b/test/e2e/ingress/pathtype_exact.go index 2660e32a45..339835a8bc 100644 --- a/test/e2e/ingress/pathtype_exact.go +++ b/test/e2e/ingress/pathtype_exact.go @@ -59,8 +59,8 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] exact", func() { f.WaitForNginxServer(host, func(server string) bool { return strings.Contains(server, host) && - strings.Contains(server, "location = /exact") && - strings.Contains(server, "location /exact/") + strings.Contains(server, `location = "/exact"`) && + strings.Contains(server, `location "/exact/"`) }) body := f.HTTPTestClient(). @@ -97,8 +97,8 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] exact", func() { f.WaitForNginxServer(host, func(server string) bool { return strings.Contains(server, host) && - strings.Contains(server, "location = /exact") && - strings.Contains(server, "location /exact/") + strings.Contains(server, `location = "/exact"`) && + strings.Contains(server, `location "/exact/"`) }) body = f.HTTPTestClient(). diff --git a/test/e2e/ingress/pathtype_mixed.go b/test/e2e/ingress/pathtype_mixed.go index 3212089c90..602206bd0d 100644 --- a/test/e2e/ingress/pathtype_mixed.go +++ b/test/e2e/ingress/pathtype_mixed.go 
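Review bot: The updated predicates in the path-type tests (`location = "/exact"`, `location "/exact/"`) only confirm that a plain path is rendered inside double quotes. Nothing in these hunks checks the case where the path itself contains a `"` or a backslash. If the quoting was introduced so that Ingress-supplied values stay inside the directive argument, an e2e case would pin that property by asserting such a path is either rejected at admission or rendered escaped within one quoted argument. Unit tests elsewhere in the change may already cover this; they are not visible here.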
@@ -58,8 +58,8 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi f.WaitForNginxServer(host, func(server string) bool { return strings.Contains(server, host) && - strings.Contains(server, "location = /") && - strings.Contains(server, "location /") + strings.Contains(server, `location = "/"`) && + strings.Contains(server, `location "/"`) }) ginkgo.By("Checking exact request to /") @@ -104,8 +104,8 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi f.WaitForNginxServer(host, func(server string) bool { return strings.Contains(server, host) && - strings.Contains(server, "location = /foo") && - strings.Contains(server, "location /foo/") + strings.Contains(server, `location = "/foo"`) && + strings.Contains(server, `location "/foo/"`) }) ginkgo.By("Checking exact request to /foo") diff --git a/test/e2e/ingress/pathtype_prefix.go b/test/e2e/ingress/pathtype_prefix.go index ce11ca8bfe..7827e0f6cc 100644 --- a/test/e2e/ingress/pathtype_prefix.go +++ b/test/e2e/ingress/pathtype_prefix.go @@ -41,7 +41,7 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] prefix checks", fun f.WaitForNginxServer(host, func(server string) bool { return strings.Contains(server, host) && - strings.Contains(server, "location /aaa") + strings.Contains(server, `location "/aaa/"`) }) f.HTTPTestClient(). diff --git a/test/e2e/leaks/lua_ssl.go b/test/e2e/leaks/lua_ssl.go index 88285ba4b6..a2dde0334f 100644 --- a/test/e2e/leaks/lua_ssl.go +++ b/test/e2e/leaks/lua_ssl.go @@ -79,7 +79,7 @@ func provisionIngress(hostname string, f *framework.Framework) { f.WaitForNginxServer(hostname, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v", hostname)) && + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, hostname)) && strings.Contains(server, "listen 443") }) } diff --git a/test/e2e/loadbalance/configmap.go b/test/e2e/loadbalance/configmap.go index 737cd06dd4..2e38e277e5 100644 
--- a/test/e2e/loadbalance/configmap.go +++ b/test/e2e/loadbalance/configmap.go @@ -42,7 +42,7 @@ var _ = framework.DescribeSetting("[Load Balancer] load-balance", func() { f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name load-balance.com") + return strings.Contains(server, `server_name "load-balance.com"`) }) algorithm, err := f.GetLbAlgorithm(framework.EchoService, 80) diff --git a/test/e2e/loadbalance/ewma.go b/test/e2e/loadbalance/ewma.go index f457e63573..716e2641e3 100644 --- a/test/e2e/loadbalance/ewma.go +++ b/test/e2e/loadbalance/ewma.go @@ -46,7 +46,7 @@ var _ = framework.DescribeSetting("[Load Balancer] EWMA", func() { f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name load-balance.com") + return strings.Contains(server, `server_name "load-balance.com"`) }) algorithm, err := f.GetLbAlgorithm(framework.EchoService, 80) diff --git a/test/e2e/loadbalance/round_robin.go b/test/e2e/loadbalance/round_robin.go index 5f66671434..6f858583bb 100644 --- a/test/e2e/loadbalance/round_robin.go +++ b/test/e2e/loadbalance/round_robin.go @@ -42,7 +42,7 @@ var _ = framework.DescribeSetting("[Load Balancer] round-robin", func() { f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name load-balance.com") + return strings.Contains(server, `server_name "load-balance.com"`) }) re, err := regexp.Compile(fmt.Sprintf(`%v.*`, framework.EchoService)) diff --git a/test/e2e/lua/dynamic_configuration.go b/test/e2e/lua/dynamic_configuration.go index a5e2196cef..578f5c2cda 100644 --- a/test/e2e/lua/dynamic_configuration.go 
+++ b/test/e2e/lua/dynamic_configuration.go @@ -212,7 +212,7 @@ func createIngress(f *framework.Framework, host, deploymentName string) { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) && + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) && strings.Contains(server, "proxy_pass http://upstream_balancer;") }) } diff --git a/test/e2e/metrics/metrics.go b/test/e2e/metrics/metrics.go index bec09bb37c..a2479c10b2 100644 --- a/test/e2e/metrics/metrics.go +++ b/test/e2e/metrics/metrics.go @@ -43,7 +43,7 @@ var _ = framework.IngressNginxDescribe("[metrics] exported prometheus metrics", f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) && + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) && strings.Contains(server, "proxy_pass http://upstream_balancer;") }) }) diff --git a/test/e2e/run-chart-test.sh b/test/e2e/run-chart-test.sh index 29352e3702..e22c2d5a1b 100755 --- a/test/e2e/run-chart-test.sh +++ b/test/e2e/run-chart-test.sh @@ -62,7 +62,7 @@ export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/kind-config-$KIND_CLUSTER_NAME}" if [ "${SKIP_CLUSTER_CREATION:-false}" = "false" ]; then echo "[dev-env] creating Kubernetes cluster with kind" - export K8S_VERSION=${K8S_VERSION:-v1.33.1@sha256:050072256b9a903bd914c0b2866828150cb229cea0efe5892e2b644d5dd3b34f} + export K8S_VERSION=${K8S_VERSION:-v1.35.1@sha256:05d7bcdefbda08b4e038f644c4df690cdac3fba8b06f8289f30e10026720a1ab} kind create cluster \ --verbosity=${KIND_LOG_LEVEL} \ 
@@ -78,7 +78,7 @@ fi if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go install github.com/onsi/ginkgo/v2/ginkgo@v2.23.4 + go install github.com/onsi/ginkgo/v2/ginkgo@v2.28.1 fi echo "[dev-env] building image" make -C ${DIR}/../../ clean-image build image @@ -114,5 +114,5 @@ docker run \ --workdir /workdir \ --entrypoint ct \ --rm \ - registry.k8s.io/ingress-nginx/e2e-test-runner:v2.1.1@sha256:01201e647bae6c805c00e1b532734c48798c4577bde12ccfb3eca3c0d00b10fd \ + registry.k8s.io/ingress-nginx/e2e-test-runner:v2.2.9@sha256:6eda6a8d17ff65c5af647abb0714b882047b77d18161712d77daf5f610fd4020 \ install --charts charts/ingress-nginx diff --git a/test/e2e/run-kind-e2e.sh b/test/e2e/run-kind-e2e.sh index a1440660e2..a6ec380d46 100755 --- a/test/e2e/run-kind-e2e.sh +++ b/test/e2e/run-kind-e2e.sh @@ -63,7 +63,7 @@ echo "Running e2e with nginx base image ${NGINX_BASE_IMAGE}" if [ "${SKIP_CLUSTER_CREATION}" = "false" ]; then echo "[dev-env] creating Kubernetes cluster with kind" - export K8S_VERSION=${K8S_VERSION:-v1.33.1@sha256:050072256b9a903bd914c0b2866828150cb229cea0efe5892e2b644d5dd3b34f} + export K8S_VERSION=${K8S_VERSION:-v1.35.1@sha256:05d7bcdefbda08b4e038f644c4df690cdac3fba8b06f8289f30e10026720a1ab} # delete the cluster if it exists if kind get clusters | grep "${KIND_CLUSTER_NAME}"; then @@ -95,7 +95,7 @@ fi if [ "${SKIP_E2E_IMAGE_CREATION}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go install github.com/onsi/ginkgo/v2/ginkgo@v2.23.4 + go install github.com/onsi/ginkgo/v2/ginkgo@v2.28.1 fi echo "[dev-env] .. done building controller images" diff --git a/test/e2e/security/request_smuggling.go b/test/e2e/security/request_smuggling.go index 5ede02d4b5..36f2b72741 100644 --- a/test/e2e/security/request_smuggling.go +++ b/test/e2e/security/request_smuggling.go 
@@ -61,7 +61,7 @@ server { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, host)) }) out, err := smugglingRequest(host, f.GetNginxIP(), 80) diff --git a/test/e2e/servicebackend/service_nil_backend.go b/test/e2e/servicebackend/service_nil_backend.go index 9b5b4c7e62..7551047e4e 100644 --- a/test/e2e/servicebackend/service_nil_backend.go +++ b/test/e2e/servicebackend/service_nil_backend.go @@ -49,8 +49,8 @@ var _ = framework.IngressNginxDescribe("[Service] Nil Service Backend", func() { f.EnsureIngress(ing) f.WaitForNginxConfiguration(func(cfg string) bool { - return strings.Contains(cfg, "server_name nilbackend.svc.com") && - strings.Contains(cfg, "server_name valid.svc.com") + return strings.Contains(cfg, `server_name "nilbackend.svc.com"`) && + strings.Contains(cfg, `server_name "valid.svc.com"`) }) f.HTTPTestClient(). diff --git a/test/e2e/settings/badannotationvalues.go b/test/e2e/settings/badannotationvalues.go index aa9906909c..1295a262b3 100644 --- a/test/e2e/settings/badannotationvalues.go +++ b/test/e2e/settings/badannotationvalues.go @@ -50,7 +50,7 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { f.WaitForNginxServer(host, func(server string) bool { - return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return !strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) f.WaitForNginxServer(host, @@ -87,7 +87,7 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { f.WaitForNginxServer(host, func(server string) bool { - return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return !strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) f.WaitForNginxServer(host, 
@@ -120,7 +120,7 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { f.WaitForNginxServer(hostValid, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", hostValid)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, hostValid)) }) f.WaitForNginxServer(hostValid, @@ -153,7 +153,7 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { f.WaitForNginxServer(host, func(server string) bool { - return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return !strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) f.WaitForNginxServer(host, diff --git a/test/e2e/settings/brotli.go b/test/e2e/settings/brotli.go index aacaddec54..b0131797e3 100644 --- a/test/e2e/settings/brotli.go +++ b/test/e2e/settings/brotli.go @@ -46,7 +46,7 @@ var _ = framework.IngressNginxDescribe("brotli", func() { f.WaitForNginxConfiguration( func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v", host)) && + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, host)) && strings.Contains(server, "brotli on") && strings.Contains(server, fmt.Sprintf("brotli_types %v", contentEncoding)) && strings.Contains(server, fmt.Sprintf("brotli_min_length %d", brotliMinLength)) diff --git a/test/e2e/settings/disable_catch_all.go b/test/e2e/settings/disable_catch_all.go index 4e7a16f4de..ba717f9705 100644 --- a/test/e2e/settings/disable_catch_all.go +++ b/test/e2e/settings/disable_catch_all.go @@ -57,7 +57,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-catch-all", func() { f.EnsureIngress(ing) f.WaitForNginxServer(host, func(cfg string) bool { - return strings.Contains(cfg, "server_name foo") + return strings.Contains(cfg, `server_name "foo"`) }) f.WaitForNginxServer("_", func(cfg string) bool { 
@@ -86,7 +86,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-catch-all", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name foo") + return strings.Contains(server, `server_name "foo"`) }) f.HTTPTestClient(). @@ -110,7 +110,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-catch-all", func() { assert.Nil(ginkgo.GinkgoT(), err) f.WaitForNginxConfiguration(func(cfg string) bool { - return !strings.Contains(cfg, "server_name foo") + return !strings.Contains(cfg, `server_name "foo"`) }) f.HTTPTestClient(). @@ -127,7 +127,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-catch-all", func() { f.EnsureIngress(ing) f.WaitForNginxServer(host, func(cfg string) bool { - return strings.Contains(cfg, "server_name foo") + return strings.Contains(cfg, `server_name "foo"`) }) f.HTTPTestClient(). diff --git a/test/e2e/settings/disable_service_external_name.go b/test/e2e/settings/disable_service_external_name.go index 6028280897..06f0bed6d8 100644 --- a/test/e2e/settings/disable_service_external_name.go +++ b/test/e2e/settings/disable_service_external_name.go @@ -77,11 +77,11 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-service-external-name", f f.EnsureIngress(ing) f.WaitForNginxServer(nonexternalhost, func(cfg string) bool { - return strings.Contains(cfg, "server_name echo-svc.com") + return strings.Contains(cfg, `server_name "echo-svc.com"`) }) f.WaitForNginxServer(externalhost, func(cfg string) bool { - return strings.Contains(cfg, "server_name echo-external-svc.com") + return strings.Contains(cfg, `server_name "echo-external-svc.com"`) }) f.HTTPTestClient(). diff --git a/test/e2e/settings/disable_sync_events.go b/test/e2e/settings/disable_sync_events.go index 0d55c96e48..b0e5cc9303 100644 --- a/test/e2e/settings/disable_sync_events.go +++ b/test/e2e/settings/disable_sync_events.go 
@@ -41,7 +41,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-sync-events", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, host)) }) //nolint:goconst //string interpolation @@ -70,7 +70,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-sync-events", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, host)) }) events, err := f.KubeClientSet.CoreV1().Events(ing.Namespace).List(context.TODO(), metav1.ListOptions{FieldSelector: "reason=Sync,involvedObject.name=" + host}) @@ -98,7 +98,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-sync-events", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, host)) }) events, err := f.KubeClientSet.CoreV1().Events(ing.Namespace).List(context.TODO(), metav1.ListOptions{FieldSelector: "reason=Sync,involvedObject.name=" + host}) diff --git a/test/e2e/settings/enable_real_ip.go b/test/e2e/settings/enable_real_ip.go index c56a8aefa1..07b43d4a1f 100644 --- a/test/e2e/settings/enable_real_ip.go +++ b/test/e2e/settings/enable_real_ip.go @@ -48,7 +48,7 @@ var _ = framework.DescribeSetting("enable-real-ip", func() { f.WaitForNginxServer(host, func(server string) bool { //nolint:goconst //already a const - return strings.Contains(server, "server_name "+host) && + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, host)) && !strings.Contains(server, "proxy_set_header X-Forwarded-Proto $full_x_forwarded_proto;") }) 
@@ -86,7 +86,7 @@ var _ = framework.DescribeSetting("enable-real-ip", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name "+host) && + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, host)) && strings.Contains(server, "proxy_set_header X-Forwarded-Proto $pass_access_scheme;") }) diff --git a/test/e2e/settings/forwarded_headers.go b/test/e2e/settings/forwarded_headers.go index d0c29ebaa1..c13da3f297 100644 --- a/test/e2e/settings/forwarded_headers.go +++ b/test/e2e/settings/forwarded_headers.go @@ -48,7 +48,7 @@ var _ = framework.DescribeSetting("use-forwarded-headers", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name forwarded-headers") && + return strings.Contains(server, `server_name "forwarded-headers"`) && strings.Contains(server, "proxy_set_header X-Forwarded-Proto $pass_access_scheme;") }) @@ -101,7 +101,7 @@ var _ = framework.DescribeSetting("use-forwarded-headers", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name forwarded-headers") && + return strings.Contains(server, `server_name "forwarded-headers"`) && strings.Contains(server, "proxy_set_header X-Forwarded-Proto $pass_access_scheme;") }) diff --git a/test/e2e/settings/geoip2.go b/test/e2e/settings/geoip2.go index 9c6d59dc53..e5bdfd6c63 100644 --- a/test/e2e/settings/geoip2.go +++ b/test/e2e/settings/geoip2.go @@ -157,7 +157,7 @@ var _ = framework.DescribeSetting("Geoip2", func() { f.WaitForNginxServer(host, func(server string) bool { return strings.Contains(server, host) && - strings.Contains(server, "location /") + strings.Contains(server, `location "/"`) }) f.HTTPTestClient(). diff --git a/test/e2e/settings/global_external_auth.go b/test/e2e/settings/global_external_auth.go index f589a63e94..153ac7c736 100644 --- a/test/e2e/settings/global_external_auth.go +++ b/test/e2e/settings/global_external_auth.go 
@@ -69,7 +69,7 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { f.EnsureIngress(fooIng) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "location /foo") + return strings.Contains(server, `location "/foo/"`) }) ginkgo.By("Adding an ingress rule for /bar") @@ -77,7 +77,7 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { f.EnsureIngress(barIng) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "location /bar") + return strings.Contains(server, `location "/bar/"`) }) ginkgo.By("Adding a global-auth-url to configMap") @@ -137,7 +137,7 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "location /bar") + return strings.Contains(server, `location "/bar/"`) }) ginkgo.By("Sending a request to protected service /foo") @@ -315,7 +315,7 @@ http { f.EnsureIngress(ing2) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name "+host) + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, host)) }) }) diff --git a/test/e2e/settings/ingress_class.go b/test/e2e/settings/ingress_class.go index 80c09f80c3..61202ac447 100644 --- a/test/e2e/settings/ingress_class.go +++ b/test/e2e/settings/ingress_class.go @@ -86,8 +86,8 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { f.EnsureIngress(ing) f.WaitForNginxConfiguration(func(cfg string) bool { - return !strings.Contains(cfg, "server_name foo") && - strings.Contains(cfg, "server_name bar") + return !strings.Contains(cfg, `server_name "foo"`) && + strings.Contains(cfg, `server_name "bar"`) }) f.HTTPTestClient(). 
@@ -114,8 +114,8 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { f.EnsureIngress(ing) f.WaitForNginxConfiguration(func(cfg string) bool { - return !strings.Contains(cfg, "server_name foo-1") && - strings.Contains(cfg, "server_name bar-1") + return !strings.Contains(cfg, `server_name "foo-1"`) && + strings.Contains(cfg, `server_name "bar-1"`) }) f.HTTPTestClient(). @@ -146,8 +146,8 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { f.EnsureIngress(ing) f.WaitForNginxConfiguration(func(cfg string) bool { - return strings.Contains(cfg, "server_name foo-ok") && - strings.Contains(cfg, "server_name bar-ok") + return strings.Contains(cfg, `server_name "foo-ok"`) && + strings.Contains(cfg, `server_name "bar-ok"`) }) f.HTTPTestClient(). @@ -174,8 +174,8 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { f.EnsureIngress(ing) f.WaitForNginxConfiguration(func(cfg string) bool { - return !strings.Contains(cfg, "server_name foo-invalid") && - strings.Contains(cfg, "server_name bar-valid") + return !strings.Contains(cfg, `server_name "foo-invalid"`) && + strings.Contains(cfg, `server_name "bar-valid"`) }) f.HTTPTestClient(). @@ -206,8 +206,8 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { f.EnsureIngress(ing) f.WaitForNginxConfiguration(func(cfg string) bool { - return strings.Contains(cfg, "server_name foo-annotation") && - strings.Contains(cfg, "server_name foo-class") + return strings.Contains(cfg, `server_name "foo-annotation"`) && + strings.Contains(cfg, `server_name "foo-class"`) }) f.HTTPTestClient(). 
@@ -239,8 +239,8 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { framework.Sleep() f.WaitForNginxConfiguration(func(cfg string) bool { - return !strings.Contains(cfg, "server_name foo-annotation") && - !strings.Contains(cfg, "server_name foo-class") + return !strings.Contains(cfg, `server_name "foo-annotation"`) && + !strings.Contains(cfg, `server_name "foo-class"`) }) f.HTTPTestClient(). @@ -269,8 +269,8 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { f.EnsureIngress(ing) f.WaitForNginxConfiguration(func(cfg string) bool { - return !strings.Contains(cfg, "server_name foo-no-nnotation") && - !strings.Contains(cfg, "server_name foo-no-class") + return !strings.Contains(cfg, `server_name "foo-no-nnotation"`) && + !strings.Contains(cfg, `server_name "foo-no-class"`) }) f.HTTPTestClient(). @@ -305,8 +305,8 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { framework.Sleep() f.WaitForNginxConfiguration(func(cfg string) bool { - return strings.Contains(cfg, "server_name foo-no-annotation") && - strings.Contains(cfg, "server_name foo-no-class") + return strings.Contains(cfg, `server_name "foo-no-annotation"`) && + strings.Contains(cfg, `server_name "foo-no-class"`) }) f.HTTPTestClient(). @@ -336,8 +336,8 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { f.EnsureIngress(ing) f.WaitForNginxConfiguration(func(cfg string) bool { - return strings.Contains(cfg, "server_name foo-annotation2class") && - strings.Contains(cfg, "server_name foo-class2annotation") + return strings.Contains(cfg, `server_name "foo-annotation2class"`) && + strings.Contains(cfg, `server_name "foo-class2annotation"`) }) f.HTTPTestClient(). 
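Review bot: In the hunk at line 269 of test/e2e/settings/ingress_class.go the negated check still looks for `server_name "foo-no-nnotation"`, which appears to be a misspelling carried over from the old line; the hunk at line 305 uses `server_name "foo-no-annotation"`. If the Ingress host is spelled `foo-no-annotation`, this half of the condition can never match and the assertion is always satisfied, so it does not show that the host is absent from the configuration. The literal should then read `server_name "foo-no-annotation"`. The Ingress definition is outside the hunk, so check the host name there before changing it.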
@@ -371,8 +371,8 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { framework.Sleep() f.WaitForNginxConfiguration(func(cfg string) bool { - return strings.Contains(cfg, "server_name foo-annotation2class") && - strings.Contains(cfg, "server_name foo-class2annotation") + return strings.Contains(cfg, `server_name "foo-annotation2class"`) && + strings.Contains(cfg, `server_name "foo-class2annotation"`) }) f.HTTPTestClient(). @@ -433,9 +433,9 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { f.EnsureIngress(ing) f.WaitForNginxConfiguration(func(cfg string) bool { - return !strings.Contains(cfg, "server_name bar") && - strings.Contains(cfg, "server_name foo") && - strings.Contains(cfg, "server_name foobar123") + return !strings.Contains(cfg, `server_name "bar"`) && + strings.Contains(cfg, `server_name "foo"`) && + strings.Contains(cfg, `server_name "foobar123"`) }) f.HTTPTestClient(). @@ -495,8 +495,8 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { f.EnsureIngress(ing) f.WaitForNginxConfiguration(func(cfg string) bool { - return strings.Contains(cfg, "server_name bar") && - !strings.Contains(cfg, "server_name foo") + return strings.Contains(cfg, `server_name "bar"`) && + !strings.Contains(cfg, `server_name "foo"`) }) f.HTTPTestClient(). @@ -555,9 +555,9 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { f.EnsureIngress(ing) f.WaitForNginxConfiguration(func(cfg string) bool { - return strings.Contains(cfg, "server_name validhostclassname") && - strings.Contains(cfg, "server_name validhostclassspec") && - !strings.Contains(cfg, "server_name invalidannotation") + return strings.Contains(cfg, `server_name "validhostclassname"`) && + strings.Contains(cfg, `server_name "validhostclassspec"`) && + !strings.Contains(cfg, `server_name "invalidannotation"`) }) f.HTTPTestClient(). 
@@ -635,7 +635,7 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { f.EnsureIngress(ing) f.WaitForNginxConfiguration(func(cfg string) bool { - return strings.Contains(cfg, "server_name foo") + return strings.Contains(cfg, `server_name "foo"`) }) f.HTTPTestClient(). @@ -652,7 +652,7 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { f.EnsureIngress(ing) f.WaitForNginxConfiguration(func(cfg string) bool { - return !strings.Contains(cfg, "server_name noclassforyou") + return !strings.Contains(cfg, `server_name "noclassforyou"`) }) f.HTTPTestClient(). diff --git a/test/e2e/settings/limit_rate.go b/test/e2e/settings/limit_rate.go index 9d79dc3582..f7765d774f 100644 --- a/test/e2e/settings/limit_rate.go +++ b/test/e2e/settings/limit_rate.go @@ -41,7 +41,7 @@ var _ = framework.DescribeSetting("Configmap - limit-rate", func() { f.EnsureIngress(ing) f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%s" ;`, host)) }) wlKey := "limit-rate" diff --git a/test/e2e/settings/listen_nondefault_ports.go b/test/e2e/settings/listen_nondefault_ports.go index 9d3952227d..669c0fc4cf 100644 --- a/test/e2e/settings/listen_nondefault_ports.go +++ b/test/e2e/settings/listen_nondefault_ports.go @@ -48,7 +48,7 @@ var _ = framework.IngressNginxDescribe("[Flag] custom HTTP and HTTPS ports", fun f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name forwarded-headers") + return strings.Contains(server, `server_name "forwarded-headers"`) }) f.HTTPTestClient(). 
@@ -76,7 +76,7 @@ var _ = framework.IngressNginxDescribe("[Flag] custom HTTP and HTTPS ports", fun f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name forwarded-headers") + return strings.Contains(server, `server_name "forwarded-headers"`) }) f.HTTPTestClientWithTLSConfig(tlsConfig). @@ -110,7 +110,7 @@ var _ = framework.IngressNginxDescribe("[Flag] custom HTTP and HTTPS ports", fun f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name forwarded-headers") + return strings.Contains(server, `server_name "forwarded-headers"`) }) f.HTTPTestClientWithTLSConfig(tlsConfig). diff --git a/test/e2e/settings/namespace_selector.go b/test/e2e/settings/namespace_selector.go index 1da62ee863..553e77bd97 100644 --- a/test/e2e/settings/namespace_selector.go +++ b/test/e2e/settings/namespace_selector.go @@ -61,8 +61,8 @@ var _ = framework.IngressNginxDescribeSerial("[Flag] watch namespace selector", ginkgo.Context("With specific watch-namespace-selector flags", func() { ginkgo.It("should ignore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar", func() { f.WaitForNginxConfiguration(func(cfg string) bool { - return !strings.Contains(cfg, "server_name bar") && - strings.Contains(cfg, "server_name foo") + return !strings.Contains(cfg, `server_name "bar"`) && + strings.Contains(cfg, `server_name "foo"`) }) f.HTTPTestClient(). @@ -101,7 +101,7 @@ var _ = framework.IngressNginxDescribeSerial("[Flag] watch namespace selector", assert.Nil(ginkgo.GinkgoT(), err, "updating ingress") f.WaitForNginxConfiguration(func(cfg string) bool { - return strings.Contains(cfg, "server_name bar") + return strings.Contains(cfg, `server_name "bar"`) }) f.HTTPTestClient(). diff --git a/test/e2e/settings/ocsp/ocsp.go b/test/e2e/settings/ocsp/ocsp.go index 06ca7284f8..d8b0e9892e 100644 --- a/test/e2e/settings/ocsp/ocsp.go +++ b/test/e2e/settings/ocsp/ocsp.go 
@@ -115,7 +115,7 @@ var _ = framework.DescribeSetting("OCSP", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, fmt.Sprintf(`server_name %v`, host)) + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, host)) }) tlsConfig := &tls.Config{ServerName: host, InsecureSkipVerify: true} //nolint:gosec // Ignore the gosec error in testing @@ -297,7 +297,7 @@ func ocspserveDeployment(namespace string) (*appsv1.Deployment, *corev1.Service) Containers: []corev1.Container{ { Name: name, - Image: "registry.k8s.io/ingress-nginx/cfssl:v1.1.3@sha256:68defb0ae012e3023e81c525958e5e19a0fac64841f17f488c798a2f582b67a5", + Image: "registry.k8s.io/ingress-nginx/cfssl:v1.2.9@sha256:40abba2d26b5aba72bd40bbadde1a00eabf6dfbd7111c7dd40ebe0281e70bb93", Command: []string{ "/bin/bash", "-c", diff --git a/test/e2e/settings/proxy_host.go b/test/e2e/settings/proxy_host.go index bb5dc9c012..63b76597db 100644 --- a/test/e2e/settings/proxy_host.go +++ b/test/e2e/settings/proxy_host.go @@ -45,7 +45,7 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() { f.WaitForNginxConfiguration( func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v", test)) && + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, test)) && strings.Contains(server, "set $proxy_host $proxy_upstream_name") }) @@ -71,7 +71,7 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() { f.WaitForNginxConfiguration( func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v", test)) && + return strings.Contains(server, fmt.Sprintf(`server_name "%v"`, test)) && strings.Contains(server, "set $proxy_host $proxy_upstream_name") }) diff --git a/test/e2e/settings/proxy_protocol.go b/test/e2e/settings/proxy_protocol.go index fd507d25dd..5f190ec30f 100644 --- a/test/e2e/settings/proxy_protocol.go +++ b/test/e2e/settings/proxy_protocol.go 
@@ -55,7 +55,7 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name proxy-protocol") && + return strings.Contains(server, `server_name "proxy-protocol"`) && strings.Contains(server, "listen 80 proxy_protocol") }) @@ -92,7 +92,7 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name proxy-protocol") && + return strings.Contains(server, `server_name "proxy-protocol"`) && strings.Contains(server, "listen 80 proxy_protocol") }) @@ -244,7 +244,7 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name proxy-protocol") && + return strings.Contains(server, `server_name "proxy-protocol"`) && strings.Contains(server, "listen 80 proxy_protocol") }) @@ -283,7 +283,7 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name proxy-protocol") && + return strings.Contains(server, `server_name "proxy-protocol"`) && strings.Contains(server, "listen 80 proxy_protocol") }) diff --git a/test/e2e/settings/ssl_session_cache.go b/test/e2e/settings/ssl_session_cache.go new file mode 100644 index 0000000000..75b48d3f94 --- /dev/null +++ b/test/e2e/settings/ssl_session_cache.go 
@@ -0,0 +1,60 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package settings
+
+import (
+ "strings"
+
+ "github.com/onsi/ginkgo/v2"
+
+ "k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.DescribeSetting("ssl-session-cache", func() {
+ f := framework.NewDefaultFramework("ssl-session-cache")
+
+ ginkgo.It("should have default ssl_session_cache and ssl_session_timeout values", func() {
+ f.WaitForNginxConfiguration(func(cfg string) bool {
+ return strings.Contains(cfg, "ssl_session_cache shared:SSL:10m;") &&
+ strings.Contains(cfg, "ssl_session_timeout 10m;")
+ })
+ })
+
+ ginkgo.It("should disable ssl_session_cache", func() {
+ f.UpdateNginxConfigMapData("ssl-session-cache", "false")
+
+ f.WaitForNginxConfiguration(func(cfg string) bool {
+ return !strings.Contains(cfg, "ssl_session_cache")
+ })
+ })
+
+ ginkgo.It("should set ssl_session_cache value", func() {
+ f.UpdateNginxConfigMapData("ssl-session-cache-size", "20m")
+
+ f.WaitForNginxConfiguration(func(cfg string) bool {
+ return strings.Contains(cfg, "ssl_session_cache shared:SSL:20m;")
+ })
+ })
+
+ ginkgo.It("should set ssl_session_timeout value", func() {
+ f.UpdateNginxConfigMapData("ssl-session-timeout", "30m")
+
+ f.WaitForNginxConfiguration(func(cfg string) bool {
+ return strings.Contains(cfg, "ssl_session_timeout 30m;")
+ })
+ })
+})
diff --git a/test/e2e/settings/ssl_session_tickets.go b/test/e2e/settings/ssl_session_tickets.go
new file mode 100644
index 0000000000..b472d557ba
--- /dev/null
+++ b/test/e2e/settings/ssl_session_tickets.go
@@ -0,0 +1,53 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package settings
+
+import (
+ "strings"
+
+ "github.com/onsi/ginkgo/v2"
+
+ "k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.DescribeSetting("ssl-session-tickets", func() {
+ f := framework.NewDefaultFramework("ssl-session-tickets")
+
+ ginkgo.It("should have default ssl_session_tickets value", func() {
+ f.WaitForNginxConfiguration(func(cfg string) bool {
+ return strings.Contains(cfg, "ssl_session_tickets off;")
+ })
+ })
+
+ ginkgo.It("should set ssl_session_tickets value", func() {
+ f.UpdateNginxConfigMapData("ssl-session-tickets", "true")
+
+ f.WaitForNginxConfiguration(func(cfg string) bool {
+ return strings.Contains(cfg, "ssl_session_tickets on;")
+ })
+ })
+
+ ginkgo.It("should set ssl_session_tickets and ssl_session_ticket_key values", func() {
+ f.UpdateNginxConfigMapData("ssl-session-tickets", "true")
+ f.UpdateNginxConfigMapData("ssl-session-ticket-key", "WW9gcPHgfcrw6DNqY5VE2NjM6gtgUhJ4Vn6ZwRGi/7+A9TNFa4Fvfe1cmlPec9bxDoenN70aMBeZBlcrKshnKT4WJxFNLCuTHhfn4loTOEo=")
+
+ f.WaitForNginxConfiguration(func(cfg string) bool {
+ return strings.Contains(cfg, "ssl_session_tickets on;") &&
+ strings.Contains(cfg, "ssl_session_ticket_key /etc/ingress-controller/tickets.key;")
+ })
+ })
+})
diff --git a/test/e2e/ssl/http_redirect.go b/test/e2e/ssl/http_redirect.go
index 982dd4f6c6..9bd16731a5 100644
--- a/test/e2e/ssl/http_redirect.go
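Review bot: The `ssl-session-ticket-key` value in the third test of ssl_session_tickets.go is an inline base64 literal with nothing marking it as a throwaway, so secret scanners and later readers cannot tell it apart from real key material. A comment directly above the call would settle that, for example `// Test-only session ticket key generated for this suite; never use it in a deployment.` The same test asserts only that `ssl_session_ticket_key /etc/ingress-controller/tickets.key;` is rendered and does not look at the key file itself. If that is the intended scope, say so in the test description or a comment so the coverage is not over-read.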
+++ b/test/e2e/ssl/http_redirect.go @@ -40,7 +40,7 @@ var _ = framework.IngressNginxDescribe("[SSL] redirect to HTTPS", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name redirect.com") && + return strings.Contains(server, `server_name "redirect.com"`) && strings.Contains(server, "listen 443") && strings.Contains(server, "listen 80") }) diff --git a/test/e2e/ssl/secret_update.go b/test/e2e/ssl/secret_update.go index 8e81f09f9a..cb1fc50238 100644 --- a/test/e2e/ssl/secret_update.go +++ b/test/e2e/ssl/secret_update.go @@ -61,7 +61,7 @@ var _ = framework.IngressNginxDescribe("[SSL] secret update", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name ssl-update") && + return strings.Contains(server, `server_name "ssl-update"`) && strings.Contains(server, "listen 443") }) @@ -95,7 +95,7 @@ var _ = framework.IngressNginxDescribe("[SSL] secret update", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "server_name invalid-ssl") && + return strings.Contains(server, `server_name "invalid-ssl"`) && strings.Contains(server, "listen 443") }) //nolint:gosec // Ignore certificate validation in testing diff --git a/test/e2e/status/update.go b/test/e2e/status/update.go index c3c48f8d2a..cfbf7f0acb 100644 --- a/test/e2e/status/update.go +++ b/test/e2e/status/update.go @@ -75,7 +75,7 @@ var _ = framework.IngressNginxDescribe("[Status] status update", func() { f.WaitForNginxConfiguration( func(cfg string) bool { - return strings.Contains(cfg, fmt.Sprintf("server_name %s", host)) + return strings.Contains(cfg, fmt.Sprintf(`server_name "%s"`, host)) }) framework.Logf("waiting for leader election and initial status update") 
@@ -108,8 +108,7 @@ var _ = framework.IngressNginxDescribe("[Status] status update", func() { } }() - //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated - err = wait.Poll(5*time.Second, 4*time.Minute, func() (done bool, err error) { + err = wait.PollUntilContextTimeout(context.Background(), 5*time.Second, 4*time.Minute, true, func(_ context.Context) (done bool, err error) { ing, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{}) if err != nil { return false, nil diff --git a/test/e2e/tcpudp/tcp.go b/test/e2e/tcpudp/tcp.go index 856184d18b..fc84523a87 100644 --- a/test/e2e/tcpudp/tcp.go +++ b/test/e2e/tcpudp/tcp.go @@ -157,8 +157,7 @@ var _ = framework.IngressNginxDescribe("[TCP] tcp-services", func() { return false, nil }) - //nolint:staticcheck // TODO: will replace it since wait.ErrWaitTimeout is deprecated - if err == wait.ErrWaitTimeout { + if err != nil && errRetry != nil { err = errRetry }
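Review bot: In test/e2e/status/update.go the callback passed to `wait.PollUntilContextTimeout` discards its context (`func(_ context.Context)`), and the `Ingresses(f.Namespace).Get` call on the next line still uses `context.TODO()`, so an in-flight API request is not cancelled when the 4-minute deadline expires. Naming the parameter and passing it through, `func(ctx context.Context) (done bool, err error) {` with `Get(ctx, host, metav1.GetOptions{})`, ties the request to the poll's deadline. With `immediate` set to `true` the first check also runs at once instead of after the first 5-second interval as under `wait.Poll`; that looks harmless here but is a behaviour change worth a word in the commit message. The callback body continues outside the hunk.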
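Review bot: In test/e2e/tcpudp/tcp.go the new guard `if err != nil && errRetry != nil {` replaces any poll error with `errRetry`, whereas the removed line did so only on timeout (`err == wait.ErrWaitTimeout`). A failure returned for another reason would now be masked by the last retry error, which makes a failing run harder to diagnose. If the apimachinery version in use provides it, `if wait.Interrupted(err) && errRetry != nil {` keeps the timeout-only meaning without the deprecated sentinel. The poll call is outside the hunk, so confirm there which error it returns on timeout.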