DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Release controller 1.9.6 and helm 4.9.1 (#10919)

Browse source 
Signed-off-by: James Strong <strong.james.e@gmail.com>
This commit is contained in:
James Strong 2024-01-27 02:45:19 -05:00 committed by GitHub
parent e8699bfb92
commit 4e97379b4e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
29 changed files with 318 additions and 436 deletions
Download patch file Download diff file Expand all files Collapse all files

7
docs/user-guide/multiple-ingress.md
View file

@ -10,9 +10,7 @@ But, when user has deployed with `scope.enabled`, then the ingress class resourc
If all ingress controllers respect IngressClasses (e.g. multiple instances of ingress-nginx v1.0), you can deploy two Ingress controllers by granting them control over two different IngressClasses, then selecting one of the two IngressClasses with `ingressClassName`.
First, ensure the `--controller-class=` and `--ingress-class` are set to something different on each ingress controller, If your additional ingress controller is to be installed in a namespace, where there is/are one/more-than-one ingress-nginx-controller(s) already installed, then you need to specify a different unique `--election-id` for the new instance of the controller.
In addition, you need to specify `--ingress-class-by-name=true` in the controller args list. The `--ingress-class-by-name` defines if Ingress Controller should watch for Ingress Class by Name together with Controller Class. (default false).
First, ensure the `--controller-class=` and `--ingress-class` are set to something different on each ingress controller, If your additional ingress controller is to be installed in a namespace, where there is/are one/more-than-one ingress-nginx-controller(s) already installed, then you need to specify a different unique `--election-id` for the new instance of the controller.
```yaml
# ingress-nginx Deployment/Statefulset
@ -25,8 +23,7 @@ spec:
- /nginx-ingress-controller
- '--election-id=ingress-controller-leader'
- '--controller-class=k8s.io/internal-ingress-nginx'
- '--ingress-class=internal-nginx'
- '--ingress-class-by-name=true'
- '--ingress-class=k8s.io/internal-nginx'
...
```

29
docs/user-guide/nginx-configuration/annotations.md
View file

@ -50,7 +50,6 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
|[nginx.ingress.kubernetes.io/client-body-buffer-size](#client-body-buffer-size)|string|
|[nginx.ingress.kubernetes.io/configuration-snippet](#configuration-snippet)|string|
|[nginx.ingress.kubernetes.io/custom-http-errors](#custom-http-errors)|[]int|
|[nginx.ingress.kubernetes.io/disable-proxy-intercept-errors](#disable-proxy-intercept-errors)|"true" or "false"|
|[nginx.ingress.kubernetes.io/default-backend](#default-backend)|string|
|[nginx.ingress.kubernetes.io/enable-cors](#enable-cors)|"true" or "false"|
|[nginx.ingress.kubernetes.io/cors-allow-origin](#enable-cors)|string|
@ -317,8 +316,7 @@ nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Request-Id: $req_id";
```
!!! attention
Since version 1.9.0, `"configuration-snippet"` annotation is disabled by default and has to be explicitly enabled, see [allow-snippet-annotations](./configmap.md#allow-snippet-annotations). Enabling it can be dangerous in multi-tenant clusters, as it can lead to people with otherwise limited permissions being able to retrieve all secrets on the cluster. See CVE-2021-25742 and the [related issue on github](https://github.com/kubernetes/ingress-nginx/issues/7837) for more information.
Be aware this can be dangerous in multi-tenant clusters, as it can lead to people with otherwise limited permissions being able to retrieve all secrets on the cluster. The recommended mitigation for this threat is to disable this feature, so it may not work for you. See CVE-2021-25742 and the [related issue on github](https://github.com/kubernetes/ingress-nginx/issues/7837) for more information.
### Custom HTTP Errors
@ -331,17 +329,6 @@ Example usage:
nginx.ingress.kubernetes.io/custom-http-errors: "404,415"
```
## Disable Proxy intercept Errors
Like the [`disable-proxy-intercept-errors`](./configmap.md#disable-proxy-intercept-errors) value in the ConfigMap, this annotation allows to disable NGINX `proxy-intercept-errors` when `custom-http-errors` are set, but only for the NGINX location associated with this ingress. If a [default backend annotation](#default-backend) is specified on the ingress, the errors will be routed to that annotation's default backend service (instead of the global default backend).
Different ingresses can specify different sets of errors codes and there are UseCases where NGINX shall not intercept all errors returned from upstream.
If `disable-proxy-intercept-errors` is also specified globally, the annotation will override the global value for the given ingress' hostname and path.
Example usage:
```
nginx.ingress.kubernetes.io/disable-proxy-intercept-errors: "false"
```
### Default Backend
This annotation is of the form `nginx.ingress.kubernetes.io/default-backend: <svc name>` to specify a custom default backend. This `<svc name>` is a reference to a service inside of the same namespace in which you are applying this annotation. This annotation overrides the global default backend. In case the service has [multiple ports](https://kubernetes.io/docs/concepts/services-networking/service/#multi-port-services), the first one is the one which will receive the backend traffic.
@ -441,9 +428,6 @@ metadata:
}
```
!!! attention
Since version 1.9.0, `"server-snippet"` annotation is disabled by default and has to be explicitly enabled, see [allow-snippet-annotations](./configmap.md#allow-snippet-annotations). Enabling it can be dangerous in multi-tenant clusters, as it can lead to people with otherwise limited permissions being able to retrieve all secrets on the cluster. See CVE-2021-25742 and the [related issue on github](https://github.com/kubernetes/ingress-nginx/issues/7837) for more information.
!!! attention
This annotation can be used only once per host.
@ -521,15 +505,12 @@ nginx.ingress.kubernetes.io/auth-snippet: |
```
> Note: `nginx.ingress.kubernetes.io/auth-snippet` is an optional annotation. However, it may only be used in conjunction with `nginx.ingress.kubernetes.io/auth-url` and will be ignored if `nginx.ingress.kubernetes.io/auth-url` is not set
!!! attention
Since version 1.9.0, `"auth-snippet"` annotation is disabled by default and has to be explicitly enabled, see [allow-snippet-annotations](./configmap.md#allow-snippet-annotations). Enabling it can be dangerous in multi-tenant clusters, as it can lead to people with otherwise limited permissions being able to retrieve all secrets on the cluster. See CVE-2021-25742 and the [related issue on github](https://github.com/kubernetes/ingress-nginx/issues/7837) for more information.
!!! example
Please check the [external-auth](../../examples/auth/external-auth/README.md) example.
#### Global External Authentication
By default the controller redirects all requests to an existing service that provides authentication if `global-auth-url` is set in the NGINX ConfigMap. If you want to disable this behavior for a specific ingress, you can use the annotation `nginx.ingress.kubernetes.io/enable-global-auth: "false"`.
By default the controller redirects all requests to an existing service that provides authentication if `global-auth-url` is set in the NGINX ConfigMap. If you want to disable this behavior for that ingress, you can use `enable-global-auth: "false"` in the NGINX ConfigMap.
`nginx.ingress.kubernetes.io/enable-global-auth`:
indicates if GlobalExternalAuth configuration should be applied or not to this Ingress rule. Default values is set to `"true"`.
@ -914,9 +895,6 @@ nginx.ingress.kubernetes.io/modsecurity-snippet: |
Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
```
!!! attention
Since version 1.9.0, `"modsecurity-snippet"` annotation is disabled by default and has to be explicitly enabled, see [allow-snippet-annotations](./configmap.md#allow-snippet-annotations). Enabling it can be dangerous in multi-tenant clusters, as it can lead to people with otherwise limited permissions being able to retrieve all secrets on the cluster. See CVE-2021-25742 and the [related issue on github](https://github.com/kubernetes/ingress-nginx/issues/7837) for more information.
### Backend Protocol
Using `backend-protocol` annotations is possible to indicate how NGINX should communicate with the backend service. (Replaces `secure-backends` in older versions)
@ -1006,6 +984,3 @@ metadata:
proxy_pass 127.0.0.1:80;
}
```
!!! attention
Since version 1.9.0, `"stream-snippet"` annotation is disabled by default and has to be explicitly enabled, see [allow-snippet-annotations](./configmap.md#allow-snippet-annotations). Enabling it can be dangerous in multi-tenant clusters, as it can lead to people with otherwise limited permissions being able to retrieve all secrets on the cluster. See CVE-2021-25742 and the [related issue on github](https://github.com/kubernetes/ingress-nginx/issues/7837) for more information.

26
docs/user-guide/nginx-configuration/configmap.md
View file

@ -39,7 +39,6 @@ The following table shows a configuration option's name, type, and the default v
|[http-access-log-path](#http-access-log-path)|string|""||
|[stream-access-log-path](#stream-access-log-path)|string|""||
|[enable-access-log-for-default-backend](#enable-access-log-for-default-backend)|bool|"false"||
|[enable-auth-access-log](#enable-auth-access-log)|bool|"false"||
|[error-log-path](#error-log-path)|string|"/var/log/nginx/error.log"||
|[enable-modsecurity](#enable-modsecurity)|bool|"false"||
|[modsecurity-snippet](#modsecurity-snippet)|string|""||
@ -164,7 +163,7 @@ The following table shows a configuration option's name, type, and the default v
|[enable-opentelemetry](#enable-opentelemetry)|bool|"false"||
|[opentelemetry-trust-incoming-span](#opentelemetry-trust-incoming-span)|bool|"true"||
|[opentelemetry-operation-name](#opentelemetry-operation-name)|string|""||
|[opentelemetry-config](#/etc/ingress-controller/telemetry/opentelemetry.toml)|string|"/etc/ingress-controller/telemetry/opentelemetry.toml"||
|[opentelemetry-config](#/etc/nginx/opentelemetry.toml)|string|"/etc/nginx/opentelemetry.toml"||
|[otlp-collector-host](#otlp-collector-host)|string|""||
|[otlp-collector-port](#otlp-collector-port)|int|4317||
|[otel-max-queuesize](#otel-max-queuesize)|int|||
@ -180,7 +179,6 @@ The following table shows a configuration option's name, type, and the default v
|[stream-snippet](#stream-snippet)|string|""||
|[location-snippet](#location-snippet)|string|""||
|[custom-http-errors](#custom-http-errors)|[]int|[]int{}||
|[disable-proxy-intercept-errors](#disable-proxy-intercept-errors)|bool|"false"|
|[proxy-body-size](#proxy-body-size)|string|"1m"||
|[proxy-connect-timeout](#proxy-connect-timeout)|int|5||
|[proxy-read-timeout](#proxy-read-timeout)|int|60||
@ -219,7 +217,6 @@ The following table shows a configuration option's name, type, and the default v
|[global-auth-snippet](#global-auth-snippet)|string|""||
|[global-auth-cache-key](#global-auth-cache-key)|string|""||
|[global-auth-cache-duration](#global-auth-cache-duration)|string|"200 202 401 5m"||
|[global-auth-always-set-cookie](#global-auth-always-set-cookie)|bool|"false"||
|[no-auth-locations](#no-auth-locations)|string|"/.well-known/acme-challenge"||
|[block-cidrs](#block-cidrs)|[]string|""||
|[block-user-agents](#block-user-agents)|[]string|""||
@ -266,7 +263,7 @@ Enables Ingress to parse and add *-snippet annotations/directives created by the
Warning: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this
may allow a user to add restricted configurations to the final nginx.conf file
**This option is defaulted to false since v1.9.0**
**This option will be defaulted to false in the next major release**
## annotations-risk-level
@ -329,10 +326,6 @@ __Note:__ If not specified, the `access-log-path` will be used.
Enables logging access to default backend. _**default:**_ is disabled.
## enable-auth-access-log
Enables logging access to the authentication endpoint. _**default:**_ is disabled.
## error-log-path
Error log path. Goes to `/var/log/nginx/error.log` by default.
@ -727,9 +720,6 @@ Enables or disables compression of HTTP responses using the ["gzip" module](http
## use-geoip
!!! attention
GeoIP is deprecated and removed on v1.10. Users willing to use GeoIP should use GeoIP2
Enables or disables ["geoip" module](https://nginx.org/en/docs/http/ngx_http_geoip_module.html) that creates variables with values depending on the client IP address, using the precompiled MaxMind databases.
_**default:**_ true
@ -1130,18 +1120,10 @@ You can not use this to add new locations that proxy to the Kubernetes pods, as
Enables which HTTP codes should be passed for processing with the [error_page directive](https://nginx.org/en/docs/http/ngx_http_core_module.html#error_page)
Setting at least one code also enables [proxy_intercept_errors](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors) if not disabled with [disable-proxy-intercept-errors](#disable-proxy-intercept-errors).
Setting at least one code also enables [proxy_intercept_errors](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors) which are required to process error_page.
Example usage: `custom-http-errors: 404,415`
## disable-proxy-intercept-errors
Allows to disable [proxy-intercept-errors](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors).
Disabling [proxy_intercept_errors](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors) allows to pass upstream errors to client even if [custom-http-errors](#custom-http-errors) are set.
Example usage: `disable-proxy-intercept-errors: "true"`
## proxy-body-size
Sets the maximum allowed size of the client request body.
@ -1299,7 +1281,7 @@ _**default:**_ "/.well-known/acme-challenge"
A url to an existing service that provides authentication for all the locations.
Similar to the Ingress rule annotation `nginx.ingress.kubernetes.io/auth-url`.
Locations that should not get authenticated can be listed using `no-auth-locations` See [no-auth-locations](#no-auth-locations). In addition, each service can be excluded from authentication via annotation `nginx.ingress.kubernetes.io/enable-global-auth` set to "false".
Locations that should not get authenticated can be listed using `no-auth-locations` See [no-auth-locations](#no-auth-locations). In addition, each service can be excluded from authentication via annotation `enable-global-auth` set to "false".
_**default:**_ ""
_References:_ [https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#external-authentication](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#external-authentication)

4
docs/user-guide/third-party-addons/opentelemetry.md
View file

@ -165,7 +165,7 @@ To install the example and collectors run:
kind: ConfigMap
data:
enable-opentelemetry: "true"
opentelemetry-config: "/etc/ingress-controller/telemetry/opentelemetry.toml"
opentelemetry-config: "/etc/nginx/opentelemetry.toml"
opentelemetry-operation-name: "HTTP $request_method $service_name $uri"
opentelemetry-trust-incoming-span: "true"
otlp-collector-host: "otel-coll-collector.otel.svc"
@ -282,7 +282,7 @@ for common annotations and configurations:
| Legacy | OpenTelemetry |
|--------------------------------------------------|--------------------------------------------------|
| `nginx.ingress.kubernetes.io/enable-opentracing` | `nginx.ingress.kubernetes.io/enable-opentelemetry` |
| `opentracing-trust-incoming-span` | `opentelemetry-trust-incoming-span` |
| `opentracing-trust-incoming-span` | `opentracing-trust-incoming-span` |
### Configs

3
docs/user-guide/tls.md
View file

@ -127,9 +127,6 @@ ingress-nginx defaults to using TLS 1.2 and 1.3 only, with a [secure set of TLS
### Legacy TLS
!!! warning
TLSv1, TLSv1.1 are not supported in ingress-nginx v1.6.0 and above.
The default configuration, though secure, does not support some older browsers and operating systems.
For instance, TLS 1.1+ is only enabled by default from Android 5.0 on. At the time of writing,