diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 099d7e2a0..d660265dc 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -46,12 +46,12 @@ jobs: uses: actions/checkout@v2 - name: Run Gosec Security Scanner - uses: securego/gosec@master + uses: securego/gosec@b99b5f7838e43a4104354ad92a6a1774302ee1f9 with: # G601 for zz_generated.deepcopy.go # G306 TODO: Expect WriteFile permissions to be 0600 or less # G307 TODO: Deferring unsafe method "Close" - args: -exclude=G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/ -exclude-dir=docs/ ./... + args: -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/ -exclude-dir=docs/ ./... build: name: Build @@ -65,11 +65,11 @@ jobs: - name: Checkout uses: actions/checkout@v2 - - name: Set up Go 1.16 + - name: Set up Go 1.17 id: go uses: actions/setup-go@v2 with: - go-version: 1.16 + go-version: 1.17 - name: Set up Docker Buildx id: buildx diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index 7c54282de..b4aa5a5ff 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -4,7 +4,7 @@ on: push: branches: - main - - dev-v1 + - legacy jobs: diff --git a/Changelog.md b/Changelog.md index c92a69301..bb4c90684 100644 --- a/Changelog.md +++ b/Changelog.md 
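Review bot: In the Gosec step of `.github/workflows/ci.yaml`, G109 is added to `-exclude=` without an entry in the comment block above `args:`, which explains only G601, G306 and G307. G109 is gosec's check for integer overflow when a `strconv.Atoi` result is converted to a narrower integer type, so excluding it repo-wide also hides any future occurrence. Add a line such as `# G109 TODO: range-check strconv.Atoi results before converting to int16/int32`, and prefer a `// #nosec G109` annotation at the known call sites over a global exclude. The scanner is now pinned to a commit SHA, but `actions/checkout@v2` in the same job is still a mutable tag and could be pinned the same way.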
@@ -1,5 +1,33 @@ # Changelog +### 0.51.0 + +**Image:** + +- k8s.gcr.io/ingress-nginx/controller:v0.51.0@sha256:df2f0bcddb9295986f019231956fb0e78788032420b15ef99d48fcf9305e8a04 + +This release upgrades Alpine to 3.14.4 and nginx to 1.19.10 + +Patches [OpenSSL CVE-2022-0778](https://github.com/kubernetes/ingress-nginx/issues/8339) + +Patches [Libxml2 CVE-2022-23308](https://github.com/kubernetes/ingress-nginx/issues/8321) + +### 0.50.0 + +**Image:** + +- `k8s.gcr.io/ingress-nginx/controller:v0.50.0@sha256:f46fc2d161c97a9d950635acb86fb3f8d4adcfb03ee241ea89c6cde16aa3fdf8` + +This release makes the annotation `annotation-value-word-blocklist` backwards compatible by being an empty list instead of prescribed defaults. +Effectively reverting [7874](https://github.com/kubernetes/ingress-nginx/pull/7874) but keeping the functionality of `annotation-value-word-blocklist` + +See Issue [7939](https://github.com/kubernetes/ingress-nginx/pull/7939) for more discussion + +Admins should still consider putting a reasonable block list in place, more information on why can be found [here](https://github.com/kubernetes/ingress-nginx/issues/7837) and how in our documentation [here](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#annotation-value-word-blocklist) + +_Changes:_ +- [7963](https://github.com/kubernetes/ingress-nginx/pull/7963) Change sanitization message from error to warning (#7963) +- [7942](https://github.com/kubernetes/ingress-nginx/pull/7942) update default block list,docs, tests (#7942) ### 0.49.0 diff --git a/Makefile b/Makefile index edd16e4cc..cf95495b9 100644 --- a/Makefile +++ b/Makefile 
@@ -51,7 +51,7 @@ endif REGISTRY ?= gcr.io/k8s-staging-ingress-nginx -BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17 +BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:5402d35663917ccbbf77ff48a22b8c6f77097f48@sha256:ec8a104df307f5c6d68157b7ac8e5e1e2c2f0ea07ddf25bb1c6c43c67e351180 GOARCH=$(ARCH) diff --git a/README.md b/README.md index 5d8efeccb..efc09e832 100644 --- a/README.md +++ b/README.md @@ -29,13 +29,16 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi ### Support Versions table | Ingress-nginx version | k8s supported version | Alpine Version | Nginx Version | -|-----------------------|------------- |----------------|---------------| -| v1.0.0-alpha.2 | 1.22, 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 | -| v1.0.0-alpha.1 | 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 | -| v0.49.0 | 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 | -| v0.48.1 | 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 | -| v0.47.0 | 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 | -| v0.46.0 | 1.21, 1.20, 1.19 | 3.13.2 | 1.19.6 | +|-----------------------|------------------------|----------------|---------------| +| v1.0.0-alpha.2 | 1.22, 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 | +| v1.0.0-alpha.1 | 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 | +| v0.51.0 | 1.21, 1.20, 1.19 | 3.14.4 | 1.19.10† | +| v0.50.0 | 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | +| v0.49.3 | 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | +| v0.49.0 | 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 | +| v0.48.1 | 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 | +| v0.47.0 | 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 | +| v0.46.0 | 1.21, 1.20, 1.19 | 3.13.2 | 1.19.6 | ## Get Involved diff --git a/TAG b/TAG index 9dc0e188e..5c63c289a 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -v0.49.0 +v0.51.0 diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index 01211c796..debbe9752 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh 
@@ -37,7 +37,7 @@ function cleanup { } trap cleanup EXIT -E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210810-g820a21a74@sha256:7d7393a8c6c72d76145282df53ea0679a5b769211fd1cd6b8910b6dda1bd986d} +E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210822-g5e5faa24d@sha256:55c568d9e35e15d94b3ab41fe549b8ee4cd910cc3e031ddcccd06256755c5d89} DOCKER_OPTS=${DOCKER_OPTS:-} DOCKER_IN_DOCKER_ENABLED=${DOCKER_IN_DOCKER_ENABLED:-} diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md index 36526e082..207b74988 100644 --- a/charts/ingress-nginx/CHANGELOG.md +++ b/charts/ingress-nginx/CHANGELOG.md @@ -2,6 +2,18 @@ This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +### 3.40.0 +- [7973](https://github.com/kubernetes/ingress-nginx/pull/7973) update controller version to v0.50.0 +- [7963](https://github.com/kubernetes/ingress-nginx/pull/7963) Change sanitization message from error to warning (#7963) +- [7942](https://github.com/kubernetes/ingress-nginx/pull/7942) update default block list,docs, tests (#7942) + +### 3.39.0 +- [7742] https://github.com/kubernetes/ingress-nginx/pull/7742 Release v0.49.3 with bugfixes + +### 3.37.0 +- [7666] https://github.com/kubernetes/ingress-nginx/pull/7666 Add option to disable snippet annotations +- [7671] https://github.com/kubernetes/ingress-nginx/pull/7671 Downgrade NGINX image to v1.19.9 + ### 3.34.0 - [7256] https://github.com/kubernetes/ingress-nginx/pull/7256 Add namespace field in the namespace scoped resource templates diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 996160607..baa31face 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml 
@@ -1,9 +1,9 @@ apiVersion: v2 name: ingress-nginx -# When the version is modified, make sure the artifacthub.io/changes list is updated +# When the version is modified, please make sure the artifacthub.io/changes list is updated # Also update CHANGELOG.md -version: 3.36.0 -appVersion: 0.49.0 +version: 3.41.0 +appVersion: 0.51.0 home: https://github.com/kubernetes/ingress-nginx description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png @@ -14,12 +14,16 @@ sources: - https://github.com/kubernetes/ingress-nginx type: application maintainers: - - name: ChiefAlexander + - name: rikatz + - name: strongjz + - name: tao12345666333 engine: gotpl kubeVersion: ">=1.16.0-0" annotations: # List of changes for the release in artifacthub.io # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog artifacthub.io/changes: | - - Migrate the webhook-certgen program inside ingress repo. - - Fix forwarding of auth-response-headers to gRPC backends + - "#8307 Nginx v1.19.10" + - "#8386 Alpine 3.14.4" + - "#8339 Patch OpenSSL CVE-2022-0778" + - "#8321 Vulnerability CVE-2022-23308 for libxml2" diff --git a/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml b/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml index e12b53421..076e32414 100644 --- a/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml +++ b/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml @@ -1,5 +1,6 @@ controller: kind: DaemonSet + allowSnippetAnnotations: false admissionWebhooks: enabled: false service: diff --git a/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml b/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml new file mode 100644 index 000000000..dca3f35f8 --- /dev/null +++ b/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml 
@@ -0,0 +1,14 @@ +controller: + autoscaling: + enabled: true + behavior: + scaleDown: + stabilizationWindowSeconds: 300 + policies: + - type: Pods + value: 1 + periodSeconds: 180 + admissionWebhooks: + enabled: false + service: + type: ClusterIP diff --git a/charts/ingress-nginx/ci/deployment-customconfig-values.yaml b/charts/ingress-nginx/ci/deployment-customconfig-values.yaml index f232531ac..e1f022e38 100644 --- a/charts/ingress-nginx/ci/deployment-customconfig-values.yaml +++ b/charts/ingress-nginx/ci/deployment-customconfig-values.yaml @@ -1,6 +1,7 @@ controller: config: use-proxy-protocol: "true" + allowSnippetAnnotations: false admissionWebhooks: enabled: false service: diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml index 630545140..697389207 100644 --- a/charts/ingress-nginx/templates/controller-configmap.yaml +++ b/charts/ingress-nginx/templates/controller-configmap.yaml @@ -10,6 +10,7 @@ metadata: name: {{ include "ingress-nginx.controller.fullname" . }} namespace: {{ .Release.Namespace }} data: + allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}" {{- if .Values.controller.addHeaders }} add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers {{- end }} diff --git a/charts/ingress-nginx/templates/controller-hpa.yaml b/charts/ingress-nginx/templates/controller-hpa.yaml index fb14bdf6a..876315f33 100644 --- a/charts/ingress-nginx/templates/controller-hpa.yaml +++ b/charts/ingress-nginx/templates/controller-hpa.yaml @@ -22,9 +22,9 @@ spec: maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} metrics: {{- with .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory + - type: Resource + resource: + name: memory target: type: Utilization averageUtilization: {{ . }} 
@@ -38,7 +38,11 @@ spec: averageUtilization: {{ . }} {{- end }} {{- with .Values.controller.autoscalingTemplate }} -{{- toYaml . | nindent 2 }} + {{- toYaml . | nindent 2 }} + {{- end }} + {{- with .Values.controller.autoscaling.behavior }} + behavior: + {{- toYaml . | nindent 4 }} {{- end }} {{- end }} {{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 54ee795e6..fb9085afe 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -15,8 +15,8 @@ controller: # for backwards compatibility consider setting the full image url via the repository value below # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail # repository: - tag: "v0.49.0" - digest: sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef + tag: "v0.50.0" + digest: sha256:f46fc2d161c97a9d950635acb86fb3f8d4adcfb03ee241ea89c6cde16aa3fdf8 pullPolicy: IfNotPresent # www-data -> uid 101 runAsUser: 101 @@ -61,6 +61,12 @@ controller: # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply reportNodeInternalIp: false + # This configuration defines if Ingress Controller should allow users to set + # their own *-snippet annotations, otherwise this is forbidden / dropped + # when users add those annotations. + # Global snippets in ConfigMap are still respected + allowSnippetAnnotations: true + # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 # is merged 
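Review bot: In `controller-hpa.yaml`, the added `behavior:` block is rendered whenever `controller.autoscaling.behavior` is non-empty, but nothing in the template or in the `values.yaml` default says which clusters accept it. The HorizontalPodAutoscaler `behavior` field is only served by autoscaling/v2beta2 from Kubernetes 1.18, while `Chart.yaml` still declares `kubeVersion: ">=1.16.0-0"`. The template's `apiVersion` line is outside the hunk, so confirm it is v2beta2. I would add a comment above `behavior: {}` in values.yaml, for example `# Requires Kubernetes >= 1.18 (autoscaling/v2beta2); leave empty on older clusters`.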
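Review bot: In `values.yaml`, `controller.image.tag` is set to `v0.50.0` with digest `sha256:f46fc2d1…`, although `Chart.yaml` in this same commit sets `appVersion: 0.51.0` and lists the OpenSSL CVE-2022-0778 and libxml2 CVE-2022-23308 patches under `artifacthub.io/changes`. The Changelog entry gives the 0.51.0 image as `v0.51.0@sha256:df2f0bcddb92…`, so chart 3.41.0 as written appears to install the 0.50.0 image without those patches. The two lines should read `tag: "v0.51.0"` and `digest: sha256:df2f0bcddb9295986f019231956fb0e78788032420b15ef99d48fcf9305e8a04`. The regenerated manifests under `deploy/static/provider/` show the same mismatch: their labels say `app.kubernetes.io/version: 0.51.0` while the `image:` line still pins `controller:v0.50.0`.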
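Review bot: The new `allowSnippetAnnotations` value in `values.yaml` defaults to `true`, and its comment describes what the switch does but not when an operator should turn it off. These annotations place text written by the Ingress author into the generated NGINX configuration, so on a cluster where Ingress authors are less trusted than the controller this is a trust-boundary decision rather than a feature toggle. I would extend the comment with `# Set to false on multi-tenant clusters: snippet annotations let anyone who can create an Ingress add raw NGINX configuration`, and point to the `annotation-value-word-blocklist` ConfigMap option that the Changelog recommends. The static manifests in this commit also render `allow-snippet-annotations: 'true'`, so the same consideration applies to users who install from them.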
@@ -335,6 +341,19 @@ controller: maxReplicas: 11 targetCPUUtilizationPercentage: 50 targetMemoryUtilizationPercentage: 50 + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 autoscalingTemplate: [] # Custom or additional autoscaling metrics diff --git a/deploy/static/provider/aws/deploy-tls-termination.yaml b/deploy/static/provider/aws/deploy-tls-termination.yaml index 2d4ad3ab7..d52a1e395 100644 --- a/deploy/static/provider/aws/deploy-tls-termination.yaml +++ b/deploy/static/provider/aws/deploy-tls-termination.yaml @@ -13,10 +13,10 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx @@ -28,20 +28,18 @@ apiVersion: v1 kind: ConfigMap metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller namespace: ingress-nginx data: - http-snippet: | - server{ - listen 2443; - return 308 https://$host$request_uri; - } + allow-snippet-annotations: 'true' + http-snippet: "server {\n listen 2443;\n return 308 https://$host$request_uri;\n\ + }\n" proxy-real-ip-cidr: XXX.XXX.XXX/XX use-forwarded-headers: 'true' --- 
@@ -50,10 +48,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm name: ingress-nginx rules: @@ -119,10 +117,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm name: ingress-nginx roleRef: @@ -139,10 +137,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx @@ -225,10 +223,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx 
@@ -247,10 +245,10 @@ apiVersion: v1 kind: Service metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller-admission @@ -278,10 +276,10 @@ metadata: service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https service.beta.kubernetes.io/aws-load-balancer-type: elb labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller @@ -308,10 +306,10 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller @@ -334,7 +332,7 @@ spec: dnsPolicy: ClusterFirst containers: - name: controller - image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef + image: k8s.gcr.io/ingress-nginx/controller:v0.50.0@sha256:f46fc2d161c97a9d950635acb86fb3f8d4adcfb03ee241ea89c6cde16aa3fdf8 imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -426,10 +424,10 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook name: ingress-nginx-admission @@ -467,10 +465,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook --- @@ -483,10 +481,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook rules: @@ -507,10 +505,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: 
@@ -532,10 +530,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook rules: @@ -557,10 +555,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: @@ -582,10 +580,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: @@ -593,10 +591,10 @@ spec: metadata: name: ingress-nginx-admission-create labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: 
@@ -632,10 +630,10 @@ metadata: helm.sh/hook: post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: @@ -643,10 +641,10 @@ spec: metadata: name: ingress-nginx-admission-patch labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index acd8fd604..efc632d30 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml @@ -13,10 +13,10 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx 
@@ -28,25 +28,26 @@ apiVersion: v1 kind: ConfigMap metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller namespace: ingress-nginx data: + allow-snippet-annotations: 'true' --- # Source: ingress-nginx/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm name: ingress-nginx rules: @@ -112,10 +113,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm name: ingress-nginx roleRef: @@ -132,10 +133,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx 
@@ -218,10 +219,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx @@ -240,10 +241,10 @@ apiVersion: v1 kind: Service metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller-admission @@ -268,10 +269,10 @@ metadata: service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' service.beta.kubernetes.io/aws-load-balancer-type: nlb labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller @@ -298,10 +299,10 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller 
@@ -324,7 +325,7 @@ spec: dnsPolicy: ClusterFirst containers: - name: controller - image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef + image: k8s.gcr.io/ingress-nginx/controller:v0.50.0@sha256:f46fc2d161c97a9d950635acb86fb3f8d4adcfb03ee241ea89c6cde16aa3fdf8 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -413,10 +414,10 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook name: ingress-nginx-admission @@ -454,10 +455,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook --- @@ -470,10 +471,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook rules: 
@@ -494,10 +495,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: @@ -519,10 +520,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook rules: @@ -544,10 +545,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: @@ -569,10 +570,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: 
@@ -580,10 +581,10 @@ spec: metadata: name: ingress-nginx-admission-create labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: @@ -619,10 +620,10 @@ metadata: helm.sh/hook: post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: @@ -630,10 +631,10 @@ spec: metadata: name: ingress-nginx-admission-patch labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index 55c2dc5ae..4e89e7f66 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml @@ -13,10 +13,10 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx 
@@ -28,25 +28,26 @@ apiVersion: v1 kind: ConfigMap metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller namespace: ingress-nginx data: + allow-snippet-annotations: 'true' --- # Source: ingress-nginx/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm name: ingress-nginx rules: @@ -112,10 +113,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm name: ingress-nginx roleRef: @@ -132,10 +133,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx 
@@ -218,10 +219,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx @@ -240,10 +241,10 @@ apiVersion: v1 kind: Service metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller-admission @@ -265,10 +266,10 @@ kind: Service metadata: annotations: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller @@ -294,10 +295,10 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller 
@@ -320,7 +321,7 @@ spec: dnsPolicy: ClusterFirst containers: - name: controller - image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef + image: k8s.gcr.io/ingress-nginx/controller:v0.50.0@sha256:f46fc2d161c97a9d950635acb86fb3f8d4adcfb03ee241ea89c6cde16aa3fdf8 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -408,10 +409,10 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook name: ingress-nginx-admission @@ -449,10 +450,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook --- @@ -465,10 +466,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook rules: 
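Review bot: The controller image in the `@@ -320,7 +321,7 @@` hunk is pinned to `controller:v0.50.0@sha256:…` while every label this diff touches in the same file is bumped to `app.kubernetes.io/version: 0.51.0`, so applying the static manifest deploys the previous release under a 0.51.0 label. If 0.51.0 is the release that carries the base-image and library patches, clusters installed from this manifest will not receive them, and label-based inventory will report them as patched. The line should read `image: k8s.gcr.io/ingress-nginx/controller:v0.51.0@sha256:<digest published for v0.51.0>`, with the digest taken from the release record rather than retyped. The same tag and digest appear in the image hunks of the cloud, do and exoscale manifests; the container spec continues outside the hunk.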
@@ -489,10 +490,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: @@ -514,10 +515,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook rules: @@ -539,10 +540,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: @@ -564,10 +565,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: 
@@ -575,10 +576,10 @@ spec: metadata: name: ingress-nginx-admission-create labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: @@ -614,10 +615,10 @@ metadata: helm.sh/hook: post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: @@ -625,10 +626,10 @@ spec: metadata: name: ingress-nginx-admission-patch labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index be69bee73..d97ce00ff 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml @@ -13,10 +13,10 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx 
@@ -28,25 +28,26 @@ apiVersion: v1 kind: ConfigMap metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller namespace: ingress-nginx data: + allow-snippet-annotations: 'true' --- # Source: ingress-nginx/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm name: ingress-nginx rules: @@ -112,10 +113,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm name: ingress-nginx roleRef: @@ -132,10 +133,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx 
@@ -218,10 +219,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx @@ -240,10 +241,10 @@ apiVersion: v1 kind: Service metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller-admission @@ -265,10 +266,10 @@ kind: Service metadata: annotations: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller @@ -295,10 +296,10 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller 
@@ -321,7 +322,7 @@ spec: dnsPolicy: ClusterFirst containers: - name: controller - image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef + image: k8s.gcr.io/ingress-nginx/controller:v0.50.0@sha256:f46fc2d161c97a9d950635acb86fb3f8d4adcfb03ee241ea89c6cde16aa3fdf8 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -410,10 +411,10 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook name: ingress-nginx-admission @@ -451,10 +452,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook --- @@ -467,10 +468,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook rules: 
@@ -491,10 +492,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: @@ -516,10 +517,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook rules: @@ -541,10 +542,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: @@ -566,10 +567,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: 
@@ -577,10 +578,10 @@ spec: metadata: name: ingress-nginx-admission-create labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: @@ -616,10 +617,10 @@ metadata: helm.sh/hook: post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: @@ -627,10 +628,10 @@ spec: metadata: name: ingress-nginx-admission-patch labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index 95be9c1e4..038512fe0 100644 --- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml @@ -13,10 +13,10 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx 
@@ -28,15 +28,16 @@ apiVersion: v1 kind: ConfigMap metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller namespace: ingress-nginx data: + allow-snippet-annotations: 'true' use-proxy-protocol: 'true' --- # Source: ingress-nginx/templates/clusterrole.yaml @@ -44,10 +45,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm name: ingress-nginx rules: @@ -113,10 +114,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm name: ingress-nginx roleRef: @@ -133,10 +134,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx 
@@ -219,10 +220,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx @@ -241,10 +242,10 @@ apiVersion: v1 kind: Service metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller-admission @@ -267,10 +268,10 @@ metadata: annotations: service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true' labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller @@ -297,10 +298,10 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller 
@@ -323,7 +324,7 @@ spec: dnsPolicy: ClusterFirst containers: - name: controller - image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef + image: k8s.gcr.io/ingress-nginx/controller:v0.50.0@sha256:f46fc2d161c97a9d950635acb86fb3f8d4adcfb03ee241ea89c6cde16aa3fdf8 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -412,10 +413,10 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook name: ingress-nginx-admission @@ -453,10 +454,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook --- @@ -469,10 +470,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook rules: 
@@ -493,10 +494,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: @@ -518,10 +519,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook rules: @@ -543,10 +544,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: @@ -568,10 +569,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: 
@@ -579,10 +580,10 @@ spec: metadata: name: ingress-nginx-admission-create labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: @@ -618,10 +619,10 @@ metadata: helm.sh/hook: post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: @@ -629,10 +630,10 @@ spec: metadata: name: ingress-nginx-admission-patch labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml index 47b86b9b0..a7634f5b8 100644 --- a/deploy/static/provider/exoscale/deploy.yaml +++ b/deploy/static/provider/exoscale/deploy.yaml @@ -13,10 +13,10 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx 
@@ -28,25 +28,26 @@ apiVersion: v1 kind: ConfigMap metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller namespace: ingress-nginx data: + allow-snippet-annotations: 'true' --- # Source: ingress-nginx/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm name: ingress-nginx rules: @@ -112,10 +113,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm name: ingress-nginx roleRef: @@ -132,10 +133,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx 
@@ -218,10 +219,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx @@ -240,10 +241,10 @@ apiVersion: v1 kind: Service metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller-admission @@ -273,10 +274,10 @@ metadata: service.beta.kubernetes.io/exoscale-loadbalancer-service-healthcheck-timeout: 3s service.beta.kubernetes.io/exoscale-loadbalancer-service-strategy: source-hash labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller @@ -303,10 +304,10 @@ apiVersion: apps/v1 kind: DaemonSet metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller 
@@ -329,7 +330,7 @@ spec: dnsPolicy: ClusterFirst containers: - name: controller - image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef + image: k8s.gcr.io/ingress-nginx/controller:v0.50.0@sha256:f46fc2d161c97a9d950635acb86fb3f8d4adcfb03ee241ea89c6cde16aa3fdf8 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -418,10 +419,10 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook name: ingress-nginx-admission @@ -459,10 +460,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook --- @@ -475,10 +476,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook rules: 
@@ -499,10 +500,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: @@ -524,10 +525,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook rules: @@ -549,10 +550,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: @@ -574,10 +575,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: 
@@ -585,10 +586,10 @@ spec: metadata: name: ingress-nginx-admission-create labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: @@ -624,10 +625,10 @@ metadata: helm.sh/hook: post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: @@ -635,10 +636,10 @@ spec: metadata: name: ingress-nginx-admission-patch labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml index c53e2ae1b..d4ef5d9c6 100644 --- a/deploy/static/provider/kind/deploy.yaml +++ b/deploy/static/provider/kind/deploy.yaml @@ -13,10 +13,10 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx 
@@ -28,25 +28,26 @@ apiVersion: v1 kind: ConfigMap metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller namespace: ingress-nginx data: + allow-snippet-annotations: 'true' --- # Source: ingress-nginx/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm name: ingress-nginx rules: @@ -112,10 +113,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm name: ingress-nginx roleRef: @@ -132,10 +133,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx 
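Review bot: The added `allow-snippet-annotations: 'true'` makes the static manifest opt in to *-snippet annotations explicitly, and nothing in the manifest tells an operator that this is a trust decision. The configmap.md text added in this same commit recommends enabling the option only when users who can create Ingress objects are trusted, and ties the companion `annotation-value-word-blocklist` option to CVE-2021-25742. A comment above the key would carry that warning into the manifest, e.g. `# Set to 'false' where untrusted users can create Ingress objects; see allow-snippet-annotations in the ConfigMap docs.` The same line is added in deploy/static/provider/scw/deploy.yaml; both files appear to be rendered from the chart, so the comment or a safer default would presumably have to be set in the chart template or values.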
@@ -218,10 +219,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx @@ -240,10 +241,10 @@ apiVersion: v1 kind: Service metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller-admission @@ -265,10 +266,10 @@ kind: Service metadata: annotations: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller @@ -294,10 +295,10 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller 
@@ -324,7 +325,7 @@ spec: dnsPolicy: ClusterFirst containers: - name: controller - image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef + image: k8s.gcr.io/ingress-nginx/controller:v0.50.0@sha256:f46fc2d161c97a9d950635acb86fb3f8d4adcfb03ee241ea89c6cde16aa3fdf8 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -420,10 +421,10 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook name: ingress-nginx-admission @@ -461,10 +462,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook --- @@ -477,10 +478,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook rules: 
@@ -501,10 +502,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: @@ -526,10 +527,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook rules: @@ -551,10 +552,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: @@ -576,10 +577,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: 
@@ -587,10 +588,10 @@ spec: metadata: name: ingress-nginx-admission-create labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: @@ -626,10 +627,10 @@ metadata: helm.sh/hook: post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: @@ -637,10 +638,10 @@ spec: metadata: name: ingress-nginx-admission-patch labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml index 2fd0154d5..7ee6c846c 100644 --- a/deploy/static/provider/scw/deploy.yaml +++ b/deploy/static/provider/scw/deploy.yaml @@ -13,10 +13,10 @@ apiVersion: v1 kind: ServiceAccount metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx 
@@ -28,15 +28,16 @@ apiVersion: v1 kind: ConfigMap metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller namespace: ingress-nginx data: + allow-snippet-annotations: 'true' use-proxy-protocol: 'true' --- # Source: ingress-nginx/templates/clusterrole.yaml @@ -44,10 +45,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm name: ingress-nginx rules: @@ -113,10 +114,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm name: ingress-nginx roleRef: @@ -133,10 +134,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx 
@@ -219,10 +220,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx @@ -241,10 +242,10 @@ apiVersion: v1 kind: Service metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller-admission @@ -267,10 +268,10 @@ metadata: annotations: service.beta.kubernetes.io/scw-loadbalancer-proxy-protocol-v2: 'true' labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller @@ -297,10 +298,10 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: controller name: ingress-nginx-controller 
@@ -323,7 +324,7 @@ spec: dnsPolicy: ClusterFirst containers: - name: controller - image: k8s.gcr.io/ingress-nginx/controller:v0.49.0@sha256:e9707504ad0d4c119036b6d41ace4a33596139d3feb9ccb6617813ce48c3eeef + image: k8s.gcr.io/ingress-nginx/controller:v0.50.0@sha256:f46fc2d161c97a9d950635acb86fb3f8d4adcfb03ee241ea89c6cde16aa3fdf8 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -412,10 +413,10 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook name: ingress-nginx-admission @@ -453,10 +454,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook --- @@ -469,10 +470,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook rules: 
@@ -493,10 +494,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: @@ -518,10 +519,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook rules: @@ -543,10 +544,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook roleRef: @@ -568,10 +569,10 @@ metadata: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: 
@@ -579,10 +580,10 @@ spec: metadata: name: ingress-nginx-admission-create labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: @@ -618,10 +619,10 @@ metadata: helm.sh/hook: post-install,post-upgrade helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: @@ -629,10 +630,10 @@ spec: metadata: name: ingress-nginx-admission-patch labels: - helm.sh/chart: ingress-nginx-3.36.0 + helm.sh/chart: ingress-nginx-3.41.0 app.kubernetes.io/name: ingress-nginx app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.49.0 + app.kubernetes.io/version: 0.51.0 app.kubernetes.io/managed-by: Helm app.kubernetes.io/component: admission-webhook spec: diff --git a/docs/deploy/index.md b/docs/deploy/index.md index 33345ade2..3eaa3e902 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md @@ -54,7 +54,7 @@ Kubernetes is available in Docker Desktop - Windows, from [version 18.06.0-ce](https://docs.docker.com/docker-for-windows/release-notes/#docker-community-edition-18060-ce-win70-2018-07-25) ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.51.0/deploy/static/provider/cloud/deploy.yaml ``` #### minikube 
@@ -82,7 +82,7 @@ In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controll ##### Network Load Balancer (NLB) ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/aws/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.51.0/deploy/static/provider/aws/deploy.yaml ``` ##### TLS termination in AWS Load Balancer (ELB) @@ -91,10 +91,10 @@ In some scenarios is required to terminate TLS in the Load Balancer and not in t For this purpose we provide a template: -- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/aws/deploy-tls-termination.yaml) +- Download [deploy-tls-termination.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.51.0/deploy/static/provider/aws/deploy-tls-termination.yaml) ```console -wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/aws/deploy-tls-termination.yaml +wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.51.0/deploy/static/provider/aws/deploy-tls-termination.yaml ``` - Edit the file and change: @@ -140,7 +140,7 @@ More information with regards to timeouts can be found in the [official AWS docu ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.51.0/deploy/static/provider/cloud/deploy.yaml ``` !!! failure Important 
@@ -149,7 +149,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont #### Azure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.51.0/deploy/static/provider/cloud/deploy.yaml ``` More information with regards to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller). @@ -157,13 +157,13 @@ More information with regards to Azure annotations for ingress controller can be #### Digital Ocean ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/do/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.51.0/deploy/static/provider/do/deploy.yaml ``` #### Scaleway ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/scw/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.51.0/deploy/static/provider/scw/deploy.yaml ``` #### Exoscale @@ -187,7 +187,7 @@ A [complete list of available annotations for Oracle Cloud Infrastructure](https Using [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport): ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.49.0/deploy/static/provider/baremetal/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.51.0/deploy/static/provider/baremetal/deploy.yaml ``` !!! tip diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index 850354105..ffcf9a1d8 100755 
--- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -29,6 +29,8 @@ The following table shows a configuration option's name, type, and the default v |:---|:---|:------| |[add-headers](#add-headers)|string|""| |[allow-backend-server-header](#allow-backend-server-header)|bool|"false"| +|[allow-snippet-annotations](#allow-snippet-annotations)|bool|true| +|[annotation-value-word-blocklist](#annotation-value-word-blocklist)|string array|""| |[hide-headers](#hide-headers)|string array|empty| |[access-log-params](#access-log-params)|string|""| |[access-log-path](#access-log-path)|string|"/var/log/nginx/access.log"| 
@@ -209,6 +211,27 @@ Sets custom headers from named configmap before sending traffic to the client. S Enables the return of the header Server from the backend instead of the generic nginx string. _**default:**_ is disabled +## allow-snippet-annotations + +Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `true`; + +Warning: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this +may allow a user to add restricted configurations to the final nginx.conf file + +## annotation-value-word-blocklist + +Contains a comma-separated value of chars/words that are well known of being used to abuse Ingress configuration +and must be blocked. Related to [CVE-2021-25742](https://github.com/kubernetes/ingress-nginx/issues/7837) + +When an annotation is detected with a value that matches one of the blocked bad words, the whole Ingress won't be configured. + +_**default:**_ `""` + +When doing this, the default blocklist is override, which means that the Ingress admin should add all the words +that should be blocked, here is a suggested block list. + +_**suggested:**_ `"load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},',\"` + ## hide-headers Sets additional header that will not be passed from the upstream server to the client response. diff --git a/go.mod b/go.mod index c0e2b350b..44b1717b5 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module k8s.io/ingress-nginx -go 1.16 +go 1.17 require ( github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a 
@@ -46,3 +46,104 @@ require ( sigs.k8s.io/controller-runtime v0.9.5 sigs.k8s.io/mdtoc v1.0.1 ) + +require ( + cloud.google.com/go v0.81.0 // indirect + github.com/Azure/go-autorest v14.2.0+incompatible // indirect + github.com/Azure/go-autorest/autorest v0.11.12 // indirect + github.com/Azure/go-autorest/autorest/adal v0.9.5 // indirect + github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect + github.com/Azure/go-autorest/logger v0.2.0 // indirect + github.com/Azure/go-autorest/tracing v0.6.0 // indirect + github.com/BurntSushi/toml v0.3.1 // indirect + github.com/PuerkitoBio/purell v1.1.1 // indirect + github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect + github.com/ajg/form v1.5.1 // indirect + github.com/andybalholm/brotli v1.0.2 // indirect + github.com/beorn7/perks v1.0.1 // indirect + github.com/blang/semver v3.5.1+incompatible // indirect + github.com/cespare/xxhash/v2 v2.1.1 // indirect + github.com/coreos/go-systemd/v22 v22.3.2 // indirect + github.com/cyphar/filepath-securejoin v0.2.2 // indirect + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/eapache/queue v1.1.0 // indirect + github.com/emicklei/go-restful v2.9.5+incompatible // indirect + github.com/evanphx/json-patch v4.11.0+incompatible // indirect + github.com/fatih/structs v1.0.0 // indirect + github.com/form3tech-oss/jwt-go v3.2.2+incompatible // indirect + github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b // indirect + github.com/go-errors/errors v1.0.1 // indirect + github.com/go-logr/logr v0.4.0 // indirect + github.com/go-openapi/jsonpointer v0.19.3 // indirect + github.com/go-openapi/jsonreference v0.19.3 // indirect + github.com/go-openapi/spec v0.19.5 // indirect + github.com/go-openapi/swag v0.19.5 // indirect + github.com/godbus/dbus/v5 v5.0.4 // indirect + github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect + github.com/golang/protobuf v1.5.2 // indirect + 
github.com/gomarkdown/markdown v0.0.0-20200824053859-8c8b3816f167 // indirect + github.com/google/btree v1.0.0 // indirect + github.com/google/go-cmp v0.5.5 // indirect + github.com/google/go-querystring v1.0.0 // indirect + github.com/google/gofuzz v1.1.0 // indirect + github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect + github.com/google/uuid v1.2.0 // indirect + github.com/googleapis/gnostic v0.5.5 // indirect + github.com/gorilla/websocket v1.4.2 // indirect + github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect + github.com/hashicorp/golang-lru v0.5.4 // indirect + github.com/imkira/go-interpol v1.0.0 // indirect + github.com/inconshreveable/mousetrap v1.0.0 // indirect + github.com/klauspost/compress v1.12.2 // indirect + github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect + github.com/mailru/easyjson v0.7.0 // indirect + github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect + github.com/mmarkdown/mmark v2.0.40+incompatible // indirect + github.com/moby/sys/mountinfo v0.4.1 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.1 // indirect + github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect + github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 // indirect + github.com/nxadm/tail v1.4.8 // indirect + github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 // indirect + github.com/peterbourgon/diskv v2.0.1+incompatible // indirect + github.com/prometheus/procfs v0.6.0 // indirect + github.com/sergi/go-diff v1.1.0 // indirect + github.com/sirupsen/logrus v1.8.1 // indirect + github.com/valyala/bytebufferpool v1.0.0 // indirect + github.com/valyala/fasthttp v1.27.0 // indirect + github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect + github.com/xeipuuv/gojsonreference 
v0.0.0-20180127040603-bd5ef7bd5415 // indirect + github.com/xeipuuv/gojsonschema v1.1.0 // indirect + github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect + github.com/yalp/jsonpath v0.0.0-20180802001716-5cc68e5049a0 // indirect + github.com/yudai/gojsondiff v1.0.0 // indirect + github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect + go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect + go.uber.org/atomic v1.7.0 // indirect + go.uber.org/multierr v1.6.0 // indirect + go.uber.org/zap v1.18.1 // indirect + golang.org/x/mod v0.4.2 // indirect + golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c // indirect + golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c // indirect + golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d // indirect + golang.org/x/text v0.3.6 // indirect + golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect + golang.org/x/tools v0.1.2 // indirect + golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect + google.golang.org/appengine v1.6.7 // indirect + google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect + google.golang.org/protobuf v1.26.0 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect + k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027 // indirect + k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7 // indirect + moul.io/http2curl v1.0.1-0.20190925090545-5cd742060b0e // indirect + sigs.k8s.io/kustomize/api v0.8.8 // indirect + sigs.k8s.io/kustomize/kyaml v0.10.17 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect + sigs.k8s.io/yaml v1.2.0 // indirect +) diff --git a/hack/boilerplate/boilerplate.generated.go.txt b/hack/boilerplate/boilerplate.generated.go.txt new file mode 100644 index 000000000..daba3a171 --- /dev/null 
+++ b/hack/boilerplate/boilerplate.generated.go.txt @@ -0,0 +1,16 @@ +/* +Copyright 2021 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + diff --git a/hack/boilerplate/boilerplate.py b/hack/boilerplate/boilerplate.py index 614c6ef67..01a74d067 100755 --- a/hack/boilerplate/boilerplate.py +++ b/hack/boilerplate/boilerplate.py @@ -193,7 +193,7 @@ def get_regexs(): '(%s)' % "|".join(map(lambda l: str(l), years))) # strip // +build \n\n build constraints regexs["go_build_constraints"] = re.compile( - r"^(// \+build.*\n)+\n", re.MULTILINE) + r"^((// \+build.*\n)|(//go:build.*\n))+\n", re.MULTILINE) # strip #!.* from shell scripts regexs["shebang"] = re.compile(r"^(#!.*\n)\n*", re.MULTILINE) return regexs diff --git a/hack/tools.go b/hack/tools.go index aad9b7438..489a3ccb0 100644 --- a/hack/tools.go +++ b/hack/tools.go @@ -1,3 +1,4 @@ +//go:build tools // +build tools /* diff --git a/hack/update-codegen.sh b/hack/update-codegen.sh index a80a03b3a..9023a3a1a 100755 --- a/hack/update-codegen.sh +++ b/hack/update-codegen.sh @@ -41,4 +41,4 @@ ${CODEGEN_PKG}/generate-groups.sh "deepcopy" \ k8s.io/ingress-nginx/internal k8s.io/ingress-nginx/internal \ .:ingress \ --output-base "$(dirname ${BASH_SOURCE})/../../.." \ - --go-header-file ${SCRIPT_ROOT}/hack/boilerplate/boilerplate.go.txt + --go-header-file ${SCRIPT_ROOT}/hack/boilerplate/boilerplate.generated.go.txt diff --git a/images/echo/Makefile b/images/echo/Makefile index 90a544b24..8fbbdce4d 100644 
--- a/images/echo/Makefile +++ b/images/echo/Makefile @@ -36,7 +36,7 @@ build: ensure-buildx --platform=${PLATFORMS} $(OUTPUT) \ --progress=$(PROGRESS) \ --pull \ - --build-arg BASE_IMAGE=k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17 \ + --build-arg BASE_IMAGE=k8s.gcr.io/ingress-nginx/nginx:5402d35663917ccbbf77ff48a22b8c6f77097f48@sha256:ec8a104df307f5c6d68157b7ac8e5e1e2c2f0ea07ddf25bb1c6c43c67e351180 \ --build-arg LUAROCKS_VERSION=3.3.1 \ --build-arg LUAROCKS_SHA=837481e408f7c06b59befe7ec194537c657687d624894bca7f79034302141a34 \ -t $(IMAGE):$(TAG) rootfs diff --git a/images/nginx/README.md b/images/nginx/README.md index dde0b618a..a100156a9 100644 --- a/images/nginx/README.md +++ b/images/nginx/README.md @@ -18,7 +18,7 @@ This image provides a default configuration file with no backend servers. _Using docker_ ```console -docker run -v /some/nginx.con:/etc/nginx/nginx.conf:ro k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17 +docker run -v /some/nginx.conf:/etc/nginx/nginx.conf:ro k8s.gcr.io/ingress-nginx/nginx:5402d35663917ccbbf77ff48a22b8c6f77097f48@sha256:ec8a104df307f5c6d68157b7ac8e5e1e2c2f0ea07ddf25bb1c6c43c67e351180 ``` _Creating a replication controller_ diff --git a/images/nginx/rc.yaml b/images/nginx/rc.yaml index 98a3df14b..cf9c59d15 100644 --- a/images/nginx/rc.yaml +++ b/images/nginx/rc.yaml @@ -38,7 +38,7 @@ spec: spec: containers: - name: nginx - image: k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17 + image: k8s.gcr.io/ingress-nginx/nginx:5402d35663917ccbbf77ff48a22b8c6f77097f48@sha256:ec8a104df307f5c6d68157b7ac8e5e1e2c2f0ea07ddf25bb1c6c43c67e351180 ports: - containerPort: 80 - containerPort: 443 diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile index e639687f1..85bea7e62 100644 
--- a/images/nginx/rootfs/Dockerfile +++ b/images/nginx/rootfs/Dockerfile @@ -13,7 +13,7 @@ # limitations under the License. -FROM alpine:3.13 as builder +FROM alpine:3.14.2 as builder COPY . / @@ -23,7 +23,7 @@ RUN apk update \ && /build.sh # Use a multi-stage build -FROM alpine:3.13 +FROM alpine:3.14.2 ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index 42add23b5..d0f84db4e 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh @@ -18,7 +18,7 @@ set -o errexit set -o nounset set -o pipefail -export NGINX_VERSION=1.20.1 +export NGINX_VERSION=1.19.9 # Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.1...master export NDK_VERSION=0.3.1 @@ -190,7 +190,7 @@ mkdir --verbose -p "$BUILD_PATH" cd "$BUILD_PATH" # download, verify and extract the source files -get_src e462e11533d5c30baa05df7652160ff5979591d291736cfa5edb9fd2edb48c49 \ +get_src 2e35dff06a9826e8aca940e9e8be46b7e4b12c19a48d55bfc2dc28fc9cc7d841 \ "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" get_src 0e971105e210d272a497567fa2e2c256f4e39b845a5ba80d373e26ba1abfbd85 \ diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile index 57db0c37e..1a13e5161 100644 --- a/images/test-runner/Makefile +++ b/images/test-runner/Makefile @@ -23,7 +23,7 @@ REGISTRY ?= local IMAGE = $(REGISTRY)/e2e-test-runner -NGINX_BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17 +NGINX_BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:5402d35663917ccbbf77ff48a22b8c6f77097f48@sha256:ec8a104df307f5c6d68157b7ac8e5e1e2c2f0ea07ddf25bb1c6c43c67e351180 # required to enable buildx export DOCKER_CLI_EXPERIMENTAL=enabled diff --git a/internal/ingress/annotations/parser/main_test.go b/internal/ingress/annotations/parser/main_test.go index 218565183..dce5d16ad 100644 
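Review bot: Both `FROM alpine:3.14.2` lines pin the base image by tag only, while the other image references touched in this commit (for example `BASE_IMAGE` in images/echo/Makefile) carry an `@sha256:` digest. A tag can be re-pointed at the registry, so neither the builder stage nor the runtime stage is reproducible from this file alone. Consider `FROM alpine:3.14.2@sha256:<digest of the reviewed image> as builder` and the same digest on the second `FROM`.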
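Review bot: `NGINX_VERSION` moves from 1.20.1 back to 1.19.9 with no comment explaining the pin. A reader cannot tell from this file whether fixes released upstream after 1.19.9 are carried some other way, for example by patches applied later in this script, which is outside the hunk. A short comment above the export would make that auditable, e.g. `# Pinned to 1.19.9 on this branch; later upstream security fixes are applied from <patch location>`. The `get_src` checksum is updated together with the version, so the download stays verified.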
--- a/internal/ingress/annotations/parser/main_test.go +++ b/internal/ingress/annotations/parser/main_test.go @@ -116,6 +116,12 @@ rewrite (?i)/arcgis/services/Utilities/Geometry/GeometryServer(.*)$ /arcgis/serv } continue } + if !test.expErr { + if err != nil { + t.Errorf("%v: didn't expected error but error was returned: %v", test.name, err) + } + continue + } if s != test.exp { t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.name, test.exp, s) } diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index b96e26772..0e53a1443 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -93,6 +93,15 @@ const ( type Configuration struct { defaults.Backend `json:",squash"` + // AllowSnippetAnnotations enable users to add their own snippets via ingress annotation. + // If disabled, only snippets added via ConfigMap are added to ingress. + AllowSnippetAnnotations bool `json:"allow-snippet-annotations"` + + // AnnotationValueWordBlocklist defines words that should not be part of an user annotation value + // (can be used to run arbitrary code or configs, for example) and that should be dropped. + // This list should be separated by "," character + AnnotationValueWordBlocklist string `json:"annotation-value-word-blocklist"` + // Sets the name of the configmap that contains the headers to pass to the client AddHeaders string `json:"add-headers,omitempty"` @@ -749,7 +758,6 @@ func NewDefault() Configuration { defNginxStatusIpv4Whitelist := make([]string, 0) defNginxStatusIpv6Whitelist := make([]string, 0) defResponseHeaders := make([]string, 0) - defIPCIDR = append(defIPCIDR, "0.0.0.0/0") defNginxStatusIpv4Whitelist = append(defNginxStatusIpv4Whitelist, "127.0.0.1") defNginxStatusIpv6Whitelist = append(defNginxStatusIpv6Whitelist, "::1") 
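Review bot: With the added `continue`, the `if s != test.exp` comparison below the new block appears to be unreachable. The context just above already ends in `continue` (presumably the `test.expErr` branch, which starts outside the hunk), and the new `!test.expErr` branch now continues as well. That would leave the returned value unchecked for every non-error case. Continuing only when an error was actually returned keeps the new check and lets the value assertion run: `if !test.expErr && err != nil { t.Errorf("%v: didn't expect error but error was returned: %v", test.name, err); continue }`.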
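Review bot: The comment on `AnnotationValueWordBlocklist` says matching words "should be dropped", but the enforcement added in this commit drops nothing from the value: `CheckIngress` returns an error and `syncIngress` skips the whole Ingress with a warning. The comment should describe that, and also say that matching is a plain substring test and that an empty string disables the check. For example: `// Ingresses whose annotation values contain any of these comma-separated substrings are rejected at admission and skipped at sync; empty disables the check.` The `AllowSnippetAnnotations` comment could also state that `NewDefault` sets it to `true`.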
@@ -757,7 +765,10 @@ func NewDefault() Configuration { defGlobalExternalAuth := GlobalExternalAuth{"", "", "", "", "", append(defResponseHeaders, ""), "", "", "", []string{}, map[string]string{}} cfg := Configuration{ + + AllowSnippetAnnotations: true, AllowBackendServerHeader: false, + AnnotationValueWordBlocklist: "", AccessLogPath: "/var/log/nginx/access.log", AccessLogParams: "", EnableAccessLogForDefaultBackend: false, diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index ab0d9ab6d..3d60f292c 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go 
@@ -235,27 +235,43 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { return fmt.Errorf("This deployment is trying to create a catch-all ingress while DisableCatchAll flag is set to true. Remove '.spec.backend' or set DisableCatchAll flag to false.") } - if parser.AnnotationsPrefix != parser.DefaultAnnotationsPrefix { - for key := range ing.ObjectMeta.GetAnnotations() { + cfg := n.store.GetBackendConfiguration() + cfg.Resolver = n.resolver + + var arrayBadWords []string + + if cfg.AnnotationValueWordBlocklist != "" { + arrayBadWords = strings.Split(strings.TrimSpace(cfg.AnnotationValueWordBlocklist), ",") + } + + for key, value := range ing.ObjectMeta.GetAnnotations() { + + if parser.AnnotationsPrefix != parser.DefaultAnnotationsPrefix { if strings.HasPrefix(key, fmt.Sprintf("%s/", parser.DefaultAnnotationsPrefix)) { return fmt.Errorf("This deployment has a custom annotation prefix defined. Use '%s' instead of '%s'", parser.AnnotationsPrefix, parser.DefaultAnnotationsPrefix) } } + + if strings.HasPrefix(key, fmt.Sprintf("%s/", parser.AnnotationsPrefix)) && len(arrayBadWords) != 0 { + for _, forbiddenvalue := range arrayBadWords { + if strings.Contains(value, strings.TrimSpace(forbiddenvalue)) { + return fmt.Errorf("%s annotation contains invalid word %s", key, forbiddenvalue) + } + } + } + + if !cfg.AllowSnippetAnnotations && strings.HasSuffix(key, "-snippet") { + return fmt.Errorf("%s annotation cannot be used. 
Snippet directives are disabled by the Ingress administrator", key) + } + + if len(cfg.GlobalRateLimitMemcachedHost) == 0 && strings.HasPrefix(key, fmt.Sprintf("%s/%s", parser.AnnotationsPrefix, "global-rate-limit")) { + return fmt.Errorf("'global-rate-limit*' annotations require 'global-rate-limit-memcached-host' settings configured in the global configmap") + } + } k8s.SetDefaultNGINXPathType(ing) - cfg := n.store.GetBackendConfiguration() - cfg.Resolver = n.resolver - - if len(cfg.GlobalRateLimitMemcachedHost) == 0 { - for key := range ing.ObjectMeta.GetAnnotations() { - if strings.HasPrefix(key, fmt.Sprintf("%s/%s", parser.AnnotationsPrefix, "global-rate-limit")) { - return fmt.Errorf("'global-rate-limit*' annotations require 'global-rate-limit-memcached-host' settings configured in the global configmap") - } - } - } - allIngresses := n.store.ListIngresses() filter := func(toCheck *ingress.Ingress) bool { 
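Review bot: An empty entry in the blocklist makes the added word loop reject every annotation under the controller prefix, because `strings.Contains(value, "")` is always true. A configured value such as `a,b,` or `a,,b` splits into an entry that trims to the empty string. The error message also prints the untrimmed entry rather than the word that was matched. Trimming once and skipping blanks fixes both: `word := strings.TrimSpace(forbiddenvalue)`, `if word == "" { continue }`, then use `word` in the `Contains` call and in `fmt.Errorf`. `CheckIngress` starts before and continues after this hunk.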
@@ -508,6 +524,30 @@ func (n *NGINXController) getConfiguration(ingresses []*ingress.Ingress) (sets.S } } +func dropSnippetDirectives(anns *annotations.Ingress, ingKey string) { + if anns != nil { + if anns.ConfigurationSnippet != "" { + klog.V(3).Infof("Ingress %q tried to use configuration-snippet and the annotation is disabled by the admin. Removing the annotation", ingKey) + anns.ConfigurationSnippet = "" + } + if anns.ServerSnippet != "" { + klog.V(3).Infof("Ingress %q tried to use server-snippet and the annotation is disabled by the admin. Removing the annotation", ingKey) + anns.ServerSnippet = "" + } + + if anns.ModSecurity.Snippet != "" { + klog.V(3).Infof("Ingress %q tried to use modsecurity-snippet and the annotation is disabled by the admin. Removing the annotation", ingKey) + anns.ModSecurity.Snippet = "" + } + + if anns.ExternalAuth.AuthSnippet != "" { + klog.V(3).Infof("Ingress %q tried to use auth-snippet and the annotation is disabled by the admin. Removing the annotation", ingKey) + anns.ExternalAuth.AuthSnippet = "" + } + + } +} + // getBackendServers returns a list of Upstream and Server to be used by the // backend. An upstream can be used in multiple servers if the namespace, // service name and port are the same. @@ -522,6 +562,10 @@ func (n *NGINXController) getBackendServers(ingresses []*ingress.Ingress) ([]*in ingKey := k8s.MetaNamespaceKey(ing) anns := ing.ParsedAnnotations + if !n.store.GetBackendConfiguration().AllowSnippetAnnotations { + dropSnippetDirectives(anns, ingKey) + } + for _, rule := range ing.Spec.Rules { host := rule.Host if host == "" { @@ -789,6 +833,11 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B for _, ing := range data { anns := ing.ParsedAnnotations + ingKey := k8s.MetaNamespaceKey(ing) + + if !n.store.GetBackendConfiguration().AllowSnippetAnnotations { + dropSnippetDirectives(anns, ingKey) + } var defBackend string if ing.Spec.Backend != nil { 
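Review bot: `dropSnippetDirectives` has no doc comment, and two properties a maintainer needs are not obvious from its call sites. It clears the fields in place on the `*annotations.Ingress` it receives, and it covers only the four snippet fields listed here, so a snippet annotation added later stays effective until the list is extended. I would add `// dropSnippetDirectives clears, in place, every snippet field of anns (configuration, server, modsecurity and auth snippets).` followed by `// Extend it whenever a new snippet annotation is introduced.` The removals are logged at `klog.V(3)`, so an operator running at a lower verbosity would not see that an Ingress had a snippet stripped; a warning-level message would be easier to audit. The same guard is repeated in the `getBackendServers`, `createUpstreams` and `createServers` hunks, each calling `n.store.GetBackendConfiguration()` once per Ingress inside the loop.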
@@ -1069,6 +1118,10 @@ func (n *NGINXController) createServers(data []*ingress.Ingress, ingKey := k8s.MetaNamespaceKey(ing) anns := ing.ParsedAnnotations + if !n.store.GetBackendConfiguration().AllowSnippetAnnotations { + dropSnippetDirectives(anns, ingKey) + } + // default upstream name un := du.Name @@ -1145,6 +1198,10 @@ func (n *NGINXController) createServers(data []*ingress.Ingress, ingKey := k8s.MetaNamespaceKey(ing) anns := ing.ParsedAnnotations + if !n.store.GetBackendConfiguration().AllowSnippetAnnotations { + dropSnippetDirectives(anns, ingKey) + } + if anns.Canary.Enabled { klog.V(2).Infof("Ingress %v is marked as Canary, ignoring", ingKey) continue @@ -1638,7 +1695,7 @@ func checkOverlap(ing *networking.Ingress, ingresses []*ingress.Ingress, servers return fmt.Errorf(`host "%s" and path "%s" is already defined in ingress %s/%s`, rule.Host, path.Path, existing.Namespace, existing.Name) } - if annotationErr == errors.ErrMissingAnnotations && existingAnnotationErr == existingAnnotationErr { + if annotationErr == errors.ErrMissingAnnotations && existingAnnotationErr == errors.ErrMissingAnnotations { return fmt.Errorf(`host "%s" and path "%s" is already defined in ingress %s/%s`, rule.Host, path.Path, existing.Namespace, existing.Name) } } diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go index 34ee87bdb..6af3ae1e4 100644 --- a/internal/ingress/controller/controller_test.go +++ b/internal/ingress/controller/controller_test.go @@ -42,6 +42,7 @@ import ( "k8s.io/ingress-nginx/internal/ingress" "k8s.io/ingress-nginx/internal/ingress/annotations" "k8s.io/ingress-nginx/internal/ingress/annotations/canary" + "k8s.io/ingress-nginx/internal/ingress/annotations/ipwhitelist" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl" "k8s.io/ingress-nginx/internal/ingress/annotations/sessionaffinity" 
@@ -56,11 +57,12 @@ import ( ) type fakeIngressStore struct { - ingresses []*ingress.Ingress + ingresses []*ingress.Ingress + configuration ngx_config.Configuration } -func (fakeIngressStore) GetBackendConfiguration() ngx_config.Configuration { - return ngx_config.Configuration{} +func (fis fakeIngressStore) GetBackendConfiguration() ngx_config.Configuration { + return fis.configuration } func (fakeIngressStore) GetConfigMap(key string) (*corev1.ConfigMap, error) { @@ -246,6 +248,9 @@ func TestCheckIngress(t *testing.T) { }) t.Run("When the default annotation prefix is used despite an override", func(t *testing.T) { + defer func() { + parser.AnnotationsPrefix = "nginx.ingress.kubernetes.io" + }() parser.AnnotationsPrefix = "ingress.kubernetes.io" ing.ObjectMeta.Annotations["nginx.ingress.kubernetes.io/backend-protocol"] = "GRPC" nginx.command = testNginxTestCommand{ 
@@ -257,6 +262,44 @@ func TestCheckIngress(t *testing.T) { } }) + t.Run("When snippets are disabled and user tries to use snippet annotation", func(t *testing.T) { + nginx.store = fakeIngressStore{ + ingresses: []*ingress.Ingress{}, + configuration: ngx_config.Configuration{ + AllowSnippetAnnotations: false, + }, + } + nginx.command = testNginxTestCommand{ + t: t, + err: nil, + } + ing.ObjectMeta.Annotations["nginx.ingress.kubernetes.io/server-snippet"] = "bla" + if err := nginx.CheckIngress(ing); err == nil { + t.Errorf("with a snippet annotation, ingresses using the default should be rejected") + } + }) + + t.Run("When invalid directives are used in annotation values", func(t *testing.T) { + nginx.store = fakeIngressStore{ + ingresses: []*ingress.Ingress{}, + configuration: ngx_config.Configuration{ + AnnotationValueWordBlocklist: "invalid_directive, another_directive", + }, + } + nginx.command = testNginxTestCommand{ + t: t, + err: nil, + } + ing.ObjectMeta.Annotations["nginx.ingress.kubernetes.io/custom-headers"] = "invalid_directive" + if err := nginx.CheckIngress(ing); err == nil { + t.Errorf("with an invalid value in annotation the ingress should be rejected") + } + ing.ObjectMeta.Annotations["nginx.ingress.kubernetes.io/custom-headers"] = "another_directive" + if err := nginx.CheckIngress(ing); err == nil { + t.Errorf("with an invalid value in annotation the ingress should be rejected") + } + }) + t.Run("When a new catch-all ingress is being created despite catch-alls being disabled ", func(t *testing.T) { backendBefore := ing.Spec.Backend disableCatchAllBefore := nginx.cfg.DisableCatchAll @@ -284,6 +327,9 @@ func TestCheckIngress(t *testing.T) { }) t.Run("When the ingress is in a different namespace than the watched one", func(t *testing.T) { + defer func() { + nginx.cfg.Namespace = "test-namespace" + }() nginx.command = testNginxTestCommand{ t: t, err: fmt.Errorf("test error"), 
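Review bot: The subtest "When invalid directives are used in annotation values" can pass without the blocklist ever matching. Its `ngx_config.Configuration` literal leaves `AllowSnippetAnnotations` at the zero value `false`, and the previous subtest adds a `server-snippet` annotation to the shared `ing` that is not removed in this hunk, so `CheckIngress` can return the snippet error instead. Set `AllowSnippetAnnotations: true` in that literal, call `delete(ing.ObjectMeta.Annotations, "nginx.ingress.kubernetes.io/server-snippet")` at the end of the snippet subtest, and assert on the error text (e.g. that it contains `invalid word`). `nginx.store` is also left replaced for the subtests that follow.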
@@ -2075,6 +2121,83 @@ func TestGetBackendServers(t *testing.T) { } }, }, + { + Ingresses: []*ingress.Ingress{ + { + Ingress: networking.Ingress{ + ObjectMeta: metav1.ObjectMeta{ + Name: "not-allowed-snippet", + Namespace: "default", + Annotations: map[string]string{ + "nginx.ingress.kubernetes.io/server-snippet": "bla", + "nginx.ingress.kubernetes.io/configuration-snippet": "blo", + "nginx.ingress.kubernetes.io/whitelist-source-range": "10.0.0.0/24", + }, + }, + Spec: networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + Host: "example.com", + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Path: "/path1", + PathType: &pathTypePrefix, + Backend: networking.IngressBackend{ + ServiceName: "path1-svc", + ServicePort: intstr.IntOrString{ + Type: intstr.Int, + IntVal: 80, + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + ParsedAnnotations: &annotations.Ingress{ + Whitelist: ipwhitelist.SourceRange{CIDR: []string{"10.0.0.0/24"}}, + ServerSnippet: "bla", + ConfigurationSnippet: "blo", + }, + }, + }, + Validate: func(ingresses []*ingress.Ingress, upstreams []*ingress.Backend, servers []*ingress.Server) { + if len(servers) != 2 { + t.Errorf("servers count should be 2, got %d", len(servers)) + return + } + s := servers[1] + + if s.ServerSnippet != "" { + t.Errorf("server snippet should be empty, got '%s'", s.ServerSnippet) + } + + if s.Locations[0].ConfigurationSnippet != "" { + t.Errorf("config snippet should be empty, got '%s'", s.Locations[0].ConfigurationSnippet) + } + + if len(s.Locations[0].Whitelist.CIDR) != 1 || s.Locations[0].Whitelist.CIDR[0] != "10.0.0.0/24" { + t.Errorf("allow list was incorrectly dropped, len should be 1 and contain 10.0.0.0/24") + } + + }, + SetConfigMap: func(ns string) *v1.ConfigMap { + return &v1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: "config", + SelfLink: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/config", ns), + }, + Data: 
map[string]string{ + "allow-snippet-annotations": "false", + }, + } + }, + }, } for _, testCase := range testCases { diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go index 14096d270..0438ec4e2 100644 --- a/internal/ingress/controller/store/store.go +++ b/internal/ingress/controller/store/store.go @@ -23,6 +23,7 @@ import ( "os" "reflect" "sort" + "strings" "sync" "time" @@ -630,6 +631,21 @@ func hasCatchAllIngressRule(spec networkingv1beta1.IngressSpec) bool { return spec.Backend != nil } +func checkBadAnnotationValue(annotations map[string]string, badwords string) error { + arraybadWords := strings.Split(strings.TrimSpace(badwords), ",") + + for annotation, value := range annotations { + if strings.HasPrefix(annotation, fmt.Sprintf("%s/", parser.AnnotationsPrefix)) { + for _, forbiddenvalue := range arraybadWords { + if strings.Contains(value, forbiddenvalue) { + return fmt.Errorf("%s annotation contains invalid word %s", annotation, forbiddenvalue) + } + } + } + } + return nil +} + // syncIngress parses ingress annotations converting the value of the // annotation to a go struct func (s *k8sStore) syncIngress(ing *networkingv1beta1.Ingress) { @@ -638,6 +654,14 @@ func (s *k8sStore) syncIngress(ing *networkingv1beta1.Ingress) { copyIng := &networkingv1beta1.Ingress{} ing.ObjectMeta.DeepCopyInto(©Ing.ObjectMeta) + + if s.backendConfig.AnnotationValueWordBlocklist != "" { + if err := checkBadAnnotationValue(copyIng.Annotations, s.backendConfig.AnnotationValueWordBlocklist); err != nil { + klog.Warningf("skipping ingress %s: %s", key, err) + return + } + } + ing.Spec.DeepCopyInto(©Ing.Spec) ing.Status.DeepCopyInto(©Ing.Status) diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index 3ba46681e..0163e1c69 100644 --- a/internal/ingress/controller/template/template.go +++ b/internal/ingress/controller/template/template.go 
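Review bot: `checkBadAnnotationValue` splits the blocklist on `,` but never trims the individual entries, unlike the loop added to `CheckIngress` in controller.go. With a configured value like `load_module, lua_package`, every entry after the first keeps its leading space, so at sync time that word is matched only when a space precedes it in the annotation value. An empty entry (for instance from a trailing comma) matches every value and skips every Ingress that has a prefixed annotation. This check presumably still applies to objects that never went through `CheckIngress`, so the two should behave the same: `word := strings.TrimSpace(forbiddenvalue)`, `if word == "" { continue }`, then test and report `word`. A shared helper that parses the list once would keep the two paths from drifting.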
@@ -62,6 +62,9 @@ const ( // Writer is the interface to render a template type Writer interface { + // Write renders the template. + // NOTE: Implementors must ensure that the content of the returned slice is not modified by the implementation + // after the return of this function. Write(conf config.TemplateConfig) ([]byte, error) } @@ -201,7 +204,12 @@ func (t *Template) Write(conf config.TemplateConfig) ([]byte, error) { return nil, err } - return outCmdBuf.Bytes(), nil + // make a copy to ensure that we are no longer modifying the content of the buffer + out := outCmdBuf.Bytes() + res := make([]byte, len(out)) + copy(res, out) + + return res, nil } var ( @@ -1103,7 +1111,7 @@ func buildOpentracing(c interface{}, s interface{}) string { buf := bytes.NewBufferString("") if cfg.DatadogCollectorHost != "" { - buf.WriteString("opentracing_load_tracer /usr/local/lib64/libdd_opentracing.so /etc/nginx/opentracing.json;") + buf.WriteString("opentracing_load_tracer /usr/local/lib/libdd_opentracing.so /etc/nginx/opentracing.json;") } else if cfg.ZipkinCollectorHost != "" { buf.WriteString("opentracing_load_tracer /usr/local/lib/libzipkin_opentracing_plugin.so /etc/nginx/opentracing.json;") } else if cfg.JaegerCollectorHost != "" || cfg.JaegerEndpoint != "" { diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go index cb2d20b9a..fdf45a15a 100644 --- a/internal/ingress/controller/template/template_test.go +++ b/internal/ingress/controller/template/template_test.go @@ -1288,7 +1288,7 @@ func TestBuildOpenTracing(t *testing.T) { EnableOpentracing: true, DatadogCollectorHost: "datadog-host.com", } - expected = "opentracing_load_tracer /usr/local/lib64/libdd_opentracing.so /etc/nginx/opentracing.json;\r\n" + expected = "opentracing_load_tracer /usr/local/lib/libdd_opentracing.so /etc/nginx/opentracing.json;\r\n" actual = buildOpentracing(cfgDatadog, []*ingress.Server{}) if expected != actual { 
@@ -1312,7 +1312,7 @@ func TestBuildOpenTracing(t *testing.T) { OpentracingOperationName: "my-operation-name", OpentracingLocationOperationName: "my-location-operation-name", } - expected = "opentracing_load_tracer /usr/local/lib64/libdd_opentracing.so /etc/nginx/opentracing.json;\r\n" + expected = "opentracing_load_tracer /usr/local/lib/libdd_opentracing.so /etc/nginx/opentracing.json;\r\n" expected += "opentracing_operation_name \"my-operation-name\";\n" expected += "opentracing_location_operation_name \"my-location-operation-name\";\n" actual = buildOpentracing(cfgOpenTracing, []*ingress.Server{}) diff --git a/internal/ingress/status/status.go b/internal/ingress/status/status.go index 506ae398c..a3ba41c03 100644 --- a/internal/ingress/status/status.go +++ b/internal/ingress/status/status.go @@ -215,8 +215,21 @@ func (s *statusSync) runningAddresses() ([]string, error) { } func (s *statusSync) isRunningMultiplePods() bool { + + // As a standard, app.kubernetes.io are "reserved well-known" labels. + // In our case, we add those labels as identifiers of the Ingress + // deployment in this namespace, so we can select it as a set of Ingress instances. + // As those labels are also generated as part of a HELM deployment, we can be "safe" they + // cover 95% of the cases + podLabel := make(map[string]string) + for k, v := range k8s.IngressPodDetails.Labels { + if k != "pod-template-hash" && k != "controller-revision-hash" && k != "pod-template-generation" { + podLabel[k] = v + } + } + pods, err := s.Client.CoreV1().Pods(k8s.IngressPodDetails.Namespace).List(context.TODO(), metav1.ListOptions{ - LabelSelector: labels.SelectorFromSet(k8s.IngressPodDetails.Labels).String(), + LabelSelector: labels.SelectorFromSet(podLabel).String(), }) if err != nil { return false diff --git a/internal/ingress/zz_generated.deepcopy.go b/internal/ingress/zz_generated.deepcopy.go index 5d49fb05e..410173e26 100644 --- a/internal/ingress/zz_generated.deepcopy.go 
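Review bot: In the `isRunningMultiplePods` hunk, if every label on the controller pod is one of the three excluded keys, or the pod has no labels, `podLabel` is empty and `labels.SelectorFromSet(podLabel).String()` yields an empty selector. The `List` call would then return all pods in the namespace and unrelated pods would be counted. An explicit guard before the list call makes the behaviour deliberate, e.g. `if len(podLabel) == 0 { return false }`, or whichever answer is the safe one for the caller, which is outside the hunk. The added comment's "95% of the cases" would be more useful if it named the case that is not covered.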
+++ b/internal/ingress/zz_generated.deepcopy.go @@ -1,3 +1,4 @@ +//go:build !ignore_autogenerated // +build !ignore_autogenerated /* diff --git a/internal/k8s/zz_generated.deepcopy.go b/internal/k8s/zz_generated.deepcopy.go index 0261457fe..29f1163bc 100644 --- a/internal/k8s/zz_generated.deepcopy.go +++ b/internal/k8s/zz_generated.deepcopy.go @@ -1,3 +1,4 @@ +//go:build !ignore_autogenerated // +build !ignore_autogenerated /* diff --git a/internal/runtime/cpu_linux.go b/internal/runtime/cpu_linux.go index 7b6a96d60..e7513d619 100644 --- a/internal/runtime/cpu_linux.go +++ b/internal/runtime/cpu_linux.go @@ -1,3 +1,4 @@ +//go:build linux // +build linux /* diff --git a/internal/runtime/cpu_notlinux.go b/internal/runtime/cpu_notlinux.go index 86a649e62..2a1b48252 100644 --- a/internal/runtime/cpu_notlinux.go +++ b/internal/runtime/cpu_notlinux.go @@ -1,3 +1,4 @@ +//go:build !linux // +build !linux /* diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index b4c91ef54..32b02f72a 100755 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -429,7 +429,7 @@ http { # turn on session caching to drastically improve performance {{ if $cfg.SSLSessionCache }} - ssl_session_cache builtin:1000 shared:SSL:{{ $cfg.SSLSessionCacheSize }}; + ssl_session_cache shared:SSL:{{ $cfg.SSLSessionCacheSize }}; ssl_session_timeout {{ $cfg.SSLSessionTimeout }}; {{ end }} diff --git a/stable.txt b/stable.txt index 19b69dedd..b84e34fe0 100644 --- a/stable.txt +++ b/stable.txt @@ -1 +1 @@ -controller-v0.49.0 +controller-v0.51.0 diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile index f31ed184d..28cd272b6 100644 --- a/test/e2e-image/Dockerfile +++ b/test/e2e-image/Dockerfile 
@@ -1,4 +1,4 @@ -FROM k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210810-g820a21a74@sha256:7d7393a8c6c72d76145282df53ea0679a5b769211fd1cd6b8910b6dda1bd986d AS BASE +FROM k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210822-g5e5faa24d@sha256:55c568d9e35e15d94b3ab41fe549b8ee4cd910cc3e031ddcccd06256755c5d89 AS BASE FROM alpine:3.12 diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go index b6cf638fe..c205703c3 100644 --- a/test/e2e/admission/admission.go +++ b/test/e2e/admission/admission.go 
@@ -146,6 +146,34 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { } }) + ginkgo.It("should return an error if there is an invalid value in some annotation", func() { + host := "admission-test" + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/connection-proxy-header": "a;}", + } + + f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "}") + + firstIngress := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, annotations) + _, err := f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{}) + assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid annotation value should return an error") + }) + + ginkgo.It("should return an error if there is a forbidden value in some annotation", func() { + host := "admission-test" + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/connection-proxy-header": "set_by_lua", + } + + f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "set_by_lua") + + firstIngress := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, annotations) + _, err := f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{}) + assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid annotation value should return an error") + }) + ginkgo.It("should not return an error if the Ingress V1 definition is valid", func() { if !f.IsIngressV1Ready { ginkgo.Skip("Test requires Kubernetes v1.19 or higher") 
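Review bot: The first added test does not show that the blocklist is what rejects the Ingress. The same annotation value `a;}` is expected to fail in the test added at `@@ -178,6 +206,17 @@` with no blocklist configured, so this test passes either way. Neither added test waits after `f.UpdateNginxConfigMapData(...)` before creating the Ingress, whereas the e2e tests changed elsewhere in this commit call `framework.Sleep()` for that purpose, so the create may race the configuration update. Use a value that is otherwise acceptable but contains the blocked word (as the `set_by_lua` test does), add `framework.Sleep()` after the update, and check that the returned error mentions the blocked word.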
@@ -178,6 +206,17 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid configuration should return an error") } }) + + ginkgo.It("should return an error if there is an invalid value in some annotation", func() { + host := "admission-test" + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/connection-proxy-header": "a;}", + } + firstIngress := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, annotations) + _, err := f.KubeClientSet.NetworkingV1beta1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{}) + assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid annotation value should return an error") + }) }) func uninstallChart(f *framework.Framework) error { diff --git a/test/e2e/annotations/globalratelimit.go b/test/e2e/annotations/globalratelimit.go index dd985c68c..ca9302892 100644 --- a/test/e2e/annotations/globalratelimit.go +++ b/test/e2e/annotations/globalratelimit.go @@ -40,6 +40,11 @@ var _ = framework.DescribeAnnotation("annotation-global-rate-limit", func() { annotations["nginx.ingress.kubernetes.io/global-rate-limit"] = "5" annotations["nginx.ingress.kubernetes.io/global-rate-limit-window"] = "2m" + // We need to allow { and } characters for this annotation to work + f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root") + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) ing = f.EnsureIngress(ing) namespace := strings.Replace(string(ing.UID), "-", "", -1) diff --git a/test/e2e/annotations/modsecurity.go b/test/e2e/annotations/modsecurity.go index d83803c93..574ff8424 100644 --- a/test/e2e/annotations/modsecurity.go 
+++ b/test/e2e/annotations/modsecurity.go @@ -165,7 +165,9 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { "nginx.ingress.kubernetes.io/enable-modsecurity": "true", "nginx.ingress.kubernetes.io/modsecurity-snippet": snippet, } - + f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root, {, }") + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -198,7 +200,9 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { annotations := map[string]string{ "nginx.ingress.kubernetes.io/modsecurity-snippet": snippet, } - + f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root, {, }") + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -232,7 +236,9 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { annotations := map[string]string{ "nginx.ingress.kubernetes.io/modsecurity-snippet": snippet, } - + f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root, {, }") + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) 
@@ -268,7 +274,9 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { annotations := map[string]string{ "nginx.ingress.kubernetes.io/modsecurity-snippet": snippet, } - + f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root, {, }") + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -282,7 +290,7 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { f.WaitForNginxServer(host, func(server string) bool { - return true + return strings.Contains(server, "SecRequestBodyAccess On") }) f.HTTPTestClient(). 
@@ -292,4 +300,46 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { Expect(). Status(http.StatusForbidden) }) + + ginkgo.It("should enable modsecurity through the config map but ignore snippet as disabled by admin", func() { + host := "modsecurity.foo.com" + nameSpace := f.Namespace + + snippet := `SecRequestBodyAccess On + SecAuditEngine RelevantOnly + SecAuditLogParts ABIJDEFHZ + SecAuditLog /dev/stdout + SecAuditLogType Serial + SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"` + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/modsecurity-snippet": snippet, + } + f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root, {, }") + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() + ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations) + f.EnsureIngress(ing) + + expectedComment := "SecRuleEngine On" + + f.SetNginxConfigMapData(map[string]string{ + "enable-modsecurity": "true", + "enable-owasp-modsecurity-crs": "true", + "allow-snippet-annotations": "false", + "modsecurity-snippet": expectedComment, + }) + + f.WaitForNginxServer(host, + func(server string) bool { + return !strings.Contains(server, "block-ua") + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("User-Agent", "block-ua"). + Expect(). + Status(http.StatusOK) + }) }) diff --git a/test/e2e/annotations/serversnippet.go b/test/e2e/annotations/serversnippet.go index 8a4f25ea4..adba23fee 100644 --- a/test/e2e/annotations/serversnippet.go +++ b/test/e2e/annotations/serversnippet.go @@ -17,6 +17,7 @@ limitations under the License. package annotations import ( + "net/http" "strings" "github.com/onsi/ginkgo" 
@@ -35,8 +36,8 @@ var _ = framework.DescribeAnnotation("server-snippet", func() { host := "serversnippet.foo.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/server-snippet": ` - more_set_headers "Content-Length: $content_length"; - more_set_headers "Content-Type: $content_type";`, + more_set_headers "Foo: Bar"; + more_set_headers "Xpto: Lalala";`, } ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) 
@@ -44,8 +45,50 @@ var _ = framework.DescribeAnnotation("server-snippet", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, `more_set_headers "Content-Length: $content_length`) && - strings.Contains(server, `more_set_headers "Content-Type: $content_type";`) + return strings.Contains(server, `more_set_headers "Foo: Bar`) && + strings.Contains(server, `more_set_headers "Xpto: Lalala";`) }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK).Headers(). + ValueEqual("Foo", []string{"Bar"}). + ValueEqual("Xpto", []string{"Lalala"}) + }) + + ginkgo.It(`drops server snippet if disabled by the administrator`, func() { + host := "noserversnippet.foo.com" + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/server-snippet": ` + more_set_headers "Foo: Bar"; + more_set_headers "Xpto: Lalala";`, + } + + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.UpdateNginxConfigMapData("allow-snippet-annotations", "false") + defer func() { + // Return to the original value + f.UpdateNginxConfigMapData("allow-snippet-annotations", "true") + }() + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return !strings.Contains(server, `more_set_headers "Foo: Bar`) && + !strings.Contains(server, `more_set_headers "Xpto: Lalala";`) + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK).Headers(). + NotContainsKey("Foo"). + NotContainsKey("Xpto") + }) }) diff --git a/test/e2e/annotations/snippet.go b/test/e2e/annotations/snippet.go index 61c39fa65..be0e9ccf9 100644 --- a/test/e2e/annotations/snippet.go +++ b/test/e2e/annotations/snippet.go @@ -17,6 +17,7 @@ limitations under the License. package annotations import ( + "net/http" "strings" "github.com/onsi/ginkgo" 
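Review bot: The deferred restore in `drops server snippet if disabled by the administrator` hard-codes `"true"` as the original value of `allow-snippet-annotations` instead of restoring what was set before the spec ran. If the config map is shared with later specs (not visible in this diff), a suite run with snippets disabled by default would have them switched back on for everything that follows; if it is per-spec, the defer is unnecessary. At minimum the comment should say what is assumed, e.g. `// NOTE: assumes the suite default for allow-snippet-annotations is "true"`. The same defer is repeated in the `drops snippet ...` spec of test/e2e/annotations/snippet.go (@@ -43,7 +44,44), while test/e2e/settings/badannotationvalues.go changes `annotation-value-word-blocklist` with no restore at all, so the three files should follow one convention.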
@@ -31,11 +32,11 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() { f.NewEchoDeployment() }) - ginkgo.It(`set snippet "more_set_headers "Request-Id: $req_id";" in all locations"`, func() { + ginkgo.It(`set snippet "more_set_headers "Foo1: Bar1";" in all locations"`, func() { host := "configurationsnippet.foo.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": ` - more_set_headers "Request-Id: $req_id";`, + more_set_headers "Foo1: Bar1";`, } ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) 
@@ -43,7 +44,44 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, `more_set_headers "Request-Id: $req_id";`) + return strings.Contains(server, `more_set_headers "Foo1: Bar1";`) }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK).Headers(). + ValueEqual("Foo1", []string{"Bar1"}) + }) + + ginkgo.It(`drops snippet "more_set_headers "Foo1: Bar1";" in all locations if disabled by admin"`, func() { + host := "noconfigurationsnippet.foo.com" + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/configuration-snippet": ` + more_set_headers "Foo1: Bar1";`, + } + + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.UpdateNginxConfigMapData("allow-snippet-annotations", "false") + defer func() { + // Return to the original value + f.UpdateNginxConfigMapData("allow-snippet-annotations", "true") + }() + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return !strings.Contains(server, `more_set_headers "Foo1: Bar1";`) + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK).Headers(). + NotContainsKey("Foo1") }) }) diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go index 79da5c2ca..c635c7fce 100644 --- a/test/e2e/framework/deployment.go +++ b/test/e2e/framework/deployment.go 
@@ -38,7 +38,7 @@ const SlowEchoService = "slow-echo" const HTTPBinService = "httpbin" // NginxBaseImage use for testing -const NginxBaseImage = "k8s.gcr.io/ingress-nginx/nginx:v20210809-g98288bc3c@sha256:f9363669cf26514c9548c1fe4f8f4e2f58dfb76616bcd638a0ff7f0ec3457c17" +const NginxBaseImage = "k8s.gcr.io/ingress-nginx/nginx:5402d35663917ccbbf77ff48a22b8c6f77097f48@sha256:ec8a104df307f5c6d68157b7ac8e5e1e2c2f0ea07ddf25bb1c6c43c67e351180" // NewEchoDeployment creates a new single replica deployment of the echoserver image in a particular namespace func (f *Framework) NewEchoDeployment() { diff --git a/test/e2e/framework/util.go b/test/e2e/framework/util.go index e094166f1..62603462f 100644 --- a/test/e2e/framework/util.go +++ b/test/e2e/framework/util.go @@ -38,7 +38,7 @@ const ( Poll = 2 * time.Second // DefaultTimeout time to wait for operations to complete - DefaultTimeout = 5 * time.Minute + DefaultTimeout = 90 * time.Second ) func nowStamp() string { diff --git a/test/e2e/ingress/pathtype_mixed.go b/test/e2e/ingress/pathtype_mixed.go index aac7d9ffa..7dc56674f 100644 --- a/test/e2e/ingress/pathtype_mixed.go +++ b/test/e2e/ingress/pathtype_mixed.go 
@@ -44,14 +44,14 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi host := "mixed.path" annotations := map[string]string{ - "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: exact";more_set_input_headers "pathlocation: /";`, + "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: exact";more_set_input_headers "pathheader: /";`, } ing := framework.NewSingleIngress("exact-root", "/", host, f.Namespace, framework.EchoService, 80, annotations) ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &exactPathType f.EnsureIngress(ing) annotations = map[string]string{ - "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: prefix";more_set_input_headers "pathlocation: /";`, + "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: prefix";more_set_input_headers "pathheader: /";`, } ing = framework.NewSingleIngress("prefix-root", "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -74,7 +74,7 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi assert.NotContains(ginkgo.GinkgoT(), body, "pathtype=prefix") assert.Contains(ginkgo.GinkgoT(), body, "pathtype=exact") - assert.Contains(ginkgo.GinkgoT(), body, "pathlocation=/") + assert.Contains(ginkgo.GinkgoT(), body, "pathheader=/") ginkgo.By("Checking prefix request to /bar") body = f.HTTPTestClient(). 
@@ -87,17 +87,17 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi assert.Contains(ginkgo.GinkgoT(), body, "pathtype=prefix") assert.NotContains(ginkgo.GinkgoT(), body, "pathtype=exact") - assert.Contains(ginkgo.GinkgoT(), body, "pathlocation=/") + assert.Contains(ginkgo.GinkgoT(), body, "pathheader=/") annotations = map[string]string{ - "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: exact";more_set_input_headers "pathlocation: /foo";`, + "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: exact";more_set_input_headers "pathheader: /foo";`, } ing = framework.NewSingleIngress("exact-foo", "/foo", host, f.Namespace, framework.EchoService, 80, annotations) ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &exactPathType f.EnsureIngress(ing) annotations = map[string]string{ - "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: prefix";more_set_input_headers "pathlocation: /foo";`, + "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: prefix";more_set_input_headers "pathheader: /foo";`, } ing = framework.NewSingleIngress("prefix-foo", "/foo", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -120,7 +120,7 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi assert.NotContains(ginkgo.GinkgoT(), body, "pathtype=prefix") assert.Contains(ginkgo.GinkgoT(), body, "pathtype=exact") - assert.Contains(ginkgo.GinkgoT(), body, "pathlocation=/foo") + assert.Contains(ginkgo.GinkgoT(), body, "pathheader=/foo") ginkgo.By("Checking prefix request to /foo/bar") body = f.HTTPTestClient(). 
@@ -132,7 +132,7 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi Raw() assert.Contains(ginkgo.GinkgoT(), body, "pathtype=prefix") - assert.Contains(ginkgo.GinkgoT(), body, "pathlocation=/foo") + assert.Contains(ginkgo.GinkgoT(), body, "pathheader=/foo") ginkgo.By("Checking prefix request to /foobar") body = f.HTTPTestClient(). @@ -144,6 +144,6 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi Raw() assert.Contains(ginkgo.GinkgoT(), body, "pathtype=prefix") - assert.Contains(ginkgo.GinkgoT(), body, "pathlocation=/") + assert.Contains(ginkgo.GinkgoT(), body, "pathheader=/") }) }) diff --git a/test/e2e/settings/badannotationvalues.go b/test/e2e/settings/badannotationvalues.go new file mode 100644 index 000000000..cae6605cc --- /dev/null +++ b/test/e2e/settings/badannotationvalues.go 
@@ -0,0 +1,164 @@ +/* +Copyright 2021 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package settings + +import ( + "fmt" + "net/http" + "strings" + + "github.com/onsi/ginkgo" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.DescribeAnnotation("Bad annotation values", func() { + f := framework.NewDefaultFramework("bad-annotation") + + ginkgo.BeforeEach(func() { + f.NewEchoDeployment() + }) + + ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation", func() { + host := "invalid-value-test" + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/configuration-snippet": ` + # abc { }`, + } + + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.UpdateNginxConfigMapData("allow-snippet-annotations", "true") + f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden,{") + + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + }) + + f.WaitForNginxServer(host, + func(server string) bool { + return !strings.Contains(server, "# abc { }") + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). 
+ Status(http.StatusNotFound) + }) + + ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation", func() { + host := "forbidden-value-test" + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/configuration-snippet": ` + default_type text/plain; + content_by_lua_block { + ngx.say("Hello World") + }`, + } + + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.UpdateNginxConfigMapData("allow-snippet-annotations", "true") + f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden,content_by_lua_block") + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + }) + + f.WaitForNginxServer(host, + func(server string) bool { + return !strings.Contains(server, `ngx.say("Hello World")`) + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusNotFound) + }) + + ginkgo.It("[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place", func() { + + hostValid := "custom-allowed-value-test" + annotationsValid := map[string]string{ + "nginx.ingress.kubernetes.io/configuration-snippet": ` + # bla_by_lua`, + } + + ingValid := framework.NewSingleIngress(hostValid, "/", hostValid, f.Namespace, framework.EchoService, 80, annotationsValid) + + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() + f.EnsureIngress(ingValid) + + f.WaitForNginxServer(hostValid, + func(server string) bool { + return strings.Contains(server, fmt.Sprintf("server_name %s ;", hostValid)) + }) + + f.WaitForNginxServer(hostValid, + func(server string) bool { + return strings.Contains(server, "# bla_by_lua") + }) + + f.HTTPTestClient(). + GET("/"). 
+ WithHeader("Host", hostValid). + Expect(). + Status(http.StatusOK) + }) + + ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass", func() { + host := "custom-forbidden-value-test" + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/configuration-snippet": ` + # something_forbidden`, + } + + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden") + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) + }) + + f.WaitForNginxServer(host, + func(server string) bool { + return !strings.Contains(server, "# something_forbidden") + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusNotFound) + + }) +}) diff --git a/test/e2e/settings/server_snippet.go b/test/e2e/settings/server_snippet.go new file mode 100644 index 000000000..b9e172717 --- /dev/null +++ b/test/e2e/settings/server_snippet.go 
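Review bot: The three "should drop an ingress" specs in badannotationvalues.go can pass without the blocklist doing anything, because both `WaitForNginxServer` predicates are negative and the final assertion is `Status(http.StatusNotFound)`, which is also the answer for a host the controller has not rendered yet. How `WaitForNginxServer` treats a missing server block is not visible in this diff, so this is hedged, but a positive control in the same spec removes the doubt: create a second ingress without blocked words, wait until it is served, then assert the 404 (the last spec's title already promises "and allow others to pass"). The first spec also omits the `framework.Sleep()` the other specs call after updating the config map. The third spec keeps the "configmap is applied" comment although it changes no config map, so it only exercises the default list. A sketch for the last spec follows.

```go
		// … unchanged: host, annotations, blocklist update, Sleep, f.EnsureIngress(ing) …

		// Positive control: an ingress without blocked words must be served.
		// This also shows the controller has synced before the 404 is checked.
		hostValid := "custom-allowed-value-test"
		annotationsValid := map[string]string{
			"nginx.ingress.kubernetes.io/configuration-snippet": `
			# bla_by_lua`,
		}
		ingValid := framework.NewSingleIngress(hostValid, "/", hostValid, f.Namespace, framework.EchoService, 80, annotationsValid)
		f.EnsureIngress(ingValid)

		f.WaitForNginxServer(hostValid,
			func(server string) bool {
				return strings.Contains(server, fmt.Sprintf("server_name %s ;", hostValid))
			})

		f.HTTPTestClient().
			GET("/").
			WithHeader("Host", hostValid).
			Expect().
			Status(http.StatusOK)

		// … unchanged: negative waits and 404 check for host …
```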
@@ -0,0 +1,149 @@ +/* +Copyright 2021 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package settings + +import ( + "net/http" + "strings" + + "github.com/onsi/ginkgo" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.DescribeSetting("configmap server-snippet", func() { + f := framework.NewDefaultFramework("cm-server-snippet") + + ginkgo.BeforeEach(func() { + f.NewEchoDeployment() + }) + + ginkgo.It("should add value of server-snippet setting to all ingress config", func() { + host := "serverglobalsnippet1.foo.com" + hostAnnots := "serverannotssnippet1.foo.com" + + f.SetNginxConfigMapData(map[string]string{ + "server-snippet": ` + more_set_headers "Globalfoo: Foooo";`, + }) + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/server-snippet": ` + more_set_headers "Foo: Bar"; + more_set_headers "Xpto: Lalala";`, + } + + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil) + f.EnsureIngress(ing) + + ing1 := framework.NewSingleIngress(hostAnnots, "/", hostAnnots, f.Namespace, framework.EchoService, 80, annotations) + f.EnsureIngress(ing1) + + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, `more_set_headers "Globalfoo: Foooo`) && + !strings.Contains(server, `more_set_headers "Foo: Bar";`) && + !strings.Contains(server, `more_set_headers "Xpto: Lalala";`) 
+ }) + + f.WaitForNginxServer(hostAnnots, + func(server string) bool { + return strings.Contains(server, `more_set_headers "Globalfoo: Foooo`) && + strings.Contains(server, `more_set_headers "Foo: Bar";`) && + strings.Contains(server, `more_set_headers "Xpto: Lalala";`) + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK).Headers(). + ValueEqual("Globalfoo", []string{"Foooo"}). + NotContainsKey("Foo"). + NotContainsKey("Xpto") + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", hostAnnots). + Expect(). + Status(http.StatusOK).Headers(). + ValueEqual("Foo", []string{"Bar"}). + ValueEqual("Xpto", []string{"Lalala"}). + ValueEqual("Globalfoo", []string{"Foooo"}) + }) + + ginkgo.It("should add global server-snippet and drop annotations per admin config", func() { + host := "serverglobalsnippet2.foo.com" + hostAnnots := "serverannotssnippet2.foo.com" + + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + "server-snippet": ` + more_set_headers "Globalfoo: Foooo";`, + }) + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/server-snippet": ` + more_set_headers "Foo: Bar"; + more_set_headers "Xpto: Lalala";`, + } + + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil) + f.EnsureIngress(ing) + + ing1 := framework.NewSingleIngress(hostAnnots, "/", hostAnnots, f.Namespace, framework.EchoService, 80, annotations) + f.EnsureIngress(ing1) + + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, `more_set_headers "Globalfoo: Foooo`) && + !strings.Contains(server, `more_set_headers "Foo: Bar";`) && + !strings.Contains(server, `more_set_headers "Xpto: Lalala";`) + }) + + f.WaitForNginxServer(hostAnnots, + func(server string) bool { + return strings.Contains(server, `more_set_headers "Globalfoo: Foooo`) && + 
!strings.Contains(server, `more_set_headers "Foo: Bar";`) && + !strings.Contains(server, `more_set_headers "Xpto: Lalala";`) + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK).Headers(). + ValueEqual("Globalfoo", []string{"Foooo"}). + NotContainsKey("Foo"). + NotContainsKey("Xpto") + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", hostAnnots). + Expect(). + Status(http.StatusOK).Headers(). + ValueEqual("Globalfoo", []string{"Foooo"}). + NotContainsKey("Foo"). + NotContainsKey("Xpto") + }) +})
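Review bot: The first spec in server_snippet.go, `should add value of server-snippet setting to all ingress config`, depends on the default of `allow-snippet-annotations`: its config map sets only `server-snippet`, yet it asserts that the annotation headers `Foo` and `Xpto` are served. The second spec sets the key to `"false"` explicitly and badannotationvalues.go sets it to `"true"` explicitly, so I would add `"allow-snippet-annotations": "true",` to the first map to keep the spec meaningful if the default changes. The positive `Globalfoo` pattern also lacks the closing `";` that the other patterns carry; `more_set_headers "Globalfoo: Foooo";` would match the rendered directive exactly.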