Bump github.com/spf13/cobra from 1.8.1 to 1.9.1 (#12859 )

Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bump the go group across 3 directories with 11 updates (#12857 )
2025-02-17 04:30:24 -08:00 · 2025-02-17 03:32:22 -08:00 · 2025-02-17 03:16:23 -08:00 · 2025-02-17 02:18:22 -08:00 · 2025-02-15 01:10:20 -08:00 · 2025-02-14 14:48:21 -08:00
5247 changed files with 135305 additions and 1475007 deletions
--- a/.codecov.yml
+++ b/.codecov.yml
@ -1,8 +0,0 @@
-coverage:
-  status:
-    project:
-      default:
-        target: 40%
-        threshold: null
-    patch: false
-    changes: false
--- a/.ct.yaml
+++ b/.ct.yaml
@ -0,0 +1,26 @@
+# Copyright 2024 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+remote: origin
+target-branch: main
+
+validate-maintainers: false
+check-version-increment: false
+
+chart-repos:
+  - ingress-nginx=https://kubernetes.github.io/ingress-nginx
+helm-extra-args: --timeout 800s
+
+chart-dirs:
+  - charts
--- a/images/grpc-fortune-teller/go.mod
+++ b/images/grpc-fortune-teller/go.mod
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -10,7 +10,8 @@ assignees: ''
 <!--

 Welcome to ingress-nginx!  For a smooth issue process, try to answer the following questions.
-Don't worry if they're not all applicable; just try to include what you can :-)
+Don't worry if they're not all applicable; just try to include what you can :-).
+More info helps better understanding of the issue (needless to say).

 If you need to include code snippets or logs, please put them in fenced code
 blocks.  If they're super-long, please use the details tag like
@ -27,7 +28,22 @@ This questions are the first thing we need to know to understand the context.

 -->

-**NGINX Ingress controller version**:
+**What happened**:
+
+<!-- (please include exact error messages if you can) -->
+
+**What you expected to happen**:
+
+<!-- What do you think went wrong? -->
+
+
+**NGINX Ingress controller version** (exec into the pod and run `/nginx-ingress-controller --version`):
+<!--
+POD_NAMESPACE=ingress-nginx
+POD_NAME=$(kubectl get pods -n $POD_NAMESPACE -l app.kubernetes.io/name=ingress-nginx --field-selector=status.phase=Running -o jsonpath='{.items[0].metadata.name}')
+
+kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --version  
+-->

 **Kubernetes version** (use `kubectl version`):

@ -37,17 +53,36 @@ This questions are the first thing we need to know to understand the context.
 - **OS** (e.g. from /etc/os-release):
 - **Kernel** (e.g. `uname -a`):
 - **Install tools**:
+  - `Please mention how/where was the cluster created like kubeadm/kops/minikube/kind etc. `
+- **Basic cluster related info**:
+  - `kubectl version`
+  - `kubectl get nodes -o wide`
+
+- **How was the ingress-nginx-controller installed**:
+  - If helm was used then please show output of `helm ls -A | grep -i ingress`
+  - If helm was used then please show output of `helm -n <ingresscontrollernamespace> get values <helmreleasename>`
+  - If helm was not used, then copy/paste the complete precise command used to install the controller, along with the flags and options used
+  - if you have more than one instance of the ingress-nginx-controller installed in the same cluster, please provide details for all the instances
+
+- **Current State of the controller**:
+  - `kubectl describe ingressclasses`
+  - `kubectl -n <ingresscontrollernamespace> get all -A -o wide`
+  - `kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>`
+  - `kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>`
+
+- **Current state of ingress object, if applicable**:
+  - `kubectl -n <appnamespace> get all,ing -o wide`
+  - `kubectl -n <appnamespace> describe ing <ingressname>`
+  - If applicable, then, your complete and exact curl/grpcurl command (redacted if required) and the reponse to the curl/grpcurl command with the -v flag
+
 - **Others**:
+  - Any other related information like ;
+    - copy/paste of the snippet (if applicable)
+    - `kubectl describe ...` of any custom configmap(s) created and in use
+    - Any other related information that may help

-**What happened**:

-<!-- (please include exact error messages if you can) -->
-
-**What you expected to happen**:
-
-<!-- What do you think went wrong? -->
-
-**How to reproduce it**:
+**How to reproduce this issue**:
 <!---

 As minimally and precisely as possible. Keep in mind we do not have access to your cluster or application.
@ -60,28 +95,34 @@ Help up us (if possible) reproducing the issue using minikube or kind.

 ## Install the ingress controller

-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/baremetal/deploy.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml

 ## Install an application that will act as default backend (is just an echo app)

-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/http-svc.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/http-svc.yaml

 ## Create an ingress (please add any additional annotation required)

 echo "
-  apiVersion: networking.k8s.io/v1beta1
+  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: foo-bar
+    annotations:
+      kubernetes.io/ingress.class: nginx
  spec:
+    ingressClassName: nginx # omit this if you're on controller version below 1.0.0
    rules:
    - host: foo.bar
      http:
        paths:
-        - backend:
-            serviceName: http-svc
-            servicePort: 80
-          path: /
+        - path: /
+          pathType: Prefix
+          backend:
+            service:
+              name: http-svc
+              port: 
+                number: 80
 " | kubectl apply -f -

 ## make a request
@ -93,6 +134,9 @@ kubectl exec -it -n ingress-nginx $POD_NAME -- curl -H 'Host: foo.bar' localhost

 **Anything else we need to know**:

-<!-- If this is actually about documentation, add `/kind documentation` below -->
+<!-- If this is actually about documentation, uncomment the following block -->

-/kind bug
+<!-- 
+/kind documentation
+/remove-kind bug
+-->
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -0,0 +1,4 @@
+contact_links:
+  - name: Support Request/Question 
+    url: https://kubernetes.slack.com/messages/ingress-nginx/
+    about: Support request or question relating to Ingress NGINX in Kubernetes Slack
--- a/.github/ISSUE_TEMPLATE/cve_report.md
+++ b/.github/ISSUE_TEMPLATE/cve_report.md
@ -0,0 +1,20 @@
+---
+name: CVE Finding Report
+about: CVE reporting for ingress-nginx
+title: ''
+labels: kind/bug
+assignees:
+    - Gacko
+    - strongjz
+---
+
+<!-- if you found something that impacts directly ingress-nginx and
+is not a public CVE yet, please reach out security@kubernetes.io" -->
+
+<!-- What scanner and version reported the CVE? -->
+
+<!-- What CVE was reported in the scanner findings? -->
+
+<!-- What versions of the controller did you test with?  -->
+
+<!-- Please provider other details that will help us determine the severity of the issue -->
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -7,24 +7,15 @@ assignees: ''

 ---

-<!--
-
-Welcome to ingress-nginx!  For a smooth feature request process, try to
-answer the following questions. Don't worry if they're not all applicable; just
-try to include what you can :-)
-
-If you need to include code snippets or logs, please put them in fenced code
-blocks.  If they're super-long, please use the details tag like
-<details><summary>super-long log</summary> lots of stuff </details>
-
-->
-
 <!-- What do you want to happen? -->

 <!-- Is there currently another issue associated with this? -->

 <!-- Does it require a particular kubernetes version? -->

-<!-- If this is actually about documentation, add `/kind documentation` below -->
+<!-- If this is actually about documentation, uncomment the following block -->

-/kind feature
+<!-- 
+/kind documentation
+/remove-kind feature
+-->
--- a/.github/ISSUE_TEMPLATE/support-question.md
+++ b/.github/ISSUE_TEMPLATE/support-question.md
@ -1,37 +0,0 @@
---
-name: Question
-about: Any questions you might have.
-title: ''
-labels: triage/support
-assignees: ''
-
---
-
-<!--
-
-Welcome to ingress-nginx!
-
-You probably didn't want to be one this page.  It shouldn't really be here anyway.
-
-* If you want a quick response to a question, ask on the Kubernetes Slack instance in #ingress-nginx.
-
-* If this is actually a bug or a feature request, file one of those.  If you're
-  not sure which, just take a guess and we can always re-label.
-
-* If you think this might turn into a bug or feature request, but you're not
-  sure, try asking in Slack first.
-
-->
-
-<!--
-
-Still here?  Double-check that this hasn't been asked before, then put your question below
-with as many details as possible.
-
-If you need to include code snippets or logs, please put them in fenced code
-blocks.  If they're super-long, please use the details tag like
-<details><summary>super-long log</summary> lots of stuff </details>
-
-->
-
-/triage support
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@ -1,5 +1,6 @@
 <!--- Provide a general summary of your changes in the Title above --->
 <!--- Please don't @-mention people in PR or commit messages (do so in an additional comment). --->
+<!--- Please make sure you title is descriptive, it is used in the Release notes to let others know what it does ---> 

 ## What this PR does / why we need it:
 <!--- Why is this change required? What problem does it solve? -->
@ -9,7 +10,9 @@
 <!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
 - [ ] Bug fix (non-breaking change which fixes an issue)
 - [ ] New feature (non-breaking change which adds functionality)
+- [ ] CVE Report (Scanner found CVE and adding report)
 - [ ] Breaking change (fix or feature that would cause existing functionality to change)
+- [ ] Documentation only

 ## Which issue/s this PR fixes
 <!--
@ -28,6 +31,6 @@ fixes #
 <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
 - [ ] My change requires a change to the documentation.
 - [ ] I have updated the documentation accordingly.
- [ ] I've read the [CONTRIBUTION](https://github.com/kubernetes/ingress-nginx/blob/master/CONTRIBUTING.md) guide
- [ ] I have added tests to cover my changes.
+- [ ] I've read the [CONTRIBUTION](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md) guide
+- [ ] I have added unit and/or e2e tests to cover my changes.
 - [ ] All new and existing tests passed.
--- a/.github/actions/mkdocs/Dockerfile
+++ b/.github/actions/mkdocs/Dockerfile
@ -1,4 +1,4 @@
-FROM squidfunk/mkdocs-material:5.1.0
+FROM squidfunk/mkdocs-material:9.4.5

 COPY action.sh /action.sh

--- a/.github/actions/mkdocs/action.sh
+++ b/.github/actions/mkdocs/action.sh
@ -16,7 +16,7 @@

 set -e

-REQUIREMENTS="${GITHUB_WORKSPACE}/requirements.txt"
+REQUIREMENTS="${GITHUB_WORKSPACE}/docs/requirements.txt"

 if [ -f "${REQUIREMENTS}" ]; then
    pip install -r "${REQUIREMENTS}"
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,43 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "area/dependency"
+      - "release-note-none"
+      - "ok-to-test"
+    groups:
+      actions:
+        update-types:
+          - "minor"
+          - "patch"
+  - package-ecosystem: "docker"
+    directories:
+      - "**/rootfs"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "area/dependency"
+      - "release-note-none"
+      - "ok-to-test"
+    groups:
+      docker:
+        update-types:
+          - "minor"
+          - "patch"
+  - package-ecosystem: "gomod"
+    directories:
+      - "/"
+      - "**/rootfs"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "area/dependency"
+      - "release-note-none"
+      - "ok-to-test"
+    groups:
+      go:
+        update-types:
+          - "patch"
--- a/.github/workflows/chart.yaml
+++ b/.github/workflows/chart.yaml
@ -0,0 +1,64 @@
+name: Chart
+
+on:
+  push:
+    branches:
+      - main
+      - release-*
+    paths:
+      - charts/ingress-nginx/Chart.yaml
+  
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.x
+
+      - name: Set up Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+
+      - name: Set up Helm Chart Testing
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+
+      - name: Set up Artifact Hub
+        run: |
+          curl --fail --location https://github.com/artifacthub/hub/releases/download/v1.20.0/ah_1.20.0_linux_amd64.tar.gz --output /tmp/ah.tar.gz
+          echo "9027626f19ff9f3ac668f222917130ac885e289e922e1428bfd2e7f066324e31  /tmp/ah.tar.gz" | shasum --check
+          sudo tar --extract --file /tmp/ah.tar.gz --directory /usr/local/bin ah
+
+      - name: Set up Git
+        run: |
+          git config --global user.name "${GITHUB_ACTOR}"
+          git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Lint chart
+        run: |
+          ct lint --config .ct.yaml
+          ah lint --path charts/ingress-nginx
+
+      - name: Release chart
+        uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0
+        env:
+          CR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CR_RELEASE_NAME_TEMPLATE: helm-chart-{{ .Version }}
+          CR_SKIP_EXISTING: true
+        with:
+          charts_dir: charts
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -0,0 +1,322 @@
+name: CI
+
+on:
+  pull_request:
+    branches:
+      - "*"
+    paths-ignore:
+      - 'docs/**'
+      - 'deploy/**'
+      - '**.md'
+      - 'images/**' # Images changes should be tested on their own workflow
+      - '!images/nginx/**'
+
+  push:
+    branches:
+      - main
+      - release-*
+    paths-ignore:
+      - 'docs/**'
+      - 'deploy/**'
+      - '**.md'
+      - 'images/**' # Images changes should be tested on their own workflow
+
+  workflow_dispatch:
+    inputs:
+      run_e2e:
+        description: 'Force e2e to run'
+        required: false
+        type: boolean
+
+
+permissions:
+  contents: read
+
+jobs:
+
+  changes:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
+    runs-on: ubuntu-latest
+    outputs:
+      go: ${{ steps.filter.outputs.go }}
+      charts: ${{ steps.filter.outputs.charts }}
+      baseimage: ${{ steps.filter.outputs.baseimage }}
+
+    steps:
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          filters: |
+            go:
+              - '**/*.go'
+              - 'go.mod'
+              - 'go.sum'
+              - 'rootfs/**/*'
+              - 'TAG'
+              - 'test/e2e/**/*'
+              - 'NGINX_BASE'
+            charts:
+              - 'charts/ingress-nginx/Chart.yaml'
+              - 'charts/ingress-nginx/**/*'
+              - 'NGINX_BASE'
+            baseimage:
+              - 'NGINX_BASE'
+              - 'images/nginx/**'
+            docs:
+              - '**/*.md'
+            lua:
+              - '**/*.lua'
+
+  lua-lint:
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (needs.changes.outputs.lua == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      
+      - name: Lint Lua
+        uses: lunarmodules/luacheck@v1
+        with:
+          args: --codes --globals lua_ingress --globals configuration --globals balancer --globals monitor --globals certificate --globals tcp_udp_configuration --globals tcp_udp_balancer --no-max-comment-line-length -q rootfs/etc/nginx/lua/
+
+  test-go:
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (needs.changes.outputs.go == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Get go version
+        run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
+
+      - name: Set up Go
+        id: go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+          check-latest: true
+
+      - name: Run test
+        run: make test
+
+        
+  verify-docs:
+    name: Verify Doc generation
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.docs == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Get go version
+        run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
+      - name: Set up Go
+        id: go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+          check-latest: true
+      - name: Verify Docs
+        run: make verify-docs
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    needs: changes
+    outputs:
+      golangversion: ${{ steps.golangversion.outputs.version }}
+    if: |
+      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.charts == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
+
+    env:
+        PLATFORMS: linux/amd64
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Get go version
+        id: golangversion
+        run: |
+          echo "version=$(cat GOLANG_VERSION)" >> "$GITHUB_OUTPUT"
+
+      - name: Set up Go
+        id: go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version: ${{ steps.golangversion.outputs.version }}
+          check-latest: true
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
+        with:
+          version: latest
+
+      - name: Available platforms
+        run: echo ${{ steps.buildx.outputs.platforms }}
+
+      - name: Prepare Host
+        run: |
+          curl -LO https://dl.k8s.io/release/v1.32.2/bin/linux/amd64/kubectl
+          chmod +x ./kubectl
+          sudo mv ./kubectl /usr/local/bin/kubectl
+
+      - name: Build NGINX Base image
+        if: |
+          needs.changes.outputs.baseimage == 'true'
+        run: |
+            export TAG=$(cat images/nginx/TAG)
+            cd images/nginx/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --load -t registry.k8s.io/ingress-nginx/nginx:${TAG} .
+
+      - name: Build images
+        env:
+          TAG: 1.0.0-dev
+          ARCH: amd64
+          REGISTRY: ingress-controller
+        run: |
+          echo "building images..."
+          export TAGNGINX=$(cat images/nginx/TAG)
+          make BASE_IMAGE=registry.k8s.io/ingress-nginx/nginx:${TAGNGINX} clean-image build image image-chroot
+          make -C test/e2e-image image
+
+          echo "creating images cache..."
+          docker save \
+            nginx-ingress-controller:e2e \
+            ingress-controller/controller:1.0.0-dev \
+            ingress-controller/controller-chroot:1.0.0-dev \
+            | gzip > docker.tar.gz
+
+      - name: cache
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: docker.tar.gz
+          path: docker.tar.gz
+          retention-days: 5
+
+  chart-lint:
+    name: Chart / Lint
+    runs-on: ubuntu-latest
+    needs:
+      - changes
+
+    if: fromJSON(needs.changes.outputs.charts) || fromJSON(needs.changes.outputs.baseimage) || fromJSON(github.event.workflow_dispatch.run_e2e)
+
+    steps:
+      - name: Set up Python
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+        with:
+          python-version: 3.x
+
+      - name: Set up Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+
+      - name: Set up Helm Chart Testing
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+
+      - name: Set up Artifact Hub
+        run: |
+          curl --fail --location https://github.com/artifacthub/hub/releases/download/v1.20.0/ah_1.20.0_linux_amd64.tar.gz --output /tmp/ah.tar.gz
+          echo "9027626f19ff9f3ac668f222917130ac885e289e922e1428bfd2e7f066324e31  /tmp/ah.tar.gz" | shasum --check
+          sudo tar --extract --file /tmp/ah.tar.gz --directory /usr/local/bin ah
+
+      - name: Set up Helm Docs
+        uses: gabe565/setup-helm-docs-action@d5c35bdc9133cfbea3b671acadf50a29029e87c2 # v1.0.4
+
+      - name: Set up Helm Unit Test
+        run: helm plugin install https://github.com/helm-unittest/helm-unittest
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Lint chart
+        run: |
+          ct lint --config .ct.yaml
+          ah lint --path charts/ingress-nginx
+
+      - name: Check docs
+        run: |
+          helm-docs --chart-search-root charts
+          git diff --exit-code charts/ingress-nginx/README.md
+
+      - name: Run tests
+        run: helm unittest charts/ingress-nginx --file "tests/**/*_test.yaml"
+
+  chart-test:
+    name: Chart / Test
+    runs-on: ubuntu-latest
+    needs:
+      - changes
+      - build
+      - chart-lint
+
+    if: fromJSON(needs.changes.outputs.charts) || fromJSON(needs.changes.outputs.baseimage) || fromJSON(github.event.workflow_dispatch.run_e2e)
+
+    strategy:
+      matrix:
+        k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Download cache
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: docker.tar.gz
+
+      - name: Load cache
+        run: gzip --decompress --stdout docker.tar.gz | docker load
+
+      - name: Run tests
+        env:
+          K8S_VERSION: ${{ matrix.k8s }}
+          SKIP_IMAGE_CREATION: true
+        run: |
+          sudo mkdir -pm 777 "${HOME}/.kube"
+          make kind-e2e-chart-tests
+
+  kubernetes:
+    name: Kubernetes
+    needs:
+      - changes
+      - build
+    if: |
+      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
+    strategy:
+      matrix:
+        k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]
+    uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
+    with:
+      k8s-version: ${{ matrix.k8s }}
+
+  kubernetes-chroot:
+    name: Kubernetes chroot
+    needs:
+      - changes
+      - build
+    if: |
+      (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
+    strategy:
+      matrix:
+        k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]
+    uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
+    with:
+      k8s-version: ${{ matrix.k8s }}
+      variation: "CHROOT"
--- a/.github/workflows/depreview.yaml
+++ b/.github/workflows/depreview.yaml
@ -0,0 +1,14 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@ -0,0 +1,55 @@
+name: Documentation
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+
+  changes:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
+    runs-on: ubuntu-latest
+    if: |
+      (github.repository == 'kubernetes/ingress-nginx')
+    outputs:
+      docs: ${{ steps.filter.outputs.docs }}
+      charts: ${{ steps.filter.outputs.charts }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          filters: |
+            docs:
+             - 'docs/**/*'
+
+  docs:
+    name: Update
+    runs-on: ubuntu-latest
+    needs:
+      - changes
+    if: |
+      (github.repository == 'kubernetes/ingress-nginx') &&
+      (needs.changes.outputs.docs == 'true')
+
+    permissions:
+      contents: write # needed to write releases
+
+    steps:
+      - name: Checkout master
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Deploy
+        uses: ./.github/actions/mkdocs
+        env:
+          PERSONAL_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@ -0,0 +1,34 @@
+name: golangci-lint
+
+on:
+  pull_request:
+    paths:
+      - '**/*.go'
+      - '.github/workflows/golangci-lint.yml'
+
+permissions:
+  contents: read
+
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Get go version
+        run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
+
+      - name: Set up Go
+        id: go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+          check-latest: true
+
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0
+        with:
+          version: v1.62
+          only-new-issues: true
--- a/.github/workflows/images.yaml
+++ b/.github/workflows/images.yaml
@ -0,0 +1,192 @@
+name: Container Images
+
+on:
+  pull_request:
+    branches:
+      - "*"
+    paths:
+      - 'images/**'
+
+  push:
+    branches:
+      - main
+    paths:
+      - 'images/**'
+
+permissions:
+  contents: write
+  packages: write
+
+env:
+  PLATFORMS: linux/amd64
+
+jobs:
+  changes:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
+    runs-on: ubuntu-latest
+    outputs:
+      custom-error-pages: ${{ steps.filter.outputs.custom-error-pages }}
+      cfssl: ${{ steps.filter.outputs.cfssl }}
+      fastcgi-helloserver: ${{ steps.filter.outputs.fastcgi-helloserver }}
+      e2e-test-echo: ${{ steps.filter.outputs.e2e-test-echo }}
+      go-grpc-greeter-server: ${{ steps.filter.outputs.go-grpc-greeter-server }}
+      httpbun: ${{ steps.filter.outputs.httpbun }}
+      kube-webhook-certgen: ${{ steps.filter.outputs.kube-webhook-certgen }}
+      ext-auth-example-authsvc: ${{ steps.filter.outputs.ext-auth-example-authsvc }}
+      nginx: ${{ steps.filter.outputs.nginx }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          filters: |
+            custom-error-pages:
+              - 'images/custom-error-pages/**'
+            cfssl:
+              - 'images/cfssl/**'
+            fastcgi-helloserver:
+              - 'images/fastcgi-helloserver/**'
+            e2e-test-echo:
+              - 'images/e2e-test-echo/**'
+            go-grpc-greeter-server:
+              - 'images/go-grpc-greeter-server/**'
+            httpbun:
+              - 'images/httpbun/**'
+            kube-webhook-certgen:
+              - 'images/kube-webhook-certgen/**'
+            ext-auth-example-authsvc:
+              - 'images/ext-auth-example-authsvc/**'
+            nginx:
+              - 'images/nginx/**'
+
+  #### TODO: Make the below jobs 'less dumb' and use the job name as parameter (the github.job context does not work here)
+  cfssl:
+    needs: changes
+    if: |
+      (needs.changes.outputs.cfssl == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: cfssl
+    secrets: inherit
+
+  custom-error-pages:
+    needs: changes
+    if: |
+      (needs.changes.outputs.custom-error-pages == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: custom-error-pages
+    secrets: inherit
+
+  e2e-test-echo:
+    needs: changes
+    if: |
+      (needs.changes.outputs.e2e-test-echo == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: e2e-test-echo
+    secrets: inherit
+
+  ext-auth-example-authsvc:
+    needs: changes
+    if: |
+      (needs.changes.outputs.ext-auth-example-authsvc == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: ext-auth-example-authsvc
+    secrets: inherit
+
+  fastcgi-helloserver:
+    needs: changes
+    if: |
+      (needs.changes.outputs.fastcgi-helloserver == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: fastcgi-helloserver
+    secrets: inherit
+
+  go-grpc-greeter-server:
+    needs: changes
+    if: |
+      (needs.changes.outputs.go-grpc-greeter-server == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: go-grpc-greeter-server
+    secrets: inherit
+
+  httpbun:
+    needs: changes
+    if: |
+      (needs.changes.outputs.httpbun == 'true')
+    uses: ./.github/workflows/zz-tmpl-images.yaml
+    with:
+      name: httpbun
+    secrets: inherit
+
+  kube-webhook-certgen:
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (needs.changes.outputs.kube-webhook-certgen == 'true')
+    strategy:
+      matrix:
+        k8s: [v1.28.15, v1.29.12, v1.30.8, v1.31.4, v1.32.0]
+    steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+    - name: Get go version
+      run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
+
+    - name: Set up Go
+      id: go
+      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+      with:
+        go-version: ${{ env.GOLANG_VERSION }}
+        check-latest: true
+    - name: image build
+      run: |
+        cd images/ && make NAME=kube-webhook-certgen build
+    - name: Create Kubernetes cluster
+      id: kind
+      run: |
+        kind create cluster --image=kindest/node:${{ matrix.k8s }}
+    - name: image test
+      run: |
+        cd images/ && make NAME=kube-webhook-certgen test test-e2e
+
+  nginx:
+    permissions:
+      contents: write
+      packages: write
+    runs-on: ubuntu-latest
+    needs: changes
+    if: |
+      (github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.nginx == 'true')
+    env:
+      PLATFORMS: linux/amd64,linux/arm,linux/arm64
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
+        with:
+          version: latest
+          platforms: ${{ env.PLATFORMS }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: build-image
+        run: |
+          export TAG=$(cat images/nginx/TAG)
+          cd images/nginx/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --push -t ingressnginx/nginx:${TAG} .
--- a/.github/workflows/junit-reports.yaml
+++ b/.github/workflows/junit-reports.yaml
@ -0,0 +1,22 @@
+name: 'E2E Test Report'
+
+on:
+  workflow_run:
+    workflows: ['CI']                     # runs after CI workflow
+    types:
+      - completed
+
+permissions:
+  checks: write
+
+jobs:
+  report:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1
+        with:
+          artifact: /e2e-test-reports-(.*)/
+          name: JEST Tests $1               # Name of the check run which will be created
+          path: 'report*.xml'               # Path to test results (inside artifact .zip)
+          reporter: jest-junit              # Format of test results
+          fail-on-empty: 'true'
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@ -1,37 +0,0 @@
-name: Documentation and Helm chart
-
-on:
-  push:
-    branches:
-      - master
-
-jobs:
-
-  docs:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout master
-        uses: actions/checkout@v1
-
-      - name: Deploy docs
-        uses: ./.github/actions/mkdocs
-        env:
-          PERSONAL_TOKEN: ${{ secrets.PERSONAL_TOKEN }}
-
-  chart:
-    needs: docs
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout master
-        uses: actions/checkout@v1
-
-      - name: Setup
-        shell: bash
-        run: |
-          git config --global user.name "$GITHUB_ACTOR"
-          git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
-
-      - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.0.0-rc.2
-        env:
-          CR_TOKEN: "${{ secrets.PERSONAL_TOKEN }}"
--- a/.github/workflows/perftest.yaml
+++ b/.github/workflows/perftest.yaml
@ -0,0 +1,72 @@
+name: Performance Test
+
+on:
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: 'Log level'
+        required: true
+        default: 'warning'
+      tags:
+        description: 'K6 Load Test'
+
+permissions:
+  contents: read
+
+jobs:
+  k6_test_run:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install K6
+        run: |
+          wget https://github.com/grafana/k6/releases/download/v0.38.2/k6-v0.38.2-linux-amd64.tar.gz
+          echo '7c9e5a26aaa2c638c042f6dfda7416161b8d2e0d4cb930721a38083b8be109ab *k6-v0.38.2-linux-amd64.tar.gz' | shasum -c
+          tar -xvf k6-v0.38.2-linux-amd64.tar.gz k6-v0.38.2-linux-amd64/k6
+          mv k6-v0.38.2-linux-amd64/k6 .
+          ./k6
+
+      - name: Make dev-env
+        run: |
+          mkdir $HOME/.kube
+          make dev-env
+          podName=`kubectl -n ingress-nginx get po | grep -i controller | awk '{print $1}'`
+          if [[ -z ${podName} ]] ; then
+            sleep 5
+          fi
+          kubectl wait pod -n ingress-nginx --for condition=Ready $podName
+          kubectl get all -A
+
+      - name: Deploy workload
+        run: |
+          kubectl create deploy k6 --image kennethreitz/httpbin --port 80 && \
+            kubectl expose deploy k6 --port 80 && \
+            kubectl create ing k6 --class nginx \
+            --rule test.ingress-nginx-controller.ga/*=k6:80
+          podName=`kubectl get po | grep -i k6 | awk '{print $1}'`
+          if [[ -z ${podName} ]] ; then
+            sleep 5
+          fi
+          kubectl wait pod --for condition=Ready $podName
+          kubectl get all,secrets,ing
+
+      - name: Tune OS
+        run : |
+          sudo sysctl -A 2>/dev/null | egrep -i "local_port_range|tw_reuse|tcp_timestamps"
+          sudo sh -c "ulimit"
+          sudo sysctl -w net.ipv4.ip_local_port_range="1024 65535"
+          sudo sysctl -w net.ipv4.tcp_tw_reuse=1
+          sudo sysctl -w net.ipv4.tcp_timestamps=1
+          sudo sh -c "ulimit "
+
+      - name: Run smoke test
+        run: |
+          vmstat -at 5 | tee vmstat_report &
+          #./k6 login cloud -t $K6_TOKEN
+          #./k6 run -o cloud ./smoketest.js
+          ./k6 run test/k6/smoketest.js
+          pkill vmstat
+          cat vmstat_report
--- a/.github/workflows/plugin.yaml
+++ b/.github/workflows/plugin.yaml
@ -0,0 +1,50 @@
+name: kubectl plugin
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: write # for goreleaser/goreleaser-action
+
+jobs:
+  release-plugin:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Get go version
+        run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV
+
+      - name: Set up Go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+          check-latest: true
+
+      - name: Run GoReleaser Snapshot
+        if: ${{ ! startsWith(github.ref, 'refs/tags/') }}
+        uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1
+        with:
+          version: "~> v2"
+          args: release --snapshot --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run GoReleaser
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1
+        with:
+          version: "~> v2"
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Update new version in krew-index
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        uses: rajatjindal/krew-release-bot@3d9faef30a82761d610544f62afddca00993eef9 # v0.0.47
+        with:
+          krew_template_file: cmd/plugin/krew.yaml
--- a/.github/workflows/project.yml
+++ b/.github/workflows/project.yml
@ -0,0 +1,19 @@
+name: Adds all issues
+
+on:
+  issues:
+    types:
+      - opened
+
+jobs:
+  add-to-project:
+    name: Add issue to project
+    runs-on: ubuntu-latest
+    permissions:
+      repository-projects: write
+      issues: write
+    steps:
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
+        with:
+          project-url: https://github.com/orgs/kubernetes/projects/104
+          github-token: ${{ secrets.PROJECT_WRITER }}
--- a/.github/workflows/release.txt
+++ b/.github/workflows/release.txt
@ -1,128 +0,0 @@
-name: Release
-
-on:
-  watch:
-    types: [started]
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    if: github.actor == 'aledbf'
-    steps:
-      - name: Checkout master
-        uses: actions/checkout@v1
-
-      - name: Set up Go 1.14
-        uses: actions/setup-go@master
-        with:
-          go-version: 1.14
-
-      - name: Build krew plugin
-        shell: bash
-        run: |
-          export PATH=${PATH}:`go env GOPATH`/bin
-          make build-plugin
-
-#      - name: Build and publish images
-#        shell: bash
-#        run: |
-#          cat <<EOF | > build/images/nginx/aws.tfvars
-#          access_key = "${{ secrets.AWS_ACCESS_KEY }}"
-#          secret_key = "${{ secrets.AWS_ACCESS_SECRET_KEY }}"
-#          EOF
-#
-#          cat <<EOF | > build/images/nginx/env.tfvars
-#          docker_username="${{ secrets.DOCKER_USERNAME }}"
-#          docker_password="${{ secrets.DOCKER_PASSWORD }}"
-#          EOF
-#
-#          ./build/build-ingress-controller.sh
-
-      - name: Create env variables
-        shell: bash
-        run: |
-          # $(cat cmd/plugin/release/ingress-nginx.yaml)
-          echo "::set-env name=RELEASE_VERSION::$(make show-version)"
-          echo "::set-env name=RELEASE_CHANGELOG::##CHANGELOG##"
-
-      - name: Create release
-        id: create_release
-        uses: actions/create-release@v1
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: controller-${{ env.RELEASE_VERSION }}
-          release_name: "NGINX: ${{ env.RELEASE_VERSION }}"
-          body: |
-            **Image:** `quay.io/kubernetes-ingress-controller/nginx-ingress-controller:${{ env.RELEASE_VERSION }}`
-
-            ${{ env.RELEASE_CHANGELOG }}
-
-            Complete changelog [here](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md)
-
-          draft: false
-          prerelease: false
-
-      - name: Upload krew plugin Darwin
-        uses: actions/upload-release-asset@v1
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: cmd/plugin/release/kubectl-ingress_nginx-darwin-amd64.tar.gz
-          asset_name: kubectl-ingress_nginx-darwin-amd64.tar.gz
-          asset_content_type: application/tar+gzip
-
-      - name: Upload krew plugin Linux
-        uses: actions/upload-release-asset@v1
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: cmd/plugin/release/kubectl-ingress_nginx-linux-amd64.tar.gz
-          asset_name: kubectl-ingress_nginx-linux-amd64.tar.gz
-          asset_content_type: application/tar+gzip
-
-      - name: Upload krew plugin Windows
-        uses: actions/upload-release-asset@v1
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: cmd/plugin/release/kubectl-ingress_nginx-windows-amd64.tar.gz
-          asset_name: kubectl-ingress_nginx-windows-amd64.tar.gz
-          asset_content_type: application/tar+gzip
-
-      - name: Upload krew plugin
-        uses: actions/upload-release-asset@v1
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/controller')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: cmd/plugin/release/ingress-nginx.yaml
-          asset_name: ingress-nginx.yaml
-          asset_content_type: text/x-yaml
-
-      - name: Create KREW_PLUGIN_BODY_PR env variable
-        shell: bash
-        run: |
-          echo "::set-env name=KREW_PLUGIN_BODY_PR::$(cat cmd/plugin/release/ingress-nginx.yaml)"
-
-#      - name: Open PR for new release of Krew Plugin
-#        uses: gha-utilities/init-pull-request@v0.1.2
-#        env:
-#          GITHUB_REPOSITORY: maintainer/repo-name
-#        with:
-#          verbose: true
-#          draft: false
-#          pull_request_token: ${{ secrets.GITHUB_TOKEN }}
-#          head: ingress-nginx:krew
-#          base: krew
-#          title: 'Update ingress-nginx krew plugin to ${{ env.RELEASE_VERSION }}'
-#          body: |
-#            ${{ env.KREW_PLUGIN_BODY_PR }}
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@ -0,0 +1,64 @@
+name: Scorecards supply-chain security
+
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    - cron: '20 11 * * 5'
+  push:
+    branches:
+      - "main"
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+      # Needs for private repositories.
+      contents: read
+      actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
+          # of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        with:
+          sarif_file: results.sarif
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@ -0,0 +1,24 @@
+name: 'Stale Issues and PRs'
+
+on:
+  schedule:
+    - cron: '30 1 * * *'
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+
+    permissions:
+      issues: write
+      pull-requests: write
+
+    steps:
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+        with:
+          stale-issue-message: "This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack."
+          stale-pr-message: "This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack."
+          stale-issue-label: lifecycle/frozen
+          stale-pr-label: lifecycle/frozen
+          days-before-issue-stale: 30
+          days-before-pr-stale: 45
+          days-before-close: -1  # dont not close issues/prs
--- a/.github/workflows/vulnerability-scans.yaml
+++ b/.github/workflows/vulnerability-scans.yaml
@ -0,0 +1,92 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Vulnerability Scan
+
+on:
+  workflow_dispatch:
+  release:
+  schedule:
+    - cron: '00 9 * * 1'
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  version:
+    runs-on: ubuntu-latest
+    outputs:
+      versions: ${{ steps.version.outputs.TAGS }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Latest Tag
+        id: version
+        shell: bash
+        run: |
+          readarray -t TAGS_ARRAY <<<"$(git tag --list 'controller-v*.*.*' --sort=-version:refname | grep -v 'beta\|alpha')"
+          FULL_TAGS=(${TAGS_ARRAY[0]} ${TAGS_ARRAY[1]} ${TAGS_ARRAY[2]})
+          SHORT_TAGS=()
+          for i in ${FULL_TAGS[@]}
+          do
+            echo "tag: $i"
+            short=$(echo "$i" | cut -d - -f 2)
+            SHORT_TAGS+=($short)
+          done
+          echo "${SHORT_TAGS[0]},${SHORT_TAGS[1]},${SHORT_TAGS[2]}"
+          TAGS_JSON="[\"${SHORT_TAGS[0]}\",\"${SHORT_TAGS[1]}\",\"${SHORT_TAGS[2]}\"]"
+          echo "${TAGS_JSON}"
+          echo "TAGS=${TAGS_JSON}" >> $GITHUB_OUTPUT
+
+  scan:
+    runs-on: ubuntu-latest
+    needs: version
+    strategy:
+      matrix:
+        versions: ${{ fromJSON(needs.version.outputs.versions) }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - shell: bash
+        id: test
+        run: echo "Scanning registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}"
+
+      - name: Scan image with AquaSec/Trivy
+        id: scan
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
+        with:
+          image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }}
+          format: 'sarif'
+          output: trivy-results-${{ matrix.versions }}.sarif
+          exit-code: 0
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
+
+      - name: Output Sarif File
+        shell: bash
+        run: cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
+
+      # This step checks out a copy of your repository.
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        with:
+          token: ${{ github.token }}
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
+
+      - name: Vulz Count
+        shell: bash
+        run: |
+          TRIVY_COUNT=$(cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif | jq '.runs[0].results | length')
+          echo "TRIVY_COUNT: $TRIVY_COUNT"
+          echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY
+          echo "Image ID: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Trivy Count: $TRIVY_COUNT" >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/zz-tmpl-images.yaml
+++ b/.github/workflows/zz-tmpl-images.yaml
@ -0,0 +1,81 @@
+#### THIS IS A TEMPLATE ####
+# This workflow is created to be a template for every time an e2e test is required,
+
+on:
+  workflow_call:
+    inputs:
+      name:
+        required: true
+        type: string
+      platforms-test:
+        type: string
+        default: linux/amd64
+      platforms-publish:
+        type: string
+        default: linux/amd64
+
+env:
+  PLATFORMS: ${{ inputs.platforms-test }}
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  changestag:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.filter.outputs.tag }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          filters: |
+            tag:
+              - 'images/**/TAG'
+
+  image-build:
+    name: Build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Build
+        run: |
+          cd images/ && make NAME=${{ inputs.name }} build
+
+  image-push:
+    name: Push
+    needs: changestag
+    if: |
+      (github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'kubernetes/ingress-nginx' && needs.changestag.outputs.tag == 'true')
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+    env:
+      PLATFORMS: ${{ inputs.platforms-publish }}
+    steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+    - name: Push
+      run: |
+          cd images/ && make REGISTRY=ingressnginx NAME=${{ inputs.name }} push
+
--- a/.github/workflows/zz-tmpl-k8s-e2e.yaml
+++ b/.github/workflows/zz-tmpl-k8s-e2e.yaml
@ -0,0 +1,57 @@
+#### THIS IS A TEMPLATE ####
+# This workflow is created to be a template for every time an e2e test is required,
+
+on:
+  workflow_call:
+    inputs:
+      k8s-version:
+        required: true
+        type: string
+      variation:
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  kubernetes:
+    name: Kubernetes ${{ inputs.variation }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: cache
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: docker.tar.gz
+
+      - name: Create Kubernetes ${{ inputs.k8s-version }} cluster
+        id: kind
+        run: |
+          kind create cluster --image=kindest/node:${{ inputs.k8s-version }} --config test/e2e/kind.yaml
+
+      - name: Load images from cache
+        run: |
+          echo "loading docker images..."
+          gzip -dc docker.tar.gz | docker load
+
+      - name: Run e2e tests ${{ inputs.variation }}
+        env:
+          KIND_CLUSTER_NAME: kind
+          SKIP_CLUSTER_CREATION: true
+          SKIP_INGRESS_IMAGE_CREATION: true
+          SKIP_E2E_IMAGE_CREATION: true
+          IS_CHROOT: ${{ inputs.variation == 'CHROOT' }}
+        run: |
+          kind get kubeconfig > $HOME/.kube/kind-config-kind
+          make kind-e2e-test
+
+      - name: Upload e2e junit-reports ${{ inputs.variation }}
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        if: success() || failure()
+        with:
+          name: e2e-test-reports-${{ inputs.k8s-version }}${{ inputs.variation }}
+          path: 'test/junitreports/report*.xml'
+
--- a/.gitignore
+++ b/.gitignore
@ -46,6 +46,7 @@ test/e2e/e2e\.test
 bin
 test/e2e-image/wait-for-nginx.sh
 .cache
+.modcache
 cover.out

 # secret terraform variables
@ -57,3 +58,6 @@ images/fastcgi-helloserver/rootfs/fastcgi-helloserver
 cmd/plugin/release/ingress-nginx.yaml
 cmd/plugin/release/*.tar.gz
 cmd/plugin/release/LICENSE
+tmp/
+test/junitreports/
+tests/__snapshot__
--- a/.golangci.yml
+++ b/.golangci.yml
@ -0,0 +1,236 @@
+run:
+  timeout: 10m
+  allow-parallel-runners: true
+
+issues:
+  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
+  max-issues-per-linter: 0
+
+  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
+  max-same-issues: 0
+linters:
+  disable-all: true
+  enable:
+    - asasalint
+    - asciicheck
+    - bidichk
+    - bodyclose
+    - contextcheck
+    - decorder
+    - dogsled
+    - dupl
+    - durationcheck
+    - errcheck
+    - errchkjson
+    - errname
+    - ginkgolinter
+    - gocheckcompilerdirectives
+    - goconst
+    - gocritic
+    - gocyclo
+    - godox
+    - gofmt
+    - gofumpt
+    - goheader
+    - goimports
+    - gomoddirectives
+    - gomodguard
+    - goprintffuncname
+    - gosec
+    - gosimple
+    - govet
+    - grouper
+    - importas
+    - ineffassign
+    - loggercheck
+    - makezero
+    - misspell
+    - musttag
+    - nakedret
+    - nolintlint
+    - nosprintfhostport
+    - prealloc
+    - predeclared
+    - promlinter
+    - reassign
+    - revive
+    - rowserrcheck
+    - sqlclosecheck
+    - staticcheck
+    - stylecheck
+    - tenv
+    - testableexamples
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - whitespace
+    # - containedctx
+    # - cyclop
+    # - dupword
+    # - errorlint
+    # - exhaustive
+    # - exhaustruct
+    # - exportloopref
+    # - forbidigo
+    # - forcetypeassert
+    # - funlen
+    # - gci
+    # - gochecknoglobals
+    # - gochecknoinits
+    # - gocognit
+    # - godot
+    # - goerr113
+    # - gomnd
+    # - interfacebloat
+    # - ireturn
+    # - lll
+    # - maintidx
+    # - nestif
+    # - nilerr
+    # - nilnil
+    # - nlreturn
+    # - noctx
+    # - nonamedreturns
+    # - paralleltest
+    # - tagliatelle
+    # - testpackage
+    # - thelper
+    # - tparallel
+    # - varnamelen
+    # - wastedassign
+    # - wrapcheck
+    # - wsl
+linters-settings:
+  gocyclo:
+    min-complexity: 40
+  godox:
+    keywords:
+      - BUG
+      - FIXME
+      - HACK
+  errcheck:
+    check-type-assertions: true
+    check-blank: true
+  gocritic:
+    enabled-checks:
+      # Diagnostic
+      - appendAssign
+      - argOrder
+      - badCall
+      - badCond
+      - badLock
+      - badRegexp
+      - badSorting
+      - builtinShadowDecl
+      - caseOrder
+      - codegenComment
+      - commentedOutCode
+      - deferInLoop
+      - deprecatedComment
+      - dupArg
+      - dupBranchBody
+      - dupCase
+      - dupSubExpr
+      - dynamicFmtString
+      - emptyDecl
+      - evalOrder
+      - exitAfterDefer
+      - externalErrorReassign
+      - filepathJoin
+      - flagDeref
+      - flagName
+      - mapKey
+      - nilValReturn
+      - offBy1
+      - regexpPattern
+      - returnAfterHttpError
+      - sloppyReassign
+      - sloppyTypeAssert
+      - sortSlice
+      - sprintfQuotedString
+      - sqlQuery
+      - syncMapLoadAndDelete
+      - truncateCmp
+      - unnecessaryDefer
+      - weakCond
+
+      # Performance
+      - appendCombine
+      - equalFold
+      - hugeParam
+      - indexAlloc
+      - preferDecodeRune
+      - preferFprint
+      - preferStringWriter
+      - preferWriteByte
+      - rangeExprCopy
+      - rangeValCopy
+      - sliceClear
+      - stringXbytes
+
+      # Style
+      - assignOp
+      - boolExprSimplify
+      - captLocal
+      - commentFormatting
+      - commentedOutImport
+      - defaultCaseOrder
+      - deferUnlambda
+      - docStub
+      - dupImport
+      - elseif
+      - emptyFallthrough
+      - emptyStringTest
+      - exposedSyncMutex
+      - hexLiteral
+      - httpNoBody
+      - ifElseChain
+      - methodExprCall
+      - newDeref
+      - octalLiteral
+      - preferFilepathJoin
+      - redundantSprint
+      - regexpMust
+      - regexpSimplify
+      - ruleguard
+      - singleCaseSwitch
+      - sloppyLen
+      - stringConcatSimplify
+      - stringsCompare
+      - switchTrue
+      - timeExprSimplify
+      - tooManyResultsChecker
+      - typeAssertChain
+      - typeDefFirst
+      - typeSwitchVar
+      - underef
+      - unlabelStmt
+      - unlambda
+      - unslice
+      - valSwap
+      - whyNoLint
+      - wrapperFunc
+      - yodaStyleExpr
+
+      # Opinionated
+      - builtinShadow
+      - importShadow
+      - initClause
+      - nestingReduce
+      - paramTypeCombine
+      - ptrToRefParam
+      - typeUnparen
+      - unnamedResult
+      - unnecessaryBlock
+  nolintlint:
+    # Enable to ensure that nolint directives are all used. Default is true.
+    allow-unused: false
+    # Exclude following linters from requiring an explanation.  Default is [].
+    allow-no-explanation: []
+    # Enable to require an explanation of nonzero length after each nolint directive. Default is false.
+    # TODO(lint): Enforce explanations for `nolint` directives
+    require-explanation: false
+    # Enable to require nolint directives to mention the specific linter being suppressed. Default is false.
+    require-specific: true
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -0,0 +1,29 @@
+project_name: ingress-nginx
+release:
+  github:
+    owner: kubernetes
+    name: ingress-nginx
+builds:
+  - id: ingress-nginx
+    goos:
+    - darwin
+    - linux
+    - windows
+    goarch:
+    - arm64
+    - amd64
+    env:
+    - CGO_ENABLED=0
+    - GO111MODULE=on
+    main: cmd/plugin/main.go
+    binary: kubectl-ingress-nginx
+    ldflags: |
+      -s -w
+      -X k8s.io/ingress-nginx/version.COMMIT={{ .Commit }}
+      -X k8s.io/ingress-nginx/version.RELEASE={{ .Tag }}
+archives:
+  - id: ingress-nginx
+    builds:
+    - ingress-nginx
+    name_template: "kubectl-{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
+    format: tar.gz
--- a/.luacheckrc
+++ b/.luacheckrc
@ -1,8 +1,6 @@
 std = 'ngx_lua'
-globals = {
-  '_TEST'
-}
-exclude_files = {'./rootfs/etc/nginx/lua/test/**/*.lua', './rootfs/etc/nginx/lua/plugins/**/test/**/*.lua'}
+max_line_length = 100
+exclude_files = {'./rootfs/etc/nginx/lua/test/**/*.lua'}
 files["rootfs/etc/nginx/lua/lua_ingress.lua"] = {
  ignore = { "122" },
  -- TODO(elvinefendi) figure out why this does not work
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -2,6 +2,8 @@

 Read the following guide if you're interested in contributing to Ingress. [Make Ingress-Nginx Work for you, and the Community](https://youtu.be/GDm-7BlmPPg) from KubeCon Europe 2018 is a great video to get you started!!

+Note that this guide refers to contributing to actual sources of the repository. If you interested in contributing through issue triaging, have a look at [this guide](./ISSUE_TRIAGE.md).
+
 ## Contributor License Agreements

 We'd love to accept your patches! Before we can take them, we have to jump a couple of legal hurdles.
@ -15,14 +17,16 @@ Follow either of the two links above to access the appropriate CLA and instructi

 ***NOTE***: Only original source code from you and other people that have signed the CLA can be accepted into the main repository.

-## Finding Things That Need Help
+## Finding Issues That Need Help

-If you're new to the project and want to help, but don't know where to start, we have a semi-curated list of issues that should not need deep knowledge of the system. [Have a look and see if anything sounds interesting](https://github.com/kubernetes/ingress-nginx/issues?utf8=%E2%9C%93&q=is%3Aopen%20is%3Aissue%20label%3A%22help+wanted%22). Alternatively, read some of the docs on other controllers and try to write your own, file and fix any/all issues that come up, including gaps in documentation!
+If you're new to the project and want to help, but don't know where to start, we have a semi-curated list of issues that should not need deep knowledge of the system. [Have a look and see if anything sounds interesting](https://github.com/kubernetes/ingress-nginx/issues?utf8=%E2%9C%93&q=is%3Aopen%20is%3Aissue%20label%3A%22help+wanted%22).
+
+Alternatively, search for the label [`triage-accepted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Atriage%2Faccepted+) if you have some experience with ingress-nginx. Note, that it could make sense to grab issues with higher priority first.

 ## Contributing a Patch

 1. If you haven't already done so, sign a Contributor License Agreement (see details above).
-1. Read the [Ingress development guide](docs/development.md).
+1. Read the [Ingress development guide](docs/developer-guide/getting-started.md).
 1. Fork the desired repo, develop and test your code changes.
 1. Submit a pull request.

@ -30,7 +34,9 @@ All changes must be code reviewed. Coding conventions and standards are explaine

 ### Merge Approval

-Ingress collaborators may add "LGTM" (Looks Good To Me) or an equivalent comment to indicate that a PR is acceptable. Any change requires at least one LGTM.  No pull requests can be merged until at least one Ingress collaborator signs off with an LGTM.
+Ingress Nginx collaborators may add "/lgtm" (Looks Good To Me) to indicate that a PR is acceptable. Any change requires at least one LGTM.  No pull requests can be merged until at least one Ingress Nginx collaborator signs off with an LGTM. Adding the "/lgtm" comment result in the prow bot adding the `lgtm` label. Note that a pull request still needs an `approve` label from one of the owners.
+
+Reviewers or members who want to become reviewers according to the [k8s membership ladder](https://github.com/kubernetes/community/blob/master/community-membership.md), could actively search for [pull requests that need a review](https://github.com/kubernetes/ingress-nginx/pulls?q=is%3Aopen+is%3Apr+label%3Atriage%2Faccepted).

 ## Support Channels

@ -41,3 +47,6 @@ Whether you are a user or contributor, official support channels include:
 - Post: [Kubernetes Forum](https://discuss.kubernetes.io)

 Before opening a new issue or submitting a new pull request, it's helpful to search the project - it's likely that another user has already reported the issue you're facing, or it's a known issue that we're already aware of.
+
+## New Contributor Tips
+If you're a new contributor, you can follow the [New Contributor Tips guide](NEW_CONTRIBUTOR.md)
--- a/Changelog.md
+++ b/Changelog.md
--- a/1
+++ b/1
@ -0,0 +1 @@
+1.23.6
--- a/ISSUE_TRIAGE.md
+++ b/ISSUE_TRIAGE.md
@ -0,0 +1,89 @@
+# Triage Process
+
+As any kind of contributor (triage, reviewer ...), always have in mind that if a user came to us and raised an issue, the user may have a real problem. We must assume that, and not the opposite (the user needs to prove to us that this is a bug). Keeping that in mind, **be nice with users, even if you don’t agree with them**
+
+Note that this guide refers to contributing through issue triaging. If you are interested in contributing to actual sources of the repository, see [this guide](./CONTRIBUTING.md). 
+
+## General Information 
+
+The triage process of the ingress-nginx maintainers is based on the [triage process guidelines](https://github.com/kubernetes/community/blob/master/contributors/guide/issue-triage.md) of the Kubernetes community  
+
+However the exact process of the ingress-nginx maintainers may differ in certain aspects. This doc gives a more precise overview on how the ingress-nginx maintainers approach the issue triage process and other processes that are related. 
+
+## Triage Flow (Issues)
+
+This section describes the different stages of the triage flow for issues.
+
+### Prepare Issues
+New issues come in with the labels `needs-triage` and `needs-priority` and one of: `kind/bug`, `kind/feature` or `kind/support`. Unfortunately there are also some legacy issues that only have a `kind/*` label but neither `needs-triage` nor `needs-priority` . However for every issue that does not have the `triage-accepted` label the following steps have to be done to prepare them for further processing:  
+
+* Filter for issues [without the `triage-accepted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+-label%3Atriage%2Faccepted+is%3Aissue) label.
+* Check if all necessary information are available. This is basically true, if people filled out the issue template correctly. If necessary information is missing, ask the author to add the missing information and add the label `triage/needs-information` if not already present. If already present, send the author a friendly reminder to add those. 
+* Check if the used versions of ingress-nginx and Kubernetes is supported. Note that [we only support n-3 versions](https://github.com/kubernetes/ingress-nginx#support-versions-table). If the version is not supported, ask the author to upgrade to newer versions and see if the error still persists. 
+* Read through the issue description and comments briefly to understand what the issue is about. Also check if the kind and area is correct, and adjust it if necessary. If the issue is understandable add the label `triage-accepted`.
+* If at any point you don't know how to proceed with an issue during the triage process, tag one of the [core maintainers](OWNERS_ALIASES) in the issue to raise attention or alternatively come to [this slack channel](https://kubernetes.slack.com/archives/C021E147ZA4) which may be the quicker way as people tend to miss github notifications. 
+
+Note: Issues that are stale for 90 days are being closed automatically. However we could be missing a bug here, so from time to time it makes sense to go over the closed ones and see if there is something important. Use [this filter](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aclosed+is%3Aissue+label%3Alifecycle%2Frotten+) to find those. 
+
+Who and When?
+* Basically everyone who wants to contribute can do the mentioned steps at any time.
+
+### Issue Prioritization
+For all issues, where all necessary information is available thus triage is accepted, we need to do some prioritization: 
+
+* Go through all issues with label [`triage-accepted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Atriage%2Faccepted+).  
+* Add appropriate priority label: `priority/backlog`, `priority/critical-urgent`, `priority/awaiting-more-evidence`, `priority/important-longterm`, `priority/important-soon` or `good first issue`
+
+Who and When? 
+* Basically every contributor should be able to do that.
+* Tricky/important ones could be brought up during community meetings
+
+## Triage Flow (Pull Requests)
+
+This section describes the different stages of the triage flow for pull requests.
+
+### Prepare Pull Requests
+Pull requests come in with the labels `needs-triage`, `needs-priority` and `needs-kind` and one that indicates the size(`size/*`). Unfortunately there are also some legacy pull requests that only have a `size/*` label but neither `needs-triage` nor `needs-priority` . However for every pull request that does not have the `triage-accepted` label the following steps should be done to prepare them for further processing:   
+
+* Filter for pull requests [without the `triage-accepted`](https://github.com/kubernetes/ingress-nginx/pulls?q=is%3Aopen+-label%3Atriage%2Faccepted+is%3Apr) label.
+* Check if the cla is signed and all necessary information are available. This is basically true, if people filled out the pull request template correctly. If everything is fine add the `triage-accepted` label.
+* If at any point you don't know how to proceed with an issue during the triage process, tag one of the [core maintainers](OWNERS_ALIASES) in the issue to raise attention or alternatively come to [this slack channel](https://kubernetes.slack.com/archives/C021E147ZA4) which may be the quicker way as people tend to miss github notifications. 
+
+Who and When?
+* Basically everyone who wants to contribute can do the mentioned steps at any time.
+
+### Pull Request Prioritization
+For all pull requests, where all necessary information is available and cla is signed thus triage is accepted, we need to do some prioritization: 
+
+* Go through all pull requests with label [`triage-accepted`](https://github.com/kubernetes/ingress-nginx/pulls?q=is%3Aopen+is%3Apr+label%3Atriage%2Faccepted).  
+* Sync the `kind/*` and `priority/*` label from the linked issue for the pull request. If the pull request does not have any issue associated (which normally should not be the case), add an appropriate priority and kind label (one of: `priority/backlog`, `priority/critical-urgent`, `priority/important-longterm`, `priority/important-soon`) 
+
+Who and When? 
+* Basically every contributor should be able to do that.
+* Tricky/important ones could be brought up during community meetings
+
+## Labels 
+Labels are helpful for issues or pull requests to indicate in which lifecycle state they are currently and to categorize them. This section describes the most important ones with the additional info about how to add those. A complete label list of the Kubernetes community can be found [here](https://github.com/kubernetes/kubernetes/labels) while a complete label list for this project can be found [here](https://github.com/kubernetes/ingress-nginx/labels). However, here the most important ones: 
+
+* Triage:
+  * [`needs-triage`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Aneeds-triage): Indicates that the issue or pull request needs triage. Automatically added. 
+  * [`triage/accepted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Atriage%2Faccepted+is%3Aissue+): Indicates that the issue is ready for further processing. Add with `/triage accepted`.
+  * [`triage/needs-information`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Atriage%2Fneeds-information+is%3Aissue+): Indicates that the issue lacks information. Add with `/triage needs-information`.
+* Kind: 
+  * [`kind/bug`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Akind%2Fbug+is%3Aissue): Indicates that the issue is assumed to be a bug. Add with `/kind bug`. Remove with `/remove-kind bug`.
+  * [`kind/feature`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Akind%2Ffeature+is%3Aissue+): Indicates that the issue is a feature request. Add with `/kind feature`. Remove with `/remove-kind feature`.
+  * [`kind/documentation`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Akind%2Fdocumentation+is%3Aissue+): Indicates that the issue is documentation related. Add with `/kind documentation`. Remove with `/remove-kind documentation`.
+  * [`kind/support`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Akind%2Fsupport+is%3Aissue+): Indicates the the issue is a support request. Add with `/kind support`. Remove with `/remove-kind support`.
+* Area: 
+  * [`area/helm`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Aarea%2Fhelm+is%3Aissue+): Indicates that the issue is related to helm charts. Add with `/area helm`.
+  * [`area/lua`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Aarea%2Flua+is%3Aissue+): Indicates that the issue is related to lua. Add with `/area lua`.
+  * [`area/docs`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Aarea%2Fdocs+is%3Aissue): Indicates that the issue is related to documentation. Add with `/area docs` .
+* Priority: 
+  * [`needs-priority`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3Aneeds-priority): Indicates that the issue has no prioritization yet. Automatically added.
+  * [`priority/critical-urgent`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Apriority%2Fcritical-urgent+is%3Aissue+): indicates that the issue has highest priority. Add with `/priority critical-urgent`.
+  * [`priority/important-soon`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Apriority%2Fimportant-soon+is%3Aissue+): indicates that the issue should be worked on either currently soon, ideally in time for the next release. Add with `/priority important-soon`.
+  * [`priority/important-longterm`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Apriority%2Fimportant-longterm+is%3Aissue+): indicates that the issue is not important for now, but should be worked on in one of the upcoming releases. Add with `/priority important-longterm`.
+  * [`priority/backlog`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+label%3Apriority%2Fbacklog+is%3Aissue+): Indicates that the issue has the lowest priority. Add with `/priority backlog`.
+* Other: 
+  * [`help wanted`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22): indicates that the issue needs help from a contributor. Add with `/help`.
+  * [`good first issue`](https://github.com/kubernetes/ingress-nginx/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22): indicates that the issue needs help from a contributor and is a good first issue for new contributors. Add with `/good-first-issue`.
--- a/MANUAL_RELEASE.md
+++ b/MANUAL_RELEASE.md
@ -0,0 +1,300 @@
+# RELEASE PROCESS
+
+## 1. BUILD the new Ingress-Nginx-Controller image
+
+### a. Make changes in codebase
+
+- Make changes as per issue
+
+### b. Make changes to appropriate files in [images directory ](images)
+
+- Make changes in /images
+
+### c. Create Pull Request
+
+- Open a Pull Request for your changes considering the following steps to fire cloudbuild of a new image for the Ingress-Nginx-Controller:
+
+  - In case of rare CVE fix or other reason to rebuild the nginx-base-image itself, look at the /images directory  [NGINX Base Image](https://github.com/kubernetes/ingress-nginx/tree/main/images/nginx).
+
+  - Example [NGINX_VERSION](images/nginx/rootfs/build.sh#L21), [SHA256](images/nginx/rootfs/build.sh#L124).
+
+  - If you are updating any component in [build.sh](images/nginx/rootfs/build.sh) please also update the SHA256 checksum of that component as well, the cloud build will fail with an exit 10 if not.
+
+### d. Merge
+
+- Merging will fire cloudbuild, which will result in images being promoted to the [staging container registry](https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx).
+
+### e. Make sure cloudbuild is a success
+
+- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build.
+
+- Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image.
+
+
+## 2. If applicable, BUILD other images
+
+- If applicable, then build a new image of any other related component, ONLY IF APPLICABLE TO THE RELEASE
+
+### a. If applicable then make changes in relevant codebase
+
+- Change code as per issue
+
+### b. Make changes to appropriate files in [images directory ](images)
+
+- Sometimes, you may also be needing to rebuild, images for one or multiple other related components of the Ingress-Nginx-Controller ecosystem. Make changes to the required files in the /images directory, if/as applicable, in the context of the release you are attempting.  :
+
+  - [e2e](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e-image)
+
+    - Update references to e2e-test-runner image [If applicable] :
+
+      - [e2e-image](https://github.com/kubernetes/ingress-nginx/blob/main/test/e2e-image/Dockerfile#L1)
+      - [run-in-docker.sh](https://github.com/kubernetes/ingress-nginx/blob/main/build/run-in-docker.sh#L37)
+
+  - [test-runner](https://github.com/kubernetes/ingress-nginx/tree/main/images/test-runner)
+
+  - [echo](https://github.com/kubernetes/ingress-nginx/tree/main/images/echo)
+
+  - [cfssl](https://github.com/kubernetes/ingress-nginx/tree/main/images/cfssl)
+
+  - [fastcgi-helloserver](https://github.com/kubernetes/ingress-nginx/tree/main/images/fastcgi-helloserver)
+
+  - [httpbin](https://github.com/kubernetes/ingress-nginx/tree/main/images/httpbin)
+
+  - [kube-webhook-certgen](https://github.com/kubernetes/ingress-nginx/tree/main/images/kube-webhook-certgen)
+
+### c. Create PR
+
+- Open pull request(s) accordingly, to fire cloudbuild for rebuilding the component's image (if applicable).
+
+### d. Merge
+
+- Merging will fire cloudbuild, which will result in images being promoted to the [staging container registry](https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx).
+
+### e. Make sure cloudbuild is a success
+
+- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build.
+
+- Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image.
+
+
+## 3. PROMOTE the Image(s):
+
+Promoting the images basically means that images, that were pushed to staging container registry in the steps above, now are also pushed to the public container registry. Thus are publicly available. Follow these steps to promote images:
+
+### a. Get the sha
+
+- Get the sha of the new image(s) of the controller, (and any other component image IF APPLICABLE to release), from the cloudbuild, from steps above
+
+  - The sha is available in output from [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx)
+
+  - The sha is also visible here https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx/global/controller
+
+  - The sha is also visible [here](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), after cloud build is finished. Click on the respective job, go to `Artifacts` section in the UI, then again `artifacts` in the directory browser. In the `build.log` at the very bottom you see something like this:
+
+  ```
+  ...
+  pushing manifest for us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx/controller:v1.0.2@sha256:e15fac6e8474d77e1f017edc33d804ce72a184e3c0a30963b2a0d7f0b89f6b16
+  ...
+  ```
+
+### b. Add the new image to [k8s.io](http://github.com/kubernetes/k8s.io)
+
+- The sha(s) from the step before (and the tag(s) for the new image(s) have to be added, as a new line, in a file, of the [k8s.io](http://github.com/kubernetes/k8s.io) project of Kubernetes organization.
+
+- Fork that other project (if you don't have a fork already).
+
+- Other project to fork  [GitHub repo kubernetes/k8s.io](http://github.com/kubernetes/k8s.io)
+
+- Fetch --all and rebase to upstream if already forked.
+
+- Create a branch in your fork, named as the issue number for this release
+
+- In the related branch, of your fork, edit the file /registry.k8s.io/images/k8s-staging-ingress-nginx/images.yaml.
+
+- For making, it easier, you can edit your branch directly in the browser. But be careful about making any mistake.
+
+- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/registry.k8s.io/images/k8s-staging-ingress-nginx/images.yaml)  Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before
+
+- Save and commit
+
+### c. Create PR
+
+- Open pull request to promote the new controller image.
+
+### d. Merge
+
+- Merge success is required for next step
+
+- Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image.
+
+
+## 4. PREPARE for a new Release
+
+- Make sure to get the tag and sha of the promoted image from the step before, either from cloudbuild or from [here](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/ingress-nginx/controller).
+
+- This involves editing of several files. So carefully follow the steps below and double check all changes with diff/grep etc., repeatedly. Mistakes here impact endusers.
+
+### a. Make sure your git workspace is ready
+
+- Get your git workspace ready
+
+  - If not using a pre-existing fork, then Fork the repo kubernetes/ingress-nginx
+
+  - Clone (to laptop or wherever)
+
+  - Add upstream
+
+  - Set upstream url to no_push
+
+  - Checkout & switch to branch, named as per related new-release-issue-number
+
+  - If already forked, and upstream already added, then `git fetch --all` and `git rebase upstream/main` (not  origin)
+
+  - Checkout a branch in your fork's clone
+
+  - Perform any other diligence as needed
+
+- Prefer to edit only and only in your branch, in your Fork
+
+### b. Edit the semver tag
+  - [TAG](https://github.com/kubernetes/ingress-nginx/blob/main/TAG#L1)
+
+### c. Edit the helm Chart
+  - Change the below-mentioned [Fields in Chart.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/Chart.yaml)
+    - version
+    - appVersion
+    - kubeVersion (**ONLY if applicable**)
+    - annotations
+      - artifacthub.io/prerelease: "true"
+      - artifacthub.io/changes: |
+        - Replace this line and other lines under this annotation with the Changelog. One process to generate the Changelog is described below
+          - Install and configure GitHub cli as per the docs of gh-cli  https://cli.github.com/,
+          - Change dir to your clone, of your fork, of the ingress-nginx project
+          - Run the below command and save the output to a txt file
+
+            ```
+            gh pr list -R kubernetes/ingress-nginx -s merged -L 38 -B main | cut -f1,2 | tee ~/Downloads/prlist.txt
+            ```
+            - The -L 38 was used for 2 reasons.
+              - Default number of results is 30 and there were more than 30 PRs merged while releasing v1.1.1. If you see the current/soon-to-be-old changelog, you can look at the most recent PR number that has been accounted for already, and start from after that last accounted for PR.
+              -  The other reason to use -L 38 was to omit the 39th, the 40th and the 41st line in the resulting list. These were non-relevant PRs.
+            - If you save the output of above command to a file called prlist.txt. It looks somewhat like this ;
+
+              ```
+              % cat ~/Downloads/prlist.txt
+              8129    fix syntax in docs for multi-tls example
+              8120    Update go in runner and release v1.1.1
+              8119    Update to go v1.17.6
+              8118    Remove deprecated libraries, update other libs
+              8117    Fix codegen errors
+              8115    chart/ghaction: set the correct permission to have access to push a release
+              ....
+              ```
+              You can delete the lines, that refer to PRs of the release process itself. We only need to list the feature/bugfix PRs. You can also delete the lines that are housekeeping or not really worth mentioning in the changelog.
+          -  you use some easy automation in bash/python/other, to get the PR-List that can be used in the changelog. For example, it's possible to use a bash scripty way, seen below, to convert those plaintext PR numbers into clickable links.
+
+            ```
+            #!/usr/bin/bash
+
+            file="$1"
+
+            while read -r line; do
+              pr_num=`echo "$line" | cut -f1`
+              pr_title=`echo "$line" | cut -f2`
+              echo "[$pr_num](https://github.com/kubernetes/ingress-nginx/pull/$pr_num) $pr_title"
+            done <$file
+
+            ```
+          - There was a parsing issue and path issue on MacOS, so above script had to be modified and MacOS monterey compatible script is below ;
+
+            ```
+            #!/bin/bash
+
+            file="$1"
+
+            while read -r line; do
+              pr_num=`echo "$line" | cut -f1`
+              pr_title=`echo "$line" | cut -f2`
+              echo \""[$pr_num](https://github.com/kubernetes/ingress-nginx/pull/$pr_num) $pr_title"\"
+            done <$file
+
+            ```
+          - If you saved the bash script content above, in a file like `$HOME/bin/prlist_to_changelog.sh`, then you could execute a command like this to get your prlist in a text file called changelog_content.txt;`
+
+          ```
+          prlist_to_changelog.sh ~/Downloads/prlist.txt | tee ~/Downloads//changelog_content.txt
+          ```
+
+### d. Edit the values.yaml and run helm-docs
+
+  - [Fields to edit in values.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml)
+
+    - tag
+    - digest
+
+  - [helm-docs](https://github.com/norwoodj/helm-docs) is a tool that generates the README.md for a Helm chart automatically. In the CI pipeline workflow of GitHub actions (.github/workflows/ci.yaml), you can see how helm-docs is used. The CI pipeline is not designed to make commits back into the project, so we need to run helm-docs manually and commit the resulting generated README.md. You can obtain a recent version of the helm-docs binary here: https://github.com/norwoodj/helm-docs/releases.
+    ```
+    helm-docs --chart-search-root charts
+    git diff charts/ingress-nginx/README.md
+    ```
+    Take care of not leaving the helm-docs executable in your clone workspace or not committing the new README.md.
+
+### e. Edit the static manifests
+
+  - Prepare to use a script to update the edit the static manifests and set the "image", "digest", "version" etc. fields to the desired value.
+
+  - This script depends on kustomize and helm. The versions are pinned in `hack/.tool-versions` and you can use [asdf](https://github.com/asdf-vm/asdf#asdf) to install them
+
+  - Execute the script to update static manifests using that script [hack/generate-deploy-scripts.sh](https://github.com/kubernetes/ingress-nginx/blob/main/hack/generate-deploy-scripts.sh)
+  - Open some of the manifests and check if the script worked properly
+
+  - Use `grep -ir image: | less` on the deploy directory, to view for any misses by the script on image digest value or other undesired changes. The script should properly set the image and the digest fields to the desired tag and semver
+
+
+### f. Edit the changelog
+
+  [Changelog.md](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md)
+- Each time a release is made, a new section is added to the Changelog.md file
+- A new section in the Changelog.md file consists of 3 components listed below
+  - the "Image"
+  - the "Description"
+  - the "PRs list"
+- Look at the previous content to understand what the 3 components look like.
+- You can easily get the "Image" from a yaml manifest but be sure to look at a manifest in your git clone now and not the upstream on github. This is because, if you are following this documentation, then you generated manifests with new updated digest for the image, in step 4e above. You also most likely promoted the new image in a step above. Look at the previous release section in Changelog.md. The format looks like `registry.k8s.io/ingress-nginx/controller:.......`. One example of a yaml file to look at is /deploy/static/provider/baremetal/deploy.yaml (in your git clone branch and not on the upstream).
+- Next, you need to have a good overview of the changes introduced in this release and based on that you write a description. Look at previous descriptions. Ask the ingress-nginx-dev channel if required.
+- And then you need to add a list of the PRs merged, since the previous release.
+- One process to generate this list of PRs is already described above in step 4c. So if you are following this document, then you have done this already and very likely have retained the file containing the list of PRs, in the format that is needed.
+
+### g. Edit the Documentation:
+
+- Update the version in [docs/deploy/index.md](docs/deploy/index.md)
+- Update Supported versions in the Support Versions table in the README.md
+- Execute the script to update e2e docs [hack/generate-e2e-suite-doc.sh](https://github.com/kubernetes/ingress-nginx/blob/main/hack/generate-e2e-suite-doc.sh)
+
+### h. Update README.md
+
+- Update the table in README.md in the root of the project to reflect the support matrix. Add the new release version and details in there.
+
+## 5. RELEASE new version
+
+### a. Create PR
+
+- Open PR for releasing the new version of the Ingress-Nginx-Controller ;
+  - Look at this PR for how it was done before [example PR](https://github.com/kubernetes/ingress-nginx/pull/7490)
+  - Create a PR
+
+### b. Merge
+
+- Merge should produce manifests as well as chart
+- Check
+ - `helm repo update`
+ - `helm search repo ingress-nginx`
+
+## 6. GitHub release
+
+- Release to github
+
+- Edit the ghpages file as needed
+
+## TODO
+- Automate & simplify as much as possible, whenever possible, however possible
--- a/320
+++ b/320
@ -27,29 +27,24 @@ endif
 SHELL=/bin/bash -o pipefail -o errexit

 # Use the 0.0 tag for testing, it shouldn't clobber any release builds
-TAG ?= 0.31.1
+TAG ?= $(shell cat TAG)

-# Use docker to run makefile tasks
-USE_DOCKER ?= true
-
-# Disable run docker tasks if running in prow.
-# only checks the existence of the variable, not the value.
-ifdef DIND_TASKS
-USE_DOCKER=false
-endif
+# The env below is called GO_VERSION and not GOLANG_VERSION because 
+# the gcb image we use to build already defines GOLANG_VERSION and is a 
+# really old version
+GO_VERSION ?= $(shell cat GOLANG_VERSION)

 # e2e settings
 # Allow limiting the scope of the e2e tests. By default run everything
-FOCUS ?= .*
+FOCUS ?=
 # number of parallel test
-E2E_NODES ?= 14
-# slow test only if takes > 50s
-SLOW_E2E_THRESHOLD ?= 50
+E2E_NODES ?= 7
 # run e2e test suite with tests that check for memory leaks? (default is false)
 E2E_CHECK_LEAKS ?=

 REPO_INFO ?= $(shell git config --get remote.origin.url)
-GIT_COMMIT ?= git-$(shell git rev-parse --short HEAD)
+COMMIT_SHA ?= git-$(shell git rev-parse --short HEAD)
+BUILD_ID ?= "UNSET"

 PKG = k8s.io/ingress-nginx

@ -59,244 +54,229 @@ ifeq ($(ARCH),)
    $(error mandatory variable ARCH is empty, either set it when calling the command or make sure 'go env GOARCH' works)
 endif

-REGISTRY ?= quay.io/kubernetes-ingress-controller
+ifneq ($(PLATFORM),)
+	PLATFORM_FLAG="--platform"
+endif

-BASE_IMAGE ?= quay.io/kubernetes-ingress-controller/nginx
-BASE_TAG ?= 5d67794f4fbf38ec6575476de46201b068eabf87
+REGISTRY ?= us-central1-docker.pkg.dev/k8s-staging-images/ingress-nginx
+
+BASE_IMAGE ?= $(shell cat NGINX_BASE)

 GOARCH=$(ARCH)
-GOBUILD_FLAGS := -v
-
-# use vendor directory instead of go modules https://github.com/golang/go/wiki/Modules
-GO111MODULE=off
-
-TEMP_DIR := $(shell mktemp -d)
-DOCKERFILE := $(TEMP_DIR)/rootfs/Dockerfile

 help:  ## Display this help
-	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
-
-# internal task
-.PHONY: sub-container-%
-sub-container-%:
-	$(MAKE) ARCH=$* build container
-
-# internal task
-.PHONY: sub-push-%
-sub-push-%: ## Publish image for a particular arch.
-	$(MAKE) ARCH=$* push
-
-.PHONY: container
-container: clean-container .container-$(ARCH) ## Build image for a particular arch.
-
-# internal task to build image for a particular arch.
-.PHONY: .container-$(ARCH)
-.container-$(ARCH): init-docker-buildx
-	mkdir -p $(TEMP_DIR)/rootfs
-	cp bin/$(ARCH)/nginx-ingress-controller $(TEMP_DIR)/rootfs/nginx-ingress-controller
-	cp bin/$(ARCH)/dbg $(TEMP_DIR)/rootfs/dbg
-	cp bin/$(ARCH)/wait-shutdown $(TEMP_DIR)/rootfs/wait-shutdown
-
-	cp -RP rootfs/* $(TEMP_DIR)/rootfs
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z0-9_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)

+.PHONY: image
+image: clean-image ## Build image for a particular arch.
 	echo "Building docker image ($(ARCH))..."
-	# buildx assumes images are multi-arch
-	docker buildx build \
-		--pull \
-		--load \
+	docker build \
+		${PLATFORM_FLAG} ${PLATFORM} \
 		--no-cache \
-		--progress plain \
-		--platform linux/$(ARCH) \
-		--build-arg BASE_IMAGE="$(BASE_IMAGE)-$(ARCH):$(BASE_TAG)" \
+		--build-arg BASE_IMAGE="$(BASE_IMAGE)" \
 		--build-arg VERSION="$(TAG)" \
-		-t $(REGISTRY)/nginx-ingress-controller-${ARCH}:$(TAG) $(TEMP_DIR)/rootfs
+		--build-arg TARGETARCH="$(ARCH)" \
+		--build-arg COMMIT_SHA="$(COMMIT_SHA)" \
+		--build-arg BUILD_ID="$(BUILD_ID)" \
+		-t $(REGISTRY)/controller:$(TAG) rootfs

-.PHONY: clean-container
-clean-container: ## Removes local image
-	echo "removing old image $(BASE_IMAGE)-$(ARCH):$(TAG)"
-	@docker rmi -f $(BASE_IMAGE)-$(ARCH):$(TAG) || true
+.PHONY: gosec
+gosec:
+	docker run --rm -it -w /source/ -v "$(pwd)"/:/source securego/gosec:2.11.0 -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/  -exclude-dir=docs/ /source/...

-.PHONY: push
-push: .push-$(ARCH) ## Publish image for a particular arch.
+.PHONY: image-chroot
+image-chroot: clean-chroot-image ## Build image for a particular arch.
+	echo "Building docker image ($(ARCH))..."
+	docker build \
+		--no-cache \
+		--build-arg BASE_IMAGE="$(BASE_IMAGE)" \
+		--build-arg VERSION="$(TAG)" \
+		--build-arg TARGETARCH="$(ARCH)" \
+		--build-arg COMMIT_SHA="$(COMMIT_SHA)" \
+		--build-arg BUILD_ID="$(BUILD_ID)" \
+		-t $(REGISTRY)/controller-chroot:$(TAG) rootfs -f rootfs/Dockerfile-chroot

-# internal task
-.PHONY: .push-$(ARCH)
-.push-$(ARCH):
-	docker push $(REGISTRY)/nginx-ingress-controller-${ARCH}:$(TAG)
+.PHONY: clean-image
+clean-image: ## Removes local image
+	echo "removing old image $(REGISTRY)/controller:$(TAG)"
+	@docker rmi -f $(REGISTRY)/controller:$(TAG) || true
+
+
+.PHONY: clean-chroot-image
+clean-chroot-image: ## Removes local image
+	echo "removing old image $(REGISTRY)/controller-chroot:$(TAG)"
+	@docker rmi -f $(REGISTRY)/controller-chroot:$(TAG) || true

-.PHONY: push-manifest
-push-manifest:
-	docker manifest create $(REGISTRY)/nginx-ingress-controller:$(TAG) \
-		$(REGISTRY)/nginx-ingress-controller-amd64:$(TAG) \
-		$(REGISTRY)/nginx-ingress-controller-arm:$(TAG) \
-		$(REGISTRY)/nginx-ingress-controller-arm64:$(TAG)
-	docker manifest push --purge $(REGISTRY)/nginx-ingress-controller:$(TAG)

 .PHONY: build
-build: check-go-version ## Build ingress controller, debug tool and pre-stop hook.
-ifeq ($(USE_DOCKER), true)
-	@build/run-in-docker.sh \
+build:  ## Build ingress controller, debug tool and pre-stop hook.
+	E2E_IMAGE=golang:$(GO_VERSION)-alpine3.21 USE_SHELL=/bin/sh build/run-in-docker.sh \
+		MAC_OS=$(MAC_OS) \
 		PKG=$(PKG) \
 		ARCH=$(ARCH) \
-		GIT_COMMIT=$(GIT_COMMIT) \
+		COMMIT_SHA=$(COMMIT_SHA) \
 		REPO_INFO=$(REPO_INFO) \
 		TAG=$(TAG) \
-		GOBUILD_FLAGS=$(GOBUILD_FLAGS) \
 		build/build.sh
-else
-	@build/build.sh
-endif

-.PHONY: build-plugin
-build-plugin: check-go-version ## Build ingress-nginx krew plugin.
-ifeq ($(USE_DOCKER), true)
-	@build/run-in-docker.sh \
-		PKG=$(PKG) \
-		ARCH=$(ARCH) \
-		GIT_COMMIT=$(GIT_COMMIT) \
-		REPO_INFO=$(REPO_INFO) \
-		TAG=$(TAG) \
-		GOBUILD_FLAGS=$(GOBUILD_FLAGS) \
-		build/build-plugin.sh
-else
-	@build/build-plugin.sh
-endif

 .PHONY: clean
 clean: ## Remove .gocache directory.
 	rm -rf bin/ .gocache/ .cache/

+.PHONY: verify-docs
+verify-docs: ## Verify doc generation
+	hack/verify-annotation-docs.sh
+
 .PHONY: static-check
 static-check: ## Run verification script for boilerplate, codegen, gofmt, golint, lualint and chart-lint.
-ifeq ($(USE_DOCKER), true)
 	@build/run-in-docker.sh \
+	    MAC_OS=$(MAC_OS) \
 		hack/verify-all.sh
-else
-	@hack/verify-all.sh
-endif
+
+.PHONY: golint-check
+golint-check:
+	@build/run-in-docker.sh \
+	    MAC_OS=$(MAC_OS) \
+		hack/verify-golint.sh
+
+###############################
+# Tests for ingress-nginx
+###############################

 .PHONY: test
-test: check-go-version ## Run go unit tests.
-ifeq ($(USE_DOCKER), true)
+test:  ## Run go unit tests.
 	@build/run-in-docker.sh \
 		PKG=$(PKG) \
+		MAC_OS=$(MAC_OS) \
 		ARCH=$(ARCH) \
-		GIT_COMMIT=$(GIT_COMMIT) \
+		COMMIT_SHA=$(COMMIT_SHA) \
 		REPO_INFO=$(REPO_INFO) \
 		TAG=$(TAG) \
-		GOBUILD_FLAGS=$(GOBUILD_FLAGS) \
-		build/test.sh
-else
-	@build/test.sh
-endif
+		GOFLAGS="-buildvcs=false" \
+		test/test.sh

 .PHONY: lua-test
 lua-test: ## Run lua unit tests.
-ifeq ($(USE_DOCKER), true)
 	@build/run-in-docker.sh \
-		BUSTED_ARGS=$(BUSTED_ARGS) \
-		build/test-lua.sh
-else
-	@build/test-lua.sh
-endif
+		MAC_OS=$(MAC_OS) \
+		test/test-lua.sh

 .PHONY: e2e-test
-e2e-test: check-go-version ## Run e2e tests (expects access to a working Kubernetes cluster).
-	@build/run-e2e-suite.sh
+e2e-test:  ## Run e2e tests (expects access to a working Kubernetes cluster).
+	@test/e2e/run-e2e-suite.sh

-.PHONY: e2e-test-image
-e2e-test-image: ## Build image for e2e tests.
-	@make -C test/e2e-image
+.PHONY: kind-e2e-test
+kind-e2e-test:  ## Run e2e tests using kind.
+	@test/e2e/run-kind-e2e.sh
+
+.PHONY: kind-e2e-chart-tests
+kind-e2e-chart-tests: ## Run helm chart e2e tests
+	@test/e2e/run-chart-test.sh

 .PHONY: e2e-test-binary
-e2e-test-binary: check-go-version ## Build ginkgo binary for e2e tests.
-ifeq ($(USE_DOCKER), true)
+e2e-test-binary:  ## Build binary for e2e tests.
 	@build/run-in-docker.sh \
+		MAC_OS=$(MAC_OS) \
 		ginkgo build ./test/e2e
-else
-	@ginkgo build ./test/e2e
-endif

 .PHONY: print-e2e-suite
 print-e2e-suite: e2e-test-binary ## Prints information about the suite of e2e tests.
 	@build/run-in-docker.sh \
+		MAC_OS=$(MAC_OS) \
 		hack/print-e2e-suite.sh

-.PHONY: cover
-cover: check-go-version ## Run go coverage unit tests.
-	@build/cover.sh
-	echo "Uploading coverage results..."
-	@curl -s https://codecov.io/bash | bash
-
 .PHONY: vet
 vet:
 	@go vet $(shell go list ${PKG}/internal/... | grep -v vendor)

 .PHONY: check_dead_links
 check_dead_links: ## Check if the documentation contains dead links.
-	@docker run -t \
-	  -v $$PWD:/tmp aledbf/awesome_bot:0.1 \
+	@docker run ${PLATFORM_FLAG} ${PLATFORM} -t \
+	  -w /tmp \
+	  -v $$PWD:/tmp dkhamsing/awesome_bot:1.20.0 \
 	  --allow-dupe \
-	  --allow-redirect $(shell find $$PWD -mindepth 1 -name "*.md" -printf '%P\n' | grep -v vendor | grep -v Changelog.md)
-
-.PHONY: dep-ensure
-dep-ensure: check-go-version ## Update and vendo go dependencies.
-	GO111MODULE=on go mod tidy -v
-	find vendor -name '*_test.go' -delete
-	GO111MODULE=on go mod vendor
+	  --allow-redirect $(shell find $$PWD -mindepth 1 -name vendor -prune -o -name .modcache -prune -o -iname Changelog.md -prune -o -name "*.md" | sed -e "s#$$PWD/##")

 .PHONY: dev-env
-dev-env: check-go-version ## Starts a local Kubernetes cluster using kind, building and deploying the ingress controller.
+dev-env:  ## Starts a local Kubernetes cluster using kind, building and deploying the ingress controller.
 	@build/dev-env.sh

 .PHONY: dev-env-stop
 dev-env-stop: ## Deletes local Kubernetes cluster created by kind.
 	@kind delete cluster --name ingress-nginx-dev

+
+
 .PHONY: live-docs
-live-docs: ## Build and launch a local copy of the documentation website in http://localhost:3000
-	@docker run --rm -it -p 8000:8000 -v ${PWD}:/docs squidfunk/mkdocs-material:5.1.0
+live-docs: ## Build and launch a local copy of the documentation website in http://localhost:8000
+	@docker build ${PLATFORM_FLAG} ${PLATFORM} \
+                  		--no-cache \
+                  		 -t ingress-nginx-docs .github/actions/mkdocs
+	@docker run ${PLATFORM_FLAG} ${PLATFORM} --rm -it \
+		-p 8000:8000 \
+		-v ${PWD}:/docs \
+		--entrypoint /bin/bash   \
+		ingress-nginx-docs \
+		-c "pip install -r /docs/docs/requirements.txt && mkdocs serve --dev-addr=0.0.0.0:8000"

 .PHONY: misspell
-misspell: check-go-version ## Check for spelling errors.
-	@go get github.com/client9/misspell/cmd/misspell
+misspell:  ## Check for spelling errors.
+	@go install github.com/client9/misspell/cmd/misspell@latest
 	misspell \
 		-locale US \
 		-error \
 		cmd/* internal/* deploy/* docs/* design/* test/* README.md

-.PHONY: kind-e2e-test
-kind-e2e-test: check-go-version ## Run e2e tests using kind.
-	@test/e2e/run.sh
-
-.PHONY: kind-e2e-chart-tests
-kind-e2e-chart-tests: ## Run helm chart e2e tests
-	@test/e2e/run-chart-test.sh
-
 .PHONY: run-ingress-controller
 run-ingress-controller: ## Run the ingress controller locally using a kubectl proxy connection.
 	@build/run-ingress-controller.sh

-.PHONY: check-go-version
-check-go-version:
-ifeq ($(USE_DOCKER), true)
-	@build/run-in-docker.sh \
-		hack/check-go-version.sh
-else
-	@hack/check-go-version.sh
-endif
-
-.PHONY: init-docker-buildx
-init-docker-buildx:
-ifeq ($(DIND_TASKS),)
-ifneq ($(shell docker buildx 2>&1 >/dev/null; echo $?),)
-	$(error "buildx not available. Docker 19.03 or higher is required with experimental features enabled")
-endif
-	docker run --rm --privileged docker/binfmt:66f9012c56a8316f9244ffd7622d7c21c1f6f28d
-	docker buildx create --name ingress-nginx --use || true
-	docker buildx inspect --bootstrap
-endif
+.PHONY: ensure-buildx
+ensure-buildx:
+	./hack/init-buildx.sh

 .PHONY: show-version
 show-version:
 	echo -n $(TAG)
+
+PLATFORMS ?= amd64 arm arm64
+BUILDX_PLATFORMS ?= linux/amd64,linux/arm,linux/arm64
+
+.PHONY: release # Build a multi-arch docker image
+release: ensure-buildx clean
+	echo "Building binaries..."
+	$(foreach PLATFORM,$(PLATFORMS), echo -n "$(PLATFORM)..."; ARCH=$(PLATFORM) make build;)
+
+	echo "Building and pushing ingress-nginx image...$(BUILDX_PLATFORMS)"
+
+	docker buildx build \
+		--no-cache \
+		$(MAC_DOCKER_FLAGS) \
+		--push \
+		--pull \
+		--progress plain \
+		--platform $(BUILDX_PLATFORMS) \
+		--build-arg BASE_IMAGE="$(BASE_IMAGE)" \
+		--build-arg VERSION="$(TAG)" \
+		--build-arg COMMIT_SHA="$(COMMIT_SHA)" \
+		--build-arg BUILD_ID="$(BUILD_ID)" \
+		-t $(REGISTRY)/controller:$(TAG) rootfs
+
+	docker buildx build \
+		--no-cache \
+		$(MAC_DOCKER_FLAGS) \
+		--push \
+		--pull \
+		--progress plain \
+		--platform $(BUILDX_PLATFORMS)  \
+		--build-arg BASE_IMAGE="$(BASE_IMAGE)" \
+		--build-arg VERSION="$(TAG)" \
+		--build-arg COMMIT_SHA="$(COMMIT_SHA)" \
+		--build-arg BUILD_ID="$(BUILD_ID)" \
+		-t $(REGISTRY)/controller-chroot:$(TAG) rootfs -f rootfs/Dockerfile-chroot
+
+.PHONY: build-docs
+build-docs:
+	pip install -r docs/requirements.txt
+	mkdocs build --config-file mkdocs.yml
--- a/NEW_CONTRIBUTOR.md
+++ b/NEW_CONTRIBUTOR.md
@ -0,0 +1,852 @@
+## New Contributor Tips
+
+Welcome to the Ingress Nginx new contributor tips.
+This guide briefly outlines the necessary knowledge & tools, required to start working on Ingress-NGINX Issues.
+
+### Prerequisites
+- Basic understanding of linux
+- Familiarity with the command line on linux
+- OSI Model(Links below)
+
+### Introduction
+It all starts with the OSI model...
+> The Open Systems Interconnection (OSI) model describes seven layers that computer systems use to communicate over a network. It was the first standard model for network communications, adopted by all major computer and telecommunication companies
+
+![Describes the 7 Layers of the OSI Model](https://i.imgur.com/qF0KjBq.png)
+
+#### Reading material for OSI Model
+[OSI Model CertificationKits](https://www.certificationkits.com/cisco-certification/cisco-ccna-640-802-exam-certification-guide/cisco-ccna-the-osi-model/)
+
+### Approaching the problem
+
+
+Not everybody knows everything. But the factors that help are a love/passion for this to begin. But to move forward, it's the approach and not the knowledge that sustains prolonged joy, while working on issues. If the approach is simple and powered by good-wishes-for-community, then info & tools are forthcoming and easy.
+
+Here we take a bird's eye-view of the hops in the network plumbing, that a packet takes, from source to destination, when we run `curl`, from a laptop to a nginx webserver process, running in a container, inside a pod, inside a Kubernetes cluster, created using `kind` or `minikube` or any other cluster-management tool.
+
+### [Kind](https://kind.sigs.k8s.io/) cluster example on a Linux Host
+
+#### TL;DR
+The destination of the packet from the curl command, is looked up, in the `routing table`. Based on the route, the packet first travels to the virtual bridge `172.18.0.1` interface, created by docker, when we created the kind cluster on a laptop. Next the packet is forwarded to `172.18.0.2`(See below on how we got this IP address), within the kind cluster. The `kube-proxy` container creates iptables rules that make sure the packet goes to the correct pod ip in this case `10.244.0.5`
+
+Command:
+```
+# docker ps
+CONTAINER ID   IMAGE                  COMMAND                  CREATED       STATUS          PORTS                       NAMES
+230e7246a32c   kindest/node:v1.24.1   "/usr/local/bin/entr…"   2 weeks ago   Up 54 seconds   127.0.0.1:38143->6443/tcp   kind-control-plane
+
+# docker inspect kind-control-plane -f '{{ .NetworkSettings.Networks.kind.IPAddress }}'
+172.18.0.2
+
+```
+
+
+
+If this part is confusing, you would first need to understand what a [bridge](https://tldp.org/HOWTO/BRIDGE-STP-HOWTO/what-is-a-bridge.html) is and what [docker network](https://docs.docker.com/network/) is.
+
+
+
+#### The journey of a curl packet.
+Let's begin with creating a [Kind](https://kind.sigs.k8s.io/docs/user/quick-start/) Cluster on your laptop
+```
+# kind create cluster
+```
+This will create a cluster called `kind`, to view the clusters type
+```
+# kind get clusters                                                                                                                              
+kind
+```
+Kind ships with `kubectl`, so we can use that to communicate with our clusters.
+```
+# kubectl get no -o wide                                                                                                                             
+NAME                 STATUS   ROLES           AGE     VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE       KERNEL-VERSION    CONTAINER-RUNTIME
+kind-control-plane   Ready    control-plane   5d23h   v1.24.1   172.18.0.2    <none>        Ubuntu 21.10   5.18.12-arch1-1   containerd://1.6.4
+```
+Kind creates  a cluster using docker container as nodes, it does this using [containerd](https://containerd.io/) within the docker container.
+The concept of Docker in Docker is very important here.
+
+To start with simply create a nginx deployment using `kubectl`.
+```
+# kubectl create deployment nginx --image nginx:alpine --port=80
+deployment.apps/nginx created
+```
+Then we expose this as a NodePort Service.
+```
+# kubectl expose deployment/nginx --type=NodePort
+service/nginx-new exposed
+```
+Command: Now we can see that the service has been exposed.
+```
+# kubectl get svc -o wide
+NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE     SELECTOR
+nginx          NodePort    10.96.176.241   <none>        80:32329/TCP   4d8h    app=nginx
+```
+Output Relevance: From the above output, we can see that our nginx pod is being exposed as the `NodePort` service type, and now we can curl the Node IP `172.18.0.2` with the exposed port `32329`
+
+Command: The pod has an IP as shown below
+```
+# kubectl get po -o wide                                                                                                                            
+NAME                               READY   STATUS    RESTARTS      AGE     IP            NODE                 NOMINATED NODE   READINESS GATES
+nginx-6c8b449b8f-pdvdk             1/1     Running   1 (32h ago)   4d8h    10.244.0.5    kind-control-plane   <none>           <none>
+```
+
+Command: We can use `curl` on the laptop to view the nginx container that is running on port `32329`.
+
+```
+# curl  172.18.0.2:32329
+
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome to nginx!</title>
+<style>
+html { color-scheme: light dark; }
+body { width: 35em; margin: 0 auto;
+font-family: Tahoma, Verdana, Arial, sans-serif; }
+</style>
+</head>
+<body>
+<h1>Welcome to nginx!</h1>
+<p>If you see this page, the nginx web server is successfully installed and
+working. Further configuration is required.</p>
+
+<p>For online documentation and support please refer to
+<a href="http://nginx.org/">nginx.org</a>.<br/>
+Commercial support is available at
+<a href="http://nginx.com/">nginx.com</a>.</p>
+
+<p><em>Thank you for using nginx.</em></p>
+</body>
+</html>
+```
+Now, we can check the ip interfaces as well subnets for our system is connected to:
+
+```
+$ ifconfig
+ethbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
+        inet 192.168.31.9  netmask 255.255.255.0  broadcast 192.168.31.255
+        inet6 fe80::7530:9ae5:3e8d:e45a  prefixlen 64  scopeid 0x20<link>
+        ether 2e:90:b3:e8:52:5b  txqueuelen 1000  (Ethernet)
+        RX packets 31220566  bytes 44930589084 (41.8 GiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 18104006  bytes 1757183680 (1.6 GiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+
+br-2fffe5cd5d9e: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
+        inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
+        inet6 fc00:f853:ccd:e793::1  prefixlen 64  scopeid 0x0<global>
+        inet6 fe80::42:12ff:fed3:8fb0  prefixlen 64  scopeid 0x20<link>
+        inet6 fe80::1  prefixlen 64  scopeid 0x20<link>
+        ether 02:42:12:d3:8f:b0  txqueuelen 0  (Ethernet)
+        RX packets 3547  bytes 414792 (405.0 KiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 6267  bytes 8189931 (7.8 MiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
+        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
+        inet6 fe80::42:a2ff:fe09:5edb  prefixlen 64  scopeid 0x20<link>
+        ether 02:42:a2:09:5e:db  txqueuelen 0  (Ethernet)
+        RX packets 14  bytes 2143 (2.0 KiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 40  bytes 6406 (6.2 KiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+```
+From the above output we can see that, there are two bridges connected to our systems network interface,one is the docker default bridge`docker0` and the other created by kind
+`br-2fffe5cd5d9e`.
+
+Since kind creates nodes as containers, this is easily accessible via `docker ps`.
+```
+$ docker ps
+
+CONTAINER ID   IMAGE                  COMMAND                  CREATED      STATUS        PORTS                       NAMES
+230e7246a32c   kindest/node:v1.24.1   "/usr/local/bin/entr…"   6 days ago   Up 33 hours   127.0.0.1:38143->6443/tcp   kind-control-plane
+```
+If we do a docker `exec` we can enter the container, we can also see the network interfaces within the container.
+```
+# docker exec -it 230e7246a32c bash
+
+# root@kind-control-plane:/# ip a
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+    inet6 ::1/128 scope host
+       valid_lft forever preferred_lft forever
+2: vethdb0d1da1@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether a2:a1:ce:08:d2:39 brd ff:ff:ff:ff:ff:ff link-netns cni-ddc25710-030a-cc05-c600-5a183fae01f7
+    inet 10.244.0.1/32 scope global vethdb0d1da1
+       valid_lft forever preferred_lft forever
+3: veth4d76603f@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 9a:9b:6b:3e:d1:53 brd ff:ff:ff:ff:ff:ff link-netns cni-f2270000-8fc8-6f89-e56b-4759ae10a084
+    inet 10.244.0.1/32 scope global veth4d76603f
+       valid_lft forever preferred_lft forever
+4: vethcc2586d6@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 52:f9:20:63:62:a2 brd ff:ff:ff:ff:ff:ff link-netns cni-97e337cd-1322-c1fa-7523-789af94f397f
+    inet 10.244.0.1/32 scope global vethcc2586d6
+       valid_lft forever preferred_lft forever
+5: veth783189a9@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether ba:e1:55:1f:6f:12 brd ff:ff:ff:ff:ff:ff link-netns cni-90849001-668a-03d2-7d9e-192de79ccc59
+    inet 10.244.0.1/32 scope global veth783189a9
+       valid_lft forever preferred_lft forever
+6: veth79c98c12@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 22:05:55:c7:86:e9 brd ff:ff:ff:ff:ff:ff link-netns cni-734dfac9-9f70-ab33-265b-21569d90312a
+    inet 10.244.0.1/32 scope global veth79c98c12
+       valid_lft forever preferred_lft forever
+7: veth5b221c83@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 92:3f:04:54:72:5a brd ff:ff:ff:ff:ff:ff link-netns cni-d8f6666b-1cfb-ef08-4bf8-237a7fc32da2
+    inet 10.244.0.1/32 scope global veth5b221c83
+       valid_lft forever preferred_lft forever
+8: vethad630fb8@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 32:78:ec:f6:01:ea brd ff:ff:ff:ff:ff:ff link-netns cni-6cb3c179-cb17-3b81-2051-27231c44a3c4
+    inet 10.244.0.1/32 scope global vethad630fb8
+       valid_lft forever preferred_lft forever
+9: veth573a629b@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether e2:57:f8:c9:bc:94 brd ff:ff:ff:ff:ff:ff link-netns cni-d2dbb903-8310-57b4-7ba4-9f353dbc79dc
+    inet 10.244.0.1/32 scope global veth573a629b
+       valid_lft forever preferred_lft forever
+10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
+    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
+       valid_lft forever preferred_lft forever
+    inet6 fc00:f853:ccd:e793::2/64 scope global nodad
+       valid_lft forever preferred_lft forever
+    inet6 fe80::42:acff:fe12:2/64 scope link
+       valid_lft forever preferred_lft forever
+11: vethd7368e27@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 8a:74:ec:f6:d6:c9 brd ff:ff:ff:ff:ff:ff link-netns cni-7c7eb9cd-bbb1-65b0-0480-b8f1265f2f36
+    inet 10.244.0.1/32 scope global vethd7368e27
+       valid_lft forever preferred_lft forever
+12: veth7cadbf2b@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
+    link/ether 12:48:10:b7:b8:f5 brd ff:ff:ff:ff:ff:ff link-netns cni-b39e37b5-1bc8-626a-a553-a0be2f94a117
+    inet 10.244.0.1/32 scope global veth7cadbf2b
+       valid_lft forever preferred_lft forever
+
+```
+When we run `curl  172.18.0.2:32329` on the laptop it first needs to figure out where `172.18.0.2`, to do this it refers to the host routing table.
+```
+sudo netstat -rn                                                                                                                           main 
+Kernel IP routing table
+Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
+0.0.0.0         192.168.31.1    0.0.0.0         UG        0 0          0 ethbr0
+172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
+172.18.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-2fffe5cd5d9e
+172.19.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-be5b544733a3
+192.168.31.0    0.0.0.0         255.255.255.0   U         0 0          0 ethbr0
+192.168.31.0    0.0.0.0         255.255.255.0   U         0 0          0 ethbr0
+192.168.39.0    0.0.0.0         255.255.255.0   U         0 0          0 virbr2
+192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
+```
+Output Relevance: From the above output, you can see that the `iface`(Interface) for `172.18.0.0` is `br-2fffe5cd5d9e`, which means traffic that needs to go to `172.18.0.0` will go through `br-2fffe5cd5d9e` which is created by docker for the kind container (this is the node in case of kind cluster).
+
+Now we need to understand how the packet travels from the container interface to the pod with IP `10.244.0.5`. The component that handles this is called kube-proxy
+
+So what exactly is [kube-proxy](https://kubernetes.io/docs/concepts/overview/components/#kube-proxy):
+> Kube-Proxy is a network proxy that runs on each node in your cluster, implementing part of the Kubernetes Service concept.
+kube-proxy maintains network rules on nodes. These network rules allow network communication to your Pods from network sessions inside or outside of your cluster
+
+So, as we can see that kube proxy handles the network rules required to aid the communication to the pods, we will look at the [iptables](https://linux.die.net/man/8/iptables)
+> `iptables` is a command line interface used to set up and maintain tables for the Netfilter firewall for IPv4, included in the Linux kernel. The firewall matches packets with rules defined in these tables and then takes the specified action on a possible match. Tables is the name for a set of chains
+
+Command:
+```
+# iptables -t nat -L PREROUTING -n
+Chain PREROUTING (policy ACCEPT)
+target     prot opt source               destination
+KUBE-SERVICES  all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */
+DOCKER_OUTPUT  all  --  0.0.0.0/0            172.18.0.1
+CNI-HOSTPORT-DNAT  all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
+```
+
+```
+# iptables-save | grep PREROUTING
+-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
+```
+Output Relevance:
+> -A: append new iptable rule
+> -j: jump to the target
+> KUBE-SERVICES: target
+
+> The above output appends a new rule for PREROUTING which every network packet will go through first as they try to access any kubernetes service
+
+
+What is `PREROUTING` in iptables?
+>PREROUTING: This chain is used to make any routing related decisions before (PRE) sending any packets
+
+To dig in further we need to go to the target, `KUBE-SERVICES` for our nginx service.
+```
+# iptables -t nat -L KUBE-SERVICES -n| grep nginx
+KUBE-SVC-2CMXP7HKUVJN7L6M  tcp  --  0.0.0.0/0            10.96.176.241        /* default/nginx cluster IP */ tcp dpt:80
+```
+Command:
+```
+# iptables -t nat -L KUBE-SVC-2CMXP7HKUVJN7L6M -n
+Chain KUBE-SVC-2CMXP7HKUVJN7L6M (2 references)
+target     prot opt source               destination
+KUBE-MARK-MASQ  tcp  -- !10.244.0.0/16        10.96.176.241        /* default/nginx cluster IP */ tcp dpt:80
+KUBE-SEP-4IEO3WJHPKXV3AOH  all  --  0.0.0.0/0            0.0.0.0/0            /* default/nginx -> 10.244.0.5:80 */
+
+# iptables -t nat -L KUBE-MARK-MASQ -n
+Chain KUBE-MARK-MASQ (31 references)
+target     prot opt source               destination
+MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK or 0x4000
+
+# iptables -t nat -L KUBE-SEP-4IEO3WJHPKXV3AOH -n
+Chain KUBE-SEP-4IEO3WJHPKXV3AOH (1 references)
+target     prot opt source               destination
+KUBE-MARK-MASQ  all  --  10.244.0.5           0.0.0.0/0            /* default/nginx */
+DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/nginx */ tcp to:10.244.0.5:80
+```
+
+
+```
+iptables-save | grep 10.96.176.241
+
+-A KUBE-SERVICES -d 10.96.176.241/32 -p tcp -m comment --comment "default/nginx cluster IP" -m tcp --dport 80 -j KUBE-SVC-2CMXP7HKUVJN7L6M
+-A KUBE-SVC-2CMXP7HKUVJN7L6M ! -s 10.244.0.0/16 -d 10.96.176.241/32 -p tcp -m comment --comment "default/nginx cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
+```
+
+As you can see the rules added by `kube-proxy` helps the packet reach to the destination service.
+
+### Minikube KVM VM Example on Linux
+
+#### TL;DR
+Now we look at the curl packet journey on minikube. The `routing table` is looked up to know the destination of the curl packet. The packet then first travels to the virtual bridge `192.168.39.1`, created by minikube kvm2 driver, when we created the minikube cluster, on a linux laptop. Then this packet is forwarded to `192.168.39.57`, within the minikube VM. We have docker containers running in the VM. Among them, the `kube-proxy` container creates iptables rules that make sure the packet goes to the correct pod ip, in this case `172.17.0.4`.
+
+
+To begin with the minikube example, we first need to create a minikube cluster on a linux laptop. In this example I'll be using the `kvm2` driver option for `minikube start` command, as default.
+
+```
+minikube start
+😄  minikube v1.26.0 on Arch "rolling"
+🆕  Kubernetes 1.24.2 is now available. If you would like to upgrade, specify: --kubernetes-version=v1.24.2
+✨  Using the kvm2 driver based on existing profile
+👍  Starting control plane node minikube in cluster minikube
+🏃  Updating the running kvm2 "minikube" VM ...
+🐳  Preparing Kubernetes v1.23.3 on Docker 20.10.12 ...
+    ▪ kubelet.housekeeping-interval=5m
+🔎  Verifying Kubernetes components...
+    ▪ Using image registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1
+    ▪ Using image registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1
+    ▪ Using image registry.k8s.io/ingress-nginx/controller:v1.2.1
+    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
+🔎  Verifying ingress addon...
+🌟  Enabled addons: ingress, storage-provisioner, default-storageclass
+🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default
+```
+**Note**: The KVM driver provides a lot of options on customizing the cluster, however that is currently beyond the scope of this guide.
+
+Next we will get the Node IP.
+```
+$ kubectl get no -o wide                                                                                                                   
+NAME       STATUS   ROLES                  AGE   VERSION   INTERNAL-IP     EXTERNAL-IP   OS-IMAGE              KERNEL-VERSION   CONTAINER-RUNTIME
+minikube   Ready    control-plane,master   25d   v1.23.3   192.168.39.57   <none>        Buildroot 2021.02.4   4.19.202         docker://20.10.12
+```
+Minikube creates a Virtual Machine using the KVM2 driver(Other drivers such as Virtualbox do exist see `minikube start --help` for more information ), you should be able to see this with the following output(You may have to use sudo to get this output)
+
+```
+$ virsh --connect qemu:///system list
+ Id   Name       State
+--------------------------
+ 1    minikube   running
+
+ or
+
+ $ sudo virsh list
+ Id   Name       State
+--------------------------
+ 1    minikube   running
+
+```
+
+Moving on, simply create a nginx deployment using `kubectl`.
+```
+# kubectl create deployment nginx --image nginx:alpine --port=80
+deployment.apps/nginx created
+```
+Then we expose this as a NodePort Service.
+```
+# kubectl expose deployment/nginx --type=NodePort
+service/nginx-new exposed
+```
+Command: Now we can see that the service has been exposed.
+```
+# kubectl get svc -o wide                                                                                                                            main 
+NAME             TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)        AGE   SELECTOR
+kubernetes       ClusterIP   10.96.0.1    <none>        443/TCP        25d   <none>
+nginx-minikube   NodePort    10.97.44.4   <none>        80:32007/TCP   45h   app=nginx-minikube
+```
+Output Relevance: From the above output, we can see that our nginx pod is being exposed as the `NodePort` service type, and now we can curl the Node IP `192.168.39.57` with the exposed port `32007`
+
+Command: The pod has an IP as shown below
+```
+# kubectl get po -o wide
+NAME                              READY   STATUS    RESTARTS      AGE   IP           NODE       NOMINATED NODE   READINESS GATES
+nginx-minikube-7546f79bd8-x88bt   1/1     Running   3 (43m ago)   45h   172.17.0.4   minikube   <none>           <none>
+
+```
+
+Command: We can use `curl` on the laptop to view the nginx container that is running on port `32007`.
+```
+curl  192.168.39.57:32007
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome to nginx!</title>
+<style>
+html { color-scheme: light dark; }
+body { width: 35em; margin: 0 auto;
+font-family: Tahoma, Verdana, Arial, sans-serif; }
+</style>
+</head>
+<body>
+<h1>Welcome to nginx!</h1>
+<p>If you see this page, the nginx web server is successfully installed and
+working. Further configuration is required.</p>
+
+<p>For online documentation and support please refer to
+<a href="http://nginx.org/">nginx.org</a>.<br/>
+Commercial support is available at
+<a href="http://nginx.com/">nginx.com</a>.</p>
+
+<p><em>Thank you for using nginx.</em></p>
+</body>
+</html>
+```
+
+So, how does this packet travel, lets dive in.
+We can check the ip interfaces as well subnets for our system is connected to:
+```
+$ ifconfig
+virbr2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
+        inet 192.168.39.1  netmask 255.255.255.0  broadcast 192.168.39.255
+        ether 52:54:00:19:29:93  txqueuelen 1000  (Ethernet)
+        RX packets 5132  bytes 1777099 (1.6 MiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 6113  bytes 998530 (975.1 KiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+
+virbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
+        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
+        ether 52:54:00:48:ee:35  txqueuelen 1000  (Ethernet)
+        RX packets 23648  bytes 1265196 (1.2 MiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 40751  bytes 60265308 (57.4 MiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+```
+Output Relevance: From the above output you can see there are two Virtual Bridges created by minikube when we created the cluster on the network. Here, `virbr0` is the default NAT network bridge while `virbr2` is a isolated network bridge on which the pods run.
+
+Minikube creates a Virtual Machine, to enter the virtual machine we can simply do:
+```
+# minikube ssh
+```
+
+The interfaces within the Virtual Machine are as follows.
+```
+docker0   Link encap:Ethernet  HWaddr 02:42:03:24:26:78
+          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:31478 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:36704 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:3264056 (3.1 MiB)  TX bytes:14061883 (13.4 MiB)
+
+eth0      Link encap:Ethernet  HWaddr 52:54:00:C9:3A:73
+          inet addr:192.168.39.57  Bcast:192.168.39.255  Mask:255.255.255.0
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:8245 errors:0 dropped:9 overruns:0 frame:0
+          TX packets:3876 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:812006 (792.9 KiB)  TX bytes:1044724 (1020.2 KiB)
+
+eth1      Link encap:Ethernet  HWaddr 52:54:00:7B:37:79
+          inet addr:192.168.122.35  Bcast:192.168.122.255  Mask:255.255.255.0
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:4459 errors:0 dropped:9 overruns:0 frame:0
+          TX packets:201 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:298528 (291.5 KiB)  TX bytes:25813 (25.2 KiB)
+
+lo        Link encap:Local Loopback
+          inet addr:127.0.0.1  Mask:255.0.0.0
+          UP LOOPBACK RUNNING  MTU:65536  Metric:1
+          RX packets:946772 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:946772 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:213465460 (203.5 MiB)  TX bytes:213465460 (203.5 MiB)
+
+vetha4f1dc5 Link encap:Ethernet  HWaddr 3E:1C:FE:C9:75:86
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:1413 (1.3 KiB)  TX bytes:955 (955.0 B)
+
+vethbf35613 Link encap:Ethernet  HWaddr BA:31:7D:AE:2A:BF
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:3526 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:3934 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:342408 (334.3 KiB)  TX bytes:380193 (371.2 KiB)
+
+vethe092a51 Link encap:Ethernet  HWaddr 8A:37:D3:D9:D9:0E
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:9603 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:11151 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:1199235 (1.1 MiB)  TX bytes:5449408 (5.1 MiB)
+```
+Output Relevance: Here we have the Virtual Ethernet and we have docker bridges too since docker runs within the Virtual Machine.
+
+When we do a `curl` to `192.168.39.57:32007` on the laptop the packet first goes to the route table
+```
+Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
+0.0.0.0         192.168.31.1    0.0.0.0         UG        0 0          0 ethbr0
+172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
+172.18.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-2fffe5cd5d9e
+172.19.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-be5b544733a3
+192.168.31.0    0.0.0.0         255.255.255.0   U         0 0          0 ethbr0
+192.168.31.0    0.0.0.0         255.255.255.0   U         0 0          0 ethbr0
+192.168.39.0    0.0.0.0         255.255.255.0   U         0 0          0 virbr2
+192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
+```
+Output Relevance: As you can see multiple routes are defined here, of which our Virtual Machine Node IP(192.168.39.57) is also shown in the table, so the packet now knows where it has to go.
+
+With that clear we now know how the packet goes from the laptop to the virtual bridge and then enters the Virtual Machine.
+
+Inside the virtual machine, [kube-proxy](https://kubernetes.io/docs/concepts/overview/components/#kube-proxy) handles the routing using iptables.
+
+So what exactly is [kube-proxy](https://kubernetes.io/docs/concepts/overview/components/#kube-proxy)(For those who skipped the kind example):
+> Kube-Proxy is a network proxy that runs on each node in your cluster, implementing part of the Kubernetes Service concept.
+kube-proxy maintains network rules on nodes. These network rules allow network communication to your Pods from network sessions inside or outside of your cluster
+
+So, as we can see that kube proxy handles the network rules required to aid the communication to the pods, we will look at the [iptables](https://linux.die.net/man/8/iptables)
+> `iptables` is a command line interface used to set up and maintain tables for the Netfilter firewall for IPv4, included in the Linux kernel. The firewall matches packets with rules defined in these tables and then takes the specified action on a possible match. Tables is the name for a set of chains
+
+Command:
+
+```
+# minikube ssh                                                                                                                                      
+                         _             _
+            _         _ ( )           ( )
+  ___ ___  (_)  ___  (_)| |/')  _   _ | |_      __
+/' _ ` _ `\| |/' _ `\| || , <  ( ) ( )| '_`\  /'__`\
+| ( ) ( ) || || ( ) || || |\`\ | (_) || |_) )(  ___/
+(_) (_) (_)(_)(_) (_)(_)(_) (_)`\___/'(_,__/'`\____)
+
+$ sudo iptables -t nat -L PREROUTING -n
+Chain PREROUTING (policy ACCEPT)
+target     prot opt source               destination
+KUBE-SERVICES  all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */
+DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
+
+$ iptables-save | grep PREROUTING
+-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
+
+```
+
+Output Relevance:
+> -A: append new iptable rule
+> -j: jump to the target
+> KUBE-SERVICES: target
+
+> The above output appends a new rule for PREROUTING which every network packet will go through first as they try to access any kubernetes service
+
+
+What is `PREROUTING` in iptables?
+>PREROUTING: This chain is used to make any routing related decisions before (PRE) sending any packets
+
+To dig in further we need to go to the target, `KUBE-SERVICES` for our nginx service.
+```
+# iptables -t nat -L KUBE-SERVICES -n| grep nginx
+KUBE-SVC-NRDCJV6H42SDXARP  tcp  --  0.0.0.0/0            10.97.44.4           /* default/nginx-minikube cluster IP */ tcp dpt:80
+```
+Command:
+```
+$ sudo iptables -t nat -L| grep KUBE-SVC-NRDCJV6H42SDXARP
+KUBE-SVC-NRDCJV6H42SDXARP  tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/nginx-minikube */ tcp dpt:32007
+KUBE-SVC-NRDCJV6H42SDXARP  tcp  --  0.0.0.0/0            10.97.44.4           /* default/nginx-minikube cluster IP */ tcp dpt:80
+
+$ sudo iptables -t nat -L KUBE-MARK-MASQ -n
+Chain KUBE-MARK-MASQ (19 references)
+target     prot opt source               destination
+MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK or 0x4000
+
+sudo iptables-save | grep 172.17.0.4
+-A KUBE-SEP-AHQQ7ZFXMEBNX76B -s 172.17.0.4/32 -m comment --comment "default/nginx-minikube" -j KUBE-MARK-MASQ
+-A KUBE-SEP-AHQQ7ZFXMEBNX76B -p tcp -m comment --comment "default/nginx-minikube" -m tcp -j DNAT --to-destination 172.17.0.4:80
+```
+As you can see the rules added by kube-proxy helps the packet reach to the destination service.
+
+
+### Connection termination
+Connection termination is a type of event that occurs when there are load balancers present, the information for this is quite scarce, however I've found the following article, [IBM - Network Termination](https://www.ibm.com/docs/en/sva/9.0.4?topic=balancer-network-termination) that describes what it means by connection termination between clients(laptop) and server(load balancer) and the various other services.
+
+### Different types of connection errors.
+The following article on [TCP/IP errors](https://www.ibm.com/docs/en/db2/11.1?topic=message-tcpip-errors) has a list of the important tcp timeout errors that we need to know.
+
+
+| Common TCP/IP errors | Meaning |
+| -------- | -------- |
+| Resource temporarily unavailable.| Self-explanatory.     |
+| No space is left on a device or system table.|The disk partition is full|
+|No route to the host is available.|The routing table doesn't know where to route the packet.|
+|Connection was reset by the partner.|This usually means the packet was dropped as soon as it reached the server can be due to a firewall.|
+|The connection was timed out.|This indicates the firewall blocking your connection or the connection took too long.|
+
+## OSI Model Layer 7 (Application Layer)
+
+[What is layer 7?](https://www.cloudflare.com/learning/ddos/what-is-layer-7/)
+#### Summary
+Layer 7 refers to the seventh and topmost layer of the Open Systems Interconnect (OSI) Model known as the application layer. This is the highest layer which supports end-user processes and applications. Layer 7 identifies the communicating parties and the quality of service between them, considers privacy and user authentication, as well as identifies any constraints on the data syntax. This layer is wholly application-specific.
+
+
+## Setting up Ingress-Nginx Controller
+
+Since we are doing this on our local laptop, we are going to use the following tools:
+- [Minikube using KVM driver](https://minikube.sigs.k8s.io/docs/start/) - The host is linux-based in our example
+- [Metallb](https://metallb.universe.tf/) - Baremetal load-balancer.
+- [KVM](https://www.linux-kvm.org/page/Main_Page) / [Oracle VirtualBox](https://www.virtualbox.org/wiki/Downloads) / [VMWare](https://www.vmware.com/in/products/workstation-pro.html)
+
+
+### So let's begin with Metallb and Ingress-Nginx setup.
+
+For setting up metallb, we are going to follow the below steps:
+
+ - To begin the installation, we will execute:
+```
+minikube start
+```
+- To install Metallb, one can install it using the [manifest](https://metallb.universe.tf/installation/#installation-by-manifest) or by using [helm](https://metallb.universe.tf/installation/#installation-with-helm), for now we will use the Manifest method:
+```
+kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.4/config/manifests/metallb-native.yaml
+```
+
+- We need to now configure Metallb, we are using [Layer 2 configuration](https://metallb.universe.tf/configuration/#announce-the-service-ips), let's head over to the [Metallb Configuration](https://metallb.universe.tf/configuration/) website, here you will see how to setup metallb.
+>Layer 2 mode does not require the IPs to be bound to the network interfaces of your worker nodes. It works by responding to ARP requests on your local network directly, to give the machine’s MAC address to clients.
+In order to advertise the IP coming from an IPAddressPool, an L2Advertisement instance must be associated to the IPAddressPool.
+-  We have modified the IP address pool so that our loadbalancer knows which subnet to choose an IP from.Since we have only one minikube IP we need to modify the code given in the documentation.
+Save this as `metallb-config.yaml`:
+```
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: first-pool
+  namespace: metallb-system
+spec:
+  addresses:
+  # The configuration website show's you this
+
+  #- 192.168.10.0/24
+  #- 192.168.9.1-192.168.9.5
+  #- fc00:f853:0ccd:e799::/124
+
+  # We are going to change this to `minikube ip` as such
+  - 192.168.39.57/32
+```
+Now deploy it using `kubectl`
+```
+kubectl apply -f metallb-config.yaml
+```
+- Now that metallb is setup, let's install [ingress-nginx](https://kubernetes.github.io/ingress-nginx/deploy/#quick-start) on the laptop.
+Note: We are using the install by manifest option from the Installation manual
+```
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml
+```
+or one can also install it using the minikube addons:
+```
+minikube addons enable ingress
+```
+ - Once your Ingress-Nginx controller is created you can run the following commands to see the output of the setup done.
+```
+kubectl get pods -n ingress-nginx
+NAME                                        READY   STATUS      RESTARTS   AGE
+ingress-nginx-admission-create-65bld        0/1     Completed   0          14m
+ingress-nginx-admission-patch-rwq4x         0/1     Completed   0          14m
+ingress-nginx-controller-6dc865cd86-7c5zd   1/1     Running     0          14m
+```
+The Ingress controller creates a Service with the type LoadBalancer and metallb provides the IP address.
+
+```
+kubectl -n ingress-nginx get svc
+
+NAME                                 TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)                      AGE
+ingress-nginx-controller             LoadBalancer   10.108.154.53   192.168.39.223   80:30367/TCP,443:31491/TCP   4d15h
+ingress-nginx-controller-admission   ClusterIP      10.98.54.3      <none>           443/TCP                      4d15h
+```
+
+#### Creating an Ingress
+
+We will deploy a `httpd` service in a `httpd` namespace and create a ingress for it.
+
+First, let's create a namespace.
+```
+kubectl create namespace httpd
+```
+
+Next we will create a deployment
+```
+kubectl create deployment httpd -n httpd --image=httpd:alpine
+```
+
+Now, In order to create a service, let's expose this deployment
+```
+kubectl expose deployment -n httpd httpd --port 80
+```
+Let's check the `pod` that is created
+
+```
+kubectl get po -n httpd
+NAME                    READY   STATUS    RESTARTS   AGE
+httpd-fb7fcdc77-w287c   1/1     Running   0          64s
+```
+
+Let's list the services in the `httpd` namespace
+```
+kubectl get svc -n httpd
+NAME    TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
+httpd   ClusterIP   10.104.111.0   <none>        80/TCP    13s
+```
+
+Once we have this we can now create an ingress using the following
+```
+kubectl -n httpd create ingress httpd --class nginx --rule httpd.dev.leonnunes.com/"*"=httpd:80
+```
+The above output, creates an ingress, for us with the rule to match the service if the host is `httpd.dev.leonnunes.com`. The class here is retrieved from the below command.
+
+To list the `ingressclasses` use
+```
+kubectl get ingressclasses
+NAME    CONTROLLER             PARAMETERS   AGE
+nginx   k8s.io/ingress-nginx   <none>       6h49m
+```
+
+The following command shows the ingress created
+```
+$ kubectl get ingress -A -o wide
+
+NAMESPACE   NAME    CLASS   HOSTS                     ADDRESS          PORTS   AGE
+httpd       httpd   nginx   httpd.dev.leonnunes.com   192.168.39.223   80      11d
+```
+
+To test if the rule works we can now do
+```
+$ minikube ip
+192.168.39.223
+
+$ curl --resolve httpd.dev.leonnunes.com:80:192.168.39.223 httpd.dev.leonnunes.com
+<html><body><h1>It works!</h1></body></html>
+
+or
+
+curl -H "Host: httpd.dev.leonnunes.com" 192.168.39.223
+```
+
+#### Example of Information found on layer 7
+We have setup `Ingress-Nginx`, using `nginx` as a class and `httpd` for this example.
+
+In order to display the info on Layer - 7, we have extracted the Layer 7 information from a simple `curl` request, and then using `tcpdump` command within the `httpd` pod we extracted the network packets and opened it using the `Wireshark` utility.
+
+Below given is the output that is important:
+```bash
+Frame 4: 391 bytes on wire (3128 bits), 391 bytes captured (3128 bits)
+Linux cooked capture v2
+Internet Protocol Version 4, Src: 172.17.0.4, Dst: 172.17.0.3
+Transmission Control Protocol, Src Port: 49074, Dst Port: 80, Seq: 1, Ack: 1, Len: 319
+Hypertext Transfer Protocol
+    GET / HTTP/1.1\r\n
+    Host: httpd.dev.leonnunes.com\r\n
+    X-Request-ID: 6e1a790412a0d1615dc0231358dc9c8b\r\n
+    X-Real-IP: 172.17.0.1\r\n
+    X-Forwarded-For: 172.17.0.1\r\n
+    X-Forwarded-Host: httpd.dev.leonnunes.com\r\n
+    X-Forwarded-Port: 80\r\n
+    X-Forwarded-Proto: http\r\n
+    X-Forwarded-Scheme: http\r\n
+    X-Scheme: http\r\n
+    User-Agent: curl/7.84.0\r\n
+    Accept: */*\r\n
+    \r\n
+    [Full request URI: http://httpd.dev.leonnunes.com/]
+    [HTTP request 1/1]
+    [Response in frame: 6]
+
+```
+The above output shows the information that the `httpd` pod receives. The `curl` command sends the host header, `Host: httpd.dev.leonnunes.com`, to the nginx controller, that then matches the rule and sends the information to the right controller
+
+The following output shows what is sent via the laptop.
+```
+curl --resolve httpd.dev.leonnunes.com:80:192.168.39.57 -H "Host: httpd.dev.leonnunes.com" 192.168.39.57 -vL
+* Added httpd.dev.leonnunes.com:80:192.168.39.57 to DNS cache
+*   Trying 192.168.39.57:80...
+* Connected to 192.168.39.57 (192.168.39.57) port 80 (#0)
+> GET / HTTP/1.1
+> Host: httpd.dev.leonnunes.com
+> User-Agent: curl/7.84.0
+> Accept: */*
+>
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 200 OK
+< Date: Mon, 22 Aug 2022 16:05:27 GMT
+< Content-Type: text/html
+< Content-Length: 45
+< Connection: keep-alive
+< Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
+< ETag: "2d-432a5e4a73a80"
+< Accept-Ranges: bytes
+<
+<html><body><h1>It works!</h1></body></html>
+* Connection #0 to host 192.168.39.57 left intact
+```
+As you can see from the above output there are several headers added to the curl output after it reaches the `httpd` pod, these headers are added by the Ingress Nginx Controller.
+
+
+### References
+#### Basics of Networking
+   - https://www.cisco.com/en/US/docs/security/vpn5000/manager/reference/guide/appA.html
+   - http://web.stanford.edu/class/cs101/
+   - https://www.geeksforgeeks.org/basics-computer-networking/
+   - Subnetting
+     - https://www.computernetworkingnotes.com/ccna-study-guide/subnetting-tutorial-subnetting-explained-with-examples.html
+
+#### Video Links
+   - https://www.youtube.com/playlist?list=PLhfrWIlLOoKPc2RecyiM_A9nf3fUU3e6g
+   - https://www.youtube.com/watch?v=S7MNX_UD7vY&list=PLIhvC56v63IJVXv0GJcl9vO5Z6znCVb1P
+
+### Topics to read about
+   - Docker in Docker
+   - [Docker/Containers](https://www.oreilly.com/library/view/docker-deep-dive/9781800565135/)
+   - Containers
+
+### Basics of Kubernetes
+#### Reading Material
+- https://nubenetes.com/kubernetes-tutorials/
+- https://kubernetes.io/docs/concepts/
+#### Video Material
+- [Techworld with Nana 101](https://www.youtube.com/playlist?list=PLy7NrYWoggjziYQIDorlXjTvvwweTYoNC)
+- [Jeff Geerling Kubernetes 101](https://www.youtube.com/watch?v=IcslsH7OoYo&list=PL2_OBreMn7FoYmfx27iSwocotjiikS5BD)
+
+#### Hands-On Kubernetes
+- https://kube.academy/
+- https://www.civo.com/academy
+
+### Networking in Kubernetes
+- [Kubernetes Networking 101](https://youtu.be/CYnwBIpvSlM?t=284)
+- [CNCF Kubernetes 101](https://www.youtube.com/watch?v=cUGXu2tiZMc)
+
+### Tools/Commands to help with troubleshooting.
+- [mtr](https://www.redhat.com/sysadmin/linux-mtr-command) - Tracing the packet from the source to destination
+- [tcpdump](https://linuxconfig.org/how-to-use-tcpdump-command-on-linux) - Monitor packets
+- [wireshark](https://www.lifewire.com/wireshark-tutorial-4143298) - Read/Sniff packets
+- [nslookup](https://phoenixnap.com/kb/nslookup-command) - Lookup Nameservers
+- [netstat](https://www.lifewire.com/netstat-command-2618098) - List network details
+- [curl](https://linuxhandbook.com/curl-command-examples/) - Curl a website from the command line
+- [ifconfig](https://www.tecmint.com/ifconfig-command-examples/)/[ip](https://www.geeksforgeeks.org/ip-command-in-linux-with-examples/) - Show ip address configuration
+- [dig](https://www.geeksforgeeks.org/dig-command-in-linux-with-examples/) - Query Nameservers
+- [ipcalc](https://www.linux.com/topic/networking/how-calculate-network-addresses-ipcalc/) - Calculate IP addresses
+- Advanced Tools for troubleshooting
+    - [Netshoot](https://github.com/nicolaka/netshoot) - Troubleshoot Networks
+- Cluster Creation tools
+    - [kind](https://kind.sigs.k8s.io/docs/user/quick-start/)
+    - [minikube](https://minikube.sigs.k8s.io/docs/start/)
+- MacOS users
+	- [docker-mac-net-connect](https://github.com/chipmk/docker-mac-net-connect) - See this [issue](https://github.com/kubernetes/minikube/issues/7332)
--- a/NEW_RELEASE_PROCESS.md
+++ b/NEW_RELEASE_PROCESS.md
@ -0,0 +1,9 @@
+# Semi-Automated Release Process 
+
+1. Update TAG
+2. Cloud Build 
+3. k8s.io PR 
+4. git pull origin main 
+5. git checkout -b $RELEASE_VERSION 
+6. mage release:newrelease $RELEASE_VERSION 
+7. Wait for PR
--- a/1
+++ b/1
@ -0,0 +1 @@
+registry.k8s.io/ingress-nginx/nginx:v2.0.0@sha256:3e7bda4cf5111d283ed1e4ff5cc9a2b5cdc5ebe62d50ba67473d3e25b1389133
--- a/16
+++ b/16
@ -1,11 +1,13 @@
-# See the OWNERS docs: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md
+# See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners

 approvers:
-  - ingress-nginx-admins
-  - ingress-nginx-maintainers
-  - ElvinEfendi
+- ingress-nginx-maintainers

 reviewers:
-  - aledbf
-  - ElvinEfendi
-  - cmluciano
+- ingress-nginx-reviewers
+
+emeritus_approvers:
+- aledbf # 2020-04-02
+- bowei # 2022-10-12
+- ElvinEfendi # 2023-04-23
+- rikatz # 2024-12-15
--- a/23
+++ b/23
@ -1,12 +1,17 @@
-# See the OWNERS docs: https://git.k8s.io/community/docs/devel/owners.md
+# See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners

 aliases:
-  sig-network-leads:
-    - caseydavenport
-    - dcbw
-    - thockin
-  ingress-nginx-admins:
-    - bowei
-    - aledbf
  ingress-nginx-maintainers:
-    - aledbf
+  - cpanato
+  - Gacko
+  - strongjz
+  - tao12345666333
+
+  ingress-nginx-reviewers:
+  - cpanato
+  - Gacko
+  - strongjz
+  - tao12345666333
+
+  ingress-nginx-docs-maintainers:
+  - longwuyuan
--- a/README.md
+++ b/README.md
@ -1,57 +1,94 @@
-## Help us to improve the NGINX Ingress controller [completing the survey](https://docs.google.com/forms/d/15ULTOvYDsV920V0GWrspew4yyjEmTAi740Wr34UgKwA/viewform)
+# Ingress NGINX Controller

---
-
-# NGINX Ingress Controller
-
-[![Coverage Status](https://codecov.io/gh/kubernetes/ingress-nginx/branch/master/graph/badge.svg)](https://codecov.io/gh/kubernetes/ingress-nginx)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5691/badge)](https://bestpractices.coreinfrastructure.org/projects/5691)
 [![Go Report Card](https://goreportcard.com/badge/github.com/kubernetes/ingress-nginx)](https://goreportcard.com/report/github.com/kubernetes/ingress-nginx)
-[![GitHub license](https://img.shields.io/github/license/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/blob/master/LICENSE)
+[![GitHub license](https://img.shields.io/github/license/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE)
 [![GitHub stars](https://img.shields.io/github/stars/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/stargazers)
-[![GitHub stars](https://img.shields.io/badge/contributions-welcome-orange.svg)](https://github.com/kubernetes/ingress-nginx/blob/master/CONTRIBUTING.md)
-[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fkubernetes%2Fingress-nginx.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fkubernetes%2Fingress-nginx?ref=badge_shield)
+[![GitHub stars](https://img.shields.io/badge/contributions-welcome-orange.svg)](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md)

 ## Overview

-ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load balancer.
+ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load
+balancer.

-Learn more about Ingress on the main [Kubernetes](https://kubernetes.io/docs/concepts/services-networking/ingress/) documentation site.
+[Learn more about Ingress on the Kubernetes documentation site](https://kubernetes.io/docs/concepts/services-networking/ingress/).

 ## Get started

 See the [Getting Started](https://kubernetes.github.io/ingress-nginx/deploy/) document.

+Do not use in multi-tenant Kubernetes production installations. This project assumes that users that can create Ingress objects are administrators of the cluster. See the [FAQ](https://kubernetes.github.io/ingress-nginx/faq/#faq) for more.
+
 ## Troubleshooting

-If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md), [file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the [#ingress-nginx channel](https://kubernetes.slack.com/messages/ingress-nginx) on the Kubernetes Slack server.
-
-## Contributing
-
-Thanks for taking the time to join our community and start contributing!
-
- This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md). By participating in this project, you agree to abide by its terms.
- See [CONTRIBUTING.md](CONTRIBUTING.md) for information about setting up your environment, the workflow that we expect, and instructions on the developer certificate of origin that we require.
- Check out the [open issues](https://github.com/kubernetes/ingress-nginx).
- Join our Kubernetes Slack channel: [#ingress-nginx](https://kubernetes.slack.com/messages/CANQGM8BA/)
+If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md),
+[file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the
+[#ingress-nginx channel](https://kubernetes.slack.com/messages/ingress-nginx) on the Kubernetes Slack server.

 ## Changelog

-See [the list of releases](https://github.com/kubernetes/ingress-nginx/releases) to find out about feature changes
-For detailed changes for each release; please check the [Changelog.md](Changelog.md)
+See [the list of releases](https://github.com/kubernetes/ingress-nginx/releases) for all changes.
+For detailed changes for each release, please check the [changelog-$version.md](./changelog) file for the release version.
+For detailed changes on the `ingress-nginx` helm chart, please check the changelog folder for a specific version.
+[CHANGELOG-$current-version.md](./charts/ingress-nginx/changelog) file.

-# Get Involved
+### Supported Versions table

- **Contributing**: Pull requests are welcome!
-  - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) and check out [help-wanted](https://github.com/kubernetes/ingress-nginx/labels/help%20wanted) issues
-  - Submit github issues for any feature enhancements, bugs or documentation problems
- **Support**: Join to [Kubernetes Slack](http://slack.kubernetes.io/) in the [#ingress-nginx](https://kubernetes.slack.com/messages/CANQGM8BA/) channel to ask questions to get support from the maintainers and other users
-  - The [github issues](https://github.com/kubernetes/ingress-nginx/issues) in the repository are **exclusively** for bug reports and feature requests.
- **Discuss**: Tweet using the `#IngressNginx` hashtag
+Supported versions for the ingress-nginx project mean that we have completed E2E tests, and they are passing for
+the versions listed. Ingress-Nginx versions **may** work on older versions, but the project does not make that guarantee.

-## Issues
+| Supported | Ingress-NGINX version | k8s supported version         | Alpine Version | Nginx Version | Helm Chart Version |
+| :-------: | --------------------- | ----------------------------- | -------------- | ------------- | ------------------ |
+|    🔄     | **v1.12.0**           | 1.32, 1.31, 1.30, 1.29, 1.28  | 3.21.0         | 1.25.5        | 4.12.0             |
+|    🔄     | **v1.12.0-beta.0**    | 1.32, 1.31, 1.30, 1.29, 1.28  | 3.20.3         | 1.25.5        | 4.12.0-beta.0      |
+|    🔄     | **v1.11.4**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.21.0         | 1.25.5        | 4.11.4             |
+|    🔄     | **v1.11.3**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.3         | 1.25.5        | 4.11.3             |
+|    🔄     | **v1.11.2**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.11.2             |
+|    🔄     | **v1.11.1**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.11.1             |
+|    🔄     | **v1.11.0**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.11.0             |
+|           | **v1.10.6**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.21.0         | 1.25.5        | 4.10.6             |
+|           | **v1.10.5**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.3         | 1.25.5        | 4.10.5             |
+|           | **v1.10.4**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.10.4             |
+|           | **v1.10.3**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.10.3             |
+|           | **v1.10.2**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.20.0         | 1.25.5        | 4.10.2             |
+|           | **v1.10.1**           | 1.30, 1.29, 1.28, 1.27, 1.26  | 3.19.1         | 1.25.3        | 4.10.1             |
+|           | **v1.10.0**           | 1.29, 1.28, 1.27, 1.26        | 3.19.1         | 1.25.3        | 4.10.0             |
+|           | v1.9.6                | 1.29, 1.28, 1.27, 1.26, 1.25  | 3.19.0         | 1.21.6        | 4.9.1              |
+|           | v1.9.5                | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.9.0              |
+|           | v1.9.4                | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.8.3              |
+|           | v1.9.3                | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.8.*              |
+|           | v1.9.1                | 1.28, 1.27, 1.26, 1.25        | 3.18.4         | 1.21.6        | 4.8.*              |
+|           | v1.9.0                | 1.28, 1.27, 1.26, 1.25        | 3.18.2         | 1.21.6        | 4.8.*              |
+|           | v1.8.4                | 1.27, 1.26, 1.25, 1.24        | 3.18.2         | 1.21.6        | 4.7.*              |
+|           | v1.7.1                | 1.27, 1.26, 1.25, 1.24        | 3.17.2         | 1.21.6        | 4.6.*              |
+|           | v1.6.4                | 1.26, 1.25, 1.24, 1.23        | 3.17.0         | 1.21.6        | 4.5.*              |
+|           | v1.5.1                | 1.25, 1.24, 1.23              | 3.16.2         | 1.21.6        | 4.4.*              |
+|           | v1.4.0                | 1.25, 1.24, 1.23, 1.22        | 3.16.2         | 1.19.10†      | 4.3.0              |
+|           | v1.3.1                | 1.24, 1.23, 1.22, 1.21, 1.20  | 3.16.2         | 1.19.10†      | 4.2.5              |

-Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/master/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**.
+See [this article](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) if you want upgrade to the stable
+Ingress API.
+
+## Get Involved
+
+Thanks for taking the time to join our community and start contributing!
+
+- This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md).
+  By participating in this project, you agree to abide by its terms.
+- **Contributing**: Contributions of all kinds are welcome!
+
+  - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we
+    expect, and instructions on the developer certificate of origin that we require.
+  - Join our Kubernetes Slack channel for developer discussion : [#ingress-nginx-dev](https://kubernetes.slack.com/archives/C021E147ZA4).
+  - Submit GitHub issues for any feature enhancements, bugs, or documentation problems.
+    - Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**.
+  - Join our [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w)
+- **Support**:
+
+  - Join the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel inside the [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions or get support from the maintainers and other users.
+  - The [GitHub issues](https://github.com/kubernetes/ingress-nginx/issues) in the repository are **exclusively** for bug reports and feature requests.
+  - **Discuss**: Tweet using the `#IngressNginx` hashtag or sharing with us [@IngressNginx](https://twitter.com/IngressNGINX).

 ## License

-[Apache License 2.0](https://github.com/kubernetes/ingress-nginx/blob/master/LICENSE)
+[Apache License 2.0](https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE)
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,22 @@
+# Security Policy
+
+## Security Announcements
+
+Join the [kubernetes-security-announce] group for security and vulnerability announcements.
+
+You can also subscribe to an RSS feed of the above using [this link][kubernetes-security-announce-rss].
+
+## Reporting a Vulnerability
+
+Instructions for reporting a vulnerability can be found on the
+[Kubernetes Security and Disclosure Information] page.
+
+## Supported Versions
+
+Information about supported Kubernetes versions can be found on the
+[Kubernetes version and version skew support policy] page on the Kubernetes website.
+
+[kubernetes-security-announce]: https://groups.google.com/forum/#!forum/kubernetes-security-announce
+[kubernetes-security-announce-rss]: https://groups.google.com/forum/feed/kubernetes-security-announce/msgs/rss_v2_0.xml?num=50
+[Kubernetes version and version skew support policy]: https://kubernetes.io/docs/setup/release/version-skew-policy/#supported-versions
+[Kubernetes Security and Disclosure Information]: https://kubernetes.io/docs/reference/issues-security/security/#report-a-vulnerability
--- a/4
+++ b/4
@ -9,5 +9,5 @@
 #
 # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
 # INSTRUCTIONS AT https://kubernetes.io/security/
-
-aledbf
+Gacko
+strongjz
--- a/build/build-ingress-controller.sh
+++ b/build/build-ingress-controller.sh
@ -1,55 +0,0 @@
-#!/bin/bash
-
-# Copyright 2019 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-if [ -n "$DEBUG" ]; then
-	set -x
-fi
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-DIR=$(cd $(dirname "${BASH_SOURCE}") && pwd -P)
-
-AWS_FILE="${DIR}/images/nginx/aws.tfvars"
-ENV_FILE="${DIR}/images/nginx/env.tfvars"
-
-if [ ! -f "${AWS_FILE}" ]; then
-  echo "File $AWS_FILE does not exist. Please create this file with keys access_key an secret_key"
-  exit 1
-fi
-
-if [ ! -f "${ENV_FILE}" ]; then
-  echo "File $ENV_FILE does not exist. Please create this file with keys docker_username and docker_password"
-  exit 1
-fi
-
-# build local terraform image to build nginx
-docker buildx build \
-  --load \
-  --platform linux/amd64 \
-  --tag build-ingress-controller-terraform $DIR/images/ingress-controller
-
-# build nginx and publish docker images to quay.io.
-# this can take up to two hours.
-docker run --rm -it \
-  --volume $DIR/images/ingress-controller:/tf \
-  -w /tf \
-  -v ${AWS_FILE}:/root/aws.tfvars:ro \
-  -v ${ENV_FILE}:/root/env.tfvars:ro \
-  build-ingress-controller-terraform
-
-docker rmi -f build-ingress-controller-terraform
--- a/build/build-nginx-image.sh
+++ b/build/build-nginx-image.sh
@ -1,57 +0,0 @@
-#!/bin/bash
-
-# Copyright 2019 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-if [ -n "$DEBUG" ]; then
-	set -x
-fi
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-DIR=$(cd $(dirname "${BASH_SOURCE}") && pwd -P)
-
-AWS_FILE="${DIR}/images/nginx/aws.tfvars"
-ENV_FILE="${DIR}/images/nginx/env.tfvars"
-
-if [ ! -f "${AWS_FILE}" ]; then
-  echo "File $AWS_FILE does not exist. Please create this file with keys access_key an secret_key"
-  exit 1
-fi
-
-if [ ! -f "${ENV_FILE}" ]; then
-  echo "File $ENV_FILE does not exist. Please create this file with keys docker_username and docker_password"
-  exit 1
-fi
-
-# build local terraform image to build nginx
-export DOCKER_CLI_EXPERIMENTAL=enabled
-docker buildx build \
-  --load \
-  --no-cache \
-  --platform linux/amd64 \
-  --tag build-nginx-terraform $DIR/images/nginx
-
-# build nginx and publish docker images to quay.io.
-# this can take up to two hours.
-docker run --rm -it \
-  --volume $DIR/images/nginx:/tf \
-  -w /tf \
-  -v ${AWS_FILE}:/root/aws.tfvars:ro \
-  -v ${ENV_FILE}:/root/env.tfvars:ro \
-  build-nginx-terraform
-
-docker rmi -f build-nginx-terraform
--- a/build/build-plugin.sh
+++ b/build/build-plugin.sh
@ -1,81 +0,0 @@
-#!/bin/bash
-
-# Copyright 2018 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-if [ -n "$DEBUG" ]; then
-	set -x
-fi
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-declare -a mandatory
-mandatory=(
-  PKG
-  ARCH
-  GIT_COMMIT
-  REPO_INFO
-  TAG
-)
-
-missing=false
-for var in "${mandatory[@]}"; do
-  if [[ -z "${!var:-}" ]]; then
-    echo "Environment variable $var must be set"
-    missing=true
-  fi
-done
-
-if [ "$missing" = true ]; then
-  exit 1
-fi
-
-export CGO_ENABLED=0
-# use vendor directory instead of go modules https://github.com/golang/go/wiki/Modules
-export GO111MODULE=off
-
-release=cmd/plugin/release
-
-function build_for_arch(){
-  os=$1
-  arch=$2
-  extension=$3
-
-  env GOOS="${os}" GOARCH="${arch}" go build \
-    "${GOBUILD_FLAGS}" \
-    -ldflags "-s -w \
-      -X ${PKG}/version.RELEASE=${TAG} \
-      -X ${PKG}/version.COMMIT=${GIT_COMMIT} \
-      -X ${PKG}/version.REPO=${REPO_INFO}" \
-    -o "${release}/kubectl-ingress_nginx${extension}" "${PKG}/cmd/plugin"
-
-    cp LICENSE ${release}
-    tar -C "${release}" -zcvf "${release}/kubectl-ingress_nginx-${os}-${arch}.tar.gz" "kubectl-ingress_nginx${extension}" LICENSE
-    rm "${release}/kubectl-ingress_nginx${extension}"
-    hash=$(sha256sum "${release}/kubectl-ingress_nginx-${os}-${arch}.tar.gz" | awk '{ print $1 }')
-    sed -i "s/%%%shasum_${os}_${arch}%%%/${hash}/g" "${release}/ingress-nginx.yaml"
-}
-
-rm -rf "${release}"
-mkdir "${release}"
-
-cp cmd/plugin/ingress-nginx.yaml.tmpl "${release}/ingress-nginx.yaml"
-
-sed -i "s/%%%tag%%%/${TAG}/g" ${release}/ingress-nginx.yaml
-
-build_for_arch darwin amd64 ''
-build_for_arch linux amd64 ''
-build_for_arch windows amd64 '.exe'
--- a/build/build.sh
+++ b/build/build.sh
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh

 # Copyright 2018 The Kubernetes Authors.
 #
@ -14,59 +14,56 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-if [ -n "$DEBUG" ]; then
-	set -x
-fi
+GO_BUILD_CMD="go build"
+
+#if [ -n "$DEBUG" ]; then
+#	set -x
+#	GO_BUILD_CMD="go build -v"
+#fi

 set -o errexit
 set -o nounset
 set -o pipefail

-declare -a mandatory
-mandatory=(
-  PKG
-  ARCH
-  GIT_COMMIT
-  REPO_INFO
-  TAG
-)

-missing=false
-for var in "${mandatory[@]}"; do
-  if [[ -z "${!var:-}" ]]; then
-    echo "Environment variable $var must be set"
-    missing=true
-  fi
-done
-
-if [ "$missing" = true ]; then
-  exit 1
+if [ -z "$PKG" ] || [ -z "$ARCH" ] || [ -z "$COMMIT_SHA" ] || [ -z "$REPO_INFO" ] || [ -z "$TAG" ]; then
+  echo "Environments PKG, ARCH, COMMIT_SHA, REPO_INFO and TAG are required"
+  exit 1 
 fi

+
 export CGO_ENABLED=0
-export GOARCH=${ARCH}
+export GOARCH="${ARCH}"

-go build \
-  "${GOBUILD_FLAGS}" \
-  -ldflags "-s -w \
-    -X ${PKG}/version.RELEASE=${TAG} \
-    -X ${PKG}/version.COMMIT=${GIT_COMMIT} \
-    -X ${PKG}/version.REPO=${REPO_INFO}" \
-  -o "bin/${ARCH}/nginx-ingress-controller" "${PKG}/cmd/nginx"
+TARGETS_DIR="rootfs/bin/${ARCH}"
+echo "Building targets for ${ARCH}, generated targets in ${TARGETS_DIR} directory."

-go build \
-  "${GOBUILD_FLAGS}" \
-  -ldflags "-s -w \
-    -X ${PKG}/version.RELEASE=${TAG} \
-    -X ${PKG}/version.COMMIT=${GIT_COMMIT} \
-    -X ${PKG}/version.REPO=${REPO_INFO}" \
-  -o "bin/${ARCH}/dbg" "${PKG}/cmd/dbg"
+echo "Building ${PKG}/cmd/nginx"

+${GO_BUILD_CMD} \
+  -trimpath -ldflags="-buildid= -w -s \
+  -X ${PKG}/version.RELEASE=${TAG} \
+  -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
+  -X ${PKG}/version.REPO=${REPO_INFO}" \
+  -buildvcs=false \
+  -o "${TARGETS_DIR}/nginx-ingress-controller" "${PKG}/cmd/nginx"

-go build \
-  "${GOBUILD_FLAGS}" \
-  -ldflags "-s -w \
-    -X ${PKG}/version.RELEASE=${TAG} \
-    -X ${PKG}/version.COMMIT=${GIT_COMMIT} \
-    -X ${PKG}/version.REPO=${REPO_INFO}" \
-  -o "bin/${ARCH}/wait-shutdown" "${PKG}/cmd/waitshutdown"
+echo "Building ${PKG}/cmd/dbg"
+
+${GO_BUILD_CMD} \
+  -trimpath -ldflags="-buildid= -w -s \
+  -X ${PKG}/version.RELEASE=${TAG} \
+  -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
+  -X ${PKG}/version.REPO=${REPO_INFO}" \
+  -buildvcs=false \
+  -o "${TARGETS_DIR}/dbg" "${PKG}/cmd/dbg"
+
+echo "Building ${PKG}/cmd/waitshutdown"
+
+${GO_BUILD_CMD} \
+  -trimpath -ldflags="-buildid= -w -s \
+  -X ${PKG}/version.RELEASE=${TAG} \
+  -X ${PKG}/version.COMMIT=${COMMIT_SHA} \
+  -X ${PKG}/version.REPO=${REPO_INFO}" \
+  -buildvcs=false \
+  -o "${TARGETS_DIR}/wait-shutdown" "${PKG}/cmd/waitshutdown"
--- a/build/cover.sh
+++ b/build/cover.sh
@ -27,11 +27,6 @@ if [ -z "${PKG}" ]; then
  exit 1
 fi

-export CGO_ENABLED=1
-export GODEBUG=netdns=cgo+2
-# use vendor directory instead of go modules https://github.com/golang/go/wiki/Modules
-export GO111MODULE=off
-
 rm -rf coverage.txt
 for d in $(go list "${PKG}/..." | grep -v vendor | grep -v '/test/e2e' | grep -v images); do
  t=$(date +%s);
--- a/build/dev-env.sh
+++ b/build/dev-env.sh
@ -25,10 +25,9 @@ set -o pipefail
 DIR=$(cd $(dirname "${BASH_SOURCE}") && pwd -P)

 export TAG=1.0.0-dev
-export ARCH=amd64
 export REGISTRY=${REGISTRY:-ingress-controller}

-DEV_IMAGE=${REGISTRY}/nginx-ingress-controller:${TAG}
+DEV_IMAGE=${REGISTRY}/controller:${TAG}

 if ! command -v kind &> /dev/null; then
  echo "kind is not installed"
@ -37,12 +36,7 @@ if ! command -v kind &> /dev/null; then
 fi

 if ! command -v kubectl &> /dev/null; then
-  echo "Please install kubectl 1.15 or higher"
-  exit 1
-fi
-
-if ! docker buildx version &> /dev/null; then
-  echo "Make sure you have Docker 19.03 or higher and experimental features enabled"
+  echo "Please install kubectl 1.24.0 or higher"
  exit 1
 fi

@ -51,44 +45,32 @@ if ! command -v helm &> /dev/null; then
  exit 1
 fi

-KUBE_CLIENT_VERSION=$(kubectl version --client --short | awk '{print $3}' | cut -d. -f2) || true
-if [[ ${KUBE_CLIENT_VERSION} -lt 14 ]]; then
-  echo "Please update kubectl to 1.15 or higher"
+function ver { printf "%d%03d%03d" $(echo "$1" | tr '.' ' '); }
+
+HELM_VERSION=$(helm version 2>&1 | cut -f1 -d"," | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') || true
+echo $HELM_VERSION
+if [[ $(ver $HELM_VERSION) -lt $(ver "3.10.0") ]]; then
+  echo "Please upgrade helm to v3.10.0 or higher"
  exit 1
 fi

-echo "[dev-env] building container"
-make build container
-docker tag "${REGISTRY}/nginx-ingress-controller-${ARCH}:${TAG}" "${DEV_IMAGE}"
+KUBE_CLIENT_VERSION=$(kubectl version --client -oyaml 2>/dev/null | grep "minor:" | awk '{print $2}' | tr -d '"') || true
+if [[ ${KUBE_CLIENT_VERSION} -lt 24 ]]; then
+  echo "Please update kubectl to 1.24.2 or higher"
+  exit 1
+fi

-export K8S_VERSION=${K8S_VERSION:-v1.18.0@sha256:0e20578828edd939d25eb98496a685c76c98d54084932f76069f886ec315d694}
+echo "[dev-env] building image"
+make build image
+docker tag "${REGISTRY}/controller:${TAG}" "${DEV_IMAGE}"

-export DOCKER_CLI_EXPERIMENTAL=enabled
+export K8S_VERSION=${K8S_VERSION:-v1.32.0@sha256:c48c62eac5da28cdadcf560d1d8616cfa6783b58f0d94cf63ad1bf49600cb027}

 KIND_CLUSTER_NAME="ingress-nginx-dev"

 if ! kind get clusters -q | grep -q ${KIND_CLUSTER_NAME}; then
-echo "[dev-env] creating Kubernetes cluster with kind"
-cat <<EOF | kind create cluster --name ${KIND_CLUSTER_NAME} --image "kindest/node:${K8S_VERSION}" --config=-
-kind: Cluster
-apiVersion: kind.x-k8s.io/v1alpha4
-nodes:
- role: control-plane
-  kubeadmConfigPatches:
-  - |
-    kind: InitConfiguration
-    nodeRegistration:
-      kubeletExtraArgs:
-        node-labels: "ingress-ready=true"
-        authorization-mode: "AlwaysAllow"
-  extraPortMappings:
-  - containerPort: 80
-    hostPort: 80
-    protocol: TCP
-  - containerPort: 443
-    hostPort: 443
-    protocol: TCP
-EOF
+  echo "[dev-env] creating Kubernetes cluster with kind"
+  kind create cluster --name ${KIND_CLUSTER_NAME} --image "kindest/node:${K8S_VERSION}" --config ${DIR}/kind.yaml
 else
  echo "[dev-env] using existing Kubernetes kind cluster"
 fi
@ -102,8 +84,9 @@ kubectl create namespace ingress-nginx &> /dev/null || true
 cat << EOF | helm template ingress-nginx ${DIR}/../charts/ingress-nginx --namespace=ingress-nginx --values - | kubectl apply -n ingress-nginx -f -
 controller:
  image:
-    repository: ${REGISTRY}/nginx-ingress-controller
+    repository: ${REGISTRY}/controller
    tag: ${TAG}
+    digest:
  config:
    worker-processes: "1"
  podLabels:
--- a/build/images/ingress-controller/.dockerignore
+++ b/build/images/ingress-controller/.dockerignore
@ -1 +0,0 @@
-*.tfvars
--- a/build/images/ingress-controller/.gitignore
+++ b/build/images/ingress-controller/.gitignore
@ -1,7 +0,0 @@
-.terraform*
-terraform*
-*.tfstate
-*.tfstate.backup
-id_rsa*
-aws.tfvars
-env.tfvars
--- a/build/images/ingress-controller/Dockerfile
+++ b/build/images/ingress-controller/Dockerfile
@ -1,19 +0,0 @@
-FROM k8s.gcr.io/debian-base:v2.0.0
-
-ENV TERRAFORM_VERSION 0.12.19
-
-RUN clean-install \
-    bash \
-    curl \
-    ca-certificates \
-    unzip \
-    git \
-    openssh-client
-
-RUN curl -sSL -o /terraform.zip "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" \
-    && unzip /terraform.zip -d /usr/bin \
-    && rm -rf /terraform.zip
-
-COPY entrypoint.sh /
-
-CMD [ "/entrypoint.sh" ]
--- a/build/images/ingress-controller/build-ingress-controller.sh
+++ b/build/images/ingress-controller/build-ingress-controller.sh
@ -1,97 +0,0 @@
-#!/bin/bash
-
-# Copyright 2019 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-function source_tfvars() {
-  eval "$(
-    awk 'BEGIN {FS=OFS="="}
-    !/^(#| *$)/ && /^.+=.+$/ {
-      gsub(/^[ \t]+|[ \t]+$/, "", $1);
-      gsub(/\./, "_", $1);
-      gsub(/^[ \t]+|[ \t]+$/, "", $2);
-      if ($1 && $2) print $0
-    }' "$@"
-  )"
-}
-
-source_tfvars /tmp/env
-
-export DEBIAN_FRONTEND=noninteractive
-
-apt -q=3 update
-
-apt -q=3 dist-upgrade --yes
-
-add-apt-repository universe   --yes
-add-apt-repository multiverse --yes
-
-apt -q=3 update
-
-apt -q=3 install \
-  apt-transport-https \
-  ca-certificates \
-  curl \
-  make \
-  htop \
-  software-properties-common --yes
-
-curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
-
-add-apt-repository \
-  "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
-  $(lsb_release -cs) \
-  stable" --yes
-
-apt -q=3 update
-
-apt -q=3 install docker-ce --yes
-
-echo ${docker_password} | docker login -u ${docker_username} --password-stdin quay.io
-
-curl -sL -o /usr/local/bin/gimme https://raw.githubusercontent.com/travis-ci/gimme/master/gimme
-chmod +x /usr/local/bin/gimme
-
-eval "$(gimme 1.14.2)"
-
-export GOPATH="/tmp/go"
-
-INGRESS_DIRECTORY="${GOPATH}/src/k8s.io"
-
-mkdir -p ${INGRESS_DIRECTORY}
-cd ${INGRESS_DIRECTORY}
-
-git clone https://github.com/kubernetes/ingress-nginx
-
-cd ingress-nginx
-
-export DOCKER_CLI_EXPERIMENTAL=enabled
-
-make init-docker-buildx
-docker buildx use ingress-nginx --default --global
-
-# disable docker in docker tasks
-export DIND_TASKS=0
-
-echo "Building NGINX image..."
-ARCH=amd64 make build container push
-ARCH=arm   make build container push
-ARCH=arm64 make build container push
-
-echo "Creating multi-arch images..."
-make push-manifest
--- a/build/images/ingress-controller/entrypoint.sh
+++ b/build/images/ingress-controller/entrypoint.sh
@ -1,54 +0,0 @@
-#!/bin/bash
-
-# Copyright 2019 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-catch() {
-  if [ "$1" == "0" ]; then
-    exit 0
-  fi
-
-  echo "Error $1 occurred on $2"
-
-  echo "Removing temporal resources..."
-  terraform destroy -auto-approve \
-    -var-file /root/aws.tfvars \
-    -var-file /root/env.tfvars \
-    -var valid_until="${EC2_VALID_UNTIL}"
-}
-trap 'catch $? $LINENO' ERR
-
-terraform init
-
-# destroy spot instance after two hours
-EC2_VALID_UNTIL=$(date -d "+2 hours" +%Y-%m-%dT%H:%M:%SZ)
-
-terraform plan \
-  -var-file /root/aws.tfvars \
-  -var-file /root/env.tfvars \
-  -var valid_until="${EC2_VALID_UNTIL}"
-
-terraform apply -auto-approve \
-  -var-file /root/aws.tfvars \
-  -var-file /root/env.tfvars \
-  -var valid_until="${EC2_VALID_UNTIL}"
-
-terraform destroy -auto-approve \
-  -var-file /root/aws.tfvars \
-  -var-file /root/env.tfvars \
-  -var valid_until="${EC2_VALID_UNTIL}"
--- a/build/images/ingress-controller/main.tf
+++ b/build/images/ingress-controller/main.tf
@ -1,184 +0,0 @@
-terraform {
-  backend "local" {
-    path = "terraform.tfstate"
-  }
-}
-
-provider "aws" {
-  access_key = var.access_key
-  secret_key = var.secret_key
-  region     = var.region
-}
-
-resource "aws_vpc" "vpc" {
-  cidr_block           = var.cidr_vpc
-  enable_dns_support   = true
-  enable_dns_hostnames = true
-  tags = {
-    "Project" = var.project_tag
-  }
-}
-
-resource "aws_internet_gateway" "igw" {
-  vpc_id = aws_vpc.vpc.id
-  tags = {
-    "Project" = var.project_tag
-  }
-}
-
-resource "aws_subnet" "subnet_public" {
-  vpc_id                  = aws_vpc.vpc.id
-  cidr_block              = var.cidr_subnet
-  map_public_ip_on_launch = "true"
-  availability_zone       = var.availability_zone
-  tags = {
-    "Project" = var.project_tag
-  }
-}
-
-resource "aws_route_table" "rtb_public" {
-  vpc_id = aws_vpc.vpc.id
-
-  route {
-    cidr_block = "0.0.0.0/0"
-    gateway_id = aws_internet_gateway.igw.id
-  }
-
-  tags = {
-    "Project" = var.project_tag
-  }
-}
-
-resource "aws_route_table_association" "rta_subnet_public" {
-  subnet_id      = aws_subnet.subnet_public.id
-  route_table_id = aws_route_table.rtb_public.id
-}
-
-resource "aws_security_group" "allow_ssh" {
-  name   = "ssh"
-  vpc_id = aws_vpc.vpc.id
-
-  ingress {
-    from_port   = 22
-    to_port     = 22
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = {
-    "Project" = var.project_tag
-  }
-}
-
-resource "tls_private_key" "bootstrap_private_key" {
-    algorithm = "RSA"
-    rsa_bits  = "4096"
-}
-
-resource "aws_key_pair" "ssh_key" {
-  key_name   = "ssh-key_${var.project_tag}"
-  public_key = chomp(tls_private_key.bootstrap_private_key.public_key_openssh)
-}
-
-resource "local_file" "public_key_openssh" {
-  count      = 1
-  depends_on = [tls_private_key.bootstrap_private_key]
-  content    = tls_private_key.bootstrap_private_key.public_key_pem
-  filename   = "id_rsa.pub"
-}
-
-resource "local_file" "private_key_openssh" {
-  count      = 1
-  depends_on = [tls_private_key.bootstrap_private_key]
-  content    = tls_private_key.bootstrap_private_key.private_key_pem
-  filename   = "id_rsa"
-}
-
-data "aws_ami" "latest-ubuntu" {
-  most_recent = true
-
-  owners = ["099720109477"]
-
-  filter {
-    name   = "name"
-    values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"]
-  }
-
-  filter {
-    name   = "virtualization-type"
-    values = ["hvm"]
-  }
-
-  filter {
-    name = "root-device-type"
-    values = ["ebs"]
-  }
-
-  filter {
-    name = "block-device-mapping.volume-type"
-    values = ["gp2"]
-  }
-}
-
-resource "aws_spot_instance_request" "build_worker" {
-  ami                    = data.aws_ami.latest-ubuntu.id
-  instance_type          = var.instance_type
-  subnet_id              = aws_subnet.subnet_public.id
-  vpc_security_group_ids = [aws_security_group.allow_ssh.id]
-
-  valid_until = var.valid_until
-
-  key_name = aws_key_pair.ssh_key.key_name
-
-  spot_price = "2"
-  spot_type = "one-time"
-
-  ebs_optimized = true
-
-  root_block_device {
-    volume_size           = 32
-    volume_type           = "gp2"
-    delete_on_termination = true
-  }
-
-  wait_for_fulfillment = true
-  instance_initiated_shutdown_behavior = "terminate"
-
-  associate_public_ip_address = true
-
-  tags = {
-    "Project" = var.project_tag
-  }
-
-  connection {
-    host        = coalesce(self.public_ip, self.private_ip)
-    type        = "ssh"
-    user        = "ubuntu"
-    private_key = tls_private_key.bootstrap_private_key.private_key_pem
-  }
-
-  provisioner "file" {
-    source      = "build-ingress-controller.sh"
-    destination = "/tmp/build-ingress-controller.sh"
-  }
-
-  provisioner "file" {
-    source      = "/root/env.tfvars"
-    destination = "/tmp/env"
-  }
-
-  provisioner "remote-exec" {
-    inline = [
-      "echo Building ingress controller images...",
-      "chmod +x /tmp/build-ingress-controller.sh",
-      "sudo /tmp/build-ingress-controller.sh",
-    ]
-  }
-}
--- a/build/images/ingress-controller/variables.tf
+++ b/build/images/ingress-controller/variables.tf
@ -1,52 +0,0 @@
-variable "access_key" {
-}
-
-variable "secret_key" {
-}
-
-variable "valid_until" {
-}
-
-variable "docker_username" {
-}
-
-variable "docker_password" {
-}
-
-variable "region" {
-  default = "us-west-2"
-}
-
-variable "cidr_vpc" {
-  description = "CIDR block for the VPC"
-  default     = "10.4.0.0/16"
-}
-
-variable "cidr_subnet" {
-  description = "CIDR block for the subnet"
-  default     = "10.4.0.0/24"
-}
-
-variable "availability_zone" {
-  description = "availability zone to create subnet"
-  default     = "us-west-2b"
-}
-
-variable "ssh_key_path" {
-  description = "Path to the SSH key"
-  default     = "~/.ssh/id_rsa"
-}
-
-variable "ssh_public_key_path" {
-  description = "Path to the public SSH key"
-  default     = "~/.ssh/id_rsa.pub"
-}
-
-variable "instance_type" {
-  description = "EC2 instance"
-  default     = "c5.18xlarge"
-}
-
-variable "project_tag" {
-  default = "kubernetes/ingress-nginx"
-}
--- a/build/images/ingress-controller/versions.tf
+++ b/build/images/ingress-controller/versions.tf
@ -1,11 +0,0 @@
-
-terraform {
-  required_version = ">= 0.12"
-
-  required_providers {
-    aws   = "~> 2.0"
-    tls   = "~> 2.0"
-    local = "~> 1.3"
-    null  = "~> 2.1"
-  }
-}
--- a/build/images/nginx/.dockerignore
+++ b/build/images/nginx/.dockerignore
@ -1 +0,0 @@
-*.tfvars
--- a/build/images/nginx/.gitignore
+++ b/build/images/nginx/.gitignore
@ -1,7 +0,0 @@
-.terraform*
-terraform*
-*.tfstate
-*.tfstate.backup
-id_rsa*
-aws.tfvars
-env.tfvars
--- a/build/images/nginx/Dockerfile
+++ b/build/images/nginx/Dockerfile
@ -1,19 +0,0 @@
-FROM k8s.gcr.io/debian-base:v2.0.0
-
-ENV TERRAFORM_VERSION 0.12.19
-
-RUN clean-install \
-    bash \
-    curl \
-    ca-certificates \
-    unzip \
-    git \
-    openssh-client
-
-RUN curl -sSL -o /terraform.zip "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" \
-    && unzip /terraform.zip -d /usr/bin \
-    && rm -rf /terraform.zip
-
-COPY entrypoint.sh /
-
-CMD [ "/entrypoint.sh" ]
--- a/build/images/nginx/build-nginx.sh
+++ b/build/images/nginx/build-nginx.sh
@ -1,85 +0,0 @@
-#!/bin/bash
-
-# Copyright 2019 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-function source_tfvars() {
-  eval "$(
-    awk 'BEGIN {FS=OFS="="}
-    !/^(#| *$)/ && /^.+=.+$/ {
-      gsub(/^[ \t]+|[ \t]+$/, "", $1);
-      gsub(/\./, "_", $1);
-      gsub(/^[ \t]+|[ \t]+$/, "", $2);
-      if ($1 && $2) print $0
-    }' "$@"
-  )"
-}
-
-source_tfvars /tmp/env
-
-export DEBIAN_FRONTEND=noninteractive
-export AR_FLAGS=cr
-
-apt -q=3 update
-
-apt -q=3 dist-upgrade --yes
-
-add-apt-repository universe   --yes
-add-apt-repository multiverse --yes
-
-apt -q=3 update
-
-apt -q=3 install \
-  apt-transport-https \
-  ca-certificates \
-  curl \
-  make \
-  htop \
-  software-properties-common --yes
-
-curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
-
-add-apt-repository \
-  "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
-  $(lsb_release -cs) \
-  stable" --yes
-
-apt -q=3 update
-
-apt -q=3 install docker-ce --yes
-
-export DOCKER_CLI_EXPERIMENTAL=enabled
-
-echo ${docker_password} | docker login -u ${docker_username} --password-stdin quay.io
-
-curl -sL -o /usr/local/bin/gimme https://raw.githubusercontent.com/travis-ci/gimme/master/gimme
-chmod +x /usr/local/bin/gimme
-
-eval "$(gimme 1.14.2)"
-
-git clone https://github.com/kubernetes/ingress-nginx
-
-cd ingress-nginx/images/nginx
-
-export TAG=$(git rev-parse HEAD)
-
-make init-docker-buildx
-docker buildx use ingress-nginx --default --global
-
-echo "Building NGINX images..."
-make release
--- a/build/images/nginx/entrypoint.sh
+++ b/build/images/nginx/entrypoint.sh
@ -1,54 +0,0 @@
-#!/bin/bash
-
-# Copyright 2019 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-catch() {
-  if [ "$1" == "0" ]; then
-    exit 0
-  fi
-
-  echo "Error $1 occurred on $2"
-
-  echo "Removing temporal resources..."
-  terraform destroy -auto-approve \
-    -var-file /root/aws.tfvars \
-    -var-file /root/env.tfvars \
-    -var valid_until="${EC2_VALID_UNTIL}"
-}
-trap 'catch $? $LINENO' ERR
-
-terraform init
-
-# destroy spot instance after two hours
-EC2_VALID_UNTIL=$(date -d "+2 hours" +%Y-%m-%dT%H:%M:%SZ)
-
-terraform plan \
-  -var-file /root/aws.tfvars \
-  -var-file /root/env.tfvars \
-  -var valid_until="${EC2_VALID_UNTIL}"
-
-terraform apply -auto-approve \
-  -var-file /root/aws.tfvars \
-  -var-file /root/env.tfvars \
-  -var valid_until="${EC2_VALID_UNTIL}"
-
-terraform destroy -auto-approve \
-  -var-file /root/aws.tfvars \
-  -var-file /root/env.tfvars \
-  -var valid_until="${EC2_VALID_UNTIL}"
--- a/build/images/nginx/main.tf
+++ b/build/images/nginx/main.tf
@ -1,184 +0,0 @@
-terraform {
-  backend "local" {
-    path = "terraform.tfstate"
-  }
-}
-
-provider "aws" {
-  access_key = var.access_key
-  secret_key = var.secret_key
-  region     = var.region
-}
-
-resource "aws_vpc" "vpc" {
-  cidr_block           = var.cidr_vpc
-  enable_dns_support   = true
-  enable_dns_hostnames = true
-  tags = {
-    "Project" = var.project_tag
-  }
-}
-
-resource "aws_internet_gateway" "igw" {
-  vpc_id = aws_vpc.vpc.id
-  tags = {
-    "Project" = var.project_tag
-  }
-}
-
-resource "aws_subnet" "subnet_public" {
-  vpc_id                  = aws_vpc.vpc.id
-  cidr_block              = var.cidr_subnet
-  map_public_ip_on_launch = "true"
-  availability_zone       = var.availability_zone
-  tags = {
-    "Project" = var.project_tag
-  }
-}
-
-resource "aws_route_table" "rtb_public" {
-  vpc_id = aws_vpc.vpc.id
-
-  route {
-    cidr_block = "0.0.0.0/0"
-    gateway_id = aws_internet_gateway.igw.id
-  }
-
-  tags = {
-    "Project" = var.project_tag
-  }
-}
-
-resource "aws_route_table_association" "rta_subnet_public" {
-  subnet_id      = aws_subnet.subnet_public.id
-  route_table_id = aws_route_table.rtb_public.id
-}
-
-resource "aws_security_group" "allow_ssh" {
-  name   = "ssh"
-  vpc_id = aws_vpc.vpc.id
-
-  ingress {
-    from_port   = 22
-    to_port     = 22
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = {
-    "Project" = var.project_tag
-  }
-}
-
-resource "tls_private_key" "bootstrap_private_key" {
-    algorithm = "RSA"
-    rsa_bits  = "4096"
-}
-
-resource "aws_key_pair" "ssh_key" {
-  key_name   = "ssh-key_${var.project_tag}"
-  public_key = chomp(tls_private_key.bootstrap_private_key.public_key_openssh)
-}
-
-resource "local_file" "public_key_openssh" {
-  count      = 1
-  depends_on = [tls_private_key.bootstrap_private_key]
-  content    = tls_private_key.bootstrap_private_key.public_key_pem
-  filename   = "id_rsa.pub"
-}
-
-resource "local_file" "private_key_openssh" {
-  count      = 1
-  depends_on = [tls_private_key.bootstrap_private_key]
-  content    = tls_private_key.bootstrap_private_key.private_key_pem
-  filename   = "id_rsa"
-}
-
-data "aws_ami" "latest-ubuntu" {
-  most_recent = true
-
-  owners = ["099720109477"]
-
-  filter {
-    name   = "name"
-    values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"]
-  }
-
-  filter {
-    name   = "virtualization-type"
-    values = ["hvm"]
-  }
-
-  filter {
-    name = "root-device-type"
-    values = ["ebs"]
-  }
-
-  filter {
-    name = "block-device-mapping.volume-type"
-    values = ["gp2"]
-  }
-}
-
-resource "aws_spot_instance_request" "build_worker" {
-  ami                    = data.aws_ami.latest-ubuntu.id
-  instance_type          = var.instance_type
-  subnet_id              = aws_subnet.subnet_public.id
-  vpc_security_group_ids = [aws_security_group.allow_ssh.id]
-
-  valid_until = var.valid_until
-
-  key_name = aws_key_pair.ssh_key.key_name
-
-  spot_price = "2"
-  spot_type = "one-time"
-
-  ebs_optimized = true
-
-  root_block_device {
-    volume_size           = 32
-    volume_type           = "gp2"
-    delete_on_termination = true
-  }
-
-  wait_for_fulfillment = true
-  instance_initiated_shutdown_behavior = "terminate"
-
-  associate_public_ip_address = true
-
-  tags = {
-    "Project" = var.project_tag
-  }
-
-  connection {
-    host        = coalesce(self.public_ip, self.private_ip)
-    type        = "ssh"
-    user        = "ubuntu"
-    private_key = tls_private_key.bootstrap_private_key.private_key_pem
-  }
-
-  provisioner "file" {
-    source      = "build-nginx.sh"
-    destination = "/tmp/build-nginx.sh"
-  }
-
-  provisioner "file" {
-    source      = "/root/env.tfvars"
-    destination = "/tmp/env"
-  }
-
-  provisioner "remote-exec" {
-    inline = [
-      "echo Building nginx images...",
-      "chmod +x /tmp/build-nginx.sh",
-      "sudo /tmp/build-nginx.sh",
-    ]
-  }
-}
--- a/build/images/nginx/variables.tf
+++ b/build/images/nginx/variables.tf
@ -1,52 +0,0 @@
-variable "access_key" {
-}
-
-variable "secret_key" {
-}
-
-variable "valid_until" {
-}
-
-variable "docker_username" {
-}
-
-variable "docker_password" {
-}
-
-variable "region" {
-  default = "us-west-2"
-}
-
-variable "cidr_vpc" {
-  description = "CIDR block for the VPC"
-  default     = "10.4.0.0/16"
-}
-
-variable "cidr_subnet" {
-  description = "CIDR block for the subnet"
-  default     = "10.4.0.0/24"
-}
-
-variable "availability_zone" {
-  description = "availability zone to create subnet"
-  default     = "us-west-2b"
-}
-
-variable "ssh_key_path" {
-  description = "Path to the SSH key"
-  default     = "~/.ssh/id_rsa"
-}
-
-variable "ssh_public_key_path" {
-  description = "Path to the public SSH key"
-  default     = "~/.ssh/id_rsa.pub"
-}
-
-variable "instance_type" {
-  description = "EC2 instance"
-  default     = "c5.18xlarge"
-}
-
-variable "project_tag" {
-  default = "kubernetes/ingress-nginx"
-}
--- a/build/images/nginx/versions.tf
+++ b/build/images/nginx/versions.tf
@ -1,11 +0,0 @@
-
-terraform {
-  required_version = ">= 0.12"
-
-  required_providers {
-    aws   = "~> 2.0"
-    tls   = "~> 2.0"
-    local = "~> 1.3"
-    null  = "~> 2.1"
-  }
-}
--- a/build/kind.yaml
+++ b/build/kind.yaml
@ -0,0 +1,18 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+  - role: control-plane
+    kubeadmConfigPatches:
+      - |
+        kind: InitConfiguration
+        nodeRegistration:
+          kubeletExtraArgs:
+            node-labels: "ingress-ready=true"
+            authorization-mode: "AlwaysAllow"
+    extraPortMappings:
+      - containerPort: 80
+        hostPort: 80
+        protocol: TCP
+      - containerPort: 443
+        hostPort: 443
+        protocol: TCP
--- a/build/run-e2e-suite.sh
+++ b/build/run-e2e-suite.sh
@ -1,83 +0,0 @@
-#!/bin/bash
-
-# Copyright 2018 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-if ! [ -z "$DEBUG" ]; then
-	set -x
-fi
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-RED='\e[35m'
-NC='\e[0m'
-BGREEN='\e[32m'
-
-declare -a mandatory
-mandatory=(
-  E2E_NODES
-  SLOW_E2E_THRESHOLD
-)
-
-missing=false
-for var in "${mandatory[@]}"; do
-  if [[ -z "${!var:-}" ]]; then
-    echo -e "${RED}Environment variable $var must be set${NC}"
-    missing=true
-  fi
-done
-
-if [ "$missing" = true ]; then
-  exit 1
-fi
-
-function cleanup {
-  kubectl delete pod e2e 2>/dev/null || true
-}
-trap cleanup EXIT
-
-E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS:-}
-FOCUS=${FOCUS:-.*}
-
-export E2E_CHECK_LEAKS
-export FOCUS
-
-echo -e "${BGREEN}Granting permissions to ingress-nginx e2e service account...${NC}"
-kubectl create serviceaccount ingress-nginx-e2e || true
-kubectl create clusterrolebinding permissive-binding \
-  --clusterrole=cluster-admin \
-  --user=admin \
-  --user=kubelet \
-  --serviceaccount=default:ingress-nginx-e2e || true
-
-echo -e "${BGREEN}Waiting service account...${NC}"; \
-until kubectl get secret | grep -q -e ^ingress-nginx-e2e-token; do \
-  echo -e "waiting for api token"; \
-  sleep 3; \
-done
-
-echo -e "Starting the e2e test pod"
-
-kubectl run --rm \
-  --attach \
-  --restart=Never \
-  --generator=run-pod/v1 \
-  --env="E2E_NODES=${E2E_NODES}" \
-  --env="FOCUS=${FOCUS}" \
-  --env="E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS}" \
-  --env="SLOW_E2E_THRESHOLD=${SLOW_E2E_THRESHOLD}" \
-  --overrides='{ "apiVersion": "v1", "spec":{"serviceAccountName": "ingress-nginx-e2e"}}' \
-  e2e --image=nginx-ingress-controller:e2e
--- a/build/run-in-docker.sh
+++ b/build/run-in-docker.sh
@ -14,29 +14,42 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-if [ -n "$DEBUG" ]; then
+DEBUG=${DEBUG:-"false"}
+if [ "$DEBUG" == "true" ]; then
  set -x
 fi

+RUNTIME=${RUNTIME:-"docker"}
+
 set -o errexit
 set -o nounset
 set -o pipefail

 # temporal directory for the /etc/ingress-controller directory
-INGRESS_VOLUME=$(mktemp -d)
-
 if [[ "$OSTYPE" == darwin* ]]; then
-  INGRESS_VOLUME=/private$INGRESS_VOLUME
+  mkdir -p "tmp"
+  INGRESS_VOLUME=$(pwd)/$(mktemp -d tmp/XXXXXX)
+else
+  INGRESS_VOLUME=$(mktemp -d)
 fi

+# make sure directory for SSL cert storage exists under ingress volume
+mkdir "${INGRESS_VOLUME}/ssl"
+
 function cleanup {
  rm -rf "${INGRESS_VOLUME}"
 }
 trap cleanup EXIT

-E2E_IMAGE=quay.io/kubernetes-ingress-controller/e2e:v04212020-5d67794f4
+E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20250112-a188f4eb@sha256:043038b1e30e5a0b64f3f919f096c5c9488ac3f617ac094b07fb9db8215f9441}
+
+if [[ "$RUNTIME" == podman ]]; then
+  # Podman does not support both tag and digest
+  E2E_IMAGE=$(echo $E2E_IMAGE | awk -F "@sha" '{print $1}')
+fi

 DOCKER_OPTS=${DOCKER_OPTS:-}
+DOCKER_IN_DOCKER_ENABLED=${DOCKER_IN_DOCKER_ENABLED:-}

 KUBE_ROOT=$(cd $(dirname "${BASH_SOURCE}")/.. && pwd -P)

@ -51,18 +64,33 @@ fi
 # create output directory as current user to avoid problem with docker.
 mkdir -p "${KUBE_ROOT}/bin" "${KUBE_ROOT}/bin/${ARCH}"

-docker run                                            \
-  --tty                                               \
-  --rm                                                \
-  ${DOCKER_OPTS}                                      \
-  -e GOCACHE="/go/src/${PKG}/.cache"                  \
-  -e GO111MODULE=off                                  \
-  -e DIND_TASKS=0                                     \
-  -v "${HOME}/.kube:${HOME}/.kube"                    \
-  -v "${KUBE_ROOT}:/go/src/${PKG}"                    \
-  -v "${KUBE_ROOT}/bin/${ARCH}:/go/bin/linux_${ARCH}" \
-  -v "/var/run/docker.sock:/var/run/docker.sock"      \
-  -v "${INGRESS_VOLUME}:/etc/ingress-controller/"     \
-  -w "/go/src/${PKG}"                                 \
-  -u $(id -u ${USER}):$(id -g ${USER})                \
-  ${E2E_IMAGE} /bin/bash -c "${FLAGS}"
+PLATFORM="${PLATFORM:-}"
+if [[ -n "$PLATFORM" ]]; then
+  PLATFORM_FLAG=--platform
+else
+  PLATFORM_FLAG=
+fi
+
+USER=${USER:-nobody}
+
+USE_SHELL=${USE_SHELL:-"/bin/bash"}
+
+if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then
+  echo "..reached DIND check TRUE block, inside run-in-docker.sh"
+  echo "FLAGS=$FLAGS"
+  #go env
+  go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.22.2
+  find / -type f -name ginkgo 2>/dev/null
+  which ginkgo
+  /bin/bash -c "${FLAGS}"
+else
+  echo "Reached DIND check ELSE block, inside run-in-docker.sh"
+
+  args="${PLATFORM_FLAG} ${PLATFORM} --tty --rm ${DOCKER_OPTS} -e DEBUG=${DEBUG} -e GOCACHE="/go/src/${PKG}/.cache" -e GOMODCACHE="/go/src/${PKG}/.modcache" -e DOCKER_IN_DOCKER_ENABLED="true" -v "${HOME}/.kube:${HOME}/.kube" -v "${KUBE_ROOT}:/go/src/${PKG}" -v "${KUBE_ROOT}/bin/${ARCH}:/go/bin/linux_${ARCH}" -v "${INGRESS_VOLUME}:/etc/ingress-controller/" -w "/go/src/${PKG}""
+
+  if [[ "$RUNTIME" == "docker" ]]; then
+    args="$args -v /var/run/docker.sock:/var/run/docker.sock"
+  fi
+
+  ${RUNTIME} run $args ${E2E_IMAGE} ${USE_SHELL} -c "${FLAGS}"
+fi
--- a/build/run-ingress-controller.sh
+++ b/build/run-ingress-controller.sh
@ -49,7 +49,7 @@ fi
 SSL_VOLUME=$(mktemp -d)

 function cleanup {
-    echo -e "${BGREEN}Stoping kubectl proxy${NC}"
+    echo -e "${BGREEN}Stopping kubectl proxy${NC}"
    rm -rf "${SSL_VOLUME}"
    kill "$proxy_pid"
 }
@ -76,7 +76,7 @@ if [[ "${USE_EXISTING_IMAGE}" == "true" ]]; then
  docker pull "${IMAGE}-${ARCH}:${TAG}"
 else
  echo -e "${BGREEN}Building ingress controller image${NC}"
-  make -C "${KUBE_ROOT}" build "sub-container-${ARCH}"
+  make -C "${KUBE_ROOT}" build "sub-image-${ARCH}"
 fi

 CONTEXT=$(kubectl config current-context)
--- a/build/test-lua.sh
+++ b/build/test-lua.sh
@ -1,36 +0,0 @@
-#!/bin/bash
-
-# Copyright 2018 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-if [ -n "$DEBUG" ]; then
-	set -x
-fi
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-BUSTED_ARGS="-v --pattern=_test"
-
-resty \
-  -I ./rootfs/etc/nginx/lua \
-  --shdict "configuration_data 5M" \
-  --shdict "certificate_data 16M" \
-  --shdict "certificate_servers 1M" \
-  --shdict "balancer_ewma 1M" \
-  --shdict "balancer_ewma_last_touched_at 1M" \
-  --shdict "balancer_ewma_locks 512k" \
-  ./rootfs/etc/nginx/lua/test/run.lua ${BUSTED_ARGS} ./rootfs/etc/nginx/lua/test/ ./rootfs/etc/nginx/lua/plugins/**/test
--- a/build/test.sh
+++ b/build/test.sh
@ -1,38 +0,0 @@
-#!/bin/bash
-
-# Copyright 2018 The Kubernetes Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-if [ -n "$DEBUG" ]; then
-	set -x
-fi
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-if [ -z "${PKG}" ]; then
-  echo "PKG must be set"
-  exit 1
-fi
-
-# enabled to use host dns resolver
-export CGO_ENABLED=1
-export GODEBUG=netdns=cgo+2
-# use vendor directory instead of go modules https://github.com/golang/go/wiki/Modules
-export GO111MODULE=off
-
-go test -v \
-  $(go list "${PKG}/..." | grep -v vendor | grep -v '/test/e2e' | grep -v images | grep -v "docs/examples")
--- a/changelog/controller-1.10.0.md
+++ b/changelog/controller-1.10.0.md
@ -0,0 +1,68 @@
+# Changelog
+
+This release is the first using NGINX v1.25.0!
+
+## Breaking changes
+* This version does not support chroot image, this will be fixed on a future minor patch release
+* This version dropped Opentracing and zipkin modules, just Opentelemetry is supported
+* This version dropped support for PodSecurityPolicy
+* This version dropped support for GeoIP (legacy). Only GeoIP2 is supported
+
+### controller-v1.10.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.0@sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c
+
+### All changes:
+
+* Start the release of v1.10.0 (#11038)
+* bump nginx and Go, remove tag file and old CI jobs (#11037)
+* Fix kubewebhook image tag (#11033)
+* add missing backend-protocol annotation option (#9545)
+* Update controller-prometheusrules.yaml (#8902)
+* Stop reporting interrupted tests (#11027)
+* test(gzip): reach ingress (#9541)
+* fix datasource, $exported_namespace variable in grafana nginx dashboard (#9092)
+* Properly support a TLS-wrapped OCSP responder (#10164)
+* Fix print-e2e-suite (#9536)
+* chore(deps): upgrade headers-more module to 0.37 (#10991)
+* Update ingress-path-matching.md (#11008)
+* Update ingress-path-matching.md (#11007)
+* E2E Tests: Explicitly enable metrics. (#10962)
+* Chart: Set `--enable-metrics` depending on `controller.metrics.enabled`. (#10959)
+* Chart: Remove useless `default` from `_params.tpl`. (#10957)
+* Fix golang makefile var name (#10932)
+* Fixing image push (#10931)
+* fix: live-docs script (#10928)
+* docs: Add vouch-proxy OAuth example (#10929)
+* Add OTEL build test and for NGINX v1.25 (#10889)
+* docs: update annotations docs with missing session-cookie section (#10917)
+* Release controller 1.9.6 and helm 4.9.1 (#10919)
+
+### Dependency updates:
+
+* Bump kubewebhook certgen (#11034)
+* Bump go libraries (#11023)
+* Bump modsecurity on nginx 1.25 (#11024)
+* Bump grpc and reintroduce OTEL compilation (#11021)
+* Bump github/codeql-action from 3.24.0 to 3.24.5 (#11017)
+* Bump actions/dependency-review-action from 4.0.0 to 4.1.3 (#11016)
+* Bump dorny/paths-filter from 3.0.0 to 3.0.1 (#10994)
+* Bump github.com/prometheus/client_model from 0.5.0 to 0.6.0 (#10998)
+* Bump actions/upload-artifact from 4.3.0 to 4.3.1 (#10978)
+* Bump actions/download-artifact from 4.1.1 to 4.1.2 (#10981)
+* Bump aquasecurity/trivy-action from 0.16.1 to 0.17.0 (#10979)
+* Bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (#10980)
+* Bump golang.org/x/crypto from 0.18.0 to 0.19.0 (#10976)
+* Bump github/codeql-action from 3.23.2 to 3.24.0 (#10971)
+* Bump github.com/opencontainers/runc from 1.1.11 to 1.1.12 (#10951)
+* Bump google.golang.org/grpc from 1.60.1 to 1.61.0 (#10938)
+* Bump actions/upload-artifact from 4.2.0 to 4.3.0 (#10937)
+* Bump dorny/test-reporter from 1.7.0 to 1.8.0 (#10936)
+* Bump github/codeql-action from 3.23.1 to 3.23.2 (#10935)
+* Bump dorny/paths-filter from 2.11.1 to 3.0.0 (#10934)
+* Bump alpine to 3.19.1 (#10930)
+* Bump go to v1.21.6 and set a single source of truth (#10926)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.9.6...controller-v1.10.0
--- a/changelog/controller-1.10.1.md
+++ b/changelog/controller-1.10.1.md
@ -0,0 +1,57 @@
+# Changelog
+
+### controller-v1.10.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.1@sha256:e24f39d3eed6bcc239a56f20098878845f62baa34b9f2be2fd2c38ce9fb0f29e
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.1@sha256:c155954116b397163c88afcb3252462771bd7867017e8a17623e83601bab7ac7
+
+### All changes:
+
+* start 1.10.1 build (#11246)
+* force nginx rebuild (#11245)
+* update k8s version to latest kind release (#11241)
+* remove _ssl_expire_time_seconds metric by identifier (#11239)
+* update post submit helm ci and clean up (#11221)
+* Chart: Add unit tests for default backend & topology spread constraints. (#11219)
+* sort default backend hpa metrics (#11217)
+* updated certgen image shatag (#11216)
+* changed testrunner image sha (#11211)
+* bumped certgeimage tag (#11213)
+* updated baseimage & deleted a useless file (#11209)
+* bump ginkgo to 2-17-1 in testrunner (#11204)
+* chunking related faq update (#11205)
+* Fix-semver (#11199)
+* refactor helm ci tests part I (#11188)
+* Proposal: e2e tests for regex patterns (#11185)
+* bump ginkgo to v2.17.1 (#11186)
+* fixes brotli build issue (#11187)
+* fix geoip2 configuration docs (#11151)
+* Fix typos in OTel doc (#11081) (#11129)
+* Chart: Render `controller.ingressClassResource.parameters` natively. (#11126)
+* Fix admission controller logging of `admissionTime` and `testedConfigurationSize` (#11114)
+* Chart: Align HPA & KEDA conditions. (#11113)
+* Chart: Improve IngressClass documentation. (#11111)
+* Chart: Add Gacko to maintainers. Again. (#11112)
+* Chart: Deploy `PodDisruptionBudget` with KEDA. (#11105)
+* Chores: Pick patches from main. (#11103)
+
+### Dependency updates:
+
+* Bump google.golang.org/grpc from 1.63.0 to 1.63.2 (#11238)
+* Bump google.golang.org/grpc from 1.62.1 to 1.63.0 (#11234)
+* Bump github.com/prometheus/common from 0.51.1 to 0.52.2 (#11233)
+* Bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#11232)
+* Bump github.com/prometheus/client_model in the all group (#11231)
+* Bump the all group with 3 updates (#11230)
+* Bump the all group with 2 updates (#11190)
+* Bump actions/add-to-project from 0.6.1 to 1.0.0 (#11189)
+* Bump the all group with 3 updates (#11166)
+* Bump github.com/prometheus/common from 0.50.0 to 0.51.1 (#11160)
+* Bump the all group with 4 updates (#11140)
+* Bump the all group with 1 update (#11136)
+* Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /magefiles (#11127)
+* Bump google.golang.org/protobuf in /images/custom-error-pages/rootfs (#11128)
+* Bump google.golang.org/protobuf in /images/kube-webhook-certgen/rootfs (#11122)
+
--- a/changelog/controller-1.10.2.md
+++ b/changelog/controller-1.10.2.md
@ -0,0 +1,130 @@
+# Changelog
+
+### controller-v1.10.2
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.2@sha256:e3311b3d9671bc52d90572bcbfb7ee5b71c985d6d6cffd445c241f1e2703363c
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.2@sha256:c4395cba98f9721e3381d3c06e7994371bae20f5ab30e457cd7debe44a8c8c54
+
+### All changes:
+
+* update test runner to latest build (#11557)
+* add k8s 1.30 to ci build (#11553)
+* update test runner go base to 3.20 (#11550)
+* tag new test runner image with new nginx base 0.0.8 (#11549)
+* bump NGINX_BASE to v0.0.8 (#11543)
+* trigger build for NGINX-1.25 v0.0.8 (#11542)
+* Upgrade OWASP_MODSECURITY_CRS_VERSION 3.3.5 to 4.4.0 and update docs (#11548)
+* [feature] bump nginx to 1.25.5 and add http3 module (#11541)
+* add ssl patches to nginx-1.25 image for coroutines to work in lua client hello and cert ssl blocks (#11534)
+* bump alpine version to 3.20 to custom-error-pages (#11537)
+* fix: Ensure changes in MatchCN annotation are detected (#11528)
+* Docs: Add information about HTTP/3 support. (#11525)
+* Docs: Specify `ingressClass` for multi-controller setup. (#11520)
+* Docs: Improve default certificate usage. (#11519)
+* docs: Update Ingress-NGINX v1.10.1 compatibility with Kubernetes v1.30 (#11500)
+* Update getting-started.md with new prerequisites (#11487)
+* Fix boolean configuration (#11484)
+* Chores: Align security contacts & chart maintainers to actual owners. (#11480)
+* CI: Bump forgotten Ginkgo versions. (#11469)
+* Tests: Replace deprecated `grpc.Dial` by `grpc.NewClient`. (#11468)
+* Owners: Promote Gacko to admin. (#11464)
+* fixed fastcgi userguide (#11455)
+* Remove unnecessary space character (#11451)
+* fix for docs issue 11432 (#11446)
+* Update index.md (#11445)
+* upgrade to alpine 3.20 (#11438)
+* update golang to 1.22.4 (#11431)
+* Adapt dashboards for Grafana 11 compatibility (#11414)
+* Rename variable to fix typo (#11413)
+* Fix helm install on cloud provider admonition block (#11412)
+* edited helm-install tips (#11411)
+* added info for aws helm install (#11410)
+* added multiplecontrollers-howto to faq (#11409)
+* removed tlsv1 & tlsv1.1 (#11408)
+* Docs: Remove opentracing and zipkin from docs (#11405)
+* Go: Sync modules from `main`. (#11398)
+* add workflow to helm release and update ct for branch (#11317)
+* Merge pull request #11277 from strongjz/chart-1.10.1 (#11314)
+* Release Helm Chart on branch update (#11306)
+* Release controller 1.10.1 (#11298)
+* fix path in file changed detected message (#11286)
+* chore: fix function names in comment (#11281)
+* fix: update kube version requirement to 1.21 (#11279)
+* release helm chart from release branch (#11278)
+* start 1.10.1 build (#11246)
+* force nginx rebuild (#11245)
+* update k8s version to latest kind release (#11241)
+* remove _ssl_expire_time_seconds metric by identifier (#11239)
+* update post submit helm ci and clean up (#11221)
+* Chart: Add unit tests for default backend & topology spread constraints. (#11219)
+* sort default backend hpa metrics (#11217)
+* updated certgen image shatag (#11216)
+* changed testrunner image sha (#11211)
+* bumped certgeimage tag (#11213)
+* updated baseimage & deleted a useless file (#11209)
+* bump ginkgo to 2-17-1 in testrunner (#11204)
+* chunking related faq update (#11205)
+* Fix-semver (#11199)
+* refactor helm ci tests part I (#11188)
+* Proposal: e2e tests for regex patterns (#11185)
+* bump ginkgo to v2.17.1 (#11186)
+* fixes brotli build issue (#11187)
+* fix geoip2 configuration docs (#11151)
+* Fix typos in OTel doc (#11081) (#11129)
+* Chart: Render `controller.ingressClassResource.parameters` natively. (#11126)
+* Fix admission controller logging of `admissionTime` and `testedConfigurationSize` (#11114)
+* Chart: Align HPA & KEDA conditions. (#11113)
+* Chart: Improve IngressClass documentation. (#11111)
+* Chart: Add Gacko to maintainers. Again. (#11112)
+* Chart: Deploy `PodDisruptionBudget` with KEDA. (#11105)
+* Chores: Pick patches from main. (#11103)
+* Start the release of v1.10.0 (#11038)
+
+### Dependency updates:
+
+* Bump the all group with 2 updates (#11524)
+* Bump k8s.io/klog/v2 from 2.130.0 to 2.130.1 in the all group (#11521)
+* Bump aquasecurity/trivy-action from 0.22.0 to 0.23.0 in the all group (#11501)
+* Bump k8s.io/klog/v2 from 2.120.1 to 2.130.0 (#11479)
+* Bump the all group with 3 updates (#11478)
+* Bump the all group with 2 updates (#11477)
+* Bump golang.org/x/crypto from 0.23.0 to 0.24.0 (#11471)
+* Bump sigs.k8s.io/controller-runtime in the all group (#11449)
+* Bump github.com/prometheus/common from 0.53.0 to 0.54.0 (#11447)
+* Bump the all group with 3 updates (#11450)
+* Bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 (#11448)
+* Bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.19.0 (#11422)
+* Bump the all group with 2 updates (#11421)
+* Bump google.golang.org/grpc from 1.63.2 to 1.64.0 (#11423)
+* Bump the all group across 1 directory with 6 updates (#11407)
+* Bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 (#11406)
+* Bump the all group with 3 updates (#11404)
+* Bump Kubernetes version on images (#11403)
+* Bump golangci/golangci-lint-action from 4.0.0 to 5.0.0 (#11402)
+* Bump the all group with 4 updates (#11380)
+* Bump k8s.io/component-base from 0.29.3 to 0.30.0 (#11301)
+* Bump github.com/prometheus/common from 0.52.3 to 0.53.0 (#11300)
+* Bump golang.org/x/net from 0.22.0 to 0.23.0 (#11285)
+* Bump golang.org/x/net in /images/kube-webhook-certgen/rootfs (#11284)
+* Bump the all group with 2 updates (#11266)
+* Bump azure/setup-helm from 3.5 to 4 (#11265)
+* Bump actions/add-to-project from 1.0.0 to 1.0.1 in the all group (#11264)
+* Bump google.golang.org/grpc from 1.63.0 to 1.63.2 (#11238)
+* Bump google.golang.org/grpc from 1.62.1 to 1.63.0 (#11234)
+* Bump github.com/prometheus/common from 0.51.1 to 0.52.2 (#11233)
+* Bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#11232)
+* Bump github.com/prometheus/client_model in the all group (#11231)
+* Bump the all group with 3 updates (#11230)
+* Bump the all group with 2 updates (#11190)
+* Bump actions/add-to-project from 0.6.1 to 1.0.0 (#11189)
+* Bump the all group with 3 updates (#11166)
+* Bump github.com/prometheus/common from 0.50.0 to 0.51.1 (#11160)
+* Bump the all group with 4 updates (#11140)
+* Bump the all group with 1 update (#11136)
+* Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /magefiles (#11127)
+* Bump google.golang.org/protobuf in /images/custom-error-pages/rootfs (#11128)
+* Bump google.golang.org/protobuf in /images/kube-webhook-certgen/rootfs (#11122)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.1...controller-v1.10.2
--- a/changelog/controller-1.10.3.md
+++ b/changelog/controller-1.10.3.md
@ -0,0 +1,37 @@
+# Changelog
+
+### controller-v1.10.3
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.3@sha256:b5a5082f8e508cc1aac1c0ef101dc2f87b63d51598a5747d81d6cf6e7ba058fd
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.3@sha256:9033e04bd3cd01f92414f8d5999c5095734d4caceb4923942298152a38373d4b
+
+### All changes:
+
+* Images: Trigger `controller` v1.10.3 build. (#11648)
+* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11646)
+* Images: Re-run `test-runner` build. (#11643)
+* Images: Trigger `test-runner` build. (#11639)
+* Images: Bump `NGINX_BASE` to v0.0.10. (#11637)
+* Images: Trigger NGINX build. (#11631)
+* bump testing runner (#11626)
+* remove modsecurity coreruleset test files from nginx image (#11619)
+* unskip the ocsp tests and update images to fix cfssl bug (#11615)
+* Fix indent in YAML for example pod (#11609)
+* Images: Bump `test-runner`. (#11604)
+* Images: Bump `NGINX_BASE` to v0.0.9. (#11601)
+* revert module upgrade (#11595)
+* README: Fix support matrix. (#11593)
+* Mage: Stop mutating release notes. (#11582)
+* Images: Bump `kube-webhook-certgen`. (#11583)
+
+### Dependency updates:
+
+* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11622)
+* Bump the all group with 5 updates (#11613)
+* Bump golang.org/x/crypto from 0.24.0 to 0.25.0 (#11579)
+* Bump google.golang.org/grpc from 1.64.0 to 1.65.0 (#11577)
+* Bump the all group with 4 updates (#11574)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.2...controller-v1.10.3
--- a/changelog/controller-1.10.4.md
+++ b/changelog/controller-1.10.4.md
@ -0,0 +1,53 @@
+# Changelog
+
+### controller-v1.10.4
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.4@sha256:505b9048c02dde3d6c8667bf0b52aba7b36adf7b03da34c47d5fa312d2d4c6fc
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.4@sha256:bf71acf6e71830a4470e2183e3bc93c4f006b954f8a05fb434242ef0f8a24858
+
+### All changes:
+
+* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11811)
+* Images: Trigger controller build. (#11808)
+* Tests & Docs: Bump images. (#11804)
+* Images: Trigger failed builds. (#11801)
+* Images: Trigger other builds. (#11797)
+* Controller: Fix panic in alternative backend merging. (#11793)
+* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11791)
+* Images: Trigger `test-runner` build. (#11786)
+* Images: Bump `NGINX_BASE` to v0.0.12. (#11783)
+* Images: Trigger NGINX build. (#11780)
+* Cloud Build: Add missing config, remove unused ones. (#11776)
+* Generate correct output on NumCPU() when using cgroups2 (#11775)
+* Cloud Build: Tweak timeouts. (#11762)
+* Cloud Build: Fix substitutions. (#11759)
+* Cloud Build: Some chores. (#11756)
+* Go: Bump to v1.22.6. (#11748)
+* Images: Bump `NGINX_BASE` to v0.0.11. (#11744)
+* Images: Trigger NGINX build. (#11736)
+* docs: update OpenSSL Roadmap link (#11734)
+* Go: Bump to v1.22.5. (#11731)
+* Docs: Fix typo in AWS LB Controller reference (#11724)
+* Perform some cleaning operations on line breaks. (#11722)
+* Missing anchors in regular expression. (#11718)
+* Docs: Fix `from-to-www` redirect description. (#11715)
+* Chart: Remove `isControllerTagValid`. (#11714)
+* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11704)
+* Docs: Clarify `from-to-www` redirect direction. (#11692)
+* added real-client-ip faq (#11665)
+* Docs: Format NGINX configuration table. (#11660)
+
+### Dependency updates:
+
+* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11772)
+* Bump the all group with 2 updates (#11770)
+* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11768)
+* Bump the all group with 3 updates (#11729)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11700)
+* Bump the all group with 2 updates (#11697)
+* Bump the all group with 4 updates (#11676)
+* Bump the all group with 2 updates (#11674)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.3...controller-v1.10.4
--- a/changelog/controller-1.10.5.md
+++ b/changelog/controller-1.10.5.md
@ -0,0 +1,90 @@
+# Changelog
+
+### controller-v1.10.5
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.5@sha256:c84d11b1f7bd14ebbf49918a7f0dc01b31c0c6e757e0129520ea93453096315c
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.5@sha256:030a43bdd5f0212a7e135cc4da76b15a6706ef65a6824eb4cc401f87a81c2987
+
+### All changes:
+
+* Images: Trigger controller build. (#12133)
+* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12146)
+* Images: Trigger `e2e-test-echo` build. (#12142)
+* Images: Drop `s390x`. (#12139)
+* Images: Build `s390x` controller. (#12128)
+* Chart: Bump Kube Webhook CertGen. (#12122)
+* Tests & Docs: Bump images. (#12120)
+* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12116)
+* Images: Trigger other builds. (#12111)
+* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12104)
+* Images: Trigger `test-runner` build. (#12101)
+* Docs: Add a multi-tenant warning. (#12098)
+* Go: Bump to v1.22.8. (#12093)
+* Images: Bump `NGINX_BASE` to v0.1.0. (#12079)
+* Images: Trigger NGINX build. (#12077)
+* Images: Remove NGINX v1.21. (#12057)
+* GitHub: Improve Dependabot. (#12037)
+* Chart: Improve CI. (#12029)
+* Chart: Extend image tests. (#12026)
+* Docs: Add health check annotations for AWS. (#12021)
+* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12007)
+* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12001)
+* Chart: Align default backend `PodDisruptionBudget`. (#11998)
+* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#11985)
+* Chart: Improve default backend service account. (#11973)
+* Go: Bump to v1.22.7. (#11969)
+* Images: Bump OpenTelemetry C++ Contrib. (#11950)
+* Docs: Add note about `--watch-namespace`. (#11948)
+* Images: Use latest Alpine 3.20 everywhere. (#11945)
+* Fix minor typos (#11940)
+* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11933)
+* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11920)
+* Images: Trigger `test-runner` build. (#11918)
+* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11888)
+* Annotations: Allow commas in URLs. (#11886)
+* CI: Grant checks write permissions to E2E Test Report. (#11884)
+* Update maxmind post link about geolite2 license changes (#11880)
+* Go: Sync `go.work.sum`. (#11876)
+* Replace deprecated queue method (#11858)
+* Auto-generate annotation docs (#11835)
+
+### Dependency updates:
+
+* Bump the actions group with 3 updates (#12150)
+* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12108)
+* Bump the actions group with 3 updates (#12096)
+* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12088)
+* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12086)
+* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12084)
+* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12082)
+* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12054)
+* Bump the go group across 1 directory with 3 updates (#12052)
+* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12048)
+* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12044)
+* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12045)
+* Bump the all group with 2 updates (#12035)
+* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12015)
+* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12013)
+* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12011)
+* Bump the all group with 2 updates (#11979)
+* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11978)
+* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11960)
+* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11959)
+* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11956)
+* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11929)
+* Bump the all group with 2 updates (#11924)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11912)
+* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11907)
+* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11906)
+* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11905)
+* Bump the all group with 2 updates (#11870)
+* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11869)
+* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11848)
+* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11847)
+* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11846)
+* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11841)
+* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11833)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.4...controller-v1.10.5
--- a/changelog/controller-1.10.6.md
+++ b/changelog/controller-1.10.6.md
@ -0,0 +1,92 @@
+# Changelog
+
+### controller-v1.10.6
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.10.6@sha256:b6fbd102255edb3ba8e5421feebe14fd3e94cf53d199af9e40687f536152189c
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.10.6@sha256:44ceedafc0e04a75521b5d472c1b6b5cc08afb8038b5bbfd79c21d066ccf300e
+
+### All changes:
+
+* Images: Trigger controller build. (#12611)
+* Chart: Bump Kube Webhook CertGen. (#12608)
+* Tests & Docs: Bump images. (#12605)
+* Images: Trigger other builds (2/2). (#12598)
+* Images: Trigger other builds (1/2). (#12597)
+* Tests: Bump `e2e-test-runner` to v20241224-68ed4e7b. (#12592)
+* Images: Trigger `test-runner` build. (#12586)
+* Images: Bump `NGINX_BASE` to v0.2.0. (#12584)
+* Images: Trigger NGINX build. (#12578)
+* Go: Clean `go.work.sum`. (#12575)
+* Repository: Update owners. (#12570)
+* Images: Bump `gcb-docker-gcloud` to v20241217-ff46a068cd. (#12563)
+* CI: Update KIND images. (#12559)
+* Images: Bump Alpine to v3.21. (#12530)
+* Docs: Add guide on how to set a Maintenance Page. (#12527)
+* rikatz is stepping down (#12518)
+* rikatz is stepping down (#12497)
+* Go: Bump to v1.23.4. (#12485)
+* Plugin: Bump `goreleaser` to v2. (#12442)
+* GitHub: Fix `exec` in issue template. (#12389)
+* CI: Update KIND images. (#12368)
+* Images: Bump `gcb-docker-gcloud` to v20241110-72bb0b1665. (#12341)
+* Go: Bump to v1.23.3. (#12339)
+* Auth TLS: Add `_` to redirect RegEx. (#12328)
+* Auth TLS: Improve redirect RegEx. (#12321)
+* Tests: Bump `e2e-test-runner` to v20241104-02a3933e. (#12314)
+* Images: Trigger `test-runner` build. (#12307)
+* Config: Fix panic on invalid `lua-shared-dict`. (#12282)
+* Docs: fix limit-rate-after references (#12280)
+* Chart: Rework ServiceMonitor. (#12268)
+* Chart: Add ServiceAccount tests. (#12266)
+* CI: Fix chart testing. (#12260)
+* [fix] fix nginx temp configs cleanup (#12224)
+* Chart: Suggest `matchLabelKeys` in Topology Spread Constraints. (#12204)
+* Docs: Add Pod Security Admission. (#12198)
+* Docs: Clarify external & service port in TCP/UDP services explanation. (#12194)
+
+### Dependency updates:
+
+* Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#12565)
+* Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 (#12557)
+* Bump k8s.io/code-generator from 0.31.3 to 0.32.0 (#12552)
+* Bump k8s.io/cli-runtime from 0.31.3 to 0.32.0 (#12549)
+* Bump k8s.io/apiserver from 0.31.3 to 0.32.0 (#12546)
+* Bump the actions group with 2 updates (#12543)
+* Bump google.golang.org/grpc from 1.68.1 to 1.69.2 (#12540)
+* Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#12514)
+* Bump github.com/opencontainers/runc from 1.2.2 to 1.2.3 in the go group across 1 directory (#12511)
+* Bump the actions group with 3 updates (#12508)
+* Bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 in /images/kube-webhook-certgen/rootfs (#12504)
+* Bump k8s.io/apimachinery from 0.31.3 to 0.32.0 in /images/ext-auth-example-authsvc/rootfs (#12501)
+* Bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#12478)
+* Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /magefiles (#12473)
+* Bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#12466)
+* Bump github/codeql-action from 3.27.5 to 3.27.6 in the actions group (#12463)
+* Bump the go group across 1 directory with 2 updates (#12459)
+* Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 (#12425)
+* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12416)
+* Bump the go group across 3 directories with 10 updates (#12414)
+* Bump the actions group with 3 updates (#12410)
+* Bump github.com/opencontainers/runc from 1.2.1 to 1.2.2 in the go group across 1 directory (#12382)
+* Bump github/codeql-action from 3.27.1 to 3.27.4 in the actions group (#12375)
+* Bump golangci-lint on actions and disable deprecated linters (#12363)
+* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#12356)
+* Bump the actions group with 3 updates (#12353)
+* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#12351)
+* Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#12297)
+* Bump github.com/opencontainers/runc from 1.2.0 to 1.2.1 in the go group across 1 directory (#12294)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 (#12290)
+* Bump actions/dependency-review-action from 4.3.5 to 4.4.0 in the actions group (#12275)
+* Bump the go group across 3 directories with 11 updates (#12246)
+* Bump github.com/opencontainers/runc from 1.1.15 to 1.2.0 (#12241)
+* Bump the actions group with 5 updates (#12243)
+* Bump github.com/ncabatoff/process-exporter from 0.8.3 to 0.8.4 in the go group across 1 directory (#12219)
+* Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 in the actions group (#12215)
+* Bump github/codeql-action from 3.26.12 to 3.26.13 in the actions group (#12191)
+* Bump the go group across 2 directories with 1 update (#12189)
+* Bump the actions group with 2 updates (#12185)
+* Bump github.com/opencontainers/runc from 1.1.14 to 1.1.15 in the go group across 1 directory (#12184)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.5...controller-v1.10.6
--- a/changelog/controller-1.11.0.md
+++ b/changelog/controller-1.11.0.md
@ -0,0 +1,164 @@
+# Changelog
+
+### controller-v1.11.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.0@sha256:a886e56d532d1388c77c8340261149d974370edca1093af4c97a96fb1467cb39
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.0@sha256:f16dfed1c94d216b65e5dcb7508ab46148641a99649c5a700749db6f01a7039e
+
+### All changes:
+
+* update test runner to latest build (#11558)
+* add k8s 1.30 to ci build (#11554)
+* update test runner go base to 3.20 (#11552)
+* tag new test runner image with new nginx base 0.0.8 (#11551)
+* bump NGINX_BASE to v0.0.8 (#11544)
+* add ssl patches to nginx-1.25 image for coroutines to work in lua client hello and cert ssl blocks (#11535)
+* trigger build for NGINX-1.25 v0.0.8 (#11539)
+* bump alpine version to 3.20 to custom-error-pages (#11538)
+* fix: Ensure changes in MatchCN annotation are detected (#11529)
+* Docs: Add information about HTTP/3 support. (#11513)
+* Docs: Specify `ingressClass` for multi-controller setup. (#11493)
+* Docs: Improve default certificate usage. (#11504)
+* Upgrade OWASP_MODSECURITY_CRS_VERSION 3.3.5 to 4.4.0 and update docs (#11511)
+* docs: Update Ingress-NGINX v1.10.1 compatibility with Kubernetes v1.30 (#11495)
+* Update getting-started.md with new prerequisites (#11486)
+* [feature] bump nginx to 1.25.5 and add http3 module (#11470)
+* Fix boolean configuration (#11483)
+* Chores: Align security contacts & chart maintainers to actual owners. (#11465)
+* CI: Bump forgotten Ginkgo versions. (#11467)
+* Tests: Replace deprecated `grpc.Dial` by `grpc.NewClient`. (#11462)
+* Owners: Promote Gacko to admin. (#11463)
+* Chart: Make pod affinity templatable. (#11453)
+* fixed fastcgi userguide (#11454)
+* Remove unnecessary space character (#11434)
+* upgrade to alpine 3.20 (#11428)
+* fix for docs issue 11432 (#11433)
+* Update index.md (#11437)
+* update golang to 1.22.4 (#11427)
+* Chart: Fix `IngressClass` annotations. (#11416)
+* Chart: Make admission webhook patch job RBAC configurable. (#11376)
+* Merge pull request #11277 from strongjz/chart-1.10.1 (#11415)
+* Chart: Remove `controller.enableWorkerSerialReloads`. (#11400)
+* Adapt dashboards for Grafana 11 compatibility (#11399)
+* Rename variable to fix typo (#11395)
+* Fix helm install on cloud provider admonition block (#11394)
+* edited helm-install tips (#11393)
+* added info for aws helm install (#11390)
+* added multiplecontrollers-howto to faq (#11389)
+* removed tlsv1 & tlsv1.1 (#11343)
+* feat: Add grpc timeouts annotations (#11258)
+* sfix position of options (#11379)
+* add workflow to helm release and update ct for branch (#11378)
+* Accept user defined annotations in IngressClass (#11362)
+* Docs: Remove opentracing and zipkin from docs (#11361)
+* Allow configuring nginx worker reload behaviour, to prevent multiple concurrent worker reloads which can lead to high resource usage and OOMKill (#10884)
+* chore(deps): group update k8s.io packages to v0.30.0 (#11344)
+* Fix function name in comment (#11296)
+* fix path in file changed detected message (#11271)
+* chore: fix function names in comment (#11280)
+* fix: update kube version requirement to 1.21 (#11275)
+* release helm chart from release branch (#11276)
+* update k8s version to latest kind release (#11240)
+* feat: add annotation to allow to add custom response headers (#9742)
+* remove _ssl_expire_time_seconds metric by identifier (#9706)
+* update post submit helm ci and clean up (#11220)
+* Chart: Add unit tests for default backend & topology spread constraints. (#11218)
+* sort default backend hpa metrics (#11215)
+* updated certgen image shatag (#11214)
+* feature(default_backend): topologySpreadConstraints on default backend (#11197)
+* bumped certgeimage tag (#11212)
+* changed testrunner image sha (#11207)
+* updated baseimage & deleted a useless file (#11208)
+* Chart: Make `controller.config` templatable. (#11181)
+* chunking related faq update (#11196)
+* bump ginkgo to 2-17-1 in testrunner (#11202)
+* Owners: Promote Gacko to `ingress-nginx-maintainers` & `ingress-nginx-reviewers`. (#11165)
+* Fix-semver (#11193)
+* refactor helm ci tests part I (#11178)
+* fixes brotli build issue (#10484)
+* bump ginkgo to v2.17.1 (#11177)
+* Proposal: e2e tests for regex patterns (#11174)
+* Controller: Make Leader Election TTL configurable. (#11142)
+* Chores: Remove recently added whitespaces. (#11156)
+* Add GRPC Buffer Size to the Configmap (#11155)
+* fix geoip2 configuration docs (#11150)
+* feature(geoip2_autoreload): Enable GeoIP2 auto_reload config  (#11079)
+* Chart: Add IngressClass aliases. (#11109)
+* Fix typos in OTel doc (#11081)
+* Chart: Render `controller.ingressClassResource.parameters` natively. (#11108)
+* Fix admission controller logging of `admissionTime` and `testedConfigurationSize` (#11089)
+* Chart: Align HPA & KEDA conditions. (#11110)
+* Chart: Add Gacko to maintainers. Again. (#11107)
+* Chart: Improve IngressClass documentation. (#11104)
+* Chart: Deploy `PodDisruptionBudget` with KEDA. (#11032)
+* Undo #11062 since it breaks the nginx config (#11082)
+* [mTLS] Fix acme verification when mTLS and Client CN verification is enabled (#11062)
+* golangci-lint update, ci cleanup, group dependabot updates (#11071)
+* bump golang (#11070)
+* feature(leader_election): flag to disable leader election feature on controller (#11064)
+* docs: update the 404 link to FAQ (#11069)
+* Update README.md (#11065)
+* quotes around numbers fort ports definitions (#11052)
+
+### Dependency updates:
+
+* Bump the all group with 2 updates (#11523)
+* Bump k8s.io/klog/v2 from 2.130.0 to 2.130.1 in the all group (#11499)
+* Bump aquasecurity/trivy-action from 0.22.0 to 0.23.0 in the all group (#11497)
+* Bump k8s.io/klog/v2 from 2.120.1 to 2.130.0 (#11475)
+* Bump the all group with 3 updates (#11474)
+* Bump the all group with 2 updates (#11476)
+* Bump golang.org/x/crypto from 0.23.0 to 0.24.0 (#11442)
+* Bump the all group with 3 updates (#11443)
+* Bump sigs.k8s.io/controller-runtime in the all group (#11440)
+* Bump goreleaser/goreleaser-action from 5.1.0 to 6.0.0 (#11444)
+* Bump github.com/prometheus/common from 0.53.0 to 0.54.0 (#11441)
+* Bump the all group with 2 updates (#11419)
+* Bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.19.0 (#11418)
+* Bump google.golang.org/grpc from 1.63.2 to 1.64.0 (#11417)
+* Bump the all group across 1 directory with 3 updates (#11384)
+* Bump the all group across 1 directory with 6 updates (#11383)
+* Bump golang.org/x/crypto from 0.22.0 to 0.23.0 (#11357)
+* Bump golangci/golangci-lint-action from 5.3.0 to 6.0.1 (#11355)
+* Bump the all group with 3 updates (#11348)
+* Bump Kubernetes version on images (#11346)
+* Bump sigs.k8s.io/controller-runtime from 0.17.3 to 0.18.1 (#11345)
+* Bump golangci/golangci-lint-action from 4.0.0 to 5.0.0 (#11328)
+* Bump the all group with 4 updates (#11327)
+* Bump k8s.io/component-base from 0.29.3 to 0.30.0 (#11291)
+* Bump github.com/prometheus/common from 0.52.3 to 0.53.0 (#11290)
+* Bump golang.org/x/net from 0.22.0 to 0.23.0 (#11282)
+* Bump golang.org/x/net in /images/kube-webhook-certgen/rootfs (#11283)
+* Bump the all group with 2 updates (#11261)
+* Bump azure/setup-helm from 3.5 to 4 (#11263)
+* Bump actions/add-to-project from 1.0.0 to 1.0.1 in the all group (#11262)
+* Bump google.golang.org/grpc from 1.63.0 to 1.63.2 (#11237)
+* Bump google.golang.org/grpc from 1.62.1 to 1.63.0 (#11228)
+* Bump github.com/prometheus/common from 0.51.1 to 0.52.2 (#11227)
+* Bump golang.org/x/crypto from 0.21.0 to 0.22.0 (#11229)
+* Bump github.com/prometheus/client_model in the all group (#11226)
+* Bump the all group with 3 updates (#11225)
+* Bump the all group with 2 updates (#11183)
+* Bump actions/add-to-project from 0.6.1 to 1.0.0 (#11184)
+* Bump the all group with 3 updates (#11157)
+* Bump github.com/prometheus/common from 0.50.0 to 0.51.1 (#11159)
+* Bump the all group with 4 updates (#11133)
+* Bump the all group with 1 update (#11134)
+* Bump google.golang.org/protobuf in /images/custom-error-pages/rootfs (#11119)
+* Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /magefiles (#11121)
+* Bump google.golang.org/protobuf in /images/kube-webhook-certgen/rootfs (#11120)
+* Bump github.com/onsi/ginkgo/v2 from 2.15.0 to 2.16.0 (#11076)
+* Bump the all group with 1 update (#11073)
+* Bump the all group with 1 update (#11072)
+* Bump github.com/prometheus/common from 0.49.0 to 0.50.0 (#11075)
+* Bump actions/download-artifact from 4.1.2 to 4.1.4 (#11059)
+* Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#11055)
+* Bump docker/setup-buildx-action from 3.0.0 to 3.1.0 (#11057)
+* Bump github.com/prometheus/common from 0.48.0 to 0.49.0 (#11056)
+* Bump github/codeql-action from 3.24.5 to 3.24.6 (#11060)
+* Bump aquasecurity/trivy-action from 0.17.0 to 0.18.0 (#11058)
+* Bump dorny/paths-filter from 3.0.1 to 3.0.2 (#11061)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.10.2...controller-v1.11.0
--- a/changelog/controller-1.11.1.md
+++ b/changelog/controller-1.11.1.md
@ -0,0 +1,45 @@
+# Changelog
+
+### controller-v1.11.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.1@sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.1@sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d
+
+### All changes:
+
+* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11647)
+* Images: Re-run `test-runner` build. (#11644)
+* Images: Trigger `test-runner` build. (#11640)
+* Images: Bump `NGINX_BASE` to v0.0.10. (#11638)
+* Images: Trigger NGINX build. (#11632)
+* bump testing runner (#11627)
+* remove modsecurity coreruleset test files from nginx image (#11620)
+* unskip the ocsp tests and update images to fix cfssl bug (#11616)
+* Fix indent in YAML for example pod (#11610)
+* Images: Bump `test-runner`. (#11605)
+* Images: Bump `NGINX_BASE` to v0.0.9. (#11602)
+* revert module upgrade (#11597)
+* Release: Apply changes from `main`. (#11589)
+* Mage: Stop mutating release notes. (#11581)
+* Images: Bump `kube-webhook-certgen`. (#11584)
+* update test runner to latest build (#11558)
+* add k8s 1.30 to ci build (#11554)
+* update test runner go base to 3.20 (#11552)
+* tag new test runner image with new nginx base 0.0.8 (#11551)
+* bump NGINX_BASE to v0.0.8 (#11544)
+* add ssl patches to nginx-1.25 image for coroutines to work in lua client hello and cert ssl blocks (#11535)
+* trigger build for NGINX-1.25 v0.0.8 (#11539)
+* bump alpine version to 3.20 to custom-error-pages (#11538)
+* fix: Ensure changes in MatchCN annotation are detected (#11529)
+
+### Dependency updates:
+
+* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11621)
+* Bump the all group with 5 updates (#11614)
+* Bump golang.org/x/crypto from 0.24.0 to 0.25.0 (#11580)
+* Bump google.golang.org/grpc from 1.64.0 to 1.65.0 (#11576)
+* Bump the all group with 4 updates (#11575)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.0...controller-v1.11.1
--- a/changelog/controller-1.11.2.md
+++ b/changelog/controller-1.11.2.md
@ -0,0 +1,54 @@
+# Changelog
+
+### controller-v1.11.2
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.2@sha256:21b55a2f0213a18b91612a8c0850167e00a8e34391fd595139a708f9c047e7a8
+
+### All changes:
+
+* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11812)
+* Images: Trigger controller build. (#11807)
+* Tests & Docs: Bump images. (#11805)
+* Images: Trigger failed builds. (#11802)
+* Images: Trigger other builds. (#11798)
+* Controller: Fix panic in alternative backend merging. (#11794)
+* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11792)
+* Images: Trigger `test-runner` build. (#11787)
+* Images: Bump `NGINX_BASE` to v0.0.12. (#11784)
+* Images: Trigger NGINX build. (#11781)
+* Cloud Build: Add missing config, remove unused ones. (#11777)
+* Generate correct output on NumCPU() when using cgroups2 (#11778)
+* Cloud Build: Tweak timeouts. (#11763)
+* Cloud Build: Fix substitutions. (#11760)
+* Cloud Build: Some chores. (#11757)
+* Go: Bump to v1.22.6. (#11749)
+* Images: Bump `NGINX_BASE` to v0.0.11. (#11743)
+* Images: Trigger NGINX build. (#11737)
+* docs: update OpenSSL Roadmap link (#11733)
+* Go: Bump to v1.22.5. (#11732)
+* Docs: Fix typo in AWS LB Controller reference (#11725)
+* Perform some cleaning operations on line breaks. (#11721)
+* Missing anchors in regular expression. (#11719)
+* Docs: Fix `from-to-www` redirect description. (#11716)
+* Chart: Remove `isControllerTagValid`. (#11713)
+* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11705)
+* Docs: Clarify `from-to-www` redirect direction. (#11693)
+* added real-client-ip faq (#11664)
+* Docs: Format NGINX configuration table. (#11662)
+* Docs: Update version in `deploy/index.md`. (#11652)
+
+### Dependency updates:
+
+* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11773)
+* Bump the all group with 2 updates (#11771)
+* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11769)
+* Bump the all group with 3 updates (#11728)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11701)
+* Bump the all group with 2 updates (#11698)
+* Bump the all group with 4 updates (#11677)
+* Bump the all group with 2 updates (#11675)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.1...controller-v1.11.2
--- a/changelog/controller-1.11.3.md
+++ b/changelog/controller-1.11.3.md
@ -0,0 +1,91 @@
+# Changelog
+
+### controller-v1.11.3
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.3@sha256:22701f0fc0f2dd209ef782f4e281bfe2d8cccd50ededa00aec88e0cdbe7edd14
+
+### All changes:
+
+* Images: Trigger controller build. (#12134)
+* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12145)
+* Images: Trigger `e2e-test-echo` build. (#12141)
+* Images: Drop `s390x`. (#12138)
+* Images: Build `s390x` controller. (#12127)
+* Chart: Bump Kube Webhook CertGen. (#12123)
+* Tests & Docs: Bump images. (#12121)
+* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12117)
+* Images: Trigger other builds. (#12112)
+* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12105)
+* Images: Trigger `test-runner` build. (#12102)
+* Docs: Add a multi-tenant warning. (#12099)
+* Go: Bump to v1.22.8. (#12094)
+* Images: Bump `NGINX_BASE` to v0.1.0. (#12080)
+* Images: Trigger NGINX build. (#12076)
+* Images: Remove NGINX v1.21. (#12058)
+* GitHub: Improve Dependabot. (#12038)
+* Chart: Improve CI. (#12030)
+* Chart: Extend image tests. (#12027)
+* Docs: Add health check annotations for AWS. (#12020)
+* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12006)
+* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12002)
+* Chart: Align default backend `PodDisruptionBudget`. (#11999)
+* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#11986)
+* Chart: Improve default backend service account. (#11974)
+* Go: Bump to v1.22.7. (#11970)
+* Images: Bump OpenTelemetry C++ Contrib. (#11951)
+* Docs: Add note about `--watch-namespace`. (#11949)
+* Images: Use latest Alpine 3.20 everywhere. (#11946)
+* Fix minor typos (#11941)
+* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11934)
+* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11921)
+* Images: Trigger `test-runner` build. (#11917)
+* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11889)
+* Annotations: Allow commas in URLs. (#11887)
+* CI: Grant checks write permissions to E2E Test Report. (#11885)
+* Chart: Use generic values for `ConfigMap` test. (#11879)
+* Update maxmind post link about geolite2 license changes (#11881)
+* Go: Sync `go.work.sum`. (#11875)
+* Replace deprecated queue method (#11859)
+* Auto-generate annotation docs (#11831)
+
+### Dependency updates:
+
+* Bump the actions group with 3 updates (#12149)
+* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12109)
+* Bump the actions group with 3 updates (#12097)
+* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12089)
+* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12087)
+* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12085)
+* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12083)
+* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12055)
+* Bump the go group across 1 directory with 3 updates (#12053)
+* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12049)
+* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12047)
+* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12046)
+* Bump the all group with 2 updates (#12036)
+* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12016)
+* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12014)
+* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12012)
+* Bump the all group with 2 updates (#11981)
+* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11980)
+* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11961)
+* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11958)
+* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11957)
+* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11930)
+* Bump the all group with 2 updates (#11925)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11913)
+* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11910)
+* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11909)
+* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11908)
+* Bump the all group with 2 updates (#11871)
+* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11868)
+* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11840)
+* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11839)
+* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11837)
+* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11836)
+* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11834)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.2...controller-v1.11.3
--- a/changelog/controller-1.11.4.md
+++ b/changelog/controller-1.11.4.md
@ -0,0 +1,94 @@
+# Changelog
+
+### controller-v1.11.4
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:981a97d78bee3109c0b149946c07989f8f1478a9265031d2d23dea839ba05b52
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.11.4@sha256:f29d0f9e7a9ef4947eda59ed0c09ec13380b13639d1518cf1ab8ec09c3e22ef8
+
+### All changes:
+
+* Images: Trigger controller build. (#12610)
+* Chart: Bump Kube Webhook CertGen. (#12607)
+* Tests & Docs: Bump images. (#12604)
+* Images: Trigger other builds (2/2). (#12600)
+* Images: Trigger other builds (1/2). (#12596)
+* Tests: Bump `e2e-test-runner` to v20241224-68ed4e7b. (#12591)
+* Images: Trigger `test-runner` build. (#12588)
+* Images: Bump `NGINX_BASE` to v0.2.0. (#12583)
+* Images: Trigger NGINX build. (#12577)
+* Go: Clean `go.work.sum`. (#12574)
+* Repository: Update owners. (#12569)
+* Images: Bump `gcb-docker-gcloud` to v20241217-ff46a068cd. (#12562)
+* CI: Update KIND images. (#12558)
+* Images: Bump Alpine to v3.21. (#12529)
+* Docs: Add guide on how to set a Maintenance Page. (#12526)
+* rikatz is stepping down (#12517)
+* rikatz is stepping down (#12495)
+* Go: Bump to v1.23.4. (#12484)
+* Plugin: Bump `goreleaser` to v2. (#12441)
+* GitHub: Fix `exec` in issue template. (#12388)
+* CI: Update KIND images. (#12365)
+* Images: Bump `gcb-docker-gcloud` to v20241110-72bb0b1665. (#12343)
+* Go: Bump to v1.23.3. (#12338)
+* Auth TLS: Add `_` to redirect RegEx. (#12327)
+* Auth TLS: Improve redirect RegEx. (#12322)
+* Update custom headers annotation documentation (#12319)
+* Tests: Bump `e2e-test-runner` to v20241104-02a3933e. (#12313)
+* Images: Trigger `test-runner` build. (#12306)
+* Config: Fix panic on invalid `lua-shared-dict`. (#12284)
+* Docs: fix limit-rate-after references (#12279)
+* Chart: Rework ServiceMonitor. (#12270)
+* Chart: Add ServiceAccount tests. (#12264)
+* CI: Fix chart testing. (#12259)
+* [fix] fix nginx temp configs cleanup (#12223)
+* Chart: Suggest `matchLabelKeys` in Topology Spread Constraints. (#12203)
+* Docs: Add Pod Security Admission. (#12197)
+* Docs: Clarify external & service port in TCP/UDP services explanation. (#12193)
+* Docs: Goodbye, v1.10. (#12159)
+
+### Dependency updates:
+
+* Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#12567)
+* Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 (#12556)
+* Bump k8s.io/code-generator from 0.31.3 to 0.32.0 (#12551)
+* Bump k8s.io/cli-runtime from 0.31.3 to 0.32.0 (#12548)
+* Bump k8s.io/apiserver from 0.31.3 to 0.32.0 (#12545)
+* Bump the actions group with 2 updates (#12542)
+* Bump google.golang.org/grpc from 1.68.1 to 1.69.2 (#12539)
+* Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#12513)
+* Bump github.com/opencontainers/runc from 1.2.2 to 1.2.3 in the go group across 1 directory (#12510)
+* Bump the actions group with 3 updates (#12507)
+* Bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 in /images/kube-webhook-certgen/rootfs (#12503)
+* Bump k8s.io/apimachinery from 0.31.3 to 0.32.0 in /images/ext-auth-example-authsvc/rootfs (#12500)
+* Bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#12477)
+* Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /magefiles (#12475)
+* Bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#12465)
+* Bump github/codeql-action from 3.27.5 to 3.27.6 in the actions group (#12462)
+* Bump the go group across 1 directory with 2 updates (#12458)
+* Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 (#12427)
+* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12417)
+* Bump the go group across 3 directories with 10 updates (#12415)
+* Bump the actions group with 3 updates (#12411)
+* Bump github.com/opencontainers/runc from 1.2.1 to 1.2.2 in the go group across 1 directory (#12381)
+* Bump github/codeql-action from 3.27.1 to 3.27.4 in the actions group (#12374)
+* Bump golangci-lint on actions and disable deprecated linters (#12362)
+* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#12355)
+* Bump the actions group with 3 updates (#12352)
+* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#12350)
+* Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#12298)
+* Bump github.com/opencontainers/runc from 1.2.0 to 1.2.1 in the go group across 1 directory (#12295)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 (#12289)
+* Bump actions/dependency-review-action from 4.3.5 to 4.4.0 in the actions group (#12274)
+* Bump the go group across 3 directories with 11 updates (#12245)
+* Bump github.com/opencontainers/runc from 1.1.15 to 1.2.0 (#12239)
+* Bump the actions group with 5 updates (#12240)
+* Bump github.com/ncabatoff/process-exporter from 0.8.3 to 0.8.4 in the go group across 1 directory (#12220)
+* Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 in the actions group (#12216)
+* Bump github/codeql-action from 3.26.12 to 3.26.13 in the actions group (#12190)
+* Bump the go group across 2 directories with 1 update (#12187)
+* Bump the actions group with 2 updates (#12181)
+* Bump github.com/opencontainers/runc from 1.1.14 to 1.1.15 in the go group across 1 directory (#12179)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.3...controller-v1.11.4
--- a/changelog/controller-1.12.0-beta.0.md
+++ b/changelog/controller-1.12.0-beta.0.md
@ -0,0 +1,216 @@
+# Changelog
+
+### controller-v1.12.0-beta.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.12.0-beta.0@sha256:9724476b928967173d501040631b23ba07f47073999e80e34b120e8db5f234d5
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.0-beta.0@sha256:6e2f8f52e1f2571ff65bc4fc4826d5282d5def5835ec4ab433dcb8e659b2fbac
+
+### All changes:
+
+* Images: Trigger controller build. (#12154)
+* ⚠️ Metrics: Disable by default. (#12153) ⚠️
+
+  This changes the default of the following CLI arguments:
+
+  * `--enable-metrics` gets disabled by default.
+
+* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12147)
+* Images: Trigger `e2e-test-echo` build. (#12140)
+* ⚠️ Images: Drop `s390x`. (#12137) ⚠️
+
+  Support for the `s390x` architecture has already been removed from the controller image. This also removes it from the NGINX base image and CI relevant images.
+
+* Images: Build `s390x` controller. (#12126)
+* Chart: Bump Kube Webhook CertGen. (#12119)
+* Tests & Docs: Bump images. (#12118)
+* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12113)
+* Images: Trigger other builds. (#12110)
+* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12103)
+* Images: Trigger `test-runner` build. (#12100)
+* Docs: Add a multi-tenant warning. (#12091)
+* Go: Bump to v1.22.8. (#12069)
+* Images: Bump `NGINX_BASE` to v1.0.0. (#12066)
+* Images: Trigger NGINX build. (#12063)
+* Images: Remove NGINX v1.21. (#12031)
+* Chart: Add `controller.metrics.service.enabled`. (#12056)
+* GitHub: Improve Dependabot. (#12033)
+* Chart: Add `global.image.registry`. (#12028)
+* ⚠️ Images: Remove OpenTelemetry. (#12024) ⚠️
+
+  OpenTelemetry is still supported, but since the module is built into the controller image since v1.10, we hereby remove the init container and image which were used to install it upon controller startup.
+
+* Chart: Improve CI. (#12003)
+* Chart: Extend image tests. (#12025)
+* Chart: Add `controller.progressDeadlineSeconds`. (#12017)
+* Docs: Add health check annotations for AWS. (#12018)
+* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12005)
+* Chart: Implement `unhealthyPodEvictionPolicy`. (#11992)
+* Chart: Add `defaultBackend.maxUnavailable`. (#11995)
+* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12000)
+* Chart: Align default backend `PodDisruptionBudget`. (#11993)
+* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#10274)
+* ⚠️ Chart: Remove Pod Security Policy. (#11971) ⚠️
+
+  This removes Pod Security Policies and related resources from the chart.
+
+* Chart: Improve default backend service account. (#11972)
+* Go: Bump to v1.22.7. (#11943)
+* NGINX: Remove inline Lua from template. (#11806)
+* Images: Bump OpenTelemetry C++ Contrib. (#11629)
+* Docs: Add note about `--watch-namespace`. (#11947)
+* Images: Use latest Alpine 3.20 everywhere. (#11944)
+* Fix minor typos (#11935)
+* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11931)
+* Allow any protocol for cors origins (#11153)
+* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11919)
+* Images: Trigger `test-runner` build. (#11916)
+* Chart: Add `controller.metrics.prometheusRule.annotations`. (#11849)
+* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11883)
+* Annotations: Allow commas in URLs. (#11882)
+* CI: Grant checks write permissions to E2E Test Report. (#11862)
+* Chart: Use generic values for `ConfigMap` test. (#11877)
+* Security: Follow-up on recent changes. (#11874)
+* Lua: Remove plugins from `.luacheckrc` & E2E docs. (#11872)
+* Dashboard: Remove `ingress_upstream_latency_seconds`. (#11878)
+* Metrics: Add `--metrics-per-undefined-host` argument. (#11818)
+* Update maxmind post link about geolite2 license changes (#11861)
+* ⚠️ Remove global-rate-limit feature (#11851) ⚠️
+
+  This removes the following configuration options:
+
+  * `global-rate-limit-memcached-host`
+  * `global-rate-limit-memcached-port`
+  * `global-rate-limit-memcached-connect-timeout`
+  * `global-rate-limit-memcached-max-idle-timeout`
+  * `global-rate-limit-memcached-pool-size`
+  * `global-rate-limit-status-code`
+
+  It also removes the following annotations:
+
+  * `global-rate-limit`
+  * `global-rate-limit-window`
+  * `global-rate-limit-key`
+  * `global-rate-limit-ignored-cidrs`
+
+* Revert "docs: Add deployment for AWS NLB Proxy." (#11857)
+* Add custom code handling for temporal redirect (#10651)
+* Add native histogram support for histogram metrics (#9971)
+* Replace deprecated queue method (#11853)
+* ⚠️ Enable security features by default (#11819) ⚠️
+
+  This changes the default of the following CLI arguments:
+
+  * `--enable-annotation-validation` gets enabled by default.
+
+  It also changes the default of the following configuration options:
+
+  * `allow-cross-namespace-resources` gets disabled by default.
+  * `annotations-risk-level` gets lowered to "High" by default.
+  * `strict-validate-path-type` gets enabled by default.
+
+* docs: Add deployment for AWS NLB Proxy. (#9565)
+* ⚠️ Remove 3rd party lua plugin support (#11821) ⚠️
+
+  This removes the following configuration options:
+
+  * `plugins`
+
+  It also removes support for user provided Lua plugins in the `/etc/nginx/lua/plugins` directory.
+
+* Auto-generate annotation docs (#11820)
+* ⚠️ Metrics: Remove `ingress_upstream_latency_seconds`. (#11795) ⚠️
+
+  This metric has already been deprecated and is now getting removed.
+
+* Release controller v1.11.2/v1.10.4 & chart v4.11.2/v4.10.4. (#11816)
+* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11809)
+* Tests & Docs: Bump images. (#11803)
+* Images: Trigger failed builds. (#11800)
+* Images: Trigger other builds. (#11796)
+* Controller: Fix panic in alternative backend merging. (#11789)
+* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11788)
+* Images: Trigger `test-runner` build. (#11785)
+* Images: Bump `NGINX_BASE` to v0.0.12. (#11782)
+* Images: Trigger NGINX build. (#11779)
+* Cloud Build: Add missing config, remove unused ones. (#11774)
+* Cloud Build: Tweak timeouts. (#11761)
+* Cloud Build: Fix substitutions. (#11758)
+* Cloud Build: Some chores. (#11633)
+* Go: Bump to v1.22.6. (#11747)
+* Images: Bump `NGINX_BASE` to v0.0.11. (#11741)
+* Images: Trigger NGINX build. (#11735)
+* docs: update OpenSSL Roadmap link (#11730)
+* Go: Bump to v1.22.5. (#11634)
+* Docs: Fix typo in AWS LB Controller reference (#11723)
+* Perform some cleaning operations on line breaks. (#11720)
+* Missing anchors in regular expression. (#11717)
+* Docs: Fix `from-to-www` redirect description. (#11712)
+* Chart: Remove `isControllerTagValid`. (#11710)
+* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11702)
+* Chart: Explicitly set `runAsGroup`. (#11679)
+* Docs: Clarify `from-to-www` redirect direction. (#11682)
+* added real-client-ip faq (#11663)
+* Docs: Format NGINX configuration table. (#11659)
+* Release controller v1.11.1/v1.10.3 & chart v4.11.1/v4.10.3. (#11654)
+* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11645)
+* Images: Trigger `test-runner` build. (#11636)
+* Images: Bump `NGINX_BASE` to v0.0.10. (#11635)
+* remove modsecurity coreruleset test files from nginx image (#11617)
+* unskip the ocsp tests and update images to fix cfssl bug (#11606)
+* Fix indent in YAML for example pod (#11598)
+* Images: Bump `test-runner`. (#11600)
+* Images: Bump `NGINX_BASE` to v0.0.9. (#11599)
+* revert module upgrade (#11594)
+* README: Fix support matrix. (#11586)
+* Repository: Add changelogs from `release-v1.10`. (#11587)
+
+### Dependency updates:
+
+* Bump the actions group with 3 updates (#12152)
+* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12107)
+* Bump the actions group with 3 updates (#12092)
+* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12062)
+* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12060)
+* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12059)
+* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12061)
+* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12051)
+* Bump the go group across 1 directory with 3 updates (#12050)
+* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12043)
+* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12041)
+* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12040)
+* Bump the all group with 2 updates (#12032)
+* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12010)
+* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12009)
+* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12008)
+* Bump the all group with 2 updates (#11977)
+* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11976)
+* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11954)
+* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11955)
+* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11953)
+* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11928)
+* Bump the all group with 2 updates (#11922)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11901)
+* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11902)
+* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11903)
+* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11904)
+* Bump the all group with 2 updates (#11865)
+* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11867)
+* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11832)
+* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11823)
+* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11822)
+* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11825)
+* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11826)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11766)
+* Bump the all group with 2 updates (#11767)
+* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11765)
+* Bump the all group with 3 updates (#11727)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11696)
+* Bump the all group with 2 updates (#11695)
+* Bump the all group with 4 updates (#11673)
+* Bump the all group with 2 updates (#11672)
+* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11522)
+* Bump the all group with 5 updates (#11611)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.0...controller-v1.12.0-beta.0
--- a/changelog/controller-1.12.0.md
+++ b/changelog/controller-1.12.0.md
@ -0,0 +1,294 @@
+# Changelog
+
+### controller-v1.12.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.0@sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3
+
+### All changes:
+
+* Images: Trigger controller build. (#12609)
+* Chart: Bump Kube Webhook CertGen. (#12606)
+* Tests & Docs: Bump images. (#12603)
+* Images: Trigger other builds (2/2). (#12599)
+* Images: Trigger other builds (1/2). (#12595)
+* Tests: Bump `e2e-test-runner` to v20241224-68ed4e7b. (#12590)
+* Images: Trigger `test-runner` build. (#12587)
+* Images: Bump `NGINX_BASE` to v1.1.0. (#12582)
+* Images: Trigger NGINX build. (#12579)
+* Go: Clean `go.work.sum`. (#12573)
+* Repository: Update owners. (#12568)
+* Images: Bump `gcb-docker-gcloud` to v20241217-ff46a068cd. (#12561)
+* CI: Update KIND images. (#12560)
+* Images: Bump Alpine to v3.21. (#12528)
+* Docs: Add guide on how to set a Maintenance Page. (#12525)
+* rikatz is stepping down (#12516)
+* rikatz is stepping down (#12494)
+* Go: Bump to v1.23.4. (#12483)
+* Plugin: Bump `goreleaser` to v2. (#12440)
+* GitHub: Fix `exec` in issue template. (#12387)
+* CI: Update KIND images. (#12367)
+* Images: Bump `gcb-docker-gcloud` to v20241110-72bb0b1665. (#12342)
+* Go: Bump to v1.23.3. (#12337)
+* Auth TLS: Add `_` to redirect RegEx. (#12326)
+* Auth TLS: Improve redirect RegEx. (#12323)
+* Update custom headers annotation documentation (#12318)
+* Tests: Bump `e2e-test-runner` to v20241104-02a3933e. (#12312)
+* Docs: Add CPU usage note for `--metrics-per-undefined-host`. (#12310)
+* Images: Trigger `test-runner` build. (#12308)
+* Config: Fix panic on invalid `lua-shared-dict`. (#12283)
+* Docs: fix limit-rate-after references (#12278)
+* Chart: Rework ServiceMonitor. (#12269)
+* Chart: Add ServiceAccount tests. (#12263)
+* CI: Fix chart testing. (#12258)
+* [fix] fix nginx temp configs cleanup (#12225)
+* Chart: Suggest `matchLabelKeys` in Topology Spread Constraints. (#12202)
+* Docs: Add Pod Security Admission. (#12195)
+* Docs: Clarify external & service port in TCP/UDP services explanation. (#12192)
+* Images: Trigger controller build. (#12154)
+* ⚠️ Metrics: Disable by default. (#12153) ⚠️
+
+  This changes the default of the following CLI arguments:
+
+  * `--enable-metrics` gets disabled by default.
+
+* Tests & Docs: Bump `e2e-test-echo` to v1.0.1. (#12147)
+* Images: Trigger `e2e-test-echo` build. (#12140)
+* ⚠️ Images: Drop `s390x`. (#12137) ⚠️
+
+  Support for the `s390x` architecture has already been removed from the controller image. This also removes it from the NGINX base image and CI relevant images.
+
+* Images: Build `s390x` controller. (#12126)
+* Chart: Bump Kube Webhook CertGen. (#12119)
+* Tests & Docs: Bump images. (#12118)
+* Cloud Build: Bump `gcb-docker-gcloud` to v20240718-5ef92b5c36. (#12113)
+* Images: Trigger other builds. (#12110)
+* Tests: Bump `e2e-test-runner` to v20241004-114a6abb. (#12103)
+* Images: Trigger `test-runner` build. (#12100)
+* Docs: Add a multi-tenant warning. (#12091)
+* Go: Bump to v1.22.8. (#12069)
+* Images: Bump `NGINX_BASE` to v1.0.0. (#12066)
+* Images: Trigger NGINX build. (#12063)
+* Images: Remove NGINX v1.21. (#12031)
+* Chart: Add `controller.metrics.service.enabled`. (#12056)
+* GitHub: Improve Dependabot. (#12033)
+* Chart: Add `global.image.registry`. (#12028)
+* ⚠️ Images: Remove OpenTelemetry. (#12024) ⚠️
+
+  OpenTelemetry is still supported, but since the module is built into the controller image since v1.10, we hereby remove the init container and image which were used to install it upon controller startup.
+
+* Chart: Improve CI. (#12003)
+* Chart: Extend image tests. (#12025)
+* Chart: Add `controller.progressDeadlineSeconds`. (#12017)
+* Docs: Add health check annotations for AWS. (#12018)
+* Docs: Convert `opentelemetry.md` from CRLF to LF. (#12005)
+* Chart: Implement `unhealthyPodEvictionPolicy`. (#11992)
+* Chart: Add `defaultBackend.maxUnavailable`. (#11995)
+* Chart: Test `controller.minAvailable` & `controller.maxUnavailable`. (#12000)
+* Chart: Align default backend `PodDisruptionBudget`. (#11993)
+* Metrics: Fix namespace in `nginx_ingress_controller_ssl_expire_time_seconds`. (#10274)
+* ⚠️ Chart: Remove Pod Security Policy. (#11971) ⚠️
+
+  This removes Pod Security Policies and related resources from the chart.
+
+* Chart: Improve default backend service account. (#11972)
+* Go: Bump to v1.22.7. (#11943)
+* NGINX: Remove inline Lua from template. (#11806)
+* Images: Bump OpenTelemetry C++ Contrib. (#11629)
+* Docs: Add note about `--watch-namespace`. (#11947)
+* Images: Use latest Alpine 3.20 everywhere. (#11944)
+* Fix minor typos (#11935)
+* Chart: Implement `controller.admissionWebhooks.service.servicePort`. (#11931)
+* Allow any protocol for cors origins (#11153)
+* Tests: Bump `e2e-test-runner` to v20240829-2c421762. (#11919)
+* Images: Trigger `test-runner` build. (#11916)
+* Chart: Add `controller.metrics.prometheusRule.annotations`. (#11849)
+* Chart: Add tests for `PrometheusRule` & `ServiceMonitor`. (#11883)
+* Annotations: Allow commas in URLs. (#11882)
+* CI: Grant checks write permissions to E2E Test Report. (#11862)
+* Chart: Use generic values for `ConfigMap` test. (#11877)
+* Security: Follow-up on recent changes. (#11874)
+* Lua: Remove plugins from `.luacheckrc` & E2E docs. (#11872)
+* Dashboard: Remove `ingress_upstream_latency_seconds`. (#11878)
+* Metrics: Add `--metrics-per-undefined-host` argument. (#11818)
+* Update maxmind post link about geolite2 license changes (#11861)
+* ⚠️ Remove global-rate-limit feature (#11851) ⚠️
+
+  This removes the following configuration options:
+
+  * `global-rate-limit-memcached-host`
+  * `global-rate-limit-memcached-port`
+  * `global-rate-limit-memcached-connect-timeout`
+  * `global-rate-limit-memcached-max-idle-timeout`
+  * `global-rate-limit-memcached-pool-size`
+  * `global-rate-limit-status-code`
+
+  It also removes the following annotations:
+
+  * `global-rate-limit`
+  * `global-rate-limit-window`
+  * `global-rate-limit-key`
+  * `global-rate-limit-ignored-cidrs`
+
+* Revert "docs: Add deployment for AWS NLB Proxy." (#11857)
+* Add custom code handling for temporal redirect (#10651)
+* Add native histogram support for histogram metrics (#9971)
+* Replace deprecated queue method (#11853)
+* ⚠️ Enable security features by default (#11819) ⚠️
+
+  This changes the default of the following CLI arguments:
+
+  * `--enable-annotation-validation` gets enabled by default.
+
+  It also changes the default of the following configuration options:
+
+  * `allow-cross-namespace-resources` gets disabled by default.
+  * `annotations-risk-level` gets lowered to "High" by default.
+  * `strict-validate-path-type` gets enabled by default.
+
+* docs: Add deployment for AWS NLB Proxy. (#9565)
+* ⚠️ Remove 3rd party lua plugin support (#11821) ⚠️
+
+  This removes the following configuration options:
+
+  * `plugins`
+
+  It also removes support for user provided Lua plugins in the `/etc/nginx/lua/plugins` directory.
+
+* Auto-generate annotation docs (#11820)
+* ⚠️ Metrics: Remove `ingress_upstream_latency_seconds`. (#11795) ⚠️
+
+  This metric has already been deprecated and is now getting removed.
+
+* Release controller v1.11.2/v1.10.4 & chart v4.11.2/v4.10.4. (#11816)
+* Chart: Bump Kube Webhook CertGen & OpenTelemetry. (#11809)
+* Tests & Docs: Bump images. (#11803)
+* Images: Trigger failed builds. (#11800)
+* Images: Trigger other builds. (#11796)
+* Controller: Fix panic in alternative backend merging. (#11789)
+* Tests: Bump `e2e-test-runner` to v20240812-3f0129aa. (#11788)
+* Images: Trigger `test-runner` build. (#11785)
+* Images: Bump `NGINX_BASE` to v0.0.12. (#11782)
+* Images: Trigger NGINX build. (#11779)
+* Cloud Build: Add missing config, remove unused ones. (#11774)
+* Cloud Build: Tweak timeouts. (#11761)
+* Cloud Build: Fix substitutions. (#11758)
+* Cloud Build: Some chores. (#11633)
+* Go: Bump to v1.22.6. (#11747)
+* Images: Bump `NGINX_BASE` to v0.0.11. (#11741)
+* Images: Trigger NGINX build. (#11735)
+* docs: update OpenSSL Roadmap link (#11730)
+* Go: Bump to v1.22.5. (#11634)
+* Docs: Fix typo in AWS LB Controller reference (#11723)
+* Perform some cleaning operations on line breaks. (#11720)
+* Missing anchors in regular expression. (#11717)
+* Docs: Fix `from-to-www` redirect description. (#11712)
+* Chart: Remove `isControllerTagValid`. (#11710)
+* Tests: Bump `e2e-test-runner` to v20240729-04899b27. (#11702)
+* Chart: Explicitly set `runAsGroup`. (#11679)
+* Docs: Clarify `from-to-www` redirect direction. (#11682)
+* added real-client-ip faq (#11663)
+* Docs: Format NGINX configuration table. (#11659)
+* Release controller v1.11.1/v1.10.3 & chart v4.11.1/v4.10.3. (#11654)
+* Tests: Bump `test-runner` to v20240717-1fe74b5f. (#11645)
+* Images: Trigger `test-runner` build. (#11636)
+* Images: Bump `NGINX_BASE` to v0.0.10. (#11635)
+* remove modsecurity coreruleset test files from nginx image (#11617)
+* unskip the ocsp tests and update images to fix cfssl bug (#11606)
+* Fix indent in YAML for example pod (#11598)
+* Images: Bump `test-runner`. (#11600)
+* Images: Bump `NGINX_BASE` to v0.0.9. (#11599)
+* revert module upgrade (#11594)
+* README: Fix support matrix. (#11586)
+* Repository: Add changelogs from `release-v1.10`. (#11587)
+
+### Dependency updates:
+
+* Bump k8s.io/apiextensions-apiserver from 0.31.3 to 0.32.0 (#12566)
+* Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 (#12555)
+* Bump k8s.io/code-generator from 0.31.3 to 0.32.0 (#12550)
+* Bump k8s.io/cli-runtime from 0.31.3 to 0.32.0 (#12547)
+* Bump k8s.io/apiserver from 0.31.3 to 0.32.0 (#12544)
+* Bump the actions group with 2 updates (#12541)
+* Bump google.golang.org/grpc from 1.68.1 to 1.69.2 (#12538)
+* Bump k8s.io/client-go from 0.31.3 to 0.32.0 (#12512)
+* Bump github.com/opencontainers/runc from 1.2.2 to 1.2.3 in the go group across 1 directory (#12509)
+* Bump the actions group with 3 updates (#12506)
+* Bump k8s.io/kube-aggregator from 0.31.3 to 0.32.0 in /images/kube-webhook-certgen/rootfs (#12505)
+* Bump k8s.io/apimachinery from 0.31.3 to 0.32.0 in /images/ext-auth-example-authsvc/rootfs (#12502)
+* Bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#12476)
+* Bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /magefiles (#12472)
+* Bump github.com/prometheus/common from 0.60.1 to 0.61.0 (#12464)
+* Bump github/codeql-action from 3.27.5 to 3.27.6 in the actions group (#12461)
+* Bump the go group across 1 directory with 2 updates (#12460)
+* Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 (#12426)
+* Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12418)
+* Bump the go group across 3 directories with 10 updates (#12413)
+* Bump the actions group with 3 updates (#12412)
+* Bump github.com/opencontainers/runc from 1.2.1 to 1.2.2 in the go group across 1 directory (#12380)
+* Bump github/codeql-action from 3.27.1 to 3.27.4 in the actions group (#12373)
+* Bump golangci-lint on actions and disable deprecated linters (#12361)
+* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#12357)
+* Bump the actions group with 3 updates (#12354)
+* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#12349)
+* Bump github.com/fsnotify/fsnotify from 1.7.0 to 1.8.0 (#12299)
+* Bump github.com/opencontainers/runc from 1.2.0 to 1.2.1 in the go group across 1 directory (#12296)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 (#12288)
+* Bump actions/dependency-review-action from 4.3.5 to 4.4.0 in the actions group (#12273)
+* Bump the go group across 3 directories with 11 updates (#12244)
+* Bump github.com/opencontainers/runc from 1.1.15 to 1.2.0 (#12242)
+* Bump the actions group with 5 updates (#12236)
+* Bump github.com/ncabatoff/process-exporter from 0.8.3 to 0.8.4 in the go group across 1 directory (#12218)
+* Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 in the actions group (#12217)
+* Bump github/codeql-action from 3.26.12 to 3.26.13 in the actions group (#12188)
+* Bump the go group across 2 directories with 1 update (#12186)
+* Bump the actions group with 2 updates (#12180)
+* Bump github.com/opencontainers/runc from 1.1.14 to 1.1.15 in the go group across 1 directory (#12178)
+* Bump the actions group with 3 updates (#12152)
+* Bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#12107)
+* Bump the actions group with 3 updates (#12092)
+* Bump sigs.k8s.io/mdtoc from 1.1.0 to 1.4.0 (#12062)
+* Bump github.com/prometheus/common from 0.59.1 to 0.60.0 (#12060)
+* Bump google.golang.org/grpc from 1.67.0 to 1.67.1 in the go group across 1 directory (#12059)
+* Bump k8s.io/cli-runtime from 0.30.0 to 0.31.1 (#12061)
+* Bump github/codeql-action from 3.26.9 to 3.26.10 in the actions group (#12051)
+* Bump the go group across 1 directory with 3 updates (#12050)
+* Bump k8s.io/kube-aggregator from 0.29.3 to 0.31.1 in /images/kube-webhook-certgen/rootfs (#12043)
+* Bump k8s.io/apimachinery from 0.23.1 to 0.31.1 in /images/ext-auth-example-authsvc/rootfs (#12041)
+* Bump github.com/prometheus/client_golang from 1.11.1 to 1.20.4 in /images/custom-error-pages/rootfs (#12040)
+* Bump the all group with 2 updates (#12032)
+* Bump github/codeql-action from 3.26.7 to 3.26.8 in the all group (#12010)
+* Bump google.golang.org/grpc from 1.66.2 to 1.67.0 (#12009)
+* Bump github.com/prometheus/client_golang from 1.20.3 to 1.20.4 in the all group (#12008)
+* Bump the all group with 2 updates (#11977)
+* Bump github/codeql-action from 3.26.6 to 3.26.7 in the all group (#11976)
+* Bump github.com/prometheus/common from 0.57.0 to 0.59.1 (#11954)
+* Bump golang.org/x/crypto from 0.26.0 to 0.27.0 (#11955)
+* Bump github.com/prometheus/client_golang from 1.20.2 to 1.20.3 in the all group (#11953)
+* Bump github.com/opencontainers/runc from 1.1.13 to 1.1.14 (#11928)
+* Bump the all group with 2 updates (#11922)
+* Bump github.com/onsi/ginkgo/v2 from 2.20.1 to 2.20.2 in the all group (#11901)
+* Bump google.golang.org/grpc from 1.65.0 to 1.66.0 (#11902)
+* Bump github.com/prometheus/common from 0.55.0 to 0.57.0 (#11903)
+* Bump github/codeql-action from 3.26.5 to 3.26.6 in the all group (#11904)
+* Bump the all group with 2 updates (#11865)
+* Bump github/codeql-action from 3.26.2 to 3.26.5 in the all group (#11867)
+* Bump github.com/prometheus/client_golang from 1.19.1 to 1.20.1 (#11832)
+* Bump sigs.k8s.io/controller-runtime from 0.18.4 to 0.19.0 (#11823)
+* Bump dario.cat/mergo from 1.0.0 to 1.0.1 in the all group (#11822)
+* Bump k8s.io/component-base from 0.30.3 to 0.31.0 (#11825)
+* Bump github/codeql-action from 3.26.0 to 3.26.2 in the all group (#11826)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 (#11766)
+* Bump the all group with 2 updates (#11767)
+* Bump golang.org/x/crypto from 0.25.0 to 0.26.0 (#11765)
+* Bump the all group with 3 updates (#11727)
+* Bump github.com/onsi/ginkgo/v2 from 2.19.0 to 2.19.1 in the all group (#11696)
+* Bump the all group with 2 updates (#11695)
+* Bump the all group with 4 updates (#11673)
+* Bump the all group with 2 updates (#11672)
+* Bump github.com/prometheus/common from 0.54.0 to 0.55.0 (#11522)
+* Bump the all group with 5 updates (#11611)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.11.0...controller-v1.12.0
--- a/changelog/controller-1.6.4.md
+++ b/changelog/controller-1.6.4.md
@ -0,0 +1,138 @@
+# Changelog
+
+### 1.6.4
+
+Images:
+
+* registry.k8s.io/controller:controller-v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f
+* registry.k8s.io/controller-chroot:controller-v1.6.4@sha256:0de01e2c316c3ca7847ca13b32d077af7910d07f21a4a82f81061839764f8f81
+
+### All changes:
+
+* remove tests and regex path checks (#9626)
+* Fix incorrect annotation name in upstream hashing configuration (#9617)
+* Release docs for Controller v1.6.3 and Helm v4.5.0 (#9614)
+* Revert Implement pathType validation (#9511) (#9607)
+* update history and allow to pass a target test  (#9605)
+* Allow to pass a target test (#9542)
+* Replace deprecated command with environment file (#9581)
+* build 1.6.2 to fix (#9569)
+* add lint on chart before release (#9570)
+* tcpproxy: increase buffer size to 16K (#9548)
+* Move and spell-check Kubernetes 1.22 migration FAQ (#9544)
+* Add CORS template check inside location for externalAuth.SignURL (#8814)
+* fix(grafana-dashboard): remove hardcoded namespace references (#9523)
+* Replace deprecated command with environment file (#9581)
+* add lint on chart before release (#9570)
+* Switch logic on path type validation and setting it to false (#9543)
+* tcpproxy: increase buffer size to 16K (#9548)
+* Move and spell-check Kubernetes 1.22 migration FAQ (#9544)
+* Add CORS template check inside location for externalAuth.SignURL (#8814)
+* fix(grafana-dashboard): remove hardcoded namespace references (#9523)
+* Align default value for keepalive_request with NGINX default (#9518)
+* feat(configmap): expose gzip-disable (#9505)
+* Values: Add missing `controller.metrics.service.labels`. (#9501)
+* Add docs about orphan_ingress metric (#9514)
+* Add new prometheus metric for orphaned ingress (#8230)
+* Sanitise request metrics in monitoring docs (#9384)
+* Change default value of enable-brotli (#9500)
+* feat: support topology aware hints (#9165)
+* Remove 1.5.2 from readme (#9498)
+* Remove nonexistent load flag from docker build commands (#9122)
+* added option to disable sync event creation (#8528)
+* Add buildResolvers to the stream module (#9184)
+* fix: disable auth access logs (#9049)
+* Adding ipdenylist annotation (#8795)
+* Add update updateStrategy and minReadySeconds for defaultBackend (#8506)
+* Fix indentation on serviceAccount annotation (#9129)
+* Update monitoring.md (#9269)
+* add github actions stale bot (#9439)
+* Admission Webhooks/Job: Add `NetworkPolicy`. (#9218)
+* update OpenTelemetry image (#9491)
+* bump OpenTelemetry (#9489)
+* Optional podman support (#9294)
+* fix change images (#9463)
+* move tests to gh actions (#9461)
+* Automated Release Controller 1.5.2 (#9455)
+* Add sslpassthrough tests (#9457)
+* updated the link in RELEASE.md file (#9456)
+* restart 1.5.2 release process (#9450)
+* Update command line arguments documentation (#9224)
+* start release 1.5.2 (#9445)
+* upgrade nginx base image (#9436)
+* test the new e2e test images (#9444)
+* avoid builds and tests for non-code changes (#9392)
+* CI updates (#9440)
+* HPA: Add `controller.autoscaling.annotations` to `values.yaml`. (#9253)
+* update the nginx run container for alpine:3.17.0 (#9430)
+* cleanup: remove ioutil for new go version (#9427)
+* start upgrade to golang 1.19.4 and alpine 3.17.0 (#9417)
+* ci: remove setup-helm step (#9404)
+* ci: remove setup-kind step (#9401)
+* Add reporter for all tests (#9395)
+* added action for issues to project (#9386)
+* doc: update NEW_CONTRIBUTOR.md (#9381)
+* feat(helm): Optionally use cert-manager instead admission patch (#9279)
+* integrated junit-reports with ghactions (#9361)
+* [user-guide configmap] fix doc for global-auth-snippet (#9372)
+* update OpenTelemetry image (#9308)
+* fix: missing CORS headers when auth fails (#9251)
+* Fix styling in canary annotation docs. (#9259)
+* resolved ginkgo deprecation message (#9365)
+* Enable profiler-address to be configured (#9311)
+* ModSecurity dependencies update to avoid Memory Leaks (#9330)
+* fix(hpa): deprecated api version, bump to v2 (#9348)
+* fix(typo): pluralize provider (#9346)
+* removed deprecation message for ingressClass annotation (#9357)
+* added ginkgo junit reports (#9350)
+* Fix typos found by codespell (#9353)
+* bumped ginkgo to v2.5.1 in testrunner (#9340)
+* create nsswitch-conf if missing (#9339)
+* remove the configmap related permissions (#9310)
+* remove hardcoded datasource from grafana dashboard (#9284)
+* update gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b to 3.0.0 (#9277)
+* added SAN to cert create command (#9295)
+* Missing controller.ingressClass (#9304)
+* OpenTelemetry static linking (#9286)
+* Fixed indentation in commented-out autoscaling (#9225)
+* run helm release on main only and when the chart/value changes only (#9290)
+* fix broken annotation yaml (#9243)
+* PDB: Add `maxUnavailable`. (#9278)
+* add containerSecurityContext to extraModules init containers (kubernetes#9016) (#9242)
+
+### Dependency updates:
+
+* Bump google.golang.org/grpc from 1.52.0 to 1.52.3 (#9555)
+* Bump k8s.io/klog/v2 from 2.80.1 to 2.90.0 (#9553)
+* Bump sigs.k8s.io/controller-runtime from 0.13.1 to 0.14.2 (#9552)
+* Bump google.golang.org/grpc from 1.51.0 to 1.52.0 (#9512)
+* Bump `client-go` to remove dependence on go-autorest dependency (#9488)
+* Bump google.golang.org/grpc from 1.52.0 to 1.52.3 (#9555)
+* Bump k8s.io/klog/v2 from 2.80.1 to 2.90.0 (#9553)
+* Bump sigs.k8s.io/controller-runtime from 0.13.1 to 0.14.2 (#9552)
+* Bump google.golang.org/grpc from 1.51.0 to 1.52.0 (#9512)
+* Bump `client-go` to remove dependence on go-autorest dependency (#9488)
+* Bump golang.org/x/crypto from 0.4.0 to 0.5.0 (#9494)
+* Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#9397)
+* Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9432)
+* Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9421)
+* Bump github/codeql-action from 2.1.36 to 2.1.37 (#9423)
+* Bump actions/checkout from 3.1.0 to 3.2.0 (#9425)
+* Bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#9426)
+* Bump actions/dependency-review-action from 3.0.1 to 3.0.2 (#9424)
+* Bump ossf/scorecard-action from 2.0.6 to 2.1.0 (#9422)
+* Bump github.com/prometheus/common from 0.37.0 to 0.39.0 (#9416)
+* Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 (#9408)
+* Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 (#9398)
+* Bump github/codeql-action from 2.1.35 to 2.1.36 (#9400)
+* Bump actions/setup-go from 3.3.1 to 3.4.0 (#9370)
+* Bump github/codeql-action from 2.1.31 to 2.1.35 (#9369)
+* Bump google.golang.org/grpc from 1.50.1 to 1.51.0 (#9316)
+* Bump github.com/prometheus/client_golang from 1.13.1 to 1.14.0 (#9298)
+* Bump actions/dependency-review-action from 3.0.0 to 3.0.1 (#9319)
+* Bump golang.org/x/crypto from 0.1.0 to 0.3.0 (#9318)
+* Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.1 (#9317)
+* Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#9301)
+* Bump k8s.io/component-base from 0.25.3 to 0.25.4 (#9300)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.1...controller-controller-v1.6.4
--- a/changelog/controller-1.7.0.md
+++ b/changelog/controller-1.7.0.md
@ -0,0 +1,80 @@
+# Changelog
+
+### 1.7.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.7.0@sha256:e84ef3b44c8efeefd8b0aa08770a886bfea1f04c53b61b4ba9a7204e9f1a7edc
+
+### All changes:
+
+* kick off 1.7.0 build (#9775)
+* Update exposing-tcp-udp-services.md (#9777)
+* feat: OpenTelemetry module integration (#9062)
+* drop k8s 1.23 support (#9772)
+* Fix canary-weight-total annotation ignored in rule backends (#9729)
+* fix: controller psp's volume config (#9740)
+* Fix several Helm YAML issues with extraModules and extraInitContainers (#9709)
+* docs(helm): fix value key in readme for enabling certManager (#9640)
+* updated digest and sha for e2e-test-echo (#9760)
+* updated digest and sha for e2e-test-fastcgi-helloserver (#9759)
+* updated digest and sha for opentelemetry (#9758)
+* updated digest and sha for e2e-test-cfssl (#9757)
+* updated kube-webhook-certgen digest and tags (#9756)
+* updated nginx-error digest and tags (#9755)
+* added upgrade ginkgo documentation for contributors (#9753)
+* changes Makefile of echo folder to trigger code-build (#9754)
+* Chart: Drop `controller.headers`, rework DH param secret. (#9659)
+* updated NGINX_BASE image with latest tag (#9747)
+* Deployment/DaemonSet: Label pods using `ingress-nginx.labels`. (#9732)
+* bumped ginkgo to v2.9.0 (#9722)
+* HPA: autoscaling/v2beta1 deprecated, bump apiVersion to v2 for defaultBackend (#9731)
+* update to golang 1.20 (#9690)
+* Indent values.yaml using 2 instead of 4 spaces (#9656)
+* fix some comments (#9688)
+* migrate mitchellh/hashstructure to v2 (#9651)
+* changed v1.6.3 to v1.6.4 on deploy docs (#9647)
+* controller: Don't panic when ready condition in a endpointslice is missing (#9550)
+* Rework Ginkgo usage (#9522)
+* code clean for fsnotify (#9571)
+* Optimize the document for readability (#9551)
+* sets.String is deprecated: use generic Set instead. new ways: s1 := Set[string]{} s2 := New[string]() (#9589)
+* Adjust the import package order and use http library variables (#9587)
+* Optimize the judgment mode to remove redundant transformations (#9588)
+* Fix rewrite example (#9633)
+* remove tests and regex path checks (#9626)
+* Fix incorrect annotation name in upstream hashing configuration (#9617)
+* Release docs for Controller v1.6.3 and Helm v4.5.0 (#9614)
+
+### Dependency updates:
+
+* Bump aquasecurity/trivy-action from 0.8.0 to 0.9.2 (#9767)
+* Bump k8s.io/component-base from 0.26.2 to 0.26.3 (#9764)
+* Bump actions/dependency-review-action from 3.0.3 to 3.0.4 (#9766)
+* Bump actions/add-to-project from 0.4.0 to 0.4.1 (#9765)
+* Bump actions/dependency-review-action from 3.0.2 to 3.0.3 (#9727)
+* Bump github.com/prometheus/common from 0.41.0 to 0.42.0 (#9724)
+* Bump golang.org/x/crypto from 0.6.0 to 0.7.0 (#9723)
+* Bump actions/download-artifact from 3.0.1 to 3.0.2 (#9721)
+* Bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0 (#9718)
+* Bump actions/upload-artifact from 3.1.1 to 3.1.2 (#9717)
+* Bump docker/setup-buildx-action from 2.2.1 to 2.5.0 (#9719)
+* Bump helm/chart-releaser-action from 1.4.1 to 1.5.0 (#9720)
+* Bump github.com/onsi/ginkgo/v2 from 2.6.1 to 2.9.0 (#9695)
+* Bump k8s.io/klog/v2 from 2.90.0 to 2.90.1 (#9694)
+* Bump golang.org/x/crypto in /magefiles (#9691)
+* Bump k8s.io/component-base from 0.26.1 to 0.26.2 (#9696)
+* Bump github.com/prometheus/common from 0.40.0 to 0.41.0 (#9698)
+* Bump sigs.k8s.io/controller-runtime from 0.14.2 to 0.14.5 (#9697)
+* Bump golang.org/x/net in /magefiles (#9692)
+* Bump golang.org/x/sys in /images/custom-error-pages/rootfs (#9671)
+* Bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (#9675)
+* Bump github.com/prometheus/common from 0.39.0 to 0.40.0 (#9653)
+* Bump golang.org/x/net from 0.6.0 to 0.7.0 (#9646)
+* Bump golang.org/x/net in /images/kube-webhook-certgen/rootfs (#9645)
+* Bump google.golang.org/grpc from 1.52.3 to 1.53.0 (#9610)
+* Bump github.com/prometheus/client_golang (#9630)
+* Bump golang.org/x/crypto from 0.5.0 to 0.6.0 (#9609)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.6.3...controller-controller-v1.7.0
--- a/changelog/controller-1.7.1.md
+++ b/changelog/controller-1.7.1.md
@ -0,0 +1,54 @@
+# Changelog
+
+### 1.7.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.7.1@sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988
+
+### All changes:
+
+* Update TAG - 1.7.1 (#9922)
+* Update dependabot to watch docker images (#9600)
+* [helm] Support custom port configuration for internal service (#9846)
+* Add support for --container flag (#9703)
+* Fix typo in OpenTelemetry (#9903)
+* ensure make lua-test runs locally (#9902)
+* update k8s.io dependencies to v0.26.4 (#9893)
+* Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803)
+* I have not been able to fulfill my maintainer responsibilities for a while already, making it official now. (#9883)
+* Update k8s versions (#9879)
+* README: Update `external-dns` link. (#9866)
+* Fastcgi configmap should be on the same namespace of ingress (#9863)
+* Deprecate and remove influxdb feature (#9861)
+* Remove deprecated annotation secure-upstream (#9862)
+* Exclude socket metrics (#9770)
+* Chart: Improve `README.md`. (#9831)
+* update all container tags with date and sha, upgrade all containers (#9834)
+* updated NGINX_BASE image in project (#9829)
+* ISO 8601 date format (#9682)
+* Values: Fix indention of commented values. (#9812)
+* The Ingress-Nginx project recently released version 1.7.0 of the controller, but the deployment documentation still referenced version 1.6.4. This commit updates the documentation to reference the latest version, ensuring that users have access to the most up-to-date information. Fixes#9787 (#9788)
+
+### Dependency updates:
+
+* Bump github.com/opencontainers/runc from 1.1.6 to 1.1.7 (#9912)
+* Bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0 (#9868)
+* Bump aquasecurity/trivy-action from 0.9.2 to 0.10.0 (#9888)
+* Bump github.com/opencontainers/runc from 1.1.5 to 1.1.6 (#9867)
+* Bump actions/checkout from 3.5.0 to 3.5.2 (#9870)
+* Bump golang.org/x/crypto from 0.7.0 to 0.8.0 (#9838)
+* Bump github.com/spf13/cobra from 1.6.1 to 1.7.0 (#9839)
+* Bump actions/add-to-project from 0.4.1 to 0.5.0 (#9840)
+* Bump actions/checkout from 3.4.0 to 3.5.0 (#9798)
+* Bump ossf/scorecard-action from 2.1.2 to 2.1.3 (#9823)
+* Bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#9806)
+* Bump actions/stale from 7.0.0 to 8.0.0 (#9799)
+* Bump rajatjindal/krew-release-bot from 0.0.43 to 0.0.46 (#9797)
+* Bump actions/setup-go from 3.5.0 to 4.0.0 (#9796)
+* Bump github.com/imdario/mergo from 0.3.13 to 0.3.15 (#9795)
+* Bump google.golang.org/grpc from 1.53.0 to 1.54.0 (#9794)
+* Bump sigs.k8s.io/controller-runtime from 0.14.5 to 0.14.6 (#9822)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.7.0...controller-controller-v1.7.1
--- a/changelog/controller-1.8.0.md
+++ b/changelog/controller-1.8.0.md
@ -0,0 +1,64 @@
+# Changelog
+
+### 1.8.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.8.0@sha256:a45e41cd2b7670adf829759878f512d4208d0aec1869dae593a0fecd09a5e49e
+
+### Important changes:
+
+* Validate path types (#9967)
+* images: upgrade to Alpine 3.18 (#9997)
+* Update documentation to reflect project name; Ingress-Nginx Controller
+
+For improving security, our 1.8.0 release includes a [new, **optional** validation ](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type) that limits the characters accepted  on ".spec paths.path" when pathType=Exact or athType=Prefix, to alphanumeric characters only.
+
+More information can be found on our [Google doc](https://docs.google.com/document/d/1HPvaEwHRuMSkXYkVIJ-w7IpijKdHfNynm_4N2Akt0CQ/edit?usp=sharing), our new [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w) or in our [docs](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type)
+
+### Community Updates
+
+We are now posting updates and release to our twitter handle, [@IngressNginx](https://twitter.com/IngressNGINX) and
+on our new [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w)
+
+### All changes:
+
+* Add legacy to OpenTelemetry migration doc (#10011)
+* changed tagsha to recent builds (#10001)
+* change to alpine318 baseimage (#10000)
+* images: upgrade to Alpine 3.18 (#9997)
+* openssl CVE fix (#9996)
+* PodDisruptionBudget spec logic update (#9904)
+* Admission warning (#9975)
+* Add OPA examples on pathType restrictions (#9992)
+* updated testrunner image tag+sha (#9987)
+* bumped ginkgo to v2.9.5 (#9985)
+* helm: Fix opentelemetry module installation for daemonset (#9792)
+* OpenTelemetry default config (#9978)
+* Correct annotations in monitoring docs (#9976)
+* fix: avoid builds and tests for changes to markdown (#9962)
+* Validate path types (#9967)
+* HPA: Use capabilities & align manifests. (#9521)
+* Use dl.k8s.io instead of hardcoded GCS URIs (#9946)
+* add option for annotations in PodDisruptionBudget (#9843)
+* chore: update httpbin to httpbun (#9919)
+* image_update (#9942)
+* Add geoname id value into $geoip2_*_geoname_id variables (#9527)
+* Update annotations.md (#9933)
+* Update charts/* to keep project name display aligned (#9931)
+* Keep project name display aligned (#9920)
+
+### Dependencies updates:
+* Bump github.com/imdario/mergo from 0.3.15 to 0.3.16 (#10008)
+* Bump github.com/prometheus/common from 0.43.0 to 0.44.0 (#10007)
+* Bump k8s.io/klog/v2 from 2.90.1 to 2.100.1 (#9913)
+* Bump github.com/onsi/ginkgo/v2 from 2.9.0 to 2.9.5 (#9980)
+* Bump golang.org/x/crypto from 0.8.0 to 0.9.0 (#9982)
+* Bump actions/setup-go from 4.0.0 to 4.0.1 (#9984)
+* Bump securego/gosec from 2.15.0 to 2.16.0 (#9983)
+* Bump github.com/prometheus/common from 0.42.0 to 0.43.0 (#9981)
+* Bump github.com/prometheus/client_model from 0.3.0 to 0.4.0 (#9937)
+* Bump google.golang.org/grpc from 1.54.0 to 1.55.0 (#9936)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.7.1...controller-controller-v1.8.0
--- a/changelog/controller-1.8.1.md
+++ b/changelog/controller-1.8.1.md
@ -0,0 +1,69 @@
+# Changelog
+
+### 1.8.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.8.1@sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627
+
+### All changes:
+
+* netlify: Only trigger preview when there are changes in docs. (#10144)
+* changed to updated baseimage and reverted tag (#10143)
+* Fix loadBalancerClass value (#10139)
+* Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)
+* Set grpc :authority header from request header (#8912)
+* bump pinned golang to 1.20.5 (#10127)
+* update test runner (#10125)
+* chore: remove echo from snippet tests (#10110)
+* Update typo in docs for lb scheme (#10117)
+* golang 1.20.5 bump (#10120)
+* feat(helm): Add loadBalancerClass (#9562)
+* chore: remove echo friom canary tests (#10089)
+* fix: obsolete warnings (#10029)
+* docs: change Dockefile url ref main (#10087)
+* Revert "Remove fastcgi feature" (#10081)
+* docs: add netlify configuration (#10073)
+* add distroless otel init (#10035)
+* chore: move httpbun to be part of framework (#9955)
+* Remove fastcgi feature (#9864)
+* Fix mirror-target values without path separator and port (#9889)
+* Adding feature to upgrade Oracle Cloud Infrastructure's Flexible Load Balancer and adjusting Health Check that were critical in the previous configuration (#9961)
+* add support for keda fallback settings (#9993)
+* unnecessary use of fmt.Sprint (S1039) (#10049)
+* chore: pkg imported more than once (#10048)
+* tracing: upgrade to dd-opentracing-cpp v1.3.7 (#10031)
+* fix: add canary to sidebar in examples (#10068)
+* docs: add lua testing documentation (#10060)
+* docs: canary weighted deployments example (#10067)
+* Update Internal Load Balancer docs (#10062)
+* fix broken kubernetes.io/user-guide/ docs links (#10055)
+* docs: Updated the content of deploy/rbac.md (#10054)
+* ensured hpa mem spec before cpu spec (#10043)
+* Fix typo in controller_test (#10034)
+* chore(dep): upgrade github.com/emicklei/go-restful/v3 to 3.10 (#10028)
+* Upgrade to Golang 1.20.4 (#10016)
+* perf: avoid unnecessary byte/string conversion (#10012)
+* added note on dns for localtesting (#10021)
+* added helmshowvalues example (#10019)
+* release controller 1.8.0 and chart 4.7.0 (#10017)
+
+### Dependency updates:
+
+* Bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#10133)
+* Bump google.golang.org/grpc from 1.56.0 to 1.56.1 (#10134)
+* Bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 (#10106)
+* Bump golang.org/x/crypto from 0.9.0 to 0.10.0 (#10105)
+* Bump google.golang.org/grpc from 1.55.0 to 1.56.0 (#10103)
+* Bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 (#10101)
+* Bump docker/setup-buildx-action from 2.6.0 to 2.7.0 (#10102)
+* Bump actions/checkout from 3.5.2 to 3.5.3 (#10076)
+* Bump docker/setup-qemu-action from 2.1.0 to 2.2.0 (#10075)
+* Bump aquasecurity/trivy-action from 0.10.0 to 0.11.2 (#10078)
+* Bump docker/setup-buildx-action from 2.5.0 to 2.6.0 (#10077)
+* Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#10042)
+* Bump github.com/stretchr/testify from 1.8.3 to 1.8.4 (#10041)
+* Bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#10005)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.8.0...controller-controller-v1.8.1
--- a/changelog/controller-1.8.2.md
+++ b/changelog/controller-1.8.2.md
@ -0,0 +1,19 @@
+# Changelog
+
+### 1.8.2
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.8.2@sha256:74834d3d25b336b62cabeb8bf7f1d788706e2cf1cfd64022de4137ade8881ff2
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.8.2@sha256:1317a563219f755a6094d990057c78e5c4dcea5e31f4ce1db8641e732a7d6133
+
+### All changes:
+
+* Release v1.8.2 and Update Go to v1.21.1 (#10379)
+* Making auth access logs optional (#10380)
+* [release-1.8] Disable Modsecurity from internal processing which affects large ingresses  (#10375)
+* promote distroless otel init image (#10270)
+* [release-1.8] Update images tags after adding git data in gcloud (#10233)
+* [release-1.8] Golang 1.20.6 for test runner (#10231)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.8.1...controller-controller-v1.8.2
--- a/changelog/controller-1.9.0-beta.0.md
+++ b/changelog/controller-1.9.0-beta.0.md
@ -0,0 +1,95 @@
+# Changelog
+
+### 1.9.0-beta.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.0-beta.0@sha256:531377e4cc9dc62af40d742402222603259673f5a755a64d74122f256dfad8f9
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.0-beta.0@sha256:60b4c95349ce2a81a3b2a76423ee483b847b89d3fa8cb148468434f606f3fa0c
+
+### All changes:
+
+* Rework mage (#10418)
+* Start release of v1.9.0 beta0 (#10407)
+* Update k8s versions on CI (#10406)
+* Add a flag to enable or disable aio_write (#10394)
+* Update external-articles.md - advanced setup with GKE/Cloud Armor/IAP (#10372)
+* Fix e2e test suite doc (#10396)
+* Disable user snippets per default (#10393)
+* Deployment/DaemonSet: Fix templating & value. (#10240)
+* Fix deferInLoop error (#10387)
+* Remove gofmt (#10385)
+* Deployment/DaemonSet: Template `topologySpreadConstraints`. (#10259)
+* release notes 1.8.2 (#10389)
+* fix: remove curl on base container #9716 (#10306)
+* Fix http default backend test (#10382)
+* Add golangci github action and replace the deprecated golint (#10187)
+* BUGFIX incorrect indentation (#10254)
+* Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352)
+* fix: path with special characters warning #10281 #10308 (#10330)
+* Fix golangci-lint errors (#10196)
+* chore(build): Fix Run make dev-env syntax error (#10294)
+* Add firewall configuration to quick start documentation (#10357)
+* Making auth access logs optional (#10335)
+* Fix “dev-env” Makefile target to work with kubectl 1.28+ (#10350)
+* fix: update action file to auto release plugin #10197 (#10321)
+* Use gzip instead of pigz in CI (#10348)
+* Disable Modsecurity from internal processing which affects large ingresses  (#10316)
+* fix: add /etc/mime.types #10309 (#10310)
+* Remove curl dependencies in e2e tests #9716 (#10296)
+* docs: swap explanation to match example (#10220)
+* ci(helm): fix Helm Chart release action 422 error (#10237)
+* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
+* Updated index.md - Fix typos (#10256)
+* Handle request_id variable correctly in auth requests (#9219)
+* test kind updates (#10272)
+* promote distroless otel init image (#10257)
+* [helm] configure allow to configure hostAliases (#10180)
+* Add rolling update strategy to each static deployment file (#10129)
+* Implement annotation validation (#9673)
+* Golang 1.20.6 for test runner (#10230)
+* [helm] pass service annotations through helm tpl engine (#10084)
+* Ignore deployment template's replicas if KEDA is enabled (#9534)
+* chore: bump OpenResty to v1.21.4.2 (#10219)
+* Scanning port 10247 lead to tcp connection 502 error (#9815)
+* revise Datadog trace sampling configuration (#10151)
+* Clarify TCP/UDP service docs (#10146)
+* Exposed continent data as  variable in the case of Maxmind city files (#10157)
+* Cleanup errcheck code (#10166)
+* Fix golang-ci linter errors (#10128)
+* Deprecate and remove AJP support (#10158)
+* release notes 1.8.1 (#10161)
+
+### Dependency updates:
+
+* Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.12.0 (#10355)
+* Bump golang.org/x/crypto from 0.12.0 to 0.13.0 (#10399)
+* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10403)
+* Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 (#10402)
+* Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#10404)
+* Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#10400)
+* Bump google.golang.org/grpc from 1.57.0 to 1.58.0 (#10398)
+* Bump actions/dependency-review-action from 3.0.8 to 3.1.0 (#10401)
+* Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 (#10373)
+* Bump github.com/cyphar/filepath-securejoin in /magefiles (#10374)
+* Bump Go version to 1.21.1 (#10377)
+* Bump Go version to 1.21.1 on testrunner (#10378)
+* Bump aquasecurity/trivy-action from 0.11.2 to 0.12.0 (#10365)
+* Bump docker/setup-buildx-action from 2.9.1 to 2.10.0 (#10353)
+* Bump actions/checkout from 3.5.3 to 3.6.0 (#10354)
+* Bump actions/dependency-review-action from 3.0.6 to 3.0.8 (#10333)
+* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10313)
+* Bump securego/gosec from 2.16.0 to 2.17.0 (#10332)
+* Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (#10314)
+* Bump github.com/opencontainers/runc from 1.1.8 to 1.1.9 (#10298)
+* Bump k8s.io/component-base from 0.26.4 to 0.27.4 (Replace Topology Aware Hints with Topology Aware Routing) (#10282)
+* Bump google.golang.org/grpc from 1.56.2 to 1.57.0 (#10258)
+* Bump golang.org/x/crypto from 0.11.0 to 0.12.0 (#10280)
+* Bump github.com/opencontainers/runc from 1.1.7 to 1.1.8 (#10244)
+* Bump google.golang.org/grpc from 1.56.1 to 1.56.2 (#10193)
+* Bump docker/setup-buildx-action from 2.9.0 to 2.9.1 (#10207)
+* Bump golang.org/x/crypto from 0.10.0 to 0.11.0 (#10192)
+* Bump docker/setup-buildx-action from 2.8.0 to 2.9.0 (#10191)
+* Bump docker/setup-buildx-action from 2.7.0 to 2.8.0 (#10165)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-release-1.8...controller-controller-v1.9.0-beta.0
--- a/changelog/controller-1.9.0.md
+++ b/changelog/controller-1.9.0.md
@ -0,0 +1,95 @@
+# Changelog
+
+### 1.9.0
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.0@sha256:c15d1a617858d90fb8f8a2dd60b0676f2bb85c54e3ed11511794b86ec30c8c60
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.0@sha256:d9fa7a136de2104fb2ecfcf1666978bfab927f4a125b75c0fb471e6104366ab5
+
+### All changes:
+
+* Rework mage (#10418)
+* Start release of v1.9.0 beta0 (#10407)
+* Update k8s versions on CI (#10406)
+* Add a flag to enable or disable aio_write (#10394)
+* Update external-articles.md - advanced setup with GKE/Cloud Armor/IAP (#10372)
+* Fix e2e test suite doc (#10396)
+* Disable user snippets per default (#10393)
+* Deployment/DaemonSet: Fix templating & value. (#10240)
+* Fix deferInLoop error (#10387)
+* Remove gofmt (#10385)
+* Deployment/DaemonSet: Template `topologySpreadConstraints`. (#10259)
+* release notes 1.8.2 (#10389)
+* fix: remove curl on base container #9716 (#10306)
+* Fix http default backend test (#10382)
+* Add golangci github action and replace the deprecated golint (#10187)
+* BUGFIX incorrect indentation (#10254)
+* Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352)
+* fix: path with special characters warning #10281 #10308 (#10330)
+* Fix golangci-lint errors (#10196)
+* chore(build): Fix Run make dev-env syntax error (#10294)
+* Add firewall configuration to quick start documentation (#10357)
+* Making auth access logs optional (#10335)
+* Fix “dev-env” Makefile target to work with kubectl 1.28+ (#10350)
+* fix: update action file to auto release plugin #10197 (#10321)
+* Use gzip instead of pigz in CI (#10348)
+* Disable Modsecurity from internal processing which affects large ingresses  (#10316)
+* fix: add /etc/mime.types #10309 (#10310)
+* Remove curl dependencies in e2e tests #9716 (#10296)
+* docs: swap explanation to match example (#10220)
+* ci(helm): fix Helm Chart release action 422 error (#10237)
+* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
+* Updated index.md - Fix typos (#10256)
+* Handle request_id variable correctly in auth requests (#9219)
+* test kind updates (#10272)
+* promote distroless otel init image (#10257)
+* [helm] configure allow to configure hostAliases (#10180)
+* Add rolling update strategy to each static deployment file (#10129)
+* Implement annotation validation (#9673)
+* Golang 1.20.6 for test runner (#10230)
+* [helm] pass service annotations through helm tpl engine (#10084)
+* Ignore deployment template's replicas if KEDA is enabled (#9534)
+* chore: bump OpenResty to v1.21.4.2 (#10219)
+* Scanning port 10247 lead to tcp connection 502 error (#9815)
+* revise Datadog trace sampling configuration (#10151)
+* Clarify TCP/UDP service docs (#10146)
+* Exposed continent data as  variable in the case of Maxmind city files (#10157)
+* Cleanup errcheck code (#10166)
+* Fix golang-ci linter errors (#10128)
+* Deprecate and remove AJP support (#10158)
+* release notes 1.8.1 (#10161)
+
+### Dependency updates:
+
+* Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.12.0 (#10355)
+* Bump golang.org/x/crypto from 0.12.0 to 0.13.0 (#10399)
+* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10403)
+* Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 (#10402)
+* Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#10404)
+* Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#10400)
+* Bump google.golang.org/grpc from 1.57.0 to 1.58.0 (#10398)
+* Bump actions/dependency-review-action from 3.0.8 to 3.1.0 (#10401)
+* Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 (#10373)
+* Bump github.com/cyphar/filepath-securejoin in /magefiles (#10374)
+* Bump Go version to 1.21.1 (#10377)
+* Bump Go version to 1.21.1 on testrunner (#10378)
+* Bump aquasecurity/trivy-action from 0.11.2 to 0.12.0 (#10365)
+* Bump docker/setup-buildx-action from 2.9.1 to 2.10.0 (#10353)
+* Bump actions/checkout from 3.5.3 to 3.6.0 (#10354)
+* Bump actions/dependency-review-action from 3.0.6 to 3.0.8 (#10333)
+* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10313)
+* Bump securego/gosec from 2.16.0 to 2.17.0 (#10332)
+* Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (#10314)
+* Bump github.com/opencontainers/runc from 1.1.8 to 1.1.9 (#10298)
+* Bump k8s.io/component-base from 0.26.4 to 0.27.4 (Replace Topology Aware Hints with Topology Aware Routing) (#10282)
+* Bump google.golang.org/grpc from 1.56.2 to 1.57.0 (#10258)
+* Bump golang.org/x/crypto from 0.11.0 to 0.12.0 (#10280)
+* Bump github.com/opencontainers/runc from 1.1.7 to 1.1.8 (#10244)
+* Bump google.golang.org/grpc from 1.56.1 to 1.56.2 (#10193)
+* Bump docker/setup-buildx-action from 2.9.0 to 2.9.1 (#10207)
+* Bump golang.org/x/crypto from 0.10.0 to 0.11.0 (#10192)
+* Bump docker/setup-buildx-action from 2.8.0 to 2.9.0 (#10191)
+* Bump docker/setup-buildx-action from 2.7.0 to 2.8.0 (#10165)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-release-1.8...controller-controller-v1.9.0
--- a/changelog/controller-1.9.1.md
+++ b/changelog/controller-1.9.1.md
@ -0,0 +1,21 @@
+# Changelog
+
+### 1.9.1
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.1@sha256:605a737877de78969493a4b1213b21de4ee425d2926906857b98050f57a95b25
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.1@sha256:2ac744ef08850ee86ad7162451a6879f47c1a41c6a757f6b6f913c52103b8836
+
+### All changes:
+
+* upgrade owasp modsecurity core rule set to v3.3.5 (#10437)
+* Start v1.9.1 release (#10463)
+* Accept backend protocol on any case (#10461)
+* Chart: Rework network policies. (#10438)
+
+### Dependency updates:
+
+* Bump google.golang.org/grpc from 1.58.0 to 1.58.1 (#10436)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.0...controller-controller-v1.9.1
--- a/changelog/controller-1.9.3.md
+++ b/changelog/controller-1.9.3.md
@ -0,0 +1,29 @@
+# Changelog
+
+### 1.9.3
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.3@sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.3@sha256:df4931fd6859fbf1a71e785f02a44b2f9a16f010ae852c442e9bb779cbefdc86
+
+### All changes:
+
+* update nginx base, httpbun, e2e, helm webhook cert gen (#10506)
+* added warning for configuration-snippets usage (#10492)
+* Remove legacy GeoIP from controller (#10495)
+* add upstream patch for CVE-2023-44487 (#10494)
+* Revert "Remove curl from nginx base image (#10477)" (#10479)
+* update error and otel to have all the arch we support (#10476)
+* Remove curl from nginx base image (#10477)
+
+### Dependency updates:
+
+* Bump x/net (#10514)
+* Bump curl and Go version (#10503)
+* Bump google.golang.org/grpc from 1.58.2 to 1.58.3 (#10496)
+* Bump github.com/prometheus/client_model (#10486)
+* Bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#10487)
+* Bump golang.org/x/crypto from 0.13.0 to 0.14.0 (#10485)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.1...controller-controller-v1.9.3
--- a/changelog/controller-1.9.4.md
+++ b/changelog/controller-1.9.4.md
@ -0,0 +1,14 @@
+# Changelog
+
+### 1.9.4
+
+Images:
+
+* registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
+* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.4@sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26
+
+### All changes:
+
+* Cherry pick fcgi fix and release v1.9.4 (#10544)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.3...controller-controller-v1.9.4
--- a/Show more
+++ b/Show more
				`@ -0,0 +1 @@`
				`registry.k8s.io/ingress-nginx/nginx:v2.0.0@sha256:3e7bda4cf5111d283ed1e4ff5cc9a2b5cdc5ebe62d50ba67473d3e25b1389133`