diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index f6a4338b7c..749c04d8d0 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -34,7 +34,7 @@ jobs: fetch-depth: 0 - name: Fetch Cached Artifacts - uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 + uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 with: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }} @@ -46,7 +46,7 @@ jobs: if: github.event_name != 'pull_request' - name: Docker Buildx - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1 + uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 - name: DockerHub Login uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 @@ -134,6 +134,8 @@ jobs: push: ${{ github.event_name != 'pull_request' }} pull: true no-cache: ${{ github.event_name != 'pull_request' }} + sbom: ${{ github.event_name != 'pull_request' }} + provenance: false build-args: | BUILD_OS=${{ inputs.image }} IC_VERSION=${{ github.event_name == 'pull_request' && 'CI' || steps.meta.outputs.version }} @@ -148,7 +150,7 @@ jobs: ignore-unfixed: 'true' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5 + uses: github/codeql-action/upload-sarif@16964e90ba004cdf0cd845b866b5df21038b7723 # v2.2.6 continue-on-error: true with: sarif_file: 'trivy-results-${{ inputs.image }}.sarif' diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 78c1af77c0..0c761735c8 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml 
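Review bot: `provenance: false` switches the BuildKit provenance attestation off for every build of this step, while the new `sbom:` input is enabled for pushes only, so published images carry an SBOM attestation but no SLSA provenance tying that SBOM to this workflow run and source revision. If this is deliberate (for example a consumer that cannot yet read the attestation manifest, although `sbom:` already produces one for pushed images), record the reason next to the setting, e.g. `provenance: false # <consumer> cannot handle provenance attestations; re-enable when fixed`; otherwise `provenance: ${{ github.event_name != 'pull_request' }}` (or `mode=min`) alongside `sbom:` gives consumers the pairing they expect. The rest of the build-push step's `with:` block is outside the hunk.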
@@ -36,7 +36,7 @@ jobs: fetch-depth: 0 - name: Fetch Cached Artifacts - uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 + uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 with: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }} @@ -48,7 +48,7 @@ jobs: if: github.event_name != 'pull_request' - name: Docker Buildx - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1 + uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 - name: GCR Login uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 @@ -114,6 +114,8 @@ jobs: push: ${{ github.event_name != 'pull_request' }} pull: true no-cache: ${{ github.event_name != 'pull_request' }} + sbom: ${{ github.event_name != 'pull_request' }} + provenance: false build-args: | BUILD_OS=${{ inputs.image }} IC_VERSION=${{ startsWith(github.ref, 'refs/tags/') && steps.meta.outputs.version || 'CI' }} @@ -153,7 +155,7 @@ jobs: ignore-unfixed: 'true' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5 + uses: github/codeql-action/upload-sarif@16964e90ba004cdf0cd845b866b5df21038b7723 # v2.2.6 continue-on-error: true with: sarif_file: 'trivy-results-${{ inputs.image }}.sarif' diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 57ada493bb..4e384dd075 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -127,7 +127,7 @@ jobs: AZURE_BUCKET_NAME: ${{ secrets.AZURE_BUCKET_NAME }} - name: Store Artifacts in Cache - uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 + uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 with: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }} 
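Review bot: As in build-oss.yml, `provenance: false` here disables the BuildKit provenance attestation unconditionally while `sbom:` is produced for pushed images only, so the Plus images get an SBOM without the provenance that says which workflow run built them. If the worry is exposing build inputs of the Plus/NAP build (the Dockerfile on this page mounts `nginx-repo.crt`, `nginx-repo.key` and a RHEL licence as secrets), note that, as far as I know, `mode=min` provenance omits build arguments and environment and secret mounts are never recorded; a short comment on the line stating the actual reason would stop the next reader from re-enabling it blindly. The surrounding `with:` block of the build-push step continues outside the hunk.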
@@ -202,12 +202,12 @@ jobs: - name: Checkout Repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Fetch Cached Artifacts - uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 + uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 with: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }} - name: Docker Buildx - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1 + uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 - name: Build Docker Image ${{ matrix.image }} uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0 with: @@ -242,8 +242,7 @@ jobs: working-directory: ${{ github.workspace }}/deployments/helm-chart - name: Expose Test Ingresses run: | - kubectl port-forward service/${{ matrix.type }}-nginx-ingress 8080:80 & - kubectl port-forward service/${{ matrix.type }}-nginx-ingress 8443:443 & + kubectl port-forward service/${{ matrix.type }}-nginx-ingress-controller 8080:80 8443:443 & - name: Test HTTP run: | counter=0 @@ -298,7 +297,7 @@ jobs: - name: Checkout Repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Docker Buildx - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1 + uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 - name: Build Test-Runner Container uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0 with: @@ -342,9 +341,6 @@ jobs: runs-on: ubuntu-22.04 needs: helm-tests if: ${{ github.event_name == 'push' }} - permissions: - contents: read - packages: write steps: - name: Checkout Repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 
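Review bot: Dropping the job-level `permissions:` block (`contents: read`, `packages: write`) from the job starting around line 341 widens the GITHUB_TOKEN for that job to whatever the workflow-level `permissions:` or the repository default grants, unless a top-level `permissions:` exists in ci.yml outside this hunk; for a repository still on the legacy default that is write access to everything. If the block was removed because the job no longer pushes packages, the least-privilege move is to keep an explicit block with only what it still needs (`contents: read`, or `contents: write` if this is the job that later runs `git push` to the charts repository) rather than inheriting the default. The job's name and its steps after the checkout are outside the hunk, so I cannot confirm which scopes it actually uses.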
@@ -396,8 +392,8 @@ jobs: run: | mv ${{ steps.package.outputs.path }} ${{ github.workspace }}/helm-charts/${{ steps.package-helm.outputs.type }}/ cd ${{ github.workspace }}/helm-charts - helm repo index ${{ needs.package-helm.outputs.type }} --url https://helm.nginx.com/${{ needs.package-helm.outputs.type }} + helm repo index ${{ steps.package-helm.outputs.type }} --url https://helm.nginx.com/${{ steps.package-helm.outputs.type }} git add -A git -c user.name='NGINX Kubernetes Team' -c user.email='kubernetes@nginx.com' \ - commit -m "NGINX Ingress Controller - Release ${{ needs.package-helm.outputs.type }} ${{ needs.package-helm.outputs.version }}" + commit -m "NGINX Ingress Controller - Release ${{ steps.package-helm.outputs.type }} ${{ steps.package-helm.outputs.version }}" git push -u origin master diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 7fbe6135da..36557039b2 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -36,7 +36,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5 + uses: github/codeql-action/init@16964e90ba004cdf0cd845b866b5df21038b7723 # v2.2.6 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -47,7 +47,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5 + uses: github/codeql-action/autobuild@16964e90ba004cdf0cd845b866b5df21038b7723 # v2.2.6 # ℹ️ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl 
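Review bot: The `run:` script still interpolates step outputs straight into the shell (`mv ${{ steps.package.outputs.path }} …`, `helm repo index ${{ steps.package-helm.outputs.type }} …`, `commit -m "… ${{ steps.package-helm.outputs.version }}"`), so whatever can influence those outputs (presumably the chart's `Chart.yaml` and the packaging step, which are not visible here) is evaluated as shell in a job that pushes to `master` of the charts repository. GitHub's hardening guidance is to pass expressions through `env:` and quote them in the script, which also fixes word-splitting should a path or version ever contain a space. The step's `name:` and any existing `env:` keys are above the hunk.
```yaml
        env:
          CHART_PATH: ${{ steps.package.outputs.path }}
          CHART_TYPE: ${{ steps.package-helm.outputs.type }}
          CHART_VERSION: ${{ steps.package-helm.outputs.version }}
        run: |
          mv "${CHART_PATH}" "${GITHUB_WORKSPACE}/helm-charts/${CHART_TYPE}/"
          cd "${GITHUB_WORKSPACE}/helm-charts"
          helm repo index "${CHART_TYPE}" --url "https://helm.nginx.com/${CHART_TYPE}"
          git add -A
          git -c user.name='NGINX Kubernetes Team' -c user.email='kubernetes@nginx.com' \
            commit -m "NGINX Ingress Controller - Release ${CHART_TYPE} ${CHART_VERSION}"
          # … unchanged: git push …
```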
@@ -61,4 +61,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5 + uses: github/codeql-action/analyze@16964e90ba004cdf0cd845b866b5df21038b7723 # v2.2.6 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 59b764bfda..3a73e74ed7 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -53,6 +53,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5 + uses: github/codeql-action/upload-sarif@16964e90ba004cdf0cd845b866b5df21038b7723 # v2.2.6 with: sarif_file: results.sarif diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index 0c79f0a022..c66202680b 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml @@ -108,7 +108,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GOPATH: ${{ steps.go.outputs.go_path }} - name: Store Artifacts in Cache - uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 + uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 with: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }} @@ -136,7 +136,7 @@ jobs: ref: refs/tags/v${{ needs.variables.outputs.kic-tag }} if: ${{ matrix.needs-updating == 'true' }} - name: Fetch Cached Artifacts - uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 + uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 with: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 93f14ce3c2..c4bebece10 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -57,7 +57,7 @@ repos: hooks: - id: black - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.21.0 + rev: 0.22.0 hooks: - id: check-jsonschema name: "Check Helm Chart JSON Schema" diff --git a/README.md b/README.md index 03d361ade7..00f045bfa3 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,6 @@ Read [this doc](https://docs.nginx.com/nginx-ingress-controller/intro/nginx-plus 1. See additional configuration [examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). 1. Learn more about all available configuration and customization in the [docs](https://docs.nginx.com/nginx-ingress-controller/). - ## NGINX Ingress Controller Releases We publish Ingress Controller releases on GitHub. See our [releases page](https://github.com/nginxinc/kubernetes-ingress/releases). 
@@ -71,6 +70,23 @@ The table below summarizes the options regarding the images, manifests, helm cha | Latest stable release | For production use | Use the 3.0.2 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.0.2 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.0.2/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.0.2/deployments/helm-chart). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). | | Edge/Nightly | For testing and experimenting | Use the edge or nightly images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). 
| [Build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments/helm-chart). | [Documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content). [Examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). | +## SBOM (Software Bill of Materials) + +We generate SBOMs for the binaries and the Docker images. + +### Binaries + +The SBOMs for the binaries are available in the releases page. The SBOMs are generated using [syft](https://github.com/anchore/syft) and are available in SPDX format. + +### Docker Images + +The SBOMs for the Docker images are available in the [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) repositories. The SBOMs are generated using [syft](https://github.com/anchore/syft) and stored as an attestation in the image manifest. + +For example to retrieve the SBOM for `linux/amd64` from Docker Hub and analyze it using [grype](https://github.com/anchore/grype) you can run the following command: +``` +$ docker buildx imagetools inspect nginx/nginx-ingress:edge --format '{{ json (index .SBOM "linux/amd64").SPDX }}' | grype +``` + ## Contacts We’d like to hear your feedback! If you have any suggestions or experience issues with our Ingress Controller, please create an issue or send a pull request on GitHub. diff --git a/build/Dockerfile b/build/Dockerfile index 572289554a..be498b2e13 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -1,4 +1,4 @@ -# syntax=docker/dockerfile:1.4 +# syntax=docker/dockerfile:1.5 ARG BUILD_OS=debian ARG NGINX_PLUS_VERSION=R28 ARG DOWNLOAD_TAG=edge @@ -142,7 +142,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && microdnf clean all ############################################# Base image for UBI with NGINX Plus and App Protect WAF/DoS ############################################# -FROM redhat/ubi8:8.6 as ubi-plus-nap +FROM redhat/ubi8 as ubi-plus-nap ARG NGINX_PLUS_VERSION ARG NAP_MODULES @@ -150,7 +150,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ --mount=type=secret,id=rhel_license,dst=/tmp/rhel_license,mode=0644 \ source /tmp/rhel_license \ - ## the code below is duplicated from the ubi-plus image because NAP doesn't support UBI versions newer than 8.6 + ## the code below is duplicated from the ubi-plus image because NAP doesn't support UBI 9 and minimal versions dnf --nodocs install -y shadow-utils ca-certificates \ && groupadd --system --gid 101 nginx \ && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ @@ -159,6 +159,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && sed -i "0,/centos/s;;${NGINX_PLUS_VERSION}/centos;" /etc/yum.repos.d/nginx-plus.repo \ && dnf --nodocs install -y nginx-plus nginx-plus-module-njs \ ## end of duplicated code + && sed -i 's/\(def in_container():\)/\1\n return False/g' /usr/lib64/python*/*-packages/rhsm/config.py \ && subscription-manager register --org=${RHEL_ORGANIZATION} --activationkey=${RHEL_ACTIVATION_KEY} || true \ && subscription-manager attach \ && dnf config-manager --set-enabled codeready-builder-for-rhel-8-x86_64-rpms \ 
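Review bot: `FROM redhat/ubi8` with no tag or digest makes the `ubi-plus-nap` stage float to whatever the registry serves as `latest` at build time, so two builds of the same commit can get different base layers and the SBOM the workflows now attach describes a moving target. The new comment explains why UBI 9 and the minimal variants cannot be used, but not why the 8.x minor is left unpinned; if the intent is to pick up fixes newer than 8.6, pin the tag that was actually tested (`FROM redhat/ubi8:8.7`) or, better, a digest with a comment (`FROM redhat/ubi8@sha256:<digest> # ubi8 8.7`) so that dependency-update tooling has something concrete to bump and builds stay reproducible.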
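Review bot: The added `sed` rewrites `rhsm/config.py` so that `in_container()` always returns `False`, presumably so `subscription-manager register` stops treating the build as a container and looking for host entitlements; the patched file stays in the `ubi-plus-nap` layer unless something later in this `RUN` (which starts above the hunk and continues below it) restores it, and the `|| true` on the following `register` line means a failure of the workaround is silent. Please document the intent on the line, e.g. `## subscription-manager refuses to register inside a container (in_container() check); disable the check for the duration of this RUN`, and undo the edit after `subscription-manager unregister` — for example run the sed with `-i.orig` and move the backup back once the packages are installed — so the shipped image does not carry a modified rhsm module. Also consider dropping `|| true` or at least logging, since a registration failure now surfaces only as a later `dnf` error.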
@@ -173,8 +174,8 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode sed -i "0,/centos/s;;${NGINX_PLUS_VERSION}/centos;" /etc/yum.repos.d/app-protect-dos-8.repo; \ dnf --nodocs install -y app-protect-dos; \ fi \ - # fix for CVEs - && dnf --nodocs upgrade -y libcom_err libxml2 krb5-libs dbus expat systemd libtasn1 sqlite-libs libksba platform-python platform-python-setuptools python3-setuptools-wheel tar curl \ + # temp fix for CVE-2023-23916 + && dnf --nodocs upgrade -y curl \ && rm /etc/yum.repos.d/app-protect*.repo \ && subscription-manager unregister \ && dnf clean all && rm -rf /var/cache/dnf diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index 914ef7618e..c2022230cc 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -43,8 +43,8 @@ import ( var version string const ( - nginxVersionAnnotation = "app.nginx.org/version" - versionAnnotation = "app.kubernetes.io/version" + nginxVersionLabel = "app.nginx.org/version" + versionLabel = "app.kubernetes.io/version" ) func main() { 
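Review bot: The narrowed `dnf --nodocs upgrade -y curl` drops the explicit upgrades of libcom_err, libxml2, krb5-libs, dbus, expat, systemd and the rest; that is only safe if the base stage now carries fixed versions (presumably the reason the `redhat/ubi8:8.6` pin was removed earlier in this file), and the new comment `# temp fix for CVE-2023-23916` gives no removal condition. Suggest stating it so the line does not outlive its purpose: `# temp fix for CVE-2023-23916: remove once the redhat/ubi8 base ships a patched curl (the Trivy step in build-plus.yml will stop flagging it)`. If the base image is not pinned to a digest, a plain `dnf --nodocs upgrade -y` here would be the more robust way to guarantee the layer has no known-fixed CVEs at build time, at the cost of a larger layer. The `RUN` this belongs to starts above the hunk.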
@@ -762,21 +762,21 @@ func updateSelfWithVersionInfo(kubeClient *kubernetes.Clientset, version string, return } - // Copy pod and update the annotations. + // Copy pod and update the labels. newPod := pod.DeepCopy() - ann := newPod.ObjectMeta.Annotations - if ann == nil { - ann = make(map[string]string) + labels := newPod.ObjectMeta.Labels + if labels == nil { + labels = make(map[string]string) } - ann[nginxVersionAnnotation] = strings.Split(nginxVersion, "/")[1] - ann[versionAnnotation] = version - newPod.ObjectMeta.Annotations = ann + labels[nginxVersionLabel] = strings.TrimSuffix(strings.Split(nginxVersion, "/")[1], "\n") + labels[versionLabel] = strings.TrimPrefix(version, "v") + newPod.ObjectMeta.Labels = labels _, err = kubeClient.CoreV1().Pods(newPod.ObjectMeta.Namespace).Update(context.TODO(), newPod, meta_v1.UpdateOptions{}) if err != nil { - glog.Errorf("Error updating pod with annotations: %v", err) + glog.Errorf("Error updating pod with labels: %v", err) return } - glog.Infof("Pod annotation updated: %s", pod.ObjectMeta.Name) + glog.Infof("Pod label updated: %s", pod.ObjectMeta.Name) } diff --git a/deployments/daemon-set/nginx-ingress.yaml b/deployments/daemon-set/nginx-ingress.yaml index 58f988ac5d..31be3de079 100644 --- a/deployments/daemon-set/nginx-ingress.yaml +++ b/deployments/daemon-set/nginx-ingress.yaml @@ -20,6 +20,8 @@ spec: serviceAccountName: nginx-ingress automountServiceAccountToken: true securityContext: + seccompProfile: + type: RuntimeDefault sysctls: - name: "net.ipv4.ip_unprivileged_port_start" value: "0" diff --git a/deployments/daemon-set/nginx-plus-ingress.yaml b/deployments/daemon-set/nginx-plus-ingress.yaml index 3d2ee496d1..9b7f94ec02 100644 --- a/deployments/daemon-set/nginx-plus-ingress.yaml +++ b/deployments/daemon-set/nginx-plus-ingress.yaml 
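Review bot: Moving these values from annotations to labels subjects them to the label-value rules (at most 63 characters, alphanumerics plus `-`, `_`, `.`, starting and ending alphanumeric); `strings.Split(nginxVersion, "/")[1]` is only trimmed of a trailing newline, so if the version string can carry a build suffix with spaces or parentheses (e.g. an NGINX Plus build marker) the `Update` is rejected by the API server and the pod is left unlabeled with nothing but a logged error. Validate before writing, e.g. `if errs := validation.IsValidLabelValue(nginxVer); len(errs) > 0 { glog.Warningf("nginx version %q is not a valid label value: %v", nginxVer, errs); return }` using `k8s.io/apimachinery/pkg/util/validation`, or sanitise the value to the allowed charset. The pre-existing `[1]` index also panics if `nginxVersion` contains no `/`; a `len(parts) < 2` guard would be cheap. The function begins above the hunk.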
@@ -20,6 +20,8 @@ spec: serviceAccountName: nginx-ingress automountServiceAccountToken: true securityContext: + seccompProfile: + type: RuntimeDefault sysctls: - name: "net.ipv4.ip_unprivileged_port_start" value: "0" diff --git a/deployments/deployment/nginx-ingress.yaml b/deployments/deployment/nginx-ingress.yaml index 95faf6a256..1d1aeefaec 100644 --- a/deployments/deployment/nginx-ingress.yaml +++ b/deployments/deployment/nginx-ingress.yaml @@ -21,6 +21,8 @@ spec: serviceAccountName: nginx-ingress automountServiceAccountToken: true securityContext: + seccompProfile: + type: RuntimeDefault sysctls: - name: "net.ipv4.ip_unprivileged_port_start" value: "0" diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/deployments/deployment/nginx-plus-ingress.yaml index 3151d1ff8e..08f5bb6977 100644 --- a/deployments/deployment/nginx-plus-ingress.yaml +++ b/deployments/deployment/nginx-plus-ingress.yaml @@ -21,6 +21,8 @@ spec: serviceAccountName: nginx-ingress automountServiceAccountToken: true securityContext: + seccompProfile: + type: RuntimeDefault sysctls: - name: "net.ipv4.ip_unprivileged_port_start" value: "0" diff --git a/deployments/helm-chart/templates/_helpers.tpl b/deployments/helm-chart/templates/_helpers.tpl index fb83b9e8f1..24262f516c 100644 --- a/deployments/helm-chart/templates/_helpers.tpl +++ b/deployments/helm-chart/templates/_helpers.tpl 
@@ -4,18 +4,61 @@ Expand the name of the chart. */}} {{- define "nginx-ingress.name" -}} -{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "nginx-ingress.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create a default fully qualified controller name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.fullname" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* -Create labels +Create chart name and version as used by the chart label. +*/}} +{{- define "nginx-ingress.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels */}} {{- define "nginx-ingress.labels" -}} -app.kubernetes.io/name: {{ .Chart.Name }} -helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }} +helm.sh/chart: {{ include "nginx-ingress.chart" . }} +{{ include "nginx-ingress.selectorLabels" . 
}} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "nginx-ingress.selectorLabels" -}} +app.kubernetes.io/name: {{ include "nginx-ingress.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} +{{- end }} {{/* Expand the name of the configmap. @@ -24,7 +67,7 @@ Expand the name of the configmap. {{- if .Values.controller.customConfigMap -}} {{ .Values.controller.customConfigMap }} {{- else -}} -{{- default (include "nginx-ingress.name" .) .Values.controller.config.name -}} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.config.name -}} {{- end -}} {{- end -}} @@ -35,7 +78,7 @@ Expand leader election lock name. {{- if .Values.controller.reportIngressStatus.leaderElectionLockName -}} {{ .Values.controller.reportIngressStatus.leaderElectionLockName }} {{- else -}} -{{- printf "%s-%s" (include "nginx-ingress.name" .) "leader-election" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "leader-election" -}} {{- end -}} {{- end -}} 
@@ -43,42 +86,21 @@ Expand leader election lock name. Expand service account name. */}} {{- define "nginx-ingress.serviceAccountName" -}} -{{- default (include "nginx-ingress.name" .) .Values.controller.serviceAccount.name -}} -{{- end -}} - -{{/* -Expand service name. -*/}} -{{- define "nginx-ingress.serviceName" -}} -{{- default (include "nginx-ingress.name" .) .Values.controller.service.name }} -{{- end -}} - -{{/* -Expand serviceMonitor name. -*/}} -{{- define "nginx-ingress.serviceMonitorName" -}} -{{- default (include "nginx-ingress.name" .) .Values.controller.serviceMonitor.name }} +{{- default (include "nginx-ingress.fullname" .) .Values.controller.serviceAccount.name -}} {{- end -}} {{/* Expand default TLS name. */}} {{- define "nginx-ingress.defaultTLSName" -}} -{{- printf "%s-%s" (include "nginx-ingress.name" .) "default-server-tls" -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "default-server-tls" -}} {{- end -}} {{/* Expand wildcard TLS name. */}} {{- define "nginx-ingress.wildcardTLSName" -}} -{{- printf "%s-%s" (include "nginx-ingress.name" .) "wildcard-tls" -}} -{{- end -}} - -{{/* -Expand app name. -*/}} -{{- define "nginx-ingress.appName" -}} -{{- default (include "nginx-ingress.name" .) .Values.controller.name -}} +{{- printf "%s-%s" (include "nginx-ingress.fullname" .) "wildcard-tls" -}} {{- end -}} {{- define "nginx-ingress.tag" -}} diff --git a/deployments/helm-chart/templates/controller-daemonset.yaml b/deployments/helm-chart/templates/controller-daemonset.yaml index 64663d28ae..b3d4f01c86 100644 --- a/deployments/helm-chart/templates/controller-daemonset.yaml +++ b/deployments/helm-chart/templates/controller-daemonset.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: DaemonSet metadata: - name: {{ default (include "nginx-ingress.name" .) .Values.controller.name }} + name: {{ include "nginx-ingress.controller.fullname" . }} namespace: {{ .Release.Namespace }} labels: {{- include "nginx-ingress.labels" . | nindent 4 }} 
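Review bot: The `nginx-ingress.serviceName` and `nginx-ingress.serviceMonitorName` helpers are deleted without any replacement that consults `.Values.controller.service.name` or `.Values.controller.serviceMonitor.name`, so users who set those values will have them silently ignored unless values.yaml and the chart's JSON schema (checked by the pre-commit hook bumped on this page, but not shown) are updated in the same change. The ServiceAccount default also moves from `<release>-nginx-ingress` to the fullname form, so on upgrade the SA is recreated under a new name; the ClusterRoleBinding template is not on this page — confirm it uses `nginx-ingress.serviceAccountName` as well, otherwise the controller pod loses its RBAC grants after the upgrade. A short entry in NOTES.txt or the chart README listing the renamed resources would save operators a confusing rollout.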
@@ -12,14 +12,13 @@ metadata: spec: selector: matchLabels: - app: {{ include "nginx-ingress.appName" . }} + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} template: metadata: labels: - app: {{ include "nginx-ingress.appName" . }} - app.kubernetes.io/name: nginx-ingress + {{- include "nginx-ingress.selectorLabels" . | nindent 8 }} {{- if .Values.nginxServiceMesh.enable }} - nsm.nginx.com/daemonset: {{ default (include "nginx-ingress.name" .) .Values.controller.name }} + nsm.nginx.com/daemonset: {{ include "nginx-ingress.controller.fullname" . }} spiffe.io/spiffeid: "true" {{- end }} {{- if .Values.controller.pod.extraLabels }} @@ -44,6 +43,8 @@ spec: serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} automountServiceAccountToken: true securityContext: + seccompProfile: + type: RuntimeDefault sysctls: - name: "net.ipv4.ip_unprivileged_port_start" value: "0" @@ -196,7 +197,7 @@ spec: {{- else if .Values.controller.reportIngressStatus.externalService }} - -external-service={{ .Values.controller.reportIngressStatus.externalService }} {{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} - - -external-service={{ include "nginx-ingress.serviceName" . }} + - -external-service={{ include "nginx-ingress.controller.fullname" . }} {{- end }} {{- end }} - -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} diff --git a/deployments/helm-chart/templates/controller-deployment.yaml b/deployments/helm-chart/templates/controller-deployment.yaml index d0a65e127b..fb475483af 100644 --- a/deployments/helm-chart/templates/controller-deployment.yaml +++ b/deployments/helm-chart/templates/controller-deployment.yaml 
@@ -2,10 +2,9 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ default (include "nginx-ingress.name" .) .Values.controller.name }} + name: {{ include "nginx-ingress.controller.fullname" . }} namespace: {{ .Release.Namespace }} labels: - app.kubernetes.io/name: nginx-ingress {{- include "nginx-ingress.labels" . | nindent 4 }} {{- if .Values.controller.annotations }} annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} @@ -14,14 +13,13 @@ spec: replicas: {{ .Values.controller.replicaCount }} selector: matchLabels: - app: {{ include "nginx-ingress.appName" . }} + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} template: metadata: labels: - app: {{ include "nginx-ingress.appName" . }} - app.kubernetes.io/name: nginx-ingress + {{- include "nginx-ingress.selectorLabels" . | nindent 8 }} {{- if .Values.nginxServiceMesh.enable }} - nsm.nginx.com/deployment: {{ default (include "nginx-ingress.name" .) .Values.controller.name }} + nsm.nginx.com/deployment: {{ include "nginx-ingress.controller.fullname" . }} spiffe.io/spiffeid: "true" {{- end }} {{- if .Values.controller.pod.extraLabels }} @@ -77,6 +75,8 @@ spec: serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} automountServiceAccountToken: true securityContext: + seccompProfile: + type: RuntimeDefault sysctls: - name: "net.ipv4.ip_unprivileged_port_start" value: "0" @@ -96,9 +96,9 @@ spec: containerPort: 80 - name: https containerPort: 443 -{{ if .Values.controller.customPorts }} +{{- if .Values.controller.customPorts }} {{ toYaml .Values.controller.customPorts | indent 8 }} -{{ end }} +{{- end }} {{- if .Values.prometheus.create }} - name: prometheus containerPort: {{ .Values.prometheus.port }} 
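Review bot: Because `nginx-ingress.controller.fullname` changes the Deployment's name as well as its `matchLabels`, `helm upgrade` from an earlier chart will not update the existing Deployment in place but create a new one and delete the old; the Service in controller-service.yaml is renamed the same way, which for `type: LoadBalancer` means a fresh cloud load balancer and, typically, a new external IP. Had only `matchLabels` changed, the upgrade would instead have been rejected outright, since that field is immutable on apps/v1 Deployments and DaemonSets (the DaemonSet template receives the same change). Neither outcome is wrong, but it is a breaking change for operators and needs a migration note (NOTES.txt/CHANGELOG) and ideally a `fullnameOverride`-based recipe for keeping the old names; the leader-election lock name also derives from fullname, so old and new pods elect independently during the overlap and may both write ingress status.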
@@ -200,7 +200,7 @@ spec: {{- else if .Values.controller.reportIngressStatus.externalService }} - -external-service={{ .Values.controller.reportIngressStatus.externalService }} {{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} - - -external-service={{ include "nginx-ingress.serviceName" . }} + - -external-service={{ include "nginx-ingress.controller.fullname" . }} {{- end }} {{- end }} - -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} diff --git a/deployments/helm-chart/templates/controller-globalconfiguration.yaml b/deployments/helm-chart/templates/controller-globalconfiguration.yaml index b0bba48704..a9231b0979 100644 --- a/deployments/helm-chart/templates/controller-globalconfiguration.yaml +++ b/deployments/helm-chart/templates/controller-globalconfiguration.yaml @@ -2,7 +2,7 @@ apiVersion: k8s.nginx.org/v1alpha1 kind: GlobalConfiguration metadata: - name: {{ include "nginx-ingress.name" . }} + name: {{ include "nginx-ingress.fullname" . }} namespace: {{ .Release.Namespace }} labels: {{- include "nginx-ingress.labels" . | nindent 4 }} diff --git a/deployments/helm-chart/templates/controller-hpa.yaml b/deployments/helm-chart/templates/controller-hpa.yaml index 1d705f15d1..6bfe1d9d49 100644 --- a/deployments/helm-chart/templates/controller-hpa.yaml +++ b/deployments/helm-chart/templates/controller-hpa.yaml @@ -2,7 +2,7 @@ apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: - name: {{ include "nginx-ingress.serviceName" . }} + name: {{ include "nginx-ingress.controller.fullname" . }} namespace: {{ .Release.Namespace }} labels: {{- include "nginx-ingress.labels" . | nindent 4 }} 
@@ -14,7 +14,7 @@ spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment - name: {{ default (include "nginx-ingress.name" .) .Values.controller.name }} + name: {{ include "nginx-ingress.controller.fullname" . }} minReplicas: {{ .Values.controller.autoscaling.minReplicas }} maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} metrics: diff --git a/deployments/helm-chart/templates/controller-ingress-class.yaml b/deployments/helm-chart/templates/controller-ingress-class.yaml index bc071b47cf..c3fc202b2e 100644 --- a/deployments/helm-chart/templates/controller-ingress-class.yaml +++ b/deployments/helm-chart/templates/controller-ingress-class.yaml @@ -2,6 +2,8 @@ apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: name: {{ .Values.controller.ingressClass }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} {{- if .Values.controller.setAsDefaultIngress }} annotations: ingressclass.kubernetes.io/is-default-class: "true" diff --git a/deployments/helm-chart/templates/controller-pdb.yaml b/deployments/helm-chart/templates/controller-pdb.yaml index 67eade0783..1c3ddc8ae5 100644 --- a/deployments/helm-chart/templates/controller-pdb.yaml +++ b/deployments/helm-chart/templates/controller-pdb.yaml @@ -1,8 +1,8 @@ -{{- if .Values.controller.podDisruptionBudget -}} +{{- if .Values.controller.podDisruptionBudget.enabled -}} apiVersion: policy/v1 kind: PodDisruptionBudget metadata: - name: {{ include "nginx-ingress.serviceName" . }} + name: {{ include "nginx-ingress.controller.fullname" . }} namespace: {{ .Release.Namespace }} labels: {{- include "nginx-ingress.labels" . | nindent 4 }} @@ -13,7 +13,7 @@ metadata: spec: selector: matchLabels: - app: {{ include "nginx-ingress.appName" . }} + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} {{- if .Values.controller.podDisruptionBudget.minAvailable }} minAvailable: {{ .Values.controller.podDisruptionBudget.minAvailable }} {{- end }} 
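Review bot: `{{- if .Values.controller.podDisruptionBudget.enabled -}}` dereferences `podDisruptionBudget` unconditionally, so a values file that leaves `controller.podDisruptionBudget` unset — which the old `if .Values.controller.podDisruptionBudget` tolerated — now fails rendering with a nil-pointer evaluation error instead of skipping the object. None of the values.yaml hunks in this diff add a `podDisruptionBudget: enabled: false` default; either add one or guard the lookup with `{{- if and .Values.controller.podDisruptionBudget .Values.controller.podDisruptionBudget.enabled -}}` (`and` short-circuits in the Go versions current Helm is built with). The matching schema entry for `enabled` is not visible here either, so confirm it exists before relying on validation to catch a misspelled key.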
diff --git a/deployments/helm-chart/templates/controller-service.yaml b/deployments/helm-chart/templates/controller-service.yaml index 9a125cdd38..f3e4aecd3d 100644 --- a/deployments/helm-chart/templates/controller-service.yaml +++ b/deployments/helm-chart/templates/controller-service.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "nginx-ingress.serviceName" . }} + name: {{ include "nginx-ingress.controller.fullname" . }} namespace: {{ .Release.Namespace }} labels: {{- include "nginx-ingress.labels" . | nindent 4 }} @@ -61,7 +61,7 @@ spec: {{- end }} {{- end }} selector: - app: {{ include "nginx-ingress.appName" . }} + {{- include "nginx-ingress.selectorLabels" . | nindent 4 }} {{- if .Values.controller.service.externalIPs }} externalIPs: {{ toYaml .Values.controller.service.externalIPs | indent 4 }} diff --git a/deployments/helm-chart/templates/controller-serviceaccount.yaml b/deployments/helm-chart/templates/controller-serviceaccount.yaml index e1a3b51a06..0553a0e23a 100644 --- a/deployments/helm-chart/templates/controller-serviceaccount.yaml +++ b/deployments/helm-chart/templates/controller-serviceaccount.yaml @@ -2,10 +2,10 @@ apiVersion: v1 kind: ServiceAccount metadata: + name: {{ include "nginx-ingress.serviceAccountName" . }} {{- if .Values.controller.serviceAccount.annotations }} annotations: {{- toYaml .Values.controller.serviceAccount.annotations | nindent 4 }} {{- end }} - name: {{ include "nginx-ingress.serviceAccountName" . }} namespace: {{ .Release.Namespace }} labels: {{- include "nginx-ingress.labels" . | nindent 4 }} diff --git a/deployments/helm-chart/templates/controller-servicemonitor.yaml b/deployments/helm-chart/templates/controller-servicemonitor.yaml index 3638d56e09..a279af3382 100644 --- a/deployments/helm-chart/templates/controller-servicemonitor.yaml +++ b/deployments/helm-chart/templates/controller-servicemonitor.yaml 
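Review bot: Renaming the Service to `{{ include "nginx-ingress.controller.fullname" . }}` means `helm upgrade` on an existing release deletes the old Service and creates a new one; for `type: LoadBalancer` that releases the cloud load balancer and any dynamically assigned external IP or hostname, and DNS that points at it stays broken until updated. When `controller.service.loadBalancerIP` is unset this is a user-visible outage that deserves an explicit upgrade note, and it is the stronger argument for the Deployment rename note as well. Whether the rendered name actually changes for default values depends on the previous `nginx-ingress.serviceName` helper, which is not shown.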
@@ -2,14 +2,20 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: - name: {{ include "nginx-ingress.serviceMonitorName" . }} + name: {{ include "nginx-ingress.controller.fullname" . }} namespace: {{ .Release.Namespace }} labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} + {{- if .Values.controller.serviceMonitor.labels -}} {{- toYaml .Values.controller.serviceMonitor.labels | nindent 4 }} + {{- end }} spec: selector: matchLabels: - {{- toYaml .Values.controller.serviceMonitor.selectorMatchLabels | nindent 6 }} + {{- if .Values.controller.serviceMonitor.selectorMatchLabels -}} + {{- toYaml .Values.controller.serviceMonitor.selectorMatchLabels | nindent 6 }} + {{- end }} + {{- include "nginx-ingress.selectorLabels" . | nindent 6 }} endpoints: {{- toYaml .Values.controller.serviceMonitor.endpoints | nindent 4 }} {{- end }} diff --git a/deployments/helm-chart/templates/rbac.yaml b/deployments/helm-chart/templates/rbac.yaml index b69c54d7b6..1410642d9c 100644 --- a/deployments/helm-chart/templates/rbac.yaml +++ b/deployments/helm-chart/templates/rbac.yaml @@ -2,7 +2,7 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ include "nginx-ingress.name" . }} + name: {{ include "nginx-ingress.fullname" . }} labels: {{- include "nginx-ingress.labels" . | nindent 4 }} rules: @@ -192,7 +192,7 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ include "nginx-ingress.name" . }} + name: {{ include "nginx-ingress.fullname" . }} labels: {{- include "nginx-ingress.labels" . | nindent 4 }} subjects: @@ -201,6 +201,6 @@ subjects: namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole - name: {{ include "nginx-ingress.name" . }} + name: {{ include "nginx-ingress.fullname" . }} apiGroup: rbac.authorization.k8s.io {{- end }} diff --git a/deployments/helm-chart/values-icp.yaml b/deployments/helm-chart/values-icp.yaml index 9279563e8c..be491aefee 100644 
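Review bot: The new `matchLabels` block emits `selectorMatchLabels` and then `nginx-ingress.selectorLabels` one after the other, so any key present in both renders a duplicate YAML key; most parsers keep the last value silently and strict ones reject the manifest, and in either case the user's override is lost without a message. Merge the two maps before rendering — e.g. `{{- toYaml (merge (dict) .Values.controller.serviceMonitor.selectorMatchLabels (include "nginx-ingress.selectorLabels" . | fromYaml)) | nindent 6 }}` — or document that `selectorMatchLabels` must not repeat the chart's selector keys. Note this is also a behaviour change: the ServiceMonitor is now always narrowed to the chart's own Service, whereas before `selectorMatchLabels` alone decided what was scraped; the same duplicate-key concern applies to `labels` just above.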
--- a/deployments/helm-chart/values-icp.yaml +++ b/deployments/helm-chart/values-icp.yaml @@ -1,4 +1,5 @@ controller: + name: controller kind: daemonset nginxplus: true image: diff --git a/deployments/helm-chart/values-nsm.yaml b/deployments/helm-chart/values-nsm.yaml index 60e91a91e6..47d11e0571 100644 --- a/deployments/helm-chart/values-nsm.yaml +++ b/deployments/helm-chart/values-nsm.yaml @@ -1,4 +1,5 @@ controller: + name: controller enableLatencyMetrics: true nginxServiceMesh: enable: true diff --git a/deployments/helm-chart/values-plus.yaml b/deployments/helm-chart/values-plus.yaml index 9122bd0d27..6c74cee087 100644 --- a/deployments/helm-chart/values-plus.yaml +++ b/deployments/helm-chart/values-plus.yaml @@ -1,4 +1,5 @@ controller: + name: controller nginxplus: true image: repository: nginx-plus-ingress diff --git a/deployments/helm-chart/values.schema.json b/deployments/helm-chart/values.schema.json index 47123b797f..3a2bc3afdd 100644 --- a/deployments/helm-chart/values.schema.json +++ b/deployments/helm-chart/values.schema.json @@ -16,6 +16,7 @@ "default": {}, "title": "The Ingress Controller Helm Schema", "required": [ + "name", "kind", "image" ], @@ -25,7 +26,7 @@ "default": "", "title": "The name of the Ingress Controller", "examples": [ - "nginx-ingress" + "controller" ] }, "kind": { @@ -826,14 +827,6 @@ [] ] }, - "name": { - "type": "string", - "default": "", - "title": "The name", - "examples": [ - "" - ] - }, "allocateLoadBalancerNodePorts": { "type": "boolean", "default": false, @@ -1039,14 +1032,6 @@ false ] }, - "name": { - "type": "string", - "default": "", - "title": "The name", - "examples": [ - "" - ] - }, "labels": { "type": "object", "default": {}, @@ -1070,7 +1055,6 @@ "examples": [ { "create": false, - "name": "", "labels": {}, "selectorMatchLabels": {}, "endpoints": [] 
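Review bot: Dropping `service.name` and `serviceMonitor.name` from the schema (`@@ -826,14 +827,6 @@` and `@@ -1039,14 +1032,6 @@`) removes values users may already have set; depending on whether those objects declare `additionalProperties: false` (not visible in the hunk), an existing `controller.service.name` either fails validation on upgrade or is silently ignored, and in both cases the rendered resource names change. Record the removal as a breaking change in the chart notes and, if the schema is permissive, consider a `fail` in the template when the obsolete key is set so the switch is not silent. The `name` added to `required` keeps `"default": ""` while values.yaml now ships `name: controller`; aligning the schema default avoids two sources of truth.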
@@ -1357,7 +1341,6 @@ "loadBalancerIP": "", "externalIPs": [], "loadBalancerSourceRanges": [], - "name": "", "allocateLoadBalancerNodePorts": false, "ipFamilyPolicy": "", "ipFamilies": [], @@ -1379,7 +1362,6 @@ }, "serviceMonitor": { "create": false, - "name": "", "labels": {}, "selectorMatchLabels": {}, "endpoints": {} @@ -1658,7 +1640,6 @@ "loadBalancerIP": "", "externalIPs": [], "loadBalancerSourceRanges": [], - "name": "", "allocateLoadBalancerNodePorts": false, "ipFamilyPolicy": "", "ipFamilies": [], @@ -1688,7 +1669,6 @@ }, "serviceMonitor": { "create": false, - "name": "", "labels": {}, "selectorMatchLabels": {}, "endpoints": {} diff --git a/deployments/helm-chart/values.yaml b/deployments/helm-chart/values.yaml index 092bc088ba..908cbc1b8a 100644 --- a/deployments/helm-chart/values.yaml +++ b/deployments/helm-chart/values.yaml @@ -1,7 +1,6 @@ controller: ## The name of the Ingress Controller daemonset or deployment. - ## Autogenerated if not set or set to "". - # name: nginx-ingress + name: controller ## The kind of the Ingress Controller installation - deployment or daemonset. kind: deployment @@ -303,10 +302,6 @@ controller: ## The IP ranges (CIDR) that are allowed to access the load balancer. Requires controller.service.type set to LoadBalancer. The cloud provider must support this feature. loadBalancerSourceRanges: [] - ## The name of the service - ## Autogenerated if not set or set to "". - # name: nginx-ingress - ## Whether to automatically allocate NodePorts (only for LoadBalancers). # allocateLoadBalancerNodePorts: false @@ -364,11 +359,6 @@ controller: ## Creates a serviceMonitor to expose statistics on the kubernetes pods. create: false - ## The name of the serviceMonitor - ## Autogenerated if not set or set to "". - # name: nginx-ingress - - ## Kubernetes object labels to attach to the serviceMonitor object. labels: {} diff --git a/go.mod b/go.mod index a08e82dd29..f615c678f9 100644 --- a/go.mod +++ b/go.mod 
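Review bot: The comment above `name: controller` (`@@ -1,7 +1,6 @@`) still says only "The name of the Ingress Controller daemonset or deployment", but the "Autogenerated if not set" behaviour it used to describe is gone and the schema hunk makes the key required, so a reader no longer learns what an empty value does or how the value becomes a resource name. Replace it with something like `## Suffix used to build the name of the Ingress Controller deployment/daemonset and its service; required, see the nginx-ingress.controller.fullname helper.` — the exact composition is in the helper, which is outside this diff, so word it to match what that helper does.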
@@ -3,8 +3,8 @@ module github.com/nginxinc/kubernetes-ingress go 1.20 require ( - github.com/aws/aws-sdk-go-v2/config v1.18.15 - github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.14.5 + github.com/aws/aws-sdk-go-v2/config v1.18.17 + github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.14.6 github.com/cert-manager/cert-manager v1.11.0 github.com/go-chi/chi/v5 v5.0.8 github.com/golang-jwt/jwt/v4 v4.5.0 
@@ -29,16 +29,16 @@ require (
 require (
 github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e // indirect
 github.com/Microsoft/go-winio v0.6.0 // indirect
- github.com/aws/aws-sdk-go-v2 v1.17.5 // indirect
- github.com/aws/aws-sdk-go-v2/credentials v1.13.15 // indirect
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.23 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.29 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.23 // indirect
- github.com/aws/aws-sdk-go-v2/internal/ini v1.3.30 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.23 // indirect
- github.com/aws/aws-sdk-go-v2/service/sso v1.12.4 // indirect
- github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.4 // indirect
- github.com/aws/aws-sdk-go-v2/service/sts v1.18.5 // indirect
+ github.com/aws/aws-sdk-go-v2 v1.17.6 // indirect
+ github.com/aws/aws-sdk-go-v2/credentials v1.13.17 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.0 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.30 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.24 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.31 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.24 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.12.5 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.5 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sts v1.18.6 // indirect
 github.com/aws/smithy-go v1.13.5 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/blang/semver/v4 v4.0.0 // indirect
diff --git a/go.sum b/go.sum
index 34e6de24bf..c2c50733ac 100644
--- a/go.sum
+++ b/go.sum
@@ -47,30 +47,30 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
-github.com/aws/aws-sdk-go-v2 v1.17.5 h1:TzCUW1Nq4H8Xscph5M/skINUitxM5UBAyvm2s7XBzL4=
-github.com/aws/aws-sdk-go-v2 v1.17.5/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
-github.com/aws/aws-sdk-go-v2/config v1.18.15 h1:509yMO0pJUGUugBP2H9FOFyV+7Mz7sRR+snfDN5W4NY=
-github.com/aws/aws-sdk-go-v2/config v1.18.15/go.mod h1:vS0tddZqpE8cD9CyW0/kITHF5Bq2QasW9Y1DFHD//O0=
-github.com/aws/aws-sdk-go-v2/credentials v1.13.15 h1:0rZQIi6deJFjOEgHI9HI2eZcLPPEGQPictX66oRFLL8=
-github.com/aws/aws-sdk-go-v2/credentials v1.13.15/go.mod h1:vRMLMD3/rXU+o6j2MW5YefrGMBmdTvkLLGqFwMLBHQc=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.23 h1:Kbiv9PGnQfG/imNI4L/heyUXvzKmcWSBeDvkrQz5pFc=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.23/go.mod h1:mOtmAg65GT1HIL/HT/PynwPbS+UG0BgCZ6vhkPqnxWo=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.29 h1:9/aKwwus0TQxppPXFmf010DFrE+ssSbzroLVYINA+xE=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.29/go.mod h1:Dip3sIGv485+xerzVv24emnjX5Sg88utCL8fwGmCeWg=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.23 h1:b/Vn141DBuLVgXbhRWIrl9g+ww7G+ScV5SzniWR13jQ=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.23/go.mod h1:mr6c4cHC+S/MMkrjtSlG4QA36kOznDep+0fga5L/fGQ=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.3.30 h1:IVx9L7YFhpPq0tTnGo8u8TpluFu7nAn9X3sUDMb11c0=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.3.30/go.mod h1:vsbq62AOBwQ1LJ/GWKFxX8beUEYeRp/Agitrxee2/qM=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.23 h1:QoOybhwRfciWUBbZ0gp9S7XaDnCuSTeK/fySB99V1ls=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.23/go.mod h1:9uPh+Hrz2Vn6oMnQYiUi/zbh3ovbnQk19YKINkQny44=
-github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.14.5 h1:L5uD73sZtrTDxn/WTv0LEL00NHCDZmbMUItKHrSdHFs=
-github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.14.5/go.mod h1:Nlw/9tgFims+/X+xwFLy/EG6E+NYkZKFXDtLmKJNDA0=
-github.com/aws/aws-sdk-go-v2/service/sso v1.12.4 h1:qJdM48OOLl1FBSzI7ZrA1ZfLwOyCYqkXV5lko1hYDBw=
-github.com/aws/aws-sdk-go-v2/service/sso v1.12.4/go.mod h1:jtLIhd+V+lft6ktxpItycqHqiVXrPIRjWIsFIlzMriw=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.4 h1:YRkWXQveFb0tFC0TLktmmhGsOcCgLwvq88MC2al47AA=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.4/go.mod h1:zVwRrfdSmbRZWkUkWjOItY7SOalnFnq/Yg2LVPqDjwc=
-github.com/aws/aws-sdk-go-v2/service/sts v1.18.5 h1:L1600eLr0YvTT7gNh3Ni24yGI7NSHkq9Gp62vijPRCs=
-github.com/aws/aws-sdk-go-v2/service/sts v1.18.5/go.mod h1:1mKZHLLpDMHTNSYPJ7qrcnCQdHCWsNQaT0xRvq2u80s=
+github.com/aws/aws-sdk-go-v2 v1.17.6 h1:Y773UK7OBqhzi5VDXMi1zVGsoj+CVHs2eaC2bDsLwi0=
+github.com/aws/aws-sdk-go-v2 v1.17.6/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
+github.com/aws/aws-sdk-go-v2/config v1.18.17 h1:jwTkhULSrbr/SQA8tfdYqZxpG8YsRycmIXxJcbrqY5E=
+github.com/aws/aws-sdk-go-v2/config v1.18.17/go.mod h1:Lj3E7XcxJnxMa+AYo89YiL68s1cFJRGduChynYU67VA=
+github.com/aws/aws-sdk-go-v2/credentials v1.13.17 h1:IubQO/RNeIVKF5Jy77w/LfUvmmCxTnk2TP1UZZIMiF4=
+github.com/aws/aws-sdk-go-v2/credentials v1.13.17/go.mod h1:K9xeFo1g/YPMguMUD69YpwB4Nyi6W/5wn706xIInJFg=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.0 h1:/2Cb3SK3xVOQA7Xfr5nCWCo5H3UiNINtsVvVdk8sQqA=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.0/go.mod h1:neYVaeKr5eT7BzwULuG2YbLhzWZ22lpjKdCybR7AXrQ=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.30 h1:y+8n9AGDjikyXoMBTRaHHHSaFEB8267ykmvyPodJfys=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.30/go.mod h1:LUBAO3zNXQjoONBKn/kR1y0Q4cj/D02Ts0uHYjcCQLM=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.24 h1:r+Kv+SEJquhAZXaJ7G4u44cIwXV3f8K+N482NNAzJZA=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.24/go.mod h1:gAuCezX/gob6BSMbItsSlMb6WZGV7K2+fWOvk8xBSto=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.31 h1:hf+Vhp5WtTdcSdE+yEcUz8L73sAzN0R+0jQv+Z51/mI=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.31/go.mod h1:5zUjguZfG5qjhG9/wqmuyHRyUftl2B5Cp6NNxNC6kRA=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.24 h1:c5qGfdbCHav6viBwiyDns3OXqhqAbGjfIB4uVu2ayhk=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.24/go.mod h1:HMA4FZG6fyib+NDo5bpIxX1EhYjrAOveZJY2YR0xrNE=
+github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.14.6 h1:3yAJmDgUzVGGp5PkHA/HGFquEJRK0uEaep22XZj4UJg=
+github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.14.6/go.mod h1:kFXyTQKLc5KyBUhJ0kUckwncHElnSEbXbBeGpNJUMEY=
+github.com/aws/aws-sdk-go-v2/service/sso v1.12.5 h1:bdKIX6SVF3nc3xJFw6Nf0igzS6Ff/louGq8Z6VP/3Hs=
+github.com/aws/aws-sdk-go-v2/service/sso v1.12.5/go.mod h1:vuWiaDB30M/QTC+lI3Wj6S/zb7tpUK2MSYgy3Guh2L0=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.5 h1:xLPZMyuZ4GuqRCIec/zWuIhRFPXh2UOJdLXBSi64ZWQ=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.5/go.mod h1:QjxpHmCwAg0ESGtPQnLIVp7SedTOBMYy+Slr3IfMKeI=
+github.com/aws/aws-sdk-go-v2/service/sts v1.18.6 h1:rIFn5J3yDoeuKCE9sESXqM5POTAhOP1du3bv/qTL+tE=
+github.com/aws/aws-sdk-go-v2/service/sts v1.18.6/go.mod h1:48WJ9l3dwP0GSHWGc5sFGGlCkuA82Mc2xnw+T6Q8aDw=
 github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8=
 github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
diff --git a/internal/externaldns/sync.go b/internal/externaldns/sync.go
index cc607cb661..96d2273c24 100644
--- a/internal/externaldns/sync.go
+++ b/internal/externaldns/sync.go
@@ -44,7 +44,7 @@ func SyncFnFor(rec record.EventRecorder, client clientset.Interface, ig map[stri } if vs.Status.ExternalEndpoints == nil { - // It can take time for the external endpoints to sync + // It can take time for the external endpoints to sync - kick it back to the queue glog.V(3).Info("Failed to determine external endpoints - retrying") return fmt.Errorf("failed to determine external endpoints") } @@ -60,7 +60,7 @@ func SyncFnFor(rec record.EventRecorder, client clientset.Interface, ig map[stri newDNSEndpoint, updateDNSEndpoint, err := buildDNSEndpoint(nsi.extdnslister, vs, targets, recordType) if err != nil { - glog.Errorf("error message here %s", err) + glog.Errorf("incorrect DNSEndpoint config for VirtualServer resource: %s", err) rec.Eventf(vs, corev1.EventTypeWarning, reasonBadConfig, "Incorrect DNSEndpoint config for VirtualServer resource: %s", err) return err } @@ -72,6 +72,11 @@ func SyncFnFor(rec record.EventRecorder, client clientset.Interface, ig map[stri glog.V(3).Infof("Creating DNSEndpoint for VirtualServer resource: %v", vs.Name) dep, err = client.ExternaldnsV1().DNSEndpoints(newDNSEndpoint.Namespace).Create(ctx, newDNSEndpoint, metav1.CreateOptions{}) if err != nil { + if apierrors.IsAlreadyExists(err) { + // Another replica likely created the DNSEndpoint since we last checked - kick it back to the queue + glog.V(3).Info("DNSEndpoint has been created since we last checked - retrying") + return fmt.Errorf("DNSEndpoint has already been created") + } glog.Errorf("Error creating DNSEndpoint for VirtualServer resource: %v", err) rec.Eventf(vs, corev1.EventTypeWarning, reasonBadConfig, "Error creating DNSEndpoint for VirtualServer resource %s", err) return err 
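Review bot: The new `IsAlreadyExists` branch (`@@ -72,6 +72,11 @@`) returns a fresh `fmt.Errorf` with a constant message and discards the API error, so whatever requeues on the returned error can no longer inspect the status reason; `return fmt.Errorf("DNSEndpoint already exists, requeueing: %w", err)` keeps the cause and reads as a deliberate retry rather than a failure. The branch also relies on an `apierrors` identifier whose import is in no hunk shown here — confirm `k8s.io/apimachinery/pkg/api/errors` is already imported under that alias. The retry path itself looks sound: the next pass will find the object, and `buildDNSEndpoint` (`@@ -175,7 +180,7 @@`) refuses to update one that has no controller owner, though note that check does not verify the owner is this controller. SyncFnFor's body continues outside the hunk.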
@@ -175,7 +180,7 @@ func buildDNSEndpoint(extdnsLister extdnslisters.DNSEndpointLister, vs *vsapi.Vi vs = vs.DeepCopy() if existingDNSEndpoint != nil { - glog.V(3).Infof("DNDEndpoint already exist for this object, ensuring it is up to date") + glog.V(3).Infof("DNSEndpoint already exists for this object, ensuring it is up to date") if metav1.GetControllerOf(existingDNSEndpoint) == nil { glog.V(3).Infof("DNSEndpoint has no owner. refusing to update non-owned resource") return nil, nil, nil diff --git a/perf-tests/requirements.txt b/perf-tests/requirements.txt index f760fff4bb..17f2d8e05c 100644 --- a/perf-tests/requirements.txt +++ b/perf-tests/requirements.txt @@ -7,4 +7,4 @@ pytest-html==3.2.0 pytest-repeat==0.9.1 PyYAML==6.0 requests==2.28.2 -urllib3==1.26.14 +urllib3==1.26.15 diff --git a/tests/docker/Dockerfile b/tests/docker/Dockerfile index 96ad0ee538..7cbf6352a3 100644 --- a/tests/docker/Dockerfile +++ b/tests/docker/Dockerfile @@ -1,6 +1,6 @@ -# syntax=docker/dockerfile:1.4 +# syntax=docker/dockerfile:1.5 # this is here so we can grab the latest version of kind and have dependabot keep it up to date -FROM kindest/node:v1.26.0 +FROM kindest/node:v1.26.2 FROM python:3.11 diff --git a/tests/requirements.txt b/tests/requirements.txt index 59328ce1d2..9f33780916 100644 --- a/tests/requirements.txt +++ b/tests/requirements.txt @@ -505,9 +505,9 @@ six==1.16.0 \ # kubernetes # pytest-profiling # python-dateutil -urllib3==1.26.14 \ - --hash=sha256:076907bf8fd355cde77728471316625a4d2f7e713c125f51953bb5b3eecf4f72 \ - --hash=sha256:75edcdc2f7d85b137124a6c3c9fc3933cdeaa12ecb9a6a959f22797a0feca7e1 +urllib3==1.26.15 \ + --hash=sha256:8a388717b9476f934a21484e8c8e61875ab60644d29b9b39e11e4b9dc1c6b305 \ + --hash=sha256:aa751d169e23c7479ce47a0cb0da579e3ede798f994f5816a74e4f4500dcea42 # via # -r requirements.txt # kubernetes diff --git a/tests/suite/test_virtual_server_externaldns.py b/tests/suite/test_virtual_server_externaldns.py index dc1382d502..86b27e6685 100644 
--- a/tests/suite/test_virtual_server_externaldns.py +++ b/tests/suite/test_virtual_server_externaldns.py @@ -1,7 +1,7 @@ import pytest from settings import TEST_DATA -from suite.utils.custom_assertions import assert_event -from suite.utils.custom_resources_utils import is_dnsendpoint_present +from suite.utils.custom_assertions import assert_event, assert_event_not_present +from suite.utils.custom_resources_utils import is_dnsendpoint_present, read_custom_resource from suite.utils.resources_utils import get_events, patch_namespace_with_label, wait_before_test from suite.utils.vs_vsr_resources_utils import patch_virtual_server_from_yaml from suite.utils.yaml_utils import get_name_from_yaml, get_namespace_from_yaml @@ -48,6 +48,21 @@ def test_responses_after_setup( wait_before_test(1) print(f"External DNS not updated, retrying... #{retry}") assert wanted_string in log_contents + print("\nStep 3: Verify VS status is Valid and no bad config events occurred") + events = get_events(kube_apis.v1, virtual_server_setup.namespace) + vs_bad_config_event = "Error creating DNSEndpoint for VirtualServer resource" + assert_event_not_present(vs_bad_config_event, events) + response = read_custom_resource( + kube_apis.custom_objects, + virtual_server_setup.namespace, + "virtualservers", + virtual_server_setup.vs_name, + ) + assert ( + response["status"] + and response["status"]["reason"] == "AddedOrUpdated" + and response["status"]["state"] == "Valid" + ) def test_update_to_ed_in_vs( self, kube_apis, crd_ingress_controller_with_ed, create_externaldns, virtual_server_setup 
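Review bot: The status check appended to `test_responses_after_setup` is a single compound `assert`, so a failure reports only the expression without saying whether `status` was missing, the reason differed, or the state was not Valid; it also indexes `response["status"]`, which raises KeyError instead of failing the assertion when the VS has not been reconciled yet. The identical block is pasted into `test_update_to_ed_in_vs` (`@@ -65,6 +80,18 @@`) and the second `test_responses_after_setup` (`@@ -122,3 +149,18 @@`); a helper in custom_assertions taking the custom-objects client, namespace and VS name would remove the triplication and give each check a message. The enclosing test method starts outside the hunk.
```python
            # … unchanged: Step 3 event check and read_custom_resource call …
            status = response.get("status")
            assert status, "VirtualServer has no status yet"
            assert status["reason"] == "AddedOrUpdated", status
            assert status["state"] == "Valid", status
```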
@@ -65,6 +80,18 @@ def test_update_to_ed_in_vs( wait_before_test(5) events = get_events(kube_apis.v1, virtual_server_setup.namespace) assert_event(vs_event_update_text, events) + print("\nStep 3: Verify VS status is Valid") + response = read_custom_resource( + kube_apis.custom_objects, + virtual_server_setup.namespace, + "virtualservers", + virtual_server_setup.vs_name, + ) + assert ( + response["status"] + and response["status"]["reason"] == "AddedOrUpdated" + and response["status"]["state"] == "Valid" + ) @pytest.mark.vs @@ -122,3 +149,18 @@ def test_responses_after_setup( wait_before_test(1) print(f"External DNS not updated, retrying... #{retry}") assert wanted_string in log_contents + print("\nStep 3: Verify VS status is Valid and no bad config events occurred") + events = get_events(kube_apis.v1, virtual_server_setup.namespace) + vs_bad_config_event = "Error creating DNSEndpoint for VirtualServer resource" + assert_event_not_present(vs_bad_config_event, events) + response = read_custom_resource( + kube_apis.custom_objects, + virtual_server_setup.namespace, + "virtualservers", + virtual_server_setup.vs_name, + ) + assert ( + response["status"] + and response["status"]["reason"] == "AddedOrUpdated" + and response["status"]["state"] == "Valid" + ) diff --git a/tests/suite/utils/custom_assertions.py b/tests/suite/utils/custom_assertions.py index d8f97e6826..340c024114 100644 --- a/tests/suite/utils/custom_assertions.py +++ b/tests/suite/utils/custom_assertions.py 
@@ -143,6 +143,19 @@ def assert_event(event_text, events_list) -> None: pytest.fail(f'Failed to find the event "{event_text}" in the list. Exiting...') +def assert_event_not_present(event_text, events_list) -> None: + """ + Search for the event in the list. + + :param event_text: event text + :param events_list: list of events + :return: + """ + for i in range(len(events_list) - 1, -1, -1): + if event_text in events_list[i].message: + pytest.fail(f'Event "{event_text}" exists in the list. Exiting...') + + def assert_event_starts_with_text_and_contains_errors(event_text, events_list, fields_list) -> None: """ Search for the event starting with the expected text in the list and check its message.
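Review bot: The docstring of `assert_event_not_present` is copied from `assert_event` ("Search for the event in the list") and never says the function fails when the event *is* found, which is the opposite contract; replace it with `Fail the test if any event in events_list contains event_text.` and drop the empty `:return:` line. The reverse-index loop is also unnecessary because the outcome does not depend on order — `for event in events_list: if event_text in event.message: pytest.fail(...)` says the same thing without the arithmetic. Since this is a substring match, callers should pass text specific enough not to appear inside an unrelated benign event.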