From 7fbb01087157146c64009d7d6249ac59b8f43fbd Mon Sep 17 00:00:00 2001 
From: 9bany Date: Wed, 26 Jul 2023 17:07:08 +0700 Subject: [PATCH 1/3] feature: unable to use CRDs imported as modules --- .github/ISSUE_TEMPLATE/bug_report.md | 10 +- .github/PULL_REQUEST_TEMPLATE.md | 5 +- .github/dependabot.yml | 4 +- .github/labeler.yml | 28 +- .github/labels.yml | 75 - .github/workflows/build-oss.yml | 57 +- .github/workflows/build-plus.yml | 102 +- .github/workflows/ci.yml | 229 ++- .github/workflows/codeql-analysis.yml | 69 +- .github/workflows/dependency-review.yml | 28 + .github/workflows/dockerhub-description.yml | 6 +- .github/workflows/draft-release.yaml | 32 - .github/workflows/fossa.yml | 12 +- .github/workflows/issues.yaml | 12 +- .github/workflows/labeler.yml | 12 +- .github/workflows/lint.yml | 44 +- .github/workflows/notifications.yml | 6 + .github/workflows/release.yml | 57 - .github/workflows/scorecards.yml | 11 +- .github/workflows/stale.yml | 24 +- .github/workflows/sync.yml | 34 - .github/workflows/update-docker-images.yml | 46 +- .github/workflows/updates-notification.yml | 12 +- .goreleaser.yml | 24 +- .markdownlint-cli2.yaml | 19 + .pre-commit-config.yaml | 22 +- CHANGELOG.md | 1830 +++++++++++------ CODE_OF_CONDUCT.md | 22 +- CONTRIBUTING.md | 76 +- ISSUE_LIFECYCLE.md | 46 +- Makefile | 61 +- README.md | 149 +- SECURITY.md | 17 +- build/Dockerfile | 67 +- build/README.md | 2 +- cmd/nginx-ingress/main.go | 24 +- deployments/README.md | 3 +- ...otectdos.f5.com_dosprotectedresources.yaml | 2 +- .../externaldns.nginx.org_dnsendpoints.yaml | 2 +- .../k8s.nginx.org_globalconfigurations.yaml | 2 +- .../common/crds/k8s.nginx.org_policies.yaml | 2 +- .../crds/k8s.nginx.org_transportservers.yaml | 2 +- .../k8s.nginx.org_virtualserverroutes.yaml | 4 +- .../crds/k8s.nginx.org_virtualservers.yaml | 4 +- deployments/daemon-set/nginx-ingress.yaml | 6 +- .../daemon-set/nginx-plus-ingress.yaml | 6 +- deployments/deployment/nginx-ingress.yaml | 5 +- .../deployment/nginx-plus-ingress.yaml | 5 +- deployments/helm-chart/Chart.yaml | 8 +- 
deployments/helm-chart/README.md | 134 +- ...otectdos.f5.com_dosprotectedresources.yaml | 2 +- .../externaldns.nginx.org_dnsendpoints.yaml | 2 +- .../k8s.nginx.org_globalconfigurations.yaml | 2 +- .../crds/k8s.nginx.org_policies.yaml | 2 +- .../crds/k8s.nginx.org_transportservers.yaml | 2 +- .../k8s.nginx.org_virtualserverroutes.yaml | 4 +- .../crds/k8s.nginx.org_virtualservers.yaml | 4 +- deployments/helm-chart/templates/_helpers.tpl | 14 +- .../templates/controller-daemonset.yaml | 9 +- .../templates/controller-deployment.yaml | 9 +- .../helm-chart/templates/controller-hpa.yaml | 2 +- .../templates/controller-service.yaml | 4 +- deployments/helm-chart/values-icp.yaml | 2 +- deployments/helm-chart/values-plus.yaml | 2 +- deployments/helm-chart/values.yaml | 10 +- docs/README.md | 15 +- docs/config/_default/config.toml | 1 - docs/content/app-protect-dos/configuration.md | 10 +- docs/content/app-protect-dos/dos-protected.md | 27 +- docs/content/app-protect-dos/installation.md | 23 +- docs/content/app-protect-waf/configuration.md | 161 +- docs/content/app-protect-waf/installation.md | 18 +- .../configuration/configuration-examples.md | 5 +- .../command-line-arguments.md | 55 +- .../configmap-resource.md | 21 +- .../global-configuration/custom-templates.md | 2 +- .../globalconfiguration-resource.md | 22 +- .../reporting-resources-status.md | 12 +- .../handling-host-and-listener-collisions.md | 36 +- ...advanced-configuration-with-annotations.md | 53 +- .../advanced-configuration-with-snippets.md | 15 +- .../ingress-resources/basic-configuration.md | 43 +- .../cross-namespace-configuration.md | 4 +- .../ingress-resources/custom-annotations.md | 39 +- docs/content/configuration/policy-resource.md | 131 +- docs/content/configuration/security.md | 22 +- .../configuration/transportserver-resource.md | 85 +- ...server-and-virtualserverroute-resources.md | 144 +- docs/content/f5-ingresslink.md | 17 +- .../building-ingress-controller-image.md | 120 +- 
.../installation/installation-with-helm.md | 70 +- .../installation-with-manifests.md | 357 ++-- .../installation-with-operator.md | 29 +- .../pulling-ingress-controller-image.md | 72 +- .../running-multiple-ingress-controllers.md | 29 +- .../using-aws-marketplace-image.md | 8 +- .../using-gcp-marketplace-package.md | 9 +- .../using-the-jwt-token-docker-secret.md | 46 +- .../how-nginx-ingress-controller-works.md | 122 +- .../intro/nginx-ingress-controllers.md | 4 +- docs/content/intro/nginx-plus.md | 10 +- docs/content/intro/overview.md | 9 +- .../content/logging-and-monitoring/logging.md | 12 +- .../logging-and-monitoring/prometheus.md | 50 +- .../logging-and-monitoring/service-insight.md | 14 +- .../logging-and-monitoring/status-page.md | 18 +- docs/content/releases.md | 1607 +++++++++------ docs/content/technical-specifications.md | 59 +- .../third-party-modules/opentracing.md | 13 +- docs/content/troubleshooting/_index.md | 2 +- .../troubleshooting/troubleshoot-common.md | 203 ++ .../troubleshoot-configmap-policy.md | 44 + .../troubleshoot-ingress-controller.md | 148 -- .../troubleshooting/troubleshoot-ingress.md | 24 + .../troubleshoot-transportserver.md | 9 + .../troubleshoot-virtualserver.md | 34 + ....md => troubleshooting-app-protect-dos.md} | 68 +- ....md => troubleshooting-app-protect-waf.md} | 69 +- docs/content/tutorials/_index.md | 2 +- docs/content/tutorials/custom-listen-ports.md | 160 ++ docs/content/tutorials/nginx-ingress-istio.md | 35 +- .../tutorials/nginx-ingress-linkerd.md | 183 ++ docs/content/tutorials/nginx-ingress-osm.md | 48 +- .../tutorials/oidc-custom-configuration.md | 209 ++ docs/content/usage-reporting.md | 230 +++ docs/go.mod | 2 +- docs/go.sum | 2 + .../custom-resources/access-control/README.md | 57 +- .../advanced-routing/README.md | 74 +- .../app-protect-dos/README.md | 77 +- .../app-protect-dos/syslog.yaml | 2 +- .../app-protect-dos/syslog2.yaml | 2 +- .../app-protect-waf/README.md | 79 +- .../app-protect-waf/syslog.yaml | 2 +- 
.../custom-resources/basic-auth/README.md | 59 +- .../basic-configuration/README.md | 62 +- .../custom-resources/basic-tcp-udp/README.md | 91 +- .../custom-resources/certmanager/README.md | 59 +- .../cross-namespace-configuration/README.md | 108 +- .../custom-templates/README.md | 5 +- .../custom-resources/egress-mtls/README.md | 49 +- .../custom-resources/external-dns/README.md | 39 +- .../externalname-services/README.md | 21 +- .../transport-server/README.md | 65 +- .../custom-resources/grpc-upstreams/README.md | 13 +- .../custom-resources/health-checks/README.md | 15 +- .../custom-resources/ingress-mtls/README.md | 64 +- examples/custom-resources/jwks/README.md | 165 +- examples/custom-resources/jwt/README.md | 69 +- examples/custom-resources/oidc/README.md | 103 +- .../custom-resources/oidc/keycloak_setup.md | 32 +- .../custom-resources/rate-limit/README.md | 51 +- examples/custom-resources/rewrites/README.md | 36 +- .../service-insight/README.md | 102 +- .../session-persistence/README.md | 26 +- .../tls-passthrough/README.md | 67 +- .../traffic-splitting/README.md | 57 +- .../app-protect-dos/README.md | 89 +- .../app-protect-dos/syslog.yaml | 2 +- .../app-protect-dos/syslog2.yaml | 2 +- .../app-protect-waf/README.md | 93 +- .../app-protect-waf/syslog.yaml | 2 +- .../ingress-resources/basic-auth/README.md | 69 +- .../complete-example/README.md | 55 +- .../custom-annotations/README.md | 71 +- .../custom-templates/README.md | 5 +- .../ingress-resources/customization/README.md | 5 +- .../ingress-resources/daemon-set/README.md | 6 +- .../externalname-services/README.md | 21 +- .../ingress-resources/grpc-services/README.md | 16 +- .../ingress-resources/health-checks/README.md | 28 +- examples/ingress-resources/jwt/README.md | 39 +- .../mergeable-ingress-types/README.md | 248 ++- examples/ingress-resources/rewrites/README.md | 25 +- .../session-persistence/README.md | 41 +- .../ingress-resources/ssl-services/README.md | 11 +- 
examples/ingress-resources/tcp-udp/README.md | 128 +- .../ingress-resources/websocket/README.md | 12 +- .../custom-log-format/README.md | 8 +- .../custom-templates/README.md | 40 +- .../shared-examples/proxy-protocol/README.md | 27 +- examples/shared-examples/rbac/README.md | 4 +- .../usage-reporting/cluster-connector.yaml | 130 ++ .../wildcard-tls-certificate/README.md | 16 +- go.mod | 125 +- go.sum | 349 ++-- grafana/README.md | 72 +- hack/common-release-prep.sh | 2 +- hack/docker.sh | 4 +- hack/minor-changelog-template.txt | 2 +- internal/certmanager/cm_controller.go | 8 +- internal/certmanager/cm_controller_test.go | 6 +- internal/certmanager/helper.go | 2 +- internal/certmanager/helper_test.go | 2 +- internal/certmanager/sync.go | 2 +- internal/certmanager/sync_test.go | 4 +- internal/certmanager/test_files/context.go | 56 + .../certmanager/test_files/context_builder.go | 57 +- internal/configs/config_params.go | 2 +- internal/configs/configmaps.go | 2 +- internal/configs/configurator.go | 16 +- internal/configs/configurator_test.go | 10 +- internal/configs/dos_test.go | 2 +- internal/configs/ingress.go | 6 +- internal/configs/ingress_test.go | 4 +- internal/configs/oidc/openid_connect.js | 140 +- internal/configs/transportserver.go | 6 +- internal/configs/transportserver_test.go | 6 +- .../configs/version1/nginx-plus.ingress.tmpl | 1 + internal/configs/version1/nginx-plus.tmpl | 1 + internal/configs/version2/http.go | 1 + .../version2/nginx-plus.virtualserver.tmpl | 3 +- internal/configs/version2/template_helper.go | 10 + internal/configs/version2/templates_test.go | 368 ++++ internal/configs/virtualserver.go | 9 +- internal/configs/virtualserver_test.go | 23 +- internal/externaldns/controller.go | 12 +- internal/externaldns/handlers.go | 4 +- internal/externaldns/sync.go | 8 +- internal/externaldns/sync_test.go | 6 +- internal/healthcheck/healthcheck.go | 2 +- internal/healthcheck/healthcheck_test.go | 2 +- .../appprotect/app_protect_configuration.go | 4 +- 
.../app_protect_dos_configuration.go | 8 +- .../app_protect_dos_configuration_test.go | 4 +- internal/k8s/configuration.go | 8 +- internal/k8s/configuration_test.go | 16 +- internal/k8s/controller.go | 162 +- internal/k8s/controller_test.go | 159 +- internal/k8s/handlers.go | 8 +- internal/k8s/handlers_test.go | 2 + internal/k8s/reference_checkers.go | 6 +- internal/k8s/reference_checkers_test.go | 34 +- internal/k8s/status.go | 6 +- internal/k8s/status_test.go | 17 +- internal/k8s/task_queue.go | 10 +- internal/k8s/validation.go | 213 +- internal/k8s/validation_test.go | 6 + internal/metrics/collectors/latency_test.go | 8 +- internal/metrics/listener.go | 142 +- internal/metrics/syslog_listener.go | 2 +- internal/nginx/manager.go | 2 +- perf-tests/README.md | 37 +- perf-tests/conftest.py | 29 +- perf-tests/requirements.txt | 10 - perf-tests/suite/test_ap_reload_perf.py | 7 +- pkg/apis/configuration/v1/register.go | 2 +- pkg/apis/configuration/v1/types.go | 1 + pkg/apis/configuration/v1alpha1/register.go | 2 +- pkg/apis/configuration/validation/common.go | 5 +- .../validation/globalconfiguration.go | 2 +- .../validation/globalconfiguration_test.go | 2 +- pkg/apis/configuration/validation/policy.go | 88 +- .../configuration/validation/policy_test.go | 219 +- .../validation/transportserver.go | 2 +- .../validation/transportserver_test.go | 105 +- .../configuration/validation/virtualserver.go | 14 +- .../validation/virtualserver_test.go | 71 +- pkg/apis/dos/v1beta1/register.go | 2 +- pkg/apis/dos/validation/dos.go | 30 +- pkg/apis/dos/validation/dos_test.go | 40 +- pkg/apis/externaldns/v1/register.go | 2 +- .../externaldns/validation/externaldns.go | 2 +- .../validation/externaldns_test.go | 4 +- pkg/client/clientset/versioned/clientset.go | 8 +- .../versioned/fake/clientset_generated.go | 18 +- .../clientset/versioned/fake/register.go | 8 +- .../clientset/versioned/scheme/register.go | 8 +- .../configuration/v1/configuration_client.go | 4 +- 
.../v1/fake/fake_configuration_client.go | 2 +- .../configuration/v1/fake/fake_policy.go | 2 +- .../v1/fake/fake_virtualserver.go | 2 +- .../v1/fake/fake_virtualserverroute.go | 2 +- .../typed/configuration/v1/policy.go | 4 +- .../typed/configuration/v1/virtualserver.go | 4 +- .../configuration/v1/virtualserverroute.go | 4 +- .../v1alpha1/configuration_client.go | 4 +- .../fake/fake_configuration_client.go | 2 +- .../v1alpha1/fake/fake_globalconfiguration.go | 2 +- .../v1alpha1/fake/fake_policy.go | 2 +- .../v1alpha1/fake/fake_transportserver.go | 2 +- .../v1alpha1/globalconfiguration.go | 4 +- .../typed/configuration/v1alpha1/policy.go | 4 +- .../configuration/v1alpha1/transportserver.go | 4 +- .../versioned/typed/dos/v1beta1/dos_client.go | 4 +- .../typed/dos/v1beta1/dosprotectedresource.go | 4 +- .../typed/dos/v1beta1/fake/fake_dos_client.go | 2 +- .../v1beta1/fake/fake_dosprotectedresource.go | 2 +- .../typed/externaldns/v1/dnsendpoint.go | 4 +- .../externaldns/v1/externaldns_client.go | 4 +- .../externaldns/v1/fake/fake_dnsendpoint.go | 2 +- .../v1/fake/fake_externaldns_client.go | 2 +- .../configuration/interface.go | 6 +- .../configuration/v1/interface.go | 2 +- .../configuration/v1/policy.go | 8 +- .../configuration/v1/virtualserver.go | 8 +- .../configuration/v1/virtualserverroute.go | 8 +- .../v1alpha1/globalconfiguration.go | 8 +- .../configuration/v1alpha1/interface.go | 2 +- .../configuration/v1alpha1/policy.go | 8 +- .../configuration/v1alpha1/transportserver.go | 8 +- .../externalversions/dos/interface.go | 4 +- .../dos/v1beta1/dosprotectedresource.go | 8 +- .../externalversions/dos/v1beta1/interface.go | 2 +- .../externalversions/externaldns/interface.go | 4 +- .../externaldns/v1/dnsendpoint.go | 8 +- .../externaldns/v1/interface.go | 2 +- .../informers/externalversions/factory.go | 10 +- .../informers/externalversions/generic.go | 8 +- .../internalinterfaces/factory_interfaces.go | 2 +- pkg/client/listers/configuration/v1/policy.go | 2 +- 
.../listers/configuration/v1/virtualserver.go | 2 +- .../configuration/v1/virtualserverroute.go | 2 +- .../v1alpha1/globalconfiguration.go | 2 +- .../listers/configuration/v1alpha1/policy.go | 2 +- .../configuration/v1alpha1/transportserver.go | 2 +- .../dos/v1beta1/dosprotectedresource.go | 2 +- .../listers/externaldns/v1/dnsendpoint.go | 2 +- tests/README.md | 86 +- tests/data/ap-waf-grpc/syslog.yaml | 2 +- tests/data/ap-waf/syslog.yaml | 2 +- tests/data/ap-waf/syslog2.yaml | 2 +- tests/data/appprotect/syslog.yaml | 2 +- tests/data/appprotect/syslog2.yaml | 2 +- tests/data/dos/dos-syslog.yaml | 2 +- .../ingress-mtls/client-auth/crl/webapp.crl | 26 +- .../client-auth/not-revoked/client-cert.pem | 152 +- .../client-auth/not-revoked/client-key.pem | 52 +- .../client-auth/revoked/client-cert.pem | 154 +- .../client-auth/revoked/client-key.pem | 52 +- .../secret/ingress-mtls-secret-crl.yaml | 4 +- .../external-svc-deployment.yaml | 2 +- .../standard/service_deployment.yaml | 2 +- tests/data/virtual-server-dos/syslog.yaml | 2 +- tests/docker/Dockerfile | 2 +- tests/requirements.txt | 568 ++--- tests/suite/grpc/README.md | 7 +- tests/suite/test_jwt_policies_jwksuri.py | 1 + tests/suite/test_jwt_policies_jwksuri_vsr.py | 3 +- .../test_virtual_server_upstream_options.py | 61 +- 340 files changed, 9940 insertions(+), 5774 deletions(-) delete mode 100644 .github/labels.yml create mode 100644 .github/workflows/dependency-review.yml delete mode 100644 .github/workflows/draft-release.yaml delete mode 100644 .github/workflows/release.yml delete mode 100644 .github/workflows/sync.yml create mode 100644 .markdownlint-cli2.yaml create mode 100644 docs/content/troubleshooting/troubleshoot-common.md create mode 100644 docs/content/troubleshooting/troubleshoot-configmap-policy.md delete mode 100644 docs/content/troubleshooting/troubleshoot-ingress-controller.md create mode 100644 docs/content/troubleshooting/troubleshoot-ingress.md create mode 100644 
docs/content/troubleshooting/troubleshoot-transportserver.md create mode 100644 docs/content/troubleshooting/troubleshoot-virtualserver.md rename docs/content/troubleshooting/{troubleshooting-with-app-protect-dos.md => troubleshooting-app-protect-dos.md} (62%) rename docs/content/troubleshooting/{troubleshooting-with-app-protect.md => troubleshooting-app-protect-waf.md} (64%) create mode 100644 docs/content/tutorials/custom-listen-ports.md create mode 100644 docs/content/tutorials/nginx-ingress-linkerd.md create mode 100644 docs/content/tutorials/oidc-custom-configuration.md create mode 100644 docs/content/usage-reporting.md create mode 100644 examples/shared-examples/usage-reporting/cluster-connector.yaml create mode 100644 internal/certmanager/test_files/context.go delete mode 100644 perf-tests/requirements.txt diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index a1dec93f78..f4e9de75ca 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -12,6 +12,7 @@ A clear and concise description of what the bug is. **To Reproduce** Steps to reproduce the behavior: + 1. Deploy x to '...' using some.yaml 2. View logs on '....' 3. See error @@ -20,10 +21,11 @@ Steps to reproduce the behavior: A clear and concise description of what you expected to happen. **Your environment** -* Version of the Ingress Controller - release version or a specific commit -* Version of Kubernetes -* Kubernetes platform (e.g. Mini-kube or GCP) -* Using NGINX or NGINX Plus + +- Version of the Ingress Controller - release version or a specific commit +- Version of Kubernetes +- Kubernetes platform (e.g. Mini-kube or GCP) +- Using NGINX or NGINX Plus **Additional context** diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 5281f1e1f0..c9afef021b 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md 
@@ -1,7 +1,10 @@ ### Proposed changes -Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to that issue here in this description (not in the title of the PR). + +Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to +that issue here in this description (not in the title of the PR). ### Checklist + Before creating a PR, run through this checklist and mark each as complete. - [ ] I have read the [CONTRIBUTING](https://github.com/nginxinc/kubernetes-ingress/blob/main/CONTRIBUTING.md) doc diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 28503287aa..3deeabcdce 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -25,7 +25,7 @@ updates: schedule: interval: weekly - - package-ecosystem: pip - directory: /perf-tests + - package-ecosystem: gomod + directory: /docs schedule: interval: weekly diff --git a/.github/labeler.yml b/.github/labeler.yml index 336e4b6192..ffbc8e3bc6 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml 
@@ -1,25 +1,29 @@ +change: + - head-branch: ['^change/'] + enhancement: -- branch: ['feature/**', 'feat/**', 'enhancement/**', 'enh/**'] + - head-branch: ['^feature/', '^feat/', '^enhancement/', '^enh/'] bug: -- branch: ['fix/**', 'bug/**'] + - head-branch: ['^fix/', '^bug/'] chore: -- branch: ['chore/**'] + - head-branch: ['^chore/'] tests: -- branch: ['tests/**', 'test/**'] -- tests/**/* -- perf-tests/**/* + - any: + - head-branch: ['^tests/', '^test/'] + - changed-files: ['tests/**/*', 'perf-tests/**/*'] + - all: + - changed-files: ['!tests/requirements.txt', '!perf-tests/requirements.txt'] documentation: -- branch: ['docs/**', 'doc/**'] -- '**/*.md' + - head-branch: ['^docs/', '^doc/'] + - changed-files: '**/*.md' dependencies: -- branch: ['deps/**', 'dep/**', 'dependabot/**'] -- go.mod -- go.sum + - head-branch: ['^deps/', '^dep/', '^dependabot/', 'pre-commit-ci-update-config'] + - changed-files: ['go.mod', 'go.sum'] helm_chart: -- deployments/helm-chart/**/* + - changed-files: ['deployments/helm-chart/**/*'] diff --git a/.github/labels.yml b/.github/labels.yml deleted file mode 100644 index 9f2ec6347e..0000000000 --- a/.github/labels.yml +++ /dev/null 
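Review bot: Two entries in the new labeler rules are written differently from their neighbours. Under `documentation`, `changed-files: '**/*.md'` is a bare string while every other `changed-files` value in the hunk is a list, so `- changed-files: ['**/*.md']` would keep the schema uniform. Under `dependencies`, `'pre-commit-ci-update-config'` has no `^` although the other `head-branch` patterns (which look like regular expressions) are anchored; if they are, the unanchored one matches any branch name containing that text, and `'^pre-commit-ci-update-config'` would be consistent. Whether the labeler version in use accepts the scalar form is not visible from this hunk.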
@@ -1,75 +0,0 @@ -- color: 77BC7C - description: Pull requests/issues that are backlog items - name: backlog -- color: A90EA3 - description: Pull requests/issues that are candidates to be backlog items - name: backlog candidate -- color: fc2929 - description: An issue reporting a potential bug - name: bug -- color: b60205 - description: Pull requests that introduce a change - name: change -- color: 3a2716 - description: Pull requests for routine tasks - name: chore -- color: 0366d6 - description: Pull requests that update a dependency file - name: dependencies -- color: 21ceff - description: Pull requests that update Docker code - name: docker -- color: c5def5 - description: Pull requests/issues for documentation - name: documentation -- color: 84b6eb - description: Pull requests for new features/feature enhancements - name: enhancement -- color: "000000" - description: Pull requests that update Github_actions code - name: github_actions -- color: 16e2e2 - description: Pull requests that update Go code - name: go -- color: 5319E7 - description: Issues identified as good for first-time contributors - name: good first issue -- color: 0e8a16 - description: Pull requests that update the Helm Chart - name: helm_chart -- color: FBCA04 - description: Issues identified as good community contribution opportunities - name: help wanted -- color: c5def5 - description: Gathering information - name: in review -- color: 68E39B - description: Issues that require more information - name: needs more info -- color: F345AD - description: Issues that are not in scope - name: out of scope -- color: db754c - description: An issue that proposes a feature request - name: proposal -- color: 2b67c6 - description: Pull requests that update Python code - name: python -- color: cc317c - description: An issue asking a question - name: question -- color: FEF2C0 - description: Pull requests that don't need to be added to the changelog - name: skip changelog -- color: 8E7888 - description: Pull 
requests/issues with no activity - name: stale -- color: A4EF7D - description: Pull requests that update tests - name: tests -- color: C2E0C6 - description: Waiting for author's response - name: waiting for response -- color: ffffff - description: An issue that does not need to be fixed - name: wontfix diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index 86e19f4391..7c95189c49 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -17,6 +17,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: build: runs-on: ubuntu-22.04 @@ -30,7 +33,7 @@ jobs: image_digest: ${{ steps.build-push.outputs.digest }} steps: - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: ref: ${{ inputs.tag != '' && format('refs/tags/v{0}', inputs.tag) || github.ref }} fetch-depth: 0 
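Review bot: The new top-level `permissions: contents: read` in build-oss.yml leaves the `build` job with a read-only token unless the job declares its own block, and none is visible in these hunks (new lines 26–32 fall between the two hunks and are not shown). Later steps in the same job log in to ghcr.io with `secrets.GITHUB_TOKEN`, assume an AWS role (which presumably uses OIDC), and upload SARIF. The upload step is `continue-on-error: true`, so a permission failure there would pass silently and the scan results would simply stop appearing. If the job has no block of its own, add one that mirrors the commented block in build-plus.yml, with `packages: write`, `id-token: write` and `security-events: write` next to `contents: read`, each with a short comment naming the step that needs it.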
@@ -42,49 +45,49 @@ jobs: key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }} - name: Setup QEMU - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0 + uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 with: platforms: arm,arm64,ppc64le,s390x - if: github.event_name != 'pull_request' + if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} - name: Docker Buildx - uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 + uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 - name: DockerHub Login - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - if: github.event_name != 'pull_request' + if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} - name: Login to GitHub Container Registry - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - if: github.event_name != 'pull_request' + if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 + uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0 with: aws-region: us-east-1 role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }} - if: github.event_name != 'pull_request' + if: ${{ github.event_name != 'pull_request' && ! 
startsWith(github.ref, 'refs/heads/release-') }} - name: Login to Public ECR - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 with: registry: public.ecr.aws - if: github.event_name != 'pull_request' + if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} - name: Login to Quay.io - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_ROBOT_TOKEN }} - if: github.event_name != 'pull_request' + if: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} - name: Get short tag id: tag @@ -96,7 +99,7 @@ jobs: - name: Docker meta id: meta - uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.0 + uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 with: context: ${{ inputs.tag != '' && 'git' || 'workflow' }} images: | @@ -110,7 +113,8 @@ jobs: tags: | type=edge type=ref,event=pr - type=schedule + type=ref,event=branch,enable=${{ startsWith(github.ref, 'refs/heads/release-') }} + type=schedule,enable=${{ inputs.tag == '' }} type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }} @@ -126,7 +130,7 @@ jobs: io.artifacthub.package.keywords=kubernetes,ingress,nginx,controller - name: Build Docker image - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0 + uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 id: build-push with: file: build/Dockerfile 
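Review bot: The publish gate `github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-')` is now pasted into six step-level `if:` conditions in the `@@ -42,49 +45,49 @@` hunk. It is repeated in the build step's `platforms`, `push`, `no-cache` and `sbom` inputs in the later `@@ -136,19 +140,19 @@` hunk, with the inverse in `load` and `IC_VERSION`. If one copy drifts, a registry login could run with credentials on a build that never pushes, or a push could run without its login. Computing it once at job level, `env: PUBLISH: ${{ github.event_name != 'pull_request' && !startsWith(github.ref, 'refs/heads/release-') }}`, and writing `if: ${{ env.PUBLISH == 'true' }}` on each step keeps credential handling and pushing tied to a single decision. A one-line comment on that variable saying why `release-*` branches build but do not publish would also help, since nothing in the hunk explains it.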
@@ -136,19 +140,19 @@ jobs: target: goreleaser tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - platforms: ${{ github.event_name != 'pull_request' && inputs.platforms || '' }} - load: ${{ github.event_name == 'pull_request' }} - push: ${{ github.event_name != 'pull_request' }} + platforms: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && inputs.platforms || '' }} + load: ${{ github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-') }} + push: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} pull: true - no-cache: ${{ github.event_name != 'pull_request' }} - sbom: ${{ github.event_name != 'pull_request' }} + no-cache: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} + sbom: ${{ github.event_name != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} provenance: false build-args: | BUILD_OS=${{ inputs.image }} - IC_VERSION=${{ github.event_name == 'pull_request' && 'CI' || steps.meta.outputs.version }} + IC_VERSION=${{ (github.event_name == 'pull_request' || startsWith(github.ref, 'refs/heads/release-')) && 'CI' || steps.meta.outputs.version }} - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # 0.10.0 + uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # 0.11.2 continue-on-error: true with: image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }} @@ -157,7 +161,7 @@ jobs: ignore-unfixed: "true" - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2 + uses: github/codeql-action/upload-sarif@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2.21.0 continue-on-error: true with: sarif_file: "trivy-results-${{ inputs.image }}.sarif" 
@@ -178,5 +182,8 @@ jobs: tag: ${{ inputs.tag }} version: ${{ needs.build.outputs.version }} image_digest: ${{ needs.build.outputs.image_digest }} + permissions: + contents: read + actions: read secrets: inherit if: ${{ inputs.tag != '' }} diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 34a956a8b5..de81868129 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml @@ -15,24 +15,27 @@ on: nap_modules: required: false type: string + release-url: + required: false + type: string defaults: run: shell: bash -permissions: # added using https://github.com/step-security/secure-workflows +permissions: contents: read jobs: build: - permissions: - contents: read # for docker/build-push-action to read repo content - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - id-token: write # for OIDC login to AWS - runs-on: ubuntu-22.04 - steps: + permissions: + contents: read # for docker/build-push-action to read repo content + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + id-token: write # for OIDC login to AWS + runs-on: ubuntu-22.04 + steps: - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: fetch-depth: 0 
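Review bot: The `permissions` block added to this calling job in `@@ -178,5 +182,8 @@` narrows only the GITHUB_TOKEN, while `secrets: inherit` two lines below still hands every repository secret to the called workflow. Replacing it with an explicit map that names just the secrets the callee reads, for example `secrets: { <SECRET_NAME>: ${{ secrets.<SECRET_NAME> }} }`, would apply the same least-privilege intent to secrets. The added `actions: read` also has no comment, unlike the annotated permissions in build-plus.yml; something like `# needed by the called workflow to read run/artifact metadata` (to be confirmed against the callee) would record why it is there. The job header and its `uses:` line are outside the hunk, so the callee's actual needs cannot be checked here.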
@@ -43,17 +46,17 @@ jobs: key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }} - name: Setup QEMU - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0 + uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 with: platforms: arm64 if: github.event_name != 'pull_request' - name: Docker Buildx - uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 + uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@e8df18b60c5dd38ba618c121b779307266153fbf # v1.1.0 + uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} @@ -61,7 +64,7 @@ jobs: if: github.event_name != 'pull_request' - name: Login to GCR - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 with: registry: gcr.io username: oauth2accesstoken 
@@ -69,32 +72,33 @@ jobs: if: github.event_name != 'pull_request' - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 + uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0 with: aws-region: us-east-1 role-to-assume: ${{ secrets.AWS_ROLE_MARKETPLACE }} if: startsWith(github.ref, 'refs/tags/') && contains(inputs.target, 'aws') - name: Login to ECR - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 with: registry: 709825985650.dkr.ecr.us-east-1.amazonaws.com if: startsWith(github.ref, 'refs/tags/') && contains(inputs.target, 'aws') - name: Docker meta id: meta - uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.0 + uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 with: images: | name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}/nginx-plus-ingress name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}/nginx-plus-ingress,enable=${{ startsWith(github.ref, 'refs/tags/') }} name=709825985650.dkr.ecr.us-east-1.amazonaws.com/nginx/nginx-plus-ingress${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }},enable=${{ startsWith(github.ref, 'refs/tags/') && contains(inputs.target, 'aws') }} flavor: | - suffix=${{ contains(inputs.image, 'ubi') && '-ubi' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }},onlatest=true + suffix=${{ contains(inputs.image, 'ubi') && '-ubi' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ 
contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}},onlatest=true latest=${{ contains(inputs.target, 'aws') && 'false' || 'auto' }} tags: | type=edge type=ref,event=pr + type=ref,event=branch,enable=${{ startsWith(github.ref, 'refs/heads/release-') }} type=schedule,pattern={{date 'YYYYMMDD'}} type=semver,pattern={{version}} labels: | @@ -105,20 +109,15 @@ jobs: - name: NAP modules id: nap_modules run: | - modules="" - if [[ "${{ inputs.nap_modules }}" == "waf,dos" ]]; then - modules="both" - else - modules="${{ inputs.nap_modules }}" - fi + [[ "${{ inputs.nap_modules }}" == "waf,dos" ]] && modules="both" || modules="${{ inputs.nap_modules }}" echo "modules=${modules}" >> $GITHUB_OUTPUT if: ${{ inputs.nap_modules != '' }} - name: Build Plus Docker image - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0 + uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 with: file: build/Dockerfile - context: '.' + context: "." cache-from: type=gha,scope=${{ inputs.image }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }} cache-to: type=gha,scope=${{ inputs.image }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }},mode=max target: ${{ inputs.target }} 
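Review bot: The rewritten `NAP modules` step still pastes `${{ inputs.nap_modules }}` into the script text, so the value is expanded by the workflow engine before bash parses the line instead of reaching the shell as data. The new `AWS variables` step in the next hunk repeats this with an unquoted `modules=${{ inputs.nap_modules }}` and with `${{ steps.meta.outputs.tags }}` and `${{ steps.meta.outputs.version }}` inside `echo`. The callers shown on this page pass fixed matrix values, so this is hardening rather than a live hole, but the job carries `id-token: write` and registry logins: bind the input once with `env:` (`NAP_MODULES: ${{ inputs.nap_modules }}`) and compare `"$NAP_MODULES"` in the script. Separately, `cond && a || b` matches the removed if/else only because the first assignment cannot fail; a short comment saying so would help the next editor.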
@@ -141,11 +140,46 @@ jobs: "nginx-repo.key=${{ inputs.nap_modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}" ${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} + - name: AWS variables + id: aws + run: | + aws_registry=$(echo "${{ steps.meta.outputs.tags }}" | grep -oP "709825985650.dkr.ecr.us-east-1.amazonaws.com/[^[:space:]]+") + version=$(echo ${{ steps.meta.outputs.version }} | sed 's/-mktpl//') + declare -A nap_mapping=( + ["waf"]=_NAP_WAF + ["dos"]=_NAP_DOS + ["waf,dos"]=_NAP_WAF_DOS + ) + modules=${{ inputs.nap_modules }} + [[ -n $modules && ${nap_mapping[$modules]+_} ]] && nap=${nap_mapping[$modules]} + + echo "version=$version" >> $GITHUB_OUTPUT + echo "product_code=AWS${nap}_PRODUCT_ID" >> $GITHUB_OUTPUT + echo "registry=${aws_registry}" >> $GITHUB_OUTPUT + if: startsWith(github.ref, 'refs/tags/') && contains(inputs.target, 'aws') + + - name: Publish to AWS Marketplace + uses: nginxinc/aws-marketplace-publish@93e03c5ce4baa842a8e5baad0a3f35d07b38460c # v0.1.2 + continue-on-error: true + with: + version: ${{ steps.aws.outputs.version }} + product-id: ${{ secrets[steps.aws.outputs.product_code] }} + registry: ${{ steps.aws.outputs.registry }} + release-notes: ${{ inputs.release-url }} + description: | + Best-in-class traffic management solution for services in Amazon EKS. + This is the official implementation of NGINX Ingress Controller (based on NGINX Plus) from NGINX. + usage-instructions: | + This container requires Kubernetes and can be deployed to EKS. + Review the installation instructions https://docs.nginx.com/nginx-ingress-controller/installation/ and utilize the deployment resources available https://github.com/nginxinc/kubernetes-ingress/tree/master/deployments + Use this image instead of building your own. 
+ if: ${{ startsWith(github.ref, 'refs/tags/') && contains(inputs.target, 'aws') }} + - name: Load image for Trivy - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0 + uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 with: file: build/Dockerfile - context: '.' + context: "." cache-from: type=gha,scope=${{ inputs.image }} target: ${{ inputs.target }} tags: docker.io/${{ inputs.image }}:${{ steps.meta.outputs.version }} @@ -161,24 +195,24 @@ jobs: ${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # 0.10.0 + uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # 0.11.2 continue-on-error: true with: image-ref: docker.io/${{ inputs.image }}:${{ steps.meta.outputs.version }} - format: 'sarif' - output: 'trivy-results-${{ inputs.image }}.sarif' - ignore-unfixed: 'true' + format: "sarif" + output: "trivy-results-${{ inputs.image }}.sarif" + ignore-unfixed: "true" - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2 + uses: github/codeql-action/upload-sarif@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2.21.0 continue-on-error: true with: - sarif_file: 'trivy-results-${{ inputs.image }}.sarif' + sarif_file: "trivy-results-${{ inputs.image }}.sarif" - name: Upload Scan Results uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 continue-on-error: true with: - name: 'trivy-results-${{ inputs.image }}.sarif' - path: 'trivy-results-${{ inputs.image }}.sarif' + name: "trivy-results-${{ inputs.image }}.sarif" + path: "trivy-results-${{ inputs.image }}.sarif" if: always() diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5dd7624e01..0ba7245364 100644 
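Review bot: `continue-on-error: true` on the new `Publish to AWS Marketplace` step lets a tagged release finish green when the Marketplace publish fails, leaving the ECR image pushed with no matching listing version and no signal to the releaser. Either drop that line, or give the step an `id` and add a follow-up step gated on `steps.<id>.outcome == 'failure'` that raises a visible warning. In the `AWS variables` step, a non-empty `nap_modules` value that is missing from `nap_mapping` leaves `nap` unset, so `product_code` falls back to `AWS_PRODUCT_ID` and the secret lookup resolves to the base product. Failing there is safer, e.g. `[[ -n $modules && -z ${nap_mapping[$modules]+_} ]] && { echo "unmapped nap_modules: $modules" >&2; exit 1; }`.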
--- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,18 +4,15 @@ on: push: branches: - main + - release-* tags: - - 'v[0-9]+.[0-9]+.[0-9]+' + - "v[0-9]+.[0-9]+.[0-9]+" pull_request: branches: - main - release-* - types: - - opened - - reopened - - synchronize schedule: - - cron: '0 4 * * *' # run every day at 04:00 UTC + - cron: "0 4 * * *" # run every day at 04:00 UTC defaults: run: 
@@ -25,34 +22,39 @@ concurrency: group: ${{ github.ref_name }}-ci cancel-in-progress: true -jobs: +permissions: + contents: read +jobs: checks: name: Checks and variables runs-on: ubuntu-22.04 outputs: - go_path: ${{ steps.go.outputs.go_path }} + go_path: ${{ steps.vars.outputs.go_path }} k8s_latest: ${{ steps.vars.outputs.k8s_latest }} + chart_version: ${{ steps.vars.outputs.chart_version }} steps: - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + + - name: Setup Golang Environment + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + with: + go-version-file: go.mod + - name: Output Variables id: vars run: | echo "k8s_latest=$(grep -m1 'FROM kindest/node' > $GITHUB_OUTPUT - - name: Setup Golang Environment - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 - with: - go-version-file: go.mod - - name: Determine GOPATH - id: go - run: echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT + echo "chart_version=$(yq '.version' > $GITHUB_OUTPUT + echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT + - name: Check if go.mod and go.sum are up to date - run: | - go mod tidy && git diff --exit-code -- go.mod go.sum + run: go mod tidy && git diff --exit-code -- go.mod go.sum + - name: Check if CRDs changed - run: | - make update-crds && git diff --name-only --exit-code deployments/common/crds* deployments/helm-chart/crds* + run: make update-crds && git diff --name-only --exit-code deployments/common/crds* deployments/helm-chart/crds* + - name: Check if Codegen changed run: | cd ../.. && mkdir -p github.com/nginxinc && mv kubernetes-ingress/kubernetes-ingress github.com/nginxinc/ && cd github.com/nginxinc/kubernetes-ingress 
@@ -65,48 +67,69 @@ jobs: needs: checks steps: - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Setup Golang Environment - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version-file: go.mod - name: Run Tests run: make cover - name: Upload coverage to Codecov - uses: codecov/codecov-action@894ff025c7b54547a9a2a1e9f228beae737ad3c2 # v3.1.3 + uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 with: files: ./coverage.txt - release: - name: Release - if: startsWith(github.ref, 'refs/tags/') - uses: ./.github/workflows/release.yml - secrets: inherit - binaries: name: Build Binaries runs-on: ubuntu-22.04 needs: [checks, unit-tests] + outputs: + release-url: ${{ steps.release-notes.outputs.release-url }} + permissions: + contents: write # for lucacome/draft-release and goreleaser/goreleaser-action to manage releases steps: - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: fetch-depth: 0 - name: Setup Golang Environment - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version-file: go.mod - name: Download Syft - uses: anchore/sbom-action/download-syft@422cb34a0f8b599678c41b21163ea6088edb2624 # v0.14.1 + uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 if: startsWith(github.ref, 'refs/tags/') + - name: Create/Update Draft + uses: lucacome/draft-release@f6dc37dcdf44be100a649b72c62c628776750190 # v0.2.2 + id: release-notes + with: + minor-label: "enhancement" + major-label: "change" + publish: ${{ startsWith(github.ref, 
'refs/tags/') }} + collapse-after: 50 + variables: | + helm-chart=${{ needs.checks.outputs.chart_version }} + notes-footer: | + ## Upgrade + - For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). + - For NGINX Plus, use the {{version}} images from the F5 Container registry, the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE), the [GCP Marketplace](https://console.cloud.google.com/marketplace/browse?filter=partner:F5,%20Inc.&filter=solution-type:k8s&filter=category:networking) or build your own image using the {{version}} source code. + - For Helm, use version {{helm-chart}} of the chart. 
+ + ## Resources + - Documentation -- https://docs.nginx.com/nginx-ingress-controller/ + - Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/examples + - Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/deployments/helm-chart + - Operator -- https://github.com/nginxinc/nginx-ingress-operator/ + if: ${{ github.event_name == 'push' && github.ref != 'refs/heads/main' }} + - name: Build binaries - uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0 + uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0 with: version: latest - args: ${{ startsWith(github.ref, 'refs/tags/') && 'release' || 'build --snapshot' }} ${{ github.event_name == 'pull_request' && '--single-target' || '' }} --rm-dist + args: ${{ startsWith(github.ref, 'refs/tags/') && 'release' || 'build --snapshot' }} ${{ github.event_name == 'pull_request' && '--single-target' || '' }} --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GOPATH: ${{ needs.checks.outputs.go_path }} 
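Review bot: `contents: write` is granted to the whole `binaries` job, so every run of it gets a write-capable token, same-repository pull requests and the nightly schedule included. Only the draft-release step (push to a non-main ref) and the tag-only goreleaser `release` path use it. The same job keeps `version: latest` for goreleaser, so the action is pinned by SHA but the binary it downloads and runs under that token floats; pin it, e.g. `version: <goreleaser release tag>`. If moving the release steps into their own job is too much for this change, at least widen the comment to `contents: write # used only by draft-release (push to release-*/tags) and goreleaser release (tags)`. The job's remaining steps lie outside this hunk.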
@@ -136,25 +159,28 @@ jobs: strategy: matrix: include: - - image: debian - type: oss - - image: debian-plus - type: plus + - image: debian + type: oss + - image: debian-plus + type: plus steps: - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: Fetch Cached Artifacts uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 with: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }} + - name: Docker Buildx - uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 + uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 + - name: Build Docker Image ${{ matrix.image }} - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0 + uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 with: file: build/Dockerfile - context: '.' + context: "." cache-from: type=gha,scope=${{ matrix.image }} target: goreleaser tags: ${{ matrix.type }}:${{ github.sha }} @@ -166,11 +192,13 @@ jobs: secrets: | ${{ contains(matrix.type, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }} ${{ contains(matrix.type, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }} + - name: Deploy Kubernetes id: k8s run: | kind create cluster --name ${{ github.run_id }} --image=kindest/node:v${{ needs.checks.outputs.k8s_latest }} --wait 75s kind load docker-image ${{ matrix.type }}:${{ github.sha }} --name ${{ github.run_id }} + - name: Install Chart run: > helm install 
@@ -182,9 +210,11 @@ jobs: --set controller.nginxplus=${{ contains(matrix.type, 'plus') && 'true' || 'false' }} --wait working-directory: ${{ github.workspace }}/deployments/helm-chart + - name: Expose Test Ingresses run: | kubectl port-forward service/${{ matrix.type }}-nginx-ingress-controller 8080:80 8443:443 & + - name: Test HTTP run: | counter=0 @@ -195,6 +225,7 @@ jobs: fi printf '.'; counter=$(($counter+1)); sleep 5; done + - name: Test HTTPS run: | counter=0 @@ -210,7 +241,6 @@ jobs: name: Setup Matrix for Smoke Tests runs-on: ubuntu-22.04 needs: [checks, binaries] - if: ${{ ! startsWith(github.ref, 'refs/tags/') }} outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps: 
@@ -228,23 +258,24 @@ jobs: {\"image\": \"alpine-plus\", \"marker\":\"ingresses\"}, \ {\"image\": \"alpine-plus\", \"marker\": \"vsr\"}, \ {\"image\": \"ubi-plus\", \"marker\": \"policies\"}, \ - {\"image\": \"debian-plus-nap\", \"marker\": \"dos\"}, \ - {\"image\": \"debian-plus-nap\", \"marker\": \"appprotect\"}], \ + {\"image\": \"debian-plus-nap\", \"marker\": \"dos\"}], \ \"k8s\": [\"${{ needs.checks.outputs.k8s_latest }}\"]}" >> $GITHUB_OUTPUT else - echo "matrix={\"k8s\": [\"1.22.17\", \"1.23.17\", \"1.24.12\", \"1.25.8\", \"1.26.3\", \"${{ needs.checks.outputs.k8s_latest }}\"], \ + echo "matrix={\"k8s\": [\"1.22.17\", \"1.23.17\", \"1.24.15\", \"1.25.11\", \"1.26.6\", \"${{ needs.checks.outputs.k8s_latest }}\"], \ \"images\": [{\"image\": \"debian\"}, {\"image\": \"debian-plus\"}]}" >> $GITHUB_OUTPUT fi - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: Docker Buildx - uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 + uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 + - name: Build Test-Runner Container - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0 + uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 with: file: tests/docker/Dockerfile - context: '.' + context: "." cache-from: type=gha,scope=test-runner cache-to: type=gha,scope=test-runner,mode=max tags: test-runner:${{ github.sha }} @@ -260,7 +291,8 @@ jobs: matrix: ${{ fromJSON(needs.setup-matrix.outputs.matrix) }} steps: - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: Run Smoke Tests id: smoke-tests uses: ./.github/actions/smoke-tests 
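Review bot: The `debian-plus-nap` / `appprotect` entry is dropped from this smoke-test matrix branch with no replacement visible on this page, so runs that take this branch no longer exercise what is presumably the App Protect WAF suite. If those tests moved elsewhere or are disabled for a known reason, record it next to the matrix, e.g. `# appprotect marker removed: <reason / tracking issue>`. Otherwise a regression in the WAF integration can reach a release without a smoke test catching it. The `if` that selects this branch starts outside the hunk.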
@@ -271,6 +303,7 @@ jobs: nginx-crt: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }} nginx-key: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }} azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }} + - name: Upload Test Results uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: 
@@ -282,77 +315,96 @@ jobs: name: Build Docker OSS needs: smoke-tests strategy: - fail-fast: false - matrix: - image: [debian, alpine] - platforms: ["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"] - include: - - image: ubi - platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + fail-fast: false + matrix: + image: [debian, alpine] + platforms: + ["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"] + include: + - image: ubi + platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" uses: ./.github/workflows/build-oss.yml with: platforms: ${{ matrix.platforms }} image: ${{ matrix.image }} + permissions: + contents: read + actions: read + security-events: write + id-token: write + packages: write secrets: inherit build-docker-plus: name: Build Docker Plus - needs: build-docker + needs: [binaries, build-docker] strategy: - fail-fast: false - matrix: - image: [debian-plus, alpine-plus] - platforms: ["linux/arm64, linux/amd64"] - target: [goreleaser, aws] - include: - - image: ubi-plus - platforms: "linux/arm64, linux/amd64, linux/s390x" - target: goreleaser + fail-fast: false + matrix: + image: [debian-plus, alpine-plus, alpine-plus-fips] + platforms: ["linux/arm64, linux/amd64"] + target: [goreleaser, aws] + include: + - image: ubi-plus + platforms: "linux/arm64, linux/amd64, linux/s390x" + target: goreleaser uses: ./.github/workflows/build-plus.yml with: platforms: ${{ matrix.platforms }} image: ${{ matrix.image }} target: ${{ matrix.target }} + release-url: ${{ needs.binaries.outputs.release-url }} + permissions: + contents: read + security-events: write + id-token: write secrets: inherit build-docker-nap: name: Build Docker NAP needs: build-docker-plus strategy: - fail-fast: false - matrix: - image: [debian-plus-nap, ubi-plus-nap] - platforms: ["linux/amd64"] - target: [goreleaser, aws] - nap_modules: [dos, waf, "waf,dos"] + fail-fast: false + matrix: + image: [debian-plus-nap, ubi-plus-nap] + platforms: 
["linux/amd64"] + target: [goreleaser, aws] + nap_modules: [dos, waf, "waf,dos"] uses: ./.github/workflows/build-plus.yml with: platforms: ${{ matrix.platforms }} image: ${{ matrix.image }} target: ${{ matrix.target }} nap_modules: ${{ matrix.nap_modules }} + permissions: + contents: read + security-events: write + id-token: write secrets: inherit publish-helm: name: Package and Publish Helm Chart runs-on: ubuntu-22.04 - needs: helm-tests - if: ${{ github.event_name == 'push' }} + needs: [checks, helm-tests] + if: ${{ github.event_name == 'push' && ! startsWith(github.ref, 'refs/heads/release-') }} + permissions: + contents: write # for pushing to Helm Charts repository + packages: write # for helm to push to GHCR steps: - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: path: kic - name: Login to GitHub Container Registry - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: DockerHub Login - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} 
@@ -369,28 +421,21 @@ jobs: helm push ${{ steps.package.outputs.path }} oci://registry-1.docker.io/nginxcharts - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: repository: nginxinc/helm-charts fetch-depth: 1 token: ${{ secrets.NGINX_PAT }} path: helm-charts - - - name: Get Chart type - id: package-helm - run: | - echo "type=${{ contains(steps.package.outputs.path, 'edge') && 'edge' || 'stable' }}" >> $GITHUB_OUTPUT - - - name: Remove previous Chart - if: ${{ ! startsWith(github.ref, 'refs/tags/') }} - run: rm -f ${{ github.workspace }}/helm-charts/edge/nginx-ingress-0.0.0-edge.tgz + if: ${{ startsWith(github.ref, 'refs/tags/') }} - name: Push Helm Chart to Helm Charts Repository run: | - mv ${{ steps.package.outputs.path }} ${{ github.workspace }}/helm-charts/${{ steps.package-helm.outputs.type }}/ + mv ${{ steps.package.outputs.path }} ${{ github.workspace }}/helm-charts/stable/ cd ${{ github.workspace }}/helm-charts - helm repo index ${{ steps.package-helm.outputs.type }} --url https://helm.nginx.com/${{ steps.package-helm.outputs.type }} + helm repo index stable --url https://helm.nginx.com/stable git add -A git -c user.name='NGINX Kubernetes Team' -c user.email='kubernetes@nginx.com' \ - commit -m "NGINX Ingress Controller - Release ${{ steps.package-helm.outputs.type }} ${{ steps.package-helm.outputs.version }}" + commit -m "NGINX Ingress Controller - Release ${{ needs.checks.outputs.chart_version }}" git push -u origin master + if: ${{ startsWith(github.ref, 'refs/tags/') }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index c98d84b654..dff2ead42d 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -2,63 +2,66 @@ name: "CodeQL" on: push: - branches: [ main, release-* ] + branches: + - main + - release-* pull_request: # The branches below must be a subset of the branches above - branches: [ main ] + branches: + - main schedule: - - cron: '36 6 * * 4' # run every Thursday at 06:36 UTC + - cron: "36 6 * * 4" # run every Thursday at 06:36 UTC concurrency: group: ${{ github.ref_name }}-codeql cancel-in-progress: true -permissions: # added using https://github.com/step-security/secure-workflows +permissions: contents: read jobs: analyze: permissions: - actions: read # for github/codeql-action/init to get workflow details - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/autobuild to send a status report + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/autobuild to send a status report name: Analyze runs-on: ubuntu-latest strategy: fail-fast: false matrix: - language: [ 'go', 'python' ] + language: ["go", "python"] steps: - - name: Checkout repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - name: Checkout repository + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main + # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2.21.0 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2 + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2.21.0 - # ℹ️ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl + # ℹ️ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl - # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language + # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language - #- run: | - # make bootstrap - # make release + #- run: | + # make bootstrap + # make release - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2 + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2.21.0 
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000000..bc91de1059 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,28 @@ +name: "Dependency Review" +on: + pull_request: + branches: + - main + - release-* + +concurrency: + group: ${{ github.ref_name }}-deps-review + cancel-in-progress: true + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-22.04 + permissions: + contents: read # for actions/checkout + pull-requests: write # for actions/dependency-review-action to post comments + steps: + - name: "Checkout Repository" + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + + - name: "Dependency Review" + uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6 + with: + config-file: "nginxinc/k8s-common/dependency-review-config.yml@main" diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml index c33ce1d83c..822b33721f 100644 --- a/.github/workflows/dockerhub-description.yml +++ b/.github/workflows/dockerhub-description.yml @@ -11,20 +11,22 @@ concurrency: group: ${{ github.ref_name }}-dockerhub cancel-in-progress: true +permissions: + contents: read jobs: dockerHubDescription: runs-on: ubuntu-22.04 if: ${{ github.event.repository.fork == false }} steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Modify readme for DockerHub run: | sed -i '3,4d' README.md - name: Docker Hub Description - uses: peter-evans/dockerhub-description@579f64ca0abced29dbbc44ab4c6a0b9e33ab3588 # v3.4.1 + uses: peter-evans/dockerhub-description@dc67fad7001ef9e8e3c124cb7a64e16d0a63d864 # v3.4.2 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} 
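Review bot: The `config-file` for `actions/dependency-review-action` is loaded from `nginxinc/k8s-common/dependency-review-config.yml@main`, a mutable branch in another repository, while every action in this new workflow is pinned to a commit SHA. Anyone who can push to that branch can change the policy that gates pull requests here without any change landing in this repository. If the action accepts a tag or commit in that position, pin it, e.g. `config-file: "nginxinc/k8s-common/dependency-review-config.yml@<commit-sha>"`. Otherwise keep the config file in this repository so policy changes go through the same review as the workflow.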
diff --git a/.github/workflows/draft-release.yaml b/.github/workflows/draft-release.yaml deleted file mode 100644 index 1d525588a8..0000000000 --- a/.github/workflows/draft-release.yaml +++ /dev/null @@ -1,32 +0,0 @@ -name: Create Release Draft - -on: - push: - branches: - - release-* - -jobs: - - draft-release: - name: Create Release Draft - runs-on: ubuntu-22.04 - steps: - - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - - - name: Create/Update Draft - uses: lucacome/draft-release@b79be3ff634f771230b2b6ee9f47308c5793671a # v0.2.0 - with: - minor-label: 'enhancement' - major-label: 'change' - notes-footer: | - ## Upgrade - - For NGINX, use the {{version}} image from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). - - For NGINX Plus, use the {{version}} image from the F5 Container registry or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or build your own image using the {{version}} source code. - - For Helm, use version %HELM_CHART_VERSION% of the chart. - - ## Resources - - Documentation -- https://docs.nginx.com/nginx-ingress-controller/ - - Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/examples - - Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/deployments/helm-chart - - Operator -- https://github.com/nginxinc/nginx-ingress-operator/ diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index 29629feaa2..753771538f 100644 --- a/.github/workflows/fossa.yml 
+++ b/.github/workflows/fossa.yml @@ -5,26 +5,26 @@ on: branches: - main paths-ignore: - - 'docs/**' - - 'examples/**' - - '**.md' + - "docs/**" + - "examples/**" + - "**.md" concurrency: group: ${{ github.ref_name }}-fossa cancel-in-progress: true -permissions: # added using https://github.com/step-security/secure-workflows +permissions: contents: read jobs: - scan: name: Fossa runs-on: ubuntu-22.04 if: ${{ github.event.repository.fork == false }} steps: - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: Scan uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1 with: diff --git a/.github/workflows/issues.yaml b/.github/workflows/issues.yaml index 33387953e9..ed434bf72c 100644 --- a/.github/workflows/issues.yaml +++ b/.github/workflows/issues.yaml @@ -4,11 +4,17 @@ on: issues: types: [opened] +permissions: + contents: read + jobs: comment: name: Issue comment if: ${{ !github.event.issue.pull_request }} runs-on: ubuntu-22.04 + permissions: + contents: read + issues: write # for actions/github-script to create comments steps: - name: text id: controller @@ -16,11 +22,12 @@ jobs: run: | text="\n\n I\'ve parsed the text of your issue and it looks like you might be mixing up the two Ingress Controllers, please take a look at this [page](https://docs.nginx.com/nginx-ingress-controller/intro/nginx-ingress-controllers) to see the differences between \`nginxinc/kubernetes-ingress\` (this repo) and \`kubernetes/ingress-nginx\`." echo "text=$text" >> $GITHUB_OUTPUT + - name: Check if Issue author is Org member id: membercheck uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 with: - github-token: ${{ secrets.GITHUB_TOKEN }} + retries: 3 script: | let member try { 
@@ -35,11 +42,12 @@ jobs: member = false } return member + - name: Send message uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 if: steps.membercheck.outputs.result == 'false' with: - github-token: ${{secrets.GITHUB_TOKEN}} + retries: 3 script: | github.rest.issues.createComment({ issue_number: context.issue.number, diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 608cd83339..924b984d1b 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -2,16 +2,16 @@ name: "Pull Request Labeler" on: - pull_request_target -permissions: # added using https://github.com/step-security/secure-workflows +permissions: contents: read jobs: triage: permissions: contents: read - pull-requests: write - runs-on: ubuntu-latest + pull-requests: write # for actions/labeler to add labels + runs-on: ubuntu-22.04 steps: - - uses: joshdales/labeler@7b1327b4c44a8794dfc7573d60637cd60ce4b697 # if https://github.com/actions/labeler/pull/203 is merged, use the official action actions/labeler - with: - repo-token: "${{ secrets.GITHUB_TOKEN }}" + - uses: actions/labeler@4f052778de9a9b80cb16cfb9079b02287285a4cb # v5.0.0-alpha.1 + with: + repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 1c0b3ae314..f197f56160 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -4,14 +4,6 @@ on: pull_request: branches: - main - paths-ignore: - - 'docs/**' - - 'examples/**' - - '**.md' - types: - - opened - - reopened - - synchronize defaults: run: 
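Review bot: In `.github/workflows/labeler.yml` the job still runs on `pull_request_target` with `pull-requests: write`, and nothing in the file records why that is safe. I would add a comment above `triage:` such as `# pull_request_target runs with the base repository's token; never check out or run PR head code in this job`. The step is also now pinned to a pre-release (`# v5.0.0-alpha.1`); the SHA pin is good, but a follow-up to move to the first stable v5 tag is worth tracking. `repo-token: "${{ secrets.GITHUB_TOKEN }}"` could be dropped for consistency with `issues.yaml`, where this commit removes the explicit token, provided the action defaults to the workflow token.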
@@ -21,20 +13,27 @@ concurrency: group: ${{ github.ref_name }}-lint cancel-in-progress: true -jobs: +permissions: + contents: read +jobs: lint: name: Lint runs-on: ubuntu-22.04 + permissions: + contents: read + pull-requests: read # for golangci-lint-action steps: - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: Setup Golang Environment - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version-file: go.mod + - name: Lint Code - uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # v3.4.0 + uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0 with: only-new-issues: true @@ -43,8 +42,9 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - - uses: reviewdog/action-actionlint@42de1e3a0f52d5f8b8390894de87bc603844e530 # v1.37.0 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + + - uses: reviewdog/action-actionlint@7485c2136bd093d2317a854c72910eebaee35238 # v1.37.1 with: actionlint_flags: -shellcheck "" @@ -53,6 +53,20 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: Lint chart run: helm lint deployments/helm-chart + + markdown-lint: + name: Markdown Lint + runs-on: ubuntu-22.04 + steps: + - name: Checkout Repository + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + + - uses: DavidAnson/markdownlint-cli2-action@8f3516061301755c97ff833a8e933f09282cc5b5 # v11.0.0 + with: + config: .markdownlint-cli2.yaml + globs: "**/*.md" + fix: false 
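Review bot: The new `markdown-lint` job in `lint.yml` passes `config: .markdownlint-cli2.yaml` with `fix: false`, but that config file, added in this same commit, ends with `fix: true`. If the config setting applies in CI, fixable violations would be rewritten in the runner's throwaway checkout and not reported, so the check could pass on files that still violate the rules in the repository. I would remove `# Fix any fixable errors` and `fix: true` from the shared config and enable fixing only in the local pre-commit hook. It is also worth confirming how the action interprets the string `false` for its `fix` input.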
diff --git a/.github/workflows/notifications.yml b/.github/workflows/notifications.yml index 4059f18e04..f28257b155 100644 --- a/.github/workflows/notifications.yml +++ b/.github/workflows/notifications.yml @@ -15,10 +15,16 @@ on: types: - completed +permissions: + contents: read + jobs: on-failure: runs-on: ubuntu-22.04 if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.repository.fork == false }} + permissions: + contents: read + actions: read # for 8398a7/action-slack steps: - name: Data uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index f68080386f..0000000000 --- a/.github/workflows/release.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -name: Publish Release - -on: - workflow_call: - -defaults: - run: - shell: bash - -jobs: - release: - runs-on: ubuntu-22.04 - steps: - - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 - - run: npm install js-yaml - continue-on-error: true - - - name: Publish release on tag - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 - continue-on-error: true - with: - retries: 3 - script: | - const ref = context.ref.split("/")[2] - const yaml = require('js-yaml'); - - const releases = (await github.rest.repos.listReleases({ - owner: context.payload.repository.owner.login, - repo: context.payload.repository.name, - per_page: 100, - })).data - - const draft_release = releases.find(release => release.draft && release.tag_name === ref) - - const helm_file = (await github.rest.repos.getContent({ - owner: context.payload.repository.owner.login, - repo: context.payload.repository.name, - path: "deployments/helm-chart/Chart.yaml", - ref: ref, - })).data.content - - const helm_yaml = yaml.load(Buffer.from(helm_file, 'base64').toString()) - const helm_version = helm_yaml.version - console.log(`Helm version: ${helm_version}`) - - const update = await github.rest.repos.updateRelease({ - owner: context.payload.repository.owner.login, - repo: context.payload.repository.name, - release_id: draft_release.id, - body: draft_release.body.replace("%HELM_CHART_VERSION%", helm_version), - draft: false - }); - console.log(`Release published: ${update.data.html_url}`) - console.log(`Release notes: ${update.data.body}`) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 690851a914..a70050557b 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml 
@@ -3,9 +3,10 @@ on: # Only the default branch is supported. branch_protection_rule: schedule: - - cron: '43 20 * * 0' # run every Sunday at 20:43 UTC + - cron: "43 20 * * 0" # run every Sunday at 20:43 UTC push: - branches: [ "main" ] + branches: + - main # Declare default permissions as read only. permissions: read-all @@ -25,12 +26,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3 + uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0 with: results_file: results.sarif results_format: sarif @@ -53,6 +54,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2 + uses: github/codeql-action/upload-sarif@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2.21.0 with: sarif_file: results.sarif diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 4e7abaa2ec..8ce30056b4 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
@@ -1,29 +1,29 @@ -name: 'Close stale issues and PRs' +name: "Close stale issues and PRs" on: schedule: - - cron: '30 1 * * *' # run every day at 01:30 UTC + - cron: "30 1 * * *" # run every day at 01:30 UTC -permissions: # added using https://github.com/step-security/secure-workflows +permissions: contents: read jobs: stale: permissions: - issues: write # for actions/stale to close stale issues - pull-requests: write # for actions/stale to close stale PRs + issues: write # for actions/stale to close stale issues + pull-requests: write # for actions/stale to close stale PRs runs-on: ubuntu-22.04 steps: - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.' - stale-pr-message: 'This PR is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.' - close-issue-message: 'This issue was closed because it has been stalled for 10 days with no activity.' - close-pr-message: 'This PR was closed because it has been stalled for 10 days with no activity.' - stale-issue-label: 'stale' - stale-pr-label: 'stale' + stale-issue-message: "This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days." + stale-pr-message: "This PR is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days." + close-issue-message: "This issue was closed because it has been stalled for 10 days with no activity." + close-pr-message: "This PR was closed because it has been stalled for 10 days with no activity." 
+ stale-issue-label: "stale" + stale-pr-label: "stale" exempt-all-assignees: true - exempt-issue-labels: 'proposal' + exempt-issue-labels: "proposal" operations-per-run: 100 days-before-stale: 90 days-before-close: 10 diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml deleted file mode 100644 index 225668cd97..0000000000 --- a/.github/workflows/sync.yml +++ /dev/null @@ -1,34 +0,0 @@ -name: Sync labels - -on: - schedule: - - cron: '8 0 * * 1' # run every Monday at 00:08 UTC - workflow_dispatch: - -concurrency: - group: ${{ github.ref_name }}-sync - cancel-in-progress: true - -jobs: - # This job sync the labels across the various repos - labels-sync: - runs-on: ubuntu-22.04 - if: ${{ github.event.repository.fork == false }} - strategy: - fail-fast: false - matrix: - repo: - - nginxinc/kubernetes-ingress - - nginxinc/nginx-ingress-helm-operator - - nginxinc/nginx-prometheus-exporter - - nginxinc/nginx-plus-go-client - - nginxinc/nginx-asg-sync - steps: - - name: Checkout - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - - name: Sync Labels - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0 - with: - repository: ${{ matrix.repo }} - token: ${{ secrets.NGINX_PAT }} - prune: true diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index 2e4e35c086..6bcdbc106d 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml @@ -13,6 +13,9 @@ concurrency: group: ${{ github.ref_name }}-update cancel-in-progress: true +permissions: + contents: read + jobs: variables: name: Get versions of base images 
@@ -23,18 +26,21 @@ jobs: k8s_version: ${{ steps.vars.outputs.k8s_version }} steps: - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: fetch-depth: 0 + - name: Set KIC version id: kic run: | tag="$(git tag --sort=-version:refname | head -n1)" echo "tag=${tag//v}" >> $GITHUB_OUTPUT + - name: Checkout Repository at ${{ steps.kic.outputs.tag }} - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: ref: refs/tags/v${{ steps.kic.outputs.tag }} + - name: Set NGINX versions id: versions run: | @@ -42,6 +48,7 @@ jobs: nginx_alpine=library/nginx:$(grep -m1 "FROM.*nginx:.*alpine" < build/Dockerfile | awk -F"[ :]" '{print $3}') nginx_ubi=$(grep -m1 "FROM nginxcontrib/nginx:" < build/Dockerfile | awk -F" " '{print $2}') echo "matrix=[{\"version\": \"${nginx}\", \"distro\": \"debian\"}, {\"version\": \"${nginx_alpine}\", \"distro\": \"alpine\"}, {\"version\": \"${nginx_ubi}\", \"distro\": \"ubi\"}]" >> $GITHUB_OUTPUT + - name: Set other variables id: vars run: | @@ -64,6 +71,7 @@ jobs: run: | if [ ${{ matrix.base_image.distro }} == "debian" ]; then dist=""; else dist="-${{ matrix.base_image.distro }}"; fi echo "tag=${{ needs.variables.outputs.kic-tag }}${dist}" >> $GITHUB_OUTPUT + - name: Check if update available for ${{ matrix.base_image.version }} id: update uses: lucacome/docker-image-update-checker@f50d56412b948cfdbb842c5419372681e0db3df1 # v1.2.1 @@ -72,6 +80,7 @@ jobs: image: nginx/nginx-ingress:${{ steps.dist.outputs.tag }} env: DEBUG: ${{ secrets.ACTIONS_STEP_DEBUG }} + - id: needs run: echo "${{ matrix.base_image.distro }}=${{ steps.update.outputs.needs-updating }}" >> $GITHUB_OUTPUT 
@@ -82,25 +91,29 @@ jobs: needs: [check, variables] steps: - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: fetch-depth: 0 ref: refs/tags/v${{ needs.variables.outputs.kic-tag }} + - name: Setup Golang Environment - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version-file: go.mod + - name: Determine GOPATH id: go run: echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT + - name: Build binaries - uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0 + uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0 with: version: latest args: build --rm-dist --id kubernetes-ingress env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GOPATH: ${{ steps.go.outputs.go_path }} + - name: Store Artifacts in Cache uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 with: @@ -125,16 +138,18 @@ jobs: needs-updating: ${{ needs.check.outputs.needs-updating-ubi }} steps: - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: ref: refs/tags/v${{ needs.variables.outputs.kic-tag }} if: ${{ matrix.needs-updating == 'true' }} + - name: Fetch Cached Artifacts uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 with: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }} if: ${{ matrix.needs-updating == 'true' }} + - name: Run Smoke Tests id: smoke-tests uses: ./.github/actions/smoke-tests 
@@ -143,6 +158,7 @@ jobs: marker: ${{ matrix.marker }} k8s-version: ${{ needs.variables.outputs.k8s_version }} if: ${{ matrix.needs-updating == 'true' }} + - name: Upload Test Results uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: @@ -158,6 +174,12 @@ jobs: platforms: linux/arm,linux/arm64,linux/amd64,linux/ppc64le,linux/s390x image: debian tag: ${{ needs.variables.outputs.kic-tag }} + permissions: + contents: read + actions: read + security-events: write + id-token: write + packages: write secrets: inherit if: ${{ needs.check.outputs.needs-updating-debian == 'true' }} @@ -169,6 +191,12 @@ jobs: platforms: linux/arm,linux/arm64,linux/amd64,linux/ppc64le,linux/s390x image: alpine tag: ${{ needs.variables.outputs.kic-tag }} + permissions: + contents: read + actions: read + security-events: write + id-token: write + packages: write secrets: inherit if: ${{ needs.check.outputs.needs-updating-alpine == 'true' }} @@ -180,5 +208,11 @@ jobs: platforms: linux/arm64,linux/amd64,linux/ppc64le,linux/s390x image: ubi tag: ${{ needs.variables.outputs.kic-tag }} + permissions: + contents: read + actions: read + security-events: write + id-token: write + packages: write secrets: inherit if: ${{ needs.check.outputs.needs-updating-ubi == 'true' }} diff --git a/.github/workflows/updates-notification.yml b/.github/workflows/updates-notification.yml index ba769990d3..037c046382 100644 --- a/.github/workflows/updates-notification.yml +++ b/.github/workflows/updates-notification.yml 
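Review bot: The `permissions:` blocks added to the three reusable-workflow calls (debian, alpine and ubi) in `update-docker-images.yml` grant `security-events: write`, `id-token: write` and `packages: write` with no comment saying what needs them. Elsewhere this commit documents each write scope inline, e.g. `issues: write # for actions/github-script to create comments`. I would add the same kind of trailing comment here, e.g. `id-token: write # for <step in the called workflow that needs OIDC>`, taking the reason from the called workflow, which is not visible in these hunks. Because each call also keeps `secrets: inherit`, documenting the scopes makes it easier to check later that the callee gets no more than it uses. The job definitions start outside the hunks.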
@@ -17,15 +17,22 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: send-notifications: name: Send Notifications runs-on: ubuntu-22.04 + permissions: + contents: read + actions: read # for 8398a7/action-slack steps: - name: Checkout Repository - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: - ref: ${{ inputs.tag }} + ref: refs/tags/v${{ inputs.tag }} + - name: Get variables for Slack id: slack run: | @@ -33,6 +40,7 @@ jobs: echo "date=$(date +%s)" >> $GITHUB_OUTPUT echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT echo "sha_long=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT + - name: Send Notification uses: 8398a7/action-slack@fbd6aa58ba854a740e11a35d0df80cb5d12101d8 # v3.15.1 with: diff --git a/.goreleaser.yml b/.goreleaser.yml index 8ecdbf5d60..eaac2c88bd 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -93,36 +93,38 @@ builds: tags: - aws -archives: - - id: kubernetes-ingress - builds: [kubernetes-ingress] - changelog: skip: true -checksum: - name_template: 'checksums.txt' +archives: + - id: kubernetes-ingress + builds: [kubernetes-ingress] sboms: - artifacts: archive ids: [kubernetes-ingress] + documents: + - "${artifact}.spdx.json" release: ids: [kubernetes-ingress] extra_files: - - glob: ./dist/**.sbom + - glob: ./dist/**.spdx.json blobs: - provider: azblob bucket: '{{.Env.AZURE_BUCKET_NAME}}' extra_files: - - glob: ./dist/**.sbom - -milestones: - - close: true + - glob: ./dist/**.spdx.json announce: slack: enabled: true channel: '#announcements' message_template: 'NGINX Ingress Controller {{ .Tag }} is out! Check it out: {{ .ReleaseURL }}' + +milestones: + - close: true + +snapshot: + name_template: 'edge' diff --git a/.markdownlint-cli2.yaml b/.markdownlint-cli2.yaml new file mode 100644 index 0000000000..cc3ac91b9f --- /dev/null +++ b/.markdownlint-cli2.yaml 
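Review bot: In `.goreleaser.yml` the `checksum:` block with `name_template: 'checksums.txt'` is removed, so the checksum file would be published under GoReleaser's default name instead of `checksums.txt`. Any download or verification script that fetches `checksums.txt` from a release would stop finding it. Whether such consumers exist is not visible here. If the rename is not intended, keep `checksum:` and `name_template: 'checksums.txt'`; if it is, the release notes should mention it next to the switch of SBOM files from `.sbom` to `.spdx.json`.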
@@ -0,0 +1,19 @@ +# Rule configuration. +# For rule descriptions and how to fix: https://github.com/DavidAnson/markdownlint/tree/main#rules--aliases +config: + ul-style: + style: dash + no-duplicate-heading: + siblings_only: true + line-length: + line_length: 120 + code_blocks: false + tables: false + +# Define glob expressions to ignore +ignores: + - ".github/" + - "docs/" # Ignore docs folder for now + +# Fix any fixable errors +fix: true diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 75f0a8aa75..2c9eec3116 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -31,6 +31,7 @@ repos: - id: fix-byte-order-marker - id: detect-private-key exclude: ^(examples/|tests/|internal/k8s/secrets/) + - repo: local hooks: - id: golang-diff @@ -39,30 +40,41 @@ repos: language: system types: [go] pass_filenames: false + - repo: https://github.com/golangci/golangci-lint - rev: v1.52.2 + rev: v1.53.3 hooks: - id: golangci-lint args: [--new-from-patch=/tmp/diff.patch] + - repo: https://github.com/asottile/pyupgrade - rev: v3.3.2 + rev: v3.9.0 hooks: - id: pyupgrade + - repo: https://github.com/PyCQA/isort rev: 5.12.0 hooks: - id: isort + - repo: https://github.com/psf/black - rev: 23.3.0 + rev: 23.7.0 hooks: - id: black + - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.22.0 + rev: 0.23.3 hooks: - id: check-jsonschema name: "Check Helm Chart JSON Schema" files: deployments/helm-chart/values.yaml types: [yaml] args: ['--schemafile', 'deployments/helm-chart/values.schema.json'] + + - repo: https://github.com/DavidAnson/markdownlint-cli2 + rev: v0.8.1 + hooks: + - id: markdownlint-cli2 + ci: - skip: [golang-diff, golangci-lint, check-jsonschema] + skip: [golang-diff, golangci-lint, check-jsonschema, markdownlint-cli2] diff --git a/CHANGELOG.md b/CHANGELOG.md index 20d14a8a48..cd55aea27e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,1102 +1,1614 @@ # Changelog -### 3.1.1 +## Changed -An automatically generated list of changes can be found on GitHub at: [3.1.1 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.1.1) +Unable to use CRDs imported as modules [#3770](https://github.com/nginxinc/kubernetes-ingress/issues/3770) -A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on the NGINX Documentation website. +## 3.2.0 -### 3.1.0 +An automatically generated list of changes can be found on GitHub at: [3.2.0 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.2.0) -An automatically generated list of changes can be found on GitHub at: [3.1.0 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.1.0) +A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on the NGINX Documentation website. -A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on the NGINX Documentation website. +## 3.1.1 -### 3.0.2 +An automatically generated list of changes can be found on GitHub at: [3.1.1 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.1.1) -An automatically generated list of changes can be found on GitHub at: [3.0.2 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.0.2) +A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on the NGINX Documentation website. -A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on the NGINX Documentation website. 
+## 3.1.0 -### 3.0.1 +An automatically generated list of changes can be found on GitHub at: [3.1.0 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.1.0) -An automatically generated list of changes can be found on GitHub at: [3.0.1 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.0.1) +A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on the NGINX Documentation website. -A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on the NGINX Documentation website. +## 3.0.2 -### 3.0.0 +An automatically generated list of changes can be found on GitHub at: [3.0.2 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.0.2) -An automatically generated list of changes can be found on GitHub at: [3.0.0 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.0.0) +A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on the NGINX Documentation website. -A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on the NGINX Documentation website. +## 3.0.1 -### 2.4.2 +An automatically generated list of changes can be found on GitHub at: [3.0.1 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.0.1) -An automatically generated list of changes can be found on GitHub at: [2.4.2 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.4.2) +A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on the NGINX Documentation website. -A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on the NGINX Documentation website. 
+## 3.0.0 -### 2.4.1 +An automatically generated list of changes can be found on GitHub at: [3.0.0 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.0.0) -An automatically generated list of changes can be found on GitHub at: [2.4.1 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.4.1) +A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on the NGINX Documentation website. -A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on the NGINX Documentation website. +## 2.4.2 -### 2.4.0 +An automatically generated list of changes can be found on GitHub at: [2.4.2 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.4.2) -An automatically generated list of changes can be found on GitHub at: [2.4.0 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.4.0) +A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on the NGINX Documentation website. -A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on the NGINX Documentation website. +## 2.4.1 -### 2.3.1 +An automatically generated list of changes can be found on GitHub at: [2.4.1 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.4.1) -An automatically generated list of changes can be found on GitHub at: [2.3.1 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.3.1) +A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on the NGINX Documentation website. -A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on the NGINX Documentation website. 
+## 2.4.0 -### 2.3.0 +An automatically generated list of changes can be found on GitHub at: [2.4.0 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.4.0) -An automatically generated list of changes can be found on GitHub at: [2.3.0 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.3.0) +A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on the NGINX Documentation website. -A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on the NGINX Documentation website. +## 2.3.1 -### 2.2.2 +An automatically generated list of changes can be found on GitHub at: [2.3.1 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.3.1) -An automatically generated list of changes can be found on Github at: [2.2.2 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.2.2) +A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on the NGINX Documentation website. -A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on the NGINX Documentation website. +## 2.3.0 -### 2.2.1 +An automatically generated list of changes can be found on GitHub at: [2.3.0 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.3.0) -An automatically generated list of changes can be found on Github at: [2.2.1 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.2.1) +A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on the NGINX Documentation website. -A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on the NGINX Documentation website. 
+## 2.2.2 -### 2.2.0 +An automatically generated list of changes can be found on Github at: [2.2.2 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.2.2) -An automatically generated list of changes can be found on GitHub at: [2.2.0 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.2.0) +A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on the NGINX Documentation website. -A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on the NGINX Documentation website. +## 2.2.1 -### 2.1.2 +An automatically generated list of changes can be found on Github at: [2.2.1 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.2.1) -An automatically generated list of changes can be found on GitHub at: [2.1.2 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.1.2) +A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on the NGINX Documentation website. -A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on NGINX Documentation website. +## 2.2.0 -### 1.12.4 +An automatically generated list of changes can be found on GitHub at: [2.2.0 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.2.0) -An automatically generated list of changes can be found on GitHub at: [1.12.4 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v1.12.4) +A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on the NGINX Documentation website. -A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on NGINX Documentation website. 
+## 2.1.2 -### 2.1.1 +An automatically generated list of changes can be found on GitHub at: [2.1.2 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.1.2) -An automatically generated list of changes can be found on GitHub at: [2.1.1 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.1.1) +A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on NGINX Documentation website. -A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on NGINX Documentation website. +## 1.12.4 -### 2.1.0 +An automatically generated list of changes can be found on GitHub at: [1.12.4 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v1.12.4) -An automatically generated list of changes can be found on GitHub at: [2.1.0 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.1.0) +A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on NGINX Documentation website. -A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on NGINX Documentation website. +## 2.1.1 -### 2.0.3 +An automatically generated list of changes can be found on GitHub at: [2.1.1 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.1.1) -An automatically generated list of changes can be found on GitHub at: [2.0.3 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.0.3) +A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on NGINX Documentation website. -A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on NGINX Documentation website. 
+## 2.1.0 -### 1.12.3 +An automatically generated list of changes can be found on GitHub at: [2.1.0 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.1.0) -An automatically generated list of changes can be found on GitHub at: [1.12.3 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v1.12.3) +A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on NGINX Documentation website. -A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on NGINX Documentation website. +## 2.0.3 -### 2.0.2 +An automatically generated list of changes can be found on GitHub at: [2.0.3 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.0.3) -An automatically generated list of changes can be found on GitHub at: [2.0.2 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.0.2) +A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on NGINX Documentation website. -A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on NGINX Documentation website. +## 1.12.3 -### 2.0.1 +An automatically generated list of changes can be found on GitHub at: [1.12.3 +Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v1.12.3) -An automatically generated list of changes can be found on GitHub at: [2.0.1 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.0.1) +A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page +on NGINX Documentation website. -A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on NGINX Documentation website. 
+## 2.0.2
-### 1.12.2
+An automatically generated list of changes can be found on GitHub at: [2.0.2
+Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.0.2)
-An automatically generated list of changes can be found on GitHub at: [1.12.2 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v1.12.2)
+A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page
+on NGINX Documentation website.
-A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on NGINX Documentation website.
+## 2.0.1
-### 2.0.0
+An automatically generated list of changes can be found on GitHub at: [2.0.1
+Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.0.1)
-An automatically generated list of changes can be found on GitHub at: [2.0.0 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.0.0)
+A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page
+on NGINX Documentation website.
-A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on NGINX Documentation website.
+## 1.12.2
-### 1.12.1
+An automatically generated list of changes can be found on GitHub at: [1.12.2
+Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v1.12.2)
-An automatically generated list of changes can be found on GitHub at: [1.12.1 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v1.12.1)
+A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page
+on NGINX Documentation website.
-A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on NGINX Documentation website.
+## 2.0.0
-### 1.12.0
+An automatically generated list of changes can be found on GitHub at: [2.0.0
+Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v2.0.0)
-An automatically generated list of changes can be found on GitHub at: [1.12.0 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v1.12.0)
+A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page
+on NGINX Documentation website.
-A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on NGINX Documentation website.
+## 1.12.1
-### 1.11.3
+An automatically generated list of changes can be found on GitHub at: [1.12.1
+Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v1.12.1)
-An automatically generated list of changes can be found on GitHub at: [1.11.3 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v1.11.3)
+A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page
+on NGINX Documentation website.
-A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on NGINX Documentation website.
+## 1.12.0
-### 1.11.2
+An automatically generated list of changes can be found on GitHub at: [1.12.0
+Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v1.12.0)
-An automatically generated list of changes can be found on GitHub at: [1.11.2 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v1.11.2)
+A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page
+on NGINX Documentation website.
-A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on NGINX Documentation website.
+## 1.11.3
-### 1.11.1
+An automatically generated list of changes can be found on GitHub at: [1.11.3
+Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v1.11.3)
-An automatically generated list of changes can be found on GitHub at: [1.11.1 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v1.11.1)
+A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page
+on NGINX Documentation website.
-A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on NGINX Documentation website.
+## 1.11.2
-### 1.11.0
+An automatically generated list of changes can be found on GitHub at: [1.11.2
+Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v1.11.2)
-An automatically generated list of changes can be found on GitHub at: [1.11.0 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v1.11.0)
+A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page
+on NGINX Documentation website.
-A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on NGINX Documentation website.
+## 1.11.1
-### 1.10.1
+An automatically generated list of changes can be found on GitHub at: [1.11.1
+Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v1.11.1)
+
+A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page
+on NGINX Documentation website.
+
+## 1.11.0
+
+An automatically generated list of changes can be found on GitHub at: [1.11.0
+Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v1.11.0)
+
+A curated list of changes can be found in the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page
+on NGINX Documentation website.
+ +## 1.10.1 CHANGES: -* Update NGINX version to 1.19.8. -* Add Kubernetes 1.20 support. -* [1373](https://github.com/nginxinc/kubernetes-ingress/pull/1373), [1439](https://github.com/nginxinc/kubernetes-ingress/pull/1439), [1440](https://github.com/nginxinc/kubernetes-ingress/pull/1440): Fix various issues in the Makefile. In 1.10.0, a bug was introduced that prevented building Ingress Controller images on versions of make < 4.1. + +- Update NGINX version to 1.19.8. +- Add Kubernetes 1.20 support. +- [1373](https://github.com/nginxinc/kubernetes-ingress/pull/1373), + [1439](https://github.com/nginxinc/kubernetes-ingress/pull/1439), + [1440](https://github.com/nginxinc/kubernetes-ingress/pull/1440): Fix various issues in the Makefile. In 1.10.0, a bug + was introduced that prevented building Ingress Controller images on versions of make < 4.1. HELM CHART: -* The version of the Helm chart is now 0.8.1. + +- The version of the Helm chart is now 0.8.1. UPGRADE: -* For NGINX, use the 1.10.1 image from our DockerHub: `nginx/nginx-ingress:1.10.1`, `nginx/nginx-ingress:1.10.1-alpine` or `nginx/nginx-ingress:1.10.1-ubi` -* For NGINX Plus, please build your own image using the 1.10.1 source code. -* For Helm, use version 0.8.1 of the chart. -### 1.10.0 +- For NGINX, use the 1.10.1 image from our DockerHub: `nginx/nginx-ingress:1.10.1`, `nginx/nginx-ingress:1.10.1-alpine` + or `nginx/nginx-ingress:1.10.1-ubi` +- For NGINX Plus, please build your own image using the 1.10.1 source code. +- For Helm, use version 0.8.1 of the chart. + +## 1.10.0 OVERVIEW: Release 1.10.0 includes: -* Open ID Connect authentication policy. -* Improved handling of Secret resources with extended validation and error reporting. -* Improved visibility with Prometheus metrics for the configuration workqueue and the ability to annotate NGINX logs with the metadata of Kubernetes resources. -* NGINX App Protect User-Defined signatures support. -* Improved validation of Ingress annotations. 
+ +- Open ID Connect authentication policy. +- Improved handling of Secret resources with extended validation and error reporting. +- Improved visibility with Prometheus metrics for the configuration workqueue and the ability to annotate NGINX logs + with the metadata of Kubernetes resources. +- NGINX App Protect User-Defined signatures support. +- Improved validation of Ingress annotations. You will find the complete changelog for release 1.10.0, including bug fixes, improvements, and changes below. FEATURES FOR POLICY RESOURCE: -* [1304](https://github.com/nginxinc/kubernetes-ingress/pull/1304) Add Open ID Connect policy. + +- [1304](https://github.com/nginxinc/kubernetes-ingress/pull/1304) Add Open ID Connect policy. FEATURES FOR NGINX APP PROTECT: -* [1281](https://github.com/nginxinc/kubernetes-ingress/pull/1281) Add support for App Protect User Defined Signatures. + +- [1281](https://github.com/nginxinc/kubernetes-ingress/pull/1281) Add support for App Protect User Defined Signatures. FEATURES: -* [1266](https://github.com/nginxinc/kubernetes-ingress/pull/1266) Add workqueue metrics to Prometheus metrics. -* [1233](https://github.com/nginxinc/kubernetes-ingress/pull/1233) Annotate tcp metrics with k8s object labels. -* [1231](https://github.com/nginxinc/kubernetes-ingress/pull/1231) Support k8s objects variables in log format. + +- [1266](https://github.com/nginxinc/kubernetes-ingress/pull/1266) Add workqueue metrics to Prometheus metrics. +- [1233](https://github.com/nginxinc/kubernetes-ingress/pull/1233) Annotate tcp metrics with k8s object labels. +- [1231](https://github.com/nginxinc/kubernetes-ingress/pull/1231) Support k8s objects variables in log format. IMPROVEMENTS: -* [1270](https://github.com/nginxinc/kubernetes-ingress/pull/1270) and [1277](https://github.com/nginxinc/kubernetes-ingress/pull/1277) Improve validation of Ingress annotations. 
-* [1265](https://github.com/nginxinc/kubernetes-ingress/pull/1265) Report warnings for misconfigured TLS and JWK secrets. -* [1262](https://github.com/nginxinc/kubernetes-ingress/pull/1262) Use setcap(8) only once. [1263](https://github.com/nginxinc/kubernetes-ingress/pull/1263) Use chown(8) only once. [1264](https://github.com/nginxinc/kubernetes-ingress/pull/1264) Use mkdir(1) only once. Thanks to [Sergey A. Osokin](https://github.com/osokin). -* [1256](https://github.com/nginxinc/kubernetes-ingress/pull/1256) and [1260](https://github.com/nginxinc/kubernetes-ingress/pull/1260) Improve handling of secret resources. -* [1240](https://github.com/nginxinc/kubernetes-ingress/pull/1240) Validate TLS and CA secrets. -* [1235](https://github.com/nginxinc/kubernetes-ingress/pull/1235) Use buildkit secret flag for NGINX plus images. -* Documentation improvements: [1282](https://github.com/nginxinc/kubernetes-ingress/pull/1282), [1293](https://github.com/nginxinc/kubernetes-ingress/pull/1293), [1303](https://github.com/nginxinc/kubernetes-ingress/pull/1303), [1315](https://github.com/nginxinc/kubernetes-ingress/pull/1315). + +- [1270](https://github.com/nginxinc/kubernetes-ingress/pull/1270) and + [1277](https://github.com/nginxinc/kubernetes-ingress/pull/1277) Improve validation of Ingress annotations. +- [1265](https://github.com/nginxinc/kubernetes-ingress/pull/1265) Report warnings for misconfigured TLS and JWK + secrets. +- [1262](https://github.com/nginxinc/kubernetes-ingress/pull/1262) Use setcap(8) only once. + [1263](https://github.com/nginxinc/kubernetes-ingress/pull/1263) Use chown(8) only once. + [1264](https://github.com/nginxinc/kubernetes-ingress/pull/1264) Use mkdir(1) only once. Thanks to [Sergey A. + Osokin](https://github.com/osokin). +- [1256](https://github.com/nginxinc/kubernetes-ingress/pull/1256) and + [1260](https://github.com/nginxinc/kubernetes-ingress/pull/1260) Improve handling of secret resources. 
+- [1240](https://github.com/nginxinc/kubernetes-ingress/pull/1240) Validate TLS and CA secrets. +- [1235](https://github.com/nginxinc/kubernetes-ingress/pull/1235) Use buildkit secret flag for NGINX plus images. +- Documentation improvements: [1282](https://github.com/nginxinc/kubernetes-ingress/pull/1282), + [1293](https://github.com/nginxinc/kubernetes-ingress/pull/1293), + [1303](https://github.com/nginxinc/kubernetes-ingress/pull/1303), + [1315](https://github.com/nginxinc/kubernetes-ingress/pull/1315). HELM CHART: -* The version of the helm chart is now 0.8.0. -* [1290](https://github.com/nginxinc/kubernetes-ingress/pull/1290) Add new preview policies parameter to chart. `controller.enablePreviewPolicies` was added. -* [1232](https://github.com/nginxinc/kubernetes-ingress/pull/1232) Replace deprecated imagePullSecrets helm setting. `controller.serviceAccount.imagePullSecrets` was removed. `controller.serviceAccount.imagePullSecretName` was added. -* [1228](https://github.com/nginxinc/kubernetes-ingress/pull/1228) Fix installation of ingressclass on Kubernetes versions `v1.18.x-*` + +- The version of the helm chart is now 0.8.0. +- [1290](https://github.com/nginxinc/kubernetes-ingress/pull/1290) Add new preview policies parameter to chart. + `controller.enablePreviewPolicies` was added. +- [1232](https://github.com/nginxinc/kubernetes-ingress/pull/1232) Replace deprecated imagePullSecrets helm setting. + `controller.serviceAccount.imagePullSecrets` was removed. `controller.serviceAccount.imagePullSecretName` was added. +- [1228](https://github.com/nginxinc/kubernetes-ingress/pull/1228) Fix installation of ingressclass on Kubernetes + versions `v1.18.x-*` CHANGES: -* [1299](https://github.com/nginxinc/kubernetes-ingress/pull/1299) Update NGINX App Protect version to 2.3 and debian distribution to `debian:buster-slim`. -* [1291](https://github.com/nginxinc/kubernetes-ingress/pull/1291) Update NGINX OSS to `1.19.6`. Update NGINX Plus to `R23`. 
-* [1290](https://github.com/nginxinc/kubernetes-ingress/pull/1290) Graduate policy resource and accessControl policy to generally available. -* [1225](https://github.com/nginxinc/kubernetes-ingress/pull/1225) Require secrets to have types. -* [1237](https://github.com/nginxinc/kubernetes-ingress/pull/1237) Deprecate support for helm2 clients. + +- [1299](https://github.com/nginxinc/kubernetes-ingress/pull/1299) Update NGINX App Protect version to 2.3 and debian + distribution to `debian:buster-slim`. +- [1291](https://github.com/nginxinc/kubernetes-ingress/pull/1291) Update NGINX OSS to `1.19.6`. Update NGINX Plus to + `R23`. +- [1290](https://github.com/nginxinc/kubernetes-ingress/pull/1290) Graduate policy resource and accessControl policy to + generally available. +- [1225](https://github.com/nginxinc/kubernetes-ingress/pull/1225) Require secrets to have types. +- [1237](https://github.com/nginxinc/kubernetes-ingress/pull/1237) Deprecate support for helm2 clients. UPGRADE: -* For NGINX, use the 1.10.0 image from our DockerHub: `nginx/nginx-ingress:1.10.0`, `nginx/nginx-ingress:1.10.0-alpine` or `nginx-ingress:1.10.0-ubi` -* For NGINX Plus, please build your own image using the 1.10.0 source code. -* For Helm, use version 0.8.0 of the chart. -* As a result of [1270](https://github.com/nginxinc/kubernetes-ingress/pull/1270) and [1277](https://github.com/nginxinc/kubernetes-ingress/pull/1277), the Ingress Controller improved validation of Ingress annotations: more annotations are validated and validation errors are reported via events for Ingress resources. Additionally, the default behavior for invalid annotation values was changed: instead of using the default values, the Ingress Controller will reject a resource with an invalid annotation value, which will make clients see `404` responses from NGINX. 
See this [document](https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/#validation) to learn more. Before upgrading, ensure the Ingress resources don't have annotations with invalid values. Otherwise, after the upgrade, the Ingress Controller will reject such resources. -* In [1232](https://github.com/nginxinc/kubernetes-ingress/pull/1232) `controller.serviceAccount.imagePullSecrets` was removed. Use the new `controller.serviceAccount.imagePullSecretName` instead. -* The Policy resource was promoted to `v1`. If you used the `alpha1` version, the policies are needed to be recreated with the `v1` version. Before upgrading the Ingress Controller, run the following command to remove the `alpha1` policies CRD (that will also remove all existing `alpha1` policies): - ``` + +- For NGINX, use the 1.10.0 image from our DockerHub: `nginx/nginx-ingress:1.10.0`, `nginx/nginx-ingress:1.10.0-alpine` + or `nginx-ingress:1.10.0-ubi` +- For NGINX Plus, please build your own image using the 1.10.0 source code. +- For Helm, use version 0.8.0 of the chart. +- As a result of [1270](https://github.com/nginxinc/kubernetes-ingress/pull/1270) and + [1277](https://github.com/nginxinc/kubernetes-ingress/pull/1277), the Ingress Controller improved validation of + Ingress annotations: more annotations are validated and validation errors are reported via events for Ingress + resources. Additionally, the default behavior for invalid annotation values was changed: instead of using the default + values, the Ingress Controller will reject a resource with an invalid annotation value, which will make clients see + `404` responses from NGINX. See this + [document](https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/#validation) + to learn more. Before upgrading, ensure the Ingress resources don't have annotations with invalid values. 
Otherwise, + after the upgrade, the Ingress Controller will reject such resources. +- In [1232](https://github.com/nginxinc/kubernetes-ingress/pull/1232) `controller.serviceAccount.imagePullSecrets` was + removed. Use the new `controller.serviceAccount.imagePullSecretName` instead. +- The Policy resource was promoted to `v1`. If you used the `alpha1` version, the policies are needed to be recreated + with the `v1` version. Before upgrading the Ingress Controller, run the following command to remove the `alpha1` + policies CRD (that will also remove all existing `alpha1` policies): + + ```console kubectl delete crd policies.k8s.nginx.org ``` - As part of the upgrade, make sure to create the `v1` policies CRD. See the corresponding instructions for the [manifests](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/#create-custom-resources) and [Helm](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-helm/#upgrading-the-crds) installations. - Also note that all policies except for `accessControl` are still in preview. To enable them, run the Ingress Controller with `- -enable-preview-policies` command-line argument (`controller.enablePreviewPolicies` Helm parameter). -* It is necessary to update secret resources. See the section UPDATING SECRETS below. + As part of the upgrade, make sure to create the `v1` policies CRD. See the corresponding instructions for the + [manifests](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/#create-custom-resources) + and [Helm](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-helm/#upgrading-the-crds) + installations. + + Also note that all policies except for `accessControl` are still in preview. To enable them, run the Ingress + Controller with `- -enable-preview-policies` command-line argument (`controller.enablePreviewPolicies` Helm + parameter). +- It is necessary to update secret resources. 
See the section UPDATING SECRETS below. UPDATING SECRETS: -In [1225](https://github.com/nginxinc/kubernetes-ingress/pull/1225), as part of improving how the Ingress Controller handles secret resources, we added a requirement for secrets to be of one of the following types: +In [1225](https://github.com/nginxinc/kubernetes-ingress/pull/1225), as part of improving how the Ingress Controller +handles secret resources, we added a requirement for secrets to be of one of the following types: + - `kubernetes.io/tls` for TLS secrets. - `nginx.org/jwk` for JWK secrets. - `nginx.org/ca` for CA secrets. -The Ingress Controller now ignores secrets that are not of a supported type. As a consequence, special upgrade steps are required. +The Ingress Controller now ignores secrets that are not of a supported type. As a consequence, special upgrade steps are +required. + +Before upgrading, ensure that the secrets referenced in Ingress, VirtualServer or Policies resources are of a supported +type, which is configured via the `type` field. Because that field is immutable, it is necessary to either: -Before upgrading, ensure that the secrets referenced in Ingress, VirtualServer or Policies resources are of a supported type, which is configured via the `type` field. Because that field is immutable, it is necessary to either: -* Recreate the secrets. Note that in this case, the client traffic for the affected resources will be rejected for the period during which a secret doesn't exist in the cluster. -* Create copies of the secrets and update the affected resources to reference the copies. The copies need to be of a supported type. In contrast with the previous options, this will not make NGINX reject the client traffic. +- Recreate the secrets. Note that in this case, the client traffic for the affected resources will be rejected for the + period during which a secret doesn't exist in the cluster. 
+- Create copies of the secrets and update the affected resources to reference the copies. The copies need to be of a + supported type. In contrast with the previous options, this will not make NGINX reject the client traffic. -It is also necessary to update the default server secret and the wildcard secret (if it was configured) in case their type is not `kubernetes.io/tls`. The steps depend on how you installed the Ingress Controller: via manifests or Helm. Performing the steps will not lead to a disruption of the client traffic, as the Ingress Controller retains the default and wildcard secrets if they are removed. +It is also necessary to update the default server secret and the wildcard secret (if it was configured) in case their +type is not `kubernetes.io/tls`. The steps depend on how you installed the Ingress Controller: via manifests or Helm. +Performing the steps will not lead to a disruption of the client traffic, as the Ingress Controller retains the default +and wildcard secrets if they are removed. For *manifests installation*: + 1. Recreate the default server secret and the wildcard secret with the type `kubernetes.io/tls`. 1. Upgrade the Ingress Controller. For *Helm installation*, there two cases: -1. If Helm created the secrets (you configured `controller.defaultTLS.cert` and `controller.defaultTLS.key` for the default secret and `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` for the wildcard secret), then no special upgrade steps are required: during the upgrade, the Helm will remove the existing default and wildcard secrets and create new ones with different names with the type `kubernetes.io/tls`. -1. If you created the secrets separately from Helm (you configured `controller.defaultTLS.secret` for the default secret and `controller.wildcardTLS.secret` for the wildcard secret): + +1. 
If Helm created the secrets (you configured `controller.defaultTLS.cert` and `controller.defaultTLS.key` for the + default secret and `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` for the wildcard secret), then no + special upgrade steps are required: during the upgrade, the Helm will remove the existing default and wildcard + secrets and create new ones with different names with the type `kubernetes.io/tls`. +1. If you created the secrets separately from Helm (you configured `controller.defaultTLS.secret` for the default secret + and `controller.wildcardTLS.secret` for the wildcard secret): 1. Recreate the secrets with the type `kubernetes.io/tls`. 1. Upgrade to the new Helm release. NOTES: -* Helm 2 clients are no longer supported due to reaching End of Life: https://helm.sh/blog/helm-2-becomes-unsupported/ -### 1.9.1 +- Helm 2 clients are no longer supported due to reaching End of Life: + +## 1.9.1 CHANGES: -* Fix deployment of ingressclass resource via helm on some versions of Kubernetes. -* Update the base ubi images to 8.3. -* Renew CA cert for egress-mtls example. -* Add imagePullSecretName support to helm chart. + +- Fix deployment of ingressclass resource via helm on some versions of Kubernetes. +- Update the base ubi images to 8.3. +- Renew CA cert for egress-mtls example. +- Add imagePullSecretName support to helm chart. HELM CHART: -* The version of the Helm chart is now 0.7.1. + +- The version of the Helm chart is now 0.7.1. UPGRADE: -* For NGINX, use the 1.9.1 image from our DockerHub: `nginx/nginx-ingress:1.9.1`, `nginx/nginx-ingress:1.9.1-alpine` or `nginx/nginx-ingress:1.9.1-ubi` -* For NGINX Plus, please build your own image using the 1.9.1 source code. -* For Helm, use version 0.7.1 of the chart. 
-### 1.9.0 +- For NGINX, use the 1.9.1 image from our DockerHub: `nginx/nginx-ingress:1.9.1`, `nginx/nginx-ingress:1.9.1-alpine` or + `nginx/nginx-ingress:1.9.1-ubi` +- For NGINX Plus, please build your own image using the 1.9.1 source code. +- For Helm, use version 0.7.1 of the chart. + +## 1.9.0 OVERVIEW: Release 1.9.0 includes: -* Support for new Prometheus metrics and enhancements of the existing ones, including configuration reload reason, NGINX worker processes count, upstream latency, and more. -* Support for rate limiting, JWT authentication, ingress(client) and egress(upstream) mutual TLS via the Policy resource. -* Support for the latest Ingress resource features and the IngressClass resource. -* Support for NGINX Service Mesh. + +- Support for new Prometheus metrics and enhancements of the existing ones, including configuration reload reason, NGINX + worker processes count, upstream latency, and more. +- Support for rate limiting, JWT authentication, ingress(client) and egress(upstream) mutual TLS via the Policy + resource. +- Support for the latest Ingress resource features and the IngressClass resource. +- Support for NGINX Service Mesh. You will find the complete changelog for release 1.9.0, including bug fixes, improvements, and changes below. FEATURES FOR POLICY RESOURCE: -* [1180](https://github.com/nginxinc/kubernetes-ingress/pull/1180) Add support for EgressMTLS. -* [1166](https://github.com/nginxinc/kubernetes-ingress/pull/1166) Add IngressMTLS policy support. -* [1154](https://github.com/nginxinc/kubernetes-ingress/pull/1154) Add JWT policy support. -* [1120](https://github.com/nginxinc/kubernetes-ingress/pull/1120) Add RateLimit policy support. -* [1058](https://github.com/nginxinc/kubernetes-ingress/pull/1058) Support policies in VS routes and VSR subroutes. + +- [1180](https://github.com/nginxinc/kubernetes-ingress/pull/1180) Add support for EgressMTLS. 
+- [1166](https://github.com/nginxinc/kubernetes-ingress/pull/1166) Add IngressMTLS policy support. +- [1154](https://github.com/nginxinc/kubernetes-ingress/pull/1154) Add JWT policy support. +- [1120](https://github.com/nginxinc/kubernetes-ingress/pull/1120) Add RateLimit policy support. +- [1058](https://github.com/nginxinc/kubernetes-ingress/pull/1058) Support policies in VS routes and VSR subroutes. FEATURES FOR NGINX APP PROTECT: -* [1147](https://github.com/nginxinc/kubernetes-ingress/pull/1147) Add option to specify other log destinations in AppProtect. -* [1131](https://github.com/nginxinc/kubernetes-ingress/pull/1131) Update packages and CRDs to AppProtect 2.0. This update includes features such as: [JSON Schema Validation](https://docs.nginx.com/nginx-app-protect/configuration#applying-a-json-schema), [User-Defined URLs](https://docs.nginx.com/nginx-app-protect/configuration/#user-defined-urls) and [User-Defined Parameters](https://docs.nginx.com/nginx-app-protect/configuration/#user-defined-parameters). See the [release notes](https://docs.nginx.com/nginx-app-protect/releases/#release-2-0) for a complete feature list. -* [1100](https://github.com/nginxinc/kubernetes-ingress/pull/1100) Add external references to AppProtect. -* [1085](https://github.com/nginxinc/kubernetes-ingress/pull/1085) Add installation of threat campaigns package. + +- [1147](https://github.com/nginxinc/kubernetes-ingress/pull/1147) Add option to specify other log destinations in + AppProtect. +- [1131](https://github.com/nginxinc/kubernetes-ingress/pull/1131) Update packages and CRDs to AppProtect 2.0. This + update includes features such as: [JSON Schema + Validation](https://docs.nginx.com/nginx-app-protect/configuration#applying-a-json-schema), [User-Defined + URLs](https://docs.nginx.com/nginx-app-protect/configuration/#user-defined-urls) and [User-Defined + Parameters](https://docs.nginx.com/nginx-app-protect/configuration/#user-defined-parameters). 
See the [release + notes](https://docs.nginx.com/nginx-app-protect/releases/#release-2-0) for a complete feature list. +- [1100](https://github.com/nginxinc/kubernetes-ingress/pull/1100) Add external references to AppProtect. +- [1085](https://github.com/nginxinc/kubernetes-ingress/pull/1085) Add installation of threat campaigns package. FEATURES: -* [1133](https://github.com/nginxinc/kubernetes-ingress/pull/1133) Add support for IngressClass resources. -* [1130](https://github.com/nginxinc/kubernetes-ingress/pull/1130) Add prometheus latency collector. -* [1076](https://github.com/nginxinc/kubernetes-ingress/pull/1076) Add prometheus worker process metrics. -* [1075](https://github.com/nginxinc/kubernetes-ingress/pull/1075) Add support for NGINX Service Mesh internal routes. + +- [1133](https://github.com/nginxinc/kubernetes-ingress/pull/1133) Add support for IngressClass resources. +- [1130](https://github.com/nginxinc/kubernetes-ingress/pull/1130) Add prometheus latency collector. +- [1076](https://github.com/nginxinc/kubernetes-ingress/pull/1076) Add prometheus worker process metrics. +- [1075](https://github.com/nginxinc/kubernetes-ingress/pull/1075) Add support for NGINX Service Mesh internal routes. IMPROVEMENTS: -* [1178](https://github.com/nginxinc/kubernetes-ingress/pull/1178) Resolve host collisions in VirtualServer and Ingresses. -* [1158](https://github.com/nginxinc/kubernetes-ingress/pull/1158) Support variables in action proxy headers. -* [1137](https://github.com/nginxinc/kubernetes-ingress/pull/1137) Add pod_owner label to metrics when -spire-agent-address is set. -* [1107](https://github.com/nginxinc/kubernetes-ingress/pull/1107) Extend Upstream Servers with pod_name label. -* [1099](https://github.com/nginxinc/kubernetes-ingress/pull/1099) Add reason label to total_reload metrics. -* [1088](https://github.com/nginxinc/kubernetes-ingress/pull/1088) Extend Upstream Servers and Server Zones metrics, thanks to [Raúl](https://github.com/Rulox). 
-* [1080](https://github.com/nginxinc/kubernetes-ingress/pull/1080) Support pathType field in the Ingress resource. -* [1078](https://github.com/nginxinc/kubernetes-ingress/pull/1078) Remove trailing blank lines in vs/vsr snippets. -* Documentation improvements: [1083](https://github.com/nginxinc/kubernetes-ingress/pull/1083), [1092](https://github.com/nginxinc/kubernetes-ingress/pull/1092), [1089](https://github.com/nginxinc/kubernetes-ingress/pull/1089), [1174](https://github.com/nginxinc/kubernetes-ingress/pull/1174), [1175](https://github.com/nginxinc/kubernetes-ingress/pull/1175), [1171](https://github.com/nginxinc/kubernetes-ingress/pull/1171). + +- [1178](https://github.com/nginxinc/kubernetes-ingress/pull/1178) Resolve host collisions in VirtualServer and + Ingresses. +- [1158](https://github.com/nginxinc/kubernetes-ingress/pull/1158) Support variables in action proxy headers. +- [1137](https://github.com/nginxinc/kubernetes-ingress/pull/1137) Add pod_owner label to metrics when + -spire-agent-address is set. +- [1107](https://github.com/nginxinc/kubernetes-ingress/pull/1107) Extend Upstream Servers with pod_name label. +- [1099](https://github.com/nginxinc/kubernetes-ingress/pull/1099) Add reason label to total_reload metrics. +- [1088](https://github.com/nginxinc/kubernetes-ingress/pull/1088) Extend Upstream Servers and Server Zones metrics, + thanks to [Raúl](https://github.com/Rulox). +- [1080](https://github.com/nginxinc/kubernetes-ingress/pull/1080) Support pathType field in the Ingress resource. +- [1078](https://github.com/nginxinc/kubernetes-ingress/pull/1078) Remove trailing blank lines in vs/vsr snippets. 
+- Documentation improvements: [1083](https://github.com/nginxinc/kubernetes-ingress/pull/1083),
+ [1092](https://github.com/nginxinc/kubernetes-ingress/pull/1092),
+ [1089](https://github.com/nginxinc/kubernetes-ingress/pull/1089),
+ [1174](https://github.com/nginxinc/kubernetes-ingress/pull/1174),
+ [1175](https://github.com/nginxinc/kubernetes-ingress/pull/1175),
+ [1171](https://github.com/nginxinc/kubernetes-ingress/pull/1171).
 BUGFIXES:
-* [1179](https://github.com/nginxinc/kubernetes-ingress/pull/1179) Fix TransportServers in debian AppProtect image.
-* [1129](https://github.com/nginxinc/kubernetes-ingress/pull/1129) Support real-ip in default server.
-* [1110](https://github.com/nginxinc/kubernetes-ingress/pull/1110) Add missing threat campaigns key to AppProtect CRD.
+
+- [1179](https://github.com/nginxinc/kubernetes-ingress/pull/1179) Fix TransportServers in debian AppProtect image.
+- [1129](https://github.com/nginxinc/kubernetes-ingress/pull/1129) Support real-ip in default server.
+- [1110](https://github.com/nginxinc/kubernetes-ingress/pull/1110) Add missing threat campaigns key to AppProtect CRD.
 HELM CHART:
-* The version of the helm chart is now 0.7.0
-* [1105](https://github.com/nginxinc/kubernetes-ingress/pull/1105) Fix GlobalConfiguration support in helm chart.
-* Add new parameters to the Chart: `controller.setAsDefaultIngress`, `controller.enableLatencyMetrics`. Added in [1133](https://github.com/nginxinc/kubernetes-ingress/pull/1133) and [1148](https://github.com/nginxinc/kubernetes-ingress/pull/1148).
+
+- The version of the helm chart is now 0.7.0
+- [1105](https://github.com/nginxinc/kubernetes-ingress/pull/1105) Fix GlobalConfiguration support in helm chart.
+- Add new parameters to the Chart: `controller.setAsDefaultIngress`, `controller.enableLatencyMetrics`. Added in
+ [1133](https://github.com/nginxinc/kubernetes-ingress/pull/1133) and
+ [1148](https://github.com/nginxinc/kubernetes-ingress/pull/1148).
 CHANGES:
-* [1182](https://github.com/nginxinc/kubernetes-ingress/pull/1182) Update NGINX version to 1.19.3.
+
+- [1182](https://github.com/nginxinc/kubernetes-ingress/pull/1182) Update NGINX version to 1.19.3.
 UPGRADE:
-* For NGINX, use the 1.9.0 image from our DockerHub: `nginx/nginx-ingress:1.9.0`, `nginx/nginx-ingress:1.9.0-alpine` or `nginx-ingress:1.9.0-ubi`
-* For NGINX Plus, please build your own image using the 1.9.0 source code.
-* For Helm, use version 0.7.0 of the chart.
-For Kubernetes >= 1.18, when upgrading using the [manifests](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/), make sure to update the [ClusterRole](deployments/rbac/rbac.yaml) and create the [IngressClass resource](deployments/common/ingress-class.yaml), which is required for Kubernetes >= 1.18. Otherwise, the Ingress Controller will fail to start. If you run multiple NGINX Ingress Controllers in the cluster, each Ingress Controller has to have its own IngressClass resource. Make sure your Ingress resources have the `ingressClassName` field or the `kubernetes.io/ingress.class` annotation set to the name of the IngressClass resource. Otherwise, the Ingress Controller will ignore them.
+- For NGINX, use the 1.9.0 image from our DockerHub: `nginx/nginx-ingress:1.9.0`, `nginx/nginx-ingress:1.9.0-alpine` or
+ `nginx-ingress:1.9.0-ubi`
+- For NGINX Plus, please build your own image using the 1.9.0 source code.
+- For Helm, use version 0.7.0 of the chart.
+
+For Kubernetes >= 1.18, when upgrading using the
+[manifests](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/), make sure to
+update the [ClusterRole](deployments/rbac/rbac.yaml) and create the [IngressClass
+resource](deployments/common/ingress-class.yaml), which is required for Kubernetes >= 1.18. Otherwise, the Ingress
+Controller will fail to start.
If you run multiple NGINX Ingress Controllers in the cluster, each Ingress Controller has +to have its own IngressClass resource. Make sure your Ingress resources have the `ingressClassName` field or the +`kubernetes.io/ingress.class` annotation set to the name of the IngressClass resource. Otherwise, the Ingress Controller +will ignore them. HELM UPGRADE: -* If you're using custom resources like VirtualServer and TransportServer (`controller.enableCustomResources` is set to `true`), after you run the `helm upgrade` command, the CRDs will not be upgraded. After running the `helm upgrade` command, run `kubectl apply -f deployments/helm-chart/crds` to upgrade the CRDs. -* For Kubernetes >= 1.18, a dedicated IngressClass resource, which is configured by `controller.ingressClass`, is required per helm release. Ensure `controller.ingressClass` is not set to the name of the IngressClass of other releases or Ingress Controllers. Make sure your Ingress resources have the `ingressClassName` field or the `kubernetes.io/ingress.class` annotation set to the value of `controller.ingressClass`. Otherwise, the Ingress Controller will ignore them. + +- If you're using custom resources like VirtualServer and TransportServer (`controller.enableCustomResources` is set to + `true`), after you run the `helm upgrade` command, the CRDs will not be upgraded. After running the `helm upgrade` + command, run `kubectl apply -f deployments/helm-chart/crds` to upgrade the CRDs. +- For Kubernetes >= 1.18, a dedicated IngressClass resource, which is configured by `controller.ingressClass`, is + required per helm release. Ensure `controller.ingressClass` is not set to the name of the IngressClass of other + releases or Ingress Controllers. Make sure your Ingress resources have the `ingressClassName` field or the + `kubernetes.io/ingress.class` annotation set to the value of `controller.ingressClass`. Otherwise, the Ingress + Controller will ignore them. 
 NOTES:
-* When using Kubernetes >= 1.18 the Ingress Controller will only process resources that belong to its class. See [IngressClass doc](https://docs.nginx.com/nginx-ingress-controller/installation/running-multiple-ingress-controllers/#ingress-class) to learn more.
-* For Kubernetes >= 1.18, a dedicated IngressClass resource, which is configured by `controller.ingressClass`, is required per helm release. When upgrading or installing releases, ensure `controller.ingressClass` is not set to the name of the IngressClass of other releases or Ingress Controllers.
-### 1.8.1
+- When using Kubernetes >= 1.18 the Ingress Controller will only process resources that belong to its class. See
+ [IngressClass
+ doc](https://docs.nginx.com/nginx-ingress-controller/installation/running-multiple-ingress-controllers/#ingress-class)
+ to learn more.
+- For Kubernetes >= 1.18, a dedicated IngressClass resource, which is configured by `controller.ingressClass`, is
+ required per helm release. When upgrading or installing releases, ensure `controller.ingressClass` is not set to the
+ name of the IngressClass of other releases or Ingress Controllers.
+
+## 1.8.1
 CHANGES:
-* Update NGINX version to 1.19.2.
+
+- Update NGINX version to 1.19.2.
 HELM CHART:
-* The version of the Helm chart is now 0.6.1.
+
+- The version of the Helm chart is now 0.6.1.
 UPGRADE:
-* For NGINX, use the 1.8.1 image from our DockerHub: `nginx/nginx-ingress:1.8.1`, `nginx/nginx-ingress:1.8.1-alpine` or `nginx/nginx-ingress:1.8.1-ubi`
-* For NGINX Plus, please build your own image using the 1.8.1 source code.
-* For Helm, use version 0.6.1 of the chart.
+- For NGINX, use the 1.8.1 image from our DockerHub: `nginx/nginx-ingress:1.8.1`, `nginx/nginx-ingress:1.8.1-alpine` or
+ `nginx/nginx-ingress:1.8.1-ubi`
+- For NGINX Plus, please build your own image using the 1.8.1 source code.
+- For Helm, use version 0.6.1 of the chart.
-### 1.8.0 +## 1.8.0 OVERVIEW: Release 1.8.0 includes: -* Support for NGINX App Protect Web Application Firewall. -* Support for configuration snippets and custom template for VirtualServer and VirtualServerRoute resources. -* Support for request/response header manipulation and request URI rewriting for VirtualServer/VirtualServerRoute. -* Introducing a new configuration resource - Policy - with the first policy for IP-based access control. + +- Support for NGINX App Protect Web Application Firewall. +- Support for configuration snippets and custom template for VirtualServer and VirtualServerRoute resources. +- Support for request/response header manipulation and request URI rewriting for VirtualServer/VirtualServerRoute. +- Introducing a new configuration resource - Policy - with the first policy for IP-based access control. You will find the complete changelog for release 1.8.0, including bug fixes, improvements, and changes below. FEATURES FOR VIRTUALSERVER AND VIRTUALSERVERROUTE RESOURCES: -* [1036](https://github.com/nginxinc/kubernetes-ingress/pull/1036): Add VirtualServer custom template support. -* [1028](https://github.com/nginxinc/kubernetes-ingress/pull/1028): Add access control policy. -* [1019](https://github.com/nginxinc/kubernetes-ingress/pull/1019): Add VirtualServer/VirtualServerRoute snippets support. -* [1006](https://github.com/nginxinc/kubernetes-ingress/pull/1006): Add request/response modifiers to VS and VSR. -* [994](https://github.com/nginxinc/kubernetes-ingress/pull/994): Support Class Field in VS/VSR. -* [973](https://github.com/nginxinc/kubernetes-ingress/pull/973): Add status to VirtualServer and VirtualServerRoute. + +- [1036](https://github.com/nginxinc/kubernetes-ingress/pull/1036): Add VirtualServer custom template support. +- [1028](https://github.com/nginxinc/kubernetes-ingress/pull/1028): Add access control policy. 
+- [1019](https://github.com/nginxinc/kubernetes-ingress/pull/1019): Add VirtualServer/VirtualServerRoute snippets + support. +- [1006](https://github.com/nginxinc/kubernetes-ingress/pull/1006): Add request/response modifiers to VS and VSR. +- [994](https://github.com/nginxinc/kubernetes-ingress/pull/994): Support Class Field in VS/VSR. +- [973](https://github.com/nginxinc/kubernetes-ingress/pull/973): Add status to VirtualServer and VirtualServerRoute. FEATURES: -* [1035](https://github.com/nginxinc/kubernetes-ingress/pull/1035): Support for App Protect module. -* [1029](https://github.com/nginxinc/kubernetes-ingress/pull/1029): Add readiness endpoint. + +- [1035](https://github.com/nginxinc/kubernetes-ingress/pull/1035): Support for App Protect module. +- [1029](https://github.com/nginxinc/kubernetes-ingress/pull/1029): Add readiness endpoint. IMPROVEMENTS: -* [995](https://github.com/nginxinc/kubernetes-ingress/pull/995): Emit event for orphaned VirtualServerRoutes. -* Documentation improvements: [946](https://github.com/nginxinc/kubernetes-ingress/pull/946) thanks to [谭九鼎](https://github.com/imba-tjd), [948](https://github.com/nginxinc/kubernetes-ingress/pull/948), [972](https://github.com/nginxinc/kubernetes-ingress/pull/972), [965](https://github.com/nginxinc/kubernetes-ingress/pull/965). + +- [995](https://github.com/nginxinc/kubernetes-ingress/pull/995): Emit event for orphaned VirtualServerRoutes. +- Documentation improvements: [946](https://github.com/nginxinc/kubernetes-ingress/pull/946) thanks to [谭九 + 鼎](https://github.com/imba-tjd), [948](https://github.com/nginxinc/kubernetes-ingress/pull/948), + [972](https://github.com/nginxinc/kubernetes-ingress/pull/972), + [965](https://github.com/nginxinc/kubernetes-ingress/pull/965). BUGFIXES: -* [1030](https://github.com/nginxinc/kubernetes-ingress/pull/1030): Fix port range validation in cli arguments. 
-* [953](https://github.com/nginxinc/kubernetes-ingress/pull/953): Fix error logging of master/minion ingresses. + +- [1030](https://github.com/nginxinc/kubernetes-ingress/pull/1030): Fix port range validation in cli arguments. +- [953](https://github.com/nginxinc/kubernetes-ingress/pull/953): Fix error logging of master/minion ingresses. HELM CHART: -* The version of the helm chart is now 0.6.0. -* Add new parameters to the Chart: `controller.appprotect.enable`, `controller.globalConfiguration.create`, `controller.globalConfiguration.spec`, `controller.readyStatus.enable`, `controller.readyStatus.port`, `controller.config.annotations`, `controller.reportIngressStatus.annotations`. Added in [1035](https://github.com/nginxinc/kubernetes-ingress/pull/1035), [1034](https://github.com/nginxinc/kubernetes-ingress/pull/1034), [1029](https://github.com/nginxinc/kubernetes-ingress/pull/1029), [1003](https://github.com/nginxinc/kubernetes-ingress/pull/1003) thanks to [RubyLangdon](https://github.com/RubyLangdon). -* [1047](https://github.com/nginxinc/kubernetes-ingress/pull/1047) and [1009](https://github.com/nginxinc/kubernetes-ingress/pull/1009): Change how Helm manages the custom resource definitions (CRDs) to support installing multiple Ingress Controller releases. **Note**: If you're using the custom resources (`controller.enableCustomResources` is set to `true`), this is a breaking change. See the HELM UPGRADE section below for the upgrade instructions. + +- The version of the helm chart is now 0.6.0. +- Add new parameters to the Chart: `controller.appprotect.enable`, `controller.globalConfiguration.create`, + `controller.globalConfiguration.spec`, `controller.readyStatus.enable`, `controller.readyStatus.port`, + `controller.config.annotations`, `controller.reportIngressStatus.annotations`. 
Added in + [1035](https://github.com/nginxinc/kubernetes-ingress/pull/1035), + [1034](https://github.com/nginxinc/kubernetes-ingress/pull/1034), + [1029](https://github.com/nginxinc/kubernetes-ingress/pull/1029), + [1003](https://github.com/nginxinc/kubernetes-ingress/pull/1003) thanks to + [RubyLangdon](https://github.com/RubyLangdon). +- [1047](https://github.com/nginxinc/kubernetes-ingress/pull/1047) and + [1009](https://github.com/nginxinc/kubernetes-ingress/pull/1009): Change how Helm manages the custom resource + definitions (CRDs) to support installing multiple Ingress Controller releases. **Note**: If you're using the custom + resources (`controller.enableCustomResources` is set to `true`), this is a breaking change. See the HELM UPGRADE + section below for the upgrade instructions. CHANGES: -* Update NGINX version to 1.19.1. -* Update NGINX Plus to R22. -* [1029](https://github.com/nginxinc/kubernetes-ingress/pull/1029): Add readiness endpoint. The Ingress Controller now exposes a readiness endpoint on port `8081` and the path `/nginx-ready`. The endpoint returns a `200` response after the Ingress Controller finishes the initial configuration of NGINX at the start. The pod template was updated to use that endpoint in a readiness probe. -* [980](https://github.com/nginxinc/kubernetes-ingress/pull/980): Enable leader election by default. + +- Update NGINX version to 1.19.1. +- Update NGINX Plus to R22. +- [1029](https://github.com/nginxinc/kubernetes-ingress/pull/1029): Add readiness endpoint. The Ingress Controller now + exposes a readiness endpoint on port `8081` and the path `/nginx-ready`. The endpoint returns a `200` response after + the Ingress Controller finishes the initial configuration of NGINX at the start. The pod template was updated to use + that endpoint in a readiness probe. +- [980](https://github.com/nginxinc/kubernetes-ingress/pull/980): Enable leader election by default. 
 UPGRADE:
-* For NGINX, use the 1.8.0 image from our DockerHub: `nginx/nginx-ingress:1.8.0`, `nginx/nginx-ingress:1.8.0-alpine` or `nginx-ingress:1.8.0-ubi`
-* For NGINX Plus, please build your own image using the 1.8.0 source code.
-* For Helm, use version 0.6.0 of the chart.
+
+- For NGINX, use the 1.8.0 image from our DockerHub: `nginx/nginx-ingress:1.8.0`, `nginx/nginx-ingress:1.8.0-alpine` or
+ `nginx-ingress:1.8.0-ubi`
+- For NGINX Plus, please build your own image using the 1.8.0 source code.
+- For Helm, use version 0.6.0 of the chart.
 HELM UPGRADE:
-If you're using custom resources like VirtualServer and TransportServer (`controller.enableCustomResources` is set to `true`), after you run the `helm upgrade` command, the CRDs and the corresponding custom resources will be removed from the cluster. Before upgrading, make sure to back up the custom resources. After running the `helm upgrade` command, run `kubectl apply -f deployments/helm-chart/crds` to re-install the CRDs and then restore the custom resources.
+If you're using custom resources like VirtualServer and TransportServer (`controller.enableCustomResources` is set to
+`true`), after you run the `helm upgrade` command, the CRDs and the corresponding custom resources will be removed from
+the cluster. Before upgrading, make sure to back up the custom resources. After running the `helm upgrade` command, run
+`kubectl apply -f deployments/helm-chart/crds` to re-install the CRDs and then restore the custom resources.
 NOTES:
-* As part of installing a release, Helm will install the CRDs unless that step is disabled (see the [corresponding doc](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-helm/)). The installed CRDs include the CRDs for all Ingress Controller features, including the ones disabled by default (like App Protect with `aplogconfs.appprotect.f5.com` and `appolicies.appprotect.f5.com` CRDs).
-### 1.7.2
+- As part of installing a release, Helm will install the CRDs unless that step is disabled (see the [corresponding
+ doc](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-helm/)). The installed CRDs
+ include the CRDs for all Ingress Controller features, including the ones disabled by default (like App Protect with
+ `aplogconfs.appprotect.f5.com` and `appolicies.appprotect.f5.com` CRDs).
+
+## 1.7.2
 CHANGES:
-* Update NGINX Plus version to R22.
+
+- Update NGINX Plus version to R22.
 HELM CHART:
-* The version of the Helm chart is now 0.5.2.
+
+- The version of the Helm chart is now 0.5.2.
 UPGRADE:
-* For NGINX, use the 1.7.2 image from our DockerHub: `nginx/nginx-ingress:1.7.2`, `nginx/nginx-ingress:1.7.2-alpine` or `nginx/nginx-ingress:1.7.2-ubi`
-* For NGINX Plus, please build your own image using the 1.7.2 source code.
-* For Helm, use version 0.5.2 of the chart.
-### 1.7.1
+- For NGINX, use the 1.7.2 image from our DockerHub: `nginx/nginx-ingress:1.7.2`, `nginx/nginx-ingress:1.7.2-alpine` or
+ `nginx/nginx-ingress:1.7.2-ubi`
+- For NGINX Plus, please build your own image using the 1.7.2 source code.
+- For Helm, use version 0.5.2 of the chart.
+
+## 1.7.1
 CHANGES:
-* Update NGINX version to 1.19.0.
+
+- Update NGINX version to 1.19.0.
 HELM CHART:
-* The version of the Helm chart is now 0.5.1.
+
+- The version of the Helm chart is now 0.5.1.
 UPGRADE:
-* For NGINX, use the 1.7.1 image from our DockerHub: `nginx/nginx-ingress:1.7.1`, `nginx/nginx-ingress:1.7.1-alpine` or `nginx/nginx-ingress:1.7.1-ubi`
-* For NGINX Plus, please build your own image using the 1.7.1 source code.
-* For Helm, use version 0.5.1 of the chart.
-### 1.7.0
+- For NGINX, use the 1.7.1 image from our DockerHub: `nginx/nginx-ingress:1.7.1`, `nginx/nginx-ingress:1.7.1-alpine` or
+ `nginx/nginx-ingress:1.7.1-ubi`
+- For NGINX Plus, please build your own image using the 1.7.1 source code.
+- For Helm, use version 0.5.1 of the chart.
+ +## 1.7.0 OVERVIEW: Release 1.7.0 includes: -* Support for TCP, UDP, and TLS Passthrough load balancing with the new configuration resources: TransportServer and GlobalConfiguration. The resources allow users to deliver complex, non-HTTP-based applications from Kubernetes using the NGINX Ingress Controller. -* Support for error pages in VirtualServer and VirtualServerRoute resources. A user can now specify custom error responses for errors returned by backend applications or generated by NGINX, such as a 502 response. -* Improved validation of VirtualServer and VirtualServerRoute resources. kubectl and the Kubernetes API server can now detect violations of the structure of VirtualServer/VirtualServerRoute resources and return an error. -* Support for an operator which manages the lifecycle of the Ingress Controller on Kubernetes or OpenShift. See the [NGINX Ingress Operator GitHub repo](https://github.com/nginxinc/nginx-ingress-operator). -See the [1.7.0 release announcement blog post](https://www.nginx.com/blog/announcing-nginx-ingress-controller-for-kubernetes-release-1-7-0/), which includes an overview of each feature. +- Support for TCP, UDP, and TLS Passthrough load balancing with the new configuration resources: TransportServer and + GlobalConfiguration. The resources allow users to deliver complex, non-HTTP-based applications from Kubernetes using + the NGINX Ingress Controller. +- Support for error pages in VirtualServer and VirtualServerRoute resources. A user can now specify custom error + responses for errors returned by backend applications or generated by NGINX, such as a 502 response. +- Improved validation of VirtualServer and VirtualServerRoute resources. kubectl and the Kubernetes API server can now + detect violations of the structure of VirtualServer/VirtualServerRoute resources and return an error. +- Support for an operator which manages the lifecycle of the Ingress Controller on Kubernetes or OpenShift. 
See the + [NGINX Ingress Operator GitHub repo](https://github.com/nginxinc/nginx-ingress-operator). + +See the [1.7.0 release announcement blog +post](https://www.nginx.com/blog/announcing-nginx-ingress-controller-for-kubernetes-release-1-7-0/), which includes an +overview of each feature. You will find the complete changelog for release 1.7.0, including bug fixes, improvements, and changes below. FEATURES FOR VIRTUALSERVER AND VIRTUALSERVERROUTE RESOURCES: -* [868](https://github.com/nginxinc/kubernetes-ingress/pull/868): Add OpenAPI CRD schema validation. -* [847](https://github.com/nginxinc/kubernetes-ingress/pull/847): Add support for error pages for VS/VSR. + +- [868](https://github.com/nginxinc/kubernetes-ingress/pull/868): Add OpenAPI CRD schema validation. +- [847](https://github.com/nginxinc/kubernetes-ingress/pull/847): Add support for error pages for VS/VSR. FEATURES: -* [902](https://github.com/nginxinc/kubernetes-ingress/pull/902): Add TransportServer and GlobalConfiguration Resources. -* [894](https://github.com/nginxinc/kubernetes-ingress/pull/894): Add Dockerfile for NGINX Open Source for Openshift. -* [857](https://github.com/nginxinc/kubernetes-ingress/pull/857): Add Openshift Dockerfile for NGINX Plus. -* [852](https://github.com/nginxinc/kubernetes-ingress/pull/852): Add default-server-access-log-off to configmap. -* [845](https://github.com/nginxinc/kubernetes-ingress/pull/845): Add log-format-escaping and stream-log-format-escaping configmap keys. Thanks to [Alexey Maslov](https://github.com/alxmsl). -* [827](https://github.com/nginxinc/kubernetes-ingress/pull/827): Add ingress class label to all Prometheus metrics. +- [902](https://github.com/nginxinc/kubernetes-ingress/pull/902): Add TransportServer and GlobalConfiguration Resources. +- [894](https://github.com/nginxinc/kubernetes-ingress/pull/894): Add Dockerfile for NGINX Open Source for Openshift. 
+- [857](https://github.com/nginxinc/kubernetes-ingress/pull/857): Add Openshift Dockerfile for NGINX Plus. +- [852](https://github.com/nginxinc/kubernetes-ingress/pull/852): Add default-server-access-log-off to configmap. +- [845](https://github.com/nginxinc/kubernetes-ingress/pull/845): Add log-format-escaping and stream-log-format-escaping + configmap keys. Thanks to [Alexey Maslov](https://github.com/alxmsl). +- [827](https://github.com/nginxinc/kubernetes-ingress/pull/827): Add ingress class label to all Prometheus metrics. IMPROVEMENTS: -* [850](https://github.com/nginxinc/kubernetes-ingress/pull/850): Extend redirect URI validation with protocol check in VS/VSR. -* [832](https://github.com/nginxinc/kubernetes-ingress/pull/832): Update the examples to run the `nginxdemos/nginx-hello:plain-text` image, that doesn't require root user. -* [825](https://github.com/nginxinc/kubernetes-ingress/pull/825): Add multi-stage docker builds. + +- [850](https://github.com/nginxinc/kubernetes-ingress/pull/850): Extend redirect URI validation with protocol check in + VS/VSR. +- [832](https://github.com/nginxinc/kubernetes-ingress/pull/832): Update the examples to run the + `nginxdemos/nginx-hello:plain-text` image, that doesn't require root user. +- [825](https://github.com/nginxinc/kubernetes-ingress/pull/825): Add multi-stage docker builds. BUGFIXES: -* [828](https://github.com/nginxinc/kubernetes-ingress/pull/828): Fix error messages for actions of the type return. + +- [828](https://github.com/nginxinc/kubernetes-ingress/pull/828): Fix error messages for actions of the type return. HELM CHART: -* The version of the helm chart is now 0.5.0. -* Add new parameters to the Chart: `controller.enableTLSPassthrough`, `controller.volumes`, `controller.volumeMounts`, `controller.priorityClassName`. 
Added in [921](https://github.com/nginxinc/kubernetes-ingress/pull/921), [878](https://github.com/nginxinc/kubernetes-ingress/pull/878), [807](https://github.com/nginxinc/kubernetes-ingress/pull/807) thanks to [Greg Snow](https://github.com/gsnegovskiy). + +- The version of the helm chart is now 0.5.0. +- Add new parameters to the Chart: `controller.enableTLSPassthrough`, `controller.volumes`, `controller.volumeMounts`, + `controller.priorityClassName`. Added in [921](https://github.com/nginxinc/kubernetes-ingress/pull/921), + [878](https://github.com/nginxinc/kubernetes-ingress/pull/878), + [807](https://github.com/nginxinc/kubernetes-ingress/pull/807) thanks to [Greg Snow](https://github.com/gsnegovskiy). CHANGES: -* Update NGINX version to 1.17.10. -* Update NGINX Plus to R21. -* [854](https://github.com/nginxinc/kubernetes-ingress/pull/854): Update the Debian base images for NGINX Plus to `debian:buster-slim`. -* [852](https://github.com/nginxinc/kubernetes-ingress/pull/852): Add default-server-access-log-off to configmap. The access logs for the default server are now enabled by default. -* [847](https://github.com/nginxinc/kubernetes-ingress/pull/847): Add support for error pages for VS/VSR. The PR affects how the Ingress Controller generates configuration for VirtualServer and VirtualServerRoutes. See [this comment](https://github.com/nginxinc/kubernetes-ingress/pull/847) for more details. -* [827](https://github.com/nginxinc/kubernetes-ingress/pull/827): Add ingress class label to all Prometheus metrics. Every Prometheus metric exposed by the Ingress Controller now includes the label `class` with the value of the Ingress Controller class (by default `nginx`), -* [825](https://github.com/nginxinc/kubernetes-ingress/pull/825): Add multi-stage docker builds. When building the Ingress Controller image in Docker, we now use a multi-stage docker build. + +- Update NGINX version to 1.17.10. +- Update NGINX Plus to R21. 
+- [854](https://github.com/nginxinc/kubernetes-ingress/pull/854): Update the Debian base images for NGINX Plus to + `debian:buster-slim`. +- [852](https://github.com/nginxinc/kubernetes-ingress/pull/852): Add default-server-access-log-off to configmap. The + access logs for the default server are now enabled by default. +- [847](https://github.com/nginxinc/kubernetes-ingress/pull/847): Add support for error pages for VS/VSR. The PR affects + how the Ingress Controller generates configuration for VirtualServer and VirtualServerRoutes. See [this + comment](https://github.com/nginxinc/kubernetes-ingress/pull/847) for more details. +- [827](https://github.com/nginxinc/kubernetes-ingress/pull/827): Add ingress class label to all Prometheus metrics. + Every Prometheus metric exposed by the Ingress Controller now includes the label `class` with the value of the Ingress + Controller class (by default `nginx`), +- [825](https://github.com/nginxinc/kubernetes-ingress/pull/825): Add multi-stage docker builds. When building the + Ingress Controller image in Docker, we now use a multi-stage docker build. UPGRADE: -* For NGINX, use the 1.7.0 image from our DockerHub: `nginx/nginx-ingress:1.7.0`, `nginx/nginx-ingress:1.7.0-alpine` or `nginx-ingress:1.7.0-ubi` -* For NGINX Plus, please build your own image using the 1.7.0 source code. -* For Helm, use version 0.5.0 of the chart. -When upgrading using the [manifests](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/), make sure to deploy the new TransportServer CRD (`common/ts-definition.yaml`), as it is required by the Ingress Controller. Otherwise, you will get error messages in the Ingress Controller logs. +- For NGINX, use the 1.7.0 image from our DockerHub: `nginx/nginx-ingress:1.7.0`, `nginx/nginx-ingress:1.7.0-alpine` or + `nginx-ingress:1.7.0-ubi` +- For NGINX Plus, please build your own image using the 1.7.0 source code. +- For Helm, use version 0.5.0 of the chart. 
+
+When upgrading using the
+[manifests](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/), make sure to
+deploy the new TransportServer CRD (`common/ts-definition.yaml`), as it is required by the Ingress Controller.
+Otherwise, you will get error messages in the Ingress Controller logs.
-### 1.6.3
+## 1.6.3
 CHANGES:
-* Update NGINX version to 1.17.9.
+
+- Update NGINX version to 1.17.9.
 HELM CHART:
-* The version of the Helm chart is now 0.4.3.
+
+- The version of the Helm chart is now 0.4.3.
 UPGRADE:
-* For NGINX, use the 1.6.3 image from our DockerHub: `nginx/nginx-ingress:1.6.3` or `nginx/nginx-ingress:1.6.3-alpine`
-* For NGINX Plus, please build your own image using the 1.6.3 source code.
-* For Helm, use version 0.4.3 of the chart.
-### 1.6.2
+- For NGINX, use the 1.6.3 image from our DockerHub: `nginx/nginx-ingress:1.6.3` or `nginx/nginx-ingress:1.6.3-alpine`
+- For NGINX Plus, please build your own image using the 1.6.3 source code.
+- For Helm, use version 0.4.3 of the chart.
+
+## 1.6.2
 CHANGES:
-* Update NGINX version to 1.17.8.
+
+- Update NGINX version to 1.17.8.
 HELM CHART:
-* The version of the Helm chart is now 0.4.2.
+
+- The version of the Helm chart is now 0.4.2.
 UPGRADE:
-* For NGINX, use the 1.6.2 image from our DockerHub: `nginx/nginx-ingress:1.6.2` or `nginx/nginx-ingress:1.6.2-alpine`
-* For NGINX Plus, please build your own image using the 1.6.2 source code.
-* For Helm, use version 0.4.2 of the chart.
-### 1.6.1
+- For NGINX, use the 1.6.2 image from our DockerHub: `nginx/nginx-ingress:1.6.2` or `nginx/nginx-ingress:1.6.2-alpine`
+- For NGINX Plus, please build your own image using the 1.6.2 source code.
+- For Helm, use version 0.4.2 of the chart.
+
+## 1.6.1
 CHANGES:
-* Update NGINX version to 1.17.7.
+
+- Update NGINX version to 1.17.7.
 HELM CHART:
-* The version of the Helm chart is now 0.4.1.
+
+- The version of the Helm chart is now 0.4.1.
UPGRADE: -* For NGINX, use the 1.6.1 image from our DockerHub: `nginx/nginx-ingress:1.6.1` or `nginx/nginx-ingress:1.6.1-alpine` -* For NGINX Plus, please build your own image using the 1.6.1 source code. -* For Helm, use version 0.4.1 of the chart. -### 1.6.0 +- For NGINX, use the 1.6.1 image from our DockerHub: `nginx/nginx-ingress:1.6.1` or `nginx/nginx-ingress:1.6.1-alpine` +- For NGINX Plus, please build your own image using the 1.6.1 source code. +- For Helm, use version 0.4.1 of the chart. + +## 1.6.0 OVERVIEW: Release 1.6.0 includes: -* Improvements to VirtualServer and VirtualServerRoute resources, adding support for richer load balancing behavior, more sophisticated request routing, redirects, direct responses, and blue-green and circuit breaker patterns. The VirtualServer and VirtualServerRoute resources are enabled by default and are ready for production use. -* Support for OpenTracing, helping you to monitor and debug complex transactions. -* An improved security posture, with support to run the Ingress Controller as a non-root user. -The release announcement blog post includes the overview for each feature. See https://www.nginx.com/blog/announcing-nginx-ingress-controller-for-kubernetes-release-1-6-0/ +- Improvements to VirtualServer and VirtualServerRoute resources, adding support for richer load balancing behavior, + more sophisticated request routing, redirects, direct responses, and blue-green and circuit breaker patterns. The + VirtualServer and VirtualServerRoute resources are enabled by default and are ready for production use. +- Support for OpenTracing, helping you to monitor and debug complex transactions. +- An improved security posture, with support to run the Ingress Controller as a non-root user. + +The release announcement blog post includes the overview for each feature. See + You will find the complete changelog for release 1.6.0, including bug fixes, improvements, and changes below. 
FEATURES FOR VIRTUALSERVER AND VIRTUALSERVERROUTE RESOURCES: -* [780](https://github.com/nginxinc/kubernetes-ingress/pull/780): Add support for canned responses to VS/VSR. -* [778](https://github.com/nginxinc/kubernetes-ingress/pull/778): Add redirect support in VS/VSR. -* [766](https://github.com/nginxinc/kubernetes-ingress/pull/766): Add exact matches and regex support to location paths in VS/VSR. -* [748](https://github.com/nginxinc/kubernetes-ingress/pull/748): Add TLS redirect support in Virtualserver. -* [745](https://github.com/nginxinc/kubernetes-ingress/pull/745): Improve routing rules in VS/VSR -* [728](https://github.com/nginxinc/kubernetes-ingress/pull/728): Add session persistence in VS/VSR. -* [724](https://github.com/nginxinc/kubernetes-ingress/pull/724): Add VS/VSR Prometheus metrics. -* [712](https://github.com/nginxinc/kubernetes-ingress/pull/712): Add service subselector support in vs/vsr. -* [707](https://github.com/nginxinc/kubernetes-ingress/pull/707): Emit warning events in VS/VSR. -* [701](https://github.com/nginxinc/kubernetes-ingress/pull/701): Add support queue in upstreams for plus in VS/VSR. -* [693](https://github.com/nginxinc/kubernetes-ingress/pull/693): Add ServerStatusZones support in vs/vsr. -* [670](https://github.com/nginxinc/kubernetes-ingress/pull/670): Add buffering support for vs/vsr. -* [660](https://github.com/nginxinc/kubernetes-ingress/pull/660): Add ClientBodyMaxSize support in vs/vsr. -* [659](https://github.com/nginxinc/kubernetes-ingress/pull/659): Support configuring upstream zone sizes in VS/VSR. -* [655](https://github.com/nginxinc/kubernetes-ingress/pull/655): Add slow-start support in vs/vsr. -* [653](https://github.com/nginxinc/kubernetes-ingress/pull/653): Add websockets support for vs/vsr upstreams. -* [641](https://github.com/nginxinc/kubernetes-ingress/pull/641): Add support for ExternalName Services for vs/vsr. 
-* [635](https://github.com/nginxinc/kubernetes-ingress/pull/635): Add HealthChecks support for vs/vsr. -* [634](https://github.com/nginxinc/kubernetes-ingress/pull/634): Add Active Connections support to vs/vsr. -* [628](https://github.com/nginxinc/kubernetes-ingress/pull/628): Add retries support for vs/vsr. -* [621](https://github.com/nginxinc/kubernetes-ingress/pull/621): Add TLS support for vs/vsr upstreams. -* [617](https://github.com/nginxinc/kubernetes-ingress/pull/617): Add keepalive support to vs/vsr. -* [612](https://github.com/nginxinc/kubernetes-ingress/pull/612): Add timeouts support to vs/vsr. -* [607](https://github.com/nginxinc/kubernetes-ingress/pull/607): Add fail-timeout and max-fails support to vs/vsr. -* [596](https://github.com/nginxinc/kubernetes-ingress/pull/596): Add lb-method support in vs and vsr. + +- [780](https://github.com/nginxinc/kubernetes-ingress/pull/780): Add support for canned responses to VS/VSR. +- [778](https://github.com/nginxinc/kubernetes-ingress/pull/778): Add redirect support in VS/VSR. +- [766](https://github.com/nginxinc/kubernetes-ingress/pull/766): Add exact matches and regex support to location paths + in VS/VSR. +- [748](https://github.com/nginxinc/kubernetes-ingress/pull/748): Add TLS redirect support in Virtualserver. +- [745](https://github.com/nginxinc/kubernetes-ingress/pull/745): Improve routing rules in VS/VSR +- [728](https://github.com/nginxinc/kubernetes-ingress/pull/728): Add session persistence in VS/VSR. +- [724](https://github.com/nginxinc/kubernetes-ingress/pull/724): Add VS/VSR Prometheus metrics. +- [712](https://github.com/nginxinc/kubernetes-ingress/pull/712): Add service subselector support in vs/vsr. +- [707](https://github.com/nginxinc/kubernetes-ingress/pull/707): Emit warning events in VS/VSR. +- [701](https://github.com/nginxinc/kubernetes-ingress/pull/701): Add support queue in upstreams for plus in VS/VSR. 
+- [693](https://github.com/nginxinc/kubernetes-ingress/pull/693): Add ServerStatusZones support in vs/vsr. +- [670](https://github.com/nginxinc/kubernetes-ingress/pull/670): Add buffering support for vs/vsr. +- [660](https://github.com/nginxinc/kubernetes-ingress/pull/660): Add ClientBodyMaxSize support in vs/vsr. +- [659](https://github.com/nginxinc/kubernetes-ingress/pull/659): Support configuring upstream zone sizes in VS/VSR. +- [655](https://github.com/nginxinc/kubernetes-ingress/pull/655): Add slow-start support in vs/vsr. +- [653](https://github.com/nginxinc/kubernetes-ingress/pull/653): Add websockets support for vs/vsr upstreams. +- [641](https://github.com/nginxinc/kubernetes-ingress/pull/641): Add support for ExternalName Services for vs/vsr. +- [635](https://github.com/nginxinc/kubernetes-ingress/pull/635): Add HealthChecks support for vs/vsr. +- [634](https://github.com/nginxinc/kubernetes-ingress/pull/634): Add Active Connections support to vs/vsr. +- [628](https://github.com/nginxinc/kubernetes-ingress/pull/628): Add retries support for vs/vsr. +- [621](https://github.com/nginxinc/kubernetes-ingress/pull/621): Add TLS support for vs/vsr upstreams. +- [617](https://github.com/nginxinc/kubernetes-ingress/pull/617): Add keepalive support to vs/vsr. +- [612](https://github.com/nginxinc/kubernetes-ingress/pull/612): Add timeouts support to vs/vsr. +- [607](https://github.com/nginxinc/kubernetes-ingress/pull/607): Add fail-timeout and max-fails support to vs/vsr. +- [596](https://github.com/nginxinc/kubernetes-ingress/pull/596): Add lb-method support in vs and vsr. FEATURES: -* [750](https://github.com/nginxinc/kubernetes-ingress/pull/750): Add support for health status uri customisation. -* [691](https://github.com/nginxinc/kubernetes-ingress/pull/691): Helper Functions for custom annotations. -* [631](https://github.com/nginxinc/kubernetes-ingress/pull/631): Add max_conns support for NGINX plus. 
-* [629](https://github.com/nginxinc/kubernetes-ingress/pull/629): Added upstream zone directive annotation. Thanks to [Victor Regalado](https://github.com/vrrs). -* [616](https://github.com/nginxinc/kubernetes-ingress/pull/616): Add proxy-send-timeout to configmap key and annotation. -* [615](https://github.com/nginxinc/kubernetes-ingress/pull/615): Add support for Opentracing. -* [614](https://github.com/nginxinc/kubernetes-ingress/pull/614): Add max-conns annotation. Thanks to [Victor Regalado](https://github.com/vrrs). +- [750](https://github.com/nginxinc/kubernetes-ingress/pull/750): Add support for health status uri customisation. +- [691](https://github.com/nginxinc/kubernetes-ingress/pull/691): Helper Functions for custom annotations. +- [631](https://github.com/nginxinc/kubernetes-ingress/pull/631): Add max_conns support for NGINX plus. +- [629](https://github.com/nginxinc/kubernetes-ingress/pull/629): Added upstream zone directive annotation. Thanks to + [Victor Regalado](https://github.com/vrrs). +- [616](https://github.com/nginxinc/kubernetes-ingress/pull/616): Add proxy-send-timeout to configmap key and + annotation. +- [615](https://github.com/nginxinc/kubernetes-ingress/pull/615): Add support for Opentracing. +- [614](https://github.com/nginxinc/kubernetes-ingress/pull/614): Add max-conns annotation. Thanks to [Victor + Regalado](https://github.com/vrrs). IMPROVEMENTS: -* [678](https://github.com/nginxinc/kubernetes-ingress/pull/678): Increase defaults for server-names-hash-max-size and servers-names-hash-bucket-size ConfigMap keys. -* [694](https://github.com/nginxinc/kubernetes-ingress/pull/694): Reject VS/VSR resources with enabled plus features for OSS. -* Documentation improvements: [713](https://github.com/nginxinc/kubernetes-ingress/pull/713) thanks to [Matthew Wahner](https://github.com/mattwahner). 
+ +- [678](https://github.com/nginxinc/kubernetes-ingress/pull/678): Increase defaults for server-names-hash-max-size and + servers-names-hash-bucket-size ConfigMap keys. +- [694](https://github.com/nginxinc/kubernetes-ingress/pull/694): Reject VS/VSR resources with enabled plus features for + OSS. +- Documentation improvements: [713](https://github.com/nginxinc/kubernetes-ingress/pull/713) thanks to [Matthew + Wahner](https://github.com/mattwahner). BUGFIXES: -* [788](https://github.com/nginxinc/kubernetes-ingress/pull/788): Fix VSR updates when namespace is set implicitly. -* [736](https://github.com/nginxinc/kubernetes-ingress/pull/736): Init Ingress labeled metrics on start. -* [686](https://github.com/nginxinc/kubernetes-ingress/pull/686): Check if config map created for leader-election. -* [664](https://github.com/nginxinc/kubernetes-ingress/pull/664): Fix reporting events for Ingress minions. -* [632](https://github.com/nginxinc/kubernetes-ingress/pull/632): Fix hsts support when not using SSL. Thanks to [Martín Fernández](https://github.com/bilby91). + +- [788](https://github.com/nginxinc/kubernetes-ingress/pull/788): Fix VSR updates when namespace is set implicitly. +- [736](https://github.com/nginxinc/kubernetes-ingress/pull/736): Init Ingress labeled metrics on start. +- [686](https://github.com/nginxinc/kubernetes-ingress/pull/686): Check if config map created for leader-election. +- [664](https://github.com/nginxinc/kubernetes-ingress/pull/664): Fix reporting events for Ingress minions. +- [632](https://github.com/nginxinc/kubernetes-ingress/pull/632): Fix hsts support when not using SSL. Thanks to [Martín + Fernández](https://github.com/bilby91). HELM CHART: -* The version of the helm chart is now 0.4.0. -* Add new parameters to the Chart: `controller.healthCheckURI`, `controller.resources`, `controller.logLevel`, `controller.customPorts`, `controller.service.customPorts`. 
Added in [750](https://github.com/nginxinc/kubernetes-ingress/pull/750), [636](https://github.com/nginxinc/kubernetes-ingress/pull/636) thanks to [Guilherme Oki](https://github.com/guilhermeoki), [600](https://github.com/nginxinc/kubernetes-ingress/pull/600), [581](https://github.com/nginxinc/kubernetes-ingress/pull/581) thanks to [Alex Meijer](https://github.com/ameijer-corsha). -* [722](https://github.com/nginxinc/kubernetes-ingress/pull/722): Fix trailing leader election cm when using helm. This change might lead to a failed upgrade. See the helm upgrade instruction below. -* [573](https://github.com/nginxinc/kubernetes-ingress/pull/573): Use Controller name value for app selectors. + +- The version of the helm chart is now 0.4.0. +- Add new parameters to the Chart: `controller.healthCheckURI`, `controller.resources`, `controller.logLevel`, + `controller.customPorts`, `controller.service.customPorts`. Added in + [750](https://github.com/nginxinc/kubernetes-ingress/pull/750), + [636](https://github.com/nginxinc/kubernetes-ingress/pull/636) thanks to [Guilherme + Oki](https://github.com/guilhermeoki), [600](https://github.com/nginxinc/kubernetes-ingress/pull/600), + [581](https://github.com/nginxinc/kubernetes-ingress/pull/581) thanks to [Alex + Meijer](https://github.com/ameijer-corsha). +- [722](https://github.com/nginxinc/kubernetes-ingress/pull/722): Fix trailing leader election cm when using helm. This + change might lead to a failed upgrade. See the helm upgrade instruction below. +- [573](https://github.com/nginxinc/kubernetes-ingress/pull/573): Use Controller name value for app selectors. CHANGES: -* Update NGINX versions to 1.17.6. -* Update NGINX Plus version to R20. -* [799](https://github.com/nginxinc/kubernetes-ingress/pull/779): Enable CRDs by default. VirtualServer and VirtualServerRoute resources are now enabled by default. -* [772](https://github.com/nginxinc/kubernetes-ingress/pull/772): Update VS/VSR version from v1alpha1 to v1. 
Make sure to update the `apiVersion` of your VirtualServer and VirtualServerRoute resources. -* [748](https://github.com/nginxinc/kubernetes-ingress/pull/748): Add TLS redirect support in VirtualServer. The `redirect-to-https` and `ssl-redirect` ConfigMap keys no longer have any effect on generated configs for VirtualServer resources. -* [745](https://github.com/nginxinc/kubernetes-ingress/pull/745): Improve routing rules. Update the spec of VirtualServer and VirtualServerRoute accordingly. See YAML examples of the changes [here](https://github.com/nginxinc/kubernetes-ingress/pull/745). -* [710](https://github.com/nginxinc/kubernetes-ingress/pull/710): Run IC as non-root. Make sure to use the updated manifests to install/upgrade the Ingress Controller. -* [603](https://github.com/nginxinc/kubernetes-ingress/pull/603): Update apiVersion in Deployments and DaemonSets to apps/v1. + +- Update NGINX versions to 1.17.6. +- Update NGINX Plus version to R20. +- [799](https://github.com/nginxinc/kubernetes-ingress/pull/779): Enable CRDs by default. VirtualServer and + VirtualServerRoute resources are now enabled by default. +- [772](https://github.com/nginxinc/kubernetes-ingress/pull/772): Update VS/VSR version from v1alpha1 to v1. Make sure + to update the `apiVersion` of your VirtualServer and VirtualServerRoute resources. +- [748](https://github.com/nginxinc/kubernetes-ingress/pull/748): Add TLS redirect support in VirtualServer. The + `redirect-to-https` and `ssl-redirect` ConfigMap keys no longer have any effect on generated configs for VirtualServer + resources. +- [745](https://github.com/nginxinc/kubernetes-ingress/pull/745): Improve routing rules. Update the spec of + VirtualServer and VirtualServerRoute accordingly. See YAML examples of the changes + [here](https://github.com/nginxinc/kubernetes-ingress/pull/745). +- [710](https://github.com/nginxinc/kubernetes-ingress/pull/710): Run IC as non-root. 
Make sure to use the updated + manifests to install/upgrade the Ingress Controller. +- [603](https://github.com/nginxinc/kubernetes-ingress/pull/603): Update apiVersion in Deployments and DaemonSets to + apps/v1. UPGRADE: -* For NGINX, use the 1.6.0 image from our DockerHub: `nginx/nginx-ingress:1.6.0` or `nginx/nginx-ingress:1.6.0-alpine` -* For NGINX Plus, please build your own image using the 1.6.0 source code. -* For Helm, use version 0.4.0 of the chart. + +- For NGINX, use the 1.6.0 image from our DockerHub: `nginx/nginx-ingress:1.6.0` or `nginx/nginx-ingress:1.6.0-alpine` +- For NGINX Plus, please build your own image using the 1.6.0 source code. +- For Helm, use version 0.4.0 of the chart. HELM UPGRADE: -If leader election (the `controller.reportIngressStatus.enableLeaderElection` parameter) is enabled, when upgrading to the new version of the Helm chart: -1. Make sure to specify a new ConfigMap lock name (`controller.reportIngressStatus.leaderElectionLockName`) different from the one that was created by the current version. To find out the current name, check ConfigMap resources in the namespace where the Ingress Controller is running. +If leader election (the `controller.reportIngressStatus.enableLeaderElection` parameter) is enabled, when upgrading to +the new version of the Helm chart: + +1. Make sure to specify a new ConfigMap lock name (`controller.reportIngressStatus.leaderElectionLockName`) different + from the one that was created by the current version. To find out the current name, check ConfigMap resources in the + namespace where the Ingress Controller is running. 1. After the upgrade, delete the old ConfigMap. Otherwise, the helm upgrade will not succeed. -### 1.5.8 +## 1.5.8 CHANGES: -* Update NGINX version to 1.17.6. -* Update deployment and daemonset manifests to apps/v1. + +- Update NGINX version to 1.17.6. +- Update deployment and daemonset manifests to apps/v1. HELM CHART: -* The version of the Helm chart is now 0.3.8. 
+ +- The version of the Helm chart is now 0.3.8. UPGRADE: -* For NGINX, use the 1.5.8 image from our DockerHub: `nginx/nginx-ingress:1.5.8` or `nginx/nginx-ingress:1.5.8-alpine` -* For NGINX Plus, please build your own image using the 1.5.8 source code. -* For Helm, use version 0.3.8 of the chart. -### 1.5.7 +- For NGINX, use the 1.5.8 image from our DockerHub: `nginx/nginx-ingress:1.5.8` or `nginx/nginx-ingress:1.5.8-alpine` +- For NGINX Plus, please build your own image using the 1.5.8 source code. +- For Helm, use version 0.3.8 of the chart. + +## 1.5.7 CHANGES: -* Update NGINX version to 1.17.5. + +- Update NGINX version to 1.17.5. HELM CHART: -* The version of the Helm chart is now 0.3.7. + +- The version of the Helm chart is now 0.3.7. UPGRADE: -* For NGINX, use the 1.5.7 image from our DockerHub: `nginx/nginx-ingress:1.5.7` or `nginx/nginx-ingress:1.5.7-alpine` -* For NGINX Plus, please build your own image using the 1.5.7 source code. -* For Helm, use version 0.3.7 of the chart. -### 1.5.6 +- For NGINX, use the 1.5.7 image from our DockerHub: `nginx/nginx-ingress:1.5.7` or `nginx/nginx-ingress:1.5.7-alpine` +- For NGINX Plus, please build your own image using the 1.5.7 source code. +- For Helm, use version 0.3.7 of the chart. + +## 1.5.6 CHANGES: -* Update NGINX version to 1.17.4. + +- Update NGINX version to 1.17.4. HELM CHART: -* The version of the Helm chart is now 0.3.6. + +- The version of the Helm chart is now 0.3.6. UPGRADE: -* For NGINX, use the 1.5.6 image from our DockerHub: `nginx/nginx-ingress:1.5.6` or `nginx/nginx-ingress:1.5.6-alpine` -* For NGINX Plus, please build your own image using the 1.5.6 source code. -* For Helm, use version 0.3.6 of the chart. -### 1.5.5 +- For NGINX, use the 1.5.6 image from our DockerHub: `nginx/nginx-ingress:1.5.6` or `nginx/nginx-ingress:1.5.6-alpine` +- For NGINX Plus, please build your own image using the 1.5.6 source code. +- For Helm, use version 0.3.6 of the chart. 
+ +## 1.5.5 CHANGES: -* Update NGINX Plus version to R19. + +- Update NGINX Plus version to R19. HELM CHART: -* The version of the Helm chart is now 0.3.5. + +- The version of the Helm chart is now 0.3.5. UPGRADE: -* For NGINX, use the 1.5.5 image from our DockerHub: `nginx/nginx-ingress:1.5.5` or `nginx/nginx-ingress:1.5.5-alpine` -* For NGINX Plus, please build your own image using the 1.5.5 source code. -* For Helm, use version 0.3.5 of the chart. -### 1.5.4 +- For NGINX, use the 1.5.5 image from our DockerHub: `nginx/nginx-ingress:1.5.5` or `nginx/nginx-ingress:1.5.5-alpine` +- For NGINX Plus, please build your own image using the 1.5.5 source code. +- For Helm, use version 0.3.5 of the chart. + +## 1.5.4 CHANGES: -* Update NGINX version to 1.17.3. + +- Update NGINX version to 1.17.3. HELM CHART: -* The version of the Helm chart is now 0.3.4. + +- The version of the Helm chart is now 0.3.4. UPGRADE: -* For NGINX, use the 1.5.4 image from our DockerHub: `nginx/nginx-ingress:1.5.4` or `nginx/nginx-ingress:1.5.4-alpine` -* For NGINX Plus, please build your own image using the 1.5.4 source code. -* For Helm, use version 0.3.4 of the chart. -### 1.5.3 +- For NGINX, use the 1.5.4 image from our DockerHub: `nginx/nginx-ingress:1.5.4` or `nginx/nginx-ingress:1.5.4-alpine` +- For NGINX Plus, please build your own image using the 1.5.4 source code. +- For Helm, use version 0.3.4 of the chart. + +## 1.5.3 CHANGES: -* Update NGINX Plus version to R18p1. + +- Update NGINX Plus version to R18p1. HELM CHART: -* The version of the Helm chart is now 0.3.3. + +- The version of the Helm chart is now 0.3.3. UPGRADE: -* For NGINX, use the 1.5.3 image from our DockerHub: `nginx/nginx-ingress:1.5.3` or `nginx/nginx-ingress:1.5.3-alpine` -* For NGINX Plus, please build your own image using the 1.5.3 source code. -* For Helm, use version 0.3.3 of the chart. 
-### 1.5.2 +- For NGINX, use the 1.5.3 image from our DockerHub: `nginx/nginx-ingress:1.5.3` or `nginx/nginx-ingress:1.5.3-alpine` +- For NGINX Plus, please build your own image using the 1.5.3 source code. +- For Helm, use version 0.3.3 of the chart. + +## 1.5.2 CHANGES: -* Update NGINX version to 1.17.2. + +- Update NGINX version to 1.17.2. HELM CHART: -* The version of the Helm chart is now 0.3.2. + +- The version of the Helm chart is now 0.3.2. UPGRADE: -* For NGINX, use the 1.5.2 image from our DockerHub: `nginx/nginx-ingress:1.5.2` or `nginx/nginx-ingress:1.5.2-alpine` -* For NGINX Plus, please build your own image using the 1.5.2 source code. -* For Helm, use version 0.3.2 of the chart. -### 1.5.1 +- For NGINX, use the 1.5.2 image from our DockerHub: `nginx/nginx-ingress:1.5.2` or `nginx/nginx-ingress:1.5.2-alpine` +- For NGINX Plus, please build your own image using the 1.5.2 source code. +- For Helm, use version 0.3.2 of the chart. + +## 1.5.1 CHANGES: -* Update NGINX version to 1.17.1. + +- Update NGINX version to 1.17.1. HELM CHART: -* The version of the Helm chart is now 0.3.1. -* [593](https://github.com/nginxinc/kubernetes-ingress/pull/593): Fix the selector in the Ingress Controller service when the `controller.name` parameter is set. This introduces a change, see the HELM UPGRADE section. + +- The version of the Helm chart is now 0.3.1. +- [593](https://github.com/nginxinc/kubernetes-ingress/pull/593): Fix the selector in the Ingress Controller service + when the `controller.name` parameter is set. This introduces a change, see the HELM UPGRADE section. UPGRADE: -* For NGINX, use the 1.5.1 image from our DockerHub: `nginx/nginx-ingress:1.5.1` or `nginx/nginx-ingress:1.5.1-alpine` -* For NGINX Plus, please build your own image using the 1.5.1 source code. -* For Helm, use version 0.3.1 of the chart. 
+ +- For NGINX, use the 1.5.1 image from our DockerHub: `nginx/nginx-ingress:1.5.1` or `nginx/nginx-ingress:1.5.1-alpine` +- For NGINX Plus, please build your own image using the 1.5.1 source code. +- For Helm, use version 0.3.1 of the chart. HELM UPGRADE: -In the changelog of Release 1.5.0, we advised not to upgrade the helm chart from `0.2.1` to `0.3.0` unless the mentioned in the changelog problems were acceptable. This release we provide mitigation instructions on how to upgrade from `0.2.1` to `0.3.1` without disruptions. +In the changelog of Release 1.5.0, we advised not to upgrade the helm chart from `0.2.1` to `0.3.0` unless the mentioned +in the changelog problems were acceptable. This release we provide mitigation instructions on how to upgrade from +`0.2.1` to `0.3.1` without disruptions. When you upgrade from `0.2.1` to `0.3.1`, make sure to configure the following parameters: -* `controller.name` is set to `nginx-ingress` or the previously used value in case you customized it. This ensures the Deployment/Daemonset will not be recreated. -* `controller.service.name` is set to `nginx-ingress`. This ensures the service will not be recreated. -* `controller.config.name` is set to `nginx-config`. This ensures the ConfigMap will not be recreated. -Upgrading from `0.3.0` to `0.3.1`: Upgrading is not affected unless you customized `controller.name`. In that case, because of the fix [593](https://github.com/nginxinc/kubernetes-ingress/pull/593), the upgraded service will have a new selector, and the upgraded pod spec will have a new label. As a result, during an upgrade, the old pods will be immediately excluded from the service. Also, for the Deployment, the old pods will not terminate but continue to run. To terminate the old pods, manually remove the corresponding ReplicaSet. +- `controller.name` is set to `nginx-ingress` or the previously used value in case you customized it. This ensures the + Deployment/Daemonset will not be recreated. 
+- `controller.service.name` is set to `nginx-ingress`. This ensures the service will not be recreated. +- `controller.config.name` is set to `nginx-config`. This ensures the ConfigMap will not be recreated. + +Upgrading from `0.3.0` to `0.3.1`: Upgrading is not affected unless you customized `controller.name`. In that case, +because of the fix [593](https://github.com/nginxinc/kubernetes-ingress/pull/593), the upgraded service will have a new +selector, and the upgraded pod spec will have a new label. As a result, during an upgrade, the old pods will be +immediately excluded from the service. Also, for the Deployment, the old pods will not terminate but continue to run. To +terminate the old pods, manually remove the corresponding ReplicaSet. -### 1.5.0 +## 1.5.0 FEATURES: -* [560](https://github.com/nginxinc/kubernetes-ingress/pull/560): Add new configuration resources -- VirtualServer and VirtualServerRoute. -* [554](https://github.com/nginxinc/kubernetes-ingress/pull/554): Add new Prometheus metrics related to the Ingress Controller's operation (as opposed to NGINX/NGINX Plus metrics). -* [496](https://github.com/nginxinc/kubernetes-ingress/pull/496): Support a wildcard TLS certificate for TLS-enabled Ingress resources. -* [485](https://github.com/nginxinc/kubernetes-ingress/pull/485): Support ExternalName services in Ingress backends. + +- [560](https://github.com/nginxinc/kubernetes-ingress/pull/560): Add new configuration resources -- VirtualServer and + VirtualServerRoute. +- [554](https://github.com/nginxinc/kubernetes-ingress/pull/554): Add new Prometheus metrics related to the Ingress + Controller's operation (as opposed to NGINX/NGINX Plus metrics). +- [496](https://github.com/nginxinc/kubernetes-ingress/pull/496): Support a wildcard TLS certificate for TLS-enabled + Ingress resources. +- [485](https://github.com/nginxinc/kubernetes-ingress/pull/485): Support ExternalName services in Ingress backends. 
IMPROVEMENTS: -* Add new ConfigMap keys: `keepalive-timeout`, `keepalive-requests`, `access-log-off`, `variables-hash-bucket-size`, `variables-hash-max-size`. Added in [565](https://github.com/nginxinc/kubernetes-ingress/pull/565), [511](https://github.com/nginxinc/kubernetes-ingress/pull/511). -* [504](https://github.com/nginxinc/kubernetes-ingress/pull/504): Run the Prometheus exporter inside the Ingress Controller process instead of a sidecar container. + +- Add new ConfigMap keys: `keepalive-timeout`, `keepalive-requests`, `access-log-off`, `variables-hash-bucket-size`, + `variables-hash-max-size`. Added in [565](https://github.com/nginxinc/kubernetes-ingress/pull/565), + [511](https://github.com/nginxinc/kubernetes-ingress/pull/511). +- [504](https://github.com/nginxinc/kubernetes-ingress/pull/504): Run the Prometheus exporter inside the Ingress + Controller process instead of a sidecar container. BUGFIXES: -* [520](https://github.com/nginxinc/kubernetes-ingress/pull/520): Fix the type of the Prometheus port annotation in manifests. -* [481](https://github.com/nginxinc/kubernetes-ingress/pull/481): Fix the HSTS support. -* [439](https://github.com/nginxinc/kubernetes-ingress/pull/439): Fix the validation of the `lb-method` ConfigMap key and `nginx.org/lb-method` annotation. + +- [520](https://github.com/nginxinc/kubernetes-ingress/pull/520): Fix the type of the Prometheus port annotation in + manifests. +- [481](https://github.com/nginxinc/kubernetes-ingress/pull/481): Fix the HSTS support. +- [439](https://github.com/nginxinc/kubernetes-ingress/pull/439): Fix the validation of the `lb-method` ConfigMap key + and `nginx.org/lb-method` annotation. HELM CHART: -* The version of the helm chart is now 0.3.0. -* The helm chart is now available in our helm chart repo `helm.nginx.com/stable`. 
-* Add new parameters to the Chart: `controller.service.httpPort.targetPort`, `controller.service.httpsPort.targetPort`, `controller.service.name`, `controller.pod.annotations`, `controller.config.name`, `controller.reportIngressStatus.leaderElectionLockName`, `controller.service.httpPort`, `controller.service.httpsPort`, `controller.service.loadBalancerIP`, `controller.service.loadBalancerSourceRanges`, `controller.tolerations`, `controller.affinity`. Added in [562](https://github.com/nginxinc/kubernetes-ingress/pull/562), [561](https://github.com/nginxinc/kubernetes-ingress/pull/561), [553](https://github.com/nginxinc/kubernetes-ingress/pull/553), [534](https://github.com/nginxinc/kubernetes-ingress/pull/534) thanks to [Paulo Ribeiro](https://github.com/paigr), [479](https://github.com/nginxinc/kubernetes-ingress/pull/479) thanks to [Alejandro Llanes](https://github.com/sombralibre), [468](https://github.com/nginxinc/kubernetes-ingress/pull/468), [456](https://github.com/nginxinc/kubernetes-ingress/pull/456). -* [546](https://github.com/nginxinc/kubernetes-ingress/pull/546): Support deploying multiple Ingress Controllers in a cluster. **Note**: The generated resources have new names that are unique for each Ingress Controller. As a consequence, the name change affects the upgrade. See the HELM UPGRADE section for more information. -* [542](https://github.com/nginxinc/kubernetes-ingress/pull/542): Reduce the required privileges in the RBAC manifests. + +- The version of the helm chart is now 0.3.0. +- The helm chart is now available in our helm chart repo `helm.nginx.com/stable`. 
+- Add new parameters to the Chart: `controller.service.httpPort.targetPort`, `controller.service.httpsPort.targetPort`, + `controller.service.name`, `controller.pod.annotations`, `controller.config.name`, + `controller.reportIngressStatus.leaderElectionLockName`, `controller.service.httpPort`, + `controller.service.httpsPort`, `controller.service.loadBalancerIP`, `controller.service.loadBalancerSourceRanges`, + `controller.tolerations`, `controller.affinity`. Added in + [562](https://github.com/nginxinc/kubernetes-ingress/pull/562), + [561](https://github.com/nginxinc/kubernetes-ingress/pull/561), + [553](https://github.com/nginxinc/kubernetes-ingress/pull/553), + [534](https://github.com/nginxinc/kubernetes-ingress/pull/534) thanks to [Paulo Ribeiro](https://github.com/paigr), + [479](https://github.com/nginxinc/kubernetes-ingress/pull/479) thanks to [Alejandro + Llanes](https://github.com/sombralibre), [468](https://github.com/nginxinc/kubernetes-ingress/pull/468), + [456](https://github.com/nginxinc/kubernetes-ingress/pull/456). +- [546](https://github.com/nginxinc/kubernetes-ingress/pull/546): Support deploying multiple Ingress Controllers in a + cluster. **Note**: The generated resources have new names that are unique for each Ingress Controller. As a + consequence, the name change affects the upgrade. See the HELM UPGRADE section for more information. +- [542](https://github.com/nginxinc/kubernetes-ingress/pull/542): Reduce the required privileges in the RBAC manifests. CHANGES: -* Update NGINX version to 1.15.12. -* Prometheus metrics for NGINX/NGINX Plus have new namespace `nginx_ingress`. Examples: `nginx_http_requests_total` -> `nginx_ingress_http_requests_total`, `nginxplus_http_requests_total` -> `nginx_ingress_nginxplus_http_requests_total`. + +- Update NGINX version to 1.15.12. +- Prometheus metrics for NGINX/NGINX Plus have new namespace `nginx_ingress`. 
Examples: `nginx_http_requests_total` -> + `nginx_ingress_http_requests_total`, `nginxplus_http_requests_total` -> `nginx_ingress_nginxplus_http_requests_total`. UPGRADE: -* For NGINX, use the 1.5.0 image from our DockerHub: `nginx/nginx-ingress:1.5.0` or `nginx/nginx-ingress:1.5.0-alpine` -* For NGINX Plus, please build your own image using the 1.5.0 source code. -* For Helm, use version 0.3.0 of the chart. + +- For NGINX, use the 1.5.0 image from our DockerHub: `nginx/nginx-ingress:1.5.0` or `nginx/nginx-ingress:1.5.0-alpine` +- For NGINX Plus, please build your own image using the 1.5.0 source code. +- For Helm, use version 0.3.0 of the chart. HELM UPGRADE: -The new version of the helm chart uses different names for the generated resources. This makes it possible to deploy multiple Ingress Controllers in a cluster. However, as a side effect, during the upgrade from the previous version, helm will recreate the resources, instead of updating the existing ones. This, in turn, might cause problems for the following resources: -* Service: If the service was created with the type LoadBalancer, the public IP of the new service might change. Additionally, helm updates the selector of the service, so that the old pods will be immediately excluded from the service. -* Deployment/DaemonSet: Because the resource is recreated, the old pods will be removed and the new ones will be launched, instead of the default Deployment/Daemonset upgrade strategy. -* ConfigMap: After the helm removes the resource, the old Ingress Controller pods will be immediately reconfigured to use the default values of the ConfigMap keys. During a small window between the reconfiguration and the shutdown of the old pods, NGINX will use the configuration with the default values. +The new version of the helm chart uses different names for the generated resources. This makes it possible to deploy +multiple Ingress Controllers in a cluster. 
However, as a side effect, during the upgrade from the previous version, helm +will recreate the resources, instead of updating the existing ones. This, in turn, might cause problems for the +following resources: + +- Service: If the service was created with the type LoadBalancer, the public IP of the new service might change. + Additionally, helm updates the selector of the service, so that the old pods will be immediately excluded from the + service. +- Deployment/DaemonSet: Because the resource is recreated, the old pods will be removed and the new ones will be + launched, instead of the default Deployment/Daemonset upgrade strategy. +- ConfigMap: After the helm removes the resource, the old Ingress Controller pods will be immediately reconfigured to + use the default values of the ConfigMap keys. During a small window between the reconfiguration and the shutdown of + the old pods, NGINX will use the configuration with the default values. -We advise not to upgrade to the new version of the helm chart unless the mentioned problems are acceptable for your case. We will provide special upgrade instructions for helm that mitigate the problems for the next minor release of the Ingress Controller (1.5.1). +We advise not to upgrade to the new version of the helm chart unless the mentioned problems are acceptable for your +case. We will provide special upgrade instructions for helm that mitigate the problems for the next minor release of the +Ingress Controller (1.5.1). -### 1.4.6 +## 1.4.6 CHANGES: -* Update NGINX version to 1.15.11. -* Update NGINX Plus version to R18. + +- Update NGINX version to 1.15.11. +- Update NGINX Plus version to R18. HELM CHART: -* The version of the Helm chart is now 0.2.1. + +- The version of the Helm chart is now 0.2.1. UPGRADE: -* For NGINX, use the 1.4.6 image from our DockerHub: `nginx/nginx-ingress:1.4.6` or `nginx/nginx-ingress:1.4.6-alpine` -* For NGINX Plus, please build your own image using the 1.4.6 source code. 
-* For Helm, use version 0.2.1 of the chart. -### 1.4.5 +- For NGINX, use the 1.4.6 image from our DockerHub: `nginx/nginx-ingress:1.4.6` or `nginx/nginx-ingress:1.4.6-alpine` +- For NGINX Plus, please build your own image using the 1.4.6 source code. +- For Helm, use version 0.2.1 of the chart. + +## 1.4.5 CHANGES: -* Update NGINX version to 1.15.10. + +- Update NGINX version to 1.15.10. UPGRADE: -* For NGINX, use the 1.4.5 image from our DockerHub: `nginx/nginx-ingress:1.4.5` or `nginx/nginx-ingress:1.4.5-alpine` -* For NGINX Plus, please build your own image using the 1.4.5 source code. -### 1.4.4 +- For NGINX, use the 1.4.5 image from our DockerHub: `nginx/nginx-ingress:1.4.5` or `nginx/nginx-ingress:1.4.5-alpine` +- For NGINX Plus, please build your own image using the 1.4.5 source code. + +## 1.4.4 CHANGES: -* Update NGINX version to 1.15.9. + +- Update NGINX version to 1.15.9. UPGRADE: -* For NGINX, use the 1.4.4 image from our DockerHub: `nginx/nginx-ingress:1.4.4` or `nginx/nginx-ingress:1.4.4-alpine` -* For NGINX Plus, please build your own image using the 1.4.4 source code. -### 1.4.3 +- For NGINX, use the 1.4.4 image from our DockerHub: `nginx/nginx-ingress:1.4.4` or `nginx/nginx-ingress:1.4.4-alpine` +- For NGINX Plus, please build your own image using the 1.4.4 source code. + +## 1.4.3 CHANGES: -* Update NGINX version to 1.15.8. + +- Update NGINX version to 1.15.8. UPGRADE: -* For NGINX, use the 1.4.3 image from our DockerHub: `nginx/nginx-ingress:1.4.3` or `nginx/nginx-ingress:1.4.3-alpine` -* For NGINX Plus, please build your own image using the 1.4.3 source code. -### 1.4.2 +- For NGINX, use the 1.4.3 image from our DockerHub: `nginx/nginx-ingress:1.4.3` or `nginx/nginx-ingress:1.4.3-alpine` +- For NGINX Plus, please build your own image using the 1.4.3 source code. + +## 1.4.2 CHANGES: -* Update NGINX Plus version to R17. + +- Update NGINX Plus version to R17. 
UPGRADE: -* For NGINX, use the 1.4.2 image from our DockerHub: `nginx/nginx-ingress:1.4.2` or `nginx/nginx-ingress:1.4.2-alpine` -* For NGINX Plus, please build your own image using the 1.4.2 source code. -### 1.4.1 +- For NGINX, use the 1.4.2 image from our DockerHub: `nginx/nginx-ingress:1.4.2` or `nginx/nginx-ingress:1.4.2-alpine` +- For NGINX Plus, please build your own image using the 1.4.2 source code. + +## 1.4.1 CHANGES: -* Update NGINX version to 1.15.7. + +- Update NGINX version to 1.15.7. UPGRADE: -* For NGINX, use the 1.4.1 image from our DockerHub: `nginx/nginx-ingress:1.4.1` or `nginx/nginx-ingress:1.4.1-alpine` -* For NGINX Plus, please build your own image using the 1.4.1 source code. -### 1.4.0 +- For NGINX, use the 1.4.1 image from our DockerHub: `nginx/nginx-ingress:1.4.1` or `nginx/nginx-ingress:1.4.1-alpine` +- For NGINX Plus, please build your own image using the 1.4.1 source code. + +## 1.4.0 FEATURES: -* [401](https://github.com/nginxinc/kubernetes-ingress/pull/401): Add the `-nginx-debug` flag for enabling debugging of NGINX using the `nginx-debug` binary. -* [387](https://github.com/nginxinc/kubernetes-ingress/pull/387): Add the `-nginx-status-allow-cidrs` command-line argument for white listing IPv4 IP/CIDR blocks to allow access to NGINX stub_status or the NGINX Plus API. Thanks to [Jasmine Hegman](https://github.com/r4j4h). -* [376](https://github.com/nginxinc/kubernetes-ingress/pull/376): Support the [random](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#random) load balancing method. -* [375](https://github.com/nginxinc/kubernetes-ingress/pull/375): Support custom annotations. -* [346](https://github.com/nginxinc/kubernetes-ingress/pull/346): Support the Prometheus exporter for NGINX (the stub_status metrics). -* [344](https://github.com/nginxinc/kubernetes-ingress/pull/344): Expose NGINX Plus API/NGINX stub_status on a custom port via the `-nginx-status-port` command-line argument. See also the CHANGES section. 
-* [342](https://github.com/nginxinc/kubernetes-ingress/pull/342): Add the `error-log-level` configmap key. Thanks to [boran seref](https://github.com/boranx). -* [320](https://github.com/nginxinc/kubernetes-ingress/pull/340): Support TCP/UDP load balancing via the `stream-snippets` configmap key. + +- [401](https://github.com/nginxinc/kubernetes-ingress/pull/401): Add the `-nginx-debug` flag for enabling debugging of + NGINX using the `nginx-debug` binary. +- [387](https://github.com/nginxinc/kubernetes-ingress/pull/387): Add the `-nginx-status-allow-cidrs` command-line + argument for white listing IPv4 IP/CIDR blocks to allow access to NGINX stub_status or the NGINX Plus API. Thanks to + [Jasmine Hegman](https://github.com/r4j4h). +- [376](https://github.com/nginxinc/kubernetes-ingress/pull/376): Support the + [random](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#random) load balancing method. +- [375](https://github.com/nginxinc/kubernetes-ingress/pull/375): Support custom annotations. +- [346](https://github.com/nginxinc/kubernetes-ingress/pull/346): Support the Prometheus exporter for NGINX (the + stub_status metrics). +- [344](https://github.com/nginxinc/kubernetes-ingress/pull/344): Expose NGINX Plus API/NGINX stub_status on a custom + port via the `-nginx-status-port` command-line argument. See also the CHANGES section. +- [342](https://github.com/nginxinc/kubernetes-ingress/pull/342): Add the `error-log-level` configmap key. Thanks to + [boran seref](https://github.com/boranx). +- [320](https://github.com/nginxinc/kubernetes-ingress/pull/340): Support TCP/UDP load balancing via the + `stream-snippets` configmap key. IMPROVEMENTS: -* [434](https://github.com/nginxinc/kubernetes-ingress/pull/434): Improve consistency of templates. -* [432](https://github.com/nginxinc/kubernetes-ingress/pull/432): Fix cli-docs and Improve main test. -* [419](https://github.com/nginxinc/kubernetes-ingress/pull/419): Refactor config writing. 
Thanks to [feifeiiiiiiiiii](https://github.com/feifeiiiiiiiiiii). -* [403](https://github.com/nginxinc/kubernetes-ingress/pull/403): Improve NGINX start. -* [400](https://github.com/nginxinc/kubernetes-ingress/pull/400): Fix error message in internal/controller/controller.go. Thanks to [Alex O Regan](https://github.com/aaaaaaaalex). -* [399](https://github.com/nginxinc/kubernetes-ingress/pull/399): Improve secret handling. See also the CHANGES section. -* [391](https://github.com/nginxinc/kubernetes-ingress/pull/391): Update default lb-method to be random two least_conn. See also the CHANGES section. -* [389](https://github.com/nginxinc/kubernetes-ingress/pull/389): Improve parsing nginx.org/rewrites annotation. -* [380](https://github.com/nginxinc/kubernetes-ingress/pull/380): Verify reloads & cache secrets. -* [362](https://github.com/nginxinc/kubernetes-ingress/pull/362): Reduce reloads. -* [357](https://github.com/nginxinc/kubernetes-ingress/pull/357): Improve Project Layout and Refactor Controller Package. See also the CHANGES section. -* [351](https://github.com/nginxinc/kubernetes-ingress/pull/351): Make socket address obvious. + +- [434](https://github.com/nginxinc/kubernetes-ingress/pull/434): Improve consistency of templates. +- [432](https://github.com/nginxinc/kubernetes-ingress/pull/432): Fix cli-docs and Improve main test. +- [419](https://github.com/nginxinc/kubernetes-ingress/pull/419): Refactor config writing. Thanks to + [feifeiiiiiiiiii](https://github.com/feifeiiiiiiiiiii). +- [403](https://github.com/nginxinc/kubernetes-ingress/pull/403): Improve NGINX start. +- [400](https://github.com/nginxinc/kubernetes-ingress/pull/400): Fix error message in + internal/controller/controller.go. Thanks to [Alex O Regan](https://github.com/aaaaaaaalex). +- [399](https://github.com/nginxinc/kubernetes-ingress/pull/399): Improve secret handling. See also the CHANGES section. 
+- [391](https://github.com/nginxinc/kubernetes-ingress/pull/391): Update default lb-method to be random two least_conn. + See also the CHANGES section. +- [389](https://github.com/nginxinc/kubernetes-ingress/pull/389): Improve parsing nginx.org/rewrites annotation. +- [380](https://github.com/nginxinc/kubernetes-ingress/pull/380): Verify reloads & cache secrets. +- [362](https://github.com/nginxinc/kubernetes-ingress/pull/362): Reduce reloads. +- [357](https://github.com/nginxinc/kubernetes-ingress/pull/357): Improve Project Layout and Refactor Controller + Package. See also the CHANGES section. +- [351](https://github.com/nginxinc/kubernetes-ingress/pull/351): Make socket address obvious. BUGFIXES: -* [429](https://github.com/nginxinc/kubernetes-ingress/pull/429): Fix panic with health checks. -* [386](https://github.com/nginxinc/kubernetes-ingress/pull/386): Fix Configmap/Mergeable Ingress Add/Update event logging. -* [379](https://github.com/nginxinc/kubernetes-ingress/pull/379): Fix configmap update. -* [365](https://github.com/nginxinc/kubernetes-ingress/pull/365): Don't enqueue ingress for some service changes. -* [348](https://github.com/nginxinc/kubernetes-ingress/pull/348): Fix Configurator error check. + +- [429](https://github.com/nginxinc/kubernetes-ingress/pull/429): Fix panic with health checks. +- [386](https://github.com/nginxinc/kubernetes-ingress/pull/386): Fix Configmap/Mergeable Ingress Add/Update event + logging. +- [379](https://github.com/nginxinc/kubernetes-ingress/pull/379): Fix configmap update. +- [365](https://github.com/nginxinc/kubernetes-ingress/pull/365): Don't enqueue ingress for some service changes. +- [348](https://github.com/nginxinc/kubernetes-ingress/pull/348): Fix Configurator error check. HELM CHART: -* [430](https://github.com/nginxinc/kubernetes-ingress/pull/430): Add the `controller.serviceAccount.imagePullSecrets` parameter to the helm chart. See also the CHANGES section. 
-* [420](https://github.com/nginxinc/kubernetes-ingress/pull/420): Simplify values files for Helm Chart. -* [398](https://github.com/nginxinc/kubernetes-ingress/pull/398): Add the `controller.nginxStatus.allowCidrs` and `controller.service.externalIPs` parameters to helm chart. -* [393](https://github.com/nginxinc/kubernetes-ingress/pull/393): Refactor Helm Chart templates. -* [390](https://github.com/nginxinc/kubernetes-ingress/pull/390): Add the `controller.service.loadBalancerIP` parameter to the helm chat. -* [377](https://github.com/nginxinc/kubernetes-ingress/pull/377): Add the `controller.nginxStatus` parameters to the helm chart. -* [335](https://github.com/nginxinc/kubernetes-ingress/pull/335): Add the `controller.reportIngressStatus` parameters to the helm chart. -* The version of the Helm chart is now 0.2.0. + +- [430](https://github.com/nginxinc/kubernetes-ingress/pull/430): Add the `controller.serviceAccount.imagePullSecrets` + parameter to the helm chart. See also the CHANGES section. +- [420](https://github.com/nginxinc/kubernetes-ingress/pull/420): Simplify values files for Helm Chart. +- [398](https://github.com/nginxinc/kubernetes-ingress/pull/398): Add the `controller.nginxStatus.allowCidrs` and + `controller.service.externalIPs` parameters to helm chart. +- [393](https://github.com/nginxinc/kubernetes-ingress/pull/393): Refactor Helm Chart templates. +- [390](https://github.com/nginxinc/kubernetes-ingress/pull/390): Add the `controller.service.loadBalancerIP` parameter + to the helm chat. +- [377](https://github.com/nginxinc/kubernetes-ingress/pull/377): Add the `controller.nginxStatus` parameters to the + helm chart. +- [335](https://github.com/nginxinc/kubernetes-ingress/pull/335): Add the `controller.reportIngressStatus` parameters to + the helm chart. +- The version of the Helm chart is now 0.2.0. CHANGES: -* Update NGINX version to 1.15.6. -* Update NGINX Plus version to R16p1. -* Update NGINX Prometheus Exporter to 0.2.0. 
-* [430](https://github.com/nginxinc/kubernetes-ingress/pull/430): Add the `controller.serviceAccount.imagePullSecrets` parameter to the helm chart. **Note**: the `controller.serviceAccountName` parameter has been changed to `controller.serviceAccount.name`. -* [399](https://github.com/nginxinc/kubernetes-ingress/pull/399): Improve secret handling. **Note**: the PR changed how the Ingress Controller processes Ingress resources with TLS termination enabled but without any referenced (or with invalid) secrets and Ingress resources with JWT validation enabled but without any referenced (or with invalid) JWK. Please read [here](https://github.com/nginxinc/kubernetes-ingress/pull/399) for more details. -* [357](https://github.com/nginxinc/kubernetes-ingress/pull/357): Improve Project Layout and Refactor Controller Package. **Note**: the PR significantly changed the layout of the project to follow best practices. -* [347](https://github.com/nginxinc/kubernetes-ingress/pull/347): Use edge version in manifests and Helm chart. **Note**: the manifests and the helm chart in the master branch now reference the edge version of the Ingress Controller instead of the latest stable version used previously. -* [391](https://github.com/nginxinc/kubernetes-ingress/pull/391): Update default lb-method to be random two least_conn. **Note**: the default load balancing method is now the power of two choices as it better suits the Ingress Controller use case. Please read the [blog post](https://www.nginx.com/blog/nginx-power-of-two-choices-load-balancing-algorithm/) about the method for more details. -* [344](https://github.com/nginxinc/kubernetes-ingress/pull/344): Expose NGINX Plus API/NGINX stub_status on a custom port via the `-nginx-status-port` command-line argument. **Note**: For NGINX the stub_status is now exposed on port 8080 at the /stub_status URL by default. Previously, the stub_status was not exposed on any port. The stub_status can be disabled via the `-nginx-status` flag. 
- -DOC AND EXAMPLES FIXES/IMPROVEMENTS: [435](https://github.com/nginxinc/kubernetes-ingress/pull/435), [433](https://github.com/nginxinc/kubernetes-ingress/pull/433), [432](https://github.com/nginxinc/kubernetes-ingress/pull/432), [418](https://github.com/nginxinc/kubernetes-ingress/pull/418) (Thanks to [Hal Deadman](https://github.com/hdeadman)), [406](https://github.com/nginxinc/kubernetes-ingress/pull/406), [381](https://github.com/nginxinc/kubernetes-ingress/pull/381), [349](https://github.com/nginxinc/kubernetes-ingress/pull/349) (Thanks to [Artur Geraschenko](https://github.com/arturgspb)), [343](https://github.com/nginxinc/kubernetes-ingress/pull/343) + +- Update NGINX version to 1.15.6. +- Update NGINX Plus version to R16p1. +- Update NGINX Prometheus Exporter to 0.2.0. +- [430](https://github.com/nginxinc/kubernetes-ingress/pull/430): Add the `controller.serviceAccount.imagePullSecrets` + parameter to the helm chart. **Note**: the `controller.serviceAccountName` parameter has been changed to + `controller.serviceAccount.name`. +- [399](https://github.com/nginxinc/kubernetes-ingress/pull/399): Improve secret handling. **Note**: the PR changed how + the Ingress Controller processes Ingress resources with TLS termination enabled but without any referenced (or with + invalid) secrets and Ingress resources with JWT validation enabled but without any referenced (or with invalid) JWK. + Please read [here](https://github.com/nginxinc/kubernetes-ingress/pull/399) for more details. +- [357](https://github.com/nginxinc/kubernetes-ingress/pull/357): Improve Project Layout and Refactor Controller + Package. **Note**: the PR significantly changed the layout of the project to follow best practices. +- [347](https://github.com/nginxinc/kubernetes-ingress/pull/347): Use edge version in manifests and Helm chart. 
+ **Note**: the manifests and the helm chart in the master branch now reference the edge version of the Ingress + Controller instead of the latest stable version used previously. +- [391](https://github.com/nginxinc/kubernetes-ingress/pull/391): Update default lb-method to be random two least_conn. + **Note**: the default load balancing method is now the power of two choices as it better suits the Ingress Controller + use case. Please read the [blog post](https://www.nginx.com/blog/nginx-power-of-two-choices-load-balancing-algorithm/) + about the method for more details. +- [344](https://github.com/nginxinc/kubernetes-ingress/pull/344): Expose NGINX Plus API/NGINX stub_status on a custom + port via the `-nginx-status-port` command-line argument. **Note**: For NGINX the stub_status is now exposed on port + 8080 at the /stub_status URL by default. Previously, the stub_status was not exposed on any port. The stub_status can + be disabled via the `-nginx-status` flag. + +DOC AND EXAMPLES FIXES/IMPROVEMENTS: [435](https://github.com/nginxinc/kubernetes-ingress/pull/435), +[433](https://github.com/nginxinc/kubernetes-ingress/pull/433), +[432](https://github.com/nginxinc/kubernetes-ingress/pull/432), +[418](https://github.com/nginxinc/kubernetes-ingress/pull/418) (Thanks to [Hal Deadman](https://github.com/hdeadman)), +[406](https://github.com/nginxinc/kubernetes-ingress/pull/406), +[381](https://github.com/nginxinc/kubernetes-ingress/pull/381), +[349](https://github.com/nginxinc/kubernetes-ingress/pull/349) (Thanks to [Artur +Geraschenko](https://github.com/arturgspb)), [343](https://github.com/nginxinc/kubernetes-ingress/pull/343) UPGRADE: -* For NGINX, use the 1.4.0 image from our DockerHub: `nginx/nginx-ingress:1.4.0` or `nginx/nginx-ingress:1.4.0-alpine` -* For NGINX Plus, please build your own image using the 1.4.0 source code. 
-### 1.3.2 +- For NGINX, use the 1.4.0 image from our DockerHub: `nginx/nginx-ingress:1.4.0` or `nginx/nginx-ingress:1.4.0-alpine` +- For NGINX Plus, please build your own image using the 1.4.0 source code. + +## 1.3.2 CHANGES: -* Update NGINX version to 1.15.6. + +- Update NGINX version to 1.15.6. UPGRADE: -* For NGINX, use the 1.3.2 image from our DockerHub: `nginx/nginx-ingress:1.3.2` or `nginx/nginx-ingress:1.3.2-alpine` -* For NGINX Plus, please build your own image using the 1.3.2 source code. -### 1.3.1 +- For NGINX, use the 1.3.2 image from our DockerHub: `nginx/nginx-ingress:1.3.2` or `nginx/nginx-ingress:1.3.2-alpine` +- For NGINX Plus, please build your own image using the 1.3.2 source code. + +## 1.3.1 CHANGES: -* Update NGINX Plus version to R15p2. + +- Update NGINX Plus version to R15p2. UPGRADE: -* For NGINX, use the 1.3.1 image from our DockerHub: `nginx/nginx-ingress:1.3.1` or `nginx/nginx-ingress:1.3.1-alpine` -* For NGINX Plus, please build your own image using the 1.3.1 source code. -### 1.3.0 +- For NGINX, use the 1.3.1 image from our DockerHub: `nginx/nginx-ingress:1.3.1` or `nginx/nginx-ingress:1.3.1-alpine` +- For NGINX Plus, please build your own image using the 1.3.1 source code. + +## 1.3.0 IMPROVEMENTS: -* [325](https://github.com/nginxinc/kubernetes-ingress/pull/325): Report ingress status. -* [311](https://github.com/nginxinc/kubernetes-ingress/pull/311): Support JWT auth in mergeable minions. -* [310](https://github.com/nginxinc/kubernetes-ingress/pull/310): NGINX configuration template custom path support. -* [308](https://github.com/nginxinc/kubernetes-ingress/pull/308): Add prometheus exporter support to helm chart. -* [303](https://github.com/nginxinc/kubernetes-ingress/pull/303): Add fetch custom NGINX template from ConfigMap. -* [301](https://github.com/nginxinc/kubernetes-ingress/pull/301): Update prometheus exporter image for Plus. 
-* [298](https://github.com/nginxinc/kubernetes-ingress/pull/298): Prefetch ConfigMap before initial NGINX Config generation. -* [296](https://github.com/nginxinc/kubernetes-ingress/pull/296): Improve Helm Chart. -* [295](https://github.com/nginxinc/kubernetes-ingress/pull/295): Report version information. -* [294](https://github.com/nginxinc/kubernetes-ingress/pull/294): Support dynamic reconfiguration in mergeable ingresses for Plus. -* [287](https://github.com/nginxinc/kubernetes-ingress/pull/287): Support slow-start for Plus. -* [286](https://github.com/nginxinc/kubernetes-ingress/pull/286): Add support for active health checks for Plus. + +- [325](https://github.com/nginxinc/kubernetes-ingress/pull/325): Report ingress status. +- [311](https://github.com/nginxinc/kubernetes-ingress/pull/311): Support JWT auth in mergeable minions. +- [310](https://github.com/nginxinc/kubernetes-ingress/pull/310): NGINX configuration template custom path support. +- [308](https://github.com/nginxinc/kubernetes-ingress/pull/308): Add prometheus exporter support to helm chart. +- [303](https://github.com/nginxinc/kubernetes-ingress/pull/303): Add fetch custom NGINX template from ConfigMap. +- [301](https://github.com/nginxinc/kubernetes-ingress/pull/301): Update prometheus exporter image for Plus. +- [298](https://github.com/nginxinc/kubernetes-ingress/pull/298): Prefetch ConfigMap before initial NGINX Config + generation. +- [296](https://github.com/nginxinc/kubernetes-ingress/pull/296): Improve Helm Chart. +- [295](https://github.com/nginxinc/kubernetes-ingress/pull/295): Report version information. +- [294](https://github.com/nginxinc/kubernetes-ingress/pull/294): Support dynamic reconfiguration in mergeable ingresses + for Plus. +- [287](https://github.com/nginxinc/kubernetes-ingress/pull/287): Support slow-start for Plus. +- [286](https://github.com/nginxinc/kubernetes-ingress/pull/286): Add support for active health checks for Plus. 
CHANGES: -* [330](https://github.com/nginxinc/kubernetes-ingress/pull/330): Update NGINX version to 1.15.2. -* [329](https://github.com/nginxinc/kubernetes-ingress/pull/329): Enforce annotations inheritance in minions. + +- [330](https://github.com/nginxinc/kubernetes-ingress/pull/330): Update NGINX version to 1.15.2. +- [329](https://github.com/nginxinc/kubernetes-ingress/pull/329): Enforce annotations inheritance in minions. BUGFIXES: -* [326](https://github.com/nginxinc/kubernetes-ingress/pull/326): Fix find ingress for secret ns bug. -* [284](https://github.com/nginxinc/kubernetes-ingress/pull/284): Correct Logs for Mergeable Types with Duplicate Location. Thanks to [Fernando Diaz](https://github.com/diazjf). +- [326](https://github.com/nginxinc/kubernetes-ingress/pull/326): Fix find ingress for secret ns bug. +- [284](https://github.com/nginxinc/kubernetes-ingress/pull/284): Correct Logs for Mergeable Types with Duplicate + Location. Thanks to [Fernando Diaz](https://github.com/diazjf). UPGRADE: -* For NGINX, use the 1.3.0 image from our DockerHub: `nginx/nginx-ingress:1.3.0` -* For NGINX Plus, please build your own image using the 1.3.0 source code. - -### 1.2.0 - -* [279](https://github.com/nginxinc/kubernetes-ingress/pull/279): Update dependencies. -* [278](https://github.com/nginxinc/kubernetes-ingress/pull/278): Fix mergeable Ingress types. -* [277](https://github.com/nginxinc/kubernetes-ingress/pull/277): Support grpc error responses. -* [276](https://github.com/nginxinc/kubernetes-ingress/pull/276): Add gRPC support. -* [274](https://github.com/nginxinc/kubernetes-ingress/pull/274): Change the default load balancing method to least_conn. -* [272](https://github.com/nginxinc/kubernetes-ingress/pull/272): Move nginx-ingress image to the official nginx DockerHub. -* [268](https://github.com/nginxinc/kubernetes-ingress/pull/268): Correct Mergeable Types misspelling and optimize blacklists. Thanks to [Fernando Diaz](https://github.com/diazjf). 
-* [266](https://github.com/nginxinc/kubernetes-ingress/pull/266): Add support for passive health checks.
-* [261](https://github.com/nginxinc/kubernetes-ingress/pull/261): Update Customization Example.
-* [258](https://github.com/nginxinc/kubernetes-ingress/pull/258): Handle annotations and conflicting paths for MergeableTypes. Thanks to [Fernando Diaz](https://github.com/diazjf).
-* [256](https://github.com/nginxinc/kubernetes-ingress/pull/256): Add helm chart support.
-* [249](https://github.com/nginxinc/kubernetes-ingress/pull/249): Add support for prometheus for Plus.
-* [241](https://github.com/nginxinc/kubernetes-ingress/pull/241): Update the doc about building the Docker image.
-* [240](https://github.com/nginxinc/kubernetes-ingress/pull/240): Use new NGINX Plus API.
-* [239](https://github.com/nginxinc/kubernetes-ingress/pull/239): Fix a typo in a variable name. Thanks to [Tony Li](https://github.com/mysterytony).
-* [238](https://github.com/nginxinc/kubernetes-ingress/pull/238): Remove apt-get upgrade from Plus Dockerfile.
-* [237](https://github.com/nginxinc/kubernetes-ingress/pull/237): Add unit test for ingress-class handling.
-* [236](https://github.com/nginxinc/kubernetes-ingress/pull/236): Always respect `-ingress-class` option. Thanks to [Nick Novitski](https://github.com/nicknovitski).
-* [235](https://github.com/nginxinc/kubernetes-ingress/pull/235): Change the base image to Debian Stretch for Plus controller.
-* [234](https://github.com/nginxinc/kubernetes-ingress/pull/234): Update installation manifests and instructions.
-* [233](https://github.com/nginxinc/kubernetes-ingress/pull/233): Add docker build options to Makefile.
-* [231](https://github.com/nginxinc/kubernetes-ingress/pull/231): Prevent a possible failure of building Plus image.
-* Documentation Fixes: [248](https://github.com/nginxinc/kubernetes-ingress/pull/248), thanks to [zariye](https://github.com/zariye). [252](https://github.com/nginxinc/kubernetes-ingress/pull/252).
[270](https://github.com/nginxinc/kubernetes-ingress/pull/270).
-* Update NGINX version to 1.13.12.
-* Update NGINX Plus version to R15 P1.
-
-
-### 1.1.1
-
-* [228](https://github.com/nginxinc/kubernetes-ingress/pull/228): Add worker-rlimit-nofile configmap key. Thanks to [Aleksandr Lysenko](https://github.com/Sarga).
-* [223](https://github.com/nginxinc/kubernetes-ingress/pull/223): Add worker-connections configmap key. Thanks to [Aleksandr Lysenko](https://github.com/Sarga).
-* Update NGINX version to 1.13.8.
-
-### 1.1.0
-
-* [221](https://github.com/nginxinc/kubernetes-ingress/pull/221): Add git commit info to the IC log.
-* [220](https://github.com/nginxinc/kubernetes-ingress/pull/220): Update dependencies.
-* [213](https://github.com/nginxinc/kubernetes-ingress/pull/213): Add main snippets to allow Main context customization. Thanks to [Dewen Kong](https://github.com/kongdewen).
-* [211](https://github.com/nginxinc/kubernetes-ingress/pull/211): Minimize the number of configuration reloads when the Ingress Controller starts; fix a problem with endpoints updates for Plus.
-* [208](https://github.com/nginxinc/kubernetes-ingress/pull/208): Add worker-shutdown-timeout configmap key. Thanks to [Aleksandr Lysenko](https://github.com/Sarga).
-* [199](https://github.com/nginxinc/kubernetes-ingress/pull/199): Add support for Kubernetes ssl-redirect annotation. Thanks to [Luke Seelenbinder](https://github.com/lseelenbinder).
-* [194](https://github.com/nginxinc/kubernetes-ingress/pull/194) Add keepalive configmap key and annotation.
-* [193](https://github.com/nginxinc/kubernetes-ingress/pull/193): Add worker-cpu-affinity configmap key.
-* [192](https://github.com/nginxinc/kubernetes-ingress/pull/192): Add worker-processes configmap key.
-* [186](https://github.com/nginxinc/kubernetes-ingress/pull/186): Fix hardcoded controller class. Thanks to [Serhii M](https://github.com/SiriusRed).
-* [184](https://github.com/nginxinc/kubernetes-ingress/pull/184): Return a meaningful error when there is no cert and key for the default server.
-* Update NGINX version to 1.13.7.
-* Makefile updates: golang container was updated to 1.9.
-
-### 1.0.0
-
-* [175](https://github.com/nginxinc/kubernetes-ingress/pull/175): Add support for JWT for NGINX Plus.
-* [171](https://github.com/nginxinc/kubernetes-ingress/pull/171): Allow NGINX to listen on non-standard ports. Thanks to [Stanislav Seletskiy](https://github.com/seletskiy).
-* [170](https://github.com/nginxinc/kubernetes-ingress/pull/170): Add the default server. **Note**: The Ingress Controller will fail to start if there are no cert and key for the default server. You can pass a TLS Secret for the default server as an argument to the Ingress Controller or add a cert and a key to the Docker image.
-* [169](https://github.com/nginxinc/kubernetes-ingress/pull/169): Ignore Ingress resources with empty hostnames.
-* [168](https://github.com/nginxinc/kubernetes-ingress/pull/168): Add the `nginx.org/lb-method` annotation. Thanks to [Sajal Kayan](https://github.com/sajal).
-* [166](https://github.com/nginxinc/kubernetes-ingress/pull/166): Watch Secret resources for updates. **Note**: If a Secret referenced by one or more Ingress resources becomes invalid or gets removed, the configuration for those Ingress resources will be disabled until there is a valid Secret.
-* [160](https://github.com/nginxinc/kubernetes-ingress/pull/160): Add support for events. See the details [here](https://github.com/nginxinc/kubernetes-ingress/pull/160).
-* [157](https://github.com/nginxinc/kubernetes-ingress/pull/157): Add graceful termination - when the Ingress Controller receives `SIGTERM`, it shutdowns itself as well as NGINX, using `nginx -s quit`.
-
-### 0.9.0
-
-* [156](https://github.com/nginxinc/kubernetes-ingress/pull/156): Write a pem file with an SSL certificate and key atomically.
-* [155](https://github.com/nginxinc/kubernetes-ingress/pull/155): Remove http2 annotation (http/2 can be enabled globally in the ConfigMap).
-* [154](https://github.com/nginxinc/kubernetes-ingress/pull/154): Merge NGINX and NGINX Plus Ingress Controller implementations.
-* [151](https://github.com/nginxinc/kubernetes-ingress/pull/151): Use k8s.io/client-go.
-* [146](https://github.com/nginxinc/kubernetes-ingress/pull/146): Fix health status.
-* [141](https://github.com/nginxinc/kubernetes-ingress/pull/141): Set `worker_processes` to `auto` in NGINX configuration. Thanks to [Andreas Krüger](https://github.com/woopstar).
-* [140](https://github.com/nginxinc/kubernetes-ingress/pull/140): Fix an error message. Thanks to [Andreas Krüger](https://github.com/woopstar).
-* Update NGINX to version 1.13.3.
-
-### 0.8.1
-
-* Update NGINX version to 1.13.0.
-
-### 0.8.0
-
-* [117](https://github.com/nginxinc/kubernetes-ingress/pull/117): Add a customization option: location-snippets, server-snippets and http-snippets. Thanks to [rchicoli](https://github.com/rchicoli).
-* [116](https://github.com/nginxinc/kubernetes-ingress/pull/116): Add support for the 301 redirect to https based on the `http_x_forwarded_proto` header. Thanks to [Chris](https://github.com/cwhenderson20).
-* Update NGINX version to 1.11.13.
-* Makefile updates: gcloud docker push command; golang container was updated to 1.8.
-* Documentation fixes: [113](https://github.com/nginxinc/kubernetes-ingress/pull/113). Thanks to [Linus Lewandowski](https://github.com/LEW21).
-
-### 0.7.0
-
-* [108](https://github.com/nginxinc/kubernetes-ingress/pull/108): Support for the `server_tokens` directive via the annotation and in the configmap. Thanks to [David Radcliffe](https://github.com/dwradcliffe).
-* [103](https://github.com/nginxinc/kubernetes-ingress/pull/103): Improve error reporting when NGINX fails to start.
-* [100](https://github.com/nginxinc/kubernetes-ingress/pull/100): Add the health check location.
Thanks to [Julian](https://github.com/jmastr). -* [95](https://github.com/nginxinc/kubernetes-ingress/pull/95): Fix the runtime.TypeAssertionError issue, which sometimes occurred when deleting resources. Thanks to [Tang Le](https://github.com/tangle329). -* [93](https://github.com/nginxinc/kubernetes-ingress/pull/93): Fix overwriting of Secrets with the same name from different namespaces. -* [92](https://github.com/nginxinc/kubernetes-ingress/pull/92/files): Add overwriting of the HSTS header. Previously, when HSTS was enabled, if a backend issued the HSTS header, the controller would add the second HSTS header. Now the controller overwrites the HSTS header, if a backend also issues it. -* [91](https://github.com/nginxinc/kubernetes-ingress/pull/91): -Fix the issue with single service Ingress resources without any Ingress rules: the controller didn't pick up any updates of the endpoints of the service of such an Ingress resource. Thanks to [Tang Le](https://github.com/tangle329). -* [88](https://github.com/nginxinc/kubernetes-ingress/pull/88): Support for the `proxy_hide_header` and the `proxy_pass_header` directives via annotations and in the configmap. Thanks to [Nico Schieder](https://github.com/thetechnick). -* [85](https://github.com/nginxinc/kubernetes-ingress/pull/85): Add the configmap settings to support perfect forward secrecy. Thanks to [Nico Schieder](https://github.com/thetechnick). -* [84](https://github.com/nginxinc/kubernetes-ingress/pull/84): Secret retry: If a certificate Secret referenced in an Ingress object is not found, -the Ingress Controller will reject the Ingress object. but retries every 5s. Thanks to [Nico Schieder](https://github.com/thetechnick). -* [81](https://github.com/nginxinc/kubernetes-ingress/pull/81): Add configmap options to turn on the PROXY protocol. Thanks to [Nico Schieder](https://github.com/thetechnick). -* Update NGINX version to 1.11.8. 
-* Documentation fixes: [104](https://github.com/nginxinc/kubernetes-ingress/pull/104/files) and [97](https://github.com/nginxinc/kubernetes-ingress/pull/97/files). Thanks to [Ruilin Huang](https://github.com/hrl) and [Justin Garrison](https://github.com/rothgar).
-
-### 0.6.0
-
-* [75](https://github.com/nginxinc/kubernetes-ingress/pull/75): Add the HSTS settings in the configmap and annotations. Thanks to [Nico Schieder](https://github.com/thetechnick).
-* [74](https://github.com/nginxinc/kubernetes-ingress/pull/74): Fix the issue of the `kubernetes.io/ingress.class` annotation handling. Thanks to [Tang Le](https://github.com/tangle329).
-* [70](https://github.com/nginxinc/kubernetes-ingress/pull/70): Add support for the alpine-based image for the NGINX controller.
-* [68](https://github.com/nginxinc/kubernetes-ingress/pull/68): Support for proxy-buffering settings in the configmap and annotations. Thanks to [Mark Daniel Reidel](https://github.com/df-mreidel).
-* [66](https://github.com/nginxinc/kubernetes-ingress/pull/66): Support for custom log-format in the configmap. Thanks to [Mark Daniel Reidel](https://github.com/df-mreidel).
-* [65](https://github.com/nginxinc/kubernetes-ingress/pull/65): Add HTTP/2 as an option in the configmap and annotations. Thanks to [Nico Schieder](https://github.com/thetechnick).
-* The NGINX Plus controller image is now based on Ubuntu Xenial.
-
-### 0.5.0
-
-* Update NGINX version to 1.11.5.
-* [64](https://github.com/nginxinc/kubernetes-ingress/pull/64): Add the `nginx.org/rewrites` annotation, which allows to rewrite the URI of a request before sending it to the application. Thanks to [Julian](https://github.com/jmastr).
-* [62](https://github.com/nginxinc/kubernetes-ingress/pull/62): Add the `nginx.org/ssl-services` annotation, which allows load balancing of HTTPS applications. Thanks to [Julian](https://github.com/jmastr).
-
-### 0.4.0
-
-* [54](https://github.com/nginxinc/kubernetes-ingress/pull/54): Previously, when specifying the port of a service in an Ingress rule, you had to use the value of the target port of that port of the service, which was incorrect. Now you must use the port value or the name of the port of the service instead of the target port value. **Note**: Please make necessary changes to your Ingress resources, if ports of your services have different values of the port and the target port fields.
-* [55](https://github.com/nginxinc/kubernetes-ingress/pull/55): Add support for the `kubernetes.io/ingress.class` annotation in Ingress resources.
-* [58](https://github.com/nginxinc/kubernetes-ingress/pull/58): Add the version information to the controller. For each version of the NGINX controller, you can find a corresponding image on [DockerHub](https://hub.docker.com/r/nginxdemos/nginx-ingress/tags/) with a tag equal to the version. The latest version is available through the `latest` tag.
-The previous version was 0.3
+- For NGINX, use the 1.3.0 image from our DockerHub: `nginx/nginx-ingress:1.3.0`
+- For NGINX Plus, please build your own image using the 1.3.0 source code.
+
+## 1.2.0
+
+- [279](https://github.com/nginxinc/kubernetes-ingress/pull/279): Update dependencies.
+- [278](https://github.com/nginxinc/kubernetes-ingress/pull/278): Fix mergeable Ingress types.
+- [277](https://github.com/nginxinc/kubernetes-ingress/pull/277): Support grpc error responses.
+- [276](https://github.com/nginxinc/kubernetes-ingress/pull/276): Add gRPC support.
+- [274](https://github.com/nginxinc/kubernetes-ingress/pull/274): Change the default load balancing method to
+ least_conn.
+- [272](https://github.com/nginxinc/kubernetes-ingress/pull/272): Move nginx-ingress image to the official nginx
+ DockerHub.
+- [268](https://github.com/nginxinc/kubernetes-ingress/pull/268): Correct Mergeable Types misspelling and optimize
+ blacklists. Thanks to [Fernando Diaz](https://github.com/diazjf).
+- [266](https://github.com/nginxinc/kubernetes-ingress/pull/266): Add support for passive health checks.
+- [261](https://github.com/nginxinc/kubernetes-ingress/pull/261): Update Customization Example.
+- [258](https://github.com/nginxinc/kubernetes-ingress/pull/258): Handle annotations and conflicting paths for
+ MergeableTypes. Thanks to [Fernando Diaz](https://github.com/diazjf).
+- [256](https://github.com/nginxinc/kubernetes-ingress/pull/256): Add helm chart support.
+- [249](https://github.com/nginxinc/kubernetes-ingress/pull/249): Add support for prometheus for Plus.
+- [241](https://github.com/nginxinc/kubernetes-ingress/pull/241): Update the doc about building the Docker image.
+- [240](https://github.com/nginxinc/kubernetes-ingress/pull/240): Use new NGINX Plus API.
+- [239](https://github.com/nginxinc/kubernetes-ingress/pull/239): Fix a typo in a variable name. Thanks to [Tony
+ Li](https://github.com/mysterytony).
+- [238](https://github.com/nginxinc/kubernetes-ingress/pull/238): Remove apt-get upgrade from Plus Dockerfile.
+- [237](https://github.com/nginxinc/kubernetes-ingress/pull/237): Add unit test for ingress-class handling.
+- [236](https://github.com/nginxinc/kubernetes-ingress/pull/236): Always respect `-ingress-class` option. Thanks to
+ [Nick Novitski](https://github.com/nicknovitski).
+- [235](https://github.com/nginxinc/kubernetes-ingress/pull/235): Change the base image to Debian Stretch for Plus
+ controller.
+- [234](https://github.com/nginxinc/kubernetes-ingress/pull/234): Update installation manifests and instructions.
+- [233](https://github.com/nginxinc/kubernetes-ingress/pull/233): Add docker build options to Makefile.
+- [231](https://github.com/nginxinc/kubernetes-ingress/pull/231): Prevent a possible failure of building Plus image.
+- Documentation Fixes: [248](https://github.com/nginxinc/kubernetes-ingress/pull/248), thanks to
+ [zariye](https://github.com/zariye). [252](https://github.com/nginxinc/kubernetes-ingress/pull/252).
+ [270](https://github.com/nginxinc/kubernetes-ingress/pull/270).
+- Update NGINX version to 1.13.12.
+- Update NGINX Plus version to R15 P1.
+
+## 1.1.1
+
+- [228](https://github.com/nginxinc/kubernetes-ingress/pull/228): Add worker-rlimit-nofile configmap key. Thanks to
+ [Aleksandr Lysenko](https://github.com/Sarga).
+- [223](https://github.com/nginxinc/kubernetes-ingress/pull/223): Add worker-connections configmap key. Thanks to
+ [Aleksandr Lysenko](https://github.com/Sarga).
+- Update NGINX version to 1.13.8.
+
+## 1.1.0
+
+- [221](https://github.com/nginxinc/kubernetes-ingress/pull/221): Add git commit info to the IC log.
+- [220](https://github.com/nginxinc/kubernetes-ingress/pull/220): Update dependencies.
+- [213](https://github.com/nginxinc/kubernetes-ingress/pull/213): Add main snippets to allow Main context customization.
+ Thanks to [Dewen Kong](https://github.com/kongdewen).
+- [211](https://github.com/nginxinc/kubernetes-ingress/pull/211): Minimize the number of configuration reloads when the
+ Ingress Controller starts; fix a problem with endpoints updates for Plus.
+- [208](https://github.com/nginxinc/kubernetes-ingress/pull/208): Add worker-shutdown-timeout configmap key. Thanks to
+ [Aleksandr Lysenko](https://github.com/Sarga).
+- [199](https://github.com/nginxinc/kubernetes-ingress/pull/199): Add support for Kubernetes ssl-redirect annotation.
+ Thanks to [Luke Seelenbinder](https://github.com/lseelenbinder).
+- [194](https://github.com/nginxinc/kubernetes-ingress/pull/194) Add keepalive configmap key and annotation.
+- [193](https://github.com/nginxinc/kubernetes-ingress/pull/193): Add worker-cpu-affinity configmap key.
+- [192](https://github.com/nginxinc/kubernetes-ingress/pull/192): Add worker-processes configmap key.
+- [186](https://github.com/nginxinc/kubernetes-ingress/pull/186): Fix hardcoded controller class. Thanks to [Serhii
+ M](https://github.com/SiriusRed).
+- [184](https://github.com/nginxinc/kubernetes-ingress/pull/184): Return a meaningful error when there is no cert and
+ key for the default server.
+- Update NGINX version to 1.13.7.
+- Makefile updates: golang container was updated to 1.9.
+
+## 1.0.0
+
+- [175](https://github.com/nginxinc/kubernetes-ingress/pull/175): Add support for JWT for NGINX Plus.
+- [171](https://github.com/nginxinc/kubernetes-ingress/pull/171): Allow NGINX to listen on non-standard ports. Thanks to
+ [Stanislav Seletskiy](https://github.com/seletskiy).
+- [170](https://github.com/nginxinc/kubernetes-ingress/pull/170): Add the default server. **Note**: The Ingress
+ Controller will fail to start if there are no cert and key for the default server. You can pass a TLS Secret for the
+ default server as an argument to the Ingress Controller or add a cert and a key to the Docker image.
+- [169](https://github.com/nginxinc/kubernetes-ingress/pull/169): Ignore Ingress resources with empty hostnames.
+- [168](https://github.com/nginxinc/kubernetes-ingress/pull/168): Add the `nginx.org/lb-method` annotation. Thanks to
+ [Sajal Kayan](https://github.com/sajal).
+- [166](https://github.com/nginxinc/kubernetes-ingress/pull/166): Watch Secret resources for updates. **Note**: If a
+ Secret referenced by one or more Ingress resources becomes invalid or gets removed, the configuration for those
+ Ingress resources will be disabled until there is a valid Secret.
+- [160](https://github.com/nginxinc/kubernetes-ingress/pull/160): Add support for events. See the details
+ [here](https://github.com/nginxinc/kubernetes-ingress/pull/160).
+- [157](https://github.com/nginxinc/kubernetes-ingress/pull/157): Add graceful termination - when the Ingress Controller
+ receives `SIGTERM`, it shutdowns itself as well as NGINX, using `nginx -s quit`.
+
+## 0.9.0
+
+- [156](https://github.com/nginxinc/kubernetes-ingress/pull/156): Write a pem file with an SSL certificate and key
+ atomically.
+- [155](https://github.com/nginxinc/kubernetes-ingress/pull/155): Remove http2 annotation (http/2 can be enabled
+ globally in the ConfigMap).
+- [154](https://github.com/nginxinc/kubernetes-ingress/pull/154): Merge NGINX and NGINX Plus Ingress Controller
+ implementations.
+- [151](https://github.com/nginxinc/kubernetes-ingress/pull/151): Use k8s.io/client-go.
+- [146](https://github.com/nginxinc/kubernetes-ingress/pull/146): Fix health status.
+- [141](https://github.com/nginxinc/kubernetes-ingress/pull/141): Set `worker_processes` to `auto` in NGINX
+ configuration. Thanks to [Andreas Krüger](https://github.com/woopstar).
+- [140](https://github.com/nginxinc/kubernetes-ingress/pull/140): Fix an error message. Thanks to [Andreas
+ Krüger](https://github.com/woopstar).
+- Update NGINX to version 1.13.3.
+
+## 0.8.1
+
+- Update NGINX version to 1.13.0.
+
+## 0.8.0
+
+- [117](https://github.com/nginxinc/kubernetes-ingress/pull/117): Add a customization option: location-snippets,
+ server-snippets and http-snippets. Thanks to [rchicoli](https://github.com/rchicoli).
+- [116](https://github.com/nginxinc/kubernetes-ingress/pull/116): Add support for the 301 redirect to https based on the
+ `http_x_forwarded_proto` header. Thanks to [Chris](https://github.com/cwhenderson20).
+- Update NGINX version to 1.11.13.
+- Makefile updates: gcloud docker push command; golang container was updated to 1.8.
+- Documentation fixes: [113](https://github.com/nginxinc/kubernetes-ingress/pull/113). Thanks to [Linus
+ Lewandowski](https://github.com/LEW21).
+
+## 0.7.0
+
+- [108](https://github.com/nginxinc/kubernetes-ingress/pull/108): Support for the `server_tokens` directive via the
+ annotation and in the configmap. Thanks to [David Radcliffe](https://github.com/dwradcliffe).
+- [103](https://github.com/nginxinc/kubernetes-ingress/pull/103): Improve error reporting when NGINX fails to start.
+- [100](https://github.com/nginxinc/kubernetes-ingress/pull/100): Add the health check location. Thanks to
+ [Julian](https://github.com/jmastr).
+- [95](https://github.com/nginxinc/kubernetes-ingress/pull/95): Fix the runtime.TypeAssertionError issue, which
+ sometimes occurred when deleting resources. Thanks to [Tang Le](https://github.com/tangle329).
+- [93](https://github.com/nginxinc/kubernetes-ingress/pull/93): Fix overwriting of Secrets with the same name from
+ different namespaces.
+- [92](https://github.com/nginxinc/kubernetes-ingress/pull/92/files): Add overwriting of the HSTS header. Previously,
+ when HSTS was enabled, if a backend issued the HSTS header, the controller would add the second HSTS header. Now the
+ controller overwrites the HSTS header, if a backend also issues it.
+- [91](https://github.com/nginxinc/kubernetes-ingress/pull/91): Fix the issue with single service Ingress resources
+without any Ingress rules: the controller didn't pick up any updates of the endpoints of the service of such an Ingress
+resource. Thanks to [Tang Le](https://github.com/tangle329).
+- [88](https://github.com/nginxinc/kubernetes-ingress/pull/88): Support for the `proxy_hide_header` and the
+ `proxy_pass_header` directives via annotations and in the configmap. Thanks to [Nico
+ Schieder](https://github.com/thetechnick).
+- [85](https://github.com/nginxinc/kubernetes-ingress/pull/85): Add the configmap settings to support perfect forward
+ secrecy. Thanks to [Nico Schieder](https://github.com/thetechnick).
+- [84](https://github.com/nginxinc/kubernetes-ingress/pull/84): Secret retry: If a certificate Secret referenced in an
+Ingress object is not found, the Ingress Controller will reject the Ingress object. but retries every 5s. Thanks to
+[Nico Schieder](https://github.com/thetechnick).
+- [81](https://github.com/nginxinc/kubernetes-ingress/pull/81): Add configmap options to turn on the PROXY protocol.
+ Thanks to [Nico Schieder](https://github.com/thetechnick).
+- Update NGINX version to 1.11.8.
+- Documentation fixes: [104](https://github.com/nginxinc/kubernetes-ingress/pull/104/files) and
+ [97](https://github.com/nginxinc/kubernetes-ingress/pull/97/files). Thanks to [Ruilin Huang](https://github.com/hrl)
+ and [Justin Garrison](https://github.com/rothgar).
+
+## 0.6.0
+
+- [75](https://github.com/nginxinc/kubernetes-ingress/pull/75): Add the HSTS settings in the configmap and annotations.
+ Thanks to [Nico Schieder](https://github.com/thetechnick).
+- [74](https://github.com/nginxinc/kubernetes-ingress/pull/74): Fix the issue of the `kubernetes.io/ingress.class`
+ annotation handling. Thanks to [Tang Le](https://github.com/tangle329).
+- [70](https://github.com/nginxinc/kubernetes-ingress/pull/70): Add support for the alpine-based image for the NGINX
+ controller.
+- [68](https://github.com/nginxinc/kubernetes-ingress/pull/68): Support for proxy-buffering settings in the configmap
+ and annotations. Thanks to [Mark Daniel Reidel](https://github.com/df-mreidel).
+- [66](https://github.com/nginxinc/kubernetes-ingress/pull/66): Support for custom log-format in the configmap. Thanks
+ to [Mark Daniel Reidel](https://github.com/df-mreidel).
+- [65](https://github.com/nginxinc/kubernetes-ingress/pull/65): Add HTTP/2 as an option in the configmap and
+ annotations. Thanks to [Nico Schieder](https://github.com/thetechnick).
+- The NGINX Plus controller image is now based on Ubuntu Xenial.
+
+## 0.5.0
+
+- Update NGINX version to 1.11.5.
+- [64](https://github.com/nginxinc/kubernetes-ingress/pull/64): Add the `nginx.org/rewrites` annotation, which allows to
+ rewrite the URI of a request before sending it to the application. Thanks to [Julian](https://github.com/jmastr).
+- [62](https://github.com/nginxinc/kubernetes-ingress/pull/62): Add the `nginx.org/ssl-services` annotation, which
+ allows load balancing of HTTPS applications.
Thanks to [Julian](https://github.com/jmastr). + +## 0.4.0 + +- [54](https://github.com/nginxinc/kubernetes-ingress/pull/54): Previously, when specifying the port of a service in an + Ingress rule, you had to use the value of the target port of that port of the service, which was incorrect. Now you + must use the port value or the name of the port of the service instead of the target port value. **Note**: Please make + necessary changes to your Ingress resources, if ports of your services have different values of the port and the + target port fields. +- [55](https://github.com/nginxinc/kubernetes-ingress/pull/55): Add support for the `kubernetes.io/ingress.class` + annotation in Ingress resources. +- [58](https://github.com/nginxinc/kubernetes-ingress/pull/58): Add the version information to the controller. For each + version of the NGINX controller, you can find a corresponding image on + [DockerHub](https://hub.docker.com/r/nginxdemos/nginx-ingress/tags/) with a tag equal to the version. The latest + version is available through the `latest` tag. +The previous version was 0.3 -### Notes +## Notes -* Except when mentioned otherwise, the controller refers both to the NGINX and the NGINX Plus Ingress Controllers. +- Except when mentioned otherwise, the controller refers both to the NGINX and the NGINX Plus Ingress Controllers. diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index bc3c7d3617..4deb7b91de 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md 
@@ -16,21 +16,21 @@ appearance, race, religion, or sexual identity and orientation. Examples of behavior that contributes to creating a positive environment include: -* Using welcoming and inclusive language -* Being respectful of differing viewpoints and experiences -* Gracefully accepting constructive criticism -* Focusing on what is best for the community -* Showing empathy towards other community members +- Using welcoming and inclusive language +- Being respectful of differing viewpoints and experiences +- Gracefully accepting constructive criticism +- Focusing on what is best for the community +- Showing empathy towards other community members Examples of unacceptable behavior by participants include: -* The use of sexualized language or imagery and unwelcome sexual attention or +- The use of sexualized language or imagery and unwelcome sexual attention or advances -* Trolling, insulting/derogatory comments, and personal or political attacks -* Public or private harassment -* Publishing others' private information, such as a physical or electronic +- Trolling, insulting/derogatory comments, and personal or political attacks +- Public or private harassment +- Publishing others' private information, such as a physical or electronic address, without explicit permission -* Other conduct which could reasonably be considered inappropriate in a +- Other conduct which could reasonably be considered inappropriate in a professional setting ## Our Responsibilities @@ -70,6 +70,6 @@ members of the project's leadership. ## Attribution This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, -available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html +available at [homepage]: https://www.contributor-covenant.org diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 24ee97078e..19cfe17f6a 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -1,8 +1,9 @@ # Contributing Guidelines -The following is a set of guidelines for contributing to the NGINX Ingress Controller. We really appreciate that you are considering contributing! +The following is a set of guidelines for contributing to the NGINX Ingress Controller. We really appreciate that you are +considering contributing! -#### Table Of Contents +## Table Of Contents [Ask a Question](#ask-a-question) @@ -11,8 +12,9 @@ The following is a set of guidelines for contributing to the NGINX Ingress Contr [Contributing](#contributing) [Style Guides](#style-guides) - * [Git Style Guide](#git-style-guide) - * [Go Style Guide](#go-style-guide) + +- [Git Style Guide](#git-style-guide) +- [Go Style Guide](#go-style-guide) [Code of Conduct](CODE_OF_CONDUCT.md) 
@@ -26,36 +28,41 @@ Please reserve GitHub issues for feature requests and bugs rather than general q ## Getting Started -Follow our [Installation Guide](https://github.com/nginxinc/kubernetes-ingress/blob/main/docs/content/installation) to get the NGINX Ingress Controller up and running. +Follow our [Installation Guide](https://github.com/nginxinc/kubernetes-ingress/blob/main/docs/content/installation) to +get the NGINX Ingress Controller up and running. -Read the [documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs) and [configuration](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples) examples +Read the [documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs) and +[configuration](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples) examples ### Project Structure -* This Ingress Controller is written in Go and supports both the open source NGINX software and NGINX Plus. -* The project follows a standard Go project layout - * The main code is found at `cmd/nginx-ingress/` - * The internal code is found at `internal/` - * Build files for Docker are found at `build/` - * CI files are found at `.github/workflows/` - * Deployment yaml files, and Helm files are found at `deployments/` - * We use [Go modules](https://github.com/golang/go/wiki/Modules) for managing dependencies. +- This Ingress Controller is written in Go and supports both the open source NGINX software and NGINX Plus. +- The project follows a standard Go project layout + - The main code is found at `cmd/nginx-ingress/` + - The internal code is found at `internal/` + - Build files for Docker are found at `build/` + - CI files are found at `.github/workflows/` + - Deployment yaml files, and Helm files are found at `deployments/` + - We use [Go modules](https://github.com/golang/go/wiki/Modules) for managing dependencies. ## Contributing ### Report a Bug -To report a bug, open an issue on GitHub and choose the type 'Bug report'. 
Please ensure the issue has not already been reported, and that you fill in the template as provided, as this can reduce turnaround time. +To report a bug, open an issue on GitHub and choose the type 'Bug report'. Please ensure the issue has not already been +reported, and that you fill in the template as provided, as this can reduce turnaround time. ### Suggest a new feature or other improvement -To suggest an new feature or other improvement, create an issue on Github and choose the type 'Feature request'. Please fill in the template as provided. +To suggest an new feature or other improvement, create an issue on Github and choose the type 'Feature request'. Please +fill in the template as provided. ### Open a Pull Request -* Before working on a possible pull request, first open an associated issue describing the proposed change. This allows the core development team to discuss the potential pull request with you before you do the work. -* Fork the repo, create a branch, submit a PR when your changes are tested and ready for review -* Fill in [our pull request template](.github/PULL_REQUEST_TEMPLATE.md) +- Before working on a possible pull request, first open an associated issue describing the proposed change. This allows + the core development team to discuss the potential pull request with you before you do the work. +- Fork the repo, create a branch, submit a PR when your changes are tested and ready for review +- Fill in [our pull request template](.github/PULL_REQUEST_TEMPLATE.md) > **Note** 
> @@ -63,23 +70,30 @@ To suggest an new feature or other improvement, create an issue on Github and ch ### Issue lifecycle -* When an issue or PR is created, it will be triaged by the core development team and assigned a label to indicate the type of issue it is (bug, feature request, etc) and to determine the milestone. Please see the [Issue Lifecycle](ISSUE_LIFECYCLE.md) document for more information. +- When an issue or PR is created, it will be triaged by the core development team and assigned a label to indicate the + type of issue it is (bug, feature request, etc) and to determine the milestone. Please see the [Issue + Lifecycle](ISSUE_LIFECYCLE.md) document for more information. ## Style Guides ### Git Style Guide -* Keep a clean, concise and meaningful git commit history on your branch, rebasing locally and squashing before submitting a PR -* Follow the guidelines of writing a good commit message as described here https://chris.beams.io/posts/git-commit/ and summarized in the next few points - * In the subject line, use the present tense ("Add feature" not "Added feature") - * In the subject line, use the imperative mood ("Move cursor to..." not "Moves cursor to...") - * Limit the subject line to 72 characters or less - * Reference issues and pull requests liberally after the subject line - * Add more detailed description in the body of the git message (`git commit -a` to give you more space and time in your text editor to write a good message instead of `git commit -am`) +- Keep a clean, concise and meaningful git commit history on your branch, rebasing locally and squashing before + submitting a PR +- Follow the guidelines of writing a good commit message as described here + and summarized in the next few points + - In the subject line, use the present tense ("Add feature" not "Added feature") + - In the subject line, use the imperative mood ("Move cursor to..." 
not "Moves cursor to...") + - Limit the subject line to 72 characters or less + - Reference issues and pull requests liberally after the subject line + - Add more detailed description in the body of the git message (`git commit -a` to give you more space and time in + your text editor to write a good message instead of `git commit -am`) ### Go Style Guide -* Run `gofmt` over your code to automatically resolve a lot of style issues. Most editors support this running automatically when saving a code file. -* Run `go lint` and `go vet` on your code too to catch any other issues. -* Follow this guide on some good practice and idioms for Go - https://github.com/golang/go/wiki/CodeReviewComments -* To check for extra issues, install [golangci-lint](https://github.com/golangci/golangci-lint) and run `make lint` or `golangci-lint run` +- Run `gofmt` over your code to automatically resolve a lot of style issues. Most editors support this running + automatically when saving a code file. +- Run `go lint` and `go vet` on your code too to catch any other issues. +- Follow this guide on some good practice and idioms for Go - +- To check for extra issues, install [golangci-lint](https://github.com/golangci/golangci-lint) and run `make lint` or + `golangci-lint run` diff --git a/ISSUE_LIFECYCLE.md b/ISSUE_LIFECYCLE.md index c57bc03775..545af55fa2 100644 --- a/ISSUE_LIFECYCLE.md +++ b/ISSUE_LIFECYCLE.md 
@@ -1,36 +1,52 @@ # Issue Lifecycle -To ensure a balance between work carried out by the NGINX engineering team while encouraging community involvement on this project, we use the following issue lifecycle. (Note: The issue *creator* refers to the community member that created the issue. The issue *owner* refers to the NGINX team member that is responsible for managing the issue lifecycle.) +To ensure a balance between work carried out by the NGINX engineering team while encouraging community involvement on +this project, we use the following issue lifecycle. (Note: The issue *creator* refers to the community member that +created the issue. The issue *owner* refers to the NGINX team member that is responsible for managing the issue +lifecycle.) 1. New issue created by community member. +2. Assign issue owner: All new issues are assigned an owner on the NGINX engineering team. This owner shepherds the + issue through the subsequent stages in the issue lifecycle. -2. Assign issue owner: All new issues are assigned an owner on the NGINX engineering team. This owner shepherds the issue through the subsequent stages in the issue lifecycle. +3. Determine issue type: This is done with automation where possible, and manually by the owner where necessary. The + associated label is applied to the issue. + Possible Issue Types: -3. Determine issue type: This is done with automation where possible, and manually by the owner where necessary. The associated label is applied to the issue. - #### Possible Issue Types - `needs more info`: The owner should use the issue to request information from the creator. If we don't receive the needed information within 7 days, automation closes the issue. + - `needs more info`: The owner should use the issue to request information from the creator. If we don't receive the + needed information within 7 days, automation closes the issue. - `bug`: The implementation of a feature is not correct. 
+ - `bug`: The implementation of a feature is not correct. - `proposal`: Request for a change. This can be a new feature, tackling technical debt, documentation changes, or improving existing features. + - `proposal`: Request for a change. This can be a new feature, tackling technical debt, documentation changes, or + improving existing features. - `question`: The owner converts the issue to a github discussion and engages the creator. + - `question`: The owner converts the issue to a github discussion and engages the creator. +4. Determine milestone: The owner, in collaboration with the wider team (PM & engineering), determines what milestone to + attach to an issue. Generally, milestones correspond to product releases - however there are two 'magic' milestones + with special meanings (not tied to a specific release): -4. Determine milestone: The owner, in collaboration with the wider team (PM & engineering), determines what milestone to attach to an issue. Generally, milestones correspond to product releases - however there are two 'magic' milestones with special meanings (not tied to a specific release): + - Issues assigned to backlog: Our team is in favour of implementing the feature request/fixing the issue, however the + implementation is not yet assigned to a concrete release. If and when a `backlog` issue aligns well with our + roadmap, it will be scheduled for a concrete iteration. We review and update our roadmap at least once every + quarter. The `backlog` list helps us shape our roadmap, but it is not the only source of input. Therefore, some + `backlog` items may eventually be closed as `out of scope`, or relabelled as `backlog candidate` once it becomes + clear that they do not align with our evolving roadmap. - - Issues assigned to backlog: Our team is in favour of implementing the feature request/fixing the issue, however the implementation is not yet assigned to a concrete release. 
If and when a `backlog` issue aligns well with our roadmap, it will be scheduled for a concrete iteration. We review and update our roadmap at least once every quarter. The `backlog` list helps us shape our roadmap, but it is not the only source of input. Therefore, some `backlog` items may eventually be closed as `out of scope`, or relabelled as `backlog candidate` once it becomes clear that they do not align with our evolving roadmap. - - - Issues assigned to `backlog candidate`: Our team does not intend to implement the feature/fix request described in the issue and wants the community to weigh in before we make our final decision. + - Issues assigned to `backlog candidate`: Our team does not intend to implement the feature/fix request described in + the issue and wants the community to weigh in before we make our final decision. `backlog` issues can be labeled by the owner as `help wanted` and/or `good first issue` as appropriate. +5. Promotion of `backlog candidate` issue to `backlog` issue: If an issue labelled `backlog candidate` receives more + than 30 upvotes within 60 days, we promote the issue by applying the `backlog` label. While issues promoted in this + manner have not been committed to a particular release, we welcome PRs from the community on them. -5. Promotion of `backlog candidate` issue to `backlog` issue: If an issue labelled `backlog candidate` receives more than 30 upvotes within 60 days, we promote the issue by applying the `backlog` label. While issues promoted in this manner have not been committed to a particular release, we welcome PRs from the community on them. - - If an issue does not make our roadmap and has not been moved to a discussion, it is closed with the label `out of scope`. The goal is to get every issue in the issues list to one of the following end states: + If an issue does not make our roadmap and has not been moved to a discussion, it is closed with the label `out of + scope`. 
The goal is to get every issue in the issues list to one of the following end states: - An assigned release. - The `backlog` label. diff --git a/Makefile b/Makefile index b9b72a2dd7..2377c8b9c3 100644 --- a/Makefile +++ b/Makefile 
@@ -1,19 +1,17 @@ # variables that should not be overridden by the user -GIT_COMMIT = $(shell git rev-parse HEAD || echo unknown) -GIT_COMMIT_SHORT = $(shell echo ${GIT_COMMIT} | cut -c1-7) GIT_TAG = $(shell git describe --tags --abbrev=0 || echo untagged) -VERSION = $(GIT_TAG)-SNAPSHOT-$(GIT_COMMIT_SHORT) +VERSION = $(GIT_TAG)-SNAPSHOT PLUS_ARGS = --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key # variables that can be overridden by the user -PREFIX ?= nginx/nginx-ingress## The name of the image. For example, nginx/nginx-ingress -TAG ?= $(VERSION:v%=%)## The tag of the image. For example, 2.0.0 -TARGET ?= local## The target of the build. Possible values: local, container and download -override DOCKER_BUILD_OPTIONS += --build-arg IC_VERSION=$(VERSION) --build-arg GIT_COMMIT=$(GIT_COMMIT)## The options for the docker build command. For example, --pull. -ARCH ?= amd64## The architecture of the image or binary. For example: amd64, arm64, ppc64le, s390x. Not all architectures are supported for all targets. +PREFIX ?= nginx/nginx-ingress ## The name of the image. For example, nginx/nginx-ingress +TAG ?= $(VERSION:v%=%) ## The tag of the image. For example, 2.0.0 +TARGET ?= local ## The target of the build. Possible values: local, container and download +override DOCKER_BUILD_OPTIONS += --build-arg IC_VERSION=$(VERSION) ## The options for the docker build command. For example, --pull +ARCH ?= amd64 ## The architecture of the image or binary. For example: amd64, arm64, ppc64le, s390x. Not all architectures are supported for all targets # final docker build command -DOCKER_CMD = docker build --platform linux/$(ARCH) $(strip $(DOCKER_BUILD_OPTIONS)) --target $(strip $(TARGET)) -f build/Dockerfile -t $(strip $(PREFIX)):$(strip $(TAG)) . +DOCKER_CMD = docker build --platform linux/$(strip $(ARCH)) $(strip $(DOCKER_BUILD_OPTIONS)) --target $(strip $(TARGET)) -f build/Dockerfile -t $(strip $(PREFIX)):$(strip $(TAG)) . 
export DOCKER_BUILDKIT = 1 @@ -22,7 +20,7 @@ export DOCKER_BUILDKIT = 1 .PHONY: help help: Makefile ## Display this help @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "; printf "Usage:\n\n make \033[36m\033[0m [VARIABLE=value...]\n\nTargets:\n\n"}; {printf " \033[36m%-30s\033[0m %s\n", $$1, $$2}' - @grep -E '^(override )?[a-zA-Z_-]+ \??\+?= .*?## .*$$' $< | sort | awk 'BEGIN {FS = " \\??\\+?= .*?## "; printf "\nVariables:\n\n"}; {gsub(/override /, "", $$1); printf " \033[36m%-30s\033[0m %s\n", $$1, $$2}' + @grep -E '^(override )?[a-zA-Z_-]+ \??\+?= .*? ## .*$$' $< | sort | awk 'BEGIN {FS = " \\??\\+?= .*? ## "; printf "\nVariables:\n\n"}; {gsub(/override /, "", $$1); printf " \033[36m%-30s\033[0m %s\n", $$1, $$2}' .PHONY: all all: test lint verify-codegen update-crds debian-image 
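Review bot: With `VERSION = $(GIT_TAG)-SNAPSHOT` and `--build-arg GIT_COMMIT=$(GIT_COMMIT)` dropped from `DOCKER_BUILD_OPTIONS`, every snapshot build made after the same tag gets an identical version string and default image tag, so an image or binary can no longer be traced back to the commit it was built from. That weakens provenance during incident response, and it means the `push` target further down replaces an earlier snapshot under the same tag without any visible difference. If the commit has to stay out of the tag, keep it as metadata instead, for example by retaining `GIT_COMMIT = $(shell git rev-parse HEAD || echo unknown)` and still passing it as a build arg. Whether build/Dockerfile still declares that ARG is not visible from this hunk.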
@@ -75,17 +73,17 @@ certificate-and-key: ## Create default cert and key .PHONY: build build: ## Build Ingress Controller binary @docker -v || (code=$$?; printf "\033[0;31mError\033[0m: there was a problem with Docker\n"; exit $$code) -ifeq (${TARGET},local) +ifeq ($(strip $(TARGET)),local) @go version || (code=$$?; printf "\033[0;31mError\033[0m: unable to build locally, try using the parameter TARGET=container or TARGET=download\n"; exit $$code) - CGO_ENABLED=0 GOOS=linux GOARCH=$(ARCH) go build -trimpath -ldflags "-s -w -X main.version=${VERSION}" -o nginx-ingress github.com/nginxinc/kubernetes-ingress/cmd/nginx-ingress -else ifeq (${TARGET},download) + CGO_ENABLED=0 GOOS=linux GOARCH=$(strip $(ARCH)) go build -trimpath -ldflags "-s -w -X main.version=${VERSION}" -o nginx-ingress github.com/nginxinc/kubernetes-ingress/cmd/nginx-ingress +else ifeq ($(strip $(TARGET)),download) @$(MAKE) download-binary-docker endif .PHONY: download-binary-docker download-binary-docker: ## Download Docker image from which to extract Ingress Controller binary, TARGET=download is required -ifeq (${TARGET},download) -DOWNLOAD_TAG := $(shell ./hack/docker.sh $(GIT_COMMIT) $(GIT_TAG)) +ifeq ($(strip $(TARGET)),download) +DOWNLOAD_TAG := $(shell ./hack/docker.sh $(GIT_TAG)) ifeq ($(DOWNLOAD_TAG),fail) $(error unable to build with TARGET=download, this function is only available when building from a git tag or from the latest commit matching the edge image) endif 
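Review bot: In `download-binary-docker`, `./hack/docker.sh` is now called with `$(GIT_TAG)` only, so the image the binary is extracted from is presumably selected by tag alone and no longer checked against the checked-out commit. The `$(error …)` text two lines below still promises a match against "the latest commit matching the edge image", which this call cannot establish unless the script derives the commit itself (hack/docker.sh is not part of this hunk). Either keep a commit argument, or reword the message and add a comment such as `# DOWNLOAD_TAG is resolved from the tag only; the extracted binary is not verified against HEAD`.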
@@ -95,7 +93,7 @@ endif .PHONY: build-goreleaser build-goreleaser: ## Build Ingress Controller binary using GoReleaser @goreleaser -v || (code=$$?; printf "\033[0;31mError\033[0m: there was a problem with GoReleaser. Follow the docs to install it https://goreleaser.com/install\n"; exit $$code) - GOOS=linux GOPATH=$(shell go env GOPATH) GOARCH=$(ARCH) goreleaser build --rm-dist --debug --snapshot --id kubernetes-ingress --single-target + GOOS=linux GOPATH=$(shell go env GOPATH) GOARCH=$(strip $(ARCH)) goreleaser build --clean --debug --snapshot --id kubernetes-ingress --single-target .PHONY: debian-image debian-image: build ## Create Docker image for Ingress Controller (Debian) 
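Review bot: The switch from `--rm-dist` to `--clean` on the `goreleaser build` line makes the target fail with an unknown-flag error on GoReleaser installs that predate the rename, and the `goreleaser -v` pre-check above it only proves the binary runs, not that it is new enough. A comment on the recipe stating the requirement, e.g. `# requires a GoReleaser release that supports --clean`, would turn a confusing failure into a documented prerequisite.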
@@ -109,20 +107,24 @@ alpine-image: build ## Create Docker image for Ingress Controller (Alpine) alpine-image-plus: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus +.PHONY: alpine-image-plus-fips +alpine-image-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus and FIPS) + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-fips + .PHONY: debian-image-plus debian-image-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus .PHONY: debian-image-nap-plus -debian-image-nap-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and App Protect WAF) +debian-image-nap-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect WAF) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=waf .PHONY: debian-image-dos-plus -debian-image-dos-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and App Protect DoS) +debian-image-dos-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect DoS) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=dos .PHONY: debian-image-nap-dos-plus -debian-image-nap-dos-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus, App Protect WAF and DoS) +debian-image-nap-dos-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus, NGINX App Protect WAF and DoS) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=waf,dos .PHONY: ubi-image 
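Review bot: The new `alpine-image-plus-fips` target is not added to the `all-images` prerequisite list shown in the next hunk, so `make all-images` (and anything in CI that relies on it) never builds or exercises the FIPS variant. Append `alpine-image-plus-fips` to that list, or note next to the target that it is excluded on purpose. The help text would also benefit from saying what "FIPS" covers here, since the target only passes `BUILD_OS=alpine-plus-fips` and the Dockerfile stage that gives it meaning is outside this hunk.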
@@ -134,36 +136,23 @@ ubi-image-plus: build ## Create Docker image for Ingress Controller (UBI with NG $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=ubi-plus .PHONY: ubi-image-nap-plus -ubi-image-nap-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and App Protect WAF) +ubi-image-nap-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect WAF) $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-plus-nap --build-arg NAP_MODULES=waf .PHONY: ubi-image-dos-plus -ubi-image-dos-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and App Protect DoS) +ubi-image-dos-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect DoS) $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-plus-nap --build-arg NAP_MODULES=dos .PHONY: ubi-image-nap-dos-plus -ubi-image-nap-dos-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus, App Protect WAF and DoS) +ubi-image-nap-dos-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus, NGINX App Protect WAF and DoS) $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-plus-nap --build-arg NAP_MODULES=waf,dos -.PHONY: openshift-image openshift-image-plus openshift-image-nap-plus openshift-image-dos-plus openshift-image-nap-dos-plus -openshift-image openshift-image-plus openshift-image-nap-plus openshift-image-dos-plus openshift-image-nap-dos-plus: - @printf "\033[0;31mWarning\033[0m: The target $(filter openshift-%,$(MAKECMDGOALS)) was renamed to $(subst openshift,ubi,$(filter openshift-%,$(MAKECMDGOALS))) and will be removed in a future release.\n" - @$(MAKE) $(subst openshift,ubi,$(MAKECMDGOALS)) $(MAKEFLAGS) - -.PHONY: alpine-image-opentracing -alpine-image-opentracing: - @echo "OpenTracing is now included in all Alpine based 
images" - -.PHONY: debian-image-opentracing debian-image-opentracing-plus -debian-image-opentracing debian-image-opentracing-plus: - @echo "OpenTracing is now included in all Debian based images" - .PHONY: all-images ## Create all the Docker images for Ingress Controller all-images: alpine-image alpine-image-plus debian-image debian-image-plus debian-image-nap-plus debian-image-dos-plus debian-image-nap-dos-plus ubi-image ubi-image-plus ubi-image-nap-plus ubi-image-dos-plus ubi-image-nap-dos-plus .PHONY: push push: ## Docker push to PREFIX and TAG - docker push $(PREFIX):$(TAG) + docker push $(strip $(PREFIX)):$(strip $(TAG)) .PHONY: clean clean: ## Remove nginx-ingress binary diff --git a/README.md b/README.md index 51a4841c19..cb222c436a 100644 --- a/README.md +++ b/README.md 
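Review bot: The `$(strip …)` calls added to `docker push` are needed only because the variable definitions at the top of the Makefile now put a space before ` ##`, and GNU make keeps that trailing space in the value. Patching each use site is fragile: any expansion of `$(PREFIX)`, `$(TAG)`, `$(TARGET)` or `$(ARCH)` not touched by this diff still carries the space, which in a recipe can split an image reference into two shell words. Normalising once after the definitions, e.g. `override TAG := $(strip $(TAG))` for each of the four variables, would make every use safe.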
@@ -1,73 +1,124 @@ - -[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/nginxinc/kubernetes-ingress/badge)](https://api.securityscorecards.dev/projects/github.com/nginxinc/kubernetes-ingress) [![CI](https://github.com/nginxinc/kubernetes-ingress/actions/workflows/ci.yml/badge.svg)](https://github.com/nginxinc/kubernetes-ingress/actions/workflows/ci.yml) [![FOSSA Status](https://app.fossa.com/api/projects/custom%2B5618%2Fgithub.com%2Fnginxinc%2Fkubernetes-ingress.svg?type=shield)](https://app.fossa.com/projects/custom%2B5618%2Fgithub.com%2Fnginxinc%2Fkubernetes-ingress?ref=badge_shield) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Go Report Card](https://goreportcard.com/badge/github.com/nginxinc/kubernetes-ingress)](https://goreportcard.com/report/github.com/nginxinc/kubernetes-ingress) [![codecov](https://codecov.io/gh/nginxinc/kubernetes-ingress/branch/main/graph/badge.svg?token=snCn7Y0zC7)](https://codecov.io/gh/nginxinc/kubernetes-ingress) [![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/nginxinc/kubernetes-ingress?logo=github&sort=semver)](https://github.com/nginxinc/kubernetes-ingress/releases/latest) ![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/nginxinc/kubernetes-ingress?logo=go) [![Docker Pulls](https://img.shields.io/docker/pulls/nginx/nginx-ingress?logo=docker&logoColor=white)](https://hub.docker.com/r/nginx/nginx-ingress) ![Docker Image Size (latest semver)](https://img.shields.io/docker/image-size/nginx/nginx-ingress?logo=docker&logoColor=white&sort=semver) [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/nginx-ingress)](https://artifacthub.io/packages/container/nginx-ingress/kubernetes-ingress) 
[![Slack](https://img.shields.io/badge/slack-%23nginx--ingress--controller-green?logo=slack)](https://nginxcommunity.slack.com/channels/nginx-ingress-controller) - -# 🚀 *Help make the NGINX Ingress Controller better by participating in our [survey](https://forms.office.com/Pages/ResponsePage.aspx?id=L_093Ttq0UCb4L-DJ9gcUKLQ7uTJaE1PitM_37KR881UMEs0Rk5PMkYzMTJTWVA0V1hUVTRLUUMyNS4u)!* 🚀 + +[![OpenSSFScorecard](https://api.securityscorecards.dev/projects/github.com/nginxinc/kubernetes-ingress/badge)](https://api.securityscorecards.dev/projects/github.com/nginxinc/kubernetes-ingress) +[![CI](https://github.com/nginxinc/kubernetes-ingress/actions/workflows/ci.yml/badge.svg)](https://github.com/nginxinc/kubernetes-ingress/actions/workflows/ci.yml) +[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B5618%2Fgithub.com%2Fnginxinc%2Fkubernetes-ingress.svg?type=shield)](https://app.fossa.com/projects/custom%2B5618%2Fgithub.com%2Fnginxinc%2Fkubernetes-ingress?ref=badge_shield) +[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) +[![Go Report Card](https://goreportcard.com/badge/github.com/nginxinc/kubernetes-ingress)](https://goreportcard.com/report/github.com/nginxinc/kubernetes-ingress) +[![codecov](https://codecov.io/gh/nginxinc/kubernetes-ingress/branch/main/graph/badge.svg?token=snCn7Y0zC7)](https://codecov.io/gh/nginxinc/kubernetes-ingress) +[![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/nginxinc/kubernetes-ingress?logo=github&sort=semver)](https://github.com/nginxinc/kubernetes-ingress/releases/latest) +![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/nginxinc/kubernetes-ingress?logo=go) +[![Docker Pulls](https://img.shields.io/docker/pulls/nginx/nginx-ingress?logo=docker&logoColor=white)](https://hub.docker.com/r/nginx/nginx-ingress) +![Docker Image Size (latest 
semver)](https://img.shields.io/docker/image-size/nginx/nginx-ingress?logo=docker&logoColor=white&sort=semver) +[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/nginx-ingress)](https://artifacthub.io/packages/container/nginx-ingress/kubernetes-ingress) +[![Slack](https://img.shields.io/badge/slack-%23nginx--ingress--controller-green?logo=slack)](https://nginxcommunity.slack.com/channels/nginx-ingress-controller) +[![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active) +![Commercial Support](https://badgen.net/badge/support/commercial/green?icon=awesome) # NGINX Ingress Controller -This repo provides an implementation of an Ingress Controller for NGINX and NGINX Plus. +This repo provides an implementation of an Ingress Controller for NGINX and NGINX Plus from the people behind NGINX. -**Note**: this project is different from the NGINX Ingress Controller in [kubernetes/ingress-nginx](https://github.com/kubernetes/ingress-nginx) repo. See [this doc](https://docs.nginx.com/nginx-ingress-controller/intro/nginx-ingress-controllers) to find out about the key differences. +NGINX Ingress Controller works with both NGINX and NGINX Plus and supports the standard Ingress features - content-based +routing and TLS/SSL termination. -## What is the Ingress? +Additionally, several NGINX and NGINX Plus features are available as extensions to the Ingress resource via annotations +and the ConfigMap resource. In addition to HTTP, NGINX Ingress Controller supports load balancing Websocket, gRPC, TCP +and UDP applications. 
See +[ConfigMap](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) and +[Annotations](https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/) +docs to learn more about the supported features and customization options. -The Ingress is a Kubernetes resource that lets you configure an HTTP load balancer for applications running on Kubernetes, represented by one or more [Services](https://kubernetes.io/docs/concepts/services-networking/service/). Such a load balancer is necessary to deliver those applications to clients outside of the Kubernetes cluster. +As an alternative to the Ingress, NGINX Ingress Controller supports the VirtualServer and VirtualServerRoute resources. +They enable use cases not supported with the Ingress resource, such as traffic splitting and advanced content-based +routing. See [VirtualServer and VirtualServerRoute resources +doc](https://docs.nginx.com/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/). -The Ingress resource supports the following features: -* **Content-based routing**: - * *Host-based routing*. For example, routing requests with the host header `foo.example.com` to one group of services and the host header `bar.example.com` to another group. - * *Path-based routing*. For example, routing requests with the URI that starts with `/serviceA` to service A and requests with the URI that starts with `/serviceB` to service B. -* **TLS/SSL termination** for each hostname, such as `foo.example.com`. +TCP, UDP and TLS Passthrough load balancing is also supported. See the [TransportServer resource +doc](https://docs.nginx.com/nginx-ingress-controller/configuration/transportserver-resource/). -See the [Ingress User Guide](https://kubernetes.io/docs/user-guide/ingress/) to learn more about the Ingress resource. 
+Read [this doc](https://docs.nginx.com/nginx-ingress-controller/intro/nginx-plus) to learn more about NGINX Ingress +Controller with NGINX Plus. -## What is the Ingress Controller? +> **Note** +> +> This project is different from the NGINX Ingress Controller in +[kubernetes/ingress-nginx](https://github.com/kubernetes/ingress-nginx) repo. See [this +doc](https://docs.nginx.com/nginx-ingress-controller/intro/nginx-ingress-controllers) to find out about the key +differences. -The Ingress Controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources. The load balancer can be a software load balancer running in the cluster or a hardware or cloud load balancer running externally. Different load balancers require different Ingress Controller implementations. +## Ingress and Ingress Controller -In the case of NGINX, the Ingress Controller is deployed in a pod along with the load balancer. +### What is the Ingress? -## NGINX Ingress Controller +The Ingress is a Kubernetes resource that lets you configure an HTTP load balancer for applications running on +Kubernetes, represented by one or more [Services](https://kubernetes.io/docs/concepts/services-networking/service/). +Such a load balancer is necessary to deliver those applications to clients outside of the Kubernetes cluster. -NGINX Ingress Controller works with both NGINX and NGINX Plus and supports the standard Ingress features - content-based routing and TLS/SSL termination. +The Ingress resource supports the following features: -Additionally, several NGINX and NGINX Plus features are available as extensions to the Ingress resource via annotations and the ConfigMap resource. In addition to HTTP, NGINX Ingress Controller supports load balancing Websocket, gRPC, TCP and UDP applications. 
See [ConfigMap](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) and [Annotations](https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/) docs to learn more about the supported features and customization options. +- **Content-based routing**: + - *Host-based routing*. For example, routing requests with the host header `foo.example.com` to one group of services + and the host header `bar.example.com` to another group. + - *Path-based routing*. For example, routing requests with the URI that starts with `/serviceA` to service A and + requests with the URI that starts with `/serviceB` to service B. +- **TLS/SSL termination** for each hostname, such as `foo.example.com`. -As an alternative to the Ingress, NGINX Ingress Controller supports the VirtualServer and VirtualServerRoute resources. They enable use cases not supported with the Ingress resource, such as traffic splitting and advanced content-based routing. See [VirtualServer and VirtualServerRoute resources doc](https://docs.nginx.com/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/). +See the [Ingress User Guide](https://kubernetes.io/docs/user-guide/ingress/) to learn more about the Ingress resource. -TCP, UDP and TLS Passthrough load balancing is also supported. See the [TransportServer resource doc](https://docs.nginx.com/nginx-ingress-controller/configuration/transportserver-resource/). +### What is the Ingress Controller? -Read [this doc](https://docs.nginx.com/nginx-ingress-controller/intro/nginx-plus) to learn more about NGINX Ingress Controller with NGINX Plus. +The Ingress Controller is an application that runs in a cluster and configures an HTTP load balancer according to +Ingress resources. The load balancer can be a software load balancer running in the cluster or a hardware or cloud load +balancer running externally. 
Different load balancers require different Ingress Controller implementations. + +In the case of NGINX, the Ingress Controller is deployed in a pod along with the load balancer. ## Getting Started -1. Install the NGINX Ingress Controller using the Kubernetes [manifests](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) or the [helm chart](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-helm/). +> **Note** +> +> All documentation should only be used with the latest stable release, indicated on [the releases +> page](https://github.com/nginxinc/kubernetes-ingress/releases) of the GitHub repository. + +1. Install the NGINX Ingress Controller using the [Helm + chart](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-helm/) or the Kubernetes + [manifests](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/). 1. Configure load balancing for a simple web application: - * Use the Ingress resource. See the [Cafe example](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples/ingress-resources/complete-example). - * Or the VirtualServer resource. See the [Basic configuration](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples/custom-resources/basic-configuration) example. + - Use the Ingress resource. See the [Cafe + example](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples/ingress-resources/complete-example). + - Or the VirtualServer resource. See the [Basic + configuration](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples/custom-resources/basic-configuration) + example. 1. See additional configuration [examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). -1. Learn more about all available configuration and customization in the [docs](https://docs.nginx.com/nginx-ingress-controller/). +1. 
Learn more about all available configuration and customization in the + [docs](https://docs.nginx.com/nginx-ingress-controller/). ## NGINX Ingress Controller Releases -We publish Ingress Controller releases on GitHub. See our [releases page](https://github.com/nginxinc/kubernetes-ingress/releases). +We publish NGINX Ingress Controller releases on GitHub. See our [releases +page](https://github.com/nginxinc/kubernetes-ingress/releases). -The latest stable release is [3.1.1](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.1.1). For production use, we recommend that you choose the latest stable release. +The latest stable release is [3.2.0](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.2.0). For production +use, we recommend that you choose the latest stable release. -The edge version is useful for experimenting with new features that are not yet published in a stable release. To use it, choose the *edge* version built from the [latest commit](https://github.com/nginxinc/kubernetes-ingress/commits/main) from the main branch. +The edge version is useful for experimenting with new features that are not yet published in a stable release. To use +it, choose the *edge* version built from the [latest +commit](https://github.com/nginxinc/kubernetes-ingress/commits/main) from the main branch. -To use the Ingress Controller, you need to have access to: -* An Ingress Controller image. -* Installation manifests or a Helm chart. -* Documentation and examples. +To use the NGINX Ingress Controller, you need to have access to: + +- An NGINX Ingress Controller image. +- Installation manifests or a Helm chart. +- Documentation and examples. It is important that the versions of those things above match. 
-The table below summarizes the options regarding the images, manifests, helm chart, documentation and examples and gives your links to the correct versions: +The table below summarizes the options regarding the images, Helm chart, manifests, documentation and examples and gives +your links to the correct versions: | Version | Description | Image for NGINX | Image for NGINX Plus | Installation Manifests and Helm Chart | Documentation and Examples | | ------- | ----------- | --------------- | -------------------- | ---------------------------------------| -------------------------- | -| Latest stable release | For production use | Use the 3.1.1 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.1.1 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/deployments/helm-chart). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). 
| +| Latest stable release | For production use | Use the 3.2.0 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.2.0 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/deployments/helm-chart). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). | | Edge/Nightly | For testing and experimenting | Use the edge or nightly images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). 
| [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments/helm-chart). | [Documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content). [Examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). | ## SBOM (Software Bill of Materials) 
@@ -76,21 +127,30 @@ We generate SBOMs for the binaries and the Docker images. ### Binaries -The SBOMs for the binaries are available in the releases page. The SBOMs are generated using [syft](https://github.com/anchore/syft) and are available in SPDX format. +The SBOMs for the binaries are available in the releases page. The SBOMs are generated using +[syft](https://github.com/anchore/syft) and are available in SPDX format. ### Docker Images -The SBOMs for the Docker images are available in the [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) repositories. The SBOMs are generated using [syft](https://github.com/anchore/syft) and stored as an attestation in the image manifest. +The SBOMs for the Docker images are available in the [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub +Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public +Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) +repositories. The SBOMs are generated using [syft](https://github.com/anchore/syft) and stored as an attestation in the +image manifest. 
-For example to retrieve the SBOM for `linux/amd64` from Docker Hub and analyze it using [grype](https://github.com/anchore/grype) you can run the following command: -``` -$ docker buildx imagetools inspect nginx/nginx-ingress:edge --format '{{ json (index .SBOM "linux/amd64").SPDX }}' | grype +For example to retrieve the SBOM for `linux/amd64` from Docker Hub and analyze it using +[grype](https://github.com/anchore/grype) you can run the following command: + +```console +docker buildx imagetools inspect nginx/nginx-ingress:edge --format '{{ json (index .SBOM "linux/amd64").SPDX }}' | grype ``` ## Contacts -We’d like to hear your feedback! If you have any suggestions or experience issues with our Ingress Controller, please create an issue or send a pull request on GitHub. -You can contact us directly via [kubernetes@nginx.com](mailto:kubernetes@nginx.com) or on the [NGINX Community Slack](https://nginxcommunity.slack.com/channels/nginx-ingress-controller). +We’d like to hear your feedback! If you have any suggestions or experience issues with our Ingress Controller, please +create an issue or send a pull request on GitHub. You can contact us directly via +[kubernetes@nginx.com](mailto:kubernetes@nginx.com) or on the [NGINX Community +Slack](https://nginxcommunity.slack.com/channels/nginx-ingress-controller). ## Contributing @@ -98,5 +158,4 @@ If you'd like to contribute to the project, please read our [Contributing guide] ## Support -For NGINX Plus customers NGINX Ingress Controller (when used with NGINX Plus) is covered -by the support contract. +For NGINX Plus customers NGINX Ingress Controller (when used with NGINX Plus) is covered by the support contract. diff --git a/SECURITY.md b/SECURITY.md index 04bd826f70..fa1507de15 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,15 +2,20 @@ ## Supported Versions -We advise users to run the most recent release of the NGINX Ingress Controller, and we issue software updates to the most recent release. We provide technical support for F5 customers who are using the most recent version of the NGINX Ingress Controller, and any version released within two years of the current release. +We advise users to run the most recent release of the NGINX Ingress Controller, and we issue software updates to the +most recent release. We provide technical support for F5 customers who are using the most recent version of the NGINX +Ingress Controller, and any version released within two years of the current release. -For more information visit https://docs.nginx.com/nginx-ingress-controller/technical-specifications/ +For more information visit ## Reporting a Vulnerability -The F5 Security Incident Response Team (F5 SIRT) has an email alias that makes it easy to report potential security vulnerabilities. +The F5 Security Incident Response Team (F5 SIRT) has an email alias that makes it easy to report potential security +vulnerabilities. -- If you’re an F5 customer with an active support contract, please contact [F5 Technical Support](https://www.f5.com/services/support). -- If you aren’t an F5 customer, please report any potential or current instances of security vulnerabilities with any F5 product to the F5 Security Incident Response Team at F5SIRT@f5.com +- If you’re an F5 customer with an active support contract, please contact [F5 Technical + Support](https://www.f5.com/services/support). +- If you aren’t an F5 customer, please report any potential or current instances of security vulnerabilities with any F5 + product to the F5 Security Incident Response Team at -For more information visit https://www.f5.com/services/support/report-a-vulnerability +For more information visit diff --git a/build/Dockerfile b/build/Dockerfile index 1f6bebc825..3d958a1426 100644 --- a/build/Dockerfile 
+++ b/build/Dockerfile @@ -4,19 +4,18 @@ ARG NGINX_PLUS_VERSION=R29 ARG DOWNLOAD_TAG=edge -############################################# Base images containing libs for Opentracing ############################################# -FROM opentracing/nginx-opentracing:nginx-1.23.4 as opentracing-lib -FROM opentracing/nginx-opentracing:nginx-1.23.4-alpine as alpine-opentracing-lib +############################################# Base images containing libs for Opentracing and FIPS ############################################# +FROM opentracing/nginx-opentracing:nginx-1.25.1 as opentracing-lib +FROM opentracing/nginx-opentracing:nginx-1.25.1-alpine as alpine-opentracing-lib +FROM ghcr.io/nginxinc/alpine-fips:0.1.1-alpine3.18 as alpine-fips ############################################# Base image for Debian ############################################# -FROM nginx:1.23.4 AS debian +FROM nginx:1.25.1 AS debian RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ apt-get update \ && apt-get install --no-install-recommends --no-install-suggests -y libcap2-bin \ - # temp fix for CVE-2022-3821, CVE-2022-29458, CVE-2023-28484 and CVE-2022-44617 - && apt-get install ncurses-base ncurses-bin libudev1 libsystemd0 libtinfo6 libxml2 libxpm4 \ && rm -rf /var/lib/apt/lists/* \ && cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ && cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \ 
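Review bot: The new `alpine-fips` stage is referenced by a mutable tag (`ghcr.io/nginxinc/alpine-fips:0.1.1-alpine3.18`), so a re-pushed tag would silently change the crypto provider that ships. The alpine-plus-fips stage later in this patch copies `fips.so`, `fipsmodule.cnf` and `openssl.cnf` out of that image. Pinning by digest keeps the tag readable and ties the build to one reviewed image: `FROM ghcr.io/nginxinc/alpine-fips:0.1.1-alpine3.18@sha256:<digest-of-reviewed-image> as alpine-fips`. The same applies to the two `opentracing/nginx-opentracing:nginx-1.25.1` stages, whose shared objects are copied into the Debian and Alpine images in this hunk.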
@@ -24,19 +23,19 @@ RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ ############################################# Base image for Alpine ############################################# -FROM nginx:1.23.4-alpine AS alpine +FROM nginx:1.25.1-alpine AS alpine RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ apk add --no-cache libcap libstdc++ \ - # temp fix for CVE-2023-1255 and CVE-2023-28484 - && apk upgrade --no-cache libcrypto3 libssl3 libxml2 \ + # temp fix for CVE-2023-3138 + && apk upgrade --no-cache libx11 \ && cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ && cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \ && ldconfig /usr/local/lib/ ############################################# Base image for Alpine with NGINX Plus ############################################# -FROM alpine:3.17 as alpine-plus +FROM alpine:3.18 as alpine-plus ARG NGINX_PLUS_VERSION RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ 
@@ -44,15 +43,23 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ wget -nv -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \ && printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ - && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing libcap libcurl \ - # temp fix for CVE-2023-1255 - && apk upgrade --no-cache libcrypto3 libssl3 \ + && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing nginx-plus-module-fips-check libcap libcurl \ && cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ && ldconfig /usr/local/lib/ +############################################# Base image for Alpine with NGINX Plus and FIPS ############################################# +FROM alpine-plus as alpine-plus-fips + +RUN --mount=type=bind,from=alpine-fips,target=/tmp/fips/ \ + mkdir -p /usr/ssl \ + && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ + && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ + && cp -av /tmp/fips/etc/ssl/openssl.cnf /etc/ssl/openssl.cnf + + ############################################# Base image for Debian with NGINX Plus ############################################# -FROM debian:11-slim AS debian-plus +FROM debian:12-slim AS debian-plus ARG IC_VERSION ARG NGINX_PLUS_VERSION ARG BUILD_OS 
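Review bot: Nothing in the build checks that the FIPS provider actually loads against the libcrypto installed in `alpine-plus`, although the alpine-plus-fips stage copies `fips.so`, `fipsmodule.cnf` and a replacement `/etc/ssl/openssl.cnf` in from another image. `fipsmodule.cnf` carries an integrity MAC tied to the exact `fips.so` it was generated for, and the provider must be compatible with the base image's OpenSSL. A mismatch would therefore only surface at runtime, presumably through `nginx-plus-module-fips-check`, whose behaviour is not visible here. Consider a comment above the RUN such as `# fips.so and fipsmodule.cnf must come from the same alpine-fips build and match the OpenSSL in alpine:3.18`. If the openssl CLI is available in a build stage, a verification step could also fail the build when the FIPS provider is not listed.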
@@ -69,9 +76,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && printf "%s\n" "Acquire::https::pkgs.nginx.com::User-Agent \"k8s-ic-$IC_VERSION${BUILD_OS##debian-plus}-apt\";" >> /etc/apt/apt.conf.d/90pkgs-nginx \ && printf "%s\n" "deb https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/debian ${DEBIAN_VERSION} nginx-plus" > /etc/apt/sources.list.d/nginx-plus.list \ && apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing libcap2-bin libcurl4 \ - # temp fix for CVE-2022-3821 and CVE-2022-29458 - && apt-get install ncurses-base ncurses-bin libudev1 libsystemd0 \ + && apt-get install --no-install-recommends --no-install-suggests -y nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing nginx-plus-module-fips-check libcap2-bin libcurl4 \ && apt-get purge --auto-remove -y apt-transport-https gnupg curl \ && cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ && ldconfig \ 
@@ -79,15 +84,25 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for Debian with NGINX Plus and App Protect WAF/DoS ############################################# -FROM debian-plus as debian-plus-nap +FROM debian:11-slim as debian-plus-nap +ARG IC_VERSION ARG NGINX_PLUS_VERSION ARG NAP_MODULES RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y gnupg curl apt-transport-https \ + ## the code below is duplicated from the debian-plus image because NAP doesn't support debian 12 + && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg curl apt-transport-https \ + && curl -fsSL https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor > /etc/apt/trusted.gpg.d/nginx_signing.gpg \ + && curl -fsSL -o /etc/apt/apt.conf.d/90pkgs-nginx https://cs.nginx.com/static/files/90pkgs-nginx \ && DEBIAN_VERSION=$(awk -F '=' '/^VERSION_CODENAME=/ {print $2}' /etc/os-release) \ + && printf "%s\n" "Acquire::https::pkgs.nginx.com::User-Agent \"k8s-ic-$IC_VERSION${BUILD_OS##debian-plus}-apt\";" >> /etc/apt/apt.conf.d/90pkgs-nginx \ + && printf "%s\n" "deb https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/debian ${DEBIAN_VERSION} nginx-plus" > /etc/apt/sources.list.d/nginx-plus.list \ + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing nginx-plus-module-fips-check libcap2-bin libcurl4 \ + ## end of duplicated code && if [ -z "${NAP_MODULES##*waf*}" ]; then \ curl -fsSL https://cs.nginx.com/static/keys/app-protect-security-updates.key | gpg --dearmor > /etc/apt/trusted.gpg.d/nginx_app_signing.gpg \ 
&& printf "%s\n" "deb https://pkgs.nginx.com/app-protect/${NGINX_PLUS_VERSION}/debian ${DEBIAN_VERSION} nginx-plus" \ @@ -101,6 +116,10 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && apt-get install --no-install-recommends --no-install-suggests -y app-protect-dos; \ fi \ && apt-get purge --auto-remove -y apt-transport-https gnupg curl \ + ## the code below is duplicated from the debian-plus image because NAP doesn't support debian 12 + && cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ + && ldconfig \ + ## end of duplicated code && rm -rf /var/lib/apt/lists/* \ && rm /etc/apt/sources.list.d/nginx-app-protect*.list @@ -110,7 +129,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI ############################################# -FROM nginxcontrib/nginx:1.23.4-ubi AS ubi +FROM nginxcontrib/nginx:1.25.1-ubi AS ubi ARG IC_VERSION LABEL name="NGINX Ingress Controller" \ @@ -139,7 +158,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && rpm --import https://cs.nginx.com/static/keys/nginx_signing.key \ && curl -fsSL "https://cs.nginx.com/static/files/plus-$(grep -E -o '[0-9]+\.[0-9]+' /etc/redhat-release | cut -d"." -f1).repo" | tr 0 1 > /etc/yum.repos.d/nginx-plus.repo \ && sed -i "0,/centos/s;;${NGINX_PLUS_VERSION}/centos;" /etc/yum.repos.d/nginx-plus.repo \ - && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs \ + && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check \ && microdnf remove -y shadow-utils \ && microdnf clean all 
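Review bot: `${BUILD_OS##debian-plus}` in the duplicated User-Agent line appears to expand to an empty string in this stage. debian-plus-nap now starts from `debian:11-slim`, and the declarations visible between its `FROM` and `RUN` are only `ARG IC_VERSION`, `ARG NGINX_PLUS_VERSION` and `ARG NAP_MODULES`, whereas the `debian-plus` stage the code was copied from declares `ARG BUILD_OS`. Adding `ARG BUILD_OS` next to `ARG IC_VERSION` would restore the suffix. Separately, the repository key is written to `/etc/apt/trusted.gpg.d/nginx_signing.gpg`, which makes it trusted for every configured apt source; a `signed-by=` option on the `pkgs.nginx.com` entry would scope it to that repository. The RUN instruction continues past this hunk into the next one.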
@@ -160,7 +179,9 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && rpm --import https://cs.nginx.com/static/keys/nginx_signing.key \ && curl -fsSL "https://cs.nginx.com/static/files/nginx-plus-$(grep -E -o '[0-9]+\.[0-9]+' /etc/redhat-release | cut -d"." -f1).repo" | tr 0 1 > /etc/yum.repos.d/nginx-plus.repo \ && sed -i "0,/centos/s;;${NGINX_PLUS_VERSION}/centos;" /etc/yum.repos.d/nginx-plus.repo \ - && dnf --nodocs install -y nginx-plus nginx-plus-module-njs \ + && dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check \ + # temp fix for CVE-2023-24329 + && dnf upgrade -y platform-python \ ## end of duplicated code && sed -i 's/\(def in_container():\)/\1\n return False/g' /usr/lib64/python*/*-packages/rhsm/config.py \ && subscription-manager register --org=${RHEL_ORGANIZATION} --activationkey=${RHEL_ACTIVATION_KEY} || true \ @@ -191,7 +212,6 @@ FROM ${BUILD_OS} as common ARG BUILD_OS ARG IC_VERSION -ARG GIT_COMMIT ARG TARGETPLATFORM ARG NAP_MODULES=none @@ -228,7 +248,6 @@ ENTRYPOINT ["/nginx-ingress"] USER 101 LABEL org.opencontainers.image.version="${IC_VERSION}" -LABEL org.opencontainers.image.revision="${GIT_COMMIT}" LABEL org.nginx.kic.image.build.target="${TARGETPLATFORM}" LABEL org.nginx.kic.image.build.os="${BUILD_OS}" LABEL org.nginx.kic.image.build.nginx.version="${NGINX_PLUS_VERSION}${NGINX_VERSION}" diff --git a/build/README.md b/build/README.md index 8bc31e68ab..c983fb9b84 100644 --- a/build/README.md +++ b/build/README.md @@ -1,3 +1,3 @@ # NGINX Ingress Controller -This doc is now available at https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/ +This doc is now available at diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index dc4db316c5..86b44a3216 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go 
@@ -13,18 +13,18 @@ import ( "time" "github.com/golang/glog" - "github.com/nginxinc/kubernetes-ingress/internal/configs" - "github.com/nginxinc/kubernetes-ingress/internal/configs/version1" - "github.com/nginxinc/kubernetes-ingress/internal/configs/version2" - "github.com/nginxinc/kubernetes-ingress/internal/healthcheck" - "github.com/nginxinc/kubernetes-ingress/internal/k8s" - "github.com/nginxinc/kubernetes-ingress/internal/k8s/secrets" - "github.com/nginxinc/kubernetes-ingress/internal/metrics" - "github.com/nginxinc/kubernetes-ingress/internal/metrics/collectors" - "github.com/nginxinc/kubernetes-ingress/internal/nginx" - cr_validation "github.com/nginxinc/kubernetes-ingress/pkg/apis/configuration/validation" - k8s_nginx "github.com/nginxinc/kubernetes-ingress/pkg/client/clientset/versioned" - conf_scheme "github.com/nginxinc/kubernetes-ingress/pkg/client/clientset/versioned/scheme" + "github.com/nginxinc/kubernetes-ingress/v3/internal/configs" + "github.com/nginxinc/kubernetes-ingress/v3/internal/configs/version1" + "github.com/nginxinc/kubernetes-ingress/v3/internal/configs/version2" + "github.com/nginxinc/kubernetes-ingress/v3/internal/healthcheck" + "github.com/nginxinc/kubernetes-ingress/v3/internal/k8s" + "github.com/nginxinc/kubernetes-ingress/v3/internal/k8s/secrets" + "github.com/nginxinc/kubernetes-ingress/v3/internal/metrics" + "github.com/nginxinc/kubernetes-ingress/v3/internal/metrics/collectors" + "github.com/nginxinc/kubernetes-ingress/v3/internal/nginx" + cr_validation "github.com/nginxinc/kubernetes-ingress/v3/pkg/apis/configuration/validation" + k8s_nginx "github.com/nginxinc/kubernetes-ingress/v3/pkg/client/clientset/versioned" + conf_scheme "github.com/nginxinc/kubernetes-ingress/v3/pkg/client/clientset/versioned/scheme" "github.com/nginxinc/nginx-plus-go-client/client" nginxCollector "github.com/nginxinc/nginx-prometheus-exporter/collector" "github.com/prometheus/client_golang/prometheus" 
diff --git a/deployments/README.md b/deployments/README.md index 813085d3b6..f552136f7e 100644 --- a/deployments/README.md +++ b/deployments/README.md @@ -1,3 +1,4 @@ # Installation -This folder includes Kubernetes manifests for installing NGINX or NGINX Plus Ingress Controller. Read the installation instructions [here](https://docs.nginx.com/nginx-ingress-controller/installation/). +This folder includes Kubernetes manifests for installing NGINX or NGINX Plus Ingress Controller. Read the installation +instructions [here](https://docs.nginx.com/nginx-ingress-controller/installation/). diff --git a/deployments/common/crds/appprotectdos.f5.com_dosprotectedresources.yaml b/deployments/common/crds/appprotectdos.f5.com_dosprotectedresources.yaml index b6dffb3f4c..0e64a1cdcb 100644 --- a/deployments/common/crds/appprotectdos.f5.com_dosprotectedresources.yaml +++ b/deployments/common/crds/appprotectdos.f5.com_dosprotectedresources.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.12.1 name: dosprotectedresources.appprotectdos.f5.com spec: group: appprotectdos.f5.com diff --git a/deployments/common/crds/externaldns.nginx.org_dnsendpoints.yaml b/deployments/common/crds/externaldns.nginx.org_dnsendpoints.yaml index e48f4a5e34..1e07fa1a75 100644 --- a/deployments/common/crds/externaldns.nginx.org_dnsendpoints.yaml +++ b/deployments/common/crds/externaldns.nginx.org_dnsendpoints.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.12.1 name: dnsendpoints.externaldns.nginx.org spec: group: externaldns.nginx.org 
diff --git a/deployments/common/crds/k8s.nginx.org_globalconfigurations.yaml b/deployments/common/crds/k8s.nginx.org_globalconfigurations.yaml index 3177169116..65d5c048be 100644 --- a/deployments/common/crds/k8s.nginx.org_globalconfigurations.yaml +++ b/deployments/common/crds/k8s.nginx.org_globalconfigurations.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.12.1 name: globalconfigurations.k8s.nginx.org spec: group: k8s.nginx.org diff --git a/deployments/common/crds/k8s.nginx.org_policies.yaml b/deployments/common/crds/k8s.nginx.org_policies.yaml index 39c780f17e..b93bc6001b 100644 --- a/deployments/common/crds/k8s.nginx.org_policies.yaml +++ b/deployments/common/crds/k8s.nginx.org_policies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.12.1 name: policies.k8s.nginx.org spec: group: k8s.nginx.org diff --git a/deployments/common/crds/k8s.nginx.org_transportservers.yaml b/deployments/common/crds/k8s.nginx.org_transportservers.yaml index 3608e27b7a..7c3a05a84b 100644 --- a/deployments/common/crds/k8s.nginx.org_transportservers.yaml +++ b/deployments/common/crds/k8s.nginx.org_transportservers.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.12.1 name: transportservers.k8s.nginx.org spec: group: k8s.nginx.org diff --git a/deployments/common/crds/k8s.nginx.org_virtualserverroutes.yaml b/deployments/common/crds/k8s.nginx.org_virtualserverroutes.yaml index 22048b9075..75ac646162 100644 --- a/deployments/common/crds/k8s.nginx.org_virtualserverroutes.yaml 
+++ b/deployments/common/crds/k8s.nginx.org_virtualserverroutes.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.12.1 name: virtualserverroutes.k8s.nginx.org spec: group: k8s.nginx.org @@ -588,6 +588,8 @@ spec: type: string path: type: string + samesite: + type: string secure: type: boolean slow-start: diff --git a/deployments/common/crds/k8s.nginx.org_virtualservers.yaml b/deployments/common/crds/k8s.nginx.org_virtualservers.yaml index b288111874..78afe01102 100644 --- a/deployments/common/crds/k8s.nginx.org_virtualservers.yaml +++ b/deployments/common/crds/k8s.nginx.org_virtualservers.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.12.1 name: virtualservers.k8s.nginx.org spec: group: k8s.nginx.org @@ -675,6 +675,8 @@ spec: type: string path: type: string + samesite: + type: string secure: type: boolean slow-start: diff --git a/deployments/daemon-set/nginx-ingress.yaml b/deployments/daemon-set/nginx-ingress.yaml index 732f3ceecb..ae07ff43dc 100644 --- a/deployments/daemon-set/nginx-ingress.yaml +++ b/deployments/daemon-set/nginx-ingress.yaml @@ -22,7 +22,6 @@ spec: securityContext: seccompProfile: type: RuntimeDefault -# fsGroup: 101 #nginx # volumes: # - name: nginx-etc # emptyDir: {} @@ -33,7 +32,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx/nginx-ingress:3.1.1 + - image: nginx/nginx-ingress:3.2.0 imagePullPolicy: IfNotPresent name: nginx-ingress ports: @@ -63,6 +62,7 @@ spec: allowPrivilegeEscalation: false # readOnlyRootFilesystem: true runAsUser: 101 #nginx + runAsNonRoot: true capabilities: drop: - ALL 
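Review bot: The new `runAsNonRoot: true` line in deployments/daemon-set/nginx-ingress.yaml (also added in deployments/daemon-set/nginx-plus-ingress.yaml) has no comment, although the neighbouring `runAsUser: 101 #nginx` does. Its purpose next to an explicit UID is not obvious, so a short trailing comment would help: `runAsNonRoot: true # kubelet refuses to start the container as UID 0, even if runAsUser is later overridden`. The two deployment manifests changed in this patch show no matching hunk. They may already carry the field, which is worth confirming so all four manifests agree.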
@@ -96,7 +96,7 @@ spec: #- -enable-prometheus-metrics #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.1.1 +# - image: nginx/nginx-ingress:3.2.0 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/deployments/daemon-set/nginx-plus-ingress.yaml b/deployments/daemon-set/nginx-plus-ingress.yaml index 8fc2e6e93c..20dd7f095a 100644 --- a/deployments/daemon-set/nginx-plus-ingress.yaml +++ b/deployments/daemon-set/nginx-plus-ingress.yaml @@ -22,7 +22,6 @@ spec: securityContext: seccompProfile: type: RuntimeDefault -# fsGroup: 101 #nginx # volumes: # - name: nginx-etc # emptyDir: {} @@ -33,7 +32,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx-plus-ingress:3.1.1 + - image: nginx-plus-ingress:3.2.0 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ports: @@ -63,6 +62,7 @@ spec: allowPrivilegeEscalation: false # readOnlyRootFilesystem: true runAsUser: 101 #nginx + runAsNonRoot: true capabilities: drop: - ALL @@ -99,7 +99,7 @@ spec: #- -enable-prometheus-metrics #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.1.1 +# - image: nginx/nginx-ingress:3.2.0 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/deployments/deployment/nginx-ingress.yaml b/deployments/deployment/nginx-ingress.yaml index fb4cd531f8..43c9152000 100644 --- a/deployments/deployment/nginx-ingress.yaml +++ b/deployments/deployment/nginx-ingress.yaml @@ -23,7 +23,6 @@ spec: securityContext: seccompProfile: type: RuntimeDefault -# fsGroup: 101 #nginx # volumes: # - name: nginx-etc # emptyDir: {} @@ -34,7 +33,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx/nginx-ingress:3.1.1 + - image: nginx/nginx-ingress:3.2.0 imagePullPolicy: IfNotPresent name: nginx-ingress ports: 
@@ -98,7 +97,7 @@ spec: #- -enable-prometheus-metrics #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.1.1 +# - image: nginx/nginx-ingress:3.2.0 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/deployments/deployment/nginx-plus-ingress.yaml index 107c77981d..24c3bcc6b5 100644 --- a/deployments/deployment/nginx-plus-ingress.yaml +++ b/deployments/deployment/nginx-plus-ingress.yaml @@ -23,7 +23,6 @@ spec: securityContext: seccompProfile: type: RuntimeDefault -# fsGroup: 101 #nginx # volumes: # - name: nginx-etc # emptyDir: {} @@ -34,7 +33,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx-plus-ingress:3.1.1 + - image: nginx-plus-ingress:3.2.0 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ports: @@ -104,7 +103,7 @@ spec: #- -enable-service-insight #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.1.1 +# - image: nginx/nginx-ingress:3.2.0 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/deployments/helm-chart/Chart.yaml b/deployments/helm-chart/Chart.yaml index cb8377dc78..3f0c0f39c1 100644 --- a/deployments/helm-chart/Chart.yaml +++ b/deployments/helm-chart/Chart.yaml 
@@ -1,14 +1,14 @@ apiVersion: v2 name: nginx-ingress -version: 0.17.1 -appVersion: 3.1.1 +version: 0.18.0 +appVersion: 3.2.0 kubeVersion: ">= 1.22.0-0" type: application description: NGINX Ingress Controller -icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.1.1/deployments/helm-chart/chart-icon.png +icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.0/deployments/helm-chart/chart-icon.png home: https://github.com/nginxinc/kubernetes-ingress sources: - - https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/deployments/helm-chart + - https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/deployments/helm-chart keywords: - ingress - nginx diff --git a/deployments/helm-chart/README.md b/deployments/helm-chart/README.md index 15a4ade5d1..fada8f7041 100644 --- a/deployments/helm-chart/README.md +++ b/deployments/helm-chart/README.md 
@@ -6,71 +6,98 @@ This chart deploys the NGINX Ingress Controller in your Kubernetes cluster. ## Prerequisites - - A [Kubernetes Version Supported by the Ingress Controller](https://docs.nginx.com/nginx-ingress-controller/technical-specifications/#supported-kubernetes-versions) - - Helm 3.0+. - - If you’d like to use NGINX Plus: - - To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). Make sure to specify the secret using `controller.serviceAccount.imagePullSecretName` parameter. - - Alternatively, pull an Ingress Controller image with NGINX Plus and push it to your private registry by following the instructions from [here](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image). - - Alternatively, you can build an Ingress Controller image with NGINX Plus and push it to your private registry by following the instructions from [here](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image). - - Update the `controller.image.repository` field of the `values-plus.yaml` accordingly. - - If you’d like to use App Protect DoS, please install App Protect DoS Arbitrator [helm chart](https://github.com/nginxinc/nap-dos-arbitrator-helm-chart). Make sure to install in the same namespace as the NGINX Ingress Controller. Note that if you install multiple NGINX Ingress Controllers in the same namespace, they will need to share the same Arbitrator because it is not possible to install more than one Arbitrator in a single namespace. +- A [Kubernetes Version Supported by the Ingress + Controller](https://docs.nginx.com/nginx-ingress-controller/technical-specifications/#supported-kubernetes-versions) +- Helm 3.0+. 
+- If you’d like to use NGINX Plus: + - To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal + by following the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). Make sure to + specify the secret using `controller.serviceAccount.imagePullSecretName` parameter. + - Alternatively, pull an Ingress Controller image with NGINX Plus and push it to your private registry by following + the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image). + - Alternatively, you can build an Ingress Controller image with NGINX Plus and push it to your private registry by + following the instructions from + [here](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image). + - Update the `controller.image.repository` field of the `values-plus.yaml` accordingly. +- If you’d like to use App Protect DoS, please install App Protect DoS Arbitrator [helm + chart](https://github.com/nginxinc/nap-dos-arbitrator-helm-chart). Make sure to install in the same namespace as the + NGINX Ingress Controller. Note that if you install multiple NGINX Ingress Controllers in the same namespace, they will + need to share the same Arbitrator because it is not possible to install more than one Arbitrator in a single + namespace. ## CRDs -By default, the Ingress Controller requires a number of custom resource definitions (CRDs) installed in the cluster. The Helm client will install those CRDs. If the CRDs are not installed, the Ingress Controller pods will not become `Ready`. +By default, the Ingress Controller requires a number of custom resource definitions (CRDs) installed in the cluster. The +Helm client will install those CRDs. If the CRDs are not installed, the Ingress Controller pods will not become `Ready`. 
-If you do not use the custom resources that require those CRDs (which corresponds to `controller.enableCustomResources` set to `false` and `controller.appprotect.enable` set to `false` and `controller.appprotectdos.enable` set to `false`), the installation of the CRDs can be skipped by specifying `--skip-crds` for the helm install command. +If you do not use the custom resources that require those CRDs (which corresponds to `controller.enableCustomResources` +set to `false` and `controller.appprotect.enable` set to `false` and `controller.appprotectdos.enable` set to `false`), +the installation of the CRDs can be skipped by specifying `--skip-crds` for the helm install command. ### Upgrading the CRDs To upgrade the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: ```console -$ kubectl apply -f crds/ +kubectl apply -f crds/ ``` + > **Note** > -> The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply`. +> The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by +> either kubectl create --save-config or kubectl apply`. > -> Make sure to check the [release notes](https://www.github.com/nginxinc/kubernetes-ingress/releases) for a new release for any special upgrade procedures. +> Make sure to check the [release notes](https://www.github.com/nginxinc/kubernetes-ingress/releases) for a new release +> for any special upgrade procedures. ### Uninstalling the CRDs To remove the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: ```console -$ kubectl delete -f crds/ +kubectl delete -f crds/ ``` + > **Note** > -> This command will delete all the corresponding custom resources in your cluster across all namespaces. 
Please ensure there are no custom resources that you want to keep and there are no other Ingress Controller releases running in the cluster. - +> This command will delete all the corresponding custom resources in your cluster across all namespaces. Please ensure +> there are no custom resources that you want to keep and there are no other Ingress Controller releases running in the +> cluster. ## Managing the Chart via OCI Registry + ### Installing the Chart To install the chart with the release name my-release (my-release is the name that you choose): For NGINX: + ```console -$ helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.17.1 +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.0 ``` -For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`) +For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry +`myregistry.example.com`) + ```console -$ helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.17.1 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.0 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true ``` -This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to use Docker Hub, you can replace `ghcr.io/nginxinc/charts/nginx-ingress` with `registry-1.docker.io/nginxcharts/nginx-ingress`. +This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to +use Docker Hub, you can replace `ghcr.io/nginxinc/charts/nginx-ingress` with +`registry-1.docker.io/nginxcharts/nginx-ingress`. 
### Upgrading the Chart -Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the CRDs](#upgrading-the-crds). +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the +CRDs](#upgrading-the-crds). To upgrade the release `my-release`: ```console -$ helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.17.1 +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.0 ``` ### Uninstalling the Chart 
@@ -78,40 +105,46 @@ $ helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version To uninstall/delete the release `my-release`: ```console -$ helm uninstall my-release +helm uninstall my-release ``` + The command removes all the Kubernetes components associated with the release and deletes the release. -Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the CRDs](#uninstalling-the-crds). +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the +CRDs](#uninstalling-the-crds). ### Edge Version -To test the latest changes in NGINX Ingress Controller before a new release, you can install the `edge` version. This version is built from the `main` branch of the NGINX Ingress Controller repository. -You can install the `edge` version by specifying the `--version` flag with the value `0.0.0-edge`: +To test the latest changes in NGINX Ingress Controller before a new release, you can install the `edge` version. This +version is built from the `main` branch of the NGINX Ingress Controller repository. You can install the `edge` version +by specifying the `--version` flag with the value `0.0.0-edge`: ```console -$ helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge ``` > **Warning** > > The `edge` version is not intended for production use. It is intended for testing and development purposes only. - ## Managing the Chart via Sources ### Pulling the Chart -This step is required if you're installing the chart using its sources. Additionally, the step is also required for managing the custom resource definitions (CRDs), which the Ingress Controller requires by default, or for upgrading/deleting the CRDs. +This step is required if you're installing the chart using its sources. 
Additionally, the step is also required for +managing the custom resource definitions (CRDs), which the Ingress Controller requires by default, or for +upgrading/deleting the CRDs. 1. Pull the chart sources: + ```console - $ helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 0.17.1 + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 0.18.0 ``` 2. Change your working directory to nginx-ingress: + ```console - $ cd nginx-ingress + cd nginx-ingress ``` ### Installing the Chart @@ -119,25 +152,29 @@ This step is required if you're installing the chart using its sources. Addition To install the chart with the release name my-release (my-release is the name that you choose): For NGINX: + ```console -$ helm install my-release . +helm install my-release . ``` For NGINX Plus: + ```console -$ helm install my-release -f values-plus.yaml . +helm install my-release -f values-plus.yaml . ``` -The command deploys the Ingress Controller in your Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation. +The command deploys the Ingress Controller in your Kubernetes cluster in the default configuration. The configuration +section lists the parameters that can be configured during installation. ### Upgrading the Chart -Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the CRDs](#upgrading-the-crds). +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the +CRDs](#upgrading-the-crds). To upgrade the release `my-release`: ```console -$ helm upgrade my-release . +helm upgrade my-release . ``` ### Uninstalling the Chart 
@@ -145,19 +182,23 @@ $ helm upgrade my-release . To uninstall/delete the release `my-release`: ```console -$ helm uninstall my-release +helm uninstall my-release ``` The command removes all the Kubernetes components associated with the release and deletes the release. -Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the CRDs](#uninstalling-the-crds). +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the +CRDs](#uninstalling-the-crds). ## Running Multiple Ingress Controllers -If you are running multiple Ingress Controller releases in your cluster with enabled custom resources, the releases will share a single version of the CRDs. As a result, make sure that the Ingress Controller versions match the version of the CRDs. Additionally, when uninstalling a release, ensure that you don’t remove the CRDs until there are no other Ingress Controller releases running in the cluster. - -See [running multiple Ingress Controllers](https://docs.nginx.com/nginx-ingress-controller/installation/running-multiple-ingress-controllers/) for more details. +If you are running multiple Ingress Controller releases in your cluster with enabled custom resources, the releases will +share a single version of the CRDs. As a result, make sure that the Ingress Controller versions match the version of the +CRDs. Additionally, when uninstalling a release, ensure that you don’t remove the CRDs until there are no other Ingress +Controller releases running in the cluster. +See [running multiple Ingress Controllers](https://docs.nginx.com/nginx-ingress-controller/installation/running-multiple-ingress-controllers/) +for more details. ## Configuration 
@@ -174,9 +215,9 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.dnsPolicy` | DNS policy for the Ingress Controller pods. | ClusterFirst | |`controller.nginxDebug` | Enables debugging for NGINX. Uses the `nginx-debug` binary. Requires `error-log-level: debug` in the ConfigMap via `controller.config.entries`. | false | |`controller.logLevel` | The log level of the Ingress Controller. | 1 | -|`controller.image.digest ` | The image digest of the Ingress Controller. | None | +|`controller.image.digest` | The image digest of the Ingress Controller. | None | |`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress | -|`controller.image.tag` | The tag of the Ingress Controller image. | 3.1.1 | +|`controller.image.tag` | The tag of the Ingress Controller image. | 3.2.0 | |`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent | |`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} | |`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | 
@@ -293,5 +334,8 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`nginxServiceMesh.enableEgress` | Enable NGINX Service Mesh workloads to route egress traffic through the Ingress Controller. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/#enabling-egress) for more details. Requires `nginxServiceMesh.enable`. | false | ## Notes -* The values-icp.yaml file is used for deploying the Ingress Controller on IBM Cloud Private. See the [blog post](https://www.nginx.com/blog/nginx-ingress-controller-ibm-cloud-private/) for more details. -* The values-nsm.yaml file is used for deploying the Ingress Controller with NGINX Service Mesh. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. + +- The values-icp.yaml file is used for deploying the Ingress Controller on IBM Cloud Private. See the [blog + post](https://www.nginx.com/blog/nginx-ingress-controller-ibm-cloud-private/) for more details. +- The values-nsm.yaml file is used for deploying the Ingress Controller with NGINX Service Mesh. See the NGINX Service + Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. diff --git a/deployments/helm-chart/crds/appprotectdos.f5.com_dosprotectedresources.yaml b/deployments/helm-chart/crds/appprotectdos.f5.com_dosprotectedresources.yaml index b6dffb3f4c..0e64a1cdcb 100644 --- a/deployments/helm-chart/crds/appprotectdos.f5.com_dosprotectedresources.yaml +++ b/deployments/helm-chart/crds/appprotectdos.f5.com_dosprotectedresources.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.12.1 name: dosprotectedresources.appprotectdos.f5.com spec: group: appprotectdos.f5.com 
diff --git a/deployments/helm-chart/crds/externaldns.nginx.org_dnsendpoints.yaml b/deployments/helm-chart/crds/externaldns.nginx.org_dnsendpoints.yaml index e48f4a5e34..1e07fa1a75 100644 --- a/deployments/helm-chart/crds/externaldns.nginx.org_dnsendpoints.yaml +++ b/deployments/helm-chart/crds/externaldns.nginx.org_dnsendpoints.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.12.1 name: dnsendpoints.externaldns.nginx.org spec: group: externaldns.nginx.org diff --git a/deployments/helm-chart/crds/k8s.nginx.org_globalconfigurations.yaml b/deployments/helm-chart/crds/k8s.nginx.org_globalconfigurations.yaml index 3177169116..65d5c048be 100644 --- a/deployments/helm-chart/crds/k8s.nginx.org_globalconfigurations.yaml +++ b/deployments/helm-chart/crds/k8s.nginx.org_globalconfigurations.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.12.1 name: globalconfigurations.k8s.nginx.org spec: group: k8s.nginx.org diff --git a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml index 39c780f17e..b93bc6001b 100644 --- a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml +++ b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.12.1 name: policies.k8s.nginx.org spec: group: k8s.nginx.org diff --git a/deployments/helm-chart/crds/k8s.nginx.org_transportservers.yaml b/deployments/helm-chart/crds/k8s.nginx.org_transportservers.yaml index 3608e27b7a..7c3a05a84b 100644 
--- a/deployments/helm-chart/crds/k8s.nginx.org_transportservers.yaml +++ b/deployments/helm-chart/crds/k8s.nginx.org_transportservers.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.12.1 name: transportservers.k8s.nginx.org spec: group: k8s.nginx.org diff --git a/deployments/helm-chart/crds/k8s.nginx.org_virtualserverroutes.yaml b/deployments/helm-chart/crds/k8s.nginx.org_virtualserverroutes.yaml index 22048b9075..75ac646162 100644 --- a/deployments/helm-chart/crds/k8s.nginx.org_virtualserverroutes.yaml +++ b/deployments/helm-chart/crds/k8s.nginx.org_virtualserverroutes.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.12.1 name: virtualserverroutes.k8s.nginx.org spec: group: k8s.nginx.org @@ -588,6 +588,8 @@ spec: type: string path: type: string + samesite: + type: string secure: type: boolean slow-start: diff --git a/deployments/helm-chart/crds/k8s.nginx.org_virtualservers.yaml b/deployments/helm-chart/crds/k8s.nginx.org_virtualservers.yaml index b288111874..78afe01102 100644 --- a/deployments/helm-chart/crds/k8s.nginx.org_virtualservers.yaml +++ b/deployments/helm-chart/crds/k8s.nginx.org_virtualservers.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.4 + controller-gen.kubebuilder.io/version: v0.12.1 name: virtualservers.k8s.nginx.org spec: group: k8s.nginx.org @@ -675,6 +675,8 @@ spec: type: string path: type: string + samesite: + type: string secure: type: boolean slow-start: diff --git a/deployments/helm-chart/templates/_helpers.tpl b/deployments/helm-chart/templates/_helpers.tpl index 24262f516c..b1351130a0 100644 
--- a/deployments/helm-chart/templates/_helpers.tpl +++ b/deployments/helm-chart/templates/_helpers.tpl @@ -33,6 +33,14 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s" (include "nginx-ingress.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Create a default fully qualified controller service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "nginx-ingress.controller.service.name" -}} +{{- default (include "nginx-ingress.controller.fullname" .) .Values.serviceNameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{/* Create chart name and version as used by the chart label. */}} @@ -56,9 +64,13 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} Selector labels */}} {{- define "nginx-ingress.selectorLabels" -}} +{{- if .Values.controller.selectorLabels -}} +{{ toYaml .Values.controller.selectorLabels }} +{{- else -}} app.kubernetes.io/name: {{ include "nginx-ingress.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} +{{- end -}} +{{- end -}} {{/* Expand the name of the configmap. diff --git a/deployments/helm-chart/templates/controller-daemonset.yaml b/deployments/helm-chart/templates/controller-daemonset.yaml index 0b8c0d0980..b94ff9ad1c 100644 --- a/deployments/helm-chart/templates/controller-daemonset.yaml +++ b/deployments/helm-chart/templates/controller-daemonset.yaml @@ -42,9 +42,6 @@ spec: securityContext: seccompProfile: type: RuntimeDefault -{{- if .Values.controller.readOnlyRootFilesystem }} - fsGroup: 101 #nginx -{{- end }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} {{- if .Values.controller.nodeSelector }} nodeSelector: 
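Review bot: In the `nginx-ingress.selectorLabels` hunk of `_helpers.tpl`, a non-empty `controller.selectorLabels` replaces the `app.kubernetes.io/name` and `app.kubernetes.io/instance` pair outright rather than being merged with it, and nothing checks that the supplied labels are unique to this release. The callers are outside this hunk, but if the helper feeds the Deployment/DaemonSet and Service selectors, as its name suggests, a generic override could make the controller Service select pods that belong to other workloads in the namespace. Workload selectors are also immutable, so changing the value on an installed release would fail the upgrade. I would state both in the helper comment, e.g. `Selector labels. controller.selectorLabels replaces the defaults entirely; it must uniquely identify this release's pods and cannot be changed after install.` The `selectorLabels` comment added in the `values.yaml` hunk needs the same wording, and its "overide" typo fixed.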
@@ -171,8 +168,8 @@ spec: - -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} {{- if .Values.controller.appprotectdos.enable }} - -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} - - -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxWorkers }} - - -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxDaemons }} + - -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} + - -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} - -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} {{ end }} - -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} @@ -207,7 +204,7 @@ spec: {{- else if .Values.controller.reportIngressStatus.externalService }} - -external-service={{ .Values.controller.reportIngressStatus.externalService }} {{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} - - -external-service={{ include "nginx-ingress.controller.fullname" . }} + - -external-service={{ include "nginx-ingress.controller.service.name" . }} {{- end }} {{- end }} - -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} diff --git a/deployments/helm-chart/templates/controller-deployment.yaml b/deployments/helm-chart/templates/controller-deployment.yaml index 97d3b49c48..0c1b9ad5dd 100644 --- a/deployments/helm-chart/templates/controller-deployment.yaml +++ b/deployments/helm-chart/templates/controller-deployment.yaml @@ -80,9 +80,6 @@ spec: securityContext: seccompProfile: type: RuntimeDefault -{{- if .Values.controller.readOnlyRootFilesystem }} - fsGroup: 101 #nginx -{{- end }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} hostNetwork: {{ .Values.controller.hostNetwork }} dnsPolicy: {{ .Values.controller.dnsPolicy }} 
@@ -176,8 +173,8 @@ spec: - -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} {{- if .Values.controller.appprotectdos.enable }} - -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} - - -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxWorkers }} - - -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxDaemons }} + - -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} + - -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} - -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} {{ end }} - -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} @@ -212,7 +209,7 @@ spec: {{- else if .Values.controller.reportIngressStatus.externalService }} - -external-service={{ .Values.controller.reportIngressStatus.externalService }} {{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} - - -external-service={{ include "nginx-ingress.controller.fullname" . }} + - -external-service={{ include "nginx-ingress.controller.service.name" . }} {{- end }} {{- end }} - -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} diff --git a/deployments/helm-chart/templates/controller-hpa.yaml b/deployments/helm-chart/templates/controller-hpa.yaml index bc71463900..b8691648e9 100644 --- a/deployments/helm-chart/templates/controller-hpa.yaml +++ b/deployments/helm-chart/templates/controller-hpa.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.autoscaling.enabled (eq .Values.controller.kind "deployment") (semverCompare ">=1.23.0" .Capabilities.KubeVersion.Version) -}} +{{- if and .Values.controller.autoscaling.enabled (eq .Values.controller.kind "deployment") (.Capabilities.APIVersions.Has "autoscaling/v2") -}} apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: 
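Review bot: With the guard in `controller-hpa.yaml` switched to `.Capabilities.APIVersions.Has "autoscaling/v2"`, setting `controller.autoscaling.enabled` in a render context that does not advertise that API produces no HorizontalPodAutoscaler and no error. This includes client-side renders such as `helm template` that are not given the cluster's API list via `--api-versions`, where the outcome depends on the Helm client's built-in defaults. The controller then stays at its fixed replica count under load while the operator believes autoscaling is on. I would make the requirement visible at the top of the template, e.g. `{{/* Rendered only when the autoscaling/v2 API is reported by .Capabilities; pass --api-versions autoscaling/v2 for offline renders. */}}`, and consider a `fail` branch for the enabled-but-unavailable case. The rest of the template, including the closing `end`, is outside this hunk.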
diff --git a/deployments/helm-chart/templates/controller-service.yaml b/deployments/helm-chart/templates/controller-service.yaml index aa02dbf2e2..6daa941133 100644 --- a/deployments/helm-chart/templates/controller-service.yaml +++ b/deployments/helm-chart/templates/controller-service.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: - name: {{ default (include "nginx-ingress.controller.fullname" .) .Values.serviceNameOverride }} + name: {{ include "nginx-ingress.controller.service.name" . }} namespace: {{ .Release.Namespace }} labels: {{- include "nginx-ingress.labels" . | nindent 4 }} @@ -20,7 +20,7 @@ spec: {{- end }} {{- end }} {{- if eq .Values.controller.service.type "LoadBalancer" }} - {{- if and (semverCompare ">=1.22.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.allocateLoadBalancerNodePorts) }} + {{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }} allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }} {{- end }} {{- if .Values.controller.service.loadBalancerIP }} diff --git a/deployments/helm-chart/values-icp.yaml b/deployments/helm-chart/values-icp.yaml index 4eb2c6d65d..1b68d4321d 100644 --- a/deployments/helm-chart/values-icp.yaml +++ b/deployments/helm-chart/values-icp.yaml @@ -4,7 +4,7 @@ controller: nginxplus: true image: repository: mycluster.icp:8500/kube-system/nginx-plus-ingress - tag: "3.1.1" + tag: "3.2.0" nodeSelector: beta.kubernetes.io/arch: "amd64" proxy: true diff --git a/deployments/helm-chart/values-plus.yaml b/deployments/helm-chart/values-plus.yaml index 60e00179c6..210ee505a3 100644 --- a/deployments/helm-chart/values-plus.yaml +++ b/deployments/helm-chart/values-plus.yaml @@ -3,4 +3,4 @@ controller: nginxplus: true image: repository: nginx-plus-ingress - tag: "3.1.1" + tag: "3.2.0" diff --git a/deployments/helm-chart/values.yaml b/deployments/helm-chart/values.yaml index d99ff35b98..c42a9c3793 100644 
--- a/deployments/helm-chart/values.yaml +++ b/deployments/helm-chart/values.yaml @@ -5,6 +5,9 @@ controller: ## The kind of the Ingress Controller installation - deployment or daemonset. kind: deployment + ## The selectorLabels used to overide the default values. + selectorLabels: {} + ## Annotations for deployments and daemonsets annotations: {} @@ -54,7 +57,7 @@ controller: repository: nginx/nginx-ingress ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. - # tag: "3.1.1" + # tag: "3.2.0" ## The digest of the Ingress Controller image. ## If digest is specified it has precedence over tag and will be used instead @@ -82,11 +85,11 @@ controller: ## It is recommended to use your own TLS certificates and keys defaultTLS: - ## The base64-encoded TLS certificate for the default HTTPS server. By default, a pre-generated self-signed certificate is used. + ## The base64-encoded TLS certificate for the default HTTPS server. ## Note: It is recommended that you specify your own certificate. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. cert: "" - ## The base64-encoded TLS key for the default HTTPS server. By default, a pre-generated key is used. + ## The base64-encoded TLS key for the default HTTPS server. ## Note: It is recommended that you specify your own key. Alternatively, omitting the default server secret completely will configure NGINX to reject TLS connections to the default server. key: "" @@ -142,7 +145,6 @@ controller: # cpu: 1 # memory: 1Gi - ## The tolerations of the Ingress Controller pods. tolerations: [] diff --git a/docs/README.md b/docs/README.md index f2f42b608c..3bc669ae5d 100644 --- a/docs/README.md +++ b/docs/README.md 
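Review bot: The reworded `defaultTLS.cert` and `defaultTLS.key` comments in `values.yaml` no longer say what the chart does when both stay at the default `""`. The note that remains only covers "omitting the default server secret completely". Operators need to know whether an empty value means no default server secret is created, so that TLS connections to the default server are rejected, or whether a fallback certificate is still served. The template that consumes these values is not in this hunk, so I cannot confirm which. Once confirmed, I would add a line under each key such as `## If left empty, the chart creates no default server TLS secret.` so nobody assumes a certificate is in place.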
@@ -1,5 +1,7 @@ # How To Contribute + ## Introduction + The NGINX Ingress Controller makes use of the [Hugo](https://gohugo.io/) static site generator. Documentation is stored within the `docs/` subfolder of the main repository, and is where `hugo` commands should be run. @@ -7,12 +9,15 @@ Documentation is stored within the `docs/` subfolder of the main repository, and Hugo will watch and reload any changes made, so you can review your work in real time. ## Set-up -**Requirements** -* [git](https://git-scm.com/downloads) -* [hugo](https://gohugo.io/installation/) -**Quick Start** -``` +### Requirements + +- [git](https://git-scm.com/downloads) +- [hugo](https://gohugo.io/installation/) + +### Quick Start** + +```console git clone git@github.com:nginxinc/kubernetes-ingress.git cd docs/ hugo server diff --git a/docs/config/_default/config.toml b/docs/config/_default/config.toml index 7edece741d..de2bb45ad4 100644 --- a/docs/config/_default/config.toml +++ b/docs/config/_default/config.toml @@ -24,7 +24,6 @@ canonifyURLs = true lineNoStart = 1 lineNos = false lineNumbersInTable = true - noClasses = false style = "monokai" tabWidth = 4 [markup.goldmark] diff --git a/docs/content/app-protect-dos/configuration.md b/docs/content/app-protect-dos/configuration.md index 22d57dd5a9..579e78d8fc 100644 --- a/docs/content/app-protect-dos/configuration.md +++ b/docs/content/app-protect-dos/configuration.md 
@@ -9,7 +9,7 @@ docs: "DOCS-580" --- This document describes how to configure the NGINX App Protect DoS module -> Check out the complete [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/examples/ingress-resources/app-protect-dos). +> Check out the complete [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/examples/ingress-resources/app-protect-dos). ## App Protect DoS Configuration @@ -17,6 +17,7 @@ A `DosProtectedResource` is a [Custom Resource](https://kubernetes.io/docs/conce An [Ingress](/nginx-ingress-controller/configuration/ingress-resources/basic-configuration), [VirtualServer and VirtualServerRoute](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/) can be protected by specifying a reference to the DosProtectedResource. 1. Create an `DosProtectedResource` Custom resource manifest. As an example: + ```yaml apiVersion: appprotectdos.f5.com/v1beta1 kind: DosProtectedResource @@ -30,7 +31,9 @@ spec: protocol: "http1" timeout: 5 ``` + 2. Enable App Protect DoS on an Ingress by adding an annotation on the Ingress. Set the value of the annotation to the qualified identifier(`namespace/name`) of a DosProtectedResource: + ```yaml apiVersion: networking.k8s.io/v1 kind: Ingress 
@@ -39,7 +42,9 @@ spec: annotations: appprotectdos.f5.com/app-protect-dos-resource: "default/dos-protected" ``` + 3. Enable App Protect DoS on a VirtualServer by setting the `dos` field value to the qualified identifier(`namespace/name`) of a DosProtectedResource: + ```yaml apiVersion: k8s.nginx.org/v1 kind: VirtualServer @@ -90,6 +95,7 @@ You would create an `APDosPolicy` resource with the policy defined in the `spec` ``` Then add a reference in the `DosProtectedResource` to the `ApDosPolicy`: + ```yaml apiVersion: appprotectdos.f5.com/v1beta1 kind: DosProtectedResource @@ -134,6 +140,7 @@ spec: ``` Then add a reference in the `DosProtectedResource` to the `APDosLogConf`: + ```yaml apiVersion: appprotectdos.f5.com/v1beta1 kind: DosProtectedResource @@ -149,6 +156,7 @@ Then add a reference in the `DosProtectedResource` to the `APDosLogConf`: apDosLogConf: "doslogconf" dosLogDest: "syslog-svc.default.svc.cluster.local:514" ``` + ## Global Configuration The NGINX Ingress Controller has a set of global configuration parameters that align with those available in the NGINX App Protect DoS module. See [ConfigMap keys](/nginx-ingress-controller/configuration/global-configuration/configmap-resource/#modules) for the complete list. The App Protect parameters use the `app-protect-dos*` prefix. diff --git a/docs/content/app-protect-dos/dos-protected.md b/docs/content/app-protect-dos/dos-protected.md index 1a2623156d..4fb9bcef81 100644 --- a/docs/content/app-protect-dos/dos-protected.md +++ b/docs/content/app-protect-dos/dos-protected.md @@ -12,10 +12,10 @@ docs: "DOCS-581" > Note: The feature is implemented using the NGINX Plus [NGINX App Protect Dos Module](/nginx-app-protect-dos/deployment-guide/learn-about-deployment/). - ## DoS Protected Resource Specification Below is an example of a dos protected resource. + ```yaml apiVersion: appprotectdos.f5.com/v1beta1 kind: DosProtectedResource 
@@ -40,7 +40,7 @@ spec:
 |``apDosPolicy`` | The [App Protect DoS policy](#dosprotectedresourceapdospolicy) of the dos. Accepts an optional namespace. | ``string`` | No |
 |``dosSecurityLog.enable`` | Enables security log. | ``bool`` | No |
 |``dosSecurityLog.apDosLogConf`` | The [App Protect DoS log conf](/nginx-ingress-controller/app-protect-dos/configuration/#app-protect-dos-logs) resource. Accepts an optional namespace. | ``string`` | No |
-|``dosSecurityLog.dosLogDest`` | The log destination for the security log. Accepted variables are ``syslog:server=:``, ``stderr``, ````. Default is ``"syslog:server=127.0.0.1:514"``. | ``string`` | No |
+|``dosSecurityLog.dosLogDest`` | The log destination for the security log. Accepted variables are ``syslog:server=:``,``stderr``,````. Default is``"syslog:server=127.0.0.1:514"``. | ``string`` | No |
 {{% /table %}}
 
 ### DosProtectedResource.apDosPolicy
@@ -54,26 +54,32 @@ This is how NGINX App Protect DoS monitors the stress level of the protected obj ### Invalid DoS Protected Resources NGINX will treat a dos protected resource as invalid if one of the following conditions is met: -* The dos protected resource doesn't pass the [comprehensive validation](#comprehensive-validation). -* The dos protected resource isn't present in the cluster. + +- The dos protected resource doesn't pass the [comprehensive validation](#comprehensive-validation). +- The dos protected resource isn't present in the cluster. ### Validation Two types of validation are available for the dos protected resource: -* *Structural validation*, done by `kubectl` and the Kubernetes API server. -* *Comprehensive validation*, done by the Ingress Controller. + +- *Structural validation*, done by `kubectl` and the Kubernetes API server. +- *Comprehensive validation*, done by the Ingress Controller. #### Structural Validation The custom resource definition for the dos protected resource includes a structural OpenAPI schema, which describes the type of every field of the resource. If you try to create (or update) a resource that violates the structural schema -- for example, the resource uses a string value instead of a bool in the `enable` field -- `kubectl` and the Kubernetes API server will reject the resource. 
-* Example of `kubectl` validation: + +- Example of `kubectl` validation: + ``` $ kubectl apply -f apdos-protected.yaml error: error validating "examples/app-protect-dos/apdos-protected.yaml": error validating data: ValidationError(DosProtectedResource.spec.enable): invalid type for com.f5.appprotectdos.v1beta1.DosProtectedResource.spec.enable: got "string", expected "boolean"; if you choose to ignore these errors, turn validation off with --validate=false ``` -* Example of Kubernetes API server validation: + +- Example of Kubernetes API server validation: + ``` $ kubectl apply -f access-control-policy-allow.yaml --validate=false The DosProtectedResource "dos-protected" is invalid: spec.enable: Invalid value: "string": spec.enable in body must be of type boolean: "string" @@ -81,12 +87,12 @@ If you try to create (or update) a resource that violates the structural schema If a resource passes structural validation, then the Ingress Controller's comprehensive validation runs. - #### Comprehensive Validation The Ingress Controller validates the fields of a dos protected resource. If a resource is invalid, the Ingress Controller will reject it. The resource will continue to exist in the cluster, but the Ingress Controller will ignore it. You can use `kubectl` to check if the Ingress Controller successfully applied a dos protected resource configuration. For our example `dos-protected` dos protected resource, we can run: + ``` $ kubectl describe dosprotectedresource dos-protected . . . 
@@ -95,9 +101,11 @@ Events: ---- ------ ---- ---- ------- Normal AddedOrUpdated 12s (x2 over 18h) nginx-ingress-controller Configuration for default/dos-protected was added or updated ``` + Note how the events section includes a Normal event with the AddedOrUpdated reason that informs us that the configuration was successfully applied. If you create an invalid resource, the Ingress Controller will reject it and emit a Rejected event. For example, if you create a dos protected resource `dos-protected` with an invalid URI `bad` in the `dosSecurityLog/dosLogDest` field, you will get: + ``` $ kubectl describe policy webapp-policy . . . @@ -106,6 +114,7 @@ Events: ---- ------ ---- ---- ------- Warning Rejected 2s nginx-ingress-controller error validating DosProtectedResource: dos-protected invalid field: dosSecurityLog/dosLogDest err: invalid log destination: bad, must follow format: : or stderr ``` + Note how the events section includes a Warning event with the Rejected reason. **Note**: If you make an existing resource invalid, the Ingress Controller will reject it. diff --git a/docs/content/app-protect-dos/installation.md b/docs/content/app-protect-dos/installation.md index d516eb3e8f..9842de9bdf 100644 --- a/docs/content/app-protect-dos/installation.md +++ b/docs/content/app-protect-dos/installation.md 
@@ -14,13 +14,14 @@ This document provides an overview of the steps required to use NGINX App Protec ## Prerequisites 1. Make sure you have access to the Ingress Controller image: - * For NGINX Plus Ingress Controller, see [here](/nginx-ingress-controller/installation/pulling-ingress-controller-image) for details on how to pull the image from the F5 Docker registry. - * To pull from the F5 Container registry in your Kubernetes cluster, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here](/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). - * It is also possible to build your own image and push it to your private Docker registry by following the instructions from [here](/nginx-ingress-controller/installation/building-ingress-controller-image). + - For NGINX Plus Ingress Controller, see [here](/nginx-ingress-controller/installation/pulling-ingress-controller-image) for details on how to pull the image from the F5 Docker registry. + - To pull from the F5 Container registry in your Kubernetes cluster, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here](/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). + - It is also possible to build your own image and push it to your private Docker registry by following the instructions from [here](/nginx-ingress-controller/installation/building-ingress-controller-image). 2. Clone the Ingress Controller repo: + ``` - $ git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.1.1 - $ cd kubernetes-ingress/deployments + git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.2.0 + cd kubernetes-ingress/deployments ``` ## Install the App Protect DoS Arbitrator 
@@ -30,7 +31,7 @@ This document provides an overview of the steps required to use NGINX App Protec The App Protect DoS Arbitrator can be installed using the [NGINX App Protect DoS Helm Chart](https://github.com/nginxinc/nap-dos-arbitrator-helm-chart). If you have the NGINX Helm Repository already added, you can install the App Protect DoS Arbitrator by running the following command: -```bash +```console helm install my-release-dos nginx-stable/nginx-appprotect-dos-arbitrator ``` @@ -40,12 +41,13 @@ Alternatively, you can install the App Protect DoS Arbitrator using the YAML man - Create the namespace and service account -```bash +```console kubectl apply -f common/ns-and-sa.yaml ``` - Deploy the app protect dos arbitrator - ```bash + + ```console kubectl apply -f deployment/appprotect-dos-arb.yaml kubectl apply -f service/appprotect-dos-arb-svc.yaml ``` @@ -58,9 +60,10 @@ Take the steps below to create the Docker image that you'll use to deploy NGINX When running the `make` command to build the image, be sure to use the `debian-image-dos-plus` target. For example: - ```bash + ```console make debian-image-dos-plus PREFIX=/nginx-plus-ingress ``` + Alternatively, if you want to run on an [OpenShift](https://www.openshift.com/) cluster, use the `ubi-image-dos-plus` target. If you want to include the App Protect WAF module in the image, you can use the `debian-image-nap-dos-plus` target or the `ubi-image-nap-dos-plus` target for OpenShift. 
@@ -79,4 +82,4 @@ Take the steps below to set up and deploy the NGINX Ingress Controller and App P
 3. Enable the App Protect Dos module by adding the `enable-app-protect-dos` [cli argument](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-app-protect-dos) to your Deployment or DaemonSet file.
 4. [Deploy the Ingress Controller](/nginx-ingress-controller/installation/installation-with-manifests/#3-deploy-the-ingress-controller).
 
-For more information, see the [Configuration guide](/nginx-ingress-controller/app-protect-dos/configuration),the [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/examples/ingress-resources/app-protect-dos).
+For more information, see the [Configuration guide](/nginx-ingress-controller/app-protect-dos/configuration),the [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/examples/ingress-resources/app-protect-dos).
diff --git a/docs/content/app-protect-waf/configuration.md b/docs/content/app-protect-waf/configuration.md
index a20b306a96..a094c13dc0 100644
--- a/docs/content/app-protect-waf/configuration.md
+++ b/docs/content/app-protect-waf/configuration.md
@@ -1,7 +1,6 @@
 ---
 title: Configuration
-
-description: "This document describes how to configure the NGINX App Protect WAF module."
+description: "Learn how to use NGINX Ingress Controller to configure NGINX App Protect WAF."
 weight: 1900
 doctypes: [""]
 toc: true
@@ -9,40 +8,39 @@ docs: "DOCS-578" aliases: ["/app-protect/configuration/"] --- -> Check out the complete NGINX Ingress Controller with App Protect WAF example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/examples/ingress-resources/app-protect-waf). +> Check out the complete NGINX Ingress Controller with NGINX App Protect WAF example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/examples/ingress-resources/app-protect-waf). ## Global Configuration -The NGINX Ingress Controller has a set of global configuration parameters that align with those available in the NGINX App Protect WAF module. See [ConfigMap keys](/nginx-ingress-controller/configuration/global-configuration/configmap-resource/#modules) for the complete list. The App Protect parameters use the `app-protect*` prefix. +NGINX Ingress Controller has a set of global configuration parameters that align with those available in NGINX App Protect WAF. See [ConfigMap keys](/nginx-ingress-controller/configuration/global-configuration/configmap-resource/#modules) for the complete list. The NGINX App Protect WAF parameters use the `app-protect*` prefix. -## Enabling App Protect +## Enable NGINX App Protect WAF You can enable and configure NGINX App Protect WAF on the Custom Resources (VirtualServer, VirtualServerRoute) or on the Ingress-resource basis. -To configure NGINX App Protect WAF on a VirtualServer resource, you would create a Policy Custom Resource referencing the APPolicy Custom Resource, and add this to the VirtualServer definition. 
See the documentation on the [App Protect WAF Policy](/nginx-ingress-controller/configuration/policy-resource/#waf). - -To configure NGINX App Protect WAF on an Ingress resource, you would apply the [App Protect annotations](/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/#app-protect) to each desired resource. +To configure NGINX App Protect WAF on a VirtualServer resource, you would create a Policy Custom Resource referencing the APPolicy Custom Resource, and add this to the VirtualServer definition. See the documentation on the [NGINX App Protect WAF Policy](/nginx-ingress-controller/configuration/policy-resource/#waf). +To configure NGINX App Protect WAF on an Ingress resource, you would apply the [`app-protect` annotations](/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/#app-protect) to each desired resource. -## App Protect WAF Policies +## NGINX App Protect WAF Policies -You can define App Protect WAF policies for your VirtualServer, VirtualServerRoute, or Ingress resources by creating an `APPolicy` [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). +You can define NGINX App Protect WAF policies for your VirtualServer, VirtualServerRoute, or Ingress resources by creating an `APPolicy` [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). - > **Note**: The fields `policy.signature-requirements[].minRevisionDatetime` and `policy.signature-requirements[].maxRevisionDatetime` are not currently supported. + > **Note**: The fields `policy.signature-requirements[].minRevisionDatetime` and `policy.signature-requirements[].maxRevisionDatetime` are not supported. - > **Note**: [The Advanced gRPC Protection for Unary Traffic](/nginx-app-protect/configuration/#advanced-grpc-protection-for-unary-traffic) only supports providing an `idl-file` inline. 
The fields `policy.idl-files[].link`, `policy.idl-files[].$ref`, and + > **Note**: [The Advanced gRPC Protection for Unary Traffic](/nginx-app-protect-waf/configuration-guide/configuration/#grpc-protection-for-unary-traffic) only supports providing an `idl-file` inline. The fields `policy.idl-files[].link`, `policy.idl-files[].$ref`, and `policy.idl-files[].file` are not supported. The IDL file should be provided in field `policy.idl-files[].contents`. The value of this field can be base64 encoded. In this case the field `policy.idl-files[].isBase64` should be set to `true`. - > **Note**: [External References](/nginx-app-protect/configuration-guide/configuration/#external-references) in the Ingress Controller are deprecated and will not be supported in future releases. + > **Note**: [External References](/nginx-app-protect-waf/configuration-guide/configuration/#external-references) in the Ingress Controller are deprecated and will not be supported in future releases. -To add any [App Protect WAF policy](/nginx-app-protect/declarative-policy/policy/) to an Ingress resource: +To add any [NGINX App Protect WAF policy](/nginx-app-protect-waf/declarative-policy/policy/) to an Ingress resource: 1. Create an `APPolicy` Custom resource manifest. 2. Add the desired policy to the `spec` field in the `APPolicy` resource. > **Note**: The relationship between the Policy JSON and the resource spec is 1:1. If you're defining your resources in YAML, as we do in our examples, you'll need to represent the policy as YAML. The fields must match those in the source JSON exactly in name and level. - For example, say you want to use the [DataGuard policy](/nginx-app-protect/declarative-policy/policy/#policy/data-guard) shown below: + For example, say you want to use the [DataGuard policy](/nginx-app-protect-waf/declarative-policy/policy/#policy/data-guard) shown below: ```json { 
@@ -100,22 +98,21 @@ To add any [App Protect WAF policy](/nginx-app-protect/declarative-policy/policy enforcementUrls: [] ``` - > Notice how the fields match exactly in name and level. The Ingress Controller will transform the YAML into a valid JSON App Protect WAF policy config. -
+ > Notice how the fields match exactly in name and level. NGINX Ingress Controller will transform the YAML into a valid JSON WAF policy config. -## App Protect WAF Logs +## NGINX App Protect WAF Logs -You can set the [App Protect WAF log configurations](/nginx-app-protect/troubleshooting/#app-protect-logging-overview) by creating an `APLogConf` [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). +You can set the [NGINX App Protect WAF log configurations](/nginx-app-protect-waf/logging-overview/logs-overview/) by creating an `APLogConf` [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). -To add the [App Protect WAF log configurations](/nginx-app-protect/configuration/#security-logs) to a VirtualServer or an Ingress resource: +To add the [log configurations](/nginx-app-protect-waf/logging-overview/security-log/) to a VirtualServer or an Ingress resource: 1. Create an `APLogConf` Custom Resource manifest. 2. Add the desired log configuration to the `spec` field in the `APLogConf` resource. 3. Add the `APLogConf` reference to the [VirtualServer Policy resource](/nginx-ingress-controller/configuration/policy-resource/#waf) or the [Ingress resource](/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/#app-protect) as per the documentation. - > **Note**: The fields from the JSON must be presented in the YAML *exactly* the same, in name and level. The Ingress Controller will transform the YAML into a valid JSON App Protect WAF log config. + > **Note**: The fields from the JSON must be presented in the YAML *exactly* the same, in name and level. NGINX Ingress Controller will transform the YAML into a valid JSON WAF log config. -For example, say you want to [log state changing requests](/nginx-app-protect/configuration/#security-log-configuration-file) for your VirtualServer or Ingress resources using App Protect WAF. 
The App Protect WAF log configuration looks like this: +For example, say you want to [log state changing requests](/nginx-app-protect-waf/logging-overview/security-log/#security-log-configuration-file) for your VirtualServer or Ingress resources using NGINX App Protect WAF. The log configuration looks like this: ```json { 
@@ -145,20 +142,21 @@ spec: max_request_size: any max_message_size: 5k ``` -## App Protect WAF User Defined Signatures -You can define App Protect WAF [User Defined Signatures](https://docs.nginx.com/nginx-app-protect/configuration/#user-defined-signature-definitions) for your VirtualServer or Ingress resources by creating an `APUserSig` [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). +## NGINX App Protect WAF User Defined Signatures + +You can define NGINX App Protect WAF [User-Defined Signatures](/nginx-app-protect-waf/configuration-guide/configuration/#user-defined-signatures) for your VirtualServer or Ingress resources by creating an `APUserSig` [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). > **Note**: The field `revisionDatetime` is not currently supported. > **Note**: `APUserSig` resources increase the reload time of NGINX Plus compared with `APPolicy` and `APLogConf` resources. Refer to [NGINX Fails to Start or Reload](/nginx-ingress-controller/app-protect/troubleshooting/#nginx-fails-to-start-or-reload) for more information. -To add the [User Defined Signatures](https://docs.nginx.com/nginx-app-protect/configuration/#user-defined-signature-definitions) to a VirtualServer or Ingress resource: +To add the [User Defined Signatures](https://docs.nginx.com/nginx-app-protect-waf/configuration-guide/configuration/#user-defined-signatures) to a VirtualServer or Ingress resource: 1. Create an `APUserSig` Custom resource manifest. 2. Add the desired User defined signature to the `spec` field in the `APUserSig` resource. - > **Note**: The fields from the JSON must be presented in the YAML *exactly* the same, in name and level. The Ingress Controller will transform the YAML into a valid JSON App Protect WAF User Defined signature. There is no need to reference the user defined signature resource in the Policy or Ingress resources. 
+ > **Note**: The fields from the JSON must be presented in the YAML *exactly* the same, in name and level. The Ingress Controller will transform the YAML into a valid JSON User-Defined signature. There is no need to reference the user defined signature resource in the Policy or Ingress resources. For example, say you want to create the following user defined signature: @@ -211,15 +209,16 @@ spec: ## OpenAPI Specification in NGINX Ingress Controller -The OpenAPI Specification defines the spec file format needed to describe RESTful APIs. The spec file can be written either in JSON or YAML. Using a spec file simplifies the work of implementing API protection. Refer to the [OpenAPI Specification](#https://github.com/OAI/OpenAPI-Specification) (formerly called Swagger) for details. +The OpenAPI Specification defines the spec file format needed to describe RESTful APIs. The spec file can be written either in JSON or YAML. Using a spec file simplifies the work of implementing API protection. Refer to the [OpenAPI Specification](https://github.com/OAI/OpenAPI-Specification) (formerly called Swagger) for details. NGINX Ingress Controller supports OpenAPI Specification versions 2.0 and 3.0. The simplest way to create an API protection policy is using an OpenAPI Specification file to import the details of the APIs. If you use an OpenAPI Specification file, NGINX App Protect WAF will automatically create a policy for the following properties (depending on what's included in the spec file): -* Methods -* URLs -* Parameters -* JSON profiles + +- Methods +- URLs +- Parameters +- JSON profiles An OpenAPI-ready policy template is provided with the NGINX App Protect WAF packages and is located in: `/etc/app_protect/conf/NginxApiSecurityPolicy.json` 
@@ -227,7 +226,7 @@ It contains violations related to OpenAPI set to blocking (enforced). ### Types of OpenAPI References -There are different ways of referencing OpenAPI Specification files. The configuration is similar to [External References](/nginx-app-protect/configuration-guide/configuration/#external-references). +There are different ways of referencing OpenAPI Specification files. The configuration is similar to [External References](/nginx-app-protect-waf/configuration-guide/configuration/#external-references). **Note**: Any update of an OpenAPI Specification file referenced in the policy will not trigger a policy compilation. This action needs to be done actively by reloading the NGINX configuration. @@ -235,7 +234,7 @@ There are different ways of referencing OpenAPI Specification files. The configu URL reference is the method of referencing an external source by providing its full URL. -Make sure to configure certificates prior to using the HTTPS protocol - see the [External References](/nginx-app-protect/configuration-guide/configuration/#types-of-references) for details. +Make sure to configure certificates prior to using the HTTPS protocol - see the [External References](/nginx-app-protect-waf/configuration-guide/configuration/#types-of-references) for details. ## Configuration in NGINX Ingress Controller 
@@ -245,19 +244,19 @@ These are the typical steps to deploy an OpenAPI protection Policy in NGINX Ingr 2. Add the reference to the desired OpenAPI file. 3. Make other custom changes if needed (e.g. enable Data Guard protection). 4. Use a tool to convert the result to YAML. There are many, for example: [`yq` utility](https://github.com/mikefarah/yq). -5. Add the YAML properties to create an `APPolicy` Custom Resource putting the policy itself (as in step 4) within the `spec` property of the Custom Resource. Refer to [App Protect Policies](#app-protect-policies) section above. -6. Create a `Policy` object which references the `APPolicy` Custom Resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.1.1/examples/custom-resources/app-protect-waf/waf.yaml). -7. Finally, attach the `Policy` object to a `VirtualServer` resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.1.1/examples/custom-resources/app-protect-waf/virtual-server.yaml). +5. Add the YAML properties to create an `APPolicy` Custom Resource putting the policy itself (as in step 4) within the `spec` property of the Custom Resource. Refer to the [NGINX App Protect Policies](#nginx-app-protect-waf-policies) section above. +6. Create a `Policy` object which references the `APPolicy` Custom Resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.2.0/examples/custom-resources/app-protect-waf/waf.yaml). +7. Finally, attach the `Policy` object to a `VirtualServer` resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.2.0/examples/custom-resources/app-protect-waf/virtual-server.yaml). **Note**: You need to make sure that the server where the resource files are located is always available when you are compiling your policy. 
-##### Example Configuration +### Example Configuration In this example, we are adding an OpenAPI Specification file reference to `/etc/app_protect/conf/NginxApiSecurityPolicy.yaml` using the [link](https://raw.githubusercontent.com/aws-samples/api-gateway-secure-pet-store/master/src/main/resources/swagger.yaml). This will configure allowed data types for `query_int` and `query_str` parameters values. **Policy configuration:** -~~~yaml +```yaml --- apiVersion: appprotect.f5.com/v1beta1 kind: APPolicy @@ -327,12 +326,11 @@ apiVersion: appprotect.f5.com/v1beta1 - block: true description: Illegal repeated parameter name name: VIOL_PARAMETER_REPEATED - -~~~ +``` Content of the referenced file `myapi.yaml`: -~~~yaml +```yaml openapi: 3.0.1 info: title: 'Primitive data types' @@ -365,7 +363,7 @@ paths: description: OK 404: description: NotFound -~~~ +``` In this case, the following request will trigger an `Illegal parameter data type` violation, as we expect to have an integer value in the `query_int` parameter: 
@@ -375,65 +373,73 @@ http://localhost/query?query_int=abc The request will be blocked. -The `link` option is also available in the `openApiFileReference` property and is synonymous with the `open-api-files` property as seen in the App Protect WAF policy example above. +The `link` option is also available in the `openApiFileReference` property and is synonymous with the `open-api-files` property as seen in the policy example above. **Note**: `openApiFileReference` is not an array. - ## Configuration in NGINX Plus Ingress Controller using Virtual Server Resource -In this example we deploy the NGINX Plus Ingress Controller with NGINX App Protect WAF, a simple web application and then configure load balancing and WAF protection for that application using the VirtualServer resource. -**Note:** You can find the example, and the files referenced, on [GitHub](https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/examples/custom-resources/app-protect-waf). +In this example we deploy NGINX Ingress Controller with NGINX Plus and NGINX App Protect WAF, deploy a simple web application, and then configure load balancing and WAF protection for that application using the VirtualServer resource. + +**Note:** You can find the example, and the files referenced, on [GitHub](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/examples/custom-resources/app-protect-waf). ## Prerequisites -1. Follow the installation [instructions](https://docs.nginx.com/nginx-ingress-controller/installation) to deploy the Ingress Controller with NGINX App Protect WAF. -2. Save the public IP address of the Ingress Controller into a shell variable: - ``` - $ IC_IP=XXX.YYY.ZZZ.III +1. Follow the installation [instructions](https://docs.nginx.com/nginx-ingress-controller/installation) to deploy NGINX Ingress Controller with NGINX Plus and NGINX App Protect WAF. +2. Save the public IP address of NGINX Ingress Controller into a shell variable: + + ```console + IC_IP=XXX.YYY.ZZZ.III ``` -3. 
Save the HTTP port of the Ingress Controller into a shell variable: +3. Save the HTTP port of NGINX Ingress Controller into a shell variable: + + ```console + IC_HTTP_PORT= ``` - $ IC_HTTP_PORT= - ``` ### Step 1. Deploy a Web Application Create the application deployment and service: - ``` - $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.1.1/examples/custom-resources/app-protect-waf/webapp.yaml + + ```console + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.0/examples/custom-resources/app-protect-waf/webapp.yaml ``` ### Step 2. Deploy the AP Policy -1. Create the syslog service and pod for the App Protect security logs: - ``` - $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.1.1/examples/custom-resources/app-protect-waf/syslog.yaml +1. Create the syslog service and pod for the NGINX App Protect WAF security logs: + + ```console + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.0/examples/custom-resources/app-protect-waf/syslog.yaml ``` -2. Create the User Defined Signature, App Protect WAF policy, and log configuration: +2. 
Create the User-Defined Signature, WAF policy, and log configuration: - ``` - $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.1.1/examples/custom-resources/app-protect-waf/ap-apple-uds.yaml - $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.1.1/examples/custom-resources/app-protect-waf/ap-dataguard-alarm-policy.yaml - $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.1.1/examples/custom-resources/app-protect-waf/ap-logconf.yaml + ```console + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.0/examples/custom-resources/app-protect-waf/ap-apple-uds.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.0/examples/custom-resources/app-protect-waf/ap-dataguard-alarm-policy.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.0/examples/custom-resources/app-protect-waf/ap-logconf.yaml ``` ### Step 3 - Deploy the WAF Policy Create the WAF policy + + ```console + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.0/examples/custom-resources/app-protect-waf/waf.yaml ``` - $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.1.1/examples/custom-resources/app-protect-waf/waf.yaml - ``` - Note the App Protect configuration settings in the Policy resource. They enable WAF protection by configuring App Protect with the policy and log configuration created in the previous step. + + Note the NGINX App Protect WAF configuration settings in the Policy resource. They enable WAF protection by configuring NGINX App Protect WAF with the policy and log configuration created in the previous step. ### Step 4 - Configure Load Balancing 1. 
Create the VirtualServer Resource: + + ```console + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.0/examples/custom-resources/app-protect-waf/virtual-server.yaml ``` - $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.1.1/examples/custom-resources/app-protect-waf/virtual-server.yaml - ``` + Note that the VirtualServer references the policy waf-policy created in Step 3. ### Step 5 - Test the Application @@ -441,33 +447,38 @@ Note that the VirtualServer references the policy waf-policy created in Step 3. To access the application, curl the coffee and the tea services. We'll use the --resolve option to set the Host header of a request with `webapp.example.com` 1. Send a request to the application: - ``` + + ```console $ curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT/ Server address: 10.12.0.18:80 Server name: webapp-7586895968-r26zn ``` 2. Now, let's try to send a request with a suspicious URL: - ``` + + ```console $ curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP "http://webapp.example.com:$IC_HTTP_PORT/