charts,salt: Bump NGINX Ingress chart to v4.10.0

Bump the NGINX Ingress chart to v4.10.0 and also bump the Ingress
Controller image to v1.10.0

Upgrade NGINX Ingress chart using:
```
rm -rf charts/ingress-nginx
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm fetch -d charts --untar ingress-nginx/ingress-nginx
```

Re-render NGINX Ingress salt states using:
```
./doit.sh codegen:chart_ingress-nginx
```

Also update the dashboards with
```
curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/helm-chart-4.10.0/deploy/grafana/dashboards/request-handling-performance.json \
  -Lo salt/metalk8s/addons/nginx-ingress/deployed/files/ingress-nginx-performance.json
curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/helm-chart-4.10.0/deploy/grafana/dashboards/request-handling-performance.json \
  -Lo salt/metalk8s/addons/nginx-ingress/deployed/files/ingress-nginx-performance.json
```

CHANGELOG.md

@@ -29,6 +29,12 @@
   [2.2.2](https://github.com/fluent/fluent-bit/releases/tag/v2.2.2)
   (PR[#4286](https://github.com/scality/metalk8s/pull/4286))
 
+- Bump ingress-nginx chart version to
+  [4.10.0](https://github.com/kubernetes/ingress-nginx/releases/tag/helm-chart-4.10.0)
+  The controller image has been bumped accordingly to
+  [v1.10.0](https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.10.0)
+  (PR[#4289](https://github.com/scality/metalk8s/pull/4289))
+
 ## Release 127.0.1 (in development)
 
 ### Bug fixes

buildchain/buildchain/versions.py

@@ -182,8 +182,8 @@ def _version_prefix(version: str, prefix: str = "v") -> str:
     ),
     Image(
         name="nginx-ingress-controller",
-        version="v1.9.4",
-        digest="sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3",
+        version="v1.10.0",
+        digest="sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c",
     ),
     Image(
         name="node-exporter",

charts/ingress-nginx-control-plane.yaml

@@ -3,7 +3,7 @@ controller:
 
   image:
     digest: null
-    repository: '{%- endraw -%}{{ build_image_name(\"nginx-ingress-controller\", False) }}{%- raw -%}'
+    repository: __image__(nginx-ingress-controller)
 
   electionID: ingress-control-plane-controller-leader
 

charts/ingress-nginx.yaml

@@ -3,7 +3,7 @@ controller:
 
   image:
     digest: null
-    repository: '{%- endraw -%}{{ build_image_name(\"nginx-ingress-controller\", False) }}{%- raw -%}'
+    repository: __image__(nginx-ingress-controller)
 
   hostPort:
     enabled: true

charts/ingress-nginx/Chart.yaml

@@ -1,8 +1,8 @@
 annotations:
-  artifacthub.io/changes: '- "Update Ingress-Nginx version controller-v1.9.4"'
+  artifacthub.io/changes: '- "Update Ingress-Nginx version controller-v1.10.0"'
   artifacthub.io/prerelease: "false"
 apiVersion: v2
-appVersion: 1.9.4
+appVersion: 1.10.0
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and
   load balancer
 home: https://github.com/kubernetes/ingress-nginx
@@ -18,4 +18,4 @@ maintainers:
 name: ingress-nginx
 sources:
 - https://github.com/kubernetes/ingress-nginx
-version: 4.8.4
+version: 4.10.0

charts/ingress-nginx/changelog/helm-chart-4.10.0.md

@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.0
+
+* - "Update Ingress-Nginx version controller-v1.10.0"
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.9.1...helm-chart-4.10.0

charts/ingress-nginx/changelog/helm-chart-4.9.0.md

@@ -0,0 +1,13 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.9.0
+
+* - "Add controller.metrics.serviceMonitor.annotations in Helm chart"
+* - "fix(labels): use complete labels variable on default-backend deployment"
+* - "chart: allow setting allocateLoadBalancerNodePorts (#10693)"
+* - "[release-1.9] feat(helm): add documentation about metric args (#10695)"
+* - "Update Ingress-Nginx version controller-v1.9.5"
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.3...helm-chart-4.9.0

charts/ingress-nginx/changelog/helm-chart-4.9.1.md

@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.9.1
+
+* - "update web hook cert gen to latest release v20231226-1a7112e06"
+* - "Update Ingress-Nginx version controller-v1.9.6"
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.9.0...helm-chart-4.9.1

charts/ingress-nginx/ci/daemonset-extra-modules.yaml

@@ -7,4 +7,7 @@ controller:
     type: ClusterIP
   extraModules:
     - name: opentelemetry
-      image: busybox
+      image:
+        registry: registry.k8s.io
+        image: busybox
+        tag: latest

charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml

@@ -9,4 +9,7 @@ controller:
     allowPrivilegeEscalation: false
   extraModules:
     - name: opentelemetry
-      image: busybox
+      image:
+        registry: registry.k8s.io
+        image: busybox
+        tag: latest

charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml

@@ -7,6 +7,9 @@ controller:
     type: ClusterIP
   extraModules:
     - name: opentelemetry
-      image: busybox
+      image:
+        registry: registry.k8s.io
+        image: busybox
+        tag: latest
       containerSecurityContext:
         allowPrivilegeEscalation: false

charts/ingress-nginx/ci/deployment-extra-modules.yaml

@@ -7,4 +7,7 @@ controller:
     type: ClusterIP
   extraModules:
     - name: opentelemetry
-      image: busybox
+      image:
+        registry: registry.k8s.io
+        image: busybox
+        tag: latest

charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml

@@ -0,0 +1,9 @@
+controller:
+  image:
+    repository: ingress-controller/controller
+    tag: 1.0.0-dev
+    digest: null
+  service:
+    type: ClusterIP
+  opentelemetry:
+    enabled: true

charts/ingress-nginx/templates/_helpers.tpl

@@ -257,7 +257,8 @@ Extra modules.
 */}}
 {{- define "extraModules" -}}
 - name: {{ .name }}
-  image: {{ .image }}
+  {{- with .image }}
+  image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
   command:
   {{- if .distroless }}
     - /init_module
@@ -266,6 +267,7 @@ Extra modules.
     - -c
     - /usr/local/bin/init_module.sh
   {{- end }}
+  {{- end }}
   {{- if .containerSecurityContext }}
   securityContext: {{ toYaml .containerSecurityContext | nindent 4 }}
   {{- end }}

charts/ingress-nginx/templates/_params.tpl

@@ -29,7 +29,7 @@
 - --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }}
 {{- end }}
 {{- if and (not .Values.controller.scope.enabled) .Values.controller.scope.namespaceSelector }}
-- --watch-namespace-selector={{ default "" .Values.controller.scope.namespaceSelector }}
+- --watch-namespace-selector={{ .Values.controller.scope.namespaceSelector }}
 {{- end }}
 {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }}
 - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }}
@@ -54,6 +54,9 @@
 {{- if .Values.controller.watchIngressWithoutClass }}
 - --watch-ingress-without-class=true
 {{- end }}
+{{- if not .Values.controller.metrics.enabled }}
+- --enable-metrics={{ .Values.controller.metrics.enabled }}
+{{- end }}
 {{- if .Values.controller.enableTopologyAwareRouting }}
 - --enable-topology-aware-routing=true
 {{- end }}

charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml

@@ -43,7 +43,7 @@ spec:
       containers:
         - name: create
           {{- with .Values.controller.admissionWebhooks.patch.image }}
-          image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+          image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
           {{- end }}
           imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
           args:

charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml

@@ -43,7 +43,7 @@ spec:
       containers:
         - name: patch
           {{- with .Values.controller.admissionWebhooks.patch.image }}
-          image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+          image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
           {{- end }}
           imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
           args:

charts/ingress-nginx/templates/controller-daemonset.yaml

@@ -77,7 +77,7 @@ spec:
       containers:
         - name: {{ .Values.controller.containerName }}
           {{- with .Values.controller.image }}
-          image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}"
+          image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}
           {{- end }}
           imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
         {{- if .Values.controller.lifecycle }}
@@ -183,13 +183,13 @@ spec:
       {{- if .Values.controller.extraModules }}
         {{- range .Values.controller.extraModules }}
           {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-          {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
+          {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
         {{- end }}
       {{- end }}
       {{- if .Values.controller.opentelemetry.enabled }}
         {{- with .Values.controller.opentelemetry }}
           {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-          {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
+          {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
         {{- end }}
       {{- end }}
     {{- end }}

charts/ingress-nginx/templates/controller-deployment.yaml

@@ -80,7 +80,7 @@ spec:
       containers:
         - name: {{ .Values.controller.containerName }}
           {{- with .Values.controller.image }}
-          image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}"
+          image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}
           {{- end }}
           imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
         {{- if .Values.controller.lifecycle }}
@@ -186,13 +186,13 @@ spec:
       {{- if .Values.controller.extraModules }}
         {{- range .Values.controller.extraModules }}
           {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-          {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
+          {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
         {{- end }}
       {{- end }}
       {{- if .Values.controller.opentelemetry.enabled }}
         {{- with .Values.controller.opentelemetry }}
           {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
-          {{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
+          {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
         {{- end }}
       {{- end }}
     {{- end }}

charts/ingress-nginx/templates/controller-prometheusrules.yaml

@@ -1,4 +1,4 @@
-{{- if and ( .Values.controller.metrics.enabled ) ( .Values.controller.metrics.prometheusRule.enabled ) ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) -}}
+{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.prometheusRule.enabled -}}
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:

charts/ingress-nginx/templates/controller-role.yaml

@@ -44,12 +44,15 @@ rules:
       - get
       - list
       - watch
+  # Omit Ingress status permissions if `--update-status` is disabled.
+  {{- if ne (index .Values.controller.extraArgs "update-status") "false" }}
   - apiGroups:
       - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
       - update
+  {{- end }}
   - apiGroups:
       - networking.k8s.io
     resources:

charts/ingress-nginx/templates/controller-service-internal.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations}}
+{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations -}}
 apiVersion: v1
 kind: Service
 metadata:
@@ -15,18 +15,41 @@ metadata:
   name: {{ include "ingress-nginx.controller.fullname" . }}-internal
   namespace: {{ include "ingress-nginx.namespace" . }}
 spec:
-  type: "{{ .Values.controller.service.type }}"
-{{- if hasKey .Values.controller.service.internal "allocateLoadBalancerNodePorts" }}
-  allocateLoadBalancerNodePorts: {{ .Values.controller.service.internal.allocateLoadBalancerNodePorts }}
+  type: {{ .Values.controller.service.internal.type | default .Values.controller.service.type }}
+{{- if .Values.controller.service.internal.clusterIP }}
+  clusterIP: {{ .Values.controller.service.internal.clusterIP }}
+{{- end }}
+{{- if .Values.controller.service.internal.externalIPs }}
+  externalIPs: {{ toYaml .Values.controller.service.internal.externalIPs | nindent 4 }}
 {{- end }}
 {{- if .Values.controller.service.internal.loadBalancerIP }}
   loadBalancerIP: {{ .Values.controller.service.internal.loadBalancerIP }}
 {{- end }}
 {{- if .Values.controller.service.internal.loadBalancerSourceRanges }}
   loadBalancerSourceRanges: {{ toYaml .Values.controller.service.internal.loadBalancerSourceRanges | nindent 4 }}
 {{- end }}
+{{- if .Values.controller.service.internal.loadBalancerClass }}
+  loadBalancerClass: {{ .Values.controller.service.internal.loadBalancerClass }}
+{{- end }}
+{{- if hasKey .Values.controller.service.internal "allocateLoadBalancerNodePorts" }}
+  allocateLoadBalancerNodePorts: {{ .Values.controller.service.internal.allocateLoadBalancerNodePorts }}
+{{- end }}
 {{- if .Values.controller.service.internal.externalTrafficPolicy }}
   externalTrafficPolicy: {{ .Values.controller.service.internal.externalTrafficPolicy }}
+{{- end }}
+{{- if .Values.controller.service.internal.sessionAffinity }}
+  sessionAffinity: {{ .Values.controller.service.internal.sessionAffinity }}
+{{- end }}
+{{- if .Values.controller.service.internal.healthCheckNodePort }}
+  healthCheckNodePort: {{ .Values.controller.service.internal.healthCheckNodePort }}
+{{- end }}
+{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}}
+{{- if .Values.controller.service.internal.ipFamilyPolicy }}
+  ipFamilyPolicy: {{ .Values.controller.service.internal.ipFamilyPolicy }}
+{{- end }}
+{{- if .Values.controller.service.internal.ipFamilies }}
+  ipFamilies: {{ toYaml .Values.controller.service.internal.ipFamilies | nindent 4 }}
+{{- end }}
 {{- end }}
   ports:
   {{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }}
@@ -35,33 +58,33 @@ spec:
       port: {{ .Values.controller.service.internal.ports.http | default .Values.controller.service.ports.http }}
       protocol: TCP
       targetPort: {{ .Values.controller.service.internal.targetPorts.http | default .Values.controller.service.targetPorts.http }}
-    {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
+    {{- if and (semverCompare ">=1.20" .Capabilities.KubeVersion.Version) (.Values.controller.service.internal.appProtocol) }}
       appProtocol: http
     {{- end }}
-    {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
-      nodePort: {{ .Values.controller.service.nodePorts.http }}
+    {{- if (and $setNodePorts (not (empty .Values.controller.service.internal.nodePorts.http))) }}
+      nodePort: {{ .Values.controller.service.internal.nodePorts.http }}
     {{- end }}
   {{- end }}
   {{- if .Values.controller.service.enableHttps }}
     - name: https
       port: {{ .Values.controller.service.internal.ports.https | default .Values.controller.service.ports.https }}
       protocol: TCP
       targetPort: {{ .Values.controller.service.internal.targetPorts.https | default .Values.controller.service.targetPorts.https }}
-    {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
+    {{- if and (semverCompare ">=1.20" .Capabilities.KubeVersion.Version) (.Values.controller.service.internal.appProtocol) }}
       appProtocol: https
     {{- end }}
-    {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}
-      nodePort: {{ .Values.controller.service.nodePorts.https }}
+    {{- if (and $setNodePorts (not (empty .Values.controller.service.internal.nodePorts.https))) }}
+      nodePort: {{ .Values.controller.service.internal.nodePorts.https }}
     {{- end }}
   {{- end }}
   {{- range $key, $value := .Values.tcp }}
     - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp
       port: {{ $key }}
       protocol: TCP
       targetPort: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp
-    {{- if $.Values.controller.service.nodePorts.tcp }}
-    {{- if index $.Values.controller.service.nodePorts.tcp $key }}
-      nodePort: {{ index $.Values.controller.service.nodePorts.tcp $key }}
+    {{- if $.Values.controller.service.internal.nodePorts.tcp }}
+    {{- if index $.Values.controller.service.internal.nodePorts.tcp $key }}
+      nodePort: {{ index $.Values.controller.service.internal.nodePorts.tcp $key }}
     {{- end }}
     {{- end }}
   {{- end }}
@@ -70,9 +93,9 @@ spec:
       port: {{ $key }}
       protocol: UDP
       targetPort: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-udp
-    {{- if $.Values.controller.service.nodePorts.udp }}
-    {{- if index $.Values.controller.service.nodePorts.udp $key }}
-      nodePort: {{ index $.Values.controller.service.nodePorts.udp $key }}
+    {{- if $.Values.controller.service.internal.nodePorts.udp }}
+    {{- if index $.Values.controller.service.internal.nodePorts.udp $key }}
+      nodePort: {{ index $.Values.controller.service.internal.nodePorts.udp $key }}
     {{- end }}
     {{- end }}
   {{- end }}