diff --git a/apps.yaml b/apps.yaml index eb2b8bc2d5..c54d21440c 100644 --- a/apps.yaml +++ b/apps.yaml @@ -105,7 +105,7 @@ appsInfo: integration: Harbor can be enabled to provide each team with a private registry. Harbor has been made user and tenant aware. APL runs automated tasks that take care of creating a project in Harbor for each team, creating a bot-account for each team, and creating a Kubernetes pull secret in the team namespace to enable pulling of images out of the local registry. ingress-nginx: title: Ingress-NGINX - appVersion: 1.13.3 + appVersion: 1.14.0 repo: https://github.com/kubernetes/ingress-nginx maintainers: NGINX relatedLinks: diff --git a/chart/chart-index/Chart.yaml b/chart/chart-index/Chart.yaml index 4f919a62a7..030301f61d 100644 --- a/chart/chart-index/Chart.yaml +++ b/chart/chart-index/Chart.yaml @@ -41,7 +41,7 @@ dependencies: version: 1.18.0 repository: https://helm.goharbor.io - name: ingress-nginx - version: 4.13.3 + version: 4.14.0 repository: https://kubernetes.github.io/ingress-nginx - name: base alias: istio-base diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index c28d8ce6b8..262fe3ac2c 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -1,9 +1,9 @@ annotations: artifacthub.io/changes: | - - Update Ingress-Nginx version controller-v1.13.3 + - Update Ingress-Nginx version controller-v1.14.0 artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 1.13.3 +appVersion: 1.14.0 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer home: https://github.com/kubernetes/ingress-nginx @@ -20,4 +20,4 @@ maintainers: name: ingress-nginx sources: - https://github.com/kubernetes/ingress-nginx -version: 4.13.3 +version: 4.14.0 diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index eb03c49cf0..1b233336a1 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md 
@@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.13.3](https://img.shields.io/badge/Version-4.13.3-informational?style=flat-square) ![AppVersion: 1.13.3](https://img.shields.io/badge/AppVersion-1.13.3-informational?style=flat-square) +![Version: 4.14.0](https://img.shields.io/badge/Version-4.14.0-informational?style=flat-square) ![AppVersion: 1.14.0](https://img.shields.io/badge/AppVersion-1.14.0-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -264,6 +264,8 @@ metadata: | controller.admissionWebhooks.createSecretJob.name | string | `"create"` | | | controller.admissionWebhooks.createSecretJob.resources | object | `{}` | | | controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers | +| controller.admissionWebhooks.createSecretJob.volumeMounts | list | `[]` | Volume mounts for secret creation containers | +| controller.admissionWebhooks.createSecretJob.volumes | list | `[]` | Volumes for secret creation pod | | controller.admissionWebhooks.enabled | bool | `true` | | | controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set | | controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use | 
@@ -273,10 +275,10 @@ metadata: | controller.admissionWebhooks.namespaceSelector | object | `{}` | | | controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | | -| controller.admissionWebhooks.patch.image.digest | string | `"sha256:3d671cf20a35cd94efc5dcd484970779eb21e7938c98fbc3673693b8a117cf39"` | | +| controller.admissionWebhooks.patch.image.digest | string | `"sha256:bcfc926ed57831edf102d62c5c0e259572591df4796ef1420b87f9cf6092497f"` | | | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | -| controller.admissionWebhooks.patch.image.tag | string | `"v1.6.3"` | | +| controller.admissionWebhooks.patch.image.tag | string | `"v1.6.4"` | | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | | controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | 
@@ -295,6 +297,8 @@ metadata: | controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` | | | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | | | controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers | +| controller.admissionWebhooks.patchWebhookJob.volumeMounts | list | `[]` | Volume mounts for webhook patch containers | +| controller.admissionWebhooks.patchWebhookJob.volumes | list | `[]` | Volumes for webhook patch pod | | controller.admissionWebhooks.port | int | `8443` | | | controller.admissionWebhooks.service.annotations | object | `{}` | | | controller.admissionWebhooks.service.externalIPs | list | `[]` | | @@ -331,7 +335,7 @@ metadata: | controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use | | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. | | controller.extraEnvs | list | `[]` | Additional environment variables to set | -| controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. | +| controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. Values may contain Helm templates. | | controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. | | controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. | | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. | 
@@ -345,8 +349,8 @@ metadata: | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `false` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:1b044f6dcac3afbb59e05d98463f1dec6f3d3fb99940bc12ca5d80270358e3bd"` | | -| controller.image.digestChroot | string | `"sha256:27de15aea4ec7639f7cec6ae96bff11ce57bb1171040351a0b0eedf66655d0dd"` | | +| controller.image.digest | string | `"sha256:e4127065d0317bd11dc64c4dd38dcf7fb1c3d72e468110b4086e636dbaac943d"` | | +| controller.image.digestChroot | string | `"sha256:d0158a50630981a945325c15a638e52c2d0691bc528caf5c04d2cf2051c5665f"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.readOnlyRootFilesystem | bool | `false` | | 
@@ -354,7 +358,7 @@ metadata: | controller.image.runAsNonRoot | bool | `true` | | | controller.image.runAsUser | int | `101` | This value must not be changed using the official image. uid=101(www-data) gid=82(www-data) groups=82(www-data) | | controller.image.seccompProfile.type | string | `"RuntimeDefault"` | | -| controller.image.tag | string | `"v1.13.3"` | | +| controller.image.tag | string | `"v1.14.0"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. | 
@@ -413,6 +417,7 @@ metadata: | controller.metrics.serviceMonitor.relabelings | list | `[]` | | | controller.metrics.serviceMonitor.sampleLimit | int | `0` | Defines a per-scrape limit on the number of scraped samples that will be accepted. | | controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | | +| controller.metrics.serviceMonitor.scrapeTimeout | string | `""` | Timeout after which the scrape is ended. Not being set if empty and therefore defaults to the global Prometheus scrape timeout. | | controller.metrics.serviceMonitor.targetLabels | list | `[]` | | | controller.metrics.serviceMonitor.targetLimit | int | `0` | Defines a limit on the number of scraped targets that will be accepted. | | controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. | @@ -439,6 +444,7 @@ metadata: | controller.readinessProbe.timeoutSeconds | int | `1` | | | controller.replicaCount | int | `1` | | | controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply | +| controller.resizePolicy | list | `[]` | Resize policy for controller containers. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources | | controller.resources.requests.cpu | string | `"100m"` | | | controller.resources.requests.memory | string | `"90Mi"` | | | controller.runtimeClassName | string | `""` | Instruct the kubelet to use the named RuntimeClass to run the pod | diff --git a/charts/ingress-nginx/changelog/helm-chart-4.12.5.md b/charts/ingress-nginx/changelog/helm-chart-4.12.5.md new file mode 100644 index 0000000000..9d7eb96d38 --- /dev/null 
+++ b/charts/ingress-nginx/changelog/helm-chart-4.12.5.md @@ -0,0 +1,10 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.12.5 + +* Make: Add `helm-test` target. (#13660) +* Update Ingress-Nginx version controller-v1.12.5 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.12.4...helm-chart-4.12.5 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.12.6.md b/charts/ingress-nginx/changelog/helm-chart-4.12.6.md new file mode 100644 index 0000000000..50c0a0d17a --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.12.6.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.12.6 + +* Update Ingress-Nginx version controller-v1.12.6 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.12.5...helm-chart-4.12.6 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.12.7.md b/charts/ingress-nginx/changelog/helm-chart-4.12.7.md new file mode 100644 index 0000000000..9b7460ae3c --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.12.7.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.12.7 + +* Update Ingress-Nginx version controller-v1.12.7 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.12.7...helm-chart-4.12.7 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.12.8.md b/charts/ingress-nginx/changelog/helm-chart-4.12.8.md new file mode 100644 index 0000000000..ec4d5605ac --- /dev/null 
+++ b/charts/ingress-nginx/changelog/helm-chart-4.12.8.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.12.8 + +* Update Ingress-Nginx version controller-v1.12.8 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.12.7...helm-chart-4.12.8 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.13.4.md b/charts/ingress-nginx/changelog/helm-chart-4.13.4.md new file mode 100644 index 0000000000..5242b31e72 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.13.4.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.13.4 + +* Update Ingress-Nginx version controller-v1.13.4 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.13.3...helm-chart-4.13.4 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.14.0.md b/charts/ingress-nginx/changelog/helm-chart-4.14.0.md new file mode 100644 index 0000000000..cae539a6ca --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.14.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.14.0 + +* Update Ingress-Nginx version controller-v1.14.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.13.3...helm-chart-4.14.0 diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml index d25ece1f56..f0df819d2d 100644 
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml @@ -68,6 +68,9 @@ spec: {{- if .Values.controller.admissionWebhooks.createSecretJob.resources }} resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }} {{- end }} + {{- if .Values.controller.admissionWebhooks.createSecretJob.volumeMounts }} + volumeMounts: {{- toYaml .Values.controller.admissionWebhooks.createSecretJob.volumeMounts | nindent 12 }} + {{- end }} restartPolicy: OnFailure serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }} @@ -80,4 +83,7 @@ spec: {{- if .Values.controller.admissionWebhooks.patch.securityContext }} securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }} {{- end }} + {{- if .Values.controller.admissionWebhooks.createSecretJob.volumes }} + volumes: {{- toYaml .Values.controller.admissionWebhooks.createSecretJob.volumes | nindent 8 }} + {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml index 11f99470a6..cd05f704bb 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml 
@@ -70,6 +70,9 @@ spec: {{- if .Values.controller.admissionWebhooks.patchWebhookJob.resources }} resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }} {{- end }} + {{- if .Values.controller.admissionWebhooks.patchWebhookJob.volumeMounts }} + volumeMounts: {{- toYaml .Values.controller.admissionWebhooks.patchWebhookJob.volumeMounts | nindent 12 }} + {{- end }} restartPolicy: OnFailure serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }} @@ -82,4 +85,7 @@ spec: {{- if .Values.controller.admissionWebhooks.patch.securityContext }} securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }} {{- end }} + {{- if .Values.controller.admissionWebhooks.patchWebhookJob.volumes }} + volumes: {{- toYaml .Values.controller.admissionWebhooks.patchWebhookJob.volumes | nindent 8 }} + {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml index a9a3dee399..3cc1520e2d 100644 --- a/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/charts/ingress-nginx/templates/controller-daemonset.yaml 
@@ -174,13 +174,18 @@ spec: {{- if .Values.controller.resources }} resources: {{ toYaml .Values.controller.resources | nindent 12 }} {{- end }} + {{- if semverCompare ">=1.33.0-0" .Capabilities.KubeVersion.Version }} + {{- if .Values.controller.resizePolicy }} + resizePolicy: {{ toYaml .Values.controller.resizePolicy | nindent 12 }} + {{- end }} + {{- end }} {{- if .Values.controller.extraContainers }} {{- toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }} initContainers: {{- if .Values.controller.extraInitContainers }} - {{- toYaml .Values.controller.extraInitContainers | nindent 8 }} + {{- tpl (toYaml .Values.controller.extraInitContainers) $ | nindent 8 }} {{- end }} {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index 224694d1b3..a20b417bee 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml 
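Review bot: Switching `controller.extraInitContainers` to `tpl (toYaml …) $` turns that value from plain data into template code evaluated against the whole chart context, while the neighbouring `controller.extraContainers` line in this hunk stays on plain `toYaml`, so the two lists now behave differently. Any existing value that contains a literal `{{` (a format string inside a shell command, for instance) will be evaluated or fail to render after the upgrade. Whoever can set these values can also reference anything the render context exposes, so where values are supplied per team they should be reviewed like templates rather than like data. The same change is made in controller-deployment.yaml and for `defaultBackend.extraVolumes` in default-backend-deployment.yaml. I would extend the values.yaml comment accordingly, e.g. `# Rendered with tpl: escape literal braces as {{ "{{" }} and treat this value as template code.`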
@@ -180,13 +180,18 @@ spec: {{- if .Values.controller.resources }} resources: {{ toYaml .Values.controller.resources | nindent 12 }} {{- end }} + {{- if semverCompare ">=1.33.0-0" .Capabilities.KubeVersion.Version }} + {{- if .Values.controller.resizePolicy }} + resizePolicy: {{ toYaml .Values.controller.resizePolicy | nindent 12 }} + {{- end }} + {{- end }} {{- if .Values.controller.extraContainers }} {{- toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }} initContainers: {{- if .Values.controller.extraInitContainers }} - {{- toYaml .Values.controller.extraInitContainers | nindent 8 }} + {{- tpl (toYaml .Values.controller.extraInitContainers) $ | nindent 8 }} {{- end }} {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} diff --git a/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/charts/ingress-nginx/templates/controller-servicemonitor.yaml index 85bb84186a..defdf00f03 100644 --- a/charts/ingress-nginx/templates/controller-servicemonitor.yaml +++ b/charts/ingress-nginx/templates/controller-servicemonitor.yaml @@ -32,6 +32,9 @@ spec: endpoints: - port: {{ .Values.controller.metrics.portName }} interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }} + {{- if .Values.controller.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.controller.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} {{- if .Values.controller.metrics.serviceMonitor.honorLabels }} honorLabels: true {{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml index 75c3d09cbf..a25dd4e247 100644 --- a/charts/ingress-nginx/templates/default-backend-deployment.yaml +++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml 
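Review bot: The `semverCompare ">=1.33.0-0" .Capabilities.KubeVersion.Version` guard drops a configured `controller.resizePolicy` without any message on older versions, and the comment added in values.yaml does not mention the version requirement. When the chart is rendered offline (`helm template` or a GitOps renderer without an explicit kube version), `.Capabilities` may not reflect the target cluster, so the field can presumably be omitted or emitted contrary to what the operator expects. The two nested conditions can be one: `{{- if and .Values.controller.resizePolicy (semverCompare ">=1.33.0-0" .Capabilities.KubeVersion.Version) }}`. The hunk in controller-daemonset.yaml carries the same guard, and the added tests only cover minor version 33, not the case where the field must be absent.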
@@ -118,6 +118,6 @@ spec: {{- end }} terminationGracePeriodSeconds: 60 {{- if .Values.defaultBackend.extraVolumes }} - volumes: {{ toYaml .Values.defaultBackend.extraVolumes | nindent 8 }} + volumes: {{ tpl (toYaml .Values.defaultBackend.extraVolumes) $ | nindent 8 }} {{- end }} {{- end }} diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml index 875dda1520..752e68c427 100644 --- a/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml +++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml 
@@ -18,3 +18,61 @@ tests: - equal: path: spec.activeDeadlineSeconds value: 1 + + - it: should create a Job with custom volumes and volume mounts if `controller.admissionWebhooks.createSecretJob.volumes` and `controller.admissionWebhooks.createSecretJob.volumeMounts` are set + set: + controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false + controller.admissionWebhooks.createSecretJob.volumeMounts: + - name: kube-api-access + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + controller.admissionWebhooks.createSecretJob.volumes: + - name: kube-api-access + projected: + defaultMode: 0444 + sources: + - serviceAccountToken: + path: token + expirationSeconds: 3600 + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + - downwardAPI: + items: + - path: namespace + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + asserts: + - equal: + path: spec.template.spec.automountServiceAccountToken + value: false + - equal: + path: spec.template.spec.containers[0].volumeMounts + value: + - name: kube-api-access + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + - equal: + path: spec.template.spec.volumes + value: + - name: kube-api-access + projected: + defaultMode: 0444 + sources: + - serviceAccountToken: + path: token + expirationSeconds: 3600 + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + - downwardAPI: + items: + - path: namespace + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml index ef8e497cfb..2ad589b711 100644 --- a/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml +++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml 
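Review bot: `defaultMode: 0444` in the new test depends on the YAML parser reading a leading-zero scalar as octal (292); a parser that follows the YAML 1.2 core schema reads it as decimal 444, which is a different and broader permission set, and which behaviour the test runner has is not visible here. Because the `set` block and the expected `value` repeat the same literal, the assertion cannot detect such a mis-read. Writing the decimal form with the intent in a comment, `defaultMode: 292  # 0444`, removes the ambiguity. The same literal appears in the hunk for job-patchWebhook_test.yaml.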
@@ -18,3 +18,61 @@ tests: - equal: path: spec.activeDeadlineSeconds value: 1 + + - it: should create a Job with custom volumes and volume mounts if `controller.admissionWebhooks.patchWebhookJob.volumes` and `controller.admissionWebhooks.patchWebhookJob.volumeMounts` are set + set: + controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false + controller.admissionWebhooks.patchWebhookJob.volumeMounts: + - name: kube-api-access + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + controller.admissionWebhooks.patchWebhookJob.volumes: + - name: kube-api-access + projected: + defaultMode: 0444 + sources: + - serviceAccountToken: + path: token + expirationSeconds: 3600 + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + - downwardAPI: + items: + - path: namespace + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + asserts: + - equal: + path: spec.template.spec.automountServiceAccountToken + value: false + - equal: + path: spec.template.spec.containers[0].volumeMounts + value: + - name: kube-api-access + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + - equal: + path: spec.template.spec.volumes + value: + - name: kube-api-access + projected: + defaultMode: 0444 + sources: + - serviceAccountToken: + path: token + expirationSeconds: 3600 + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + - downwardAPI: + items: + - path: namespace + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace diff --git a/charts/ingress-nginx/tests/controller-daemonset_test.yaml b/charts/ingress-nginx/tests/controller-daemonset_test.yaml index 9f79a3b23d..4366082ff3 100644 --- a/charts/ingress-nginx/tests/controller-daemonset_test.yaml +++ b/charts/ingress-nginx/tests/controller-daemonset_test.yaml 
@@ -96,6 +96,24 @@ tests: maxSkew: 1 whenUnsatisfiable: ScheduleAnyway + - it: should create a DaemonSet with templated init containers if `controller.extraInitContainers` contains Helm templates + set: + controller.kind: DaemonSet + controller.extraInitContainers: + - name: '{{ .Release.Name }}-init' + image: busybox + command: + - sh + - -c + - echo '{{ .Release.Namespace }}'; + asserts: + - equal: + path: spec.template.spec.initContainers[0].name + value: RELEASE-NAME-init + - contains: + path: spec.template.spec.initContainers[0].command + content: echo 'NAMESPACE'; + - it: should create a DaemonSet with affinity if `controller.affinity` is set set: controller.kind: DaemonSet @@ -208,3 +226,23 @@ tests: - equal: path: spec.template.spec.runtimeClassName value: myClass + + - it: should create a DaemonSet with resize policy if `controller.resizePolicy` is set + capabilities: + majorVersion: 1 + minorVersion: 33 + set: + controller.kind: DaemonSet + controller.resizePolicy: + - resourceName: cpu + restartPolicy: NotRequired + - resourceName: memory + restartPolicy: RestartContainer + asserts: + - equal: + path: spec.template.spec.containers[0].resizePolicy + value: + - resourceName: cpu + restartPolicy: NotRequired + - resourceName: memory + restartPolicy: RestartContainer diff --git a/charts/ingress-nginx/tests/controller-deployment_test.yaml b/charts/ingress-nginx/tests/controller-deployment_test.yaml index 37b6908853..38431ccbed 100644 --- a/charts/ingress-nginx/tests/controller-deployment_test.yaml +++ b/charts/ingress-nginx/tests/controller-deployment_test.yaml 
@@ -119,6 +119,23 @@ tests: maxSkew: 1 whenUnsatisfiable: ScheduleAnyway + - it: should create a Deployment with templated init containers if `controller.extraInitContainers` contains Helm templates + set: + controller.extraInitContainers: + - name: '{{ .Release.Name }}-init' + image: busybox + command: + - sh + - -c + - echo '{{ .Release.Namespace }}'; + asserts: + - equal: + path: spec.template.spec.initContainers[0].name + value: RELEASE-NAME-init + - contains: + path: spec.template.spec.initContainers[0].command + content: echo 'NAMESPACE'; + - it: should create a Deployment with affinity if `controller.affinity` is set set: controller.affinity: @@ -231,3 +248,22 @@ tests: - equal: path: spec.template.spec.runtimeClassName value: myClass + + - it: should create a Deployment with resize policy if `controller.resizePolicy` is set + capabilities: + majorVersion: 1 + minorVersion: 33 + set: + controller.resizePolicy: + - resourceName: cpu + restartPolicy: NotRequired + - resourceName: memory + restartPolicy: RestartContainer + asserts: + - equal: + path: spec.template.spec.containers[0].resizePolicy + value: + - resourceName: cpu + restartPolicy: NotRequired + - resourceName: memory + restartPolicy: RestartContainer diff --git a/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml b/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml index 7edee98c54..2fed3bc425 100644 --- a/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml +++ b/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml 
@@ -77,3 +77,22 @@ tests: - equal: path: spec.targetLimit value: 100 + + - it: should create a ServiceMonitor with `scrapeTimeout` if `controller.metrics.serviceMonitor.scrapeTimeout` is set + set: + controller.metrics.enabled: true + controller.metrics.serviceMonitor.enabled: true + controller.metrics.serviceMonitor.scrapeTimeout: 60s + asserts: + - equal: + path: spec.endpoints[0].scrapeTimeout + value: 60s + + - it: should create a ServiceMonitor without `scrapeTimeout` if `controller.metrics.serviceMonitor.scrapeTimeout` is unset + set: + controller.metrics.enabled: true + controller.metrics.serviceMonitor.enabled: true + controller.metrics.serviceMonitor.scrapeTimeout: "" + asserts: + - notExists: + path: spec.endpoints[0].scrapeTimeout diff --git a/charts/ingress-nginx/tests/default-backend-deployment_test.yaml b/charts/ingress-nginx/tests/default-backend-deployment_test.yaml index 11d400c462..ed3bb87417 100644 --- a/charts/ingress-nginx/tests/default-backend-deployment_test.yaml +++ b/charts/ingress-nginx/tests/default-backend-deployment_test.yaml @@ -196,3 +196,26 @@ tests: - equal: path: spec.template.spec.automountServiceAccountToken value: false + + - it: should create a Deployment with extra volumes if `defaultBackend.extraVolumes` is set + set: + defaultBackend.enabled: true + defaultBackend.extraVolumes: + - name: extra-volume + configMap: + name: '{{ .Release.Name }}' + defaultBackend.extraVolumeMounts: + - name: extra-volume + mountPath: /extra + asserts: + - equal: + path: spec.template.spec.volumes + value: + - name: extra-volume + configMap: + name: RELEASE-NAME + - equal: + path: spec.template.spec.containers[0].volumeMounts + value: + - name: extra-volume + mountPath: /extra diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 47ab9b9b06..21fb0f4f36 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml 
@@ -30,9 +30,9 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.13.3" - digest: sha256:1b044f6dcac3afbb59e05d98463f1dec6f3d3fb99940bc12ca5d80270358e3bd - digestChroot: sha256:27de15aea4ec7639f7cec6ae96bff11ce57bb1171040351a0b0eedf66655d0dd + tag: "v1.14.0" + digest: sha256:e4127065d0317bd11dc64c4dd38dcf7fb1c3d72e468110b4086e636dbaac943d + digestChroot: sha256:d0158a50630981a945325c15a638e52c2d0691bc528caf5c04d2cf2051c5665f pullPolicy: IfNotPresent runAsNonRoot: true # -- This value must not be changed using the official image. @@ -401,6 +401,13 @@ controller: requests: cpu: 100m memory: 90Mi + # -- Resize policy for controller containers. + # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources + resizePolicy: [] + # - resourceName: cpu + # restartPolicy: NotRequired + # - resourceName: memory + # restartPolicy: RestartContainer # Mutually exclusive with keda autoscaling autoscaling: enabled: false @@ -702,11 +709,17 @@ controller: # - name: copy-portal-skins # emptyDir: {} - # -- Containers, which are run before the app containers are started. + # -- Containers, which are run before the app containers are started. Values may contain Helm templates. extraInitContainers: [] # - name: init-myservice # image: busybox # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] + # - name: init-dynamic + # image: busybox + # command: + # - sh + # - -c + # - echo "Release={{ .Release.Name }} Namespace={{ .Release.Namespace }}" # -- Modules, which are mounted into the core nginx image. extraModules: [] 
@@ -795,6 +808,16 @@ controller: # requests: # cpu: 10m # memory: 20Mi + # -- Volume mounts for secret creation containers + volumeMounts: [] + # - name: certs + # mountPath: /etc/webhook/certs + # readOnly: true + # -- Volumes for secret creation pod + volumes: [] + # - name: certs + # secret: + # secretName: my-webhook-secret patchWebhookJob: name: patch # -- Deadline in seconds for the job to complete. Must be greater than 0 to enforce. If unset or 0, no deadline is enforced. @@ -812,6 +835,16 @@ controller: - ALL readOnlyRootFilesystem: true resources: {} + # -- Volume mounts for webhook patch containers + volumeMounts: [] + # - name: certs + # mountPath: /etc/webhook/certs + # readOnly: true + # -- Volumes for webhook patch pod + volumes: [] + # - name: certs + # secret: + # secretName: my-webhook-secret patch: enabled: true image: @@ -820,8 +853,8 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: v1.6.3 - digest: sha256:3d671cf20a35cd94efc5dcd484970779eb21e7938c98fbc3673693b8a117cf39 + tag: v1.6.4 + digest: sha256:bcfc926ed57831edf102d62c5c0e259572591df4796ef1420b87f9cf6092497f pullPolicy: IfNotPresent # -- Provide a priority class name to the webhook patching job ## @@ -910,6 +943,8 @@ controller: ## namespaceSelector: ## any: true scrapeInterval: 30s + # -- Timeout after which the scrape is ended. Not being set if empty and therefore defaults to the global Prometheus scrape timeout. + scrapeTimeout: "" # honorLabels: true targetLabels: [] relabelings: []
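Review bot: The comments added for `createSecretJob.volumes`/`volumeMounts` and `patchWebhookJob.volumes`/`volumeMounts` show only a `certs` secret example, while the tests in this commit use these keys to mount a projected ServiceAccount token with `expirationSeconds: 3600` together with `patch.serviceAccount.automountServiceAccountToken: false`. That hardening pairing is the less obvious use and deserves a mention, e.g. `# -- Volumes for secret creation pod. Can supply a projected, short-lived ServiceAccount token when automountServiceAccountToken is false.` Nothing in the chart checks that every `volumeMounts` name has a matching entry in `volumes`; a mismatch presumably only surfaces when the Job is created in the cluster.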