From 8763aa7b48af58dfbe1bf2e64c49f077c5ee4d7d Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Tue, 19 Dec 2023 14:25:18 +0000 Subject: [PATCH 01/22] minor docs updates (#4821) --- .../installation/installing-nic/installation-with-operator.md | 2 +- docs/content/releases.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/installation/installing-nic/installation-with-operator.md b/docs/content/installation/installing-nic/installation-with-operator.md index 3452fef579..3b8a91ad28 100644 --- a/docs/content/installation/installing-nic/installation-with-operator.md +++ b/docs/content/installation/installing-nic/installation-with-operator.md @@ -17,7 +17,7 @@ h2 { {{< note >}} -NGINX Ingress Operator isn't compatible with NGINX Ingress Controller 3.2.0 at this time. We'll update this guide and remove this note when we release a compatible version. +NGINX Ingress Operator isn't compatible with NGINX Ingress Controller 3.4.0 at this time. We'll update this guide and remove this note when we release a compatible version. {{< /note >}} ## Before you start diff --git a/docs/content/releases.md b/docs/content/releases.md index 4ed5e44936..c6019e7c82 100644 --- a/docs/content/releases.md +++ b/docs/content/releases.md @@ -8,7 +8,7 @@ docs: "DOCS-616" --- ## 3.4.0 -%%RELEASE_DATE%% +19 Dec 2023 The default_server listeners for ports 80 and 443 can now be fully customized giving you the flexibility to shift the HTTP and HTTPS default listeners to other ports as your needs require. From dd82122457f9961bd5afbd8251a6ed707accc91b Mon Sep 17 00:00:00 2001 From: Venktesh Shivam Patel Date: Thu, 21 Dec 2023 11:29:06 +0000 Subject: [PATCH 02/22] Update operator install document (#4830) --- .../installation/installing-nic/installation-with-operator.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/content/installation/installing-nic/installation-with-operator.md b/docs/content/installation/installing-nic/installation-with-operator.md index 3b8a91ad28..399cea5324 100644 --- a/docs/content/installation/installing-nic/installation-with-operator.md +++ b/docs/content/installation/installing-nic/installation-with-operator.md @@ -16,10 +16,6 @@ h2 { } -{{< note >}} -NGINX Ingress Operator isn't compatible with NGINX Ingress Controller 3.4.0 at this time. We'll update this guide and remove this note when we release a compatible version. -{{< /note >}} - ## Before you start {{}} We recommend the most recent stable version of NGINX Ingress Controller, available on the GitHub repository's [releases page]({{< relref "releases.md" >}}). {{}} From f136a4ff26c63f0c75e72aaf713eb6fdd93a4dd1 Mon Sep 17 00:00:00 2001 From: Alan Dooley Date: Wed, 27 Dec 2023 15:16:54 +0000 Subject: [PATCH 03/22] Cherry-pick NGINX App Protect WAF & VirtualServer documentation changes (#4844) --- .../installation/create-custom-resources.md | 48 ++++ .../installation/deploy-controller.md | 10 + .../app-protect-dos/installation.md | 49 +++- .../app-protect-waf/configuration.md | 164 ++++++------ .../app-protect-waf/installation.md | 237 ++++++++++++++---- ...rtual-server-with-custom-listener-ports.md | 8 +- 6 files changed, 371 insertions(+), 145 deletions(-) create mode 100644 docs/content/includes/installation/create-custom-resources.md create mode 100644 docs/content/includes/installation/deploy-controller.md diff --git a/docs/content/includes/installation/create-custom-resources.md b/docs/content/includes/installation/create-custom-resources.md new file mode 100644 index 0000000000..20dbf6c54f --- /dev/null +++ b/docs/content/includes/installation/create-custom-resources.md @@ -0,0 +1,48 @@ +To make sure your NGINX Ingress Controller pods reach the `Ready` state, you'll need to create custom resource definitions (CRDs) for various components. + +Alternatively, you can disable this requirement by setting the `-enable-custom-resources` command-line argument to `false`. + +There are two ways you can install the custom resource definitions: + +1. Using a URL to apply a single CRD yaml file, which we recommend. +1. Applying your local copy of the CRD yaml files, which requires you to clone the repository. + +{{}} + +{{%tab name="Install CRDs from single YAML"%}} + +This single YAML file creates CRDs for the following resources: + +- [VirtualServer and VirtualServerRoute]({{< relref "configuration/virtualserver-and-virtualserverroute-resources.md" >}}) +- [TransportServer]({{< relref "configuration/transportserver-resource.md" >}}) +- [Policy]({{< relref "configuration/policy-resource.md" >}}) +- [GlobalConfiguration]({{< relref "configuration/global-configuration/globalconfiguration-resource.md" >}}) + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/crds.yaml +``` + +{{%/tab%}} + +{{%tab name="Install CRDs after cloning the repo"%}} + +{{< note >}} If you are installing the CRDs this way, ensure you have first cloned the repository. {{< /note >}} + +These YAML files create CRDs for the following resources: + +- [VirtualServer and VirtualServerRoute]({{< relref "configuration/virtualserver-and-virtualserverroute-resources.md" >}}) +- [TransportServer]({{< relref "configuration/transportserver-resource.md" >}}) +- [Policy]({{< relref "configuration/policy-resource.md" >}}) +- [GlobalConfiguration]({{< relref "configuration/global-configuration/globalconfiguration-resource.md" >}}) + +```shell +kubectl apply -f config/crd/bases/k8s.nginx.org_virtualservers.yaml +kubectl apply -f config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml +kubectl apply -f config/crd/bases/k8s.nginx.org_transportservers.yaml +kubectl apply -f config/crd/bases/k8s.nginx.org_policies.yaml +kubectl apply -f config/crd/bases/k8s.nginx.org_globalconfigurations.yaml +``` + +{{%/tab%}} + +{{}} diff --git a/docs/content/includes/installation/deploy-controller.md b/docs/content/includes/installation/deploy-controller.md new file mode 100644 index 0000000000..d1d86c3260 --- /dev/null +++ b/docs/content/includes/installation/deploy-controller.md @@ -0,0 +1,10 @@ +--- +docs: +--- + +You have two options for deploying NGINX Ingress Controller: + +- **Deployment**. Choose this method for the flexibility to dynamically change the number of NGINX Ingress Controller replicas. +- **DaemonSet**. Choose this method if you want NGINX Ingress Controller to run on all nodes or a subset of nodes. + +Before you start, update the [command-line arguments]({{< relref "configuration/global-configuration/command-line-arguments.md" >}}) for the NGINX Ingress Controller container in the relevant manifest file to meet your specific requirements. diff --git a/docs/content/installation/integrations/app-protect-dos/installation.md b/docs/content/installation/integrations/app-protect-dos/installation.md index 750df96918..270d8e9af4 100644 --- a/docs/content/installation/integrations/app-protect-dos/installation.md +++ b/docs/content/installation/integrations/app-protect-dos/installation.md @@ -116,14 +116,53 @@ make push PREFIX=/nginx-plus-ingress --- -## Deploy NGINX Ingress Controller {#deploy-ingress-controller} +## Create custom resources {#create-custom-resources} + +{{< include "installation/create-custom-resources.md" >}} + +--- + +## Create App Protect DoS custom resources + +{{}} + +{{%tab name="Install CRDs from single YAML"%}} + +This single YAML file creates CRDs for the following resources: + +- `APDosPolicy` +- `APDosLogConf` +- `DosProtectedResource` + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/crds-nap-dos.yaml +``` -You have two options for deploying NGINX Ingress Controller: +{{%/tab%}} -- **Deployment**. Choose this method for the flexibility to dynamically change the number of NGINX Ingress Controller replicas. -- **DaemonSet**. Choose this method if you want NGINX Ingress Controller to run on all nodes or a subset of nodes. +{{%tab name="Install CRDs after cloning the repo"%}} + +These YAML files create CRDs for the following resources: + +- `APDosPolicy` +- `APDosLogConf` +- `DosProtectedResource` + +```shell +kubectl apply -f config/crd/bases/appprotectdos.f5.com_apdoslogconfs.yaml +kubectl apply -f config/crd/bases/appprotectdos.f5.com_apdospolicy.yaml +kubectl apply -f config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yaml +``` + +{{%/tab%}} + +{{}} + +--- + +## Deploy NGINX Ingress Controller {#deploy-ingress-controller} -Before you start, update the [command-line arguments]({{< relref "configuration/global-configuration/command-line-arguments.md" >}}) for the NGINX Ingress Controller container in the relevant manifest file to meet your specific requirements. +{{< include "installation/deploy-controller.md" >}} ### Using a Deployment diff --git a/docs/content/installation/integrations/app-protect-waf/configuration.md b/docs/content/installation/integrations/app-protect-waf/configuration.md index 2bfc4e2e9b..0e3dc796e7 100644 --- a/docs/content/installation/integrations/app-protect-waf/configuration.md +++ b/docs/content/installation/integrations/app-protect-waf/configuration.md @@ -1,6 +1,6 @@ --- title: Configuration -description: "Learn how to use NGINX Ingress Controller to configure NGINX App Protect WAF." +description: "This document explains how to use F5 NGINX Ingress Controller to configure NGINX App Protect WAF." weight: 1900 doctypes: [""] toc: true @@ -8,107 +8,108 @@ docs: "DOCS-578" aliases: ["/app-protect/configuration/"] --- -> Check out the complete NGINX Ingress Controller with NGINX App Protect WAF example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/app-protect-waf). +{{< note >}} The NGINX Ingress Controller repository has complete NGINX App Protect WAF examples with [VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.3.2/examples/custom-resources/app-protect-waf) and [Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.3.2/examples/ingress-resources/app-protect-waf). {{< /note >}} ## Global Configuration -NGINX Ingress Controller has a set of global configuration parameters that align with those available in NGINX App Protect WAF. See [ConfigMap keys]({{< relref "configuration/global-configuration/configmap-resource.md#modules" >}}) for the complete list. The NGINX App Protect WAF parameters use the `app-protect*` prefix. +NGINX Ingress Controller has global configuration parameters that match those in NGINX App Protect WAF. They are found in the [ConfigMap resource]({{< relref "configuration/global-configuration/configmap-resource.md#modules" >}}): the NGINX App Protect WAF parameters are prefixed with `app-protect*`. ## Enable NGINX App Protect WAF -You can enable and configure NGINX App Protect WAF on the Custom Resources (VirtualServer, VirtualServerRoute) or on the Ingress-resource basis. +NGINX App Protect WAF can be enabled and configured for custom resources (VirtualServer, VirtualServerRoute) or Ingress resources. -To configure NGINX App Protect WAF on a VirtualServer resource, you would create a Policy Custom Resource referencing the `APPolicy` Custom Resource or `APPolicy` Bundle, and add this to the VirtualServer definition. See the documentation on the [NGINX App Protect WAF Policy]({{< relref "configuration/policy-resource.md#waf" >}}). +- For custom resources, you need to create a Policy Custom Resource referencing the `APPolicy` custom resource or bundle, then add it to the VirtualServer definition. Additional detail can be found in the [Policy Resource documentation]({{< relref "configuration/policy-resource.md#waf" >}}). +- For Ingress resources, apply the [`app-protect` annotations]({{< relref "configuration/ingress-resources/advanced-configuration-with-annotations.md#app-protect" >}}) to each desired resource. -To configure NGINX App Protect WAF on an Ingress resource, you would apply the [`app-protect` annotations]({{< relref "configuration/ingress-resources/advanced-configuration-with-annotations.md#app-protect" >}}) to each desired resource. ## NGINX App Protect WAF Policies -You can define NGINX App Protect WAF policies for your VirtualServer, VirtualServerRoute, or Ingress resources by creating an `APPolicy` [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). +NGINX App Protect WAF Policies can be created for VirtualServer, VirtualServerRoute, or Ingress resources by creating an `APPolicy` [custom resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). There are some caveats: - > **Note**: The fields `policy.signature-requirements[].minRevisionDatetime` and `policy.signature-requirements[].maxRevisionDatetime` are not supported. - - > **Note**: [The Advanced gRPC Protection for Unary Traffic](/nginx-app-protect-waf/configuration-guide/configuration/#grpc-protection-for-unary-traffic) only supports providing an `idl-file` inline. The fields `policy.idl-files[].link`, `policy.idl-files[].$ref`, and +- The fields `policy.signature-requirements[].minRevisionDatetime` and `policy.signature-requirements[].maxRevisionDatetime` are not supported. +- [The Advanced gRPC Protection for Unary Traffic](/nginx-app-protect-waf/configuration-guide/configuration/#grpc-protection-for-unary-traffic) only supports providing an `idl-file` inline. The fields `policy.idl-files[].link`, `policy.idl-files[].$ref`, and `policy.idl-files[].file` are not supported. The IDL file should be provided in field `policy.idl-files[].contents`. The value of this field can be base64 encoded. In this case the field `policy.idl-files[].isBase64` should be set to `true`. - > **Note**: [External References](/nginx-app-protect-waf/configuration-guide/configuration/#external-references) in the Ingress Controller are deprecated and will not be supported in future releases. - -To add any [NGINX App Protect WAF policy](/nginx-app-protect-waf/declarative-policy/policy/) to an Ingress resource: - -1. Create an `APPolicy` Custom resource manifest. -2. Add the desired policy to the `spec` field in the `APPolicy` resource. - - > **Note**: The relationship between the Policy JSON and the resource spec is 1:1. If you're defining your resources in YAML, as we do in our examples, you'll need to represent the policy as YAML. The fields must match those in the source JSON exactly in name and level. - - For example, say you want to use the [DataGuard policy](/nginx-app-protect-waf/declarative-policy/policy/#policy/data-guard) shown below: - - ```json - { - "policy": { - "name": "dataguard_blocking", - "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" }, - "applicationLanguage": "utf-8", - "enforcementMode": "blocking", - "blocking-settings": { - "violations": [ - { - "name": "VIOL_DATA_GUARD", - "alarm": true, - "block": true - } - ] - }, - "data-guard": { - "enabled": true, - "maskData": true, - "creditCardNumbers": true, - "usSocialSecurityNumbers": true, - "enforcementMode": "ignore-urls-in-list", - "enforcementUrls": [] - } - } - } - ``` +{{}} External references are deprecated in NGINX Ingress Controller and will not be supported in future releases. {{}} - You would create an `APPolicy` resource with the policy defined in the `spec`, as shown below: +To add an [NGINX App Protect WAF policy](/nginx-app-protect-waf/declarative-policy/policy/) to an Ingress resource: - ```yaml - apiVersion: appprotect.f5.com/v1beta1 - kind: APPolicy - metadata: - name: dataguard-blocking - spec: - policy: - name: dataguard_blocking - template: - name: POLICY_TEMPLATE_NGINX_BASE - applicationLanguage: utf-8 - enforcementMode: blocking - blocking-settings: - violations: - - name: VIOL_DATA_GUARD - alarm: true - block: true - data-guard: - enabled: true - maskData: true - creditCardNumbers: true - usSocialSecurityNumbers: true - enforcementMode: ignore-urls-in-list - enforcementUrls: [] +1. Create an `APPolicy` custom resource manifest. +1. Add the policy to the `spec` field in the `APPolicy` resource. + +A resource specification and its Policy JSON **must** match. The fields must be identical in name and nesting level. If the resources are defined with YAML, the policy must also be represented in YAML. + +As an example, this is a [DataGuard policy](/nginx-app-protect-waf/declarative-policy/policy/#policy/data-guard): + +```json +{ + "policy": { + "name": "dataguard_blocking", + "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" }, + "applicationLanguage": "utf-8", + "enforcementMode": "blocking", + "blocking-settings": { + "violations": [ + { + "name": "VIOL_DATA_GUARD", + "alarm": true, + "block": true + } + ] + }, + "data-guard": { + "enabled": true, + "maskData": true, + "creditCardNumbers": true, + "usSocialSecurityNumbers": true, + "enforcementMode": "ignore-urls-in-list", + "enforcementUrls": [] + } + } +} ``` - > Notice how the fields match exactly in name and level. NGINX Ingress Controller will transform the YAML into a valid JSON WAF policy config. +This is what its corresponding `APPolicy` resource defined in the `spec` would look like: + +```yaml +apiVersion: appprotect.f5.com/v1beta1 +kind: APPolicy +metadata: + name: dataguard-blocking +spec: + policy: + name: dataguard_blocking + template: + name: POLICY_TEMPLATE_NGINX_BASE + applicationLanguage: utf-8 + enforcementMode: blocking + blocking-settings: + violations: + - name: VIOL_DATA_GUARD + alarm: true + block: true + data-guard: + enabled: true + maskData: true + creditCardNumbers: true + usSocialSecurityNumbers: true + enforcementMode: ignore-urls-in-list + enforcementUrls: [] +``` + +Notice that the fields match in name and nesting: NGINX Ingress Controller will transform the YAML into a valid JSON WAF policy config. ## NGINX App Protect WAF Logs +Configuring + You can set the [NGINX App Protect WAF log configurations](/nginx-app-protect-waf/logging-overview/logs-overview/) by creating an `APLogConf` [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). To add the [log configurations](/nginx-app-protect-waf/logging-overview/security-log/) to a VirtualServer or an Ingress resource: 1. Create an `APLogConf` Custom Resource manifest. -2. Add the desired log configuration to the `spec` field in the `APLogConf` resource. -3. Add the `APLogConf` reference to the [VirtualServer Policy resource]({{< relref "configuration/policy-resource.md#waf" >}}) or the [Ingress resource]({{< relref "configuration/ingress-resources/advanced-configuration-with-annotations.md#app-protect" >}}) as per the documentation. +1. Add the log configuration to the `spec` field in the `APLogConf` resource. +1. Add a reference to `APLogConf` in the [VirtualServer Policy resource]({{< relref "configuration/policy-resource.md#waf" >}}) or the [Ingress resource]({{< relref "configuration/ingress-resources/advanced-configuration-with-annotations.md#app-protect" >}}) as per the documentation. > **Note**: The fields from the JSON must be presented in the YAML *exactly* the same, in name and level. NGINX Ingress Controller will transform the YAML into a valid JSON WAF log config. @@ -209,12 +210,15 @@ spec: ## App Protect WAF Bundles -You can define App Protect WAF bundles for VirtualServers by creating policy bundles and putting them on a mounted volume accessible from NGINX Ingress Controller. +You can define App Protect WAF bundles for VirtualServer custom resources by creating policy bundles and putting them on a mounted volume accessible from NGINX Ingress Controller. +Before applying a policy, a WAF policy bundle must be created, then copied to a volume mounted to `/etc/nginx/waf/bundles`. + +{{< note >}} NGINX Ingress Controller does not currently support `securityLogs` for policy bundles. {{< /note >}} + +This example show how a policy is configured by referencing a generated WAF Policy Bundle: -For example, you can configure a policy by referencing generated WAF Policy Bundle: -> **Note**: Currently we do not support `securityLogs` for policy bundles. ```yaml apiVersion: k8s.nginx.org/v1 kind: Policy @@ -226,8 +230,6 @@ spec: apBundle: ".tgz" ``` -> **Note**: Before applying the policy, a WAF Policy Bundle must be created, copied to a volume, and the volume must be mounted to `/etc/nginx/waf/bundles`. - ## OpenAPI Specification in NGINX Ingress Controller The OpenAPI Specification defines the spec file format needed to describe RESTful APIs. The spec file can be written either in JSON or YAML. Using a spec file simplifies the work of implementing API protection. Refer to the [OpenAPI Specification](https://github.com/OAI/OpenAPI-Specification) (formerly called Swagger) for details. diff --git a/docs/content/installation/integrations/app-protect-waf/installation.md b/docs/content/installation/integrations/app-protect-waf/installation.md index e739a772fa..61f34f1d16 100644 --- a/docs/content/installation/integrations/app-protect-waf/installation.md +++ b/docs/content/installation/integrations/app-protect-waf/installation.md @@ -1,6 +1,6 @@ --- -title: Installation with NGINX App Protect WAF -description: "This document provides an overview of the steps required to use NGINX App Protect WAF with your NGINX Ingress Controller deployment." +title: Building NGINX Ingress Controller with NGINX App Protect WAF +description: "This document explains how to build a F5 NGINX Ingress Controller image with F5 NGINX App Protect WAF from source code." weight: 1800 doctypes: [""] toc: true @@ -8,86 +8,213 @@ docs: "DOCS-579" aliases: ["/app-protect/installation/"] --- -> **Note**: The NGINX Kubernetes Ingress Controller integration with NGINX App Protect WAF requires the use of NGINX Plus. +{{< custom-styles >}} -This document provides an overview of the steps required to use NGINX App Protect WAF with your NGINX Ingress Controller deployment. You can visit the linked documents to find additional information and instructions. +{{}} If you'd rather not build your own NGINX Ingress Controller image, see the [pre-built image options](#pre-built-images) at the end of this guide.{{}} -You can also [install the Ingress Controller with App Protect WAF by using Helm]({{< relref "installation/installing-nic/installation-with-helm.md" >}}). Use the `controller.appprotect.*` parameters of the chart. +## Before you start -## Prerequisites +- To use NGINX App Protect WAF with NGINX Ingress Controller, you must have NGINX Plus. -1. Make sure you have access to the Ingress Controller image: - - For NGINX Plus Ingress Controller, see [here]({{< relref "installation/nic-images/pulling-ingress-controller-image" >}}) for details on how to pull the image from the F5 Docker registry. - - To pull from the F5 Container registry in your Kubernetes cluster, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here]({{< relref "installation/nic-images/using-the-jwt-token-docker-secret" >}}). - - It is also possible to build your own image and push it to your private Docker registry by following the instructions from [here]({{< relref "installation/building-nginx-ingress-controller.md" >}})). -2. Clone the Ingress Controller repo: +## Prepare the environment + +Get your system ready for building and pushing the NGINX Ingress Controller image with NGINX App Protect WAF. + +1. Sign in to your private registry. Replace `` with the path to your own private registry. + + ```shell + docker login + ``` + +1. Clone the NGINX Ingress Controller repository: ```console git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.0 cd kubernetes-ingress ``` -## Build the Docker Image +--- -Take the steps below to create the Docker image that you'll use to deploy NGINX Ingress Controller with App Protect in Kubernetes. +## Build the image -- [Build the NGINX Ingress Controller image]({{< relref "installation/building-nginx-ingress-controller.md" >}})). +Follow these steps to build the NGINX Controller Image with NGINX App Protect WAF. - When running the `make` command to build the image, be sure to use the `debian-image-nap-plus` target. For example: +1. Place your NGINX Plus license files (_nginx-repo.crt_ and _nginx-repo.key_) in the project's root folder. To verify they're in place, run: - ```console - make debian-image-nap-plus PREFIX=/nginx-plus-ingress + ```shell + ls nginx-repo.* + ``` + + You should see: + + ```shell + nginx-repo.crt nginx-repo.key ``` - Alternatively, if you want to run on an [OpenShift](https://www.openshift.com/) cluster, you can use the `ubi-image-nap-plus` target. +2. Build the image. Replace `` with your chosen build option and `` with your private registry's path. Refer to the [Makefile targets](#makefile-targets) table below for the list of build options. + + ```shell + make PREFIX=/nginx-plus-ingress TARGET=download + ``` + + For example, to build a Debian-based image with NGINX Plus and NGINX App Protect DoS, run: + + ```shell + make debian-image-dos-plus PREFIX=/nginx-plus-ingress TARGET=download + ``` + + **What to expect**: The image is built and tagged with a version number, which is derived from the `VERSION` variable in the [_Makefile_]({{< relref "installation/building-nginx-ingress-controller.md#makefile-details" >}}). This version number is used for tracking and deployment purposes. + +{{}} In the event a patch of NGINX Plus is released, make sure to rebuild your image to get the latest version. If your system is caching the Docker layers and not updating the packages, add `DOCKER_BUILD_OPTIONS="--pull --no-cache"` to the make command. {{}} + +### Makefile targets {#makefile-targets} + +{{}} +| Makefile Target | Description | Compatible Systems | +|---------------------------|-------------------------------------------------------------------|---------------------| +| **debian-image-nap-plus** | Builds a Debian-based image with NGINX Plus and the [NGINX App Protect WAF](/nginx-app-protect-waf/) module. | Debian | +| **debian-image-nap-dos-plus** | Builds a Debian-based image with NGINX Plus, [NGINX App Protect WAF](/nginx-app-protect-waf/), and [NGINX App Protect DoS](/nginx-app-protect-dos/) | Debian | +| **ubi-image-nap-plus** | Builds a UBI-based image with NGINX Plus and the [NGINX App Protect WAF](/nginx-app-protect-waf/) module. | OpenShift | +| **ubi-image-nap-dos-plus** | Builds a UBNI-based image with NGINX Plus, [NGINX App Protect WAF](/nginx-app-protect-waf/), and [NGINX App Protect DoS](/nginx-app-protect-dos/). | OpenShift | +{{}} + +
+ +{{}} For the complete list of _Makefile_ targets and customizable variables, see the [Building NGINX Ingress Controller]({{< relref "installation/building-nginx-ingress-controller.md#makefile-details" >}}) guide. {{}} + +If you intend to use [external references](/nginx-app-protect-waf/configuration/#external-references) in NGINX App Protect WAF policies, you may want to provide a custom CA certificate to authenticate with the hosting server. + +To do so, place the `*.crt` file in the build folder and uncomment the lines following this comment: +`#Uncomment the lines below if you want to install a custom CA certificate` + +{{}} External references are deprecated in NGINX Ingress Controller and will not be supported in future releases. {{}} + +--- + +## Push the image to your private registry + +Once you've successfully built the NGINX Ingress Controller image with NGINX App Protect WAF, the next step is to upload it to your private Docker registry. This makes the image available for deployment to your Kubernetes cluster. + +To upload the image, run the following command. If you're using a custom tag, add `TAG=your-tag` to the end of the command. Replace `` with your private registry's path. + +```shell +make push PREFIX=/nginx-plus-ingress +``` + +--- + +## Set up role-based access control (RBAC) {#set-up-rbac} + +{{< include "rbac/set-up-rbac.md" >}} + +--- + +## Create common resources {#create-common-resources} + +{{< include "installation/create-common-resources.md" >}} + +--- + +## Create core custom resources {#create-custom-resources} + + +{{< include "installation/create-custom-resources.md" >}} + +--- + +## Create App Protect WAF custom resources + +{{< note >}} If you're using NGINX Ingress Controller with the App Protect WAF module and policy bundles, you can skip this section. You will need to create and configure [Persistent Volume and Persistent Volume Claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) in your Kubernetes cluster. {{< /note >}} + +
+ +{{}} + +{{%tab name="Install CRDs from single YAML"%}} + +This single YAML file creates CRDs for the following resources: + +- `APPolicy` +- `APLogConf` +- `APUserSig` + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.3.2/deploy/crds-nap-waf.yaml +``` + +{{%/tab%}} - If you want to include the App Protect DoS module in the image, you can use the `debian-image-nap-dos-plus` target or the `ubi-image-nap-dos-plus` target for OpenShift. +{{%tab name="Install CRDs after cloning the repo"%}} - If you intend to use [external references](https://docs.nginx.com/nginx-app-protect/configuration/#external-references) in NGINX App Protect WAF policies, you may want to provide a custom CA certificate to authenticate with the hosting server. - In order to do so, place the `*.crt` file in the build folder and uncomment the lines that follow this comment: - `#Uncomment the lines below if you want to install a custom CA certificate` +{{< note >}} If you are installing the CRDs this way, ensure you have first cloned the repository. {{< /note >}} - > **Note**: [External References](/nginx-app-protect/configuration-guide/configuration/#external-references) in the Ingress Controller are deprecated and will not be supported in future releases. +These YAML files create CRDs for the following resources: - **Note**: In the event of a patch version of NGINX Plus being [released](/nginx/releases/), make sure to rebuild your image to get the latest version. The Dockerfile will use the latest available version of the [Attack Signatures](/nginx-app-protect/configuration/#attack-signatures) and [Threat Campaigns](/nginx-app-protect/configuration/#threat-campaigns) packages at the time of build. If your system is caching the Docker layers and not updating the packages, add `DOCKER_BUILD_OPTIONS="--no-cache"` to the `make` command. +- `APPolicy` +- `APLogConf` +- `APUserSig` -- [Push the image to your local Docker registry]({{< relref "installation/building-nginx-ingress-controller.md#build-image-push-to-private-repo" >}}. +```shell +kubectl apply -f config/crd/bases/appprotect.f5.com_appolicies.yaml +kubectl apply -f config/crd/bases/appprotect.f5.com_aplogconfs.yaml +kubectl apply -f config/crd/bases/appprotect.f5.com_apusersigs.yaml +``` -## Install the Ingress Controller +{{%/tab%}} -Take the steps below to set up and deploy the NGINX Ingress Controller and App Protect WAF module in your Kubernetes cluster. +{{}} -1. [Configure role-based access control (RBAC)]({{< relref "installation/installing-nic/installation-with-manifests.md#configure-rbac" >}}). +--- + +## Deploy NGINX Ingress Controller {#deploy-ingress-controller} + +{{< include "installation/deploy-controller.md" >}} + +{{< note >}} If you're using NGINX Ingress Controller with the AppProtect WAF module and policy bundles, you will need to modify the Deployment or DaemonSet file to include volumes and volume mounts. + +NGINX Ingress Controller **requires** the volume mount path to be `/etc/nginx/waf/bundles`. {{< /note >}} + +Add a `volumes` section to deployment template spec: + +```yaml +... +volumes: +- name: +persistentVolumeClaim: + claimName: +... +``` + +Add volume mounts to the `containers` section: + +```yaml +... +volumeMounts: +- name: + mountPath: /etc/nginx/waf/bundles +... +``` - > **Important**: You must have an admin role to configure RBAC in your Kubernetes cluster. +### Using a Deployment -2. [Create the common Kubernetes resources]({{< relref "installation/installing-nic/installation-with-manifests.md#create-common-resources" >}}). -3. Enable the App Protect WAF module by adding the `enable-app-protect` [cli argument]({{< relref "configuration/global-configuration/command-line-arguments.md#cmdoption-enable-app-protect" >}}) to your Deployment or DaemonSet file. - If you intend to use the NGINX Ingress Controller with the AppProtect WAF module and policy bundles, follow these additional steps: - - Skip configuring custom resource definition for `APPolicy` `APLogConf` and `APUserSig`. - - Create and configure [Persistent Volume and Persistent Volume Claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) in your Kubernetes cluster. - - Modify NGINX Ingress Controller Deployment or DaemonSet file to include volumes and volume mounts. +{{< include "installation/manifests/deployment.md" >}} + +### Using a DaemonSet + +{{< include "installation/manifests/daemonset.md" >}} + +--- + +## Enable NGINX App Protect WAF module + +To enable the NGINX App Protect DoS Module: + +- Add the `enable-app-protect` [command-line argument]({{< relref "configuration/global-configuration/command-line-arguments.md#cmdoption-enable-app-protect" >}}) to your Deployment or DaemonSet file. + +--- - Make the following changes: - Add `volumes` section to deployment template spec: - ```yaml - ... - volumes: - - name: - persistentVolumeClaim: - claimName: - ... - ``` - Add volume mounts to `containers` section: - ```yaml - ... - volumeMounts: - - name: - mountPath: /etc/nginx/waf/bundles - ... - ``` - > **Important**: NGINX Ingress Controller requires the volume mount path to be `/etc/nginx/waf/bundles` +## Confirm NGINX Ingress Controller is running -4. [Deploy the Ingress Controller]({{< relref "installation/installing-nic/installation-with-manifests.md#deploy-ingress-controller" >}}). +{{< include "installation/manifests/verify-pods-are-running.md" >}} For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-waf/configuration.md" >}}) and the NGINX Ingress Controller with App Protect example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/app-protect-waf" >}}). diff --git a/docs/content/tutorials/virtual-server-with-custom-listener-ports.md b/docs/content/tutorials/virtual-server-with-custom-listener-ports.md index a0badbe88f..9c9d569eb6 100644 --- a/docs/content/tutorials/virtual-server-with-custom-listener-ports.md +++ b/docs/content/tutorials/virtual-server-with-custom-listener-ports.md @@ -9,7 +9,7 @@ toc: true ## Configuring a VirtualServer with custom HTTP and HTTPS listener ports. VirtualServer can explicitly define custom HTTP and HTTPS listener ports using the `spec.listener.http` and `spec.listener.https` fields. -Each field must reference a valid listener defined by in a [GlobalConfiguration](/nginx-ingress-controller/configuration/global-configuration/globalconfiguration-resource/) resource. +Each field must reference a valid listener defined by in a [GlobalConfiguration]({{< relref "/configuration/global-configuration/globalconfiguration-resource.md" >}}) resource. ## Deploy GlobalConfiguration @@ -55,7 +55,7 @@ kubectl apply -f nginx-configuration.yaml ssl: true ``` -1. Follow the [Installation with Helm](/nginx-ingress-controller/installation/installation-with-helm/) instructions to deploy the NGINX Ingress Controller with custom resources enabled. +1. Follow the [Installation with Helm]({{< relref "/installation/installing-nic/installation-with-helm.md" >}}) instructions to deploy the NGINX Ingress Controller with custom resources enabled. 1. Ensure your NodePort or LoadBalancer service is configured to expose the custom listener ports. This is set in the `customPorts` section under `controller.service.customPorts`: @@ -82,7 +82,7 @@ kubectl apply -f nginx-configuration.yaml - -$(POD_NAMESPACE)/nginx-configuration ``` -2. Follow the [Installation with Manifests](/nginx-ingress-controller/installation/installation-with-manifests/) instructions to deploy the NGINX Ingress Controller with custom resources enabled. +2. Follow the [Installation with Manifests]({{< relref "/installation/installing-nic/installation-with-manifests.md" >}}) instructions to deploy the NGINX Ingress Controller with custom resources enabled. 3. Ensure your NodePort or LoadBalancer service is configured to expose the custom listener ports. Below is an example yaml configuration using NodePort, which would also apply to a LoadBalancer service: @@ -112,7 +112,7 @@ kubectl apply -f nginx-configuration.yaml {{}} ## Deploying VirtualServer with custom listeners -Deploy the example resources in the [custom listeners](/examples/custom-resources/custom-listeners/) folder. This will deploy all required resources, including the VirtualServer. +Deploy the [custom listeners](https://github.com/nginxinc/kubernetes-ingress/tree/v3.3.2/examples/custom-resources/custom-listeners) resources from the repository examples. It includes all required resources, including VirtualServer. Below is a snippet of the VirtualServer resource that will be deployed: From c36901c4e3a8dbdac65afa3472444b5827524ba2 Mon Sep 17 00:00:00 2001 From: Venktesh Shivam Patel Date: Tue, 2 Jan 2024 14:53:53 +0000 Subject: [PATCH 04/22] Update docs to include CRD upgrade (#4852) --- .../installing-nic/installation-with-operator.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/content/installation/installing-nic/installation-with-operator.md b/docs/content/installation/installing-nic/installation-with-operator.md index 399cea5324..865f95dd70 100644 --- a/docs/content/installation/installing-nic/installation-with-operator.md +++ b/docs/content/installation/installing-nic/installation-with-operator.md @@ -27,8 +27,10 @@ h2 { - To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here]({{< relref "installation/nic-images/using-the-jwt-token-docker-secret" >}}). - It is also possible to build your own image and push it to your private Docker registry by following the instructions from [here]({{< relref "installation/building-nginx-ingress-controller.md" >}})). -2. Install the NGINX Ingress Operator following the [instructions](https://github.com/nginxinc/nginx-ingress-helm-operator/blob/v1.4.1/docs/installation.md). -3. Create the SecurityContextConstraint as outlined in the ["Getting Started" instructions](https://github.com/nginxinc/nginx-ingress-helm-operator/blob/v1.4.1/README.md#getting-started). +2. Install the NGINX Ingress Operator following the [instructions](https://github.com/nginxinc/nginx-ingress-helm-operator/blob/main/docs/installation.md). +3. Create the SecurityContextConstraint as outlined in the ["Getting Started" instructions](https://github.com/nginxinc/nginx-ingress-helm-operator/blob/main/README.md#getting-started). + +{{}} If you're upgrading your operator installation to a later release, navigate [here](https://github.com/nginxinc/nginx-ingress-helm-operator/blob/main/helm-charts/nginx-ingress) and run `kubectl apply -f crds/` or `oc apply -f crds/` as a prerequisite{{}} ## Create the NGINX Ingress Controller manifest @@ -64,7 +66,7 @@ kubectl apply -f nginx-ingress-controller.yaml A new instance of NGINX Ingress Controller will be deployed by the NGINX Ingress Operator in the `default` namespace with default parameters. -To configure other parameters of the NginxIngressController resource, check the [documentation](https://github.com/nginxinc/nginx-ingress-helm-operator/blob/v1.4.1/docs/nginx-ingress-controller.md). +To configure other parameters of the NginxIngressController resource, check the [documentation](https://github.com/nginxinc/nginx-ingress-helm-operator/blob/main/docs/nginx-ingress-controller.md). ## Troubleshooting From a376068df19fffdc40efd72af614a67282a8247f Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Fri, 12 Jan 2024 12:27:21 +0000 Subject: [PATCH 05/22] Cherry pick 3.4.1 (#4886) * fix release script for helm (#4810) Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> * Test jobs further refactor (#4820) * Fix AWS registry (#4825) * Don't push Marketplace images (#4827) * Add the ability to have Nginx version checks in templates (#4831) Add the ability to add version dependent template elements * Add trigger for GCP Marketplace repo (#4829) * Add automatic push to GCP Marketplace (#4828) * Update N+ to R31 (#4850) * Bump the go group with 3 updates (#4846) Bumps the go group with 3 updates: [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2), [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) and [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang). Updates `github.com/aws/aws-sdk-go-v2/config` from 1.26.1 to 1.26.2 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.26.1...config/v1.26.2) Updates `github.com/go-chi/chi/v5` from 5.0.10 to 5.0.11 - [Release notes](https://github.com/go-chi/chi/releases) - [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md) - [Commits](https://github.com/go-chi/chi/compare/v5.0.10...v5.0.11) Updates `github.com/prometheus/client_golang` from 1.17.0 to 1.18.0 - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.17.0...v1.18.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/go-chi/chi/v5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Report User Agent for Alpine and UBI (#4845) * Bump the go group with 2 updates (#4873) Bumps the go group with 2 updates: [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/aws-sdk-go-v2/service/marketplacemetering](https://github.com/aws/aws-sdk-go-v2). Updates `github.com/aws/aws-sdk-go-v2/config` from 1.26.2 to 1.26.3 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.26.2...config/v1.26.3) Updates `github.com/aws/aws-sdk-go-v2/service/marketplacemetering` from 1.19.5 to 1.19.6 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/mq/v1.19.5...service/efs/v1.19.6) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/service/marketplacemetering dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> * Update UBI string for new images (#4893) * Bump the go group with 1 update (#4905) Bumps the go group with 1 update: [github.com/nginxinc/nginx-prometheus-exporter](https://github.com/nginxinc/nginx-prometheus-exporter). Updates `github.com/nginxinc/nginx-prometheus-exporter` from 1.0.0 to 1.1.0 - [Release notes](https://github.com/nginxinc/nginx-prometheus-exporter/releases) - [Changelog](https://github.com/nginxinc/nginx-prometheus-exporter/blob/main/CHANGELOG.md) - [Commits](https://github.com/nginxinc/nginx-prometheus-exporter/compare/v1.0.0...v1.1.0) --- updated-dependencies: - dependency-name: github.com/nginxinc/nginx-prometheus-exporter dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> * patch base images on container build (#4869) --------- Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> Signed-off-by: dependabot[bot] Co-authored-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> Co-authored-by: Luca Comellini Co-authored-by: oseoin Co-authored-by: Venktesh Shivam Patel Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/scripts/release-version-update.sh | 12 +-- .github/workflows/build-plus.yml | 22 ++++- .github/workflows/ci.yml | 34 +++++-- build/Dockerfile | 28 ++++-- cmd/nginx-ingress/main.go | 17 ++-- docs/content/technical-specifications.md | 2 +- go.mod | 32 +++--- go.sum | 68 ++++++------- internal/configs/config_params.go | 6 +- internal/configs/configmaps.go | 1 + internal/configs/configurator.go | 1 + internal/configs/configurator_test.go | 2 + internal/configs/version1/config.go | 3 + internal/configs/version1/nginx-plus.tmpl | 6 ++ internal/configs/version1/template_test.go | 49 ++++++++++ internal/nginx/fake_manager.go | 4 +- internal/nginx/manager.go | 97 ++++++++++++++++++- internal/nginx/manager_test.go | 94 ++++++++++++++++++ .../test_virtual_server_backup_service.py | 1 + 19 files changed, 393 insertions(+), 86 deletions(-) create mode 100644 internal/nginx/manager_test.go diff --git a/.github/scripts/release-version-update.sh b/.github/scripts/release-version-update.sh index efddb21d85..177b11f0e4 100755 --- a/.github/scripts/release-version-update.sh +++ b/.github/scripts/release-version-update.sh @@ -55,6 +55,9 @@ echo "Updating versions: " echo "ic_version: ${current_ic_version} -> ${ic_version}" echo "helm_chart_version: ${current_helm_chart_version} -> ${helm_chart_version}" +regex_ic="s#$current_ic_version#$ic_version#g" +regex_helm="s#$current_helm_chart_version#$helm_chart_version#g" + mv "${HELM_CHART_PATH}/values.schema.json" "${TMPDIR}/" jq --arg version "${ic_version}" \ '.properties.controller.properties.image.properties.tag.default = $version | .properties.controller.properties.image.properties.tag.examples[0] = $version | .properties.controller.examples[0].image.tag = $version | .properties.controller.properties.image.examples[0].tag = $version | .examples[0].controller.image.tag = $version' \ @@ -74,8 +77,7 @@ for i in "${FILES_TO_UPDATE_IC_VERSION[@]}"; do fi file_name=$(basename "${i}") mv "${i}" "${TMPDIR}/${file_name}" - regex="s#$current_ic_version#$ic_version#g" - cat "${TMPDIR}/${file_name}" | sed -e "$regex" > "${i}" + cat "${TMPDIR}/${file_name}" | sed -e "$regex_ic" > "${i}" if [ $? -ne 0 ]; then echo "ERROR: failed processing ${i}" mv "${TMPDIR}/${file_name}" "${i}" @@ -90,8 +92,7 @@ for i in "${FILE_TO_UPDATE_HELM_CHART_VERSION[@]}"; do fi file_name=$(basename "${i}") mv "${i}" "${TMPDIR}/${file_name}" - regex="s#$current_ic_version#$ic_version#g" - cat "${TMPDIR}/${file_name}" | sed -e "$regex" > "${i}" + cat "${TMPDIR}/${file_name}" | sed -e "$regex_helm" > "${i}" if [ $? -ne 0 ]; then echo "ERROR: failed processing ${i}" mv "${TMPDIR}/${file_name}" "${i}" @@ -107,8 +108,7 @@ for i in ${docs_files}; do fi file_name=$(basename "${i}") mv "${i}" "${TMPDIR}/${file_name}" - regex="s#$current_ic_version#$ic_version#g" - cat "${TMPDIR}/${file_name}" | sed -e "$regex" > "${i}" + cat "${TMPDIR}/${file_name}" | sed -e "$regex_ic" | sed -e "$regex_helm" > "${i}" if [ $? -ne 0 ]; then echo "ERROR: failed processing ${i}" mv "${TMPDIR}/${file_name}" "${i}" diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index bbab64fc44..56cf2a512d 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml @@ -71,6 +71,23 @@ jobs: password: ${{ steps.auth.outputs.access_token }} if: github.event_name != 'pull_request' + - name: Authenticate to Google Cloud Marketplace + id: auth-mktpl + uses: google-github-actions/auth@67e9c72af6e0492df856527b474995862b7b6591 # v2.0.0 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY_MKTPL }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT_MKTPL }} + if: github.ref_type == 'tag' && ! contains(inputs.target, 'aws') + + - name: Login to GCR for Marketplace + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth-mktpl.outputs.access_token }} + if: github.ref_type == 'tag' && ! contains(inputs.target, 'aws') + - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: @@ -107,7 +124,8 @@ jobs: with: images: | name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}/nginx-plus-ingress - name=docker-mgmt.nginx.com/nginx-ic${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}/nginx-plus-ingress,enable=${{ github.ref_type != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') }} + name=gcr.io/f5-7626-networks-public/nginxinc/nginx-plus-ingress${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }},enable=${{ github.ref_type == 'tag' && ! contains(inputs.target, 'aws') && ! contains(inputs.image, 'alpine') && ! contains(inputs.image, 'ubi') }} + name=docker-mgmt.nginx.com/nginx-ic${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}/nginx-plus-ingress,enable=${{ github.ref_type != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! contains(inputs.target, 'aws') }} name=709825985650.dkr.ecr.us-east-1.amazonaws.com/nginx/nginx-plus-ingress${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }},enable=${{ github.ref_type == 'tag' && contains(inputs.target, 'aws') }} flavor: | suffix=${{ contains(inputs.image, 'ubi') && '-ubi' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}},onlatest=true @@ -161,7 +179,7 @@ jobs: - name: AWS variables id: aws run: | - aws_registry=$(echo "${{ steps.meta.outputs.tags }}" | grep -oP "709825985650.dkr.ecr.us-east-1.amazonaws.com/[^[:space:]]+") + aws_registry=$(echo "${{ steps.meta.outputs.tags }}" | grep -oP "709825985650.dkr.ecr.us-east-1.amazonaws.com/[^[:space:]]+:${{ steps.meta.outputs.version }}") version=$(echo ${{ steps.meta.outputs.version }} | sed 's/-mktpl//') declare -A nap_mapping=( ["waf"]=_NAP_WAF diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 966febbc22..af0245f651 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -282,18 +282,17 @@ jobs: {\"image\": \"alpine\", \"marker\":\"'policies and not policies_rl and not policies_ac and not policies_jwt and not policies_mtls'\"}, \ {\"image\": \"alpine\", \"marker\":\"'policies_rl or policies_ac or policies_jwt or policies_mtls'\"}, \ {\"image\": \"debian\", \"marker\": \"'vs and not vs_ipv6 and not vs_rewrite and not vs_responses and not vs_grpc and not vs_redirects and not vs_externalname and not vs_externaldns and not vs_certmanager'\"}, \ - {\"image\": \"debian\", \"marker\": \"'vs_ipv6 or vs_rewrite or vs_responses or vs_grpc or vs_redirects or vs_externalname or vs_externaldns or vs_certmanager'\"}, \ - {\"image\": \"debian\", \"marker\": \"'vs_certmanager'\"}, \ + {\"image\": \"debian\", \"marker\": \"'vs_grpc or vs_redirects or vs_externalname or vs_externaldns'\"}, \ + {\"image\": \"debian\", \"marker\": \"'vs_responses or vs_ipv6 or vs_rewrite or vs_certmanager'\"}, \ {\"image\": \"ubi\", \"marker\": \"ts\"}, \ {\"image\": \"debian-plus\", \"marker\": \"'vs and not vs_ipv6 and not vs_rewrite and not vs_responses and not vs_grpc and not vs_redirects and not vs_externalname and not vs_externaldns and not vs_certmanager'\"}, \ - {\"image\": \"debian-plus\", \"marker\": \"'vs_ipv6 or vs_rewrite or vs_responses or vs_grpc or vs_redirects or vs_externalname or vs_externaldns or vs_certmanager'\"}, \ - {\"image\": \"debian-plus\", \"marker\": \"vs_certmanager\"}, \ + {\"image\": \"debian-plus\", \"marker\": \"'vs_grpc or vs_redirects or vs_externalname or vs_externaldns'\"}, \ + {\"image\": \"debian-plus\", \"marker\": \"'vs_responses or vs_ipv6 or vs_rewrite or vs_certmanager'\"}, \ {\"image\": \"debian-plus\", \"marker\": \"ts\"}, \ {\"image\": \"alpine-plus\", \"marker\":\"ingresses\"}, \ {\"image\": \"alpine-plus\", \"marker\": \"vsr\"}, \ - {\"image\": \"ubi-plus\", \"marker\":\"'policies and not policies_rl and not policies_ac and not policies_jwt and not policies_mtls'\"}, \ - {\"image\": \"ubi-plus\", \"marker\":\"'policies_rl or policies_ac or policies_jwt or policies_mtls'\"}, \ - {\"image\": \"debian-plus-nap\", \"marker\": \"appprotect_integration\"}, \ + {\"image\": \"ubi-plus\", \"marker\":\"'policies and not policies_ac and not policies_jwt and not policies_mtls'\"}, \ + {\"image\": \"ubi-plus\", \"marker\":\"'policies_ac or policies_jwt or policies_mtls'\"}, \ {\"image\": \"debian-plus-nap\", \"marker\": \"appprotect_waf_policies_allow\"}, \ {\"image\": \"debian-plus-nap\", \"marker\": \"'appprotect_waf_policies and not appprotect_waf_policies_allow'\"}, \ {\"image\": \"debian-plus-nap\", \"marker\": \"appprotect_waf_policies_grpc\"}, \ @@ -502,3 +501,24 @@ jobs: }, }) if: github.ref_type == 'tag' + + gcp-marketplace: + name: Trigger PR for GCP Marketplace + runs-on: ubuntu-22.04 + needs: [checks, publish-helm] + steps: + - name: + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{ secrets.NGINX_PAT }} + script: | + await github.rest.actions.createWorkflowDispatch({ + owner: context.repo.owner, + repo: 'kubernetes-ingress-gcp', + workflow_id: 'sync-chart.yml', + ref: 'main', + inputs: { + chart_version: '${{ needs.checks.outputs.chart_version }}' + }, + }) + if: github.ref_type == 'tag' diff --git a/build/Dockerfile b/build/Dockerfile index 1a7b0110b6..a4db7ba74a 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,7 +1,8 @@ # syntax=docker/dockerfile:1.6 ARG BUILD_OS=debian -ARG NGINX_PLUS_VERSION=R30 +ARG NGINX_PLUS_VERSION=R31 ARG DOWNLOAD_TAG=edge +ARG DEBIAN_FRONTEND=noninteractive ############################################# Base images containing libs for Opentracing and FIPS ############################################# @@ -15,9 +16,11 @@ FROM nginx:1.25.3-alpine AS alpine RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ apk add --no-cache libcap libstdc++ \ + && apk upgrade --no-cache -U \ && cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ && cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \ - && ldconfig /usr/local/lib/ + && ldconfig /usr/local/lib/ \ + && apk cache clean ############################################# Base image for Debian ############################################# @@ -25,6 +28,7 @@ FROM nginx:1.25.3 AS debian RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ apt-get update \ + && apt-get upgrade -y \ && apt-get install --no-install-recommends --no-install-suggests -y libcap2-bin \ && rm -rf /var/lib/apt/lists/* \ && cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ @@ -47,6 +51,8 @@ LABEL name="NGINX Ingress Controller" \ io.openshift.tags="nginx,ingress-controller,ingress,controller,kubernetes,openshift" COPY --link --chown=101:0 LICENSE /licenses/ +RUN microdnf update -y \ + && microdnf clean all ############################################# NGINX files for NGINX Plus ############################################# @@ -69,9 +75,11 @@ ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/m ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/main/files/nap-waf-debian-11.repo nap-waf-11.sources ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/main/files/nap-dos-debian-11.repo nap-dos-11.sources -RUN --mount=from=busybox:musl,src=/bin/,dst=/bin/ printf "%s\n" "Acquire::https::pkgs.nginx.com::User-Agent \"k8s-ic-$IC_VERSION${BUILD_OS##debian-plus}-apt\";" >> 90pkgs-nginx \ +RUN --mount=from=busybox:musl,src=/bin/,dst=/bin/ printf "%s\n" "Acquire::https::pkgs.nginx.com::User-Agent k8s-ic-$IC_VERSION${BUILD_OS##debian-plus}-apt;" >> 90pkgs-nginx \ + && printf "%s\n" "user_agent=k8s-ic-$IC_VERSION${BUILD_OS##ubi*plus}-dnf" | tee -a nginx-plus-*.repo \ && sed -i -e "s;%VERSION%;${NGINX_PLUS_VERSION};g" *.sources \ - && sed -i -e "y/0/1/" -e "1,8s;/centos;/${NGINX_PLUS_VERSION}/centos;" *.repo + && sed -i -e "y/0/1/" -e "1,8s;/centos;/${NGINX_PLUS_VERSION}/centos;" *.repo \ + && echo HTTP_USER_AGENT="k8s-ic-$IC_VERSION${BUILD_OS##alpine-plus}-apk" > user_agent ############################################# Base image for Alpine with NGINX Plus ############################################# @@ -82,10 +90,14 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ --mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \ --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ - printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + --mount=type=bind,from=nginx-files,src=user_agent,target=/tmp/user_agent \ + export $(cat /tmp/user_agent) \ + && printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + && apk upgrade --no-cache -U \ && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing nginx-plus-module-fips-check libcap libcurl \ && cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ - && ldconfig /usr/local/lib/ + && ldconfig /usr/local/lib/ \ + && apk cache clean ############################################# Base image for Alpine with NGINX Plus and FIPS ############################################# @@ -109,6 +121,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode --mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \ --mount=type=bind,from=nginx-files,src=debian-plus-12.sources,target=/etc/apt/sources.list.d/nginx-plus.sources \ apt-get update \ + && apt-get upgrade -y \ && apt-get install --no-install-recommends --no-install-suggests -y sq ca-certificates libcap2-bin libcurl4 \ && groupadd --system --gid 101 nginx \ && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ @@ -136,6 +149,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode --mount=type=bind,from=nginx-files,src=nap-dos-11.sources,target=/etc/apt/sources.list.d/app-protect-dos.sources \ ## the code below is duplicated from the debian-plus image because NAP doesn't support debian 12 apt-get update \ + && apt-get upgrade -y \ && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates sq \ && groupadd --system --gid 101 nginx \ && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ @@ -171,6 +185,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ --mount=type=bind,from=nginx-files,src=nginx-plus-9.repo,target=/etc/yum.repos.d/nginx-plus.repo \ microdnf --nodocs install -y shadow-utils \ + && microdnf update -y \ && cat /etc/yum.repos.d/nginx-plus.repo \ && groupadd --system --gid 101 nginx \ && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ @@ -195,6 +210,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode source /tmp/rhel_license \ ## the code below is duplicated from the ubi-plus image because NAP doesn't support UBI 9 and minimal versions dnf --nodocs install -y shadow-utils ca-certificates \ + && dnf update -y \ && groupadd --system --gid 101 nginx \ && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ && rpm --import /tmp/nginx_signing.key \ diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index 40339c46e7..8bc440e1c5 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -79,7 +79,7 @@ func main() { appProtectVersion = getAppProtectVersionInfo() } - updateSelfWithVersionInfo(kubeClient, version, nginxVersion, appProtectVersion) + updateSelfWithVersionInfo(kubeClient, version, nginxVersion.String(), appProtectVersion) templateExecutor, templateExecutorV2 := createTemplateExecutors() @@ -118,6 +118,7 @@ func main() { EnableCertManager: *enableCertManager, DynamicSSLReload: *enableDynamicSSLReload, StaticSSLPath: nginxManager.GetSecretsDir(), + NginxVersion: nginxVersion, } processNginxConfig(staticCfgParams, cfgParams, templateExecutor, nginxManager) @@ -146,6 +147,7 @@ func main() { IsPrometheusEnabled: *enablePrometheusMetrics, IsLatencyMetricsEnabled: *enableLatencyMetrics, IsDynamicSSLReloadEnabled: *enableDynamicSSLReload, + NginxVersion: nginxVersion, }) controllerNamespace := os.Getenv("POD_NAMESPACE") @@ -400,17 +402,16 @@ func createNginxManager(managerCollector collectors.ManagerCollector) (nginx.Man return nginxManager, useFakeNginxManager } -func getNginxVersionInfo(nginxManager nginx.Manager) string { - nginxVersion := nginxManager.Version() - isPlus := strings.Contains(nginxVersion, "plus") - glog.Infof("Using %s", nginxVersion) +func getNginxVersionInfo(nginxManager nginx.Manager) nginx.Version { + nginxInfo := nginxManager.Version() + glog.Infof("Using %s", nginxInfo.String()) - if *nginxPlus && !isPlus { + if *nginxPlus && !nginxInfo.IsPlus { glog.Fatal("NGINX Plus flag enabled (-nginx-plus) without NGINX Plus binary") - } else if !*nginxPlus && isPlus { + } else if !*nginxPlus && nginxInfo.IsPlus { glog.Fatal("NGINX Plus binary found without NGINX Plus flag (-nginx-plus)") } - return nginxVersion + return nginxInfo } func getAppProtectVersionInfo() string { diff --git a/docs/content/technical-specifications.md b/docs/content/technical-specifications.md index 1f0abd9010..3af2e8ce50 100644 --- a/docs/content/technical-specifications.md +++ b/docs/content/technical-specifications.md @@ -60,7 +60,7 @@ _All images include NGINX 1.25.2._ ### Images with NGINX Plus -_NGINX Plus images include NGINX Plus R30._ +_NGINX Plus images include NGINX Plus R31._ #### **F5 Container registry** diff --git a/go.mod b/go.mod index 9c27497375..716f5ddaff 100644 --- a/go.mod +++ b/go.mod @@ -3,19 +3,19 @@ module github.com/nginxinc/kubernetes-ingress go 1.21.3 require ( - github.com/aws/aws-sdk-go-v2/config v1.26.1 - github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.19.5 + github.com/aws/aws-sdk-go-v2/config v1.26.3 + github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.19.6 github.com/cert-manager/cert-manager v1.13.3 github.com/dlclark/regexp2 v1.10.0 - github.com/go-chi/chi/v5 v5.0.10 + github.com/go-chi/chi/v5 v5.0.11 github.com/golang-jwt/jwt/v4 v4.5.0 github.com/golang/glog v1.1.2 github.com/google/go-cmp v0.6.0 github.com/kr/pretty v0.3.1 github.com/nginxinc/nginx-plus-go-client v1.2.0 - github.com/nginxinc/nginx-prometheus-exporter v1.0.0 + github.com/nginxinc/nginx-prometheus-exporter v1.1.0 github.com/nginxinc/nginx-service-mesh v1.7.0 - github.com/prometheus/client_golang v1.17.0 + github.com/prometheus/client_golang v1.18.0 github.com/prometheus/common v0.45.0 github.com/spiffe/go-spiffe/v2 v2.1.6 github.com/stretchr/testify v1.8.4 @@ -31,17 +31,17 @@ require ( require ( github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect github.com/Microsoft/go-winio v0.6.0 // indirect - github.com/aws/aws-sdk-go-v2 v1.24.0 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.16.12 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.10 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.9 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.9 // indirect + github.com/aws/aws-sdk-go-v2 v1.24.1 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.16.14 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.9 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.18.5 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.5 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.26.5 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.18.6 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.6 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect github.com/aws/smithy-go v1.19.0 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect @@ -88,8 +88,8 @@ require ( github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect - github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 // indirect - github.com/prometheus/procfs v0.11.1 // indirect + github.com/prometheus/client_model v0.5.0 // indirect + github.com/prometheus/procfs v0.12.0 // indirect github.com/rogpeppe/go-internal v1.11.0 // indirect github.com/spf13/cobra v1.7.0 // indirect github.com/spf13/pflag v1.0.5 // indirect diff --git a/go.sum b/go.sum index 7b3e405035..a57064b92b 100644 --- a/go.sum +++ b/go.sum @@ -9,32 +9,32 @@ github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2y github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= -github.com/aws/aws-sdk-go-v2 v1.24.0 h1:890+mqQ+hTpNuw0gGP6/4akolQkSToDJgHfQE7AwGuk= -github.com/aws/aws-sdk-go-v2 v1.24.0/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4= -github.com/aws/aws-sdk-go-v2/config v1.26.1 h1:z6DqMxclFGL3Zfo+4Q0rLnAZ6yVkzCRxhRMsiRQnD1o= -github.com/aws/aws-sdk-go-v2/config v1.26.1/go.mod h1:ZB+CuKHRbb5v5F0oJtGdhFTelmrxd4iWO1lf0rQwSAg= -github.com/aws/aws-sdk-go-v2/credentials v1.16.12 h1:v/WgB8NxprNvr5inKIiVVrXPuuTegM+K8nncFkr1usU= -github.com/aws/aws-sdk-go-v2/credentials v1.16.12/go.mod h1:X21k0FjEJe+/pauud82HYiQbEr9jRKY3kXEIQ4hXeTQ= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.10 h1:w98BT5w+ao1/r5sUuiH6JkVzjowOKeOJRHERyy1vh58= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.10/go.mod h1:K2WGI7vUvkIv1HoNbfBA1bvIZ+9kL3YVmWxeKuLQsiw= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.9 h1:v+HbZaCGmOwnTTVS86Fleq0vPzOd7tnJGbFhP0stNLs= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.9/go.mod h1:Xjqy+Nyj7VDLBtCMkQYOw1QYfAEZCVLrfI0ezve8wd4= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.9 h1:N94sVhRACtXyVcjXxrwK1SKFIJrA9pOJ5yu2eSHnmls= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.9/go.mod h1:hqamLz7g1/4EJP+GH5NBhcUMLjW+gKLQabgyz6/7WAU= +github.com/aws/aws-sdk-go-v2 v1.24.1 h1:xAojnj+ktS95YZlDf0zxWBkbFtymPeDP+rvUQIH3uAU= +github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4= +github.com/aws/aws-sdk-go-v2/config v1.26.3 h1:dKuc2jdp10y13dEEvPqWxqLoc0vF3Z9FC45MvuQSxOA= +github.com/aws/aws-sdk-go-v2/config v1.26.3/go.mod h1:Bxgi+DeeswYofcYO0XyGClwlrq3DZEXli0kLf4hkGA0= +github.com/aws/aws-sdk-go-v2/credentials v1.16.14 h1:mMDTwwYO9A0/JbOCOG7EOZHtYM+o7OfGWfu0toa23VE= +github.com/aws/aws-sdk-go-v2/credentials v1.16.14/go.mod h1:cniAUh3ErQPHtCQGPT5ouvSAQ0od8caTO9OOuufZOAE= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tCKJDaHFwYEmxvlh2fAcFo8= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 h1:vF+Zgd9s+H4vOXd5BMaPWykta2a6Ih0AKLq/X6NYKn4= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10/go.mod h1:6BkRjejp/GR4411UGqkX8+wFMbFbqsUIimfK4XjOKR4= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 h1:nYPe006ktcqUji8S2mqXf9c/7NdiKriOwMvWQHgYztw= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw= github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 h1:GrSw8s0Gs/5zZ0SX+gX4zQjRnRsMJDJ2sLur1gRBhEM= github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.9 h1:Nf2sHxjMJR8CSImIVCONRi4g0Su3J+TSTbS7G0pUeMU= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.9/go.mod h1:idky4TER38YIjr2cADF1/ugFMKvZV7p//pVeV5LZbF0= -github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.19.5 h1:Fp3Gcbp3lAJAxeFRVSxc6tWOUPSG8iSkJEiFl3eZZ3o= -github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.19.5/go.mod h1:XABJbVXMa0xnVqaGbhkfUeVV0GrPsc3Jqscu87IovXU= -github.com/aws/aws-sdk-go-v2/service/sso v1.18.5 h1:ldSFWz9tEHAwHNmjx2Cvy1MjP5/L9kNoR0skc6wyOOM= -github.com/aws/aws-sdk-go-v2/service/sso v1.18.5/go.mod h1:CaFfXLYL376jgbP7VKC96uFcU8Rlavak0UlAwk1Dlhc= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.5 h1:2k9KmFawS63euAkY4/ixVNsYYwrwnd5fIvgEKkfZFNM= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.5/go.mod h1:W+nd4wWDVkSUIox9bacmkBP5NMFQeTJ/xqNabpzSR38= -github.com/aws/aws-sdk-go-v2/service/sts v1.26.5 h1:5UYvv8JUvllZsRnfrcMQ+hJ9jNICmcgKPAO1CER25Wg= -github.com/aws/aws-sdk-go-v2/service/sts v1.26.5/go.mod h1:XX5gh4CB7wAs4KhcF46G6C8a2i7eupU19dcAAE+EydU= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 h1:DBYTXwIGQSGs9w4jKm60F5dmCQ3EEruxdc0MFh+3EY4= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10/go.mod h1:wohMUQiFdzo0NtxbBg0mSRGZ4vL3n0dKjLTINdcIino= +github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.19.6 h1:JWy+uLKZQR/9a3gQ+jQa28FEJ/41Z0spdbbQodaXFeA= +github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.19.6/go.mod h1:T2NcfuIuXWcuwVwg3rBIW6h1cfzCdrzSn4Hs0KltND8= +github.com/aws/aws-sdk-go-v2/service/sso v1.18.6 h1:dGrs+Q/WzhsiUKh82SfTVN66QzyulXuMDTV/G8ZxOac= +github.com/aws/aws-sdk-go-v2/service/sso v1.18.6/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.6 h1:Yf2MIo9x+0tyv76GljxzqA3WtC5mw7NmazD2chwjxE4= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.6/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8= +github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0= +github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U= github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM= github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= @@ -80,8 +80,8 @@ github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A= github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= -github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk= -github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= +github.com/go-chi/chi/v5 v5.0.11 h1:BnpYbFZ3T3S1WMpD79r7R5ThWX40TaFB7L31Y8xqSwA= +github.com/go-chi/chi/v5 v5.0.11/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA= github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= github.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU= @@ -189,8 +189,8 @@ github.com/nginxinc/glog v1.1.2 h1:zyoZXhCoYvNMJq4qMsKislUCGyJ4eU2gNl3Nt7cjESg= github.com/nginxinc/glog v1.1.2/go.mod h1:Q2FpGp/qFhJEVnuC88BVfbLDPmio9aHYUj4al6w0138= github.com/nginxinc/nginx-plus-go-client v1.2.0 h1:NVfRsHbMJ7lOhkqMG52uvODiDBhQZNp20c0tV2lU3wg= github.com/nginxinc/nginx-plus-go-client v1.2.0/go.mod h1:n8OFLzrJulJ2fur28Cwa1Qp5DZNS2VicLV+Adt30LQ4= -github.com/nginxinc/nginx-prometheus-exporter v1.0.0 h1:rw5q6j6FQe9EWzJy5HzRgRBJ2tSVyC9By6k9ZFQ7lD8= -github.com/nginxinc/nginx-prometheus-exporter v1.0.0/go.mod h1:SPohlKx0SiOuZYi04js53GWWb0HhD281AT8q4ApVMIE= +github.com/nginxinc/nginx-prometheus-exporter v1.1.0 h1:Uj+eWKGvUionZc8gWFDnrb3jpdkuZAlPKo4ck96cOmE= +github.com/nginxinc/nginx-prometheus-exporter v1.1.0/go.mod h1:A1Fy5uLQonVGmwLC5xNxBX+vPFgYzBOvPjNRs8msT0k= github.com/nginxinc/nginx-service-mesh v1.7.0 h1:oxKr+Jdbxkos10VTy5xF2UHCcmfIhqWNlsOK/zPnZDM= github.com/nginxinc/nginx-service-mesh v1.7.0/go.mod h1:8tREM3kSEUGyk8JT8hdCf/9ol2kEo7hLR8b+m5Yd8Fs= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= @@ -208,14 +208,14 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q= -github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY= -github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16 h1:v7DLqVdK4VrYkVD5diGdl4sxJurKJEMnODWRJlxV9oM= -github.com/prometheus/client_model v0.4.1-0.20230718164431-9a2bf3000d16/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= +github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= +github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= +github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= +github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM= github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= -github.com/prometheus/procfs v0.11.1 h1:xRC8Iq1yyca5ypa9n1EZnWZkt7dwcoRPQwX/5gwaUuI= -github.com/prometheus/procfs v0.11.1/go.mod h1:eesXgaPo1q7lBpVMoMy0ZOFTth9hBn4W/y0/p/ScXhY= +github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= +github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= @@ -334,8 +334,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= -golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= +golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= diff --git a/internal/configs/config_params.go b/internal/configs/config_params.go index f76a944663..908463024e 100644 --- a/internal/configs/config_params.go +++ b/internal/configs/config_params.go @@ -1,6 +1,9 @@ package configs -import conf_v1 "github.com/nginxinc/kubernetes-ingress/pkg/apis/configuration/v1" +import ( + "github.com/nginxinc/kubernetes-ingress/internal/nginx" + conf_v1 "github.com/nginxinc/kubernetes-ingress/pkg/apis/configuration/v1" +) // ConfigParams holds NGINX configuration parameters that affect the main NGINX config // as well as configs for Ingress resources. @@ -136,6 +139,7 @@ type StaticConfigParams struct { EnableCertManager bool DynamicSSLReload bool StaticSSLPath string + NginxVersion nginx.Version } // GlobalConfigParams holds global configuration parameters. For now, it only holds listeners. diff --git a/internal/configs/configmaps.go b/internal/configs/configmaps.go index 0b653408f9..fbcd63b68d 100644 --- a/internal/configs/configmaps.go +++ b/internal/configs/configmaps.go @@ -581,6 +581,7 @@ func GenerateNginxMainConfig(staticCfgParams *StaticConfigParams, config *Config OIDC: staticCfgParams.EnableOIDC, DynamicSSLReloadEnabled: staticCfgParams.DynamicSSLReload, StaticSSLPath: staticCfgParams.StaticSSLPath, + NginxVersion: staticCfgParams.NginxVersion, } return nginxCfg } diff --git a/internal/configs/configurator.go b/internal/configs/configurator.go index 4d03c03be9..8574589ae4 100644 --- a/internal/configs/configurator.go +++ b/internal/configs/configurator.go @@ -145,6 +145,7 @@ type ConfiguratorParams struct { IsWildcardEnabled bool IsLatencyMetricsEnabled bool IsDynamicSSLReloadEnabled bool + NginxVersion nginx.Version } // NewConfigurator creates a new Configurator. diff --git a/internal/configs/configurator_test.go b/internal/configs/configurator_test.go index a20240f438..6a9720494c 100644 --- a/internal/configs/configurator_test.go +++ b/internal/configs/configurator_test.go @@ -25,6 +25,7 @@ func createTestStaticConfigParams() *StaticConfigParams { NginxStatusAllowCIDRs: []string{"127.0.0.1"}, NginxStatusPort: 8080, StubStatusOverUnixSocketForOSS: false, + NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), } } @@ -53,6 +54,7 @@ func createTestConfigurator(t *testing.T) *Configurator { IsWildcardEnabled: false, IsPrometheusEnabled: false, IsLatencyMetricsEnabled: false, + NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), }) cnf.isReloadsEnabled = true return cnf diff --git a/internal/configs/version1/config.go b/internal/configs/version1/config.go index e1569a7bdb..888c19b336 100644 --- a/internal/configs/version1/config.go +++ b/internal/configs/version1/config.go @@ -1,5 +1,7 @@ package version1 +import "github.com/nginxinc/kubernetes-ingress/internal/nginx" + // UpstreamLabels describes the Prometheus labels for an NGINX upstream. type UpstreamLabels struct { Service string @@ -234,6 +236,7 @@ type MainConfig struct { OIDC bool DynamicSSLReloadEnabled bool StaticSSLPath string + NginxVersion nginx.Version } // NewUpstreamWithDefaultServer creates an upstream with the default server. diff --git a/internal/configs/version1/nginx-plus.tmpl b/internal/configs/version1/nginx-plus.tmpl index cb7cbd8706..0dbef3471f 100644 --- a/internal/configs/version1/nginx-plus.tmpl +++ b/internal/configs/version1/nginx-plus.tmpl @@ -346,3 +346,9 @@ stream { include /etc/nginx/stream-conf.d/*.conf; } + +{{- if (.NginxVersion.PlusGreaterThanOrEqualTo "nginx-plus-r31") }} +mgmt { + usage_report interval=0s; +} +{{- end}} diff --git a/internal/configs/version1/template_test.go b/internal/configs/version1/template_test.go index 395dcd77a8..9172863df2 100644 --- a/internal/configs/version1/template_test.go +++ b/internal/configs/version1/template_test.go @@ -5,6 +5,8 @@ import ( "strings" "testing" "text/template" + + "github.com/nginxinc/kubernetes-ingress/internal/nginx" ) func TestExecuteMainTemplateForNGINXPlus(t *testing.T) { @@ -20,6 +22,19 @@ func TestExecuteMainTemplateForNGINXPlus(t *testing.T) { t.Log(buf.String()) } +func TestExecuteMainTemplateForNGINXPlusR31(t *testing.T) { + t.Parallel() + + tmpl := newNGINXPlusMainTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, mainCfgR31) + if err != nil { + t.Error(err) + } + t.Log(buf.String()) +} + func TestExecuteMainTemplateForNGINX(t *testing.T) { t.Parallel() @@ -1291,6 +1306,33 @@ var ( KeepaliveRequests: 100, VariablesHashBucketSize: 256, VariablesHashMaxSize: 1024, + NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), + } + + mainCfgR31 = MainConfig{ + DefaultHTTPListenerPort: 80, + DefaultHTTPSListenerPort: 443, + ServerNamesHashMaxSize: "512", + ServerTokens: "off", + WorkerProcesses: "auto", + WorkerCPUAffinity: "auto", + WorkerShutdownTimeout: "1m", + WorkerConnections: "1024", + WorkerRlimitNofile: "65536", + LogFormat: []string{"$remote_addr", "$remote_user"}, + LogFormatEscaping: "default", + StreamSnippets: []string{"# comment"}, + StreamLogFormat: []string{"$remote_addr", "$remote_user"}, + StreamLogFormatEscaping: "none", + ResolverAddresses: []string{"example.com", "127.0.0.1"}, + ResolverIPV6: false, + ResolverValid: "10s", + ResolverTimeout: "15s", + KeepaliveTimeout: "65s", + KeepaliveRequests: 100, + VariablesHashBucketSize: 256, + VariablesHashMaxSize: 1024, + NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), } mainCfgHTTP2On = MainConfig{ @@ -1317,6 +1359,7 @@ var ( KeepaliveRequests: 100, VariablesHashBucketSize: 256, VariablesHashMaxSize: 1024, + NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), } mainCfgCustomTLSPassthroughPort = MainConfig{ @@ -1342,6 +1385,7 @@ var ( VariablesHashMaxSize: 1024, TLSPassthrough: true, TLSPassthroughPort: 8443, + NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), } mainCfgWithoutTLSPassthrough = MainConfig{ @@ -1367,6 +1411,7 @@ var ( VariablesHashMaxSize: 1024, TLSPassthrough: false, TLSPassthroughPort: 8443, + NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), } mainCfgDefaultTLSPassthroughPort = MainConfig{ @@ -1392,6 +1437,7 @@ var ( VariablesHashMaxSize: 1024, TLSPassthrough: true, TLSPassthroughPort: 443, + NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), } mainCfgCustomDefaultHTTPAndHTTPSListenerPorts = MainConfig{ @@ -1417,6 +1463,7 @@ var ( KeepaliveRequests: 100, VariablesHashBucketSize: 256, VariablesHashMaxSize: 1024, + NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), } mainCfgCustomDefaultHTTPListenerPort = MainConfig{ @@ -1442,6 +1489,7 @@ var ( KeepaliveRequests: 100, VariablesHashBucketSize: 256, VariablesHashMaxSize: 1024, + NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), } mainCfgCustomDefaultHTTPSListenerPort = MainConfig{ @@ -1467,6 +1515,7 @@ var ( KeepaliveRequests: 100, VariablesHashBucketSize: 256, VariablesHashMaxSize: 1024, + NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), } // Vars for Mergable Ingress Master - Minion tests diff --git a/internal/nginx/fake_manager.go b/internal/nginx/fake_manager.go index 5533fb9180..1e42c51ed8 100644 --- a/internal/nginx/fake_manager.go +++ b/internal/nginx/fake_manager.go @@ -101,9 +101,9 @@ func (fm *FakeManager) CreateDHParam(_ string) (string, error) { } // Version provides a fake implementation of Version. -func (*FakeManager) Version() string { +func (*FakeManager) Version() Version { glog.V(3).Info("Printing nginx version") - return "fake version plus" + return Version{} } // Start provides a fake implementation of Start. diff --git a/internal/nginx/manager.go b/internal/nginx/manager.go index b4ac67d110..7c5af351fc 100644 --- a/internal/nginx/manager.go +++ b/internal/nginx/manager.go @@ -8,6 +8,7 @@ import ( "os/exec" "path" "path/filepath" + "regexp" "strconv" "strings" "time" @@ -46,6 +47,19 @@ const ( appProtectDosAgentStartDebugCmd = "/usr/bin/admd -d --standalone --log debug" ) +var ( + re = regexp.MustCompile(`(?P\S+)/(?P\S+)`) + plusre = regexp.MustCompile(`(?P\S+)/(?P\S+).\((?P\S+plus\S+)\)`) +) + +// Version holds the parsed output from `nginx -v` +type Version struct { + raw string + OSS string + IsPlus bool + Plus string +} + // ServerConfig holds the config data for an upstream server in NGINX Plus. type ServerConfig struct { MaxFails int @@ -72,7 +86,7 @@ type Manager interface { CreateDHParam(content string) (string, error) CreateOpenTracingTracerConfig(content string) error Start(done chan error) - Version() string + Version() Version Reload(isEndpointsUpdate bool) error Quit() UpdateConfigVersionFile(openTracing bool) @@ -334,13 +348,13 @@ func (lm *LocalManager) Quit() { } // Version returns NGINX version -func (lm *LocalManager) Version() string { +func (lm *LocalManager) Version() Version { binaryFilename := getBinaryFileName(lm.debug) out, err := exec.Command(binaryFilename, "-v").CombinedOutput() if err != nil { glog.Fatalf("Failed to get nginx version: %v", err) } - return string(out) + return NewVersion(string(out)) } // UpdateConfigVersionFile writes the config version file. @@ -432,6 +446,83 @@ func (lm *LocalManager) CreateOpenTracingTracerConfig(content string) error { return nil } +// Return the raw Nginx version string from `nginx -v` +func (v *Version) String() string { + return v.raw +} + +// PlusGreaterThanOrEqualTo compares the supplied nginx-plus version string with the Version{} struct +func (v Version) PlusGreaterThanOrEqualTo(target string) (bool, error) { + r, p, err := extractPlusVersionValues(v.String()) + if err != nil { + return false, err + } + tr, tp, err := extractPlusVersionValues(target) + if err != nil { + return false, err + } + + return (r > tr || (r == tr && p >= tp)), nil +} + +// NewVersion will take the output from `nginx -v` and explodes it into the `nginx.Version` struct +func NewVersion(line string) Version { + matches := re.FindStringSubmatch(line) + plusmatches := plusre.FindStringSubmatch(line) + nv := Version{ + raw: line, + } + + if len(plusmatches) > 0 { + subNames := plusre.SubexpNames() + nv.IsPlus = true + for i, v := range plusmatches { + switch subNames[i] { + case "plus": + nv.Plus = v + case "version": + nv.OSS = v + } + } + } + + if len(matches) > 0 { + for i, key := range re.SubexpNames() { + val := matches[i] + if key == "version" { + nv.OSS = val + } + } + } + + return nv +} + +// extractPlusVersionValues +func extractPlusVersionValues(input string) (int, int, error) { + var rValue, pValue int + re := regexp.MustCompile(`-r(\d+)(?:-p(\d+))?`) + matches := re.FindStringSubmatch(input) + + if len(matches) < 2 { + return 0, 0, fmt.Errorf("no matches found in the input string") + } + + rValue, err := strconv.Atoi(matches[1]) + if err != nil { + return 0, 0, fmt.Errorf("failed to convert rValue to integer: %w", err) + } + + if len(matches) > 2 && len(matches[2]) > 0 { + pValue, err = strconv.Atoi(matches[2]) + if err != nil { + return 0, 0, fmt.Errorf("failed to convert pValue to integer: %w", err) + } + } + + return rValue, pValue, nil +} + // verifyConfigVersion is used to check if the worker process that the API client is connected // to is using the latest version of nginx config. This way we avoid making changes on // a worker processes that is being shut down. diff --git a/internal/nginx/manager_test.go b/internal/nginx/manager_test.go new file mode 100644 index 0000000000..948326b8ae --- /dev/null +++ b/internal/nginx/manager_test.go @@ -0,0 +1,94 @@ +package nginx + +import ( + "testing" +) + +func TestNginxVersionParsing(t *testing.T) { + t.Parallel() + type testCase struct { + input string + expected Version + } + testCases := []testCase{ + { + input: "nginx version: nginx/1.25.1 (nginx-plus-r30-p1)", + expected: Version{ + raw: "nginx version: nginx/1.25.1 (nginx-plus-r30-p1)", + OSS: "1.25.1", + IsPlus: true, + Plus: "nginx-plus-r30-p1", + }, + }, + { + input: "nginx version: nginx/1.25.3 (nginx-plus-r31)", + expected: Version{ + raw: "nginx version: nginx/1.25.3 (nginx-plus-r31)", + OSS: "1.25.3", + IsPlus: true, + Plus: "nginx-plus-r31", + }, + }, + { + input: "nginx version: nginx/1.25.0", + expected: Version{ + raw: "nginx version: nginx/1.25.0", + OSS: "1.25.0", + IsPlus: false, + Plus: "", + }, + }, + } + for _, tc := range testCases { + t.Run(tc.input, func(t *testing.T) { + actual := NewVersion(tc.input) + if actual != tc.expected { + t.Errorf("expected %v but got %v", tc.expected, actual) + } + }) + } +} + +func TestNginxVersionPlusGreaterThanOrEqualTo(t *testing.T) { + t.Parallel() + type testCase struct { + version Version + input string + expected bool + } + testCases := []testCase{ + { + version: NewVersion("nginx version: nginx/1.25.1 (nginx-plus-r30-p1)"), + input: "nginx-plus-r30-p1", + expected: true, + }, + { + version: NewVersion("nginx version: nginx/1.25.1 (nginx-plus-r30)"), + input: "nginx-plus-r30", + expected: true, + }, + { + version: NewVersion("nginx version: nginx/1.25.1 (nginx-plus-r30-p1)"), + input: "nginx-plus-r30", + expected: true, + }, + { + version: NewVersion("nginx version: nginx/1.25.1 (nginx-plus-r30)"), + input: "nginx-plus-r30-p1", + expected: false, + }, + { + version: NewVersion("nginx version: nginx/1.25.1"), + input: "nginx-plus-r30-p1", + expected: false, + }, + } + for _, tc := range testCases { + t.Run(tc.input, func(t *testing.T) { + actual, _ := tc.version.PlusGreaterThanOrEqualTo(tc.input) + if actual != tc.expected { + t.Errorf("expected %v but got %v", tc.expected, actual) + } + }) + } +} diff --git a/tests/suite/test_virtual_server_backup_service.py b/tests/suite/test_virtual_server_backup_service.py index 776fd62d9c..7bfc5dfad4 100644 --- a/tests/suite/test_virtual_server_backup_service.py +++ b/tests/suite/test_virtual_server_backup_service.py @@ -107,6 +107,7 @@ def fin(): @pytest.mark.vs @pytest.mark.skip_for_nginx_oss @pytest.mark.backup_service +@pytest.mark.skip @pytest.mark.parametrize( "crd_ingress_controller, virtual_server_setup", [ From 6c395cf18f3978989c3964b5856d02549aac57f8 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Mon, 15 Jan 2024 13:32:10 +0000 Subject: [PATCH 06/22] Base image hash (#4871) (#4917) add docker image sha to dockerfile --- build/Dockerfile | 24 ++++++++++++------------ tests/Dockerfile | 4 ++-- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index a4db7ba74a..26dc19113b 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -6,13 +6,13 @@ ARG DEBIAN_FRONTEND=noninteractive ############################################# Base images containing libs for Opentracing and FIPS ############################################# -FROM opentracing/nginx-opentracing:nginx-1.25.3 as opentracing-lib -FROM opentracing/nginx-opentracing:nginx-1.25.3-alpine as alpine-opentracing-lib -FROM ghcr.io/nginxinc/alpine-fips:0.1.1-alpine3.18 as alpine-fips +FROM opentracing/nginx-opentracing:nginx-1.25.3@sha256:426c2ff410f637eb243363f58c118254b5663e90224e5ab3c99d985eea50ec18 as opentracing-lib +FROM opentracing/nginx-opentracing:nginx-1.25.3-alpine@sha256:08ccc2c8bb28f01cb17b7619f139830b3af7950826b819b267393aefa32f23ab as alpine-opentracing-lib +FROM ghcr.io/nginxinc/alpine-fips:0.1.1-alpine3.18@sha256:6f124002650fae697152290a14a7caa7f21884e8d78d8236c63fec2d018d721d as alpine-fips ############################################# Base image for Alpine ############################################# -FROM nginx:1.25.3-alpine AS alpine +FROM nginx:1.25.3-alpine@sha256:a59278fd22a9d411121e190b8cec8aa57b306aa3332459197777583beb728f59 AS alpine RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ apk add --no-cache libcap libstdc++ \ @@ -24,7 +24,7 @@ RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ ############################################# Base image for Debian ############################################# -FROM nginx:1.25.3 AS debian +FROM nginx:1.25.3@sha256:2bdc49f2f8ae8d8dc50ed00f2ee56d00385c6f8bc8a8b320d0a294d9e3b49026 AS debian RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ apt-get update \ @@ -37,7 +37,7 @@ RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ ############################################# Base image for UBI ############################################# -FROM nginxcontrib/nginx:1.25.3-ubi AS ubi +FROM nginxcontrib/nginx:1.25.3-ubi@sha256:4059affa739e77196cf465edf9fac1150afacc2a4ef3e12ae74cf594b9c1198a AS ubi ARG IC_VERSION LABEL name="NGINX Ingress Controller" \ @@ -83,7 +83,7 @@ RUN --mount=from=busybox:musl,src=/bin/,dst=/bin/ printf "%s\n" "Acquire::https: ############################################# Base image for Alpine with NGINX Plus ############################################# -FROM alpine:3.18 as alpine-plus +FROM alpine:3.18@sha256:34871e7290500828b39e22294660bee86d966bc0017544e848dd9a255cdf59e0 as alpine-plus ARG NGINX_PLUS_VERSION RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ @@ -111,7 +111,7 @@ RUN --mount=type=bind,from=alpine-fips,target=/tmp/fips/ \ ############################################# Base image for Debian with NGINX Plus ############################################# -FROM debian:12-slim AS debian-plus +FROM debian:12-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340 AS debian-plus SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ @@ -135,7 +135,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for Debian with NGINX Plus and App Protect WAF/DoS ############################################# -FROM debian:11-slim as debian-plus-nap +FROM debian:11-slim@sha256:d3d0d14f49b49a4dd98a436711f5646dc39e1c99203ef223d1b6620061e2c0e5 as debian-plus-nap ARG NAP_MODULES RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ @@ -177,7 +177,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus ############################################# -FROM redhat/ubi9-minimal AS ubi-plus +FROM redhat/ubi9-minimal@sha256:a340f4b9fb261a75c84666a3dccb88e193a116da3cebabaf9bcdc33609b61172 AS ubi-plus SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ @@ -196,7 +196,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus and App Protect WAF/DoS ############################################# -FROM redhat/ubi8 as ubi-plus-nap +FROM redhat/ubi8@sha256:1fdb97f2d2a44fdef3feaa69100f154631bae65130105ac685d0e34eb1d8c3d0 as ubi-plus-nap ARG NAP_MODULES RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ @@ -289,7 +289,7 @@ LABEL org.nginx.kic.image.build.nginx.version="${NGINX_PLUS_VERSION}${NGINX_VERS ############################################# Build nginx-ingress in golang container ############################################# -FROM golang:1.21-alpine AS builder +FROM golang:1.21-alpine@sha256:4db4aac30880b978cae5445dd4a706215249ad4f43d28bd7cdf7906e9be8dd6b AS builder ARG IC_VERSION ARG TARGETARCH diff --git a/tests/Dockerfile b/tests/Dockerfile index 05de516111..7c70a8e356 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile @@ -1,8 +1,8 @@ # syntax=docker/dockerfile:1.5 # this is here so we can grab the latest version of kind and have dependabot keep it up to date -FROM kindest/node:v1.28.0 +FROM kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31 -FROM python:3.12 +FROM python:3.12@sha256:3733015cdd1bd7d9a0b9fe21a925b608de82131aa4f3d397e465a1fcb545d36f RUN apt-get update \ && apt-get install -y curl git \ From 19706a72ee655e187b4178694370878207bc7803 Mon Sep 17 00:00:00 2001 From: nginx-bot <68849795+nginx-bot@users.noreply.github.com> Date: Tue, 16 Jan 2024 03:25:16 -0800 Subject: [PATCH 07/22] Release 3.4.1 (#4920) * Release 3.4.1 --- README.md | 4 +- charts/nginx-ingress/Chart.yaml | 8 ++-- charts/nginx-ingress/README.md | 16 ++++---- charts/nginx-ingress/values-icp.yaml | 2 +- charts/nginx-ingress/values-plus.yaml | 2 +- charts/nginx-ingress/values.schema.json | 10 ++--- charts/nginx-ingress/values.yaml | 4 +- deployments/daemon-set/nginx-ingress.yaml | 4 +- .../daemon-set/nginx-plus-ingress.yaml | 4 +- deployments/deployment/nginx-ingress.yaml | 4 +- .../deployment/nginx-plus-ingress.yaml | 4 +- .../configuration/configuration-examples.md | 4 +- .../configmap-resource.md | 16 ++++---- .../global-configuration/custom-templates.md | 2 +- .../handling-host-and-listener-collisions.md | 2 +- ...advanced-configuration-with-annotations.md | 40 +++++++++---------- .../ingress-resources/basic-configuration.md | 2 +- .../cross-namespace-configuration.md | 4 +- .../ingress-resources/custom-annotations.md | 4 +- docs/content/configuration/policy-resource.md | 4 +- docs/content/configuration/security.md | 6 +-- .../configuration/transportserver-resource.md | 2 +- ...server-and-virtualserverroute-resources.md | 6 +-- .../building-nginx-ingress-controller.md | 4 +- .../installing-nic/installation-with-helm.md | 16 ++++---- .../installation-with-manifests.md | 14 +++---- .../installation-with-operator.md | 2 +- .../app-protect-dos/configuration.md | 2 +- .../app-protect-dos/installation.md | 6 +-- .../app-protect-waf/configuration.md | 22 +++++----- .../app-protect-waf/installation.md | 4 +- .../pulling-ingress-controller-image.md | 18 ++++----- .../using-the-jwt-token-docker-secret.md | 20 +++++----- .../content/overview/controller-comparison.md | 4 +- docs/content/overview/nginx-plus.md | 6 +-- docs/content/releases.md | 26 ++++++++++++ docs/content/technical-specifications.md | 30 +++++++------- .../troubleshooting/troubleshoot-common.md | 2 +- docs/content/tutorials/custom-listen-ports.md | 2 +- .../tutorials/oidc-custom-configuration.md | 2 +- docs/content/usage-reporting.md | 2 +- 41 files changed, 181 insertions(+), 155 deletions(-) diff --git a/README.md b/README.md index 71406c06f0..dd252a1a43 100644 --- a/README.md +++ b/README.md @@ -98,7 +98,7 @@ In the case of NGINX, the Ingress Controller is deployed in a pod along with the We publish NGINX Ingress Controller releases on GitHub. See our [releases page](https://github.com/nginxinc/kubernetes-ingress/releases). -The latest stable release is [3.4.0](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.4.0). For production +The latest stable release is [3.4.1](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.4.1). For production use, we recommend that you choose the latest stable release. The edge version is useful for experimenting with new features that are not yet published in a stable release. To use @@ -118,7 +118,7 @@ your links to the correct versions: | Version | Description | Image for NGINX | Image for NGINX Plus | Installation Manifests and Helm Chart | Documentation and Examples | | ------- | ----------- | --------------- | -------------------- | ---------------------------------------| -------------------------- | -| Latest stable release | For production use | Use the 3.4.0 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.4.0 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/charts/nginx-ingress). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). | +| Latest stable release | For production use | Use the 3.4.1 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.4.1 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/charts/nginx-ingress). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). | | Edge/Nightly | For testing and experimenting | Use the edge or nightly images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/main/charts/nginx-ingress). | [Documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content). [Examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). | ## SBOM (Software Bill of Materials) diff --git a/charts/nginx-ingress/Chart.yaml b/charts/nginx-ingress/Chart.yaml index 7b61c32697..9e4d7cb181 100644 --- a/charts/nginx-ingress/Chart.yaml +++ b/charts/nginx-ingress/Chart.yaml @@ -1,14 +1,14 @@ apiVersion: v2 name: nginx-ingress -version: 1.1.0 -appVersion: 3.4.0 +version: 1.1.1 +appVersion: 3.4.1 kubeVersion: ">= 1.22.0-0" type: application description: NGINX Ingress Controller -icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/charts/nginx-ingress/chart-icon.png +icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/charts/nginx-ingress/chart-icon.png home: https://github.com/nginxinc/kubernetes-ingress sources: - - https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/charts/nginx-ingress + - https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/charts/nginx-ingress keywords: - ingress - nginx diff --git a/charts/nginx-ingress/README.md b/charts/nginx-ingress/README.md index cb0ffdc50d..f7abbd1215 100644 --- a/charts/nginx-ingress/README.md +++ b/charts/nginx-ingress/README.md @@ -79,14 +79,14 @@ To install the chart with the release name my-release (my-release is the name th For NGINX: ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.0 +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.1 ``` For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`) ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.0 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.1 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true ``` This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to @@ -101,7 +101,7 @@ CRDs](#upgrading-the-crds). To upgrade the release `my-release`: ```console -helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.0 +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.1 ``` ### Uninstalling the Chart @@ -142,7 +142,7 @@ upgrading/deleting the CRDs. 1. Pull the chart sources: ```console - helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.0 + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.1 ``` 2. Change your working directory to nginx-ingress: @@ -228,7 +228,7 @@ The steps you should follow depend on the Helm release name: Selector: app=nginx-ingress-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.4.0` +2. Checkout the latest available tag using `git checkout v3.4.1` 3. Navigate to `/kubernates-ingress/charts/nginx-ingress` @@ -280,7 +280,7 @@ reviewing its events: Selector: app=-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.4.0` +2. Checkout the latest available tag using `git checkout v3.4.1` 3. Navigate to `/kubernates-ingress/charts/nginx-ingress` @@ -347,7 +347,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.logLevel` | The log level of the Ingress Controller. | 1 | |`controller.image.digest` | The image digest of the Ingress Controller. | None | |`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress | -|`controller.image.tag` | The tag of the Ingress Controller image. | 3.4.0 | +|`controller.image.tag` | The tag of the Ingress Controller image. | 3.4.1 | |`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent | |`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} | |`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | @@ -375,7 +375,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.initContainerResources` | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true` | requests: cpu=100m,memory=128Mi | |`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 | |`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | -|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.0, do not set the value to false. | true | +|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. | true | |`controller.ingressClass.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass.name`. Requires `controller.ingressClass.create`. | false | |`controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" | |`controller.watchNamespaceLabel` | Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespace`. | "" | diff --git a/charts/nginx-ingress/values-icp.yaml b/charts/nginx-ingress/values-icp.yaml index c2969ed7cf..0d7c476a7f 100644 --- a/charts/nginx-ingress/values-icp.yaml +++ b/charts/nginx-ingress/values-icp.yaml @@ -4,7 +4,7 @@ controller: nginxplus: true image: repository: mycluster.icp:8500/kube-system/nginx-plus-ingress - tag: "3.4.0" + tag: "3.4.1" nodeSelector: beta.kubernetes.io/arch: "amd64" proxy: true diff --git a/charts/nginx-ingress/values-plus.yaml b/charts/nginx-ingress/values-plus.yaml index 54d8551ac2..9bcd49061b 100644 --- a/charts/nginx-ingress/values-plus.yaml +++ b/charts/nginx-ingress/values-plus.yaml @@ -3,4 +3,4 @@ controller: nginxplus: true image: repository: nginx-plus-ingress - tag: "3.4.0" + tag: "3.4.1" diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json index 0292118102..6f9408f684 100644 --- a/charts/nginx-ingress/values.schema.json +++ b/charts/nginx-ingress/values.schema.json @@ -305,10 +305,10 @@ }, "tag": { "type": "string", - "default": "3.4.0", + "default": "3.4.1", "title": "The tag of the Ingress Controller image", "examples": [ - "3.4.0" + "3.4.1" ] }, "digest": { @@ -345,7 +345,7 @@ "examples": [ { "repository": "nginx/nginx-ingress", - "tag": "3.4.0", + "tag": "3.4.1", "pullPolicy": "IfNotPresent" } ] @@ -1393,7 +1393,7 @@ "customPorts": [], "image": { "repository": "nginx/nginx-ingress", - "tag": "3.4.0", + "tag": "3.4.1", "digest": "", "pullPolicy": "IfNotPresent" }, @@ -1765,7 +1765,7 @@ "customPorts": [], "image": { "repository": "nginx/nginx-ingress", - "tag": "3.4.0", + "tag": "3.4.1", "digest": "", "pullPolicy": "IfNotPresent" }, diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml index 1d7829266d..a9d0944822 100644 --- a/charts/nginx-ingress/values.yaml +++ b/charts/nginx-ingress/values.yaml @@ -78,7 +78,7 @@ controller: repository: nginx/nginx-ingress ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. - # tag: "3.4.0" + # tag: "3.4.1" ## The digest of the Ingress Controller image. ## If digest is specified it has precedence over tag and will be used instead @@ -246,7 +246,7 @@ controller: ## The Ingress Controller processes all the resources that do not have the "ingressClassName" field for all versions of kubernetes. name: nginx - ## Creates a new IngressClass object with the name "controller.ingressClass.name". Set to false to use an existing IngressClass with the same name. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.0, do not set the value to false. + ## Creates a new IngressClass object with the name "controller.ingressClass.name". Set to false to use an existing IngressClass with the same name. If you use helm upgrade, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. create: true ## New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. Requires "controller.ingressClass.create". diff --git a/deployments/daemon-set/nginx-ingress.yaml b/deployments/daemon-set/nginx-ingress.yaml index f9299048aa..fbf7b71337 100644 --- a/deployments/daemon-set/nginx-ingress.yaml +++ b/deployments/daemon-set/nginx-ingress.yaml @@ -32,7 +32,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx/nginx-ingress:3.4.0 + - image: nginx/nginx-ingress:3.4.1 imagePullPolicy: IfNotPresent name: nginx-ingress ports: @@ -96,7 +96,7 @@ spec: #- -enable-prometheus-metrics #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.4.0 +# - image: nginx/nginx-ingress:3.4.1 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/deployments/daemon-set/nginx-plus-ingress.yaml b/deployments/daemon-set/nginx-plus-ingress.yaml index 524159deed..5961c17716 100644 --- a/deployments/daemon-set/nginx-plus-ingress.yaml +++ b/deployments/daemon-set/nginx-plus-ingress.yaml @@ -32,7 +32,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx-plus-ingress:3.4.0 + - image: nginx-plus-ingress:3.4.1 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ports: @@ -99,7 +99,7 @@ spec: #- -enable-prometheus-metrics #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.4.0 +# - image: nginx/nginx-ingress:3.4.1 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/deployments/deployment/nginx-ingress.yaml b/deployments/deployment/nginx-ingress.yaml index c202bf4060..89a90d9902 100644 --- a/deployments/deployment/nginx-ingress.yaml +++ b/deployments/deployment/nginx-ingress.yaml @@ -33,7 +33,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx/nginx-ingress:3.4.0 + - image: nginx/nginx-ingress:3.4.1 imagePullPolicy: IfNotPresent name: nginx-ingress ports: @@ -97,7 +97,7 @@ spec: #- -enable-prometheus-metrics #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.4.0 +# - image: nginx/nginx-ingress:3.4.1 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/deployments/deployment/nginx-plus-ingress.yaml index 91e54cb613..2f6e652118 100644 --- a/deployments/deployment/nginx-plus-ingress.yaml +++ b/deployments/deployment/nginx-plus-ingress.yaml @@ -33,7 +33,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx-plus-ingress:3.4.0 + - image: nginx-plus-ingress:3.4.1 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ports: @@ -103,7 +103,7 @@ spec: #- -enable-service-insight #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.4.0 +# - image: nginx/nginx-ingress:3.4.1 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/docs/content/configuration/configuration-examples.md b/docs/content/configuration/configuration-examples.md index 88a6033f32..96acf4bc3b 100644 --- a/docs/content/configuration/configuration-examples.md +++ b/docs/content/configuration/configuration-examples.md @@ -11,5 +11,5 @@ docs: "DOCS-584" Our [GitHub repo](https://github.com/nginxinc/kubernetes-ingress) includes a number of configuration examples: -- [*Examples of Custom Resources*](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/custom-resources) show how to advanced NGINX features by using VirtualServer, VirtualServerRoute, TransportServer and Policy Custom Resources. -- [*Examples of Ingress Resources*](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources) show how to use advanced NGINX features in Ingress resources with annotations. +- [*Examples of Custom Resources*](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources) show how to advanced NGINX features by using VirtualServer, VirtualServerRoute, TransportServer and Policy Custom Resources. +- [*Examples of Ingress Resources*](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources) show how to use advanced NGINX features in Ingress resources with annotations. diff --git a/docs/content/configuration/global-configuration/configmap-resource.md b/docs/content/configuration/global-configuration/configmap-resource.md index 7d352e1732..abdf70dd79 100644 --- a/docs/content/configuration/global-configuration/configmap-resource.md +++ b/docs/content/configuration/global-configuration/configmap-resource.md @@ -91,10 +91,10 @@ See the doc about [VirtualServer and VirtualServerRoute resources](/nginx-ingres |``server-names-hash-max-size`` | Sets the value of the [server_names_hash_max_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size) directive. | ``1024`` | | |``map-hash-bucket-size`` | Sets the value of the [map_hash_bucket_size](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size) directive.| ``256`` | | |``map-hash-max-size`` | Sets the value of the [map_hash_max_size](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_max_size) directive. | ``2048`` | | -|``resolver-addresses`` | Sets the value of the [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) addresses. Note: If you use a DNS name (for example, ``kube-dns.kube-system.svc.cluster.local`` ) as a resolver address, NGINX Plus will resolve it using the system resolver during the start and on every configuration reload. If the name cannot be resolved or the DNS server doesn't respond, NGINX Plus will fail to start or reload. To avoid this, we recommend using IP addresses as resolver addresses instead of DNS names. Supported in NGINX Plus only. | N/A | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/externalname-services). | -|``resolver-ipv6`` | Enables IPv6 resolution in the resolver. Supported in NGINX Plus only. | ``True`` | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/externalname-services). | -|``resolver-valid`` | Sets the time NGINX caches the resolved DNS records. Supported in NGINX Plus only. | TTL value of a DNS record | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/externalname-services). | -|``resolver-timeout`` | Sets the [resolver_timeout](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver_timeout) for name resolution. Supported in NGINX Plus only. | ``30s`` | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/externalname-services). | +|``resolver-addresses`` | Sets the value of the [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) addresses. Note: If you use a DNS name (for example, ``kube-dns.kube-system.svc.cluster.local`` ) as a resolver address, NGINX Plus will resolve it using the system resolver during the start and on every configuration reload. If the name cannot be resolved or the DNS server doesn't respond, NGINX Plus will fail to start or reload. To avoid this, we recommend using IP addresses as resolver addresses instead of DNS names. Supported in NGINX Plus only. | N/A | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/externalname-services). | +|``resolver-ipv6`` | Enables IPv6 resolution in the resolver. Supported in NGINX Plus only. | ``True`` | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/externalname-services). | +|``resolver-valid`` | Sets the time NGINX caches the resolved DNS records. Supported in NGINX Plus only. | TTL value of a DNS record | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/externalname-services). | +|``resolver-timeout`` | Sets the [resolver_timeout](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver_timeout) for name resolution. Supported in NGINX Plus only. | ``30s`` | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/externalname-services). | |``keepalive-timeout`` | Sets the value of the [keepalive_timeout](https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) directive. | ``65s`` | | |``keepalive-requests`` | Sets the value of the [keepalive_requests](https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests) directive. | ``100`` | | |``variables-hash-bucket-size`` | Sets the value of the [variables_hash_bucket_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#variables_hash_bucket_size) directive. | ``256`` | | @@ -109,9 +109,9 @@ See the doc about [VirtualServer and VirtualServerRoute resources](/nginx-ingres |``error-log-level`` | Sets the global [error log level](https://nginx.org/en/docs/ngx_core_module.html#error_log) for NGINX. | ``notice`` | | |``access-log-off`` | Disables the [access log](https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log). | ``False`` | | |``default-server-access-log-off`` | Disables the [access log](https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log) for the default server. If access log is disabled globally (``access-log-off: "True"``), then the default server access log is always disabled. | ``False`` | | -|``log-format`` | Sets the custom [log format](https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format) for HTTP and HTTPS traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by ``\n``). In that case, the Ingress Controller will replace every ``\n`` character with a space character. All ``'`` characters must be escaped. | See the [template file](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.0/internal/configs/version1/nginx.tmpl) for the access log. | [Custom Log Format](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/shared-examples/custom-log-format). | +|``log-format`` | Sets the custom [log format](https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format) for HTTP and HTTPS traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by ``\n``). In that case, the Ingress Controller will replace every ``\n`` character with a space character. All ``'`` characters must be escaped. | See the [template file](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/internal/configs/version1/nginx.tmpl) for the access log. | [Custom Log Format](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/shared-examples/custom-log-format). | |``log-format-escaping`` | Sets the characters escaping for the variables of the log format. Supported values: ``json`` (JSON escaping), ``default`` (the default escaping) ``none`` (disables escaping). | ``default`` | | -|``stream-log-format`` | Sets the custom [log format](https://nginx.org/en/docs/stream/ngx_stream_log_module.html#log_format) for TCP, UDP, and TLS Passthrough traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by ``\n``). In that case, the Ingress Controller will replace every ``\n`` character with a space character. All ``'`` characters must be escaped. | See the [template file](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.0/internal/configs/version1/nginx.tmpl). | | +|``stream-log-format`` | Sets the custom [log format](https://nginx.org/en/docs/stream/ngx_stream_log_module.html#log_format) for TCP, UDP, and TLS Passthrough traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by ``\n``). In that case, the Ingress Controller will replace every ``\n`` character with a space character. All ``'`` characters must be escaped. | See the [template file](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/internal/configs/version1/nginx.tmpl). | | |``stream-log-format-escaping`` | Sets the characters escaping for the variables of the stream log format. Supported values: ``json`` (JSON escaping), ``default`` (the default escaping) ``none`` (disables escaping). | ``default`` | | {{% /table %}} @@ -147,7 +147,7 @@ See the doc about [VirtualServer and VirtualServerRoute resources](/nginx-ingres |ConfigMap Key | Description | Default | Example | | ---| ---| ---| --- | |``http2`` | Enables HTTP/2 in servers with SSL enabled. | ``False`` | | -|``proxy-protocol`` | Enables PROXY Protocol for incoming connections. | ``False`` | [Proxy Protocol](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/shared-examples/proxy-protocol). | +|``proxy-protocol`` | Enables PROXY Protocol for incoming connections. | ``False`` | [Proxy Protocol](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/shared-examples/proxy-protocol). | {{% /table %}} ### Backend Services (Upstreams) @@ -171,7 +171,7 @@ See the doc about [VirtualServer and VirtualServerRoute resources](/nginx-ingres |``http-snippets`` | Sets a custom snippet in http context. | N/A | | |``location-snippets`` | Sets a custom snippet in location context. | N/A | | |``server-snippets`` | Sets a custom snippet in server context. | N/A | | -|``stream-snippets`` | Sets a custom snippet in stream context. | N/A | [Support for TCP/UDP Load Balancing](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/tcp-udp). | +|``stream-snippets`` | Sets a custom snippet in stream context. | N/A | [Support for TCP/UDP Load Balancing](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/tcp-udp). | |``main-template`` | Sets the main NGINX configuration template. | By default the template is read from the file in the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). | |``ingress-template`` | Sets the NGINX configuration template for an Ingress resource. | By default the template is read from the file on the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). | |``virtualserver-template`` | Sets the NGINX configuration template for an VirtualServer resource. | By default the template is read from the file on the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). | diff --git a/docs/content/configuration/global-configuration/custom-templates.md b/docs/content/configuration/global-configuration/custom-templates.md index 3964286c23..efc2b1da80 100644 --- a/docs/content/configuration/global-configuration/custom-templates.md +++ b/docs/content/configuration/global-configuration/custom-templates.md @@ -9,4 +9,4 @@ docs: "DOCS-587" --- -The Ingress Controller uses templates to generate NGINX configuration for Ingress resources, VirtualServer resources and the main NGINX configuration file. You can customize the templates and apply them via the ConfigMap. See the [corresponding example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/shared-examples/custom-templates). +The Ingress Controller uses templates to generate NGINX configuration for Ingress resources, VirtualServer resources and the main NGINX configuration file. You can customize the templates and apply them via the ConfigMap. See the [corresponding example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/shared-examples/custom-templates). diff --git a/docs/content/configuration/handling-host-and-listener-collisions.md b/docs/content/configuration/handling-host-and-listener-collisions.md index 3c6f36c88e..43c9a33ef9 100644 --- a/docs/content/configuration/handling-host-and-listener-collisions.md +++ b/docs/content/configuration/handling-host-and-listener-collisions.md @@ -87,7 +87,7 @@ Similarly, if `cafe-ingress` was created first, it will win `cafe.example.com` a It is possible to merge configuration for multiple Ingress resources for the same host. One common use case for this approach is distributing resources across multiple namespaces. See the [Cross-namespace Configuration](/nginx-ingress-controller/configuration/ingress-resources/cross-namespace-configuration/) doc for more information. -It is *not* possible to merge the configurations for multiple VirtualServer resources for the same host. However, you can split the VirtualServers into multiple VirtualServerRoute resources, which a single VirtualServer can then reference. See the [corresponding example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/custom-resources/cross-namespace-configuration) on GitHub. +It is *not* possible to merge the configurations for multiple VirtualServer resources for the same host. However, you can split the VirtualServers into multiple VirtualServerRoute resources, which a single VirtualServer can then reference. See the [corresponding example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/cross-namespace-configuration) on GitHub. It is *not* possible to merge configuration for multiple TransportServer resources. diff --git a/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md b/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md index a7e67204bd..f96b2b59d6 100644 --- a/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md +++ b/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md @@ -112,7 +112,7 @@ The table below summarizes the available annotations. |``nginx.org/proxy-buffer-size`` | ``proxy-buffer-size`` | Sets the value of the [proxy_buffer_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) and [grpc_buffer_size](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size) directives. | Depends on the platform. | | |``nginx.org/proxy-max-temp-file-size`` | ``proxy-max-temp-file-size`` | Sets the value of the [proxy_max_temp_file_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_max_temp_file_size) directive. | ``1024m`` | | |``nginx.org/server-tokens`` | ``server-tokens`` | Enables or disables the [server_tokens](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens) directive. Additionally, with the NGINX Plus, you can specify a custom string value, including the empty string value, which disables the emission of the “Server” field. | ``True`` | | -|``nginx.org/path-regex`` | N/A | Enables regular expression modifiers for Ingress path parameter. This translates to the NGINX [location](https://nginx.org/en/docs/http/ngx_http_core_module.html#location) directive. You can specify one of these values: "case_sensitive", "case_insensitive", or "exact". The annotation is applied to the entire Ingress resource and its paths. While using Master and Minion Ingresses i.e. Mergeable Ingresses, this annotation can be specified on Minion types. The `path-regex` annotation specified on Master is ignored, and has no effect on paths defined on Minions. | N/A | [Path Regex](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/path-regex). | +|``nginx.org/path-regex`` | N/A | Enables regular expression modifiers for Ingress path parameter. This translates to the NGINX [location](https://nginx.org/en/docs/http/ngx_http_core_module.html#location) directive. You can specify one of these values: "case_sensitive", "case_insensitive", or "exact". The annotation is applied to the entire Ingress resource and its paths. While using Master and Minion Ingresses i.e. Mergeable Ingresses, this annotation can be specified on Minion types. The `path-regex` annotation specified on Master is ignored, and has no effect on paths defined on Minions. | N/A | [Path Regex](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/path-regex). | {{% /table %}} ### Request URI/Header Manipulation @@ -122,7 +122,7 @@ The table below summarizes the available annotations. | ---| ---| ---| ---| --- | |``nginx.org/proxy-hide-headers`` | ``proxy-hide-headers`` | Sets the value of one or more [proxy_hide_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) directives. Example: ``"nginx.org/proxy-hide-headers": "header-a,header-b"`` | N/A | | |``nginx.org/proxy-pass-headers`` | ``proxy-pass-headers`` | Sets the value of one or more [proxy_pass_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header) directives. Example: ``"nginx.org/proxy-pass-headers": "header-a,header-b"`` | N/A | | -|``nginx.org/rewrites`` | N/A | Configures URI rewriting using [proxy_pass](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass) directive. | N/A | [Rewrites Support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/rewrites). | +|``nginx.org/rewrites`` | N/A | Configures URI rewriting using [proxy_pass](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass) directive. | N/A | [Rewrites Support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/rewrites). | {{% /table %}} ### Auth and SSL/TLS @@ -138,10 +138,10 @@ The table below summarizes the available annotations. |``nginx.org/hsts-behind-proxy`` | ``hsts-behind-proxy`` | Enables HSTS based on the value of the ``http_x_forwarded_proto`` request header. Should only be used when TLS termination is configured in a load balancer (proxy) in front of the Ingress Controller. Note: to control redirection from HTTP to HTTPS configure the ``nginx.org/redirect-to-https`` annotation. | ``False`` | | |``nginx.org/basic-auth-secret`` | N/A | Specifies a Secret resource with a user list for HTTP Basic authentication. | N/A | | |``nginx.org/basic-auth-realm`` | N/A | Specifies a realm. | N/A | | -|``nginx.com/jwt-key`` | N/A | Specifies a Secret resource with keys for validating JSON Web Tokens (JWTs). | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/jwt). | -|``nginx.com/jwt-realm`` | N/A | Specifies a realm. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/jwt). | -|``nginx.com/jwt-token`` | N/A | Specifies a variable that contains a JSON Web Token. | By default, a JWT is expected in the ``Authorization`` header as a Bearer Token. | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/jwt). | -|``nginx.com/jwt-login-url`` | N/A | Specifies a URL to which a client is redirected in case of an invalid or missing JWT. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/jwt). | +|``nginx.com/jwt-key`` | N/A | Specifies a Secret resource with keys for validating JSON Web Tokens (JWTs). | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/jwt). | +|``nginx.com/jwt-realm`` | N/A | Specifies a realm. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/jwt). | +|``nginx.com/jwt-token`` | N/A | Specifies a variable that contains a JSON Web Token. | By default, a JWT is expected in the ``Authorization`` header as a Bearer Token. | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/jwt). | +|``nginx.com/jwt-login-url`` | N/A | Specifies a URL to which a client is redirected in case of an invalid or missing JWT. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/jwt). | {{% /table %}} ### Listeners @@ -159,19 +159,19 @@ The table below summarizes the available annotations. |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | |``nginx.org/lb-method`` | ``lb-method`` | Sets the [load balancing method](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#choosing-a-load-balancing-method). To use the round-robin method, specify ``"round_robin"``. | ``"random two least_conn"`` | | -|``nginx.org/ssl-services`` | N/A | Enables HTTPS or gRPC over SSL when connecting to the endpoints of services. | N/A | [SSL Services Support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/ssl-services). | -|``nginx.org/grpc-services`` | N/A | Enables gRPC for services. Note: requires HTTP/2 (see ``http2`` ConfigMap key); only works for Ingresses with TLS termination enabled. | N/A | [GRPC Services Support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/grpc-services). | -|``nginx.org/websocket-services`` | N/A | Enables WebSocket for services. | N/A | [WebSocket support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/websocket). | +|``nginx.org/ssl-services`` | N/A | Enables HTTPS or gRPC over SSL when connecting to the endpoints of services. | N/A | [SSL Services Support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/ssl-services). | +|``nginx.org/grpc-services`` | N/A | Enables gRPC for services. Note: requires HTTP/2 (see ``http2`` ConfigMap key); only works for Ingresses with TLS termination enabled. | N/A | [GRPC Services Support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/grpc-services). | +|``nginx.org/websocket-services`` | N/A | Enables WebSocket for services. | N/A | [WebSocket support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/websocket). | |``nginx.org/max-fails`` | ``max-fails`` | Sets the value of the [max_fails](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_fails) parameter of the ``server`` directive. | ``1`` | | |``nginx.org/max-conns`` | N\A | Sets the value of the [max_conns](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_conns) parameter of the ``server`` directive. | ``0`` | | |``nginx.org/upstream-zone-size`` | ``upstream-zone-size`` | Sets the size of the shared memory [zone](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#zone) for upstreams. For NGINX, the special value 0 disables the shared memory zones. For NGINX Plus, shared memory zones are required and cannot be disabled. The special value 0 will be ignored. | ``256K`` | | |``nginx.org/fail-timeout`` | ``fail-timeout`` | Sets the value of the [fail_timeout](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#fail_timeout) parameter of the ``server`` directive. | ``10s`` | | -|``nginx.com/sticky-cookie-services`` | N/A | Configures session persistence. | N/A | [Session Persistence](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/session-persistence). | +|``nginx.com/sticky-cookie-services`` | N/A | Configures session persistence. | N/A | [Session Persistence](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/session-persistence). | |``nginx.org/keepalive`` | ``keepalive`` | Sets the value of the [keepalive](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive) directive. Note that ``proxy_set_header Connection "";`` is added to the generated configuration when the value > 0. | ``0`` | | -|``nginx.com/health-checks`` | N/A | Enables active health checks. | ``False`` | [Support for Active Health Checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/health-checks). | -|``nginx.com/health-checks-mandatory`` | N/A | Configures active health checks as mandatory. | ``False`` | [Support for Active Health Checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/health-checks). | -|``nginx.com/health-checks-mandatory-queue`` | N/A | When active health checks are mandatory, creates a queue where incoming requests are temporarily stored while NGINX Plus is checking the health of the endpoints after a configuration reload. | ``0`` | [Support for Active Health Checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/health-checks). | -|``nginx.com/slow-start`` | N/A | Sets the upstream server [slow-start period](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#server-slow-start). By default, slow-start is activated after a server becomes [available](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks) or [healthy](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#active-health-checks). To enable slow-start for newly-added servers, configure [mandatory active health checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/health-checks). | ``"0s"`` | | +|``nginx.com/health-checks`` | N/A | Enables active health checks. | ``False`` | [Support for Active Health Checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/health-checks). | +|``nginx.com/health-checks-mandatory`` | N/A | Configures active health checks as mandatory. | ``False`` | [Support for Active Health Checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/health-checks). | +|``nginx.com/health-checks-mandatory-queue`` | N/A | When active health checks are mandatory, creates a queue where incoming requests are temporarily stored while NGINX Plus is checking the health of the endpoints after a configuration reload. | ``0`` | [Support for Active Health Checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/health-checks). | +|``nginx.com/slow-start`` | N/A | Sets the upstream server [slow-start period](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#server-slow-start). By default, slow-start is activated after a server becomes [available](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks) or [healthy](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#active-health-checks). To enable slow-start for newly-added servers, configure [mandatory active health checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/health-checks). | ``"0s"`` | | {{% /table %}} ### Snippets and Custom Templates @@ -190,11 +190,11 @@ The table below summarizes the available annotations. {{% table %}} |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | -|``appprotect.f5.com/app-protect-policy`` | N/A | The name of the App Protect Policy for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace of the Ingress Resource is used. If not specified but ``appprotect.f5.com/app-protect-enable`` is true, a default policy id applied. If the referenced policy resource does not exist, or policy is invalid, this annotation will be ignored, and the default policy will be applied. | N/A | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/app-protect-waf). | -|``appprotect.f5.com/app-protect-enable`` | N/A | Enable App Protect for the Ingress Resource. | ``False`` | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/app-protect-waf). | -|``appprotect.f5.com/app-protect-security-log-enable`` | N/A | Enable the [security log](/nginx-app-protect/troubleshooting/#app-protect-logging-overview) for App Protect. | ``False`` | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/app-protect-waf). | -|``appprotect.f5.com/app-protect-security-log`` | N/A | The App Protect log configuration for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace as the Ingress Resource is used. If not specified the default is used which is: filter: ``illegal``, format: ``default``. Multiple configurations can be specified in a comma separated list. Both log configurations and destinations list (see below) must be of equal length. Configs and destinations are paired by the list indices. | N/A | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/app-protect-waf). | -|``appprotect.f5.com/app-protect-security-log-destination`` | N/A | The destination of the security log. For more information check the [DESTINATION argument](/nginx-app-protect/troubleshooting/#app-protect-logging-overview). Multiple destinations can be specified in a comma-separated list. Both log configurations and destinations list (see above) must be of equal length. Configs and destinations are paired by the list indices. | ``syslog:server=localhost:514`` | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/app-protect-waf). | +|``appprotect.f5.com/app-protect-policy`` | N/A | The name of the App Protect Policy for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace of the Ingress Resource is used. If not specified but ``appprotect.f5.com/app-protect-enable`` is true, a default policy id applied. If the referenced policy resource does not exist, or policy is invalid, this annotation will be ignored, and the default policy will be applied. | N/A | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/app-protect-waf). | +|``appprotect.f5.com/app-protect-enable`` | N/A | Enable App Protect for the Ingress Resource. | ``False`` | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/app-protect-waf). | +|``appprotect.f5.com/app-protect-security-log-enable`` | N/A | Enable the [security log](/nginx-app-protect/troubleshooting/#app-protect-logging-overview) for App Protect. | ``False`` | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/app-protect-waf). | +|``appprotect.f5.com/app-protect-security-log`` | N/A | The App Protect log configuration for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace as the Ingress Resource is used. If not specified the default is used which is: filter: ``illegal``, format: ``default``. Multiple configurations can be specified in a comma separated list. Both log configurations and destinations list (see below) must be of equal length. Configs and destinations are paired by the list indices. | N/A | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/app-protect-waf). | +|``appprotect.f5.com/app-protect-security-log-destination`` | N/A | The destination of the security log. For more information check the [DESTINATION argument](/nginx-app-protect/troubleshooting/#app-protect-logging-overview). Multiple destinations can be specified in a comma-separated list. Both log configurations and destinations list (see above) must be of equal length. Configs and destinations are paired by the list indices. | ``syslog:server=localhost:514`` | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/app-protect-waf). | {{% /table %}} ### App Protect DoS @@ -204,5 +204,5 @@ The table below summarizes the available annotations. {{% table %}} |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | -|``appprotectdos.f5.com/app-protect-dos-resource`` | N/A | Enable App Protect DoS for the Ingress Resource by specifying a [DosProtectedResource](/nginx-ingress-controller/app-protect-dos/dos-protected/). | N/A | [Example for App Protect DoS](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/app-protect-dos). | +|``appprotectdos.f5.com/app-protect-dos-resource`` | N/A | Enable App Protect DoS for the Ingress Resource by specifying a [DosProtectedResource](/nginx-ingress-controller/app-protect-dos/dos-protected/). | N/A | [Example for App Protect DoS](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/app-protect-dos). | {{% /table %}} diff --git a/docs/content/configuration/ingress-resources/basic-configuration.md b/docs/content/configuration/ingress-resources/basic-configuration.md index 5cde629e6d..86ce2064ae 100644 --- a/docs/content/configuration/ingress-resources/basic-configuration.md +++ b/docs/content/configuration/ingress-resources/basic-configuration.md @@ -53,7 +53,7 @@ Here is a breakdown of what this Ingress resource definition means: - The rule with the path `/coffee` instructs NGINX to distribute the requests with the `/coffee` URI among the pods of the *coffee* service, which is deployed with the name `coffee‑svc` in the cluster. - Both rules instruct NGINX to distribute the requests to `port 80` of the corresponding service (the `servicePort` field). -> For complete instructions on deploying the Ingress and Secret resources in the cluster, see the [complete example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/complete-example) in our GitHub repository. +> For complete instructions on deploying the Ingress and Secret resources in the cluster, see the [complete example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/complete-example) in our GitHub repository. > To learn more about the Ingress resource, see the [Ingress resource documentation](https://kubernetes.io/docs/concepts/services-networking/ingress/) in the Kubernetes docs. diff --git a/docs/content/configuration/ingress-resources/cross-namespace-configuration.md b/docs/content/configuration/ingress-resources/cross-namespace-configuration.md index 0c2db92c00..9a7ac9e1b1 100644 --- a/docs/content/configuration/ingress-resources/cross-namespace-configuration.md +++ b/docs/content/configuration/ingress-resources/cross-namespace-configuration.md @@ -9,6 +9,6 @@ docs: "DOCS-594" --- -You can spread the Ingress configuration for a common host across multiple Ingress resources using Mergeable Ingress resources. Such resources can belong to the *same* or *different* namespaces. This enables easier management when using a large number of paths. See the [Mergeable Ingress Resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/mergeable-ingress-types) example in our GitHub repo. +You can spread the Ingress configuration for a common host across multiple Ingress resources using Mergeable Ingress resources. Such resources can belong to the *same* or *different* namespaces. This enables easier management when using a large number of paths. See the [Mergeable Ingress Resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/mergeable-ingress-types) example in our GitHub repo. -As an alternative to Mergeable Ingress resources, you can use [VirtualServer and VirtualServerRoute resources](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/) for cross-namespace configuration. See the [Cross-Namespace Configuration](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/custom-resources/cross-namespace-configuration) example in our GitHub repo. +As an alternative to Mergeable Ingress resources, you can use [VirtualServer and VirtualServerRoute resources](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/) for cross-namespace configuration. See the [Cross-Namespace Configuration](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/cross-namespace-configuration) example in our GitHub repo. diff --git a/docs/content/configuration/ingress-resources/custom-annotations.md b/docs/content/configuration/ingress-resources/custom-annotations.md index 83fc4dfba0..2ae929c83a 100644 --- a/docs/content/configuration/ingress-resources/custom-annotations.md +++ b/docs/content/configuration/ingress-resources/custom-annotations.md @@ -23,7 +23,7 @@ Custom annotations allow you to add an annotation for an NGINX feature that is n ## Usage -The Ingress Controller generates NGINX configuration for Ingress resources by executing a configuration template. See [NGINX template](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.0/internal/configs/version1/nginx.ingress.tmpl) or [NGINX Plus template](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.0/internal/configs/version1/nginx-plus.ingress.tmpl). +The Ingress Controller generates NGINX configuration for Ingress resources by executing a configuration template. See [NGINX template](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/internal/configs/version1/nginx.ingress.tmpl) or [NGINX Plus template](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/internal/configs/version1/nginx-plus.ingress.tmpl). To support custom annotations, the template has access to the information about the Ingress resource - its *name*, *namespace* and *annotations*. It is possible to check if a particular annotation present in the Ingress resource and conditionally insert NGINX configuration directives at multiple NGINX contexts - `http`, `server`, `location` or `upstream`. Additionally, you can get the value that is set to the annotation. @@ -144,4 +144,4 @@ deny all; ## Example -See the [custom annotations example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.0/examples/ingress-resources/custom-annotations). +See the [custom annotations example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/examples/ingress-resources/custom-annotations). diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md index d4b0c2e656..6160697f95 100644 --- a/docs/content/configuration/policy-resource.md +++ b/docs/content/configuration/policy-resource.md @@ -12,7 +12,7 @@ The Policy resource allows you to configure features like access control and rat The resource is implemented as a [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). -This document is the reference documentation for the Policy resource. An example of a Policy for access control is available in our [GitHub repository](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.0/examples/custom-resources/access-control). +This document is the reference documentation for the Policy resource. An example of a Policy for access control is available in our [GitHub repository](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/examples/custom-resources/access-control). ## Prerequisites @@ -459,7 +459,7 @@ NGINX Plus will pass the ID of an authenticated user to the backend in the HTTP #### Prerequisites In order to use OIDC, you need to enable [zone synchronization](https://docs.nginx.com/nginx/admin-guide/high-availability/zone_sync/). If you don't set up zone synchronization, NGINX Plus will fail to reload. -You also need to configure a resolver, which NGINX Plus will use to resolve the IDP authorization endpoint. You can find an example configuration [in our GitHub repository](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.0/examples/custom-resources/oidc#step-7---configure-nginx-plus-zone-synchronization-and-resolver). +You also need to configure a resolver, which NGINX Plus will use to resolve the IDP authorization endpoint. You can find an example configuration [in our GitHub repository](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/examples/custom-resources/oidc#step-7---configure-nginx-plus-zone-synchronization-and-resolver). > **Note**: The configuration in the example doesn't enable TLS and the synchronization between the replica happens in clear text. This could lead to the exposure of tokens. diff --git a/docs/content/configuration/security.md b/docs/content/configuration/security.md index 6ecdaf8146..222b4d4f46 100644 --- a/docs/content/configuration/security.md +++ b/docs/content/configuration/security.md @@ -22,10 +22,10 @@ In addition, the following relating more specifically to Ingress Controller. The Ingress Controller is deployed within a Kubernetes environment, this environment must be secured. Kubernetes uses [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) to control the resources and operations available to different types of users. The Ingress Controller requires a service account which is configured using RBAC. -We strongly recommend using the [RBAC configuration](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.0/deployments/rbac/rbac.yaml) provided in our standard deployment configuration. It is configured with the least amount of privilege required for the Ingress Controller to work. +We strongly recommend using the [RBAC configuration](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/deployments/rbac/rbac.yaml) provided in our standard deployment configuration. It is configured with the least amount of privilege required for the Ingress Controller to work. -We strongly recommend inspecting the RBAC configuration for [Manifests](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.0/deployments/rbac/rbac.yaml) -or for [Helm](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.0/charts/nginx-ingress/templates/rbac.yaml) to understand what access the Ingress Controller service account has and to which resources. For example, by default the service account has access to all Secret resources in the cluster. +We strongly recommend inspecting the RBAC configuration for [Manifests](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/deployments/rbac/rbac.yaml) +or for [Helm](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/charts/nginx-ingress/templates/rbac.yaml) to understand what access the Ingress Controller service account has and to which resources. For example, by default the service account has access to all Secret resources in the cluster. ### Certificates and Privacy Keys diff --git a/docs/content/configuration/transportserver-resource.md b/docs/content/configuration/transportserver-resource.md index 1d4062440f..8f9622dbd9 100644 --- a/docs/content/configuration/transportserver-resource.md +++ b/docs/content/configuration/transportserver-resource.md @@ -10,7 +10,7 @@ docs: "DOCS-598" The TransportServer resource allows you to configure TCP, UDP, and TLS Passthrough load balancing. The resource is implemented as a [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). -This document is the reference documentation for the TransportServer resource. To see additional examples of using the resource for specific use cases, go to the [examples/custom-resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/custom-resources) folder in our GitHub repo. +This document is the reference documentation for the TransportServer resource. To see additional examples of using the resource for specific use cases, go to the [examples/custom-resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources) folder in our GitHub repo. ## Prerequisites diff --git a/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md b/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md index 831709c81f..f8c10937d6 100644 --- a/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md +++ b/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md @@ -12,7 +12,7 @@ docs: "DOCS-599" The VirtualServer and VirtualServerRoute resources, introduced in release 1.5, enable use cases not supported with the Ingress resource, such as traffic splitting and advanced content-based routing. The resources are implemented as [Custom Resources](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). -This document is the reference documentation for the resources. To see additional examples of using the resources for specific use cases, go to the [examples/custom-resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/custom-resources) folder in our GitHub repo. +This document is the reference documentation for the resources. To see additional examples of using the resources for specific use cases, go to the [examples/custom-resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources) folder in our GitHub repo. ## VirtualServer Specification @@ -347,7 +347,7 @@ tls: |Field | Description | Type | Required | | ---| ---| ---| --- | |``name`` | The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, ``hello`` and ``upstream-123`` are valid. The name must be unique among all upstreams of the resource. | ``string`` | Yes | -|``service`` | The name of a [service](https://kubernetes.io/docs/concepts/services-networking/service/). The service must belong to the same namespace as the resource. If the service doesn't exist, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. For NGINX Plus only, services of type [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#externalname) are also supported (check the [prerequisites](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/externalname-services#prerequisites) ). | ``string`` | Yes | +|``service`` | The name of a [service](https://kubernetes.io/docs/concepts/services-networking/service/). The service must belong to the same namespace as the resource. If the service doesn't exist, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. For NGINX Plus only, services of type [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#externalname) are also supported (check the [prerequisites](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/externalname-services#prerequisites) ). | ``string`` | Yes | |``subselector`` | Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. If the pod labels are updated, the Ingress Controller will not see that change until the number of the pods is changed. | ``map[string]string`` | No | |``use-cluster-ip`` | Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like ``lb-method`` and ``next-upstream``) will have no effect, as the Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. | ``boolean`` | No | |``port`` | The port of the service. If the service doesn't define that port, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. The port must fall into the range ``1..65535``. | ``uint16`` | Yes | @@ -636,7 +636,7 @@ proxy: |``upstream`` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | ``string`` | Yes | |``requestHeaders`` | The request headers modifications. | [action.Proxy.RequestHeaders](#actionproxyrequestheaders) | No | |``responseHeaders`` | The response headers modifications. | [action.Proxy.ResponseHeaders](#actionproxyresponseheaders) | No | -|``rewritePath`` | The rewritten URI. If the route path is a regular expression -- starts with `~` -- the `rewritePath` can include capture groups with ``$1-9``. For example `$1` for the first group, and so on. For more information, check the [rewrite](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/custom-resources/rewrites) example. | ``string`` | No | +|``rewritePath`` | The rewritten URI. If the route path is a regular expression -- starts with `~` -- the `rewritePath` can include capture groups with ``$1-9``. For example `$1` for the first group, and so on. For more information, check the [rewrite](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/rewrites) example. | ``string`` | No | {{% /table %}} ### Action.Proxy.RequestHeaders diff --git a/docs/content/installation/building-nginx-ingress-controller.md b/docs/content/installation/building-nginx-ingress-controller.md index 4144219d28..27b1d04f80 100644 --- a/docs/content/installation/building-nginx-ingress-controller.md +++ b/docs/content/installation/building-nginx-ingress-controller.md @@ -41,10 +41,10 @@ Get your system ready for building and pushing the NGINX Ingress Controller imag cd kubernetes-ingress ``` - For instance if you want to clone version v3.4.0, the commands to run would be: + For instance if you want to clone version v3.4.1, the commands to run would be: ```shell - git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.0 + git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.1 cd kubernetes-ingress ``` diff --git a/docs/content/installation/installing-nic/installation-with-helm.md b/docs/content/installation/installing-nic/installation-with-helm.md index 6dc870279c..e6902ead06 100644 --- a/docs/content/installation/installing-nic/installation-with-helm.md +++ b/docs/content/installation/installing-nic/installation-with-helm.md @@ -66,13 +66,13 @@ To install the chart with the release name my-release (my-release is the name th - For NGINX: ```shell - helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.0 + helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.1 ``` - For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`) ```shell - helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.0 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true + helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.1 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true ``` This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to use Docker Hub, you can replace `ghcr.io/nginxinc/charts/nginx-ingress` with `registry-1.docker.io/nginxcharts/nginx-ingress`. @@ -84,7 +84,7 @@ Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a re To upgrade the release `my-release`: ```shell -helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.0 +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.1 ``` ### Uninstalling the Chart @@ -121,7 +121,7 @@ This step is required if you're installing the chart using its sources. Addition 1. Pull the chart sources: ```shell - helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.0 + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.1 ``` 2. Change your working directory to nginx-ingress: @@ -202,7 +202,7 @@ The steps you should follow depend on the Helm release name: Selector: app=nginx-ingress-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.4.0` +2. Checkout the latest available tag using `git checkout v3.4.1` 3. Navigate to `/kubernates-ingress/charts/nginx-ingress` @@ -247,7 +247,7 @@ The steps you should follow depend on the Helm release name: Selector: app=-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.4.0` +2. Checkout the latest available tag using `git checkout v3.4.1` 3. Navigate to `/kubernates-ingress/charts/nginx-ingress` @@ -310,7 +310,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont | **controller.logLevel** | The log level of the Ingress Controller. | 1 | | **controller.image.digest** | The image digest of the Ingress Controller. | None | | **controller.image.repository** | The image repository of the Ingress Controller. | nginx/nginx-ingress | -| **controller.image.tag** | The tag of the Ingress Controller image. | 3.4.0 | +| **controller.image.tag** | The tag of the Ingress Controller image. | 3.4.1 | | **controller.image.pullPolicy** | The pull policy for the Ingress Controller image. | IfNotPresent | | **controller.lifecycle** | The lifecycle of the Ingress Controller pods. | {} | | **controller.customConfigMap** | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | @@ -338,7 +338,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont | **controller.initContainerResources** | The resources of the init container which is used when `controller.readOnlyRootFilesystem` is set to `true` | requests: cpu=100m,memory=128Mi | | **controller.replicaCount** | The number of replicas of the Ingress Controller deployment. | 1 | | **controller.ingressClass.name** | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx | -| **controller.ingressClass.create** | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.4.0, do not set the value to false. | true | +| **controller.ingressClass.create** | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.3.0, do not set the value to false. | true | | **controller.ingressClass.setAsDefaultIngress** | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass.name`. Requires `controller.ingressClass.create`. | false | | **controller.watchNamespace** | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" | | **controller.watchNamespaceLabel** | Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespace`. | "" | diff --git a/docs/content/installation/installing-nic/installation-with-manifests.md b/docs/content/installation/installing-nic/installation-with-manifests.md index 0c5aa0ca03..4591034161 100644 --- a/docs/content/installation/installing-nic/installation-with-manifests.md +++ b/docs/content/installation/installing-nic/installation-with-manifests.md @@ -35,7 +35,7 @@ Clone the NGINX Ingress Controller repository using the command shown below, and git clone https://github.com/nginxinc/kubernetes-ingress.git --branch ``` -For example, if you want to use version 3.4.0, the command would be `git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.0`. +For example, if you want to use version 3.4.1, the command would be `git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.1`. This guide assumes you are using the latest release. @@ -69,7 +69,7 @@ There are two ways you can install the custom resource definitions: 1. Create CRDs for [VirtualServer and VirtualServerRoute]({{< relref "configuration/virtualserver-and-virtualserverroute-resources.md" >}}), [TransportServer]({{< relref "configuration/transportserver-resource.md" >}}), [Policy]({{< relref "configuration/policy-resource.md" >}}) and [GlobalConfiguration]({{< relref "configuration/global-configuration/globalconfiguration-resource.md" >}}): ```shell - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/deploy/crds.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/deploy/crds.yaml ``` ### Optional custom resource definitions @@ -77,13 +77,13 @@ There are two ways you can install the custom resource definitions: 1. For the NGINX App Protect WAF module, create CRDs for `APPolicy`, `APLogConf` and `APUserSig`: ```shell - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/deploy/crds-nap-waf.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/deploy/crds-nap-waf.yaml ``` 2. For the NGINX App Protect DoS module, create CRDs for `APDosPolicy`, `APDosLogConf` and `DosProtectedResource`: ```shell - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/deploy/crds-nap-dos.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/deploy/crds-nap-dos.yaml ``` {{%/tab%}} @@ -262,17 +262,17 @@ Connect to ports 80 and 443 using the IP address of any node in the cluster wher 1. Delete core custom resource definitions: ```shell - kubectl delete -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/deploy/crds.yaml + kubectl delete -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/deploy/crds.yaml ``` 2. Delete custom resource definitions for the NGINX App Protect WAF module: ```shell - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/deploy/crds-nap-waf.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/deploy/crds-nap-waf.yaml ``` 3. Delete custom resource definitions for the NGINX App Protect DoS module: ```shell - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/deploy/crds-nap-dos.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/deploy/crds-nap-dos.yaml ``` {{%/tab%}} diff --git a/docs/content/installation/installing-nic/installation-with-operator.md b/docs/content/installation/installing-nic/installation-with-operator.md index 865f95dd70..84da0fef95 100644 --- a/docs/content/installation/installing-nic/installation-with-operator.md +++ b/docs/content/installation/installing-nic/installation-with-operator.md @@ -47,7 +47,7 @@ spec: image: pullPolicy: IfNotPresent repository: nginx/nginx-ingress - tag: 3.4.0-ubi + tag: 3.4.1-ubi ingressClass: nginx kind: deployment nginxplus: false diff --git a/docs/content/installation/integrations/app-protect-dos/configuration.md b/docs/content/installation/integrations/app-protect-dos/configuration.md index 9577a89314..4b6420e979 100644 --- a/docs/content/installation/integrations/app-protect-dos/configuration.md +++ b/docs/content/installation/integrations/app-protect-dos/configuration.md @@ -8,7 +8,7 @@ toc: true docs: "DOCS-580" --- -> Check out the complete [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/app-protect-dos). +> Check out the complete [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/app-protect-dos). ## App Protect DoS Configuration diff --git a/docs/content/installation/integrations/app-protect-dos/installation.md b/docs/content/installation/integrations/app-protect-dos/installation.md index 270d8e9af4..0ab3d5ae3d 100644 --- a/docs/content/installation/integrations/app-protect-dos/installation.md +++ b/docs/content/installation/integrations/app-protect-dos/installation.md @@ -34,10 +34,10 @@ Get your system ready for building and pushing the NGINX Ingress Controller imag cd kubernetes-ingress ``` - For instance if you want to clone version v3.4.0, the commands to run would be: + For instance if you want to clone version v3.4.1, the commands to run would be: ```shell - git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.0 + git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.1 cd kubernetes-ingress/deployments ``` @@ -216,7 +216,7 @@ To enable the NGINX App Protect DoS Module: {{< include "installation/manifests/verify-pods-are-running.md" >}} -For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-dos/configuration.md" >}}),the [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/app-protect-dos). +For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-dos/configuration.md" >}}),the [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/app-protect-dos). --- diff --git a/docs/content/installation/integrations/app-protect-waf/configuration.md b/docs/content/installation/integrations/app-protect-waf/configuration.md index 0e3dc796e7..69557f722f 100644 --- a/docs/content/installation/integrations/app-protect-waf/configuration.md +++ b/docs/content/installation/integrations/app-protect-waf/configuration.md @@ -268,8 +268,8 @@ These are the typical steps to deploy an OpenAPI protection Policy in NGINX Ingr 3. Make other custom changes if needed (e.g. enable Data Guard protection). 4. Use a tool to convert the result to YAML. There are many, for example: [`yq` utility](https://github.com/mikefarah/yq). 5. Add the YAML properties to create an `APPolicy` Custom Resource putting the policy itself (as in step 4) within the `spec` property of the Custom Resource. Refer to the [NGINX App Protect Policies](#nginx-app-protect-waf-policies) section above. -6. Create a `Policy` object which references the `APPolicy` Custom Resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.0/examples/custom-resources/app-protect-waf/waf.yaml). -7. Finally, attach the `Policy` object to a `VirtualServer` resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.0/examples/custom-resources/app-protect-waf/virtual-server.yaml). +6. Create a `Policy` object which references the `APPolicy` Custom Resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/examples/custom-resources/app-protect-waf/waf.yaml). +7. Finally, attach the `Policy` object to a `VirtualServer` resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/examples/custom-resources/app-protect-waf/virtual-server.yaml). **Note**: You need to make sure that the server where the resource files are located is always available when you are compiling your policy. @@ -404,7 +404,7 @@ The `link` option is also available in the `openApiFileReference` property and i In this example we deploy NGINX Ingress Controller with NGINX Plus and NGINX App Protect WAF, deploy a simple web application, and then configure load balancing and WAF protection for that application using the VirtualServer resource. -**Note:** You can find the example, and the files referenced, on [GitHub](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/custom-resources/app-protect-waf). +**Note:** You can find the example, and the files referenced, on [GitHub](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/app-protect-waf). ## Prerequisites @@ -426,7 +426,7 @@ In this example we deploy NGINX Ingress Controller with NGINX Plus and NGINX App Create the application deployment and service: ```console - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/examples/custom-resources/app-protect-waf/webapp.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/examples/custom-resources/app-protect-waf/webapp.yaml ``` ### Step 2. Deploy the AP Policy @@ -434,15 +434,15 @@ Create the application deployment and service: 1. Create the syslog service and pod for the NGINX App Protect WAF security logs: ```console - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/examples/custom-resources/app-protect-waf/syslog.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/examples/custom-resources/app-protect-waf/syslog.yaml ``` 2. Create the User-Defined Signature, WAF policy, and log configuration: ```console - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/examples/custom-resources/app-protect-waf/ap-apple-uds.yaml - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/examples/custom-resources/app-protect-waf/ap-dataguard-alarm-policy.yaml - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/examples/custom-resources/app-protect-waf/ap-logconf.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/examples/custom-resources/app-protect-waf/ap-apple-uds.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/examples/custom-resources/app-protect-waf/ap-dataguard-alarm-policy.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/examples/custom-resources/app-protect-waf/ap-logconf.yaml ``` ### Step 3 - Deploy the WAF Policy @@ -450,7 +450,7 @@ Create the application deployment and service: Create the WAF policy ```console - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/examples/custom-resources/app-protect-waf/waf.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/examples/custom-resources/app-protect-waf/waf.yaml ``` Note the NGINX App Protect WAF configuration settings in the Policy resource. They enable WAF protection by configuring NGINX App Protect WAF with the policy and log configuration created in the previous step. @@ -460,7 +460,7 @@ Create the WAF policy 1. Create the VirtualServer Resource: ```console - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/examples/custom-resources/app-protect-waf/virtual-server.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/examples/custom-resources/app-protect-waf/virtual-server.yaml ``` Note that the VirtualServer references the policy waf-policy created in Step 3. @@ -501,7 +501,7 @@ To access the application, curl the coffee and the tea services. We'll use the - ### Configuration Example of Virtual Server -Refer to GitHub repo for [Virtual Server example](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/examples/custom-resources/app-protect-waf/webapp.yaml). +Refer to GitHub repo for [Virtual Server example](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/examples/custom-resources/app-protect-waf/webapp.yaml). ```yaml apiVersion: k8s.nginx.org/v1 diff --git a/docs/content/installation/integrations/app-protect-waf/installation.md b/docs/content/installation/integrations/app-protect-waf/installation.md index 61f34f1d16..cdc8b3f463 100644 --- a/docs/content/installation/integrations/app-protect-waf/installation.md +++ b/docs/content/installation/integrations/app-protect-waf/installation.md @@ -29,7 +29,7 @@ Get your system ready for building and pushing the NGINX Ingress Controller imag 1. Clone the NGINX Ingress Controller repository: ```console - git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.0 + git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.1 cd kubernetes-ingress ``` @@ -217,4 +217,4 @@ To enable the NGINX App Protect DoS Module: {{< include "installation/manifests/verify-pods-are-running.md" >}} -For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-waf/configuration.md" >}}) and the NGINX Ingress Controller with App Protect example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/app-protect-waf" >}}). +For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-waf/configuration.md" >}}) and the NGINX Ingress Controller with App Protect example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/app-protect-waf" >}}). diff --git a/docs/content/installation/nic-images/pulling-ingress-controller-image.md b/docs/content/installation/nic-images/pulling-ingress-controller-image.md index bfe2466981..44fda0b509 100644 --- a/docs/content/installation/nic-images/pulling-ingress-controller-image.md +++ b/docs/content/installation/nic-images/pulling-ingress-controller-image.md @@ -38,7 +38,7 @@ The steps provided are for Linux. For Mac or Windows, consult the [Docker for Ma Next, pull the image you need from `private-registry.nginx.com`. To find the correct image, consult the [Tech Specs guide]({{< relref "technical-specifications#images-with-nginx-plus" >}}). -To pull an image, follow these steps. Replace `` with the specific version you need, for example, `3.4.0`. +To pull an image, follow these steps. Replace `` with the specific version you need, for example, `3.4.1`. - For NGINX Plus Ingress Controller, run: @@ -65,9 +65,9 @@ $ curl https://private-registry.nginx.com/v2/nginx-ic/nginx-plus-ingress/tags/li { "name": "nginx-ic/nginx-plus-ingress", "tags": [ - "3.4.0-alpine", - "3.4.0-ubi", - "3.4.0" + "3.4.1-alpine", + "3.4.1-ubi", + "3.4.1" ] } @@ -75,8 +75,8 @@ $ curl https://private-registry.nginx.com/v2/nginx-ic-nap/nginx-plus-ingress/tag { "name": "nginx-ic-nap/nginx-plus-ingress", "tags": [ - "3.4.0-ubi", - "3.4.0" + "3.4.1-ubi", + "3.4.1" ] } @@ -84,8 +84,8 @@ $ curl https://private-registry.nginx.com/v2/nginx-ic-dos/nginx-plus-ingress/tag { "name": "nginx-ic-dos/nginx-plus-ingress", "tags": [ - "3.4.0-ubi", - "3.4.0" + "3.4.1-ubi", + "3.4.1" ] } ``` @@ -102,7 +102,7 @@ After pulling the image, tag it and upload it to your private registry. docker login ``` -1. Tag and push the image. Replace `` with your registry's path and `` with the version you're using, for example `3.4.0`: +1. Tag and push the image. Replace `` with your registry's path and `` with the version you're using, for example `3.4.1`: - For NGINX Plus Ingress Controller, run: diff --git a/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md b/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md index a2e4e6fcac..e6de96c0a9 100644 --- a/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md +++ b/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md @@ -78,7 +78,7 @@ spec: seccompProfile: type: RuntimeDefault containers: - - image: private-registry.nginx.com/nginx-ic/nginx-plus-ingress:3.4.0 + - image: private-registry.nginx.com/nginx-ic/nginx-plus-ingress:3.4.1 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ``` @@ -118,7 +118,7 @@ The [Installation with Helm ]({{< relref "installation/installing-nic/installati repository: private-registry.nginx.com/nginx-ic/nginx-plus-ingress ## The version tag - tag: 3.4.0 + tag: 3.4.1 serviceAccount: ## The annotations of the service account of the Ingress Controller pods. @@ -150,7 +150,7 @@ If the namespace does not exist, `--create-namespace` will create it. Using `-f If you want to install NGINX Ingress Controller using the charts method, the following is an example of using the command line to pass the required arguments using the `set` parameter. ```shell -helm install my-release -n nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.0 --set controller.image.repository=private-registry.nginx.com/nginx-ic/nginx-plus-ingress --set controller.image.tag=3.4.0 --set controller.nginxplus=true --set controller.serviceAccount.imagePullSecretName=regcred +helm install my-release -n nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.1 --set controller.image.repository=private-registry.nginx.com/nginx-ic/nginx-plus-ingress --set controller.image.tag=3.4.1 --set controller.nginxplus=true --set controller.serviceAccount.imagePullSecretName=regcred ``` You can also use the certificate and key from the MyF5 portal and the Docker registry API to list the available image tags for the repositories, for example: @@ -160,9 +160,9 @@ You can also use the certificate and key from the MyF5 portal and the Docker reg { "name": "nginx-ic/nginx-plus-ingress", "tags": [ - "3.4.0-alpine", - "3.4.0-ubi", - "3.4.0" + "3.4.1-alpine", + "3.4.1-ubi", + "3.4.1" ] } @@ -170,8 +170,8 @@ You can also use the certificate and key from the MyF5 portal and the Docker reg { "name": "nginx-ic-nap/nginx-plus-ingress", "tags": [ - "3.4.0-ubi", - "3.4.0" + "3.4.1-ubi", + "3.4.1" ] } @@ -179,8 +179,8 @@ You can also use the certificate and key from the MyF5 portal and the Docker reg { "name": "nginx-ic-dos/nginx-plus-ingress", "tags": [ - "3.4.0-ubi", - "3.4.0" + "3.4.1-ubi", + "3.4.1" ] } ``` diff --git a/docs/content/overview/controller-comparison.md b/docs/content/overview/controller-comparison.md index 32e24fda22..056f390601 100644 --- a/docs/content/overview/controller-comparison.md +++ b/docs/content/overview/controller-comparison.md @@ -26,11 +26,11 @@ The table below summarizes the key difference between nginxinc/kubernetes-ingres | NGINX version | [Custom](https://github.com/kubernetes/ingress-nginx/tree/main/images/nginx) NGINX build that includes several third-party modules | NGINX official mainline [build](https://github.com/nginxinc/docker-nginx) | NGINX Plus | | Commercial support | N/A | N/A | Included | | **Load balancing configuration via the Ingress resource** | -| Merging Ingress rules with the same host | Supported | Supported via [Mergeable Ingresses](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/mergeable-ingress-types) | Supported via [Mergeable Ingresses](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/mergeable-ingress-types) | +| Merging Ingress rules with the same host | Supported | Supported via [Mergeable Ingresses](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/mergeable-ingress-types) | Supported via [Mergeable Ingresses](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/mergeable-ingress-types) | | HTTP load balancing extensions - Annotations | See the [supported annotations](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/) | See the [supported annotations](https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/) | See the [supported annotations](https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/)| | HTTP load balancing extensions -- ConfigMap | See the [supported ConfigMap keys](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/) | See the [supported ConfigMap keys](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) | See the [supported ConfigMap keys](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) | | TCP/UDP | Supported via a ConfigMap | Supported via custom resources | Supported via custom resources | -| Websocket | Supported | Supported via an [annotation](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/websocket) | Supported via an [annotation](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/websocket) | +| Websocket | Supported | Supported via an [annotation](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/websocket) | Supported via an [annotation](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/websocket) | | TCP SSL Passthrough | Supported via a ConfigMap | Supported via custom resources | Supported via custom resources | | JWT validation | Not supported | Not supported | Supported | | Session persistence | Supported via a third-party module | Not supported | Supported | diff --git a/docs/content/overview/nginx-plus.md b/docs/content/overview/nginx-plus.md index 182f55ab30..16b2ff7540 100644 --- a/docs/content/overview/nginx-plus.md +++ b/docs/content/overview/nginx-plus.md @@ -16,9 +16,9 @@ The NGINX Ingress Controller works with [NGINX](https://nginx.org/) as well as [ - _Real-time metrics_: Metrics for NGINX Plus and application performance are available through the API or the [NGINX Status Page]({{< relref "logging-and-monitoring/status-page">}}). These metrics can also be exported to [Prometheus]({{< relref "logging-and-monitoring/prometheus">}}). - _Additional load balancing methods_: The `least_time` and `random two least_time` methods and their derivatives become available. The NGINX [`ngx_http_upstream_module` documentation](https://nginx.org/en/docs/http/ngx_http_upstream_module.html) has the complete list of load balancing methods. -- _Session persistence_: The *sticky cookie* method becomes available. See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/session-persistence) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/custom-resources/session-persistence) examples. -- _Active health checks_: See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/health-checks) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/custom-resources/health-checks) examples. -- _JWT validation_: See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/ingress-resources/jwt) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.0/examples/custom-resources/jwt) examples. +- _Session persistence_: The *sticky cookie* method becomes available. See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/session-persistence) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/session-persistence) examples. +- _Active health checks_: See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/health-checks) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/health-checks) examples. +- _JWT validation_: See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/jwt) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/jwt) examples. For a comprehensive guide of NGINX Plus features available with Ingress resources, see the [ConfigMap]({{< relref "configuration/global-configuration/configmap-resource">}}) and [Annotations]({{< relref "configuration/ingress-resources/advanced-configuration-with-annotations">}}) documentation. diff --git a/docs/content/releases.md b/docs/content/releases.md index c6019e7c82..850ba1bbe0 100644 --- a/docs/content/releases.md +++ b/docs/content/releases.md @@ -6,6 +6,32 @@ doctypes: ["concept"] toc: true docs: "DOCS-616" --- +## 3.4.1 + +15 Jan 2024 + +### Dependencies +[4886](https://github.com/nginxinc/kubernetes-ingress/pull/4886) Update N+ to R31 +[4886](https://github.com/nginxinc/kubernetes-ingress/pull/4886) Bump Go dependencies. + +### Upgrade + +- For NGINX, use the 3.4.1 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.4.1), +[GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.4.1 images from the F5 Container registry, +the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE), +the [GCP Marketplace](https://console.cloud.google.com/marketplace/browse?filter=partner:F5,%20Inc.&filter=solution-type:k8s&filter=category:networking) +or build your own image using the 3.4.1 source code +- For Helm, use version 1.1.1 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.23-1.29. + ## 3.4.0 19 Dec 2023 diff --git a/docs/content/technical-specifications.md b/docs/content/technical-specifications.md index 3af2e8ce50..7e3bbabe01 100644 --- a/docs/content/technical-specifications.md +++ b/docs/content/technical-specifications.md @@ -23,7 +23,7 @@ We explicitly test NGINX Ingress Controller on a range of Kubernetes platforms f {{< bootstrap-table "table table-bordered table-striped table-responsive" >}} | NIC Version | Supported Kubernetes Version | NIC Helm Chart Version | NIC Operator Version | NGINX / NGINX Plus version | | --- | --- | --- | --- | --- | -| 3.4.0 | 1.29 - 1.22 | 1.1.0 | 2.1.0 | 1.25.3 / R30 | +| 3.4.1 | 1.29 - 1.23 | 1.1.1 | 2.1.0 | 1.25.3 / R31 | | 3.3.2 | 1.28 - 1.22 | 1.0.2 | 2.0.2 | 1.25.3 / R30 | | 3.2.1 | 1.27 - 1.22 | 0.18.1 | 1.5.1 | 1.25.2 / R30 | | 3.1.1 | 1.26 - 1.22 | 0.17.1 | 1.4.2 | 1.23.4 / R29 | @@ -48,14 +48,14 @@ We provide the following Docker images, which include NGINX or NGINX Plus bundle ### Images with NGINX -_All images include NGINX 1.25.2._ +_All images include NGINX 1.25.3._ {{< bootstrap-table "table table-bordered table-responsive" >}} |
Name
|
Base image
|
Third-party modules
| DockerHub image | Architectures | | ---| --- | --- | --- | --- | -|Alpine-based image | ``nginx:1.25.2-alpine``,
based on on ``alpine:3.18`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:3.4.0-alpine`` | arm/v7
arm64
amd64
ppc64le
s390x | -|Debian-based image | ``nginx:1.25.2``,
based on on ``debian:12-slim`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:3.4.0`` | arm/v7
arm64
amd64
ppc64le
s390x | -|Ubi-based image | ``nginxcontrib/nginx:1.25.2-ubi``,
based on on ``redhat/ubi9-minimal`` | | ``nginx/nginx-ingress:3.4.0-ubi`` | arm64
amd64
ppc64le
s390x | +|Alpine-based image | ``nginx:1.25.3-alpine``,
based on on ``alpine:3.18`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:3.4.1-alpine`` | arm/v7
arm64
amd64
ppc64le
s390x | +|Debian-based image | ``nginx:1.25.3``,
based on on ``debian:12-slim`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:3.4.1`` | arm/v7
arm64
amd64
ppc64le
s390x | +|Ubi-based image | ``nginxcontrib/nginx:1.25.3-ubi``,
based on on ``redhat/ubi9-minimal`` | | ``nginx/nginx-ingress:3.4.1-ubi`` | arm64
amd64
ppc64le
s390x | {{% /bootstrap-table %}} ### Images with NGINX Plus @@ -69,16 +69,16 @@ NGINX Plus images are available through the F5 Container registry `private-regis {{< bootstrap-table "table table-striped table-bordered table-responsive" >}} |
Name
|
Base image
|
Third-party modules
| F5 Container Registry Image | Architectures | | ---| ---| --- | --- | --- | -|Alpine-based image | ``alpine:3.18`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:3.4.0-alpine` | arm64
amd64 | -|Alpine-based image with FIPS inside | ``alpine:3.18`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog

FIPS module and OpenSSL configuration | `nginx-ic/nginx-plus-ingress:3.4.0-alpine-fips` | arm64
amd64 | -|Debian-based image | ``debian:12-slim`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:3.4.0` | arm64
amd64 | -|Debian-based image with NGINX App Protect WAF | ``debian:11-slim`` | NGINX App Protect WAF

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-nap/nginx-plus-ingress:3.4.0` | amd64 | -|Debian-based image with NGINX App Protect DoS | ``debian:11-slim`` | NGINX App Protect DoS

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-dos/nginx-plus-ingress:3.4.0` | amd64 | -|Debian-based image with NGINX App Protect WAF and DoS | ``debian:11-slim`` | NGINX App Protect WAF and DoS

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-nap-dos/nginx-plus-ingress:3.4.0` | amd64 | -|Ubi-based image | ``redhat/ubi9-minimal`` | NGINX Plus JavaScript module | `nginx-ic/nginx-plus-ingress:3.4.0-ubi` | arm64
amd64
s390x | -|Ubi-based image with NGINX App Protect WAF | ``redhat/ubi8`` | NGINX App Protect WAF and NGINX Plus JavaScript module | `nginx-ic-nap/nginx-plus-ingress:3.4.0-ubi` | amd64 | -|Ubi-based image with NGINX App Protect DoS | ``redhat/ubi8`` | NGINX App Protect DoS and NGINX Plus JavaScript module | `nginx-ic-dos/nginx-plus-ingress:3.4.0-ubi` | amd64 | -|Ubi-based image with NGINX App Protect WAF and DoS | ``redhat/ubi8`` | NGINX App Protect WAF and DoS

NGINX Plus JavaScript module | `nginx-ic-nap-dos/nginx-plus-ingress:3.4.0-ubi` | amd64 | +|Alpine-based image | ``alpine:3.18`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:3.4.1-alpine` | arm64
amd64 | +|Alpine-based image with FIPS inside | ``alpine:3.18`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog

FIPS module and OpenSSL configuration | `nginx-ic/nginx-plus-ingress:3.4.1-alpine-fips` | arm64
amd64 | +|Debian-based image | ``debian:12-slim`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:3.4.1` | arm64
amd64 | +|Debian-based image with NGINX App Protect WAF | ``debian:11-slim`` | NGINX App Protect WAF

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-nap/nginx-plus-ingress:3.4.1` | amd64 | +|Debian-based image with NGINX App Protect DoS | ``debian:11-slim`` | NGINX App Protect DoS

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-dos/nginx-plus-ingress:3.4.1` | amd64 | +|Debian-based image with NGINX App Protect WAF and DoS | ``debian:11-slim`` | NGINX App Protect WAF and DoS

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-nap-dos/nginx-plus-ingress:3.4.1` | amd64 | +|Ubi-based image | ``redhat/ubi9-minimal`` | NGINX Plus JavaScript module | `nginx-ic/nginx-plus-ingress:3.4.1-ubi` | arm64
amd64
s390x | +|Ubi-based image with NGINX App Protect WAF | ``redhat/ubi8`` | NGINX App Protect WAF and NGINX Plus JavaScript module | `nginx-ic-nap/nginx-plus-ingress:3.4.1-ubi` | amd64 | +|Ubi-based image with NGINX App Protect DoS | ``redhat/ubi8`` | NGINX App Protect DoS and NGINX Plus JavaScript module | `nginx-ic-dos/nginx-plus-ingress:3.4.1-ubi` | amd64 | +|Ubi-based image with NGINX App Protect WAF and DoS | ``redhat/ubi8`` | NGINX App Protect WAF and DoS

NGINX Plus JavaScript module | `nginx-ic-nap-dos/nginx-plus-ingress:3.4.1-ubi` | amd64 | {{% /bootstrap-table %}} #### **AWS Marketplace** diff --git a/docs/content/troubleshooting/troubleshoot-common.md b/docs/content/troubleshooting/troubleshoot-common.md index 05a8fe9390..04ff955ba4 100644 --- a/docs/content/troubleshooting/troubleshoot-common.md +++ b/docs/content/troubleshooting/troubleshoot-common.md @@ -145,7 +145,7 @@ controller: nginxplus: plus image: repository: nginx/nginx-ingress - tag: 3.4.0 + tag: 3.4.1 # NGINX Configmap config: entries: diff --git a/docs/content/tutorials/custom-listen-ports.md b/docs/content/tutorials/custom-listen-ports.md index 80ba5e2066..0789bf5add 100644 --- a/docs/content/tutorials/custom-listen-ports.md +++ b/docs/content/tutorials/custom-listen-ports.md @@ -88,7 +88,7 @@ spec: spec: serviceAccountName: nginx-ingress containers: - - image: nginx/nginx-ingress:3.4.0 + - image: nginx/nginx-ingress:3.4.1 imagePullPolicy: IfNotPresent name: nginx-ingress ports: diff --git a/docs/content/tutorials/oidc-custom-configuration.md b/docs/content/tutorials/oidc-custom-configuration.md index c91fca0ea3..c00ad0badd 100644 --- a/docs/content/tutorials/oidc-custom-configuration.md +++ b/docs/content/tutorials/oidc-custom-configuration.md @@ -30,7 +30,7 @@ Run the below command to generate a ConfigMap with the contents of the `oidc.con **NOTE** The ConfigMap must be deployed in the same `namespace` as the F5 NGINX Ingress Controller. ```console -kubectl create configmap oidc-config-map --from-literal=oidc.conf="$(curl -k https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/internal/configs/oidc/oidc.conf)" +kubectl create configmap oidc-config-map --from-literal=oidc.conf="$(curl -k https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/internal/configs/oidc/oidc.conf)" ``` Use the `kubectl describe` command to confirm the contents of the ConfigMap are correct. diff --git a/docs/content/usage-reporting.md b/docs/content/usage-reporting.md index 8a4f48e56b..4b2a46d1c2 100644 --- a/docs/content/usage-reporting.md +++ b/docs/content/usage-reporting.md @@ -87,7 +87,7 @@ To make the credential available to Usage Reporting, we need to create a Kuberne If you need to update the basic-auth credentials for NGINX Management Suite in the future, update the `username` and `password` fields, and apply the changes by running the command again. Usage Reporting will automatically detect the changes, using the new username and password without redeployment. -5. Download and save the deployment file [cluster-connector.yaml](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.0/examples/shared-examples/usage-reporting/cluster-connector.yaml). Edit the following under the `args` section and then save the file: +5. Download and save the deployment file [cluster-connector.yaml](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/examples/shared-examples/usage-reporting/cluster-connector.yaml). Edit the following under the `args` section and then save the file: ```yaml args: From 399012909861705e793f827b13371194c87887a9 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Tue, 16 Jan 2024 14:46:02 +0000 Subject: [PATCH 08/22] GCR AWS plus publish fix (#4934) remove GCP marketplace from release process --- .github/workflows/build-plus.yml | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 56cf2a512d..3c7124ebe5 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml @@ -80,13 +80,13 @@ jobs: service_account: ${{ secrets.GCR_SERVICE_ACCOUNT_MKTPL }} if: github.ref_type == 'tag' && ! contains(inputs.target, 'aws') - - name: Login to GCR for Marketplace - uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 - with: - registry: gcr.io - username: oauth2accesstoken - password: ${{ steps.auth-mktpl.outputs.access_token }} - if: github.ref_type == 'tag' && ! contains(inputs.target, 'aws') + # - name: Login to GCR for Marketplace + # uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + # with: + # registry: gcr.io + # username: oauth2accesstoken + # password: ${{ steps.auth-mktpl.outputs.access_token }} + # if: github.ref_type == 'tag' && ! contains(inputs.target, 'aws') - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 @@ -124,7 +124,6 @@ jobs: with: images: | name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}/nginx-plus-ingress - name=gcr.io/f5-7626-networks-public/nginxinc/nginx-plus-ingress${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }},enable=${{ github.ref_type == 'tag' && ! contains(inputs.target, 'aws') && ! contains(inputs.image, 'alpine') && ! contains(inputs.image, 'ubi') }} name=docker-mgmt.nginx.com/nginx-ic${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}/nginx-plus-ingress,enable=${{ github.ref_type != 'pull_request' && ! startsWith(github.ref, 'refs/heads/release-') && ! contains(inputs.target, 'aws') }} name=709825985650.dkr.ecr.us-east-1.amazonaws.com/nginx/nginx-plus-ingress${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }},enable=${{ github.ref_type == 'tag' && contains(inputs.target, 'aws') }} flavor: | @@ -136,7 +135,6 @@ jobs: type=ref,event=branch,enable=${{ startsWith(github.ref, 'refs/heads/release-') }} type=schedule type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} labels: | org.opencontainers.image.description=NGINX Plus Ingress Controller for Kubernetes org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller From 63ac31a81f03ee4796d7c7c1d8bc2e93a43c414b Mon Sep 17 00:00:00 2001 From: nginx-bot <68849795+nginx-bot@users.noreply.github.com> Date: Tue, 16 Jan 2024 08:00:25 -0800 Subject: [PATCH 09/22] Release 3.4.2 (#4935) * Release 3.4.2 --- README.md | 4 +- charts/nginx-ingress/Chart.yaml | 8 ++-- charts/nginx-ingress/README.md | 14 +++---- charts/nginx-ingress/values-icp.yaml | 2 +- charts/nginx-ingress/values-plus.yaml | 2 +- charts/nginx-ingress/values.schema.json | 10 ++--- charts/nginx-ingress/values.yaml | 2 +- deployments/daemon-set/nginx-ingress.yaml | 4 +- .../daemon-set/nginx-plus-ingress.yaml | 4 +- deployments/deployment/nginx-ingress.yaml | 4 +- .../deployment/nginx-plus-ingress.yaml | 4 +- .../configuration/configuration-examples.md | 4 +- .../configmap-resource.md | 16 ++++---- .../global-configuration/custom-templates.md | 2 +- .../handling-host-and-listener-collisions.md | 2 +- ...advanced-configuration-with-annotations.md | 40 +++++++++---------- .../ingress-resources/basic-configuration.md | 2 +- .../cross-namespace-configuration.md | 4 +- .../ingress-resources/custom-annotations.md | 4 +- docs/content/configuration/policy-resource.md | 4 +- docs/content/configuration/security.md | 6 +-- .../configuration/transportserver-resource.md | 2 +- ...server-and-virtualserverroute-resources.md | 6 +-- .../building-nginx-ingress-controller.md | 4 +- .../installing-nic/installation-with-helm.md | 14 +++---- .../installation-with-manifests.md | 14 +++---- .../installation-with-operator.md | 2 +- .../app-protect-dos/configuration.md | 2 +- .../app-protect-dos/installation.md | 6 +-- .../app-protect-waf/configuration.md | 22 +++++----- .../app-protect-waf/installation.md | 4 +- .../pulling-ingress-controller-image.md | 18 ++++----- .../using-the-jwt-token-docker-secret.md | 20 +++++----- .../content/overview/controller-comparison.md | 4 +- docs/content/overview/nginx-plus.md | 6 +-- docs/content/releases.md | 25 ++++++++++++ docs/content/technical-specifications.md | 28 ++++++------- .../troubleshooting/troubleshoot-common.md | 2 +- docs/content/tutorials/custom-listen-ports.md | 2 +- .../tutorials/oidc-custom-configuration.md | 2 +- docs/content/usage-reporting.md | 2 +- 41 files changed, 176 insertions(+), 151 deletions(-) diff --git a/README.md b/README.md index dd252a1a43..2b61ce7d80 100644 --- a/README.md +++ b/README.md @@ -98,7 +98,7 @@ In the case of NGINX, the Ingress Controller is deployed in a pod along with the We publish NGINX Ingress Controller releases on GitHub. See our [releases page](https://github.com/nginxinc/kubernetes-ingress/releases). -The latest stable release is [3.4.1](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.4.1). For production +The latest stable release is [3.4.2](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.4.2). For production use, we recommend that you choose the latest stable release. The edge version is useful for experimenting with new features that are not yet published in a stable release. To use @@ -118,7 +118,7 @@ your links to the correct versions: | Version | Description | Image for NGINX | Image for NGINX Plus | Installation Manifests and Helm Chart | Documentation and Examples | | ------- | ----------- | --------------- | -------------------- | ---------------------------------------| -------------------------- | -| Latest stable release | For production use | Use the 3.4.1 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.4.1 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/charts/nginx-ingress). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). | +| Latest stable release | For production use | Use the 3.4.2 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.4.2 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/charts/nginx-ingress). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). | | Edge/Nightly | For testing and experimenting | Use the edge or nightly images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/main/charts/nginx-ingress). | [Documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content). [Examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). | ## SBOM (Software Bill of Materials) diff --git a/charts/nginx-ingress/Chart.yaml b/charts/nginx-ingress/Chart.yaml index 9e4d7cb181..1d3980cff2 100644 --- a/charts/nginx-ingress/Chart.yaml +++ b/charts/nginx-ingress/Chart.yaml @@ -1,14 +1,14 @@ apiVersion: v2 name: nginx-ingress -version: 1.1.1 -appVersion: 3.4.1 +version: 1.1.2 +appVersion: 3.4.2 kubeVersion: ">= 1.22.0-0" type: application description: NGINX Ingress Controller -icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/charts/nginx-ingress/chart-icon.png +icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/charts/nginx-ingress/chart-icon.png home: https://github.com/nginxinc/kubernetes-ingress sources: - - https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/charts/nginx-ingress + - https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/charts/nginx-ingress keywords: - ingress - nginx diff --git a/charts/nginx-ingress/README.md b/charts/nginx-ingress/README.md index f7abbd1215..f4ecf5d29c 100644 --- a/charts/nginx-ingress/README.md +++ b/charts/nginx-ingress/README.md @@ -79,14 +79,14 @@ To install the chart with the release name my-release (my-release is the name th For NGINX: ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.1 +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 ``` For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`) ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.1 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true ``` This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to @@ -101,7 +101,7 @@ CRDs](#upgrading-the-crds). To upgrade the release `my-release`: ```console -helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.1 +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 ``` ### Uninstalling the Chart @@ -142,7 +142,7 @@ upgrading/deleting the CRDs. 1. Pull the chart sources: ```console - helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.1 + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.2 ``` 2. Change your working directory to nginx-ingress: @@ -228,7 +228,7 @@ The steps you should follow depend on the Helm release name: Selector: app=nginx-ingress-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.4.1` +2. Checkout the latest available tag using `git checkout v3.4.2` 3. Navigate to `/kubernates-ingress/charts/nginx-ingress` @@ -280,7 +280,7 @@ reviewing its events: Selector: app=-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.4.1` +2. Checkout the latest available tag using `git checkout v3.4.2` 3. Navigate to `/kubernates-ingress/charts/nginx-ingress` @@ -347,7 +347,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.logLevel` | The log level of the Ingress Controller. | 1 | |`controller.image.digest` | The image digest of the Ingress Controller. | None | |`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress | -|`controller.image.tag` | The tag of the Ingress Controller image. | 3.4.1 | +|`controller.image.tag` | The tag of the Ingress Controller image. | 3.4.2 | |`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent | |`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} | |`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | diff --git a/charts/nginx-ingress/values-icp.yaml b/charts/nginx-ingress/values-icp.yaml index 0d7c476a7f..2c2d1f2663 100644 --- a/charts/nginx-ingress/values-icp.yaml +++ b/charts/nginx-ingress/values-icp.yaml @@ -4,7 +4,7 @@ controller: nginxplus: true image: repository: mycluster.icp:8500/kube-system/nginx-plus-ingress - tag: "3.4.1" + tag: "3.4.2" nodeSelector: beta.kubernetes.io/arch: "amd64" proxy: true diff --git a/charts/nginx-ingress/values-plus.yaml b/charts/nginx-ingress/values-plus.yaml index 9bcd49061b..d30f65751b 100644 --- a/charts/nginx-ingress/values-plus.yaml +++ b/charts/nginx-ingress/values-plus.yaml @@ -3,4 +3,4 @@ controller: nginxplus: true image: repository: nginx-plus-ingress - tag: "3.4.1" + tag: "3.4.2" diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json index 6f9408f684..ce40e1983e 100644 --- a/charts/nginx-ingress/values.schema.json +++ b/charts/nginx-ingress/values.schema.json @@ -305,10 +305,10 @@ }, "tag": { "type": "string", - "default": "3.4.1", + "default": "3.4.2", "title": "The tag of the Ingress Controller image", "examples": [ - "3.4.1" + "3.4.2" ] }, "digest": { @@ -345,7 +345,7 @@ "examples": [ { "repository": "nginx/nginx-ingress", - "tag": "3.4.1", + "tag": "3.4.2", "pullPolicy": "IfNotPresent" } ] @@ -1393,7 +1393,7 @@ "customPorts": [], "image": { "repository": "nginx/nginx-ingress", - "tag": "3.4.1", + "tag": "3.4.2", "digest": "", "pullPolicy": "IfNotPresent" }, @@ -1765,7 +1765,7 @@ "customPorts": [], "image": { "repository": "nginx/nginx-ingress", - "tag": "3.4.1", + "tag": "3.4.2", "digest": "", "pullPolicy": "IfNotPresent" }, diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml index a9d0944822..f0e2c9b2e2 100644 --- a/charts/nginx-ingress/values.yaml +++ b/charts/nginx-ingress/values.yaml @@ -78,7 +78,7 @@ controller: repository: nginx/nginx-ingress ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. - # tag: "3.4.1" + # tag: "3.4.2" ## The digest of the Ingress Controller image. ## If digest is specified it has precedence over tag and will be used instead diff --git a/deployments/daemon-set/nginx-ingress.yaml b/deployments/daemon-set/nginx-ingress.yaml index fbf7b71337..fc9fc6949c 100644 --- a/deployments/daemon-set/nginx-ingress.yaml +++ b/deployments/daemon-set/nginx-ingress.yaml @@ -32,7 +32,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx/nginx-ingress:3.4.1 + - image: nginx/nginx-ingress:3.4.2 imagePullPolicy: IfNotPresent name: nginx-ingress ports: @@ -96,7 +96,7 @@ spec: #- -enable-prometheus-metrics #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.4.1 +# - image: nginx/nginx-ingress:3.4.2 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/deployments/daemon-set/nginx-plus-ingress.yaml b/deployments/daemon-set/nginx-plus-ingress.yaml index 5961c17716..f5dbd4170a 100644 --- a/deployments/daemon-set/nginx-plus-ingress.yaml +++ b/deployments/daemon-set/nginx-plus-ingress.yaml @@ -32,7 +32,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx-plus-ingress:3.4.1 + - image: nginx-plus-ingress:3.4.2 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ports: @@ -99,7 +99,7 @@ spec: #- -enable-prometheus-metrics #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.4.1 +# - image: nginx/nginx-ingress:3.4.2 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/deployments/deployment/nginx-ingress.yaml b/deployments/deployment/nginx-ingress.yaml index 89a90d9902..c8fcf20c28 100644 --- a/deployments/deployment/nginx-ingress.yaml +++ b/deployments/deployment/nginx-ingress.yaml @@ -33,7 +33,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx/nginx-ingress:3.4.1 + - image: nginx/nginx-ingress:3.4.2 imagePullPolicy: IfNotPresent name: nginx-ingress ports: @@ -97,7 +97,7 @@ spec: #- -enable-prometheus-metrics #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.4.1 +# - image: nginx/nginx-ingress:3.4.2 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/deployments/deployment/nginx-plus-ingress.yaml index 2f6e652118..8a7d03ff56 100644 --- a/deployments/deployment/nginx-plus-ingress.yaml +++ b/deployments/deployment/nginx-plus-ingress.yaml @@ -33,7 +33,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx-plus-ingress:3.4.1 + - image: nginx-plus-ingress:3.4.2 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ports: @@ -103,7 +103,7 @@ spec: #- -enable-service-insight #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.4.1 +# - image: nginx/nginx-ingress:3.4.2 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/docs/content/configuration/configuration-examples.md b/docs/content/configuration/configuration-examples.md index 96acf4bc3b..90e7e9144d 100644 --- a/docs/content/configuration/configuration-examples.md +++ b/docs/content/configuration/configuration-examples.md @@ -11,5 +11,5 @@ docs: "DOCS-584" Our [GitHub repo](https://github.com/nginxinc/kubernetes-ingress) includes a number of configuration examples: -- [*Examples of Custom Resources*](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources) show how to advanced NGINX features by using VirtualServer, VirtualServerRoute, TransportServer and Policy Custom Resources. -- [*Examples of Ingress Resources*](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources) show how to use advanced NGINX features in Ingress resources with annotations. +- [*Examples of Custom Resources*](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources) show how to advanced NGINX features by using VirtualServer, VirtualServerRoute, TransportServer and Policy Custom Resources. +- [*Examples of Ingress Resources*](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources) show how to use advanced NGINX features in Ingress resources with annotations. diff --git a/docs/content/configuration/global-configuration/configmap-resource.md b/docs/content/configuration/global-configuration/configmap-resource.md index abdf70dd79..6fc492f2f5 100644 --- a/docs/content/configuration/global-configuration/configmap-resource.md +++ b/docs/content/configuration/global-configuration/configmap-resource.md @@ -91,10 +91,10 @@ See the doc about [VirtualServer and VirtualServerRoute resources](/nginx-ingres |``server-names-hash-max-size`` | Sets the value of the [server_names_hash_max_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size) directive. | ``1024`` | | |``map-hash-bucket-size`` | Sets the value of the [map_hash_bucket_size](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size) directive.| ``256`` | | |``map-hash-max-size`` | Sets the value of the [map_hash_max_size](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_max_size) directive. | ``2048`` | | -|``resolver-addresses`` | Sets the value of the [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) addresses. Note: If you use a DNS name (for example, ``kube-dns.kube-system.svc.cluster.local`` ) as a resolver address, NGINX Plus will resolve it using the system resolver during the start and on every configuration reload. If the name cannot be resolved or the DNS server doesn't respond, NGINX Plus will fail to start or reload. To avoid this, we recommend using IP addresses as resolver addresses instead of DNS names. Supported in NGINX Plus only. | N/A | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/externalname-services). | -|``resolver-ipv6`` | Enables IPv6 resolution in the resolver. Supported in NGINX Plus only. | ``True`` | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/externalname-services). | -|``resolver-valid`` | Sets the time NGINX caches the resolved DNS records. Supported in NGINX Plus only. | TTL value of a DNS record | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/externalname-services). | -|``resolver-timeout`` | Sets the [resolver_timeout](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver_timeout) for name resolution. Supported in NGINX Plus only. | ``30s`` | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/externalname-services). | +|``resolver-addresses`` | Sets the value of the [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) addresses. Note: If you use a DNS name (for example, ``kube-dns.kube-system.svc.cluster.local`` ) as a resolver address, NGINX Plus will resolve it using the system resolver during the start and on every configuration reload. If the name cannot be resolved or the DNS server doesn't respond, NGINX Plus will fail to start or reload. To avoid this, we recommend using IP addresses as resolver addresses instead of DNS names. Supported in NGINX Plus only. | N/A | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/externalname-services). | +|``resolver-ipv6`` | Enables IPv6 resolution in the resolver. Supported in NGINX Plus only. | ``True`` | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/externalname-services). | +|``resolver-valid`` | Sets the time NGINX caches the resolved DNS records. Supported in NGINX Plus only. | TTL value of a DNS record | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/externalname-services). | +|``resolver-timeout`` | Sets the [resolver_timeout](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver_timeout) for name resolution. Supported in NGINX Plus only. | ``30s`` | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/externalname-services). | |``keepalive-timeout`` | Sets the value of the [keepalive_timeout](https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) directive. | ``65s`` | | |``keepalive-requests`` | Sets the value of the [keepalive_requests](https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests) directive. | ``100`` | | |``variables-hash-bucket-size`` | Sets the value of the [variables_hash_bucket_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#variables_hash_bucket_size) directive. | ``256`` | | @@ -109,9 +109,9 @@ See the doc about [VirtualServer and VirtualServerRoute resources](/nginx-ingres |``error-log-level`` | Sets the global [error log level](https://nginx.org/en/docs/ngx_core_module.html#error_log) for NGINX. | ``notice`` | | |``access-log-off`` | Disables the [access log](https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log). | ``False`` | | |``default-server-access-log-off`` | Disables the [access log](https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log) for the default server. If access log is disabled globally (``access-log-off: "True"``), then the default server access log is always disabled. | ``False`` | | -|``log-format`` | Sets the custom [log format](https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format) for HTTP and HTTPS traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by ``\n``). In that case, the Ingress Controller will replace every ``\n`` character with a space character. All ``'`` characters must be escaped. | See the [template file](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/internal/configs/version1/nginx.tmpl) for the access log. | [Custom Log Format](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/shared-examples/custom-log-format). | +|``log-format`` | Sets the custom [log format](https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format) for HTTP and HTTPS traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by ``\n``). In that case, the Ingress Controller will replace every ``\n`` character with a space character. All ``'`` characters must be escaped. | See the [template file](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/internal/configs/version1/nginx.tmpl) for the access log. | [Custom Log Format](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/shared-examples/custom-log-format). | |``log-format-escaping`` | Sets the characters escaping for the variables of the log format. Supported values: ``json`` (JSON escaping), ``default`` (the default escaping) ``none`` (disables escaping). | ``default`` | | -|``stream-log-format`` | Sets the custom [log format](https://nginx.org/en/docs/stream/ngx_stream_log_module.html#log_format) for TCP, UDP, and TLS Passthrough traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by ``\n``). In that case, the Ingress Controller will replace every ``\n`` character with a space character. All ``'`` characters must be escaped. | See the [template file](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/internal/configs/version1/nginx.tmpl). | | +|``stream-log-format`` | Sets the custom [log format](https://nginx.org/en/docs/stream/ngx_stream_log_module.html#log_format) for TCP, UDP, and TLS Passthrough traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by ``\n``). In that case, the Ingress Controller will replace every ``\n`` character with a space character. All ``'`` characters must be escaped. | See the [template file](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/internal/configs/version1/nginx.tmpl). | | |``stream-log-format-escaping`` | Sets the characters escaping for the variables of the stream log format. Supported values: ``json`` (JSON escaping), ``default`` (the default escaping) ``none`` (disables escaping). | ``default`` | | {{% /table %}} @@ -147,7 +147,7 @@ See the doc about [VirtualServer and VirtualServerRoute resources](/nginx-ingres |ConfigMap Key | Description | Default | Example | | ---| ---| ---| --- | |``http2`` | Enables HTTP/2 in servers with SSL enabled. | ``False`` | | -|``proxy-protocol`` | Enables PROXY Protocol for incoming connections. | ``False`` | [Proxy Protocol](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/shared-examples/proxy-protocol). | +|``proxy-protocol`` | Enables PROXY Protocol for incoming connections. | ``False`` | [Proxy Protocol](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/shared-examples/proxy-protocol). | {{% /table %}} ### Backend Services (Upstreams) @@ -171,7 +171,7 @@ See the doc about [VirtualServer and VirtualServerRoute resources](/nginx-ingres |``http-snippets`` | Sets a custom snippet in http context. | N/A | | |``location-snippets`` | Sets a custom snippet in location context. | N/A | | |``server-snippets`` | Sets a custom snippet in server context. | N/A | | -|``stream-snippets`` | Sets a custom snippet in stream context. | N/A | [Support for TCP/UDP Load Balancing](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/tcp-udp). | +|``stream-snippets`` | Sets a custom snippet in stream context. | N/A | [Support for TCP/UDP Load Balancing](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/tcp-udp). | |``main-template`` | Sets the main NGINX configuration template. | By default the template is read from the file in the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). | |``ingress-template`` | Sets the NGINX configuration template for an Ingress resource. | By default the template is read from the file on the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). | |``virtualserver-template`` | Sets the NGINX configuration template for an VirtualServer resource. | By default the template is read from the file on the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). | diff --git a/docs/content/configuration/global-configuration/custom-templates.md b/docs/content/configuration/global-configuration/custom-templates.md index efc2b1da80..6237504f9f 100644 --- a/docs/content/configuration/global-configuration/custom-templates.md +++ b/docs/content/configuration/global-configuration/custom-templates.md @@ -9,4 +9,4 @@ docs: "DOCS-587" --- -The Ingress Controller uses templates to generate NGINX configuration for Ingress resources, VirtualServer resources and the main NGINX configuration file. You can customize the templates and apply them via the ConfigMap. See the [corresponding example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/shared-examples/custom-templates). +The Ingress Controller uses templates to generate NGINX configuration for Ingress resources, VirtualServer resources and the main NGINX configuration file. You can customize the templates and apply them via the ConfigMap. See the [corresponding example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/shared-examples/custom-templates). diff --git a/docs/content/configuration/handling-host-and-listener-collisions.md b/docs/content/configuration/handling-host-and-listener-collisions.md index 43c9a33ef9..69c469575c 100644 --- a/docs/content/configuration/handling-host-and-listener-collisions.md +++ b/docs/content/configuration/handling-host-and-listener-collisions.md @@ -87,7 +87,7 @@ Similarly, if `cafe-ingress` was created first, it will win `cafe.example.com` a It is possible to merge configuration for multiple Ingress resources for the same host. One common use case for this approach is distributing resources across multiple namespaces. See the [Cross-namespace Configuration](/nginx-ingress-controller/configuration/ingress-resources/cross-namespace-configuration/) doc for more information. -It is *not* possible to merge the configurations for multiple VirtualServer resources for the same host. However, you can split the VirtualServers into multiple VirtualServerRoute resources, which a single VirtualServer can then reference. See the [corresponding example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/cross-namespace-configuration) on GitHub. +It is *not* possible to merge the configurations for multiple VirtualServer resources for the same host. However, you can split the VirtualServers into multiple VirtualServerRoute resources, which a single VirtualServer can then reference. See the [corresponding example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/cross-namespace-configuration) on GitHub. It is *not* possible to merge configuration for multiple TransportServer resources. diff --git a/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md b/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md index f96b2b59d6..8888cfb1f4 100644 --- a/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md +++ b/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md @@ -112,7 +112,7 @@ The table below summarizes the available annotations. |``nginx.org/proxy-buffer-size`` | ``proxy-buffer-size`` | Sets the value of the [proxy_buffer_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) and [grpc_buffer_size](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size) directives. | Depends on the platform. | | |``nginx.org/proxy-max-temp-file-size`` | ``proxy-max-temp-file-size`` | Sets the value of the [proxy_max_temp_file_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_max_temp_file_size) directive. | ``1024m`` | | |``nginx.org/server-tokens`` | ``server-tokens`` | Enables or disables the [server_tokens](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens) directive. Additionally, with the NGINX Plus, you can specify a custom string value, including the empty string value, which disables the emission of the “Server” field. | ``True`` | | -|``nginx.org/path-regex`` | N/A | Enables regular expression modifiers for Ingress path parameter. This translates to the NGINX [location](https://nginx.org/en/docs/http/ngx_http_core_module.html#location) directive. You can specify one of these values: "case_sensitive", "case_insensitive", or "exact". The annotation is applied to the entire Ingress resource and its paths. While using Master and Minion Ingresses i.e. Mergeable Ingresses, this annotation can be specified on Minion types. The `path-regex` annotation specified on Master is ignored, and has no effect on paths defined on Minions. | N/A | [Path Regex](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/path-regex). | +|``nginx.org/path-regex`` | N/A | Enables regular expression modifiers for Ingress path parameter. This translates to the NGINX [location](https://nginx.org/en/docs/http/ngx_http_core_module.html#location) directive. You can specify one of these values: "case_sensitive", "case_insensitive", or "exact". The annotation is applied to the entire Ingress resource and its paths. While using Master and Minion Ingresses i.e. Mergeable Ingresses, this annotation can be specified on Minion types. The `path-regex` annotation specified on Master is ignored, and has no effect on paths defined on Minions. | N/A | [Path Regex](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/path-regex). | {{% /table %}} ### Request URI/Header Manipulation @@ -122,7 +122,7 @@ The table below summarizes the available annotations. | ---| ---| ---| ---| --- | |``nginx.org/proxy-hide-headers`` | ``proxy-hide-headers`` | Sets the value of one or more [proxy_hide_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) directives. Example: ``"nginx.org/proxy-hide-headers": "header-a,header-b"`` | N/A | | |``nginx.org/proxy-pass-headers`` | ``proxy-pass-headers`` | Sets the value of one or more [proxy_pass_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header) directives. Example: ``"nginx.org/proxy-pass-headers": "header-a,header-b"`` | N/A | | -|``nginx.org/rewrites`` | N/A | Configures URI rewriting using [proxy_pass](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass) directive. | N/A | [Rewrites Support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/rewrites). | +|``nginx.org/rewrites`` | N/A | Configures URI rewriting using [proxy_pass](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass) directive. | N/A | [Rewrites Support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/rewrites). | {{% /table %}} ### Auth and SSL/TLS @@ -138,10 +138,10 @@ The table below summarizes the available annotations. |``nginx.org/hsts-behind-proxy`` | ``hsts-behind-proxy`` | Enables HSTS based on the value of the ``http_x_forwarded_proto`` request header. Should only be used when TLS termination is configured in a load balancer (proxy) in front of the Ingress Controller. Note: to control redirection from HTTP to HTTPS configure the ``nginx.org/redirect-to-https`` annotation. | ``False`` | | |``nginx.org/basic-auth-secret`` | N/A | Specifies a Secret resource with a user list for HTTP Basic authentication. | N/A | | |``nginx.org/basic-auth-realm`` | N/A | Specifies a realm. | N/A | | -|``nginx.com/jwt-key`` | N/A | Specifies a Secret resource with keys for validating JSON Web Tokens (JWTs). | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/jwt). | -|``nginx.com/jwt-realm`` | N/A | Specifies a realm. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/jwt). | -|``nginx.com/jwt-token`` | N/A | Specifies a variable that contains a JSON Web Token. | By default, a JWT is expected in the ``Authorization`` header as a Bearer Token. | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/jwt). | -|``nginx.com/jwt-login-url`` | N/A | Specifies a URL to which a client is redirected in case of an invalid or missing JWT. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/jwt). | +|``nginx.com/jwt-key`` | N/A | Specifies a Secret resource with keys for validating JSON Web Tokens (JWTs). | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/jwt). | +|``nginx.com/jwt-realm`` | N/A | Specifies a realm. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/jwt). | +|``nginx.com/jwt-token`` | N/A | Specifies a variable that contains a JSON Web Token. | By default, a JWT is expected in the ``Authorization`` header as a Bearer Token. | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/jwt). | +|``nginx.com/jwt-login-url`` | N/A | Specifies a URL to which a client is redirected in case of an invalid or missing JWT. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/jwt). | {{% /table %}} ### Listeners @@ -159,19 +159,19 @@ The table below summarizes the available annotations. |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | |``nginx.org/lb-method`` | ``lb-method`` | Sets the [load balancing method](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#choosing-a-load-balancing-method). To use the round-robin method, specify ``"round_robin"``. | ``"random two least_conn"`` | | -|``nginx.org/ssl-services`` | N/A | Enables HTTPS or gRPC over SSL when connecting to the endpoints of services. | N/A | [SSL Services Support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/ssl-services). | -|``nginx.org/grpc-services`` | N/A | Enables gRPC for services. Note: requires HTTP/2 (see ``http2`` ConfigMap key); only works for Ingresses with TLS termination enabled. | N/A | [GRPC Services Support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/grpc-services). | -|``nginx.org/websocket-services`` | N/A | Enables WebSocket for services. | N/A | [WebSocket support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/websocket). | +|``nginx.org/ssl-services`` | N/A | Enables HTTPS or gRPC over SSL when connecting to the endpoints of services. | N/A | [SSL Services Support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/ssl-services). | +|``nginx.org/grpc-services`` | N/A | Enables gRPC for services. Note: requires HTTP/2 (see ``http2`` ConfigMap key); only works for Ingresses with TLS termination enabled. | N/A | [GRPC Services Support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/grpc-services). | +|``nginx.org/websocket-services`` | N/A | Enables WebSocket for services. | N/A | [WebSocket support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/websocket). | |``nginx.org/max-fails`` | ``max-fails`` | Sets the value of the [max_fails](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_fails) parameter of the ``server`` directive. | ``1`` | | |``nginx.org/max-conns`` | N\A | Sets the value of the [max_conns](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_conns) parameter of the ``server`` directive. | ``0`` | | |``nginx.org/upstream-zone-size`` | ``upstream-zone-size`` | Sets the size of the shared memory [zone](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#zone) for upstreams. For NGINX, the special value 0 disables the shared memory zones. For NGINX Plus, shared memory zones are required and cannot be disabled. The special value 0 will be ignored. | ``256K`` | | |``nginx.org/fail-timeout`` | ``fail-timeout`` | Sets the value of the [fail_timeout](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#fail_timeout) parameter of the ``server`` directive. | ``10s`` | | -|``nginx.com/sticky-cookie-services`` | N/A | Configures session persistence. | N/A | [Session Persistence](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/session-persistence). | +|``nginx.com/sticky-cookie-services`` | N/A | Configures session persistence. | N/A | [Session Persistence](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/session-persistence). | |``nginx.org/keepalive`` | ``keepalive`` | Sets the value of the [keepalive](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive) directive. Note that ``proxy_set_header Connection "";`` is added to the generated configuration when the value > 0. | ``0`` | | -|``nginx.com/health-checks`` | N/A | Enables active health checks. | ``False`` | [Support for Active Health Checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/health-checks). | -|``nginx.com/health-checks-mandatory`` | N/A | Configures active health checks as mandatory. | ``False`` | [Support for Active Health Checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/health-checks). | -|``nginx.com/health-checks-mandatory-queue`` | N/A | When active health checks are mandatory, creates a queue where incoming requests are temporarily stored while NGINX Plus is checking the health of the endpoints after a configuration reload. | ``0`` | [Support for Active Health Checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/health-checks). | -|``nginx.com/slow-start`` | N/A | Sets the upstream server [slow-start period](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#server-slow-start). By default, slow-start is activated after a server becomes [available](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks) or [healthy](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#active-health-checks). To enable slow-start for newly-added servers, configure [mandatory active health checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/health-checks). | ``"0s"`` | | +|``nginx.com/health-checks`` | N/A | Enables active health checks. | ``False`` | [Support for Active Health Checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/health-checks). | +|``nginx.com/health-checks-mandatory`` | N/A | Configures active health checks as mandatory. | ``False`` | [Support for Active Health Checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/health-checks). | +|``nginx.com/health-checks-mandatory-queue`` | N/A | When active health checks are mandatory, creates a queue where incoming requests are temporarily stored while NGINX Plus is checking the health of the endpoints after a configuration reload. | ``0`` | [Support for Active Health Checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/health-checks). | +|``nginx.com/slow-start`` | N/A | Sets the upstream server [slow-start period](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#server-slow-start). By default, slow-start is activated after a server becomes [available](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks) or [healthy](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#active-health-checks). To enable slow-start for newly-added servers, configure [mandatory active health checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/health-checks). | ``"0s"`` | | {{% /table %}} ### Snippets and Custom Templates @@ -190,11 +190,11 @@ The table below summarizes the available annotations. {{% table %}} |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | -|``appprotect.f5.com/app-protect-policy`` | N/A | The name of the App Protect Policy for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace of the Ingress Resource is used. If not specified but ``appprotect.f5.com/app-protect-enable`` is true, a default policy id applied. If the referenced policy resource does not exist, or policy is invalid, this annotation will be ignored, and the default policy will be applied. | N/A | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/app-protect-waf). | -|``appprotect.f5.com/app-protect-enable`` | N/A | Enable App Protect for the Ingress Resource. | ``False`` | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/app-protect-waf). | -|``appprotect.f5.com/app-protect-security-log-enable`` | N/A | Enable the [security log](/nginx-app-protect/troubleshooting/#app-protect-logging-overview) for App Protect. | ``False`` | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/app-protect-waf). | -|``appprotect.f5.com/app-protect-security-log`` | N/A | The App Protect log configuration for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace as the Ingress Resource is used. If not specified the default is used which is: filter: ``illegal``, format: ``default``. Multiple configurations can be specified in a comma separated list. Both log configurations and destinations list (see below) must be of equal length. Configs and destinations are paired by the list indices. | N/A | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/app-protect-waf). | -|``appprotect.f5.com/app-protect-security-log-destination`` | N/A | The destination of the security log. For more information check the [DESTINATION argument](/nginx-app-protect/troubleshooting/#app-protect-logging-overview). Multiple destinations can be specified in a comma-separated list. Both log configurations and destinations list (see above) must be of equal length. Configs and destinations are paired by the list indices. | ``syslog:server=localhost:514`` | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/app-protect-waf). | +|``appprotect.f5.com/app-protect-policy`` | N/A | The name of the App Protect Policy for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace of the Ingress Resource is used. If not specified but ``appprotect.f5.com/app-protect-enable`` is true, a default policy id applied. If the referenced policy resource does not exist, or policy is invalid, this annotation will be ignored, and the default policy will be applied. | N/A | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/app-protect-waf). | +|``appprotect.f5.com/app-protect-enable`` | N/A | Enable App Protect for the Ingress Resource. | ``False`` | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/app-protect-waf). | +|``appprotect.f5.com/app-protect-security-log-enable`` | N/A | Enable the [security log](/nginx-app-protect/troubleshooting/#app-protect-logging-overview) for App Protect. | ``False`` | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/app-protect-waf). | +|``appprotect.f5.com/app-protect-security-log`` | N/A | The App Protect log configuration for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace as the Ingress Resource is used. If not specified the default is used which is: filter: ``illegal``, format: ``default``. Multiple configurations can be specified in a comma separated list. Both log configurations and destinations list (see below) must be of equal length. Configs and destinations are paired by the list indices. | N/A | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/app-protect-waf). | +|``appprotect.f5.com/app-protect-security-log-destination`` | N/A | The destination of the security log. For more information check the [DESTINATION argument](/nginx-app-protect/troubleshooting/#app-protect-logging-overview). Multiple destinations can be specified in a comma-separated list. Both log configurations and destinations list (see above) must be of equal length. Configs and destinations are paired by the list indices. | ``syslog:server=localhost:514`` | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/app-protect-waf). | {{% /table %}} ### App Protect DoS @@ -204,5 +204,5 @@ The table below summarizes the available annotations. {{% table %}} |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | -|``appprotectdos.f5.com/app-protect-dos-resource`` | N/A | Enable App Protect DoS for the Ingress Resource by specifying a [DosProtectedResource](/nginx-ingress-controller/app-protect-dos/dos-protected/). | N/A | [Example for App Protect DoS](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/app-protect-dos). | +|``appprotectdos.f5.com/app-protect-dos-resource`` | N/A | Enable App Protect DoS for the Ingress Resource by specifying a [DosProtectedResource](/nginx-ingress-controller/app-protect-dos/dos-protected/). | N/A | [Example for App Protect DoS](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/app-protect-dos). | {{% /table %}} diff --git a/docs/content/configuration/ingress-resources/basic-configuration.md b/docs/content/configuration/ingress-resources/basic-configuration.md index 86ce2064ae..5e9b492f9f 100644 --- a/docs/content/configuration/ingress-resources/basic-configuration.md +++ b/docs/content/configuration/ingress-resources/basic-configuration.md @@ -53,7 +53,7 @@ Here is a breakdown of what this Ingress resource definition means: - The rule with the path `/coffee` instructs NGINX to distribute the requests with the `/coffee` URI among the pods of the *coffee* service, which is deployed with the name `coffee‑svc` in the cluster. - Both rules instruct NGINX to distribute the requests to `port 80` of the corresponding service (the `servicePort` field). -> For complete instructions on deploying the Ingress and Secret resources in the cluster, see the [complete example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/complete-example) in our GitHub repository. +> For complete instructions on deploying the Ingress and Secret resources in the cluster, see the [complete example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/complete-example) in our GitHub repository. > To learn more about the Ingress resource, see the [Ingress resource documentation](https://kubernetes.io/docs/concepts/services-networking/ingress/) in the Kubernetes docs. diff --git a/docs/content/configuration/ingress-resources/cross-namespace-configuration.md b/docs/content/configuration/ingress-resources/cross-namespace-configuration.md index 9a7ac9e1b1..5242d7d9f6 100644 --- a/docs/content/configuration/ingress-resources/cross-namespace-configuration.md +++ b/docs/content/configuration/ingress-resources/cross-namespace-configuration.md @@ -9,6 +9,6 @@ docs: "DOCS-594" --- -You can spread the Ingress configuration for a common host across multiple Ingress resources using Mergeable Ingress resources. Such resources can belong to the *same* or *different* namespaces. This enables easier management when using a large number of paths. See the [Mergeable Ingress Resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/mergeable-ingress-types) example in our GitHub repo. +You can spread the Ingress configuration for a common host across multiple Ingress resources using Mergeable Ingress resources. Such resources can belong to the *same* or *different* namespaces. This enables easier management when using a large number of paths. See the [Mergeable Ingress Resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/mergeable-ingress-types) example in our GitHub repo. -As an alternative to Mergeable Ingress resources, you can use [VirtualServer and VirtualServerRoute resources](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/) for cross-namespace configuration. See the [Cross-Namespace Configuration](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/cross-namespace-configuration) example in our GitHub repo. +As an alternative to Mergeable Ingress resources, you can use [VirtualServer and VirtualServerRoute resources](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/) for cross-namespace configuration. See the [Cross-Namespace Configuration](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/cross-namespace-configuration) example in our GitHub repo. diff --git a/docs/content/configuration/ingress-resources/custom-annotations.md b/docs/content/configuration/ingress-resources/custom-annotations.md index 2ae929c83a..8fbbbecbe3 100644 --- a/docs/content/configuration/ingress-resources/custom-annotations.md +++ b/docs/content/configuration/ingress-resources/custom-annotations.md @@ -23,7 +23,7 @@ Custom annotations allow you to add an annotation for an NGINX feature that is n ## Usage -The Ingress Controller generates NGINX configuration for Ingress resources by executing a configuration template. See [NGINX template](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/internal/configs/version1/nginx.ingress.tmpl) or [NGINX Plus template](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/internal/configs/version1/nginx-plus.ingress.tmpl). +The Ingress Controller generates NGINX configuration for Ingress resources by executing a configuration template. See [NGINX template](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/internal/configs/version1/nginx.ingress.tmpl) or [NGINX Plus template](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/internal/configs/version1/nginx-plus.ingress.tmpl). To support custom annotations, the template has access to the information about the Ingress resource - its *name*, *namespace* and *annotations*. It is possible to check if a particular annotation present in the Ingress resource and conditionally insert NGINX configuration directives at multiple NGINX contexts - `http`, `server`, `location` or `upstream`. Additionally, you can get the value that is set to the annotation. @@ -144,4 +144,4 @@ deny all; ## Example -See the [custom annotations example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/examples/ingress-resources/custom-annotations). +See the [custom annotations example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/examples/ingress-resources/custom-annotations). diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md index 6160697f95..8a49623ed5 100644 --- a/docs/content/configuration/policy-resource.md +++ b/docs/content/configuration/policy-resource.md @@ -12,7 +12,7 @@ The Policy resource allows you to configure features like access control and rat The resource is implemented as a [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). -This document is the reference documentation for the Policy resource. An example of a Policy for access control is available in our [GitHub repository](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/examples/custom-resources/access-control). +This document is the reference documentation for the Policy resource. An example of a Policy for access control is available in our [GitHub repository](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/examples/custom-resources/access-control). ## Prerequisites @@ -459,7 +459,7 @@ NGINX Plus will pass the ID of an authenticated user to the backend in the HTTP #### Prerequisites In order to use OIDC, you need to enable [zone synchronization](https://docs.nginx.com/nginx/admin-guide/high-availability/zone_sync/). If you don't set up zone synchronization, NGINX Plus will fail to reload. -You also need to configure a resolver, which NGINX Plus will use to resolve the IDP authorization endpoint. You can find an example configuration [in our GitHub repository](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/examples/custom-resources/oidc#step-7---configure-nginx-plus-zone-synchronization-and-resolver). +You also need to configure a resolver, which NGINX Plus will use to resolve the IDP authorization endpoint. You can find an example configuration [in our GitHub repository](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/examples/custom-resources/oidc#step-7---configure-nginx-plus-zone-synchronization-and-resolver). > **Note**: The configuration in the example doesn't enable TLS and the synchronization between the replica happens in clear text. This could lead to the exposure of tokens. diff --git a/docs/content/configuration/security.md b/docs/content/configuration/security.md index 222b4d4f46..6b01344d45 100644 --- a/docs/content/configuration/security.md +++ b/docs/content/configuration/security.md @@ -22,10 +22,10 @@ In addition, the following relating more specifically to Ingress Controller. The Ingress Controller is deployed within a Kubernetes environment, this environment must be secured. Kubernetes uses [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) to control the resources and operations available to different types of users. The Ingress Controller requires a service account which is configured using RBAC. -We strongly recommend using the [RBAC configuration](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/deployments/rbac/rbac.yaml) provided in our standard deployment configuration. It is configured with the least amount of privilege required for the Ingress Controller to work. +We strongly recommend using the [RBAC configuration](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/deployments/rbac/rbac.yaml) provided in our standard deployment configuration. It is configured with the least amount of privilege required for the Ingress Controller to work. -We strongly recommend inspecting the RBAC configuration for [Manifests](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/deployments/rbac/rbac.yaml) -or for [Helm](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/charts/nginx-ingress/templates/rbac.yaml) to understand what access the Ingress Controller service account has and to which resources. For example, by default the service account has access to all Secret resources in the cluster. +We strongly recommend inspecting the RBAC configuration for [Manifests](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/deployments/rbac/rbac.yaml) +or for [Helm](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/charts/nginx-ingress/templates/rbac.yaml) to understand what access the Ingress Controller service account has and to which resources. For example, by default the service account has access to all Secret resources in the cluster. ### Certificates and Privacy Keys diff --git a/docs/content/configuration/transportserver-resource.md b/docs/content/configuration/transportserver-resource.md index 8f9622dbd9..415a08e2da 100644 --- a/docs/content/configuration/transportserver-resource.md +++ b/docs/content/configuration/transportserver-resource.md @@ -10,7 +10,7 @@ docs: "DOCS-598" The TransportServer resource allows you to configure TCP, UDP, and TLS Passthrough load balancing. The resource is implemented as a [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). -This document is the reference documentation for the TransportServer resource. To see additional examples of using the resource for specific use cases, go to the [examples/custom-resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources) folder in our GitHub repo. +This document is the reference documentation for the TransportServer resource. To see additional examples of using the resource for specific use cases, go to the [examples/custom-resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources) folder in our GitHub repo. ## Prerequisites diff --git a/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md b/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md index f8c10937d6..1799b281fb 100644 --- a/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md +++ b/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md @@ -12,7 +12,7 @@ docs: "DOCS-599" The VirtualServer and VirtualServerRoute resources, introduced in release 1.5, enable use cases not supported with the Ingress resource, such as traffic splitting and advanced content-based routing. The resources are implemented as [Custom Resources](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). -This document is the reference documentation for the resources. To see additional examples of using the resources for specific use cases, go to the [examples/custom-resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources) folder in our GitHub repo. +This document is the reference documentation for the resources. To see additional examples of using the resources for specific use cases, go to the [examples/custom-resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources) folder in our GitHub repo. ## VirtualServer Specification @@ -347,7 +347,7 @@ tls: |Field | Description | Type | Required | | ---| ---| ---| --- | |``name`` | The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, ``hello`` and ``upstream-123`` are valid. The name must be unique among all upstreams of the resource. | ``string`` | Yes | -|``service`` | The name of a [service](https://kubernetes.io/docs/concepts/services-networking/service/). The service must belong to the same namespace as the resource. If the service doesn't exist, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. For NGINX Plus only, services of type [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#externalname) are also supported (check the [prerequisites](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/externalname-services#prerequisites) ). | ``string`` | Yes | +|``service`` | The name of a [service](https://kubernetes.io/docs/concepts/services-networking/service/). The service must belong to the same namespace as the resource. If the service doesn't exist, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. For NGINX Plus only, services of type [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#externalname) are also supported (check the [prerequisites](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/externalname-services#prerequisites) ). | ``string`` | Yes | |``subselector`` | Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. If the pod labels are updated, the Ingress Controller will not see that change until the number of the pods is changed. | ``map[string]string`` | No | |``use-cluster-ip`` | Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like ``lb-method`` and ``next-upstream``) will have no effect, as the Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. | ``boolean`` | No | |``port`` | The port of the service. If the service doesn't define that port, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. The port must fall into the range ``1..65535``. | ``uint16`` | Yes | @@ -636,7 +636,7 @@ proxy: |``upstream`` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | ``string`` | Yes | |``requestHeaders`` | The request headers modifications. | [action.Proxy.RequestHeaders](#actionproxyrequestheaders) | No | |``responseHeaders`` | The response headers modifications. | [action.Proxy.ResponseHeaders](#actionproxyresponseheaders) | No | -|``rewritePath`` | The rewritten URI. If the route path is a regular expression -- starts with `~` -- the `rewritePath` can include capture groups with ``$1-9``. For example `$1` for the first group, and so on. For more information, check the [rewrite](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/rewrites) example. | ``string`` | No | +|``rewritePath`` | The rewritten URI. If the route path is a regular expression -- starts with `~` -- the `rewritePath` can include capture groups with ``$1-9``. For example `$1` for the first group, and so on. For more information, check the [rewrite](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/rewrites) example. | ``string`` | No | {{% /table %}} ### Action.Proxy.RequestHeaders diff --git a/docs/content/installation/building-nginx-ingress-controller.md b/docs/content/installation/building-nginx-ingress-controller.md index 27b1d04f80..ce423ff524 100644 --- a/docs/content/installation/building-nginx-ingress-controller.md +++ b/docs/content/installation/building-nginx-ingress-controller.md @@ -41,10 +41,10 @@ Get your system ready for building and pushing the NGINX Ingress Controller imag cd kubernetes-ingress ``` - For instance if you want to clone version v3.4.1, the commands to run would be: + For instance if you want to clone version v3.4.2, the commands to run would be: ```shell - git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.1 + git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.2 cd kubernetes-ingress ``` diff --git a/docs/content/installation/installing-nic/installation-with-helm.md b/docs/content/installation/installing-nic/installation-with-helm.md index e6902ead06..52a42af2b3 100644 --- a/docs/content/installation/installing-nic/installation-with-helm.md +++ b/docs/content/installation/installing-nic/installation-with-helm.md @@ -66,13 +66,13 @@ To install the chart with the release name my-release (my-release is the name th - For NGINX: ```shell - helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.1 + helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 ``` - For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`) ```shell - helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.1 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true + helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true ``` This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to use Docker Hub, you can replace `ghcr.io/nginxinc/charts/nginx-ingress` with `registry-1.docker.io/nginxcharts/nginx-ingress`. @@ -84,7 +84,7 @@ Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a re To upgrade the release `my-release`: ```shell -helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.1 +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 ``` ### Uninstalling the Chart @@ -121,7 +121,7 @@ This step is required if you're installing the chart using its sources. Addition 1. Pull the chart sources: ```shell - helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.1 + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.2 ``` 2. Change your working directory to nginx-ingress: @@ -202,7 +202,7 @@ The steps you should follow depend on the Helm release name: Selector: app=nginx-ingress-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.4.1` +2. Checkout the latest available tag using `git checkout v3.4.2` 3. Navigate to `/kubernates-ingress/charts/nginx-ingress` @@ -247,7 +247,7 @@ The steps you should follow depend on the Helm release name: Selector: app=-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.4.1` +2. Checkout the latest available tag using `git checkout v3.4.2` 3. Navigate to `/kubernates-ingress/charts/nginx-ingress` @@ -310,7 +310,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont | **controller.logLevel** | The log level of the Ingress Controller. | 1 | | **controller.image.digest** | The image digest of the Ingress Controller. | None | | **controller.image.repository** | The image repository of the Ingress Controller. | nginx/nginx-ingress | -| **controller.image.tag** | The tag of the Ingress Controller image. | 3.4.1 | +| **controller.image.tag** | The tag of the Ingress Controller image. | 3.4.2 | | **controller.image.pullPolicy** | The pull policy for the Ingress Controller image. | IfNotPresent | | **controller.lifecycle** | The lifecycle of the Ingress Controller pods. | {} | | **controller.customConfigMap** | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | diff --git a/docs/content/installation/installing-nic/installation-with-manifests.md b/docs/content/installation/installing-nic/installation-with-manifests.md index 4591034161..02ad0e6dca 100644 --- a/docs/content/installation/installing-nic/installation-with-manifests.md +++ b/docs/content/installation/installing-nic/installation-with-manifests.md @@ -35,7 +35,7 @@ Clone the NGINX Ingress Controller repository using the command shown below, and git clone https://github.com/nginxinc/kubernetes-ingress.git --branch ``` -For example, if you want to use version 3.4.1, the command would be `git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.1`. +For example, if you want to use version 3.4.2, the command would be `git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.2`. This guide assumes you are using the latest release. @@ -69,7 +69,7 @@ There are two ways you can install the custom resource definitions: 1. Create CRDs for [VirtualServer and VirtualServerRoute]({{< relref "configuration/virtualserver-and-virtualserverroute-resources.md" >}}), [TransportServer]({{< relref "configuration/transportserver-resource.md" >}}), [Policy]({{< relref "configuration/policy-resource.md" >}}) and [GlobalConfiguration]({{< relref "configuration/global-configuration/globalconfiguration-resource.md" >}}): ```shell - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/deploy/crds.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/deploy/crds.yaml ``` ### Optional custom resource definitions @@ -77,13 +77,13 @@ There are two ways you can install the custom resource definitions: 1. For the NGINX App Protect WAF module, create CRDs for `APPolicy`, `APLogConf` and `APUserSig`: ```shell - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/deploy/crds-nap-waf.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/deploy/crds-nap-waf.yaml ``` 2. For the NGINX App Protect DoS module, create CRDs for `APDosPolicy`, `APDosLogConf` and `DosProtectedResource`: ```shell - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/deploy/crds-nap-dos.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/deploy/crds-nap-dos.yaml ``` {{%/tab%}} @@ -262,17 +262,17 @@ Connect to ports 80 and 443 using the IP address of any node in the cluster wher 1. Delete core custom resource definitions: ```shell - kubectl delete -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/deploy/crds.yaml + kubectl delete -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/deploy/crds.yaml ``` 2. Delete custom resource definitions for the NGINX App Protect WAF module: ```shell - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/deploy/crds-nap-waf.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/deploy/crds-nap-waf.yaml ``` 3. Delete custom resource definitions for the NGINX App Protect DoS module: ```shell - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/deploy/crds-nap-dos.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/deploy/crds-nap-dos.yaml ``` {{%/tab%}} diff --git a/docs/content/installation/installing-nic/installation-with-operator.md b/docs/content/installation/installing-nic/installation-with-operator.md index 84da0fef95..1307e2fe91 100644 --- a/docs/content/installation/installing-nic/installation-with-operator.md +++ b/docs/content/installation/installing-nic/installation-with-operator.md @@ -47,7 +47,7 @@ spec: image: pullPolicy: IfNotPresent repository: nginx/nginx-ingress - tag: 3.4.1-ubi + tag: 3.4.2-ubi ingressClass: nginx kind: deployment nginxplus: false diff --git a/docs/content/installation/integrations/app-protect-dos/configuration.md b/docs/content/installation/integrations/app-protect-dos/configuration.md index 4b6420e979..511d494789 100644 --- a/docs/content/installation/integrations/app-protect-dos/configuration.md +++ b/docs/content/installation/integrations/app-protect-dos/configuration.md @@ -8,7 +8,7 @@ toc: true docs: "DOCS-580" --- -> Check out the complete [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/app-protect-dos). +> Check out the complete [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/app-protect-dos). ## App Protect DoS Configuration diff --git a/docs/content/installation/integrations/app-protect-dos/installation.md b/docs/content/installation/integrations/app-protect-dos/installation.md index 0ab3d5ae3d..f74a11366f 100644 --- a/docs/content/installation/integrations/app-protect-dos/installation.md +++ b/docs/content/installation/integrations/app-protect-dos/installation.md @@ -34,10 +34,10 @@ Get your system ready for building and pushing the NGINX Ingress Controller imag cd kubernetes-ingress ``` - For instance if you want to clone version v3.4.1, the commands to run would be: + For instance if you want to clone version v3.4.2, the commands to run would be: ```shell - git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.1 + git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.2 cd kubernetes-ingress/deployments ``` @@ -216,7 +216,7 @@ To enable the NGINX App Protect DoS Module: {{< include "installation/manifests/verify-pods-are-running.md" >}} -For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-dos/configuration.md" >}}),the [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/app-protect-dos). +For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-dos/configuration.md" >}}),the [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/app-protect-dos). --- diff --git a/docs/content/installation/integrations/app-protect-waf/configuration.md b/docs/content/installation/integrations/app-protect-waf/configuration.md index 69557f722f..1f7a4115ee 100644 --- a/docs/content/installation/integrations/app-protect-waf/configuration.md +++ b/docs/content/installation/integrations/app-protect-waf/configuration.md @@ -268,8 +268,8 @@ These are the typical steps to deploy an OpenAPI protection Policy in NGINX Ingr 3. Make other custom changes if needed (e.g. enable Data Guard protection). 4. Use a tool to convert the result to YAML. There are many, for example: [`yq` utility](https://github.com/mikefarah/yq). 5. Add the YAML properties to create an `APPolicy` Custom Resource putting the policy itself (as in step 4) within the `spec` property of the Custom Resource. Refer to the [NGINX App Protect Policies](#nginx-app-protect-waf-policies) section above. -6. Create a `Policy` object which references the `APPolicy` Custom Resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/examples/custom-resources/app-protect-waf/waf.yaml). -7. Finally, attach the `Policy` object to a `VirtualServer` resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.1/examples/custom-resources/app-protect-waf/virtual-server.yaml). +6. Create a `Policy` object which references the `APPolicy` Custom Resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/examples/custom-resources/app-protect-waf/waf.yaml). +7. Finally, attach the `Policy` object to a `VirtualServer` resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/examples/custom-resources/app-protect-waf/virtual-server.yaml). **Note**: You need to make sure that the server where the resource files are located is always available when you are compiling your policy. @@ -404,7 +404,7 @@ The `link` option is also available in the `openApiFileReference` property and i In this example we deploy NGINX Ingress Controller with NGINX Plus and NGINX App Protect WAF, deploy a simple web application, and then configure load balancing and WAF protection for that application using the VirtualServer resource. -**Note:** You can find the example, and the files referenced, on [GitHub](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/app-protect-waf). +**Note:** You can find the example, and the files referenced, on [GitHub](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/app-protect-waf). ## Prerequisites @@ -426,7 +426,7 @@ In this example we deploy NGINX Ingress Controller with NGINX Plus and NGINX App Create the application deployment and service: ```console - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/examples/custom-resources/app-protect-waf/webapp.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/examples/custom-resources/app-protect-waf/webapp.yaml ``` ### Step 2. Deploy the AP Policy @@ -434,15 +434,15 @@ Create the application deployment and service: 1. Create the syslog service and pod for the NGINX App Protect WAF security logs: ```console - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/examples/custom-resources/app-protect-waf/syslog.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/examples/custom-resources/app-protect-waf/syslog.yaml ``` 2. Create the User-Defined Signature, WAF policy, and log configuration: ```console - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/examples/custom-resources/app-protect-waf/ap-apple-uds.yaml - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/examples/custom-resources/app-protect-waf/ap-dataguard-alarm-policy.yaml - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/examples/custom-resources/app-protect-waf/ap-logconf.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/examples/custom-resources/app-protect-waf/ap-apple-uds.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/examples/custom-resources/app-protect-waf/ap-dataguard-alarm-policy.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/examples/custom-resources/app-protect-waf/ap-logconf.yaml ``` ### Step 3 - Deploy the WAF Policy @@ -450,7 +450,7 @@ Create the application deployment and service: Create the WAF policy ```console - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/examples/custom-resources/app-protect-waf/waf.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/examples/custom-resources/app-protect-waf/waf.yaml ``` Note the NGINX App Protect WAF configuration settings in the Policy resource. They enable WAF protection by configuring NGINX App Protect WAF with the policy and log configuration created in the previous step. @@ -460,7 +460,7 @@ Create the WAF policy 1. Create the VirtualServer Resource: ```console - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/examples/custom-resources/app-protect-waf/virtual-server.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/examples/custom-resources/app-protect-waf/virtual-server.yaml ``` Note that the VirtualServer references the policy waf-policy created in Step 3. @@ -501,7 +501,7 @@ To access the application, curl the coffee and the tea services. We'll use the - ### Configuration Example of Virtual Server -Refer to GitHub repo for [Virtual Server example](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/examples/custom-resources/app-protect-waf/webapp.yaml). +Refer to GitHub repo for [Virtual Server example](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/examples/custom-resources/app-protect-waf/webapp.yaml). ```yaml apiVersion: k8s.nginx.org/v1 diff --git a/docs/content/installation/integrations/app-protect-waf/installation.md b/docs/content/installation/integrations/app-protect-waf/installation.md index cdc8b3f463..dec65144d1 100644 --- a/docs/content/installation/integrations/app-protect-waf/installation.md +++ b/docs/content/installation/integrations/app-protect-waf/installation.md @@ -29,7 +29,7 @@ Get your system ready for building and pushing the NGINX Ingress Controller imag 1. Clone the NGINX Ingress Controller repository: ```console - git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.1 + git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.2 cd kubernetes-ingress ``` @@ -217,4 +217,4 @@ To enable the NGINX App Protect DoS Module: {{< include "installation/manifests/verify-pods-are-running.md" >}} -For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-waf/configuration.md" >}}) and the NGINX Ingress Controller with App Protect example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/app-protect-waf" >}}). +For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-waf/configuration.md" >}}) and the NGINX Ingress Controller with App Protect example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/app-protect-waf" >}}). diff --git a/docs/content/installation/nic-images/pulling-ingress-controller-image.md b/docs/content/installation/nic-images/pulling-ingress-controller-image.md index 44fda0b509..6747ffa5de 100644 --- a/docs/content/installation/nic-images/pulling-ingress-controller-image.md +++ b/docs/content/installation/nic-images/pulling-ingress-controller-image.md @@ -38,7 +38,7 @@ The steps provided are for Linux. For Mac or Windows, consult the [Docker for Ma Next, pull the image you need from `private-registry.nginx.com`. To find the correct image, consult the [Tech Specs guide]({{< relref "technical-specifications#images-with-nginx-plus" >}}). -To pull an image, follow these steps. Replace `` with the specific version you need, for example, `3.4.1`. +To pull an image, follow these steps. Replace `` with the specific version you need, for example, `3.4.2`. - For NGINX Plus Ingress Controller, run: @@ -65,9 +65,9 @@ $ curl https://private-registry.nginx.com/v2/nginx-ic/nginx-plus-ingress/tags/li { "name": "nginx-ic/nginx-plus-ingress", "tags": [ - "3.4.1-alpine", - "3.4.1-ubi", - "3.4.1" + "3.4.2-alpine", + "3.4.2-ubi", + "3.4.2" ] } @@ -75,8 +75,8 @@ $ curl https://private-registry.nginx.com/v2/nginx-ic-nap/nginx-plus-ingress/tag { "name": "nginx-ic-nap/nginx-plus-ingress", "tags": [ - "3.4.1-ubi", - "3.4.1" + "3.4.2-ubi", + "3.4.2" ] } @@ -84,8 +84,8 @@ $ curl https://private-registry.nginx.com/v2/nginx-ic-dos/nginx-plus-ingress/tag { "name": "nginx-ic-dos/nginx-plus-ingress", "tags": [ - "3.4.1-ubi", - "3.4.1" + "3.4.2-ubi", + "3.4.2" ] } ``` @@ -102,7 +102,7 @@ After pulling the image, tag it and upload it to your private registry. docker login ``` -1. Tag and push the image. Replace `` with your registry's path and `` with the version you're using, for example `3.4.1`: +1. Tag and push the image. Replace `` with your registry's path and `` with the version you're using, for example `3.4.2`: - For NGINX Plus Ingress Controller, run: diff --git a/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md b/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md index e6de96c0a9..4b835b4d76 100644 --- a/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md +++ b/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md @@ -78,7 +78,7 @@ spec: seccompProfile: type: RuntimeDefault containers: - - image: private-registry.nginx.com/nginx-ic/nginx-plus-ingress:3.4.1 + - image: private-registry.nginx.com/nginx-ic/nginx-plus-ingress:3.4.2 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ``` @@ -118,7 +118,7 @@ The [Installation with Helm ]({{< relref "installation/installing-nic/installati repository: private-registry.nginx.com/nginx-ic/nginx-plus-ingress ## The version tag - tag: 3.4.1 + tag: 3.4.2 serviceAccount: ## The annotations of the service account of the Ingress Controller pods. @@ -150,7 +150,7 @@ If the namespace does not exist, `--create-namespace` will create it. Using `-f If you want to install NGINX Ingress Controller using the charts method, the following is an example of using the command line to pass the required arguments using the `set` parameter. ```shell -helm install my-release -n nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.1 --set controller.image.repository=private-registry.nginx.com/nginx-ic/nginx-plus-ingress --set controller.image.tag=3.4.1 --set controller.nginxplus=true --set controller.serviceAccount.imagePullSecretName=regcred +helm install my-release -n nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 --set controller.image.repository=private-registry.nginx.com/nginx-ic/nginx-plus-ingress --set controller.image.tag=3.4.2 --set controller.nginxplus=true --set controller.serviceAccount.imagePullSecretName=regcred ``` You can also use the certificate and key from the MyF5 portal and the Docker registry API to list the available image tags for the repositories, for example: @@ -160,9 +160,9 @@ You can also use the certificate and key from the MyF5 portal and the Docker reg { "name": "nginx-ic/nginx-plus-ingress", "tags": [ - "3.4.1-alpine", - "3.4.1-ubi", - "3.4.1" + "3.4.2-alpine", + "3.4.2-ubi", + "3.4.2" ] } @@ -170,8 +170,8 @@ You can also use the certificate and key from the MyF5 portal and the Docker reg { "name": "nginx-ic-nap/nginx-plus-ingress", "tags": [ - "3.4.1-ubi", - "3.4.1" + "3.4.2-ubi", + "3.4.2" ] } @@ -179,8 +179,8 @@ You can also use the certificate and key from the MyF5 portal and the Docker reg { "name": "nginx-ic-dos/nginx-plus-ingress", "tags": [ - "3.4.1-ubi", - "3.4.1" + "3.4.2-ubi", + "3.4.2" ] } ``` diff --git a/docs/content/overview/controller-comparison.md b/docs/content/overview/controller-comparison.md index 056f390601..1e9fc56fb5 100644 --- a/docs/content/overview/controller-comparison.md +++ b/docs/content/overview/controller-comparison.md @@ -26,11 +26,11 @@ The table below summarizes the key difference between nginxinc/kubernetes-ingres | NGINX version | [Custom](https://github.com/kubernetes/ingress-nginx/tree/main/images/nginx) NGINX build that includes several third-party modules | NGINX official mainline [build](https://github.com/nginxinc/docker-nginx) | NGINX Plus | | Commercial support | N/A | N/A | Included | | **Load balancing configuration via the Ingress resource** | -| Merging Ingress rules with the same host | Supported | Supported via [Mergeable Ingresses](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/mergeable-ingress-types) | Supported via [Mergeable Ingresses](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/mergeable-ingress-types) | +| Merging Ingress rules with the same host | Supported | Supported via [Mergeable Ingresses](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/mergeable-ingress-types) | Supported via [Mergeable Ingresses](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/mergeable-ingress-types) | | HTTP load balancing extensions - Annotations | See the [supported annotations](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/) | See the [supported annotations](https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/) | See the [supported annotations](https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/)| | HTTP load balancing extensions -- ConfigMap | See the [supported ConfigMap keys](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/) | See the [supported ConfigMap keys](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) | See the [supported ConfigMap keys](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) | | TCP/UDP | Supported via a ConfigMap | Supported via custom resources | Supported via custom resources | -| Websocket | Supported | Supported via an [annotation](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/websocket) | Supported via an [annotation](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/websocket) | +| Websocket | Supported | Supported via an [annotation](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/websocket) | Supported via an [annotation](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/websocket) | | TCP SSL Passthrough | Supported via a ConfigMap | Supported via custom resources | Supported via custom resources | | JWT validation | Not supported | Not supported | Supported | | Session persistence | Supported via a third-party module | Not supported | Supported | diff --git a/docs/content/overview/nginx-plus.md b/docs/content/overview/nginx-plus.md index 16b2ff7540..e582a7fe15 100644 --- a/docs/content/overview/nginx-plus.md +++ b/docs/content/overview/nginx-plus.md @@ -16,9 +16,9 @@ The NGINX Ingress Controller works with [NGINX](https://nginx.org/) as well as [ - _Real-time metrics_: Metrics for NGINX Plus and application performance are available through the API or the [NGINX Status Page]({{< relref "logging-and-monitoring/status-page">}}). These metrics can also be exported to [Prometheus]({{< relref "logging-and-monitoring/prometheus">}}). - _Additional load balancing methods_: The `least_time` and `random two least_time` methods and their derivatives become available. The NGINX [`ngx_http_upstream_module` documentation](https://nginx.org/en/docs/http/ngx_http_upstream_module.html) has the complete list of load balancing methods. -- _Session persistence_: The *sticky cookie* method becomes available. See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/session-persistence) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/session-persistence) examples. -- _Active health checks_: See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/health-checks) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/health-checks) examples. -- _JWT validation_: See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/ingress-resources/jwt) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.1/examples/custom-resources/jwt) examples. +- _Session persistence_: The *sticky cookie* method becomes available. See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/session-persistence) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/session-persistence) examples. +- _Active health checks_: See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/health-checks) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/health-checks) examples. +- _JWT validation_: See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/jwt) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/jwt) examples. For a comprehensive guide of NGINX Plus features available with Ingress resources, see the [ConfigMap]({{< relref "configuration/global-configuration/configmap-resource">}}) and [Annotations]({{< relref "configuration/ingress-resources/advanced-configuration-with-annotations">}}) documentation. diff --git a/docs/content/releases.md b/docs/content/releases.md index 850ba1bbe0..4642a03709 100644 --- a/docs/content/releases.md +++ b/docs/content/releases.md @@ -6,6 +6,31 @@ doctypes: ["concept"] toc: true docs: "DOCS-616" --- +## 3.4.2 + +16 Jan 2024 + +### Fixes +[4934](https://github.com/nginxinc/kubernetes-ingress/pull/4934) GCR & AWS Plus image publishing fix + +### Upgrade + +- For NGINX, use the 3.4.2 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.4.2), +[GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.4.2 images from the F5 Container registry, +the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE), +the [GCP Marketplace](https://console.cloud.google.com/marketplace/browse?filter=partner:F5,%20Inc.&filter=solution-type:k8s&filter=category:networking) +or build your own image using the 3.4.2 source code +- For Helm, use version 1.1.2 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.23-1.29. + ## 3.4.1 15 Jan 2024 diff --git a/docs/content/technical-specifications.md b/docs/content/technical-specifications.md index 7e3bbabe01..2ea8c3302f 100644 --- a/docs/content/technical-specifications.md +++ b/docs/content/technical-specifications.md @@ -23,7 +23,7 @@ We explicitly test NGINX Ingress Controller on a range of Kubernetes platforms f {{< bootstrap-table "table table-bordered table-striped table-responsive" >}} | NIC Version | Supported Kubernetes Version | NIC Helm Chart Version | NIC Operator Version | NGINX / NGINX Plus version | | --- | --- | --- | --- | --- | -| 3.4.1 | 1.29 - 1.23 | 1.1.1 | 2.1.0 | 1.25.3 / R31 | +| 3.4.2 | 1.29 - 1.23 | 1.1.2 | 2.1.0 | 1.25.3 / R31 | | 3.3.2 | 1.28 - 1.22 | 1.0.2 | 2.0.2 | 1.25.3 / R30 | | 3.2.1 | 1.27 - 1.22 | 0.18.1 | 1.5.1 | 1.25.2 / R30 | | 3.1.1 | 1.26 - 1.22 | 0.17.1 | 1.4.2 | 1.23.4 / R29 | @@ -53,9 +53,9 @@ _All images include NGINX 1.25.3._ {{< bootstrap-table "table table-bordered table-responsive" >}} |
Name
|
Base image
|
Third-party modules
| DockerHub image | Architectures | | ---| --- | --- | --- | --- | -|Alpine-based image | ``nginx:1.25.3-alpine``,
based on on ``alpine:3.18`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:3.4.1-alpine`` | arm/v7
arm64
amd64
ppc64le
s390x | -|Debian-based image | ``nginx:1.25.3``,
based on on ``debian:12-slim`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:3.4.1`` | arm/v7
arm64
amd64
ppc64le
s390x | -|Ubi-based image | ``nginxcontrib/nginx:1.25.3-ubi``,
based on on ``redhat/ubi9-minimal`` | | ``nginx/nginx-ingress:3.4.1-ubi`` | arm64
amd64
ppc64le
s390x | +|Alpine-based image | ``nginx:1.25.3-alpine``,
based on on ``alpine:3.18`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:3.4.2-alpine`` | arm/v7
arm64
amd64
ppc64le
s390x | +|Debian-based image | ``nginx:1.25.3``,
based on on ``debian:12-slim`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:3.4.2`` | arm/v7
arm64
amd64
ppc64le
s390x | +|Ubi-based image | ``nginxcontrib/nginx:1.25.3-ubi``,
based on on ``redhat/ubi9-minimal`` | | ``nginx/nginx-ingress:3.4.2-ubi`` | arm64
amd64
ppc64le
s390x | {{% /bootstrap-table %}} ### Images with NGINX Plus @@ -69,16 +69,16 @@ NGINX Plus images are available through the F5 Container registry `private-regis {{< bootstrap-table "table table-striped table-bordered table-responsive" >}} |
Name
|
Base image
|
Third-party modules
| F5 Container Registry Image | Architectures | | ---| ---| --- | --- | --- | -|Alpine-based image | ``alpine:3.18`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:3.4.1-alpine` | arm64
amd64 | -|Alpine-based image with FIPS inside | ``alpine:3.18`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog

FIPS module and OpenSSL configuration | `nginx-ic/nginx-plus-ingress:3.4.1-alpine-fips` | arm64
amd64 | -|Debian-based image | ``debian:12-slim`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:3.4.1` | arm64
amd64 | -|Debian-based image with NGINX App Protect WAF | ``debian:11-slim`` | NGINX App Protect WAF

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-nap/nginx-plus-ingress:3.4.1` | amd64 | -|Debian-based image with NGINX App Protect DoS | ``debian:11-slim`` | NGINX App Protect DoS

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-dos/nginx-plus-ingress:3.4.1` | amd64 | -|Debian-based image with NGINX App Protect WAF and DoS | ``debian:11-slim`` | NGINX App Protect WAF and DoS

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-nap-dos/nginx-plus-ingress:3.4.1` | amd64 | -|Ubi-based image | ``redhat/ubi9-minimal`` | NGINX Plus JavaScript module | `nginx-ic/nginx-plus-ingress:3.4.1-ubi` | arm64
amd64
s390x | -|Ubi-based image with NGINX App Protect WAF | ``redhat/ubi8`` | NGINX App Protect WAF and NGINX Plus JavaScript module | `nginx-ic-nap/nginx-plus-ingress:3.4.1-ubi` | amd64 | -|Ubi-based image with NGINX App Protect DoS | ``redhat/ubi8`` | NGINX App Protect DoS and NGINX Plus JavaScript module | `nginx-ic-dos/nginx-plus-ingress:3.4.1-ubi` | amd64 | -|Ubi-based image with NGINX App Protect WAF and DoS | ``redhat/ubi8`` | NGINX App Protect WAF and DoS

NGINX Plus JavaScript module | `nginx-ic-nap-dos/nginx-plus-ingress:3.4.1-ubi` | amd64 | +|Alpine-based image | ``alpine:3.18`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:3.4.2-alpine` | arm64
amd64 | +|Alpine-based image with FIPS inside | ``alpine:3.18`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog

FIPS module and OpenSSL configuration | `nginx-ic/nginx-plus-ingress:3.4.2-alpine-fips` | arm64
amd64 | +|Debian-based image | ``debian:12-slim`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:3.4.2` | arm64
amd64 | +|Debian-based image with NGINX App Protect WAF | ``debian:11-slim`` | NGINX App Protect WAF

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-nap/nginx-plus-ingress:3.4.2` | amd64 | +|Debian-based image with NGINX App Protect DoS | ``debian:11-slim`` | NGINX App Protect DoS

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-dos/nginx-plus-ingress:3.4.2` | amd64 | +|Debian-based image with NGINX App Protect WAF and DoS | ``debian:11-slim`` | NGINX App Protect WAF and DoS

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-nap-dos/nginx-plus-ingress:3.4.2` | amd64 | +|Ubi-based image | ``redhat/ubi9-minimal`` | NGINX Plus JavaScript module | `nginx-ic/nginx-plus-ingress:3.4.2-ubi` | arm64
amd64
s390x | +|Ubi-based image with NGINX App Protect WAF | ``redhat/ubi8`` | NGINX App Protect WAF and NGINX Plus JavaScript module | `nginx-ic-nap/nginx-plus-ingress:3.4.2-ubi` | amd64 | +|Ubi-based image with NGINX App Protect DoS | ``redhat/ubi8`` | NGINX App Protect DoS and NGINX Plus JavaScript module | `nginx-ic-dos/nginx-plus-ingress:3.4.2-ubi` | amd64 | +|Ubi-based image with NGINX App Protect WAF and DoS | ``redhat/ubi8`` | NGINX App Protect WAF and DoS

NGINX Plus JavaScript module | `nginx-ic-nap-dos/nginx-plus-ingress:3.4.2-ubi` | amd64 | {{% /bootstrap-table %}} #### **AWS Marketplace** diff --git a/docs/content/troubleshooting/troubleshoot-common.md b/docs/content/troubleshooting/troubleshoot-common.md index 04ff955ba4..0c81e09e92 100644 --- a/docs/content/troubleshooting/troubleshoot-common.md +++ b/docs/content/troubleshooting/troubleshoot-common.md @@ -145,7 +145,7 @@ controller: nginxplus: plus image: repository: nginx/nginx-ingress - tag: 3.4.1 + tag: 3.4.2 # NGINX Configmap config: entries: diff --git a/docs/content/tutorials/custom-listen-ports.md b/docs/content/tutorials/custom-listen-ports.md index 0789bf5add..9373b91483 100644 --- a/docs/content/tutorials/custom-listen-ports.md +++ b/docs/content/tutorials/custom-listen-ports.md @@ -88,7 +88,7 @@ spec: spec: serviceAccountName: nginx-ingress containers: - - image: nginx/nginx-ingress:3.4.1 + - image: nginx/nginx-ingress:3.4.2 imagePullPolicy: IfNotPresent name: nginx-ingress ports: diff --git a/docs/content/tutorials/oidc-custom-configuration.md b/docs/content/tutorials/oidc-custom-configuration.md index c00ad0badd..77b8a97d68 100644 --- a/docs/content/tutorials/oidc-custom-configuration.md +++ b/docs/content/tutorials/oidc-custom-configuration.md @@ -30,7 +30,7 @@ Run the below command to generate a ConfigMap with the contents of the `oidc.con **NOTE** The ConfigMap must be deployed in the same `namespace` as the F5 NGINX Ingress Controller. ```console -kubectl create configmap oidc-config-map --from-literal=oidc.conf="$(curl -k https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/internal/configs/oidc/oidc.conf)" +kubectl create configmap oidc-config-map --from-literal=oidc.conf="$(curl -k https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/internal/configs/oidc/oidc.conf)" ``` Use the `kubectl describe` command to confirm the contents of the ConfigMap are correct. diff --git a/docs/content/usage-reporting.md b/docs/content/usage-reporting.md index 4b2a46d1c2..59c1c09600 100644 --- a/docs/content/usage-reporting.md +++ b/docs/content/usage-reporting.md @@ -87,7 +87,7 @@ To make the credential available to Usage Reporting, we need to create a Kuberne If you need to update the basic-auth credentials for NGINX Management Suite in the future, update the `username` and `password` fields, and apply the changes by running the command again. Usage Reporting will automatically detect the changes, using the new username and password without redeployment. -5. Download and save the deployment file [cluster-connector.yaml](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.1/examples/shared-examples/usage-reporting/cluster-connector.yaml). Edit the following under the `args` section and then save the file: +5. Download and save the deployment file [cluster-connector.yaml](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/examples/shared-examples/usage-reporting/cluster-connector.yaml). Edit the following under the `args` section and then save the file: ```yaml args: From 760d891c961fe144a545f48eae0b49374df57ac9 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Fri, 9 Feb 2024 10:33:25 +0000 Subject: [PATCH 10/22] CP: allow waf users to build without dos repo access (#5043) allow waf users to build without dos repo access (#5041) --- build/Dockerfile | 38 +++++++++++++++++++++++++++++++------- 1 file changed, 31 insertions(+), 7 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 26dc19113b..50eb44338d 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -145,10 +145,16 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode --mount=type=bind,from=nginx-files,src=app-protect-security-updates.key,target=/tmp/app-protect-security-updates.key \ --mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \ --mount=type=bind,from=nginx-files,src=debian-plus-11.sources,target=/etc/apt/sources.list.d/nginx-plus.sources \ - --mount=type=bind,from=nginx-files,src=nap-waf-11.sources,target=/etc/apt/sources.list.d/app-protect.sources \ - --mount=type=bind,from=nginx-files,src=nap-dos-11.sources,target=/etc/apt/sources.list.d/app-protect-dos.sources \ + --mount=type=bind,from=nginx-files,src=nap-waf-11.sources,target=/tmp/app-protect.sources \ + --mount=type=bind,from=nginx-files,src=nap-dos-11.sources,target=/tmp/app-protect-dos.sources \ ## the code below is duplicated from the debian-plus image because NAP doesn't support debian 12 - apt-get update \ + if [ -z "${NAP_MODULES##*waf*}" ]; then \ + cp /tmp/app-protect.sources /etc/apt/sources.list.d/app-protect.sources; \ + fi \ + && if [ -z "${NAP_MODULES##*dos*}" ]; then \ + cp /tmp/app-protect-dos.sources /etc/apt/sources.list.d/app-protect-dos.sources; \ + fi \ + && apt-get update \ && apt-get upgrade -y \ && apt-get install --no-install-recommends --no-install-suggests -y ca-certificates sq \ && groupadd --system --gid 101 nginx \ @@ -169,6 +175,12 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ && ldconfig \ ## end of duplicated code + && if [ -z "${NAP_MODULES##*waf*}" ]; then \ + rm -f /etc/apt/sources.list.d/app-protect.sources; \ + fi \ + && if [ -z "${NAP_MODULES##*dos*}" ]; then \ + rm -f /etc/apt/sources.list.d/app-protect-dos.sources; \ + fi \ && rm -rf /var/lib/apt/lists/* # Uncomment the lines below if you want to install a custom CA certificate @@ -205,11 +217,17 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ --mount=type=bind,from=nginx-files,src=nginx-plus-8.repo,target=/etc/yum.repos.d/nginx-plus.repo,rw \ --mount=type=bind,from=nginx-files,src=app-protect-security-updates.key,target=/tmp/app-protect-security-updates.key \ - --mount=type=bind,from=nginx-files,src=app-protect-8.repo,target=/etc/yum.repos.d/app-protect-8.repo \ - --mount=type=bind,from=nginx-files,src=app-protect-dos-8.repo,target=/etc/yum.repos.d/app-protect-dos-8.repo \ + --mount=type=bind,from=nginx-files,src=app-protect-8.repo,target=/tmp/app-protect-8.repo \ + --mount=type=bind,from=nginx-files,src=app-protect-dos-8.repo,target=/tmp/app-protect-dos-8.repo \ source /tmp/rhel_license \ - ## the code below is duplicated from the ubi-plus image because NAP doesn't support UBI 9 and minimal versions - dnf --nodocs install -y shadow-utils ca-certificates \ + && if [ -z "${NAP_MODULES##*waf*}" ]; then \ + cp /tmp/app-protect-8.repo /etc/yum.repos.d/app-protect-8.repo; \ + fi \ + && if [ -z "${NAP_MODULES##*dos*}" ]; then \ + cp /tmp/app-protect-dos-8.repo /etc/yum.repos.d/app-protect-dos-8.repo; \ + fi \ + ## the code below is duplicated from the ubi-plus image because NAP DOS doesn't support UBI 9 and minimal versions + && dnf --nodocs install -y shadow-utils ca-certificates \ && dnf update -y \ && groupadd --system --gid 101 nginx \ && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ @@ -233,6 +251,12 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode # fix for CVEs && dnf upgrade -y curl ncurses \ && subscription-manager unregister \ + && if [ -z "${NAP_MODULES##*waf*}" ]; then \ + rm -f /etc/yum.repos.d/app-protect-8.repo; \ + fi \ + && if [ -z "${NAP_MODULES##*dos*}" ]; then \ + rm -f /etc/yum.repos.d/app-protect-dos-8.repo; \ + fi \ && dnf clean all # Uncomment the lines below if you want to install a custom CA certificate From 203cb6ef9ca9410abe65fa45932bd5d5c5b2868b Mon Sep 17 00:00:00 2001 From: Jim Ryan Date: Fri, 9 Feb 2024 13:44:23 +0000 Subject: [PATCH 11/22] cherry pick: Fix template file spacing for `ssl_protocols` directive (#5020) (#5060) Fix template file spacing for `ssl_protocols` directive (#5020) template file space --- internal/configs/version1/nginx-plus.tmpl | 16 ++++++++++++---- internal/configs/version1/nginx.tmpl | 16 ++++++++++++---- 2 files changed, 24 insertions(+), 8 deletions(-) diff --git a/internal/configs/version1/nginx-plus.tmpl b/internal/configs/version1/nginx-plus.tmpl index 0dbef3471f..0cf4575b21 100644 --- a/internal/configs/version1/nginx-plus.tmpl +++ b/internal/configs/version1/nginx-plus.tmpl @@ -130,10 +130,18 @@ http { default upgrade; '' $default_connection_header; } - {{- if .SSLProtocols}}ssl_protocols {{.SSLProtocols}};{{end}} - {{- if .SSLCiphers}}ssl_ciphers "{{.SSLCiphers}}";{{end}} - {{- if .SSLPreferServerCiphers}}ssl_prefer_server_ciphers on;{{end}} - {{- if .SSLDHParam}}ssl_dhparam {{.SSLDHParam}};{{end}} + {{- if .SSLProtocols}} + ssl_protocols {{.SSLProtocols}}; + {{- end}} + {{- if .SSLCiphers}} + ssl_ciphers "{{.SSLCiphers}}"; + {{- end}} + {{- if .SSLPreferServerCiphers}} + ssl_prefer_server_ciphers on; + {{- end}} + {{- if .SSLDHParam}} + ssl_dhparam {{.SSLDHParam}}; + {{- end}} {{- if .OpenTracingEnabled}} opentracing on; diff --git a/internal/configs/version1/nginx.tmpl b/internal/configs/version1/nginx.tmpl index aa452d9fa4..4c45f186d2 100644 --- a/internal/configs/version1/nginx.tmpl +++ b/internal/configs/version1/nginx.tmpl @@ -91,10 +91,18 @@ http { default upgrade; '' $default_connection_header; } - {{- if .SSLProtocols}}ssl_protocols {{.SSLProtocols}};{{end}} - {{- if .SSLCiphers}}ssl_ciphers "{{.SSLCiphers}}";{{end}} - {{- if .SSLPreferServerCiphers}}ssl_prefer_server_ciphers on;{{end}} - {{- if .SSLDHParam}}ssl_dhparam {{.SSLDHParam}};{{end}} + {{- if .SSLProtocols}} + ssl_protocols {{.SSLProtocols}}; + {{- end}} + {{- if .SSLCiphers}} + ssl_ciphers "{{.SSLCiphers}}"; + {{- end}} + {{- if .SSLPreferServerCiphers}} + ssl_prefer_server_ciphers on; + {{- end}} + {{- if .SSLDHParam}} + ssl_dhparam {{.SSLDHParam}}; + {{- end}} {{- if .OpenTracingEnabled}} opentracing on; From 4e84ae8ffb4e0fe93045e227bdc16b52778e6486 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Fri, 9 Feb 2024 16:08:36 +0000 Subject: [PATCH 12/22] Snippets cherry pick (#5059) * fix new lines in snippets (#4832) --- .../configs/version2/nginx-plus.transportserver.tmpl | 6 +++--- internal/configs/version2/nginx-plus.virtualserver.tmpl | 6 +++--- internal/configs/version2/nginx.transportserver.tmpl | 4 ++-- internal/configs/version2/nginx.virtualserver.tmpl | 6 +++--- .../data/transport-server/transport-server-snippets.yaml | 5 ++++- tests/suite/test_transport_server.py | 9 +++++---- 6 files changed, 20 insertions(+), 16 deletions(-) diff --git a/internal/configs/version2/nginx-plus.transportserver.tmpl b/internal/configs/version2/nginx-plus.transportserver.tmpl index b3d59172d4..f3e47b3a42 100644 --- a/internal/configs/version2/nginx-plus.transportserver.tmpl +++ b/internal/configs/version2/nginx-plus.transportserver.tmpl @@ -18,8 +18,8 @@ upstream {{ $u.Name }} { {{- end }} {{- range $snippet := .StreamSnippets }} -{{- $snippet }} -{{ end }} +{{ $snippet }} +{{- end }} {{ with $m := .Match }} match {{ $m.Name }} { @@ -60,7 +60,7 @@ server { {{- end }} {{- range $snippet := $s.ServerSnippets }} - {{- $snippet }} + {{ $snippet }} {{- end }} proxy_pass {{ $s.ProxyPass }}; diff --git a/internal/configs/version2/nginx-plus.virtualserver.tmpl b/internal/configs/version2/nginx-plus.virtualserver.tmpl index b8c2ba27da..2f6a3faa59 100644 --- a/internal/configs/version2/nginx-plus.virtualserver.tmpl +++ b/internal/configs/version2/nginx-plus.virtualserver.tmpl @@ -48,7 +48,7 @@ map {{ $m.Source }} {{ $m.Variable }} { {{- end }} {{- range $snippet := .HTTPSnippets }} -{{- $snippet }} +{{ $snippet }} {{- end }} {{- range $z := .LimitReqZones }} @@ -286,7 +286,7 @@ server { {{- end }} {{- range $snippet := $s.Snippets }} - {{- $snippet }} + {{ $snippet }} {{- end }} {{- range $l := $s.InternalRedirectLocations }} @@ -351,7 +351,7 @@ server { internal; {{- end }} {{- range $snippet := $l.Snippets }} - {{- $snippet }} + {{ $snippet }} {{- end }} {{- with $l.PoliciesErrorReturn }} diff --git a/internal/configs/version2/nginx.transportserver.tmpl b/internal/configs/version2/nginx.transportserver.tmpl index 901def05fa..15f0a97fd0 100644 --- a/internal/configs/version2/nginx.transportserver.tmpl +++ b/internal/configs/version2/nginx.transportserver.tmpl @@ -14,7 +14,7 @@ upstream {{ $u.Name }} { {{- end }} {{- range $snippet := .StreamSnippets }} -{{- $snippet }} +{{ $snippet }} {{- end }} {{- $s := .Server }} @@ -42,7 +42,7 @@ server { {{- end }} {{- range $snippet := $s.ServerSnippets }} - {{- $snippet }} + {{ $snippet }} {{- end }} proxy_pass {{ $s.ProxyPass }}; diff --git a/internal/configs/version2/nginx.virtualserver.tmpl b/internal/configs/version2/nginx.virtualserver.tmpl index 6469634d59..da6fa1985a 100644 --- a/internal/configs/version2/nginx.virtualserver.tmpl +++ b/internal/configs/version2/nginx.virtualserver.tmpl @@ -32,7 +32,7 @@ map {{ $m.Source }} {{ $m.Variable }} { {{- end }} {{- range $snippet := .HTTPSnippets }} -{{- $snippet }} +{{ $snippet }} {{- end }} {{- range $z := .LimitReqZones }} @@ -166,7 +166,7 @@ server { {{- end }} {{- range $snippet := $s.Snippets }} - {{- $snippet }} + {{ $snippet }} {{- end }} {{- range $l := $s.InternalRedirectLocations }} @@ -208,7 +208,7 @@ server { internal; {{- end }} {{- range $snippet := $l.Snippets }} - {{- $snippet }} + {{ $snippet }} {{- end }} {{- with $l.PoliciesErrorReturn }} diff --git a/tests/data/transport-server/transport-server-snippets.yaml b/tests/data/transport-server/transport-server-snippets.yaml index ec3c58ba99..8665463603 100644 --- a/tests/data/transport-server/transport-server-snippets.yaml +++ b/tests/data/transport-server/transport-server-snippets.yaml @@ -4,7 +4,10 @@ metadata: name: transport-server spec: streamSnippets: limit_conn_zone $binary_remote_addr zone=addr:10m; - serverSnippets: limit_conn addr 1; + serverSnippets: | + limit_conn addr 1; + # a comment is allowed in snippets + add_header X-test-header "test-value"; listener: name: dns-tcp protocol: TCP diff --git a/tests/suite/test_transport_server.py b/tests/suite/test_transport_server.py index fa72fbd694..4af17653dc 100644 --- a/tests/suite/test_transport_server.py +++ b/tests/suite/test_transport_server.py @@ -55,10 +55,11 @@ def test_snippets( transport_server_setup.namespace, ) - assert ( - "limit_conn_zone $binary_remote_addr zone=addr:10m;" in conf # stream-snippets - and "limit_conn addr 1;" in conf # server-snippets - ) + conf_lines = [line.strip() for line in conf.split("\n")] + assert "limit_conn_zone $binary_remote_addr zone=addr:10m;" in conf_lines # stream-snippets on separate line + assert "limit_conn addr 1;" in conf_lines # server-snippets on separate line + assert "# a comment is allowed in snippets" in conf_lines # comments are allowed in server snippets + assert 'add_header X-test-header "test-value";' in conf_lines # new line in server-snippets on separate line def test_configurable_timeout_directives( self, kube_apis, crd_ingress_controller, transport_server_setup, ingress_controller_prerequisites From 30748f606aaf4909c379c04321176a938b5ff624 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Mon, 12 Feb 2024 11:29:44 +0000 Subject: [PATCH 13/22] Go cherry picks (#5064) * Bump the go group with 1 update (#4909) * Bump the go group with 1 update Bumps the go group with 1 update: [sigs.k8s.io/controller-tools](https://github.com/kubernetes-sigs/controller-tools). Updates `sigs.k8s.io/controller-tools` from 0.13.0 to 0.14.0 - [Release notes](https://github.com/kubernetes-sigs/controller-tools/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-tools/blob/master/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-tools/compare/v0.13.0...v0.14.0) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-tools dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go ... Signed-off-by: dependabot[bot] * update kubebuilder annotation version --------- Signed-off-by: dependabot[bot] * Bump the go group with 1 update (#4924) Bumps the go group with 1 update: [github.com/prometheus/common](https://github.com/prometheus/common). Updates `github.com/prometheus/common` from 0.45.0 to 0.46.0 - [Release notes](https://github.com/prometheus/common/releases) - [Commits](https://github.com/prometheus/common/compare/v0.45.0...v0.46.0) --- updated-dependencies: - dependency-name: github.com/prometheus/common dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go ... Signed-off-by: dependabot[bot] * Bump the go group with 5 updates (#4939) Bumps the go group with 5 updates: | Package | From | To | | --- | --- | --- | | [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) | `1.26.3` | `1.26.4` | | [github.com/spiffe/go-spiffe/v2](https://github.com/spiffe/go-spiffe) | `2.1.6` | `2.1.7` | | [k8s.io/api](https://github.com/kubernetes/api) | `0.29.0` | `0.29.1` | | [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.29.0` | `0.29.1` | | [k8s.io/code-generator](https://github.com/kubernetes/code-generator) | `0.29.0` | `0.29.1` | Updates `github.com/aws/aws-sdk-go-v2/config` from 1.26.3 to 1.26.4 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.26.3...config/v1.26.4) Updates `github.com/spiffe/go-spiffe/v2` from 2.1.6 to 2.1.7 - [Release notes](https://github.com/spiffe/go-spiffe/releases) - [Changelog](https://github.com/spiffe/go-spiffe/blob/main/CHANGELOG.md) - [Commits](https://github.com/spiffe/go-spiffe/compare/v2.1.6...v2.1.7) Updates `k8s.io/api` from 0.29.0 to 0.29.1 - [Commits](https://github.com/kubernetes/api/compare/v0.29.0...v0.29.1) Updates `k8s.io/client-go` from 0.29.0 to 0.29.1 - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.29.0...v0.29.1) Updates `k8s.io/code-generator` from 0.29.0 to 0.29.1 - [Commits](https://github.com/kubernetes/code-generator/compare/v0.29.0...v0.29.1) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/spiffe/go-spiffe/v2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: k8s.io/api dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: k8s.io/code-generator dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] * Bump the go group with 1 update (#4949) Bumps the go group with 1 update: [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2). Updates `github.com/aws/aws-sdk-go-v2/config` from 1.26.4 to 1.26.5 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.26.4...config/v1.26.5) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] * Bump the go group with 1 update (#4971) Bumps the go group with 1 update: [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2). Updates `github.com/aws/aws-sdk-go-v2/config` from 1.26.5 to 1.26.6 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.26.5...config/v1.26.6) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> * Bump the go group with 1 update (#5022) Bumps the go group with 1 update: [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager). Updates `github.com/cert-manager/cert-manager` from 1.13.3 to 1.14.0 - [Release notes](https://github.com/cert-manager/cert-manager/releases) - [Commits](https://github.com/cert-manager/cert-manager/compare/v1.13.3...v1.14.0) --- updated-dependencies: - dependency-name: github.com/cert-manager/cert-manager dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go ... Signed-off-by: dependabot[bot] * Bump the go group with 1 update (#5034) Bumps the go group with 1 update: [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager). Updates `github.com/cert-manager/cert-manager` from 1.14.0 to 1.14.1 - [Release notes](https://github.com/cert-manager/cert-manager/releases) - [Commits](https://github.com/cert-manager/cert-manager/compare/v1.14.0...v1.14.1) --- updated-dependencies: - dependency-name: github.com/cert-manager/cert-manager dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] * Bump the go group with 1 update (#5055) Bumps the go group with 1 update: [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager). Updates `github.com/cert-manager/cert-manager` from 1.14.1 to 1.14.2 - [Release notes](https://github.com/cert-manager/cert-manager/releases) - [Commits](https://github.com/cert-manager/cert-manager/compare/v1.14.1...v1.14.2) --- updated-dependencies: - dependency-name: github.com/cert-manager/cert-manager dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] --------- Signed-off-by: dependabot[bot] --- ...otectdos.f5.com_dosprotectedresources.yaml | 19 +- .../externaldns.nginx.org_dnsendpoints.yaml | 19 +- .../k8s.nginx.org_globalconfigurations.yaml | 36 +- config/crd/bases/k8s.nginx.org_policies.yaml | 55 +-- .../bases/k8s.nginx.org_transportservers.yaml | 36 +- .../k8s.nginx.org_virtualserverroutes.yaml | 19 +- .../bases/k8s.nginx.org_virtualservers.yaml | 22 +- deploy/crds-nap-dos.yaml | 19 +- deploy/crds.yaml | 187 +++++++---- go.mod | 120 ++++--- go.sum | 315 ++++++++---------- 11 files changed, 465 insertions(+), 382 deletions(-) diff --git a/config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yaml b/config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yaml index 34d85433fe..c95fe76547 100644 --- a/config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yaml +++ b/config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: dosprotectedresources.appprotectdos.f5.com spec: group: appprotectdos.f5.com @@ -22,14 +22,19 @@ spec: description: DosProtectedResource defines a Dos protected resource. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object diff --git a/config/crd/bases/externaldns.nginx.org_dnsendpoints.yaml b/config/crd/bases/externaldns.nginx.org_dnsendpoints.yaml index 54d27d796e..33d91c9168 100644 --- a/config/crd/bases/externaldns.nginx.org_dnsendpoints.yaml +++ b/config/crd/bases/externaldns.nginx.org_dnsendpoints.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: dnsendpoints.externaldns.nginx.org spec: group: externaldns.nginx.org @@ -20,14 +20,19 @@ spec: description: DNSEndpoint is the CRD wrapper for Endpoint properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object diff --git a/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml b/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml index e5695ddd8f..63d9195cf0 100644 --- a/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml +++ b/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: globalconfigurations.k8s.nginx.org spec: group: k8s.nginx.org @@ -22,14 +22,19 @@ spec: description: GlobalConfiguration defines the GlobalConfiguration resource. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -61,14 +66,19 @@ spec: description: GlobalConfiguration defines the GlobalConfiguration resource. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object diff --git a/config/crd/bases/k8s.nginx.org_policies.yaml b/config/crd/bases/k8s.nginx.org_policies.yaml index 59bc5cb9d4..1954063005 100644 --- a/config/crd/bases/k8s.nginx.org_policies.yaml +++ b/config/crd/bases/k8s.nginx.org_policies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policies.k8s.nginx.org spec: group: k8s.nginx.org @@ -32,21 +32,27 @@ spec: resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: PolicySpec is the spec of the Policy resource. The spec includes - multiple fields, where each field represents a different policy. Only - one policy (field) is allowed. + description: |- + PolicySpec is the spec of the Policy resource. + The spec includes multiple fields, where each field represents a different policy. + Only one policy (field) is allowed. properties: accessControl: description: AccessControl defines an access policy based on the source @@ -62,8 +68,9 @@ spec: type: array type: object basicAuth: - description: 'BasicAuth holds HTTP Basic authentication configuration - policy status: preview' + description: |- + BasicAuth holds HTTP Basic authentication configuration + policy status: preview properties: realm: type: string @@ -223,21 +230,27 @@ spec: resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: PolicySpec is the spec of the Policy resource. The spec includes - multiple fields, where each field represents a different policy. Only - one policy (field) is allowed. + description: |- + PolicySpec is the spec of the Policy resource. + The spec includes multiple fields, where each field represents a different policy. + Only one policy (field) is allowed. properties: accessControl: description: AccessControl defines an access policy based on the source diff --git a/config/crd/bases/k8s.nginx.org_transportservers.yaml b/config/crd/bases/k8s.nginx.org_transportservers.yaml index ab3079a16c..1f272a2efd 100644 --- a/config/crd/bases/k8s.nginx.org_transportservers.yaml +++ b/config/crd/bases/k8s.nginx.org_transportservers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: transportservers.k8s.nginx.org spec: group: k8s.nginx.org @@ -34,14 +34,19 @@ spec: description: TransportServer defines the TransportServer resource. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -186,14 +191,19 @@ spec: description: TransportServer defines the TransportServer resource. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object diff --git a/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml b/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml index bc5b47c505..b51167a7ee 100644 --- a/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml +++ b/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: virtualserverroutes.k8s.nginx.org spec: group: k8s.nginx.org @@ -44,14 +44,19 @@ spec: description: VirtualServerRoute defines the VirtualServerRoute resource. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object diff --git a/config/crd/bases/k8s.nginx.org_virtualservers.yaml b/config/crd/bases/k8s.nginx.org_virtualservers.yaml index 73f12b1697..74e762459c 100644 --- a/config/crd/bases/k8s.nginx.org_virtualservers.yaml +++ b/config/crd/bases/k8s.nginx.org_virtualservers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: virtualservers.k8s.nginx.org spec: group: k8s.nginx.org @@ -44,14 +44,19 @@ spec: description: VirtualServer defines the VirtualServer resource. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -74,7 +79,8 @@ spec: providerSpecific: description: ProviderSpecific stores provider specific config items: - description: ProviderSpecificProperty defines specific property + description: |- + ProviderSpecificProperty defines specific property for using with ExternalDNS sub-resource. properties: name: diff --git a/deploy/crds-nap-dos.yaml b/deploy/crds-nap-dos.yaml index 89f6fae947..4613d42fca 100644 --- a/deploy/crds-nap-dos.yaml +++ b/deploy/crds-nap-dos.yaml @@ -148,7 +148,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: dosprotectedresources.appprotectdos.f5.com spec: group: appprotectdos.f5.com @@ -167,14 +167,19 @@ spec: description: DosProtectedResource defines a Dos protected resource. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object diff --git a/deploy/crds.yaml b/deploy/crds.yaml index a5d3ebcd13..b9498dd6dd 100644 --- a/deploy/crds.yaml +++ b/deploy/crds.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: dnsendpoints.externaldns.nginx.org spec: group: externaldns.nginx.org @@ -19,14 +19,19 @@ spec: description: DNSEndpoint is the CRD wrapper for Endpoint properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -94,7 +99,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: globalconfigurations.k8s.nginx.org spec: group: k8s.nginx.org @@ -113,14 +118,19 @@ spec: description: GlobalConfiguration defines the GlobalConfiguration resource. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -152,14 +162,19 @@ spec: description: GlobalConfiguration defines the GlobalConfiguration resource. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -190,7 +205,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policies.k8s.nginx.org spec: group: k8s.nginx.org @@ -219,21 +234,27 @@ spec: resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: PolicySpec is the spec of the Policy resource. The spec includes - multiple fields, where each field represents a different policy. Only - one policy (field) is allowed. + description: |- + PolicySpec is the spec of the Policy resource. + The spec includes multiple fields, where each field represents a different policy. + Only one policy (field) is allowed. properties: accessControl: description: AccessControl defines an access policy based on the source @@ -249,8 +270,9 @@ spec: type: array type: object basicAuth: - description: 'BasicAuth holds HTTP Basic authentication configuration - policy status: preview' + description: |- + BasicAuth holds HTTP Basic authentication configuration + policy status: preview properties: realm: type: string @@ -410,21 +432,27 @@ spec: resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: PolicySpec is the spec of the Policy resource. The spec includes - multiple fields, where each field represents a different policy. Only - one policy (field) is allowed. + description: |- + PolicySpec is the spec of the Policy resource. + The spec includes multiple fields, where each field represents a different policy. + Only one policy (field) is allowed. properties: accessControl: description: AccessControl defines an access policy based on the source @@ -512,7 +540,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: transportservers.k8s.nginx.org spec: group: k8s.nginx.org @@ -543,14 +571,19 @@ spec: description: TransportServer defines the TransportServer resource. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -695,14 +728,19 @@ spec: description: TransportServer defines the TransportServer resource. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -834,7 +872,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: virtualserverroutes.k8s.nginx.org spec: group: k8s.nginx.org @@ -875,14 +913,19 @@ spec: description: VirtualServerRoute defines the VirtualServerRoute resource. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -1518,7 +1561,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: virtualservers.k8s.nginx.org spec: group: k8s.nginx.org @@ -1559,14 +1602,19 @@ spec: description: VirtualServer defines the VirtualServer resource. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -1589,7 +1637,8 @@ spec: providerSpecific: description: ProviderSpecific stores provider specific config items: - description: ProviderSpecificProperty defines specific property + description: |- + ProviderSpecificProperty defines specific property for using with ExternalDNS sub-resource. properties: name: diff --git a/go.mod b/go.mod index 716f5ddaff..a6ab5e7ad4 100644 --- a/go.mod +++ b/go.mod @@ -3,9 +3,9 @@ module github.com/nginxinc/kubernetes-ingress go 1.21.3 require ( - github.com/aws/aws-sdk-go-v2/config v1.26.3 + github.com/aws/aws-sdk-go-v2/config v1.26.6 github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.19.6 - github.com/cert-manager/cert-manager v1.13.3 + github.com/cert-manager/cert-manager v1.14.2 github.com/dlclark/regexp2 v1.10.0 github.com/go-chi/chi/v5 v5.0.11 github.com/golang-jwt/jwt/v4 v4.5.0 @@ -16,31 +16,31 @@ require ( github.com/nginxinc/nginx-prometheus-exporter v1.1.0 github.com/nginxinc/nginx-service-mesh v1.7.0 github.com/prometheus/client_golang v1.18.0 - github.com/prometheus/common v0.45.0 - github.com/spiffe/go-spiffe/v2 v2.1.6 + github.com/prometheus/common v0.46.0 + github.com/spiffe/go-spiffe/v2 v2.1.7 github.com/stretchr/testify v1.8.4 - golang.org/x/exp v0.0.0-20231006140011-7918f672742d - k8s.io/api v0.29.0 - k8s.io/apimachinery v0.29.0 - k8s.io/client-go v0.29.0 - k8s.io/code-generator v0.29.0 - k8s.io/utils v0.0.0-20230726121419-3b25d923346b - sigs.k8s.io/controller-tools v0.13.0 + golang.org/x/exp v0.0.0-20231226003508-02704c960a9b + k8s.io/api v0.29.1 + k8s.io/apimachinery v0.29.1 + k8s.io/client-go v0.29.1 + k8s.io/code-generator v0.29.1 + k8s.io/utils v0.0.0-20240102154912-e7106e64919e + sigs.k8s.io/controller-tools v0.14.0 ) require ( github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect - github.com/Microsoft/go-winio v0.6.0 // indirect + github.com/Microsoft/go-winio v0.6.1 // indirect github.com/aws/aws-sdk-go-v2 v1.24.1 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.16.14 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.16.16 // indirect github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.18.6 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.6 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect github.com/aws/smithy-go v1.19.0 // indirect github.com/beorn7/perks v1.0.1 // indirect @@ -51,38 +51,37 @@ require ( github.com/coreos/go-systemd/v22 v22.5.0 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect - github.com/evanphx/json-patch v5.6.0+incompatible // indirect - github.com/fatih/color v1.15.0 // indirect + github.com/evanphx/json-patch v5.7.0+incompatible // indirect + github.com/fatih/color v1.16.0 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect - github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect + github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect github.com/go-jose/go-jose/v3 v3.0.1 // indirect github.com/go-kit/log v0.2.1 // indirect - github.com/go-ldap/ldap/v3 v3.4.5 // indirect + github.com/go-ldap/ldap/v3 v3.4.6 // indirect github.com/go-logfmt/logfmt v0.5.1 // indirect - github.com/go-logr/logr v1.3.0 // indirect + github.com/go-logr/logr v1.4.1 // indirect github.com/go-logr/stdr v1.2.2 // indirect - github.com/go-logr/zapr v1.2.4 // indirect - github.com/go-openapi/jsonpointer v0.19.6 // indirect - github.com/go-openapi/jsonreference v0.20.2 // indirect - github.com/go-openapi/swag v0.22.3 // indirect + github.com/go-logr/zapr v1.3.0 // indirect + github.com/go-openapi/jsonpointer v0.20.2 // indirect + github.com/go-openapi/jsonreference v0.20.4 // indirect + github.com/go-openapi/swag v0.22.7 // indirect github.com/gobuffalo/flect v1.0.2 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.3 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/uuid v1.3.1 // indirect + github.com/google/uuid v1.5.0 // indirect github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect - github.com/imdario/mergo v0.3.13 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.1 // indirect + github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/kr/text v0.2.0 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect - github.com/mattn/go-isatty v0.0.17 // indirect - github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect + github.com/mattn/go-isatty v0.0.20 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect @@ -90,54 +89,53 @@ require ( github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/prometheus/client_model v0.5.0 // indirect github.com/prometheus/procfs v0.12.0 // indirect - github.com/rogpeppe/go-internal v1.11.0 // indirect - github.com/spf13/cobra v1.7.0 // indirect + github.com/rogpeppe/go-internal v1.12.0 // indirect + github.com/spf13/cobra v1.8.0 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/zeebo/errs v1.3.0 // indirect - go.etcd.io/etcd/api/v3 v3.5.9 // indirect - go.etcd.io/etcd/client/pkg/v3 v3.5.9 // indirect - go.etcd.io/etcd/client/v3 v3.5.9 // indirect + go.etcd.io/etcd/api/v3 v3.5.11 // indirect + go.etcd.io/etcd/client/pkg/v3 v3.5.11 // indirect + go.etcd.io/etcd/client/v3 v3.5.11 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect go.opentelemetry.io/otel v1.21.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.20.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.20.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 // indirect go.opentelemetry.io/otel/metric v1.21.0 // indirect go.opentelemetry.io/otel/sdk v1.21.0 // indirect go.opentelemetry.io/otel/trace v1.21.0 // indirect go.opentelemetry.io/proto/otlp v1.0.0 // indirect go.uber.org/multierr v1.11.0 // indirect - go.uber.org/zap v1.25.0 // indirect - golang.org/x/crypto v0.17.0 // indirect - golang.org/x/mod v0.13.0 // indirect - golang.org/x/net v0.18.0 // indirect - golang.org/x/oauth2 v0.12.0 // indirect - golang.org/x/sys v0.15.0 // indirect - golang.org/x/term v0.15.0 // indirect + go.uber.org/zap v1.26.0 // indirect + golang.org/x/crypto v0.18.0 // indirect + golang.org/x/mod v0.14.0 // indirect + golang.org/x/net v0.20.0 // indirect + golang.org/x/oauth2 v0.16.0 // indirect + golang.org/x/sys v0.16.0 // indirect + golang.org/x/term v0.16.0 // indirect golang.org/x/text v0.14.0 // indirect - golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.14.0 // indirect - google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832 // indirect - google.golang.org/grpc v1.59.0 // indirect - google.golang.org/protobuf v1.31.0 // indirect + golang.org/x/time v0.5.0 // indirect + golang.org/x/tools v0.16.1 // indirect + google.golang.org/appengine v1.6.8 // indirect + google.golang.org/genproto v0.0.0-20240102182953-50ed04b92917 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917 // indirect + google.golang.org/grpc v1.60.1 // indirect + google.golang.org/protobuf v1.32.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/apiextensions-apiserver v0.28.1 // indirect - k8s.io/apiserver v0.28.1 // indirect - k8s.io/component-base v0.28.1 // indirect + k8s.io/apiextensions-apiserver v0.29.0 // indirect + k8s.io/apiserver v0.29.0 // indirect + k8s.io/component-base v0.29.0 // indirect k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01 // indirect k8s.io/klog/v2 v2.110.1 // indirect - k8s.io/kube-aggregator v0.28.1 // indirect - k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect - sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2 // indirect - sigs.k8s.io/gateway-api v0.8.0 // indirect + k8s.io/kube-openapi v0.0.0-20240103051144-eec4567ac022 // indirect + sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0 // indirect + sigs.k8s.io/gateway-api v1.0.0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect - sigs.k8s.io/yaml v1.3.0 // indirect + sigs.k8s.io/yaml v1.4.0 // indirect ) replace github.com/golang/glog => github.com/nginxinc/glog v1.1.2 diff --git a/go.sum b/go.sum index a57064b92b..9399cfa80a 100644 --- a/go.sum +++ b/go.sum @@ -1,53 +1,50 @@ -cloud.google.com/go v0.110.7 h1:rJyC7nWRg2jWGZ4wSJ5nY65GTdYJkg0cd/uXb+ACI6o= -cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopTwY= -cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= +cloud.google.com/go v0.111.0 h1:YHLKNupSD1KqjDbQ3+LVdQ81h/UJbJyZG203cEfnQgM= +cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk= +cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg= -github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE= +github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= +github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/aws/aws-sdk-go-v2 v1.24.1 h1:xAojnj+ktS95YZlDf0zxWBkbFtymPeDP+rvUQIH3uAU= github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4= -github.com/aws/aws-sdk-go-v2/config v1.26.3 h1:dKuc2jdp10y13dEEvPqWxqLoc0vF3Z9FC45MvuQSxOA= -github.com/aws/aws-sdk-go-v2/config v1.26.3/go.mod h1:Bxgi+DeeswYofcYO0XyGClwlrq3DZEXli0kLf4hkGA0= -github.com/aws/aws-sdk-go-v2/credentials v1.16.14 h1:mMDTwwYO9A0/JbOCOG7EOZHtYM+o7OfGWfu0toa23VE= -github.com/aws/aws-sdk-go-v2/credentials v1.16.14/go.mod h1:cniAUh3ErQPHtCQGPT5ouvSAQ0od8caTO9OOuufZOAE= +github.com/aws/aws-sdk-go-v2/config v1.26.6 h1:Z/7w9bUqlRI0FFQpetVuFYEsjzE3h7fpU6HuGmfPL/o= +github.com/aws/aws-sdk-go-v2/config v1.26.6/go.mod h1:uKU6cnDmYCvJ+pxO9S4cWDb2yWWIH5hra+32hVh1MI4= +github.com/aws/aws-sdk-go-v2/credentials v1.16.16 h1:8q6Rliyv0aUFAVtzaldUEcS+T5gbadPbWdV1WcAddK8= +github.com/aws/aws-sdk-go-v2/credentials v1.16.16/go.mod h1:UHVZrdUsv63hPXFo1H7c5fEneoVo9UXiz36QG1GEPi0= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tCKJDaHFwYEmxvlh2fAcFo8= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y= github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 h1:vF+Zgd9s+H4vOXd5BMaPWykta2a6Ih0AKLq/X6NYKn4= github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10/go.mod h1:6BkRjejp/GR4411UGqkX8+wFMbFbqsUIimfK4XjOKR4= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 h1:nYPe006ktcqUji8S2mqXf9c/7NdiKriOwMvWQHgYztw= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw= -github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 h1:GrSw8s0Gs/5zZ0SX+gX4zQjRnRsMJDJ2sLur1gRBhEM= -github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY= +github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 h1:n3GDfwqF2tzEkXlv5cuy4iy7LpKDtqDMcNLfZDu9rls= +github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 h1:DBYTXwIGQSGs9w4jKm60F5dmCQ3EEruxdc0MFh+3EY4= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10/go.mod h1:wohMUQiFdzo0NtxbBg0mSRGZ4vL3n0dKjLTINdcIino= github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.19.6 h1:JWy+uLKZQR/9a3gQ+jQa28FEJ/41Z0spdbbQodaXFeA= github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.19.6/go.mod h1:T2NcfuIuXWcuwVwg3rBIW6h1cfzCdrzSn4Hs0KltND8= -github.com/aws/aws-sdk-go-v2/service/sso v1.18.6 h1:dGrs+Q/WzhsiUKh82SfTVN66QzyulXuMDTV/G8ZxOac= -github.com/aws/aws-sdk-go-v2/service/sso v1.18.6/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.6 h1:Yf2MIo9x+0tyv76GljxzqA3WtC5mw7NmazD2chwjxE4= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.6/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8= +github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 h1:eajuO3nykDPdYicLlP3AGgOyVN3MOlFmZv7WGTuJPow= +github.com/aws/aws-sdk-go-v2/service/sso v1.18.7/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 h1:QPMJf+Jw8E1l7zqhZmMlFw6w1NmfkfiSK8mS4zOx3BA= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8= github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0= github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U= github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM= github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE= -github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= -github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A= -github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= -github.com/cert-manager/cert-manager v1.13.3 h1:3R4G0RI7K0OkTZhWlVOC5SGZMYa2NwqmQJoyKydrz/M= -github.com/cert-manager/cert-manager v1.13.3/go.mod h1:BM2+Pt/NmSv1Zr25/MHv6BgIEF9IUxA1xAjp80qkxgc= +github.com/cert-manager/cert-manager v1.14.2 h1:C/uci6yxiCRO04PWomBbSX+T4JT58FIIpDj5SZ6Ks6I= +github.com/cert-manager/cert-manager v1.14.2/go.mod h1:pik7K6jXfgh++lfVJ/i1HzEnDluSUtTVLXSHikj8Lho= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 h1:/inchEIKaYC1Akx+H+gqO04wryn5h75LSazbRlnya1k= @@ -56,7 +53,7 @@ github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec= github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -70,41 +67,41 @@ github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxER github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/protoc-gen-validate v1.0.2 h1:QkIBuU5k+x7/QXPvPPnWXWlCdaBFApVqftFV6k087DA= github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE= -github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= -github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= -github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= +github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= +github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= +github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= -github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= -github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A= -github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA= +github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-chi/chi/v5 v5.0.11 h1:BnpYbFZ3T3S1WMpD79r7R5ThWX40TaFB7L31Y8xqSwA= github.com/go-chi/chi/v5 v5.0.11/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA= github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= github.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU= github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= -github.com/go-ldap/ldap/v3 v3.4.5 h1:ekEKmaDrpvR2yf5Nc/DClsGG9lAmdDixe44mLzlW5r8= -github.com/go-ldap/ldap/v3 v3.4.5/go.mod h1:bMGIq3AGbytbaMwf8wdv5Phdxz0FWHTIYMSzyrYgnQs= +github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A= +github.com/go-ldap/ldap/v3 v3.4.6/go.mod h1:IGMQANNtxpsOzj7uUAMjpGBaOVTC4DYyIy8VsTdxmtc= github.com/go-logfmt/logfmt v0.5.1 h1:otpy5pqBCBZ1ng9RQ0dPu4PN7ba75Y/aA+UpowDyNVA= github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= -github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= -github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= -github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= -github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= -github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= -github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= -github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= -github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= +github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= +github.com/go-openapi/jsonpointer v0.20.2 h1:mQc3nmndL8ZBzStEo3JYF8wzmeWffDH4VbXz58sAx6Q= +github.com/go-openapi/jsonpointer v0.20.2/go.mod h1:bHen+N0u1KEO3YlmqOjTT9Adn1RfD91Ar825/PuiRVs= +github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdXSSgNeAhojU= +github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4= +github.com/go-openapi/swag v0.22.7 h1:JWrc1uc/P9cSomxfnsFSVWoE1FW6bNbrVPmpQYpCcR8= +github.com/go-openapi/swag v0.22.7/go.mod h1:Gl91UqO+btAM0plGGxHqJcQZ1ZTy6jbmridBTsDy8A0= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA= @@ -116,8 +113,8 @@ github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOW github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= @@ -136,8 +133,9 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU= +github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc= github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 h1:+9834+KizmvFV7pXQGSXQTsaWhq2GjuNUt0aUU0YBYw= @@ -146,10 +144,10 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92Bcuy github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg= -github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= -github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.1 h1:6UKoz5ujsI55KNpsJH3UwCq3T8kKbZwNZBNPuTTje8U= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.1/go.mod h1:YvJ2f6MplWDhfxiUC3KpyTy76kYUZA4W3pTv/wdKQ9Y= +github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= +github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ= @@ -160,9 +158,7 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= -github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= @@ -174,10 +170,8 @@ github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJ github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= -github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng= -github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= -github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg= -github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= @@ -199,10 +193,9 @@ github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= -github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg= -github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= +github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= -github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= @@ -212,30 +205,29 @@ github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+ github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= -github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM= -github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= +github.com/prometheus/common v0.46.0 h1:doXzt5ybi1HBKpsZOL0sSkaNHJJqkyfEWZGGqqScV0Y= +github.com/prometheus/common v0.46.0/go.mod h1:Tp0qkxpb9Jsg54QMe+EAmqXkSV7Evdy1BTn+g2pa/hQ= github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= -github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= -github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js= github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0= -github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= -github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= +github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= +github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spiffe/go-spiffe/v2 v2.1.6 h1:4SdizuQieFyL9eNU+SPiCArH4kynzaKOOj0VvM8R7Xo= -github.com/spiffe/go-spiffe/v2 v2.1.6/go.mod h1:eVDqm9xFvyqao6C+eQensb9ZPkyNEeaUbqbBpOhBnNk= +github.com/spiffe/go-spiffe/v2 v2.1.7 h1:VUkM1yIyg/x8X7u1uXqSRVRCdMdfRIEdFBzpqoeASGk= +github.com/spiffe/go-spiffe/v2 v2.1.7/go.mod h1:QJDGdhXllxjxvd5B+2XnhhXB/+rC8gr+lNrtOryiWeE= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= @@ -247,36 +239,35 @@ github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs= github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= -go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ= -go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw= -go.etcd.io/etcd/api/v3 v3.5.9 h1:4wSsluwyTbGGmyjJktOf3wFQoTBIURXHnq9n/G/JQHs= -go.etcd.io/etcd/api/v3 v3.5.9/go.mod h1:uyAal843mC8uUVSLWz6eHa/d971iDGnCRpmKd2Z+X8k= -go.etcd.io/etcd/client/pkg/v3 v3.5.9 h1:oidDC4+YEuSIQbsR94rY9gur91UPL6DnxDCIYd2IGsE= -go.etcd.io/etcd/client/pkg/v3 v3.5.9/go.mod h1:y+CzeSmkMpWN2Jyu1npecjB9BBnABxGM4pN8cGuJeL4= -go.etcd.io/etcd/client/v2 v2.305.9 h1:YZ2OLi0OvR0H75AcgSUajjd5uqKDKocQUqROTG11jIo= -go.etcd.io/etcd/client/v2 v2.305.9/go.mod h1:0NBdNx9wbxtEQLwAQtrDHwx58m02vXpDcgSYI2seohQ= -go.etcd.io/etcd/client/v3 v3.5.9 h1:r5xghnU7CwbUxD/fbUtRyJGaYNfDun8sp/gTr1hew6E= -go.etcd.io/etcd/client/v3 v3.5.9/go.mod h1:i/Eo5LrZ5IKqpbtpPDuaUnDOUv471oDg8cjQaUr2MbA= -go.etcd.io/etcd/pkg/v3 v3.5.9 h1:6R2jg/aWd/zB9+9JxmijDKStGJAPFsX3e6BeJkMi6eQ= -go.etcd.io/etcd/pkg/v3 v3.5.9/go.mod h1:BZl0SAShQFk0IpLWR78T/+pyt8AruMHhTNNX73hkNVY= -go.etcd.io/etcd/raft/v3 v3.5.9 h1:ZZ1GIHoUlHsn0QVqiRysAm3/81Xx7+i2d7nSdWxlOiI= -go.etcd.io/etcd/raft/v3 v3.5.9/go.mod h1:WnFkqzFdZua4LVlVXQEGhmooLeyS7mqzS4Pf4BCVqXg= -go.etcd.io/etcd/server/v3 v3.5.9 h1:vomEmmxeztLtS5OEH7d0hBAg4cjVIu9wXuNzUZx2ZA0= -go.etcd.io/etcd/server/v3 v3.5.9/go.mod h1:GgI1fQClQCFIzuVjlvdbMxNbnISt90gdfYyqiAIt65g= +go.etcd.io/bbolt v1.3.8 h1:xs88BrvEv273UsB79e0hcVrlUWmS0a8upikMFhSyAtA= +go.etcd.io/bbolt v1.3.8/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw= +go.etcd.io/etcd/api/v3 v3.5.11 h1:B54KwXbWDHyD3XYAwprxNzTe7vlhR69LuBgZnMVvS7E= +go.etcd.io/etcd/api/v3 v3.5.11/go.mod h1:Ot+o0SWSyT6uHhA56al1oCED0JImsRiU9Dc26+C2a+4= +go.etcd.io/etcd/client/pkg/v3 v3.5.11 h1:bT2xVspdiCj2910T0V+/KHcVKjkUrCZVtk8J2JF2z1A= +go.etcd.io/etcd/client/pkg/v3 v3.5.11/go.mod h1:seTzl2d9APP8R5Y2hFL3NVlD6qC/dOT+3kvrqPyTas4= +go.etcd.io/etcd/client/v2 v2.305.10 h1:MrmRktzv/XF8CvtQt+P6wLUlURaNpSDJHFZhe//2QE4= +go.etcd.io/etcd/client/v2 v2.305.10/go.mod h1:m3CKZi69HzilhVqtPDcjhSGp+kA1OmbNn0qamH80xjA= +go.etcd.io/etcd/client/v3 v3.5.11 h1:ajWtgoNSZJ1gmS8k+icvPtqsqEav+iUorF7b0qozgUU= +go.etcd.io/etcd/client/v3 v3.5.11/go.mod h1:a6xQUEqFJ8vztO1agJh/KQKOMfFI8og52ZconzcDJwE= +go.etcd.io/etcd/pkg/v3 v3.5.10 h1:WPR8K0e9kWl1gAhB5A7gEa5ZBTNkT9NdNWrR8Qpo1CM= +go.etcd.io/etcd/pkg/v3 v3.5.10/go.mod h1:TKTuCKKcF1zxmfKWDkfz5qqYaE3JncKKZPFf8c1nFUs= +go.etcd.io/etcd/raft/v3 v3.5.10 h1:cgNAYe7xrsrn/5kXMSaH8kM/Ky8mAdMqGOxyYwpP0LA= +go.etcd.io/etcd/raft/v3 v3.5.10/go.mod h1:odD6kr8XQXTy9oQnyMPBOr0TVe+gT0neQhElQ6jbGRc= +go.etcd.io/etcd/server/v3 v3.5.10 h1:4NOGyOwD5sUZ22PiWYKmfxqoeh72z6EhYjNosKGLmZg= +go.etcd.io/etcd/server/v3 v3.5.10/go.mod h1:gBplPHfs6YI0L+RpGkTQO7buDbHv5HJGG/Bst0/zIPo= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 h1:SpGay3w+nEwMpfVnbqOLH5gY52/foP8RE8UzTZ1pdSE= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1/go.mod h1:4UoMYEZOC0yN/sPGH76KPkkU7zgiEWYWL9vwmbnTJPE= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.0 h1:1eHu3/pUSWaOgltNK3WJFaywKsTIr/PwvHyDmi0lQA0= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.0/go.mod h1:HyABWq60Uy1kjJSa2BVOxUVao8Cdick5AWSKPutqy6U= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 h1:aFJWCqJMNjENlcleuuOkGAPH82y0yULBScfXcIEdS24= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1/go.mod h1:sEGXWArGqc3tVa+ekntsN65DmVbVeW+7lTKTjZF3/Fo= go.opentelemetry.io/otel v1.21.0 h1:hzLeKBZEL7Okw2mGzZ0cc4k/A7Fta0uoPgaJCr8fsFc= go.opentelemetry.io/otel v1.21.0/go.mod h1:QZzNPQPm1zLX4gZK4cMi+71eaorMSGT3A4znnUvNNEo= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.20.0 h1:DeFD0VgTZ+Cj6hxravYYZE2W4GlneVH81iAOPjZkzk8= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.20.0/go.mod h1:GijYcYmNpX1KazD5JmWGsi4P7dDTTTnfv1UbGn84MnU= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.20.0 h1:gvmNvqrPYovvyRmCSygkUDyL8lC5Tl845MLEwqpxhEU= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.20.0/go.mod h1:vNUq47TGFioo+ffTSnKNdob241vePmtNZnAODKapKd0= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 h1:cl5P5/GIfFh4t6xyruOgJP5QiA1pw4fYYdv6nc6CBWw= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0/go.mod h1:zgBdWWAu7oEEMC06MMKc5NLbA/1YDXV1sMpSqEeLQLg= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 h1:tIqheXEFWAZ7O8A7m+J0aPTmpJN3YQ7qetUAdkkkKpk= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0/go.mod h1:nUeKExfxAQVbiVFn32YXpXZZHZ61Cc3s3Rn1pDBGAb0= go.opentelemetry.io/otel/metric v1.21.0 h1:tlYWfeo+Bocx5kLEloTjbcDwBuELRrIFxwdQ36PlJu4= go.opentelemetry.io/otel/metric v1.21.0/go.mod h1:o1p3CA8nNHW8j5yuQLdc1eeqEaPfzug24uvsyIEJRWM= go.opentelemetry.io/otel/sdk v1.21.0 h1:FTt8qirL1EysG6sTQRZ5TokkU8d0ugCj8htOgThZXQ8= @@ -285,53 +276,43 @@ go.opentelemetry.io/otel/trace v1.21.0 h1:WD9i5gzvoUPuXIXH24ZNBudiarZDKuekPqi/E8 go.opentelemetry.io/otel/trace v1.21.0/go.mod h1:LGbsEB0f9LGjN+OZaQQ26sohbOmiMR+BaslueVtS/qQ= go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= -go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= -go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= -go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= -go.uber.org/zap v1.25.0 h1:4Hvk6GtkucQ790dqmj7l1eEnRdKm3k3ZUrUMS2d5+5c= -go.uber.org/zap v1.25.0/go.mod h1:JIAUzQIH94IC4fOJQm7gMmBJP5k7wQfdcnYdPoEXJYk= +go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= +go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= -golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= -golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI= -golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo= -golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= +golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= +golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= +golang.org/x/exp v0.0.0-20231226003508-02704c960a9b h1:kLiC65FbiHWFAOu+lxwNPujcsl8VYyTYYEZnsOO1WK4= +golang.org/x/exp v0.0.0-20231226003508-02704c960a9b/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY= -golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= +golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= -golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg= -golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ= -golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4= -golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= +golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= +golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ= +golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= @@ -340,63 +321,62 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= -golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= -golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= -golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= -golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= +golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= +golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= -golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= +golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc= -golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg= +golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= +golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= -google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY= -google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4= -google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d h1:DoPTO70H+bcDXcd39vOqb2viZxgqeBeSGtZ55yZU4/Q= -google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d/go.mod h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832 h1:o4LtQxebKIJ4vkzyhtD2rfUNZ20Zf0ik5YVP5E7G7VE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20230911183012-2d3300fd4832/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= -google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk= -google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= +google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= +google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= +google.golang.org/genproto v0.0.0-20240102182953-50ed04b92917 h1:nz5NESFLZbJGPFxDT/HCn+V1mZ8JGNoY4nUpmW/Y2eg= +google.golang.org/genproto v0.0.0-20240102182953-50ed04b92917/go.mod h1:pZqR+glSb11aJ+JQcczCvgf47+duRuzNSKqE8YAQnV0= +google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917 h1:rcS6EyEaoCO52hQDupoSfrxI3R6C2Tq741is7X8OvnM= +google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917/go.mod h1:CmlNWB9lSezaYELKS5Ym1r44VrrbPUa7JTvw+6MbpJ0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917 h1:6G8oQ016D88m1xAKljMlBOOGWDZkes4kMhgGFlf8WcQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917/go.mod h1:xtjpI3tXFPP051KaWnhvxkiubL/6dJ18vLVf7q2pTOU= +google.golang.org/grpc v1.60.1 h1:26+wFr+cNqSGFcOXcabYC0lUVJVRa2Sb2ortSK7VrEU= +google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= -google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= +google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= @@ -410,44 +390,41 @@ gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A= -k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA= -k8s.io/apiextensions-apiserver v0.28.1 h1:l2ThkBRjrWpw4f24uq0Da2HaEgqJZ7pcgiEUTKSmQZw= -k8s.io/apiextensions-apiserver v0.28.1/go.mod h1:sVvrI+P4vxh2YBBcm8n2ThjNyzU4BQGilCQ/JAY5kGs= -k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o= -k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis= -k8s.io/apiserver v0.28.1 h1:dw2/NKauDZCnOUAzIo2hFhtBRUo6gQK832NV8kuDbGM= -k8s.io/apiserver v0.28.1/go.mod h1:d8aizlSRB6yRgJ6PKfDkdwCy2DXt/d1FDR6iJN9kY1w= -k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8= -k8s.io/client-go v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38= -k8s.io/code-generator v0.29.0 h1:2LQfayGDhaIlaamXjIjEQlCMy4JNCH9lrzas4DNW1GQ= -k8s.io/code-generator v0.29.0/go.mod h1:5bqIZoCxs2zTRKMWNYqyQWW/bajc+ah4rh0tMY8zdGA= -k8s.io/component-base v0.28.1 h1:LA4AujMlK2mr0tZbQDZkjWbdhTV5bRyEyAFe0TJxlWg= -k8s.io/component-base v0.28.1/go.mod h1:jI11OyhbX21Qtbav7JkhehyBsIRfnO8oEgoAR12ArIU= +k8s.io/api v0.29.1 h1:DAjwWX/9YT7NQD4INu49ROJuZAAAP/Ijki48GUPzxqw= +k8s.io/api v0.29.1/go.mod h1:7Kl10vBRUXhnQQI8YR/R327zXC8eJ7887/+Ybta+RoQ= +k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0= +k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc= +k8s.io/apimachinery v0.29.1 h1:KY4/E6km/wLBguvCZv8cKTeOwwOBqFNjwJIdMkMbbRc= +k8s.io/apimachinery v0.29.1/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU= +k8s.io/apiserver v0.29.0 h1:Y1xEMjJkP+BIi0GSEv1BBrf1jLU9UPfAnnGGbbDdp7o= +k8s.io/apiserver v0.29.0/go.mod h1:31n78PsRKPmfpee7/l9NYEv67u6hOL6AfcE761HapDM= +k8s.io/client-go v0.29.1 h1:19B/+2NGEwnFLzt0uB5kNJnfTsbV8w6TgQRz9l7ti7A= +k8s.io/client-go v0.29.1/go.mod h1:TDG/psL9hdet0TI9mGyHJSgRkW3H9JZk2dNEUS7bRks= +k8s.io/code-generator v0.29.1 h1:8ba8BdtSmAVHgAMpzThb/fuyQeTRtN7NtN7VjMcDLew= +k8s.io/code-generator v0.29.1/go.mod h1:FwFi3C9jCrmbPjekhaCYcYG1n07CYiW1+PAPCockaos= +k8s.io/component-base v0.29.0 h1:T7rjd5wvLnPBV1vC4zWd/iWRbV8Mdxs+nGaoaFzGw3s= +k8s.io/component-base v0.29.0/go.mod h1:sADonFTQ9Zc9yFLghpDpmNXEdHyQmFIGbiuZbqAXQ1M= k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01 h1:pWEwq4Asjm4vjW7vcsmijwBhOr1/shsbSYiWXmNGlks= k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= -k8s.io/kube-aggregator v0.28.1 h1:rvG4llYnQKHjj6YjjoBPEJxfD1uH0DJwkrJTNKGAaCs= -k8s.io/kube-aggregator v0.28.1/go.mod h1:JaLizMe+AECSpO2OmrWVsvnG0V3dX1RpW+Wq/QHbu18= -k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= -k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= -k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= -k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2 h1:trsWhjU5jZrx6UvFu4WzQDrN7Pga4a7Qg+zcfcj64PA= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2/go.mod h1:+qG7ISXqCDVVcyO8hLn12AKVYYUjM7ftlqsqmrhMZE0= -sigs.k8s.io/controller-tools v0.13.0 h1:NfrvuZ4bxyolhDBt/rCZhDnx3M2hzlhgo5n3Iv2RykI= -sigs.k8s.io/controller-tools v0.13.0/go.mod h1:5vw3En2NazbejQGCeWKRrE7q4P+CW8/klfVqP8QZkgA= -sigs.k8s.io/gateway-api v0.8.0 h1:isQQ3Jx2qFP7vaA3ls0846F0Amp9Eq14P08xbSwVbQg= -sigs.k8s.io/gateway-api v0.8.0/go.mod h1:okOnjPNBFbIS/Rw9kAhuIUaIkLhTKEu+ARIuXk2dgaM= +k8s.io/kube-openapi v0.0.0-20240103051144-eec4567ac022 h1:avRdiaB03v88Mfvum2S3BBwkNuTlmuar4LlfO9Hajko= +k8s.io/kube-openapi v0.0.0-20240103051144-eec4567ac022/go.mod h1:sIV51WBTkZrlGOJMCDZDA1IaPBUDTulPpD4y7oe038k= +k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ= +k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0 h1:/U5vjBbQn3RChhv7P11uhYvCSm5G2GaIi5AIGBS6r4c= +sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0/go.mod h1:z7+wmGM2dfIiLRfrC6jb5kV2Mq/sK1ZP303cxzkV5Y4= +sigs.k8s.io/controller-tools v0.14.0 h1:rnNoCC5wSXlrNoBKKzL70LNJKIQKEzT6lloG6/LF73A= +sigs.k8s.io/controller-tools v0.14.0/go.mod h1:TV7uOtNNnnR72SpzhStvPkoS/U5ir0nMudrkrC4M9Sc= +sigs.k8s.io/gateway-api v1.0.0 h1:iPTStSv41+d9p0xFydll6d7f7MOBGuqXM6p2/zVYMAs= +sigs.k8s.io/gateway-api v1.0.0/go.mod h1:4cUgr0Lnp5FZ0Cdq8FdRwCvpiWws7LVhLHGIudLlf4c= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= -sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= -sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= From 5a1807ea9164b58ca3c7a20a7c31ebb998bd5d08 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Mon, 12 Feb 2024 14:10:09 +0000 Subject: [PATCH 14/22] Image SHA update cherry picks (#5067) * Bump opentracing/nginx-opentracing from `426c2ff` to `2e0268d` in /build (#4927) Bumps opentracing/nginx-opentracing from `426c2ff` to `2e0268d`. --- updated-dependencies: - dependency-name: opentracing/nginx-opentracing dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump nginx from `a59278f` to `a59278f` in /build (#4926) Bumps nginx from `a59278f` to `a59278f`. --- updated-dependencies: - dependency-name: nginx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump golang from `4db4aac` to `fd78f2f` in /build (#4928) Bumps golang from `4db4aac` to `fd78f2f`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump the docker-images group in /build with 1 update (#4925) * Bump the docker-images group in /build with 1 update Bumps the docker-images group in /build with 1 update: debian. Updates `debian` from 11-slim to 12-slim --- updated-dependencies: - dependency-name: debian dependency-type: direct:production dependency-group: docker-images ... Signed-off-by: dependabot[bot] --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Paul Abel Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> * Bump golang from `fd78f2f` to `51a7800` in /build (#4984) Bumps golang from `fd78f2f` to `51a7800`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump nginxcontrib/nginx from `4059aff` to `4a3e891` in /build (#4992) Bumps nginxcontrib/nginx from `4059aff` to `4a3e891`. --- updated-dependencies: - dependency-name: nginxcontrib/nginx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump redhat/ubi9-minimal from `a340f4b` to `582e18f` in /build (#4994) Bumps redhat/ubi9-minimal from `a340f4b` to `582e18f`. --- updated-dependencies: - dependency-name: redhat/ubi9-minimal dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump nginx from `a59278f` to `d12e6f7` in /build (#5003) Bumps nginx from `a59278f` to `d12e6f7`. --- updated-dependencies: - dependency-name: nginx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump golang from `51a7800` to `a6a7f1f` in /build (#5004) Bumps golang from `51a7800` to `a6a7f1f`. --- updated-dependencies: - dependency-name: golang dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump nginx from `d12e6f7` to `5b7ff23` in /build (#5012) Bumps nginx from `d12e6f7` to `5b7ff23`. --- updated-dependencies: - dependency-name: nginx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump nginx from `5b7ff23` to `156d75f` in /build (#5019) Bumps nginx from `5b7ff23` to `156d75f`. --- updated-dependencies: - dependency-name: nginx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump nginx from `156d75f` to `156d75f` in /build (#5028) Bumps nginx from `156d75f` to `156d75f`. --- updated-dependencies: - dependency-name: nginx dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * Bump redhat/ubi8 from `fc88b13` to `23d8dfd` in /build (#5029) Bumps redhat/ubi8 from `fc88b13` to `23d8dfd`. --- updated-dependencies: - dependency-name: redhat/ubi8 dependency-type: direct:production ... Signed-off-by: dependabot[bot] * Bump the docker-tests group in /tests with 1 update (#5033) Bumps the docker-tests group in /tests with 1 update: kindest/node. Updates `kindest/node` from v1.29.0 to v1.29.1 --- updated-dependencies: - dependency-name: kindest/node dependency-type: direct:production dependency-group: docker-tests ... Signed-off-by: dependabot[bot] --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build/Dockerfile | 18 +++++++++--------- tests/Dockerfile | 2 +- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 50eb44338d..ccc65ba112 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -6,13 +6,13 @@ ARG DEBIAN_FRONTEND=noninteractive ############################################# Base images containing libs for Opentracing and FIPS ############################################# -FROM opentracing/nginx-opentracing:nginx-1.25.3@sha256:426c2ff410f637eb243363f58c118254b5663e90224e5ab3c99d985eea50ec18 as opentracing-lib +FROM opentracing/nginx-opentracing:nginx-1.25.3@sha256:2e0268d3cd31fe047c2fe566f29731865b0c99cc99b579c6584b23cd3c7830ef as opentracing-lib FROM opentracing/nginx-opentracing:nginx-1.25.3-alpine@sha256:08ccc2c8bb28f01cb17b7619f139830b3af7950826b819b267393aefa32f23ab as alpine-opentracing-lib FROM ghcr.io/nginxinc/alpine-fips:0.1.1-alpine3.18@sha256:6f124002650fae697152290a14a7caa7f21884e8d78d8236c63fec2d018d721d as alpine-fips ############################################# Base image for Alpine ############################################# -FROM nginx:1.25.3-alpine@sha256:a59278fd22a9d411121e190b8cec8aa57b306aa3332459197777583beb728f59 AS alpine +FROM nginx:1.25.3-alpine@sha256:156d75f07c59b2fd59d3d1470631777943bb574135214f0a90c7bb82bde916da AS alpine RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ apk add --no-cache libcap libstdc++ \ @@ -24,7 +24,7 @@ RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ ############################################# Base image for Debian ############################################# -FROM nginx:1.25.3@sha256:2bdc49f2f8ae8d8dc50ed00f2ee56d00385c6f8bc8a8b320d0a294d9e3b49026 AS debian +FROM nginx:1.25.3@sha256:8b4c32060a41e8c07e4b33c2e2695510c729314d84b2b71a1c5d7002aaf0b5ad AS debian RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ apt-get update \ @@ -37,7 +37,7 @@ RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ ############################################# Base image for UBI ############################################# -FROM nginxcontrib/nginx:1.25.3-ubi@sha256:4059affa739e77196cf465edf9fac1150afacc2a4ef3e12ae74cf594b9c1198a AS ubi +FROM nginxcontrib/nginx:1.25.3-ubi@sha256:4a3e891705687db11a02a3ba37a1ce42b01349d49198a956576787ab4a3a7a0c AS ubi ARG IC_VERSION LABEL name="NGINX Ingress Controller" \ @@ -111,7 +111,7 @@ RUN --mount=type=bind,from=alpine-fips,target=/tmp/fips/ \ ############################################# Base image for Debian with NGINX Plus ############################################# -FROM debian:12-slim@sha256:f80c45482c8d147da87613cb6878a7238b8642bcc24fc11bad78c7bec726f340 AS debian-plus +FROM debian:12-slim@sha256:f4a83aa865a2b4a064ff142aa91c713180df9fcb86ce676b5de2981029379c37 AS debian-plus SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ @@ -135,7 +135,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for Debian with NGINX Plus and App Protect WAF/DoS ############################################# -FROM debian:11-slim@sha256:d3d0d14f49b49a4dd98a436711f5646dc39e1c99203ef223d1b6620061e2c0e5 as debian-plus-nap +FROM debian:11-slim@sha256:41c3fecb70015fd9c72d6df95573de3f92d5f4f46fdabe8dbd8d2bfb1531594d as debian-plus-nap ARG NAP_MODULES RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ @@ -189,7 +189,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus ############################################# -FROM redhat/ubi9-minimal@sha256:a340f4b9fb261a75c84666a3dccb88e193a116da3cebabaf9bcdc33609b61172 AS ubi-plus +FROM redhat/ubi9-minimal@sha256:582e18f13291d7c686ec4e6e92d20b24c62ae0fc72767c46f30a69b1a6198055 AS ubi-plus SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ @@ -208,7 +208,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus and App Protect WAF/DoS ############################################# -FROM redhat/ubi8@sha256:1fdb97f2d2a44fdef3feaa69100f154631bae65130105ac685d0e34eb1d8c3d0 as ubi-plus-nap +FROM redhat/ubi8@sha256:23d8dfd08024fdfa34b168c297d8c74a1dc58675b02b3418925932df123b755c as ubi-plus-nap ARG NAP_MODULES RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ @@ -313,7 +313,7 @@ LABEL org.nginx.kic.image.build.nginx.version="${NGINX_PLUS_VERSION}${NGINX_VERS ############################################# Build nginx-ingress in golang container ############################################# -FROM golang:1.21-alpine@sha256:4db4aac30880b978cae5445dd4a706215249ad4f43d28bd7cdf7906e9be8dd6b AS builder +FROM golang:1.21-alpine@sha256:a6a7f1fcf12f5efa9e04b1e75020931a616cd707f14f62ab5262bfbe109aa84a AS builder ARG IC_VERSION ARG TARGETARCH diff --git a/tests/Dockerfile b/tests/Dockerfile index 7c70a8e356..b64f59add0 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1.5 # this is here so we can grab the latest version of kind and have dependabot keep it up to date -FROM kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31 +FROM kindest/node:v1.29.1@sha256:a0cc28af37cf39b019e2b448c54d1a3f789de32536cb5a5db61a49623e527144 FROM python:3.12@sha256:3733015cdd1bd7d9a0b9fe21a925b608de82131aa4f3d397e465a1fcb545d36f From 8acba1431c9ade18f659de70c6078cae90e81300 Mon Sep 17 00:00:00 2001 From: oseoin Date: Mon, 12 Feb 2024 16:38:47 +0000 Subject: [PATCH 15/22] Helm notes cherry pick (#5071) Add docs links to helm NOTES.txt (#4953) --- charts/nginx-ingress/README.md | 8 ++++++++ charts/nginx-ingress/templates/NOTES.txt | 14 +++++++++++++- .../installing-nic/installation-with-helm.md | 8 ++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/charts/nginx-ingress/README.md b/charts/nginx-ingress/README.md index f4ecf5d29c..32c49f489f 100644 --- a/charts/nginx-ingress/README.md +++ b/charts/nginx-ingress/README.md @@ -48,6 +48,14 @@ To upgrade the CRDs, pull the chart sources as described in [Pulling the Chart]( kubectl apply -f crds/ ``` +Alternatively, CRDs can be upgraded without pulling the chart by running: + +```console +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/deploy/crds.yaml +``` + +In the above command, `v3.4.2` represents the version of NGINX Ingress Controller release rather than the Helm chart version. + > **Note** > > The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by diff --git a/charts/nginx-ingress/templates/NOTES.txt b/charts/nginx-ingress/templates/NOTES.txt index c5f4cdf405..c9a2739771 100644 --- a/charts/nginx-ingress/templates/NOTES.txt +++ b/charts/nginx-ingress/templates/NOTES.txt @@ -1 +1,13 @@ -The NGINX Ingress Controller has been installed. +NGINX Ingress Controller {{ .Chart.AppVersion }} has been installed. + +For release notes for this version please see: https://docs.nginx.com/nginx-ingress-controller/releases/ + +Installation and upgrade instructions: https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/ + +{{ if .Release.IsUpgrade -}} +If you are upgrading from a version of the chart that uses older Custom Resource Definitions (CRD) it is necessary to manually upgrade the CRDs as this is not managed by Helm. +To update to the latest version of the CRDs: + $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v{{ .Chart.AppVersion }}/deploy/crds.yaml + +More details on upgrading the CRDs: https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/#upgrading-the-crds +{{- end -}} diff --git a/docs/content/installation/installing-nic/installation-with-helm.md b/docs/content/installation/installing-nic/installation-with-helm.md index 52a42af2b3..4689961ec5 100644 --- a/docs/content/installation/installing-nic/installation-with-helm.md +++ b/docs/content/installation/installing-nic/installation-with-helm.md @@ -42,6 +42,14 @@ To upgrade the CRDs, pull the chart sources as described in [Pulling the Chart]( kubectl apply -f crds/ ``` +Alternatively, CRDs can be upgraded without pulling the chart by running: + +```console +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/deploy/crds.yaml +``` + +In the above command, `v3.4.2` represents the version of NGINX Ingress Controller release rather than the Helm chart version. + {{}}The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply`. Make sure to check the [release notes](https://www.github.com/nginxinc/kubernetes-ingress/releases) for a new release for any special upgrade procedures. From 997981fe3b237ed14699fd8423cc6639130ced00 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Tue, 13 Feb 2024 11:46:42 +0000 Subject: [PATCH 16/22] Fixed validation for VSR exact & regex subroutes (#4744) (#5079) * Fixed validation for VSR exact & regex subroutes --- ...server-and-virtualserverroute-resources.md | 2 +- .../configuration/validation/virtualserver.go | 4 +- .../validation/virtualserver_test.go | 213 +++++++++++++++++- 3 files changed, 204 insertions(+), 15 deletions(-) diff --git a/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md b/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md index 1799b281fb..196163b0c1 100644 --- a/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md +++ b/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md @@ -301,7 +301,7 @@ action: {{% table %}} |Field | Description | Type | Required | | ---| ---| ---| --- | -|``path`` | The path of the subroute. NGINX will match it against the URI of a request. Possible values are: a prefix ( ``/`` , ``/path`` ), an exact match ( ``=/exact/match`` ), a case insensitive regular expression ( ``~*^/Bar.*\.jpg`` ) or a case sensitive regular expression ( ``~^/foo.*\.jpg`` ). In the case of a prefix, the path must start with the same path as the path of the route of the VirtualServer that references this resource. In the case of an exact or regex match, the path must be the same as the path of the route of the VirtualServer that references this resource. In the case of a prefix or an exact match, the path must not include any whitespace characters, ``{`` , ``}`` or ``;``. In the case of the regex matches, all double quotes ``"`` must be escaped and the match can't end in an unescaped backslash ``\``. The path must be unique among the paths of all subroutes of the VirtualServerRoute. | ``string`` | Yes | +|``path`` | The path of the subroute. NGINX will match it against the URI of a request. Possible values are: a prefix ( ``/`` , ``/path`` ), an exact match ( ``=/exact/match`` ), a case insensitive regular expression ( ``~*^/Bar.*\.jpg`` ) or a case sensitive regular expression ( ``~^/foo.*\.jpg`` ). In the case of a prefix, the path must start with the same path as the path of the route of the VirtualServer that references this resource. In the case of an exact or regex match, the path must be the same as the path of the route of the VirtualServer that references this resource. A matching path of the route of the VirtualServer but in different type is not accepted, e.g. a regex path (`~/match`) cannot be used with a prefix path in VirtualServer (`/match`) In the case of a prefix or an exact match, the path must not include any whitespace characters, ``{`` , ``}`` or ``;``. In the case of the regex matches, all double quotes ``"`` must be escaped and the match can't end in an unescaped backslash ``\``. The path must be unique among the paths of all subroutes of the VirtualServerRoute. | ``string`` | Yes | |``policies`` | A list of policies. The policies override *all* policies defined in the route of the VirtualServer that references this resource. The policies also override the policies of the same type defined in the ``spec`` of the VirtualServer. See [Applying Policies](/nginx-ingress-controller/configuration/policy-resource/#applying-policies) for more details. | [[]policy](#virtualserverpolicy) | No | |``action`` | The default action to perform for a request. | [action](#action) | No | |``dos`` | A reference to a DosProtectedResource, setting this enables DOS protection of the VirtualServerRoute subroute. | ``string`` | No | diff --git a/pkg/apis/configuration/validation/virtualserver.go b/pkg/apis/configuration/validation/virtualserver.go index 4f260c7f88..cf3fa9907c 100644 --- a/pkg/apis/configuration/validation/virtualserver.go +++ b/pkg/apis/configuration/validation/virtualserver.go @@ -1466,7 +1466,7 @@ func isValidMatchValue(value string) []string { // ValidateVirtualServerRoute validates a VirtualServerRoute. func (vsv *VirtualServerValidator) ValidateVirtualServerRoute(virtualServerRoute *v1.VirtualServerRoute) error { - allErrs := vsv.validateVirtualServerRouteSpec(&virtualServerRoute.Spec, field.NewPath("spec"), "", "/", virtualServerRoute.Namespace) + allErrs := vsv.validateVirtualServerRouteSpec(&virtualServerRoute.Spec, field.NewPath("spec"), "", "", virtualServerRoute.Namespace) return allErrs.ToAggregate() } @@ -1527,7 +1527,7 @@ func (vsv *VirtualServerValidator) validateVirtualServerRouteSubroutes(routes [] isRouteFieldForbidden := true routeErrs := vsv.validateRoute(r, idxPath, upstreamNames, isRouteFieldForbidden, namespace) - if vsPath != "" && !strings.HasPrefix(r.Path, vsPath) && !isRegexOrExactMatch(r.Path) { + if vsPath != "" && !strings.HasPrefix(r.Path, vsPath) { msg := fmt.Sprintf("must start with '%s'", vsPath) routeErrs = append(routeErrs, field.Invalid(idxPath, r.Path, msg)) } diff --git a/pkg/apis/configuration/validation/virtualserver_test.go b/pkg/apis/configuration/validation/virtualserver_test.go index 6e46fb59e5..1d3170829f 100644 --- a/pkg/apis/configuration/validation/virtualserver_test.go +++ b/pkg/apis/configuration/validation/virtualserver_test.go @@ -2426,13 +2426,13 @@ func TestValidateVirtualServerRouteSubroutes(t *testing.T) { tests := []struct { routes []v1.Route upstreamNames sets.Set[string] - pathPrefix string + vsPath string msg string }{ { routes: []v1.Route{}, upstreamNames: sets.Set[string]{}, - pathPrefix: "/", + vsPath: "/", msg: "no routes", }, { @@ -2447,8 +2447,74 @@ func TestValidateVirtualServerRouteSubroutes(t *testing.T) { upstreamNames: map[string]sets.Empty{ "test": {}, }, - pathPrefix: "/", - msg: "valid route", + vsPath: "/", + msg: "valid prefix route", + }, + { + routes: []v1.Route{ + { + Path: "/", + Action: &v1.Action{ + Pass: "test", + }, + }, + { + Path: "/test", + Action: &v1.Action{ + Pass: "test", + }, + }, + }, + upstreamNames: map[string]sets.Empty{ + "test": {}, + }, + vsPath: "/", + msg: "valid route prefix with two paths", + }, + { + routes: []v1.Route{ + { + Path: "~/test", + Action: &v1.Action{ + Pass: "test", + }, + }, + }, + upstreamNames: map[string]sets.Empty{ + "test": {}, + }, + vsPath: "~/test", + msg: "valid regex route", + }, + { + routes: []v1.Route{ + { + Path: "~ /regex1/?(.*)", + Action: &v1.Action{ + Pass: "test", + }, + }, + }, + upstreamNames: map[string]sets.Empty{ + "test": {}, + }, + vsPath: "~ /regex1/?(.*)", + msg: "valid regex route", + }, + { + routes: []v1.Route{ + { + Path: "=/test", + Action: &v1.Action{ + Pass: "test", + }, + }, + }, + upstreamNames: map[string]sets.Empty{ + "test": {}, + }, + vsPath: "=/test", + msg: "valid exact route", }, } @@ -2456,7 +2522,7 @@ func TestValidateVirtualServerRouteSubroutes(t *testing.T) { for _, test := range tests { allErrs := vsv.validateVirtualServerRouteSubroutes(test.routes, field.NewPath("subroutes"), test.upstreamNames, - test.pathPrefix, "default") + test.vsPath, "default") if len(allErrs) > 0 { t.Errorf("validateVirtualServerRouteSubroutes() returned errors %v for valid input for the case of %s", allErrs, test.msg) } @@ -2468,7 +2534,7 @@ func TestValidateVirtualServerRouteSubroutesFails(t *testing.T) { tests := []struct { routes []v1.Route upstreamNames sets.Set[string] - pathPrefix string + vsPath string msg string }{ { @@ -2490,8 +2556,8 @@ func TestValidateVirtualServerRouteSubroutesFails(t *testing.T) { "test-1": {}, "test-2": {}, }, - pathPrefix: "/", - msg: "duplicated paths", + vsPath: "/", + msg: "duplicated paths", }, { routes: []v1.Route{ @@ -2501,7 +2567,7 @@ func TestValidateVirtualServerRouteSubroutesFails(t *testing.T) { }, }, upstreamNames: map[string]sets.Empty{}, - pathPrefix: "", + vsPath: "", msg: "invalid route", }, { @@ -2516,8 +2582,131 @@ func TestValidateVirtualServerRouteSubroutesFails(t *testing.T) { upstreamNames: map[string]sets.Empty{ "test-1": {}, }, - pathPrefix: "/abc", - msg: "invalid prefix", + vsPath: "/abc", + msg: "invalid prefix", + }, + { + routes: []v1.Route{ + { + Path: "/abc", + Action: &v1.Action{ + Pass: "test-1", + }, + }, + { + Path: "~^/test", + Action: &v1.Action{ + Pass: "test-1", + }, + }, + }, + upstreamNames: map[string]sets.Empty{ + "test-1": {}, + }, + vsPath: "/abc", + msg: "prefix vs path with both matching prefix and mismatching regex subroute path", + }, + { + routes: []v1.Route{ + { + Path: "~/test", + Action: &v1.Action{ + Pass: "test-1", + }, + }, + }, + upstreamNames: map[string]sets.Empty{ + "test-1": {}, + }, + vsPath: "/test", + msg: "prefix vs path with matching regex subroute path", + }, + { + routes: []v1.Route{ + { + Path: "=/test", + Action: &v1.Action{ + Pass: "test-1", + }, + }, + }, + upstreamNames: map[string]sets.Empty{ + "test-1": {}, + }, + vsPath: "/test", + msg: "prefix vs path with matching exact subroute path", + }, + { + routes: []v1.Route{ + { + Path: "/test", + Action: &v1.Action{ + Pass: "test-1", + }, + }, + }, + upstreamNames: map[string]sets.Empty{ + "test-1": {}, + }, + vsPath: "=/test", + msg: "exact vs path with prefix subroute path", + }, + { + routes: []v1.Route{ + { + Path: "=/test", + Action: &v1.Action{ + Pass: "test-1", + }, + }, + }, + upstreamNames: map[string]sets.Empty{ + "test-1": {}, + }, + vsPath: "~/test", + msg: "regex vs path with exact subroute path", + }, + { + routes: []v1.Route{ + { + Path: "=/test", + Action: &v1.Action{ + Pass: "test-1", + }, + }, + { + Path: "/abc", + Action: &v1.Action{ + Pass: "test-1", + }, + }, + }, + upstreamNames: map[string]sets.Empty{ + "test-1": {}, + }, + vsPath: "/abc", + msg: "prefix vs path with both exact and matching prefix subroute path", + }, + { + routes: []v1.Route{ + { + Path: "~/abc", + Action: &v1.Action{ + Pass: "test-1", + }, + }, + { + Path: "/test", + Action: &v1.Action{ + Pass: "test-1", + }, + }, + }, + upstreamNames: map[string]sets.Empty{ + "test-1": {}, + }, + vsPath: "/test", + msg: "prefix vs path with both regex and matching prefix subroute path", }, } @@ -2525,7 +2714,7 @@ func TestValidateVirtualServerRouteSubroutesFails(t *testing.T) { for _, test := range tests { allErrs := vsv.validateVirtualServerRouteSubroutes(test.routes, field.NewPath("subroutes"), test.upstreamNames, - test.pathPrefix, "default") + test.vsPath, "default") if len(allErrs) == 0 { t.Errorf("validateVirtualServerRouteSubroutes() returned no errors for the case of %s", test.msg) } From 0f45ece008fd4f6d6203c358b3dc77a6d9582d0c Mon Sep 17 00:00:00 2001 From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> Date: Tue, 13 Feb 2024 17:55:19 +0000 Subject: [PATCH 17/22] Remove redundant Prometheus variable labels (#5008) (#5085) Remove redundant variable labels Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> (cherry picked from commit fb60fb663bef88e75f76c4af04dc6e07474e8dbb) --- cmd/nginx-ingress/main.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index 8bc440e1c5..edf93f2995 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -699,10 +699,8 @@ func createPlusAndLatencyCollectors( serverZoneVariableLabels := []string{"resource_type", "resource_name", "resource_namespace"} streamServerZoneVariableLabels := []string{"resource_type", "resource_name", "resource_namespace"} - cacheZoneLabels := []string{"resource_type", "resource_name", "resource_namespace"} - workerPIDVariableLabels := []string{"resource_type", "resource_name", "resource_namespace"} variableLabelNames := nginxCollector.NewVariableLabelNames(upstreamServerVariableLabels, serverZoneVariableLabels, upstreamServerPeerVariableLabelNames, - streamUpstreamServerVariableLabels, streamServerZoneVariableLabels, streamUpstreamServerPeerVariableLabelNames, cacheZoneLabels, workerPIDVariableLabels) + streamUpstreamServerVariableLabels, streamServerZoneVariableLabels, streamUpstreamServerPeerVariableLabelNames, nil, nil) promlogConfig := &promlog.Config{} logger := promlog.New(promlogConfig) plusCollector = nginxCollector.NewNginxPlusCollector(plusClient, "nginx_ingress_nginxplus", variableLabelNames, constLabels, logger) From d025e888601ca6588bdacc84fdcb1dd4ce61f04d Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Wed, 14 Feb 2024 10:39:16 +0000 Subject: [PATCH 18/22] Split docs script cherry pick (#5090) * Split version update script (#4961) * Bump nginx from `156d75f` to `f2802c2` in /build (#5072) * Bump redhat/ubi8 from `23d8dfd` to `627867e` in /build (#5073) * Bump opentracing/nginx-opentracing from `2e0268d` to `2217e9f` in /build (#5074) --- .github/scripts/release-notes-update.sh | 55 +++++++++++++++++++++++ .github/scripts/release-version-update.sh | 20 ++------- .github/workflows/release-pr.yml | 12 ++++- build/Dockerfile | 10 ++--- hack/changelog-template.txt | 2 +- 5 files changed, 76 insertions(+), 23 deletions(-) create mode 100755 .github/scripts/release-notes-update.sh diff --git a/.github/scripts/release-notes-update.sh b/.github/scripts/release-notes-update.sh new file mode 100755 index 0000000000..47adb43b90 --- /dev/null +++ b/.github/scripts/release-notes-update.sh @@ -0,0 +1,55 @@ +#!/usr/bin/env bash + +set -o pipefail + +ROOTDIR=$(git rev-parse --show-toplevel || echo ".") +TMPDIR=/tmp +DEBUG=${DEBUG:-"false"} + +DOCS_TO_UPDATE_FOLDER=${ROOTDIR}/docs/content + + usage() { + echo "Usage: $0 " + exit 1 + } + +ic_version=$1 +helm_chart_version=$2 +k8s_versions=$3 +release_date=$4 + +if [ -z "${ic_version}" ]; then + usage +fi + +if [ -z "${helm_chart_version}" ]; then + usage +fi + +if [ -z "${k8s_versions}" ]; then + usage +fi + +if [ -z "${release_date}" ]; then + usage +fi + +# update releases docs +file_path=${DOCS_TO_UPDATE_FOLDER}/releases.md +if [ "${DEBUG}" != "false" ]; then + echo "Processing ${file_path}" +fi +file_name=$(basename "${file_path}") +mv "${file_path}" "${TMPDIR}/${file_name}" +sed -e "8r ${ROOTDIR}/hack/changelog-template.txt" "${TMPDIR}/${file_name}" | sed \ + -e "s/%%TITLE%%/## $ic_version/g" \ + -e "s/%%IC_VERSION%%/$ic_version/g" \ + -e "s/%%HELM_CHART_VERSION%%/$helm_chart_version/g" \ + -e "s/%%K8S_VERSIONS%%/$k8s_versions.\n/g" \ + -e "s/%%RELEASE_DATE%%/$release_date/g" \ + > ${file_path} +if [ $? -ne 0 ]; then + echo "ERROR: failed processing ${file_path}" + mv "${TMPDIR}/${file_name}" "${file_path}" + exit 2 +fi diff --git a/.github/scripts/release-version-update.sh b/.github/scripts/release-version-update.sh index 177b11f0e4..ee2ab94e3c 100755 --- a/.github/scripts/release-version-update.sh +++ b/.github/scripts/release-version-update.sh @@ -49,14 +49,16 @@ if [ -z "${helm_chart_version}" ]; then fi current_ic_version=$(yq '.appVersion' <"${HELM_CHART_PATH}/Chart.yaml") +escaped_current_ic_version=$(printf '%s' "$current_ic_version" | sed -e 's/\./\\./g'); current_helm_chart_version=$(yq '.version' <"${HELM_CHART_PATH}/Chart.yaml") +escaped_current_helm_chart_version=$(printf '%s' "$current_helm_chart_version" | sed -e 's/\./\\./g'); echo "Updating versions: " echo "ic_version: ${current_ic_version} -> ${ic_version}" echo "helm_chart_version: ${current_helm_chart_version} -> ${helm_chart_version}" -regex_ic="s#$current_ic_version#$ic_version#g" -regex_helm="s#$current_helm_chart_version#$helm_chart_version#g" +regex_ic="s#$escaped_current_ic_version#$ic_version#g" +regex_helm="s#$escaped_current_helm_chart_version#$helm_chart_version#g" mv "${HELM_CHART_PATH}/values.schema.json" "${TMPDIR}/" jq --arg version "${ic_version}" \ @@ -115,17 +117,3 @@ for i in ${docs_files}; do exit 2 fi done - -# update releases docs -file_path=${DOCS_TO_UPDATE_FOLDER}/releases.md -if [ "${DEBUG}" != "false" ]; then - echo "Processing ${file_path}" -fi -file_name=$(basename "${file_path}") -mv "${file_path}" "${TMPDIR}/${file_name}" -cat "${TMPDIR}/${file_name}" | sed -e "8r ${ROOTDIR}/hack/changelog-template.txt" | sed -e "s/%%TITLE%%/## $ic_version/g" -e "s/%%IC_VERSION%%/$ic_version/g" -e "s/%%HELM_CHART_VERSION%%/$helm_chart_version/g" > ${file_path} -if [ $? -ne 0 ]; then - echo "ERROR: failed processing ${file_path}" - mv "${TMPDIR}/${file_name}" "${file_path}" - exit 2 -fi diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index 6f52340813..60ba79dd82 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml @@ -11,6 +11,14 @@ on: description: "Helm version to release" required: true default: "0.0.0" + k8s_versions: + description: "Kubernetes versions this release has been tested on" + required: true + default: "x.xx-x.xx" + release_date: + description: "Date for this release" + required: true + default: "%d %b %Y" defaults: run: @@ -39,7 +47,9 @@ jobs: token: ${{ secrets.NGINX_PAT }} - name: Replace - run: .github/scripts/release-version-update.sh ${{ github.event.inputs.version }} ${{ github.event.inputs.helm_version }} + run: | + .github/scripts/release-version-update.sh ${{ github.event.inputs.version }} ${{ github.event.inputs.helm_version }} + .github/scripts/release-notes-update.sh ${{ github.event.inputs.version }} ${{ github.event.inputs.helm_version }} "${{ github.event.inputs.k8s_versions }}" "${{ github.event.inputs.release_date }}" - name: Create Pull Request uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2 diff --git a/build/Dockerfile b/build/Dockerfile index ccc65ba112..c5842d46f6 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -6,13 +6,13 @@ ARG DEBIAN_FRONTEND=noninteractive ############################################# Base images containing libs for Opentracing and FIPS ############################################# -FROM opentracing/nginx-opentracing:nginx-1.25.3@sha256:2e0268d3cd31fe047c2fe566f29731865b0c99cc99b579c6584b23cd3c7830ef as opentracing-lib -FROM opentracing/nginx-opentracing:nginx-1.25.3-alpine@sha256:08ccc2c8bb28f01cb17b7619f139830b3af7950826b819b267393aefa32f23ab as alpine-opentracing-lib +FROM opentracing/nginx-opentracing:nginx-1.25.3@sha256:2217e9fa36a2130d395a40bb051965cf64c9d10087281e301e9c0b60ce2a1a57 as opentracing-lib +FROM opentracing/nginx-opentracing:nginx-1.25.3-alpine@sha256:37c7de3a46ca05428450b1c64bfb2a4d2f9c1835860cef427928fcf11c178f0e as alpine-opentracing-lib FROM ghcr.io/nginxinc/alpine-fips:0.1.1-alpine3.18@sha256:6f124002650fae697152290a14a7caa7f21884e8d78d8236c63fec2d018d721d as alpine-fips ############################################# Base image for Alpine ############################################# -FROM nginx:1.25.3-alpine@sha256:156d75f07c59b2fd59d3d1470631777943bb574135214f0a90c7bb82bde916da AS alpine +FROM nginx:1.25.3-alpine@sha256:f2802c2a9d09c7aa3ace27445dfc5656ff24355da28e7b958074a0111e3fc076 AS alpine RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ apk add --no-cache libcap libstdc++ \ @@ -24,7 +24,7 @@ RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ ############################################# Base image for Debian ############################################# -FROM nginx:1.25.3@sha256:8b4c32060a41e8c07e4b33c2e2695510c729314d84b2b71a1c5d7002aaf0b5ad AS debian +FROM nginx:1.25.3@sha256:84c52dfd55c467e12ef85cad6a252c0990564f03c4850799bf41dd738738691f AS debian RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ apt-get update \ @@ -208,7 +208,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus and App Protect WAF/DoS ############################################# -FROM redhat/ubi8@sha256:23d8dfd08024fdfa34b168c297d8c74a1dc58675b02b3418925932df123b755c as ubi-plus-nap +FROM redhat/ubi8@sha256:627867e53ad6846afba2dfbf5cef1d54c868a9025633ef0afd546278d4654eac as ubi-plus-nap ARG NAP_MODULES RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ diff --git a/hack/changelog-template.txt b/hack/changelog-template.txt index 604d1ae9b5..3d48f310cf 100644 --- a/hack/changelog-template.txt +++ b/hack/changelog-template.txt @@ -28,4 +28,4 @@ or build your own image using the %%IC_VERSION%% source code We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes -versions: x.xx-x.xx. +versions: %%K8S_VERSIONS%% From e2ebb0d62348121a894f953aa198feef8c7032f4 Mon Sep 17 00:00:00 2001 From: nginx-bot <68849795+nginx-bot@users.noreply.github.com> Date: Mon, 19 Feb 2024 03:06:41 -0800 Subject: [PATCH 19/22] Release 3.4.3 (#5091) * Release 3.4.3 --- README.md | 4 +- charts/nginx-ingress/Chart.yaml | 8 +-- charts/nginx-ingress/README.md | 18 +++--- charts/nginx-ingress/values-icp.yaml | 2 +- charts/nginx-ingress/values-plus.yaml | 2 +- charts/nginx-ingress/values.schema.json | 10 ++-- charts/nginx-ingress/values.yaml | 2 +- deployments/daemon-set/nginx-ingress.yaml | 4 +- .../daemon-set/nginx-plus-ingress.yaml | 4 +- deployments/deployment/nginx-ingress.yaml | 4 +- .../deployment/nginx-plus-ingress.yaml | 4 +- .../configuration/configuration-examples.md | 4 +- .../configmap-resource.md | 16 +++--- .../global-configuration/custom-templates.md | 2 +- .../handling-host-and-listener-collisions.md | 2 +- ...advanced-configuration-with-annotations.md | 40 ++++++------- .../ingress-resources/basic-configuration.md | 2 +- .../cross-namespace-configuration.md | 4 +- .../ingress-resources/custom-annotations.md | 4 +- docs/content/configuration/policy-resource.md | 4 +- docs/content/configuration/security.md | 6 +- .../configuration/transportserver-resource.md | 2 +- ...server-and-virtualserverroute-resources.md | 6 +- .../building-nginx-ingress-controller.md | 4 +- .../installing-nic/installation-with-helm.md | 18 +++--- .../installation-with-manifests.md | 14 ++--- .../installation-with-operator.md | 2 +- .../app-protect-dos/configuration.md | 2 +- .../app-protect-dos/installation.md | 6 +- .../app-protect-waf/configuration.md | 22 ++++---- .../app-protect-waf/installation.md | 4 +- .../pulling-ingress-controller-image.md | 18 +++--- .../using-the-jwt-token-docker-secret.md | 20 +++---- .../content/overview/controller-comparison.md | 4 +- docs/content/overview/nginx-plus.md | 6 +- docs/content/releases.md | 56 +++++++++++++++++++ docs/content/technical-specifications.md | 30 +++++----- .../troubleshooting/troubleshoot-common.md | 2 +- docs/content/tutorials/custom-listen-ports.md | 2 +- .../tutorials/oidc-custom-configuration.md | 2 +- docs/content/usage-reporting.md | 2 +- 41 files changed, 212 insertions(+), 156 deletions(-) diff --git a/README.md b/README.md index 2b61ce7d80..97c95d0728 100644 --- a/README.md +++ b/README.md @@ -98,7 +98,7 @@ In the case of NGINX, the Ingress Controller is deployed in a pod along with the We publish NGINX Ingress Controller releases on GitHub. See our [releases page](https://github.com/nginxinc/kubernetes-ingress/releases). -The latest stable release is [3.4.2](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.4.2). For production +The latest stable release is [3.4.3](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.4.3). For production use, we recommend that you choose the latest stable release. The edge version is useful for experimenting with new features that are not yet published in a stable release. To use @@ -118,7 +118,7 @@ your links to the correct versions: | Version | Description | Image for NGINX | Image for NGINX Plus | Installation Manifests and Helm Chart | Documentation and Examples | | ------- | ----------- | --------------- | -------------------- | ---------------------------------------| -------------------------- | -| Latest stable release | For production use | Use the 3.4.2 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.4.2 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/charts/nginx-ingress). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). | +| Latest stable release | For production use | Use the 3.4.3 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.4.3 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/charts/nginx-ingress). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). | | Edge/Nightly | For testing and experimenting | Use the edge or nightly images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/main/charts/nginx-ingress). | [Documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content). [Examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). | ## SBOM (Software Bill of Materials) diff --git a/charts/nginx-ingress/Chart.yaml b/charts/nginx-ingress/Chart.yaml index 1d3980cff2..154b115194 100644 --- a/charts/nginx-ingress/Chart.yaml +++ b/charts/nginx-ingress/Chart.yaml @@ -1,14 +1,14 @@ apiVersion: v2 name: nginx-ingress -version: 1.1.2 -appVersion: 3.4.2 +version: 1.1.3 +appVersion: 3.4.3 kubeVersion: ">= 1.22.0-0" type: application description: NGINX Ingress Controller -icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/charts/nginx-ingress/chart-icon.png +icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/charts/nginx-ingress/chart-icon.png home: https://github.com/nginxinc/kubernetes-ingress sources: - - https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/charts/nginx-ingress + - https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/charts/nginx-ingress keywords: - ingress - nginx diff --git a/charts/nginx-ingress/README.md b/charts/nginx-ingress/README.md index 32c49f489f..053585ad8d 100644 --- a/charts/nginx-ingress/README.md +++ b/charts/nginx-ingress/README.md @@ -51,10 +51,10 @@ kubectl apply -f crds/ Alternatively, CRDs can be upgraded without pulling the chart by running: ```console -kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/deploy/crds.yaml +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/deploy/crds.yaml ``` -In the above command, `v3.4.2` represents the version of NGINX Ingress Controller release rather than the Helm chart version. +In the above command, `v3.4.3` represents the version of NGINX Ingress Controller release rather than the Helm chart version. > **Note** > @@ -87,14 +87,14 @@ To install the chart with the release name my-release (my-release is the name th For NGINX: ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.3 ``` For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`) ```console -helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.3 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true ``` This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to @@ -109,7 +109,7 @@ CRDs](#upgrading-the-crds). To upgrade the release `my-release`: ```console -helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.3 ``` ### Uninstalling the Chart @@ -150,7 +150,7 @@ upgrading/deleting the CRDs. 1. Pull the chart sources: ```console - helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.2 + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.3 ``` 2. Change your working directory to nginx-ingress: @@ -236,7 +236,7 @@ The steps you should follow depend on the Helm release name: Selector: app=nginx-ingress-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.4.2` +2. Checkout the latest available tag using `git checkout v3.4.3` 3. Navigate to `/kubernates-ingress/charts/nginx-ingress` @@ -288,7 +288,7 @@ reviewing its events: Selector: app=-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.4.2` +2. Checkout the latest available tag using `git checkout v3.4.3` 3. Navigate to `/kubernates-ingress/charts/nginx-ingress` @@ -355,7 +355,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.logLevel` | The log level of the Ingress Controller. | 1 | |`controller.image.digest` | The image digest of the Ingress Controller. | None | |`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress | -|`controller.image.tag` | The tag of the Ingress Controller image. | 3.4.2 | +|`controller.image.tag` | The tag of the Ingress Controller image. | 3.4.3 | |`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent | |`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} | |`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | diff --git a/charts/nginx-ingress/values-icp.yaml b/charts/nginx-ingress/values-icp.yaml index 2c2d1f2663..a9c49c5c64 100644 --- a/charts/nginx-ingress/values-icp.yaml +++ b/charts/nginx-ingress/values-icp.yaml @@ -4,7 +4,7 @@ controller: nginxplus: true image: repository: mycluster.icp:8500/kube-system/nginx-plus-ingress - tag: "3.4.2" + tag: "3.4.3" nodeSelector: beta.kubernetes.io/arch: "amd64" proxy: true diff --git a/charts/nginx-ingress/values-plus.yaml b/charts/nginx-ingress/values-plus.yaml index d30f65751b..7f5b0b1f6e 100644 --- a/charts/nginx-ingress/values-plus.yaml +++ b/charts/nginx-ingress/values-plus.yaml @@ -3,4 +3,4 @@ controller: nginxplus: true image: repository: nginx-plus-ingress - tag: "3.4.2" + tag: "3.4.3" diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json index ce40e1983e..2b05640725 100644 --- a/charts/nginx-ingress/values.schema.json +++ b/charts/nginx-ingress/values.schema.json @@ -305,10 +305,10 @@ }, "tag": { "type": "string", - "default": "3.4.2", + "default": "3.4.3", "title": "The tag of the Ingress Controller image", "examples": [ - "3.4.2" + "3.4.3" ] }, "digest": { @@ -345,7 +345,7 @@ "examples": [ { "repository": "nginx/nginx-ingress", - "tag": "3.4.2", + "tag": "3.4.3", "pullPolicy": "IfNotPresent" } ] @@ -1393,7 +1393,7 @@ "customPorts": [], "image": { "repository": "nginx/nginx-ingress", - "tag": "3.4.2", + "tag": "3.4.3", "digest": "", "pullPolicy": "IfNotPresent" }, @@ -1765,7 +1765,7 @@ "customPorts": [], "image": { "repository": "nginx/nginx-ingress", - "tag": "3.4.2", + "tag": "3.4.3", "digest": "", "pullPolicy": "IfNotPresent" }, diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml index f0e2c9b2e2..fe85c8a35e 100644 --- a/charts/nginx-ingress/values.yaml +++ b/charts/nginx-ingress/values.yaml @@ -78,7 +78,7 @@ controller: repository: nginx/nginx-ingress ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. - # tag: "3.4.2" + # tag: "3.4.3" ## The digest of the Ingress Controller image. ## If digest is specified it has precedence over tag and will be used instead diff --git a/deployments/daemon-set/nginx-ingress.yaml b/deployments/daemon-set/nginx-ingress.yaml index fc9fc6949c..bc1569df5d 100644 --- a/deployments/daemon-set/nginx-ingress.yaml +++ b/deployments/daemon-set/nginx-ingress.yaml @@ -32,7 +32,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx/nginx-ingress:3.4.2 + - image: nginx/nginx-ingress:3.4.3 imagePullPolicy: IfNotPresent name: nginx-ingress ports: @@ -96,7 +96,7 @@ spec: #- -enable-prometheus-metrics #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.4.2 +# - image: nginx/nginx-ingress:3.4.3 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/deployments/daemon-set/nginx-plus-ingress.yaml b/deployments/daemon-set/nginx-plus-ingress.yaml index f5dbd4170a..17b3ca87c1 100644 --- a/deployments/daemon-set/nginx-plus-ingress.yaml +++ b/deployments/daemon-set/nginx-plus-ingress.yaml @@ -32,7 +32,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx-plus-ingress:3.4.2 + - image: nginx-plus-ingress:3.4.3 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ports: @@ -99,7 +99,7 @@ spec: #- -enable-prometheus-metrics #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.4.2 +# - image: nginx/nginx-ingress:3.4.3 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/deployments/deployment/nginx-ingress.yaml b/deployments/deployment/nginx-ingress.yaml index c8fcf20c28..b4ea334cfe 100644 --- a/deployments/deployment/nginx-ingress.yaml +++ b/deployments/deployment/nginx-ingress.yaml @@ -33,7 +33,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx/nginx-ingress:3.4.2 + - image: nginx/nginx-ingress:3.4.3 imagePullPolicy: IfNotPresent name: nginx-ingress ports: @@ -97,7 +97,7 @@ spec: #- -enable-prometheus-metrics #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.4.2 +# - image: nginx/nginx-ingress:3.4.3 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/deployments/deployment/nginx-plus-ingress.yaml index 8a7d03ff56..3d8cd0d3e8 100644 --- a/deployments/deployment/nginx-plus-ingress.yaml +++ b/deployments/deployment/nginx-plus-ingress.yaml @@ -33,7 +33,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx-plus-ingress:3.4.2 + - image: nginx-plus-ingress:3.4.3 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ports: @@ -103,7 +103,7 @@ spec: #- -enable-service-insight #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.4.2 +# - image: nginx/nginx-ingress:3.4.3 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/docs/content/configuration/configuration-examples.md b/docs/content/configuration/configuration-examples.md index 90e7e9144d..d9459e4484 100644 --- a/docs/content/configuration/configuration-examples.md +++ b/docs/content/configuration/configuration-examples.md @@ -11,5 +11,5 @@ docs: "DOCS-584" Our [GitHub repo](https://github.com/nginxinc/kubernetes-ingress) includes a number of configuration examples: -- [*Examples of Custom Resources*](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources) show how to advanced NGINX features by using VirtualServer, VirtualServerRoute, TransportServer and Policy Custom Resources. -- [*Examples of Ingress Resources*](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources) show how to use advanced NGINX features in Ingress resources with annotations. +- [*Examples of Custom Resources*](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/custom-resources) show how to advanced NGINX features by using VirtualServer, VirtualServerRoute, TransportServer and Policy Custom Resources. +- [*Examples of Ingress Resources*](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources) show how to use advanced NGINX features in Ingress resources with annotations. diff --git a/docs/content/configuration/global-configuration/configmap-resource.md b/docs/content/configuration/global-configuration/configmap-resource.md index 6fc492f2f5..5b261b185f 100644 --- a/docs/content/configuration/global-configuration/configmap-resource.md +++ b/docs/content/configuration/global-configuration/configmap-resource.md @@ -91,10 +91,10 @@ See the doc about [VirtualServer and VirtualServerRoute resources](/nginx-ingres |``server-names-hash-max-size`` | Sets the value of the [server_names_hash_max_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size) directive. | ``1024`` | | |``map-hash-bucket-size`` | Sets the value of the [map_hash_bucket_size](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size) directive.| ``256`` | | |``map-hash-max-size`` | Sets the value of the [map_hash_max_size](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_max_size) directive. | ``2048`` | | -|``resolver-addresses`` | Sets the value of the [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) addresses. Note: If you use a DNS name (for example, ``kube-dns.kube-system.svc.cluster.local`` ) as a resolver address, NGINX Plus will resolve it using the system resolver during the start and on every configuration reload. If the name cannot be resolved or the DNS server doesn't respond, NGINX Plus will fail to start or reload. To avoid this, we recommend using IP addresses as resolver addresses instead of DNS names. Supported in NGINX Plus only. | N/A | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/externalname-services). | -|``resolver-ipv6`` | Enables IPv6 resolution in the resolver. Supported in NGINX Plus only. | ``True`` | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/externalname-services). | -|``resolver-valid`` | Sets the time NGINX caches the resolved DNS records. Supported in NGINX Plus only. | TTL value of a DNS record | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/externalname-services). | -|``resolver-timeout`` | Sets the [resolver_timeout](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver_timeout) for name resolution. Supported in NGINX Plus only. | ``30s`` | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/externalname-services). | +|``resolver-addresses`` | Sets the value of the [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) addresses. Note: If you use a DNS name (for example, ``kube-dns.kube-system.svc.cluster.local`` ) as a resolver address, NGINX Plus will resolve it using the system resolver during the start and on every configuration reload. If the name cannot be resolved or the DNS server doesn't respond, NGINX Plus will fail to start or reload. To avoid this, we recommend using IP addresses as resolver addresses instead of DNS names. Supported in NGINX Plus only. | N/A | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/externalname-services). | +|``resolver-ipv6`` | Enables IPv6 resolution in the resolver. Supported in NGINX Plus only. | ``True`` | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/externalname-services). | +|``resolver-valid`` | Sets the time NGINX caches the resolved DNS records. Supported in NGINX Plus only. | TTL value of a DNS record | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/externalname-services). | +|``resolver-timeout`` | Sets the [resolver_timeout](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver_timeout) for name resolution. Supported in NGINX Plus only. | ``30s`` | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/externalname-services). | |``keepalive-timeout`` | Sets the value of the [keepalive_timeout](https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) directive. | ``65s`` | | |``keepalive-requests`` | Sets the value of the [keepalive_requests](https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests) directive. | ``100`` | | |``variables-hash-bucket-size`` | Sets the value of the [variables_hash_bucket_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#variables_hash_bucket_size) directive. | ``256`` | | @@ -109,9 +109,9 @@ See the doc about [VirtualServer and VirtualServerRoute resources](/nginx-ingres |``error-log-level`` | Sets the global [error log level](https://nginx.org/en/docs/ngx_core_module.html#error_log) for NGINX. | ``notice`` | | |``access-log-off`` | Disables the [access log](https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log). | ``False`` | | |``default-server-access-log-off`` | Disables the [access log](https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log) for the default server. If access log is disabled globally (``access-log-off: "True"``), then the default server access log is always disabled. | ``False`` | | -|``log-format`` | Sets the custom [log format](https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format) for HTTP and HTTPS traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by ``\n``). In that case, the Ingress Controller will replace every ``\n`` character with a space character. All ``'`` characters must be escaped. | See the [template file](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/internal/configs/version1/nginx.tmpl) for the access log. | [Custom Log Format](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/shared-examples/custom-log-format). | +|``log-format`` | Sets the custom [log format](https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format) for HTTP and HTTPS traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by ``\n``). In that case, the Ingress Controller will replace every ``\n`` character with a space character. All ``'`` characters must be escaped. | See the [template file](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.3/internal/configs/version1/nginx.tmpl) for the access log. | [Custom Log Format](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/shared-examples/custom-log-format). | |``log-format-escaping`` | Sets the characters escaping for the variables of the log format. Supported values: ``json`` (JSON escaping), ``default`` (the default escaping) ``none`` (disables escaping). | ``default`` | | -|``stream-log-format`` | Sets the custom [log format](https://nginx.org/en/docs/stream/ngx_stream_log_module.html#log_format) for TCP, UDP, and TLS Passthrough traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by ``\n``). In that case, the Ingress Controller will replace every ``\n`` character with a space character. All ``'`` characters must be escaped. | See the [template file](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/internal/configs/version1/nginx.tmpl). | | +|``stream-log-format`` | Sets the custom [log format](https://nginx.org/en/docs/stream/ngx_stream_log_module.html#log_format) for TCP, UDP, and TLS Passthrough traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by ``\n``). In that case, the Ingress Controller will replace every ``\n`` character with a space character. All ``'`` characters must be escaped. | See the [template file](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.3/internal/configs/version1/nginx.tmpl). | | |``stream-log-format-escaping`` | Sets the characters escaping for the variables of the stream log format. Supported values: ``json`` (JSON escaping), ``default`` (the default escaping) ``none`` (disables escaping). | ``default`` | | {{% /table %}} @@ -147,7 +147,7 @@ See the doc about [VirtualServer and VirtualServerRoute resources](/nginx-ingres |ConfigMap Key | Description | Default | Example | | ---| ---| ---| --- | |``http2`` | Enables HTTP/2 in servers with SSL enabled. | ``False`` | | -|``proxy-protocol`` | Enables PROXY Protocol for incoming connections. | ``False`` | [Proxy Protocol](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/shared-examples/proxy-protocol). | +|``proxy-protocol`` | Enables PROXY Protocol for incoming connections. | ``False`` | [Proxy Protocol](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/shared-examples/proxy-protocol). | {{% /table %}} ### Backend Services (Upstreams) @@ -171,7 +171,7 @@ See the doc about [VirtualServer and VirtualServerRoute resources](/nginx-ingres |``http-snippets`` | Sets a custom snippet in http context. | N/A | | |``location-snippets`` | Sets a custom snippet in location context. | N/A | | |``server-snippets`` | Sets a custom snippet in server context. | N/A | | -|``stream-snippets`` | Sets a custom snippet in stream context. | N/A | [Support for TCP/UDP Load Balancing](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/tcp-udp). | +|``stream-snippets`` | Sets a custom snippet in stream context. | N/A | [Support for TCP/UDP Load Balancing](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/tcp-udp). | |``main-template`` | Sets the main NGINX configuration template. | By default the template is read from the file in the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). | |``ingress-template`` | Sets the NGINX configuration template for an Ingress resource. | By default the template is read from the file on the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). | |``virtualserver-template`` | Sets the NGINX configuration template for an VirtualServer resource. | By default the template is read from the file on the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). | diff --git a/docs/content/configuration/global-configuration/custom-templates.md b/docs/content/configuration/global-configuration/custom-templates.md index 6237504f9f..d9cb6295f2 100644 --- a/docs/content/configuration/global-configuration/custom-templates.md +++ b/docs/content/configuration/global-configuration/custom-templates.md @@ -9,4 +9,4 @@ docs: "DOCS-587" --- -The Ingress Controller uses templates to generate NGINX configuration for Ingress resources, VirtualServer resources and the main NGINX configuration file. You can customize the templates and apply them via the ConfigMap. See the [corresponding example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/shared-examples/custom-templates). +The Ingress Controller uses templates to generate NGINX configuration for Ingress resources, VirtualServer resources and the main NGINX configuration file. You can customize the templates and apply them via the ConfigMap. See the [corresponding example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/shared-examples/custom-templates). diff --git a/docs/content/configuration/handling-host-and-listener-collisions.md b/docs/content/configuration/handling-host-and-listener-collisions.md index 69c469575c..8592393c44 100644 --- a/docs/content/configuration/handling-host-and-listener-collisions.md +++ b/docs/content/configuration/handling-host-and-listener-collisions.md @@ -87,7 +87,7 @@ Similarly, if `cafe-ingress` was created first, it will win `cafe.example.com` a It is possible to merge configuration for multiple Ingress resources for the same host. One common use case for this approach is distributing resources across multiple namespaces. See the [Cross-namespace Configuration](/nginx-ingress-controller/configuration/ingress-resources/cross-namespace-configuration/) doc for more information. -It is *not* possible to merge the configurations for multiple VirtualServer resources for the same host. However, you can split the VirtualServers into multiple VirtualServerRoute resources, which a single VirtualServer can then reference. See the [corresponding example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/cross-namespace-configuration) on GitHub. +It is *not* possible to merge the configurations for multiple VirtualServer resources for the same host. However, you can split the VirtualServers into multiple VirtualServerRoute resources, which a single VirtualServer can then reference. See the [corresponding example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/custom-resources/cross-namespace-configuration) on GitHub. It is *not* possible to merge configuration for multiple TransportServer resources. diff --git a/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md b/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md index 8888cfb1f4..96ef6afdb3 100644 --- a/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md +++ b/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md @@ -112,7 +112,7 @@ The table below summarizes the available annotations. |``nginx.org/proxy-buffer-size`` | ``proxy-buffer-size`` | Sets the value of the [proxy_buffer_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) and [grpc_buffer_size](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size) directives. | Depends on the platform. | | |``nginx.org/proxy-max-temp-file-size`` | ``proxy-max-temp-file-size`` | Sets the value of the [proxy_max_temp_file_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_max_temp_file_size) directive. | ``1024m`` | | |``nginx.org/server-tokens`` | ``server-tokens`` | Enables or disables the [server_tokens](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens) directive. Additionally, with the NGINX Plus, you can specify a custom string value, including the empty string value, which disables the emission of the “Server” field. | ``True`` | | -|``nginx.org/path-regex`` | N/A | Enables regular expression modifiers for Ingress path parameter. This translates to the NGINX [location](https://nginx.org/en/docs/http/ngx_http_core_module.html#location) directive. You can specify one of these values: "case_sensitive", "case_insensitive", or "exact". The annotation is applied to the entire Ingress resource and its paths. While using Master and Minion Ingresses i.e. Mergeable Ingresses, this annotation can be specified on Minion types. The `path-regex` annotation specified on Master is ignored, and has no effect on paths defined on Minions. | N/A | [Path Regex](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/path-regex). | +|``nginx.org/path-regex`` | N/A | Enables regular expression modifiers for Ingress path parameter. This translates to the NGINX [location](https://nginx.org/en/docs/http/ngx_http_core_module.html#location) directive. You can specify one of these values: "case_sensitive", "case_insensitive", or "exact". The annotation is applied to the entire Ingress resource and its paths. While using Master and Minion Ingresses i.e. Mergeable Ingresses, this annotation can be specified on Minion types. The `path-regex` annotation specified on Master is ignored, and has no effect on paths defined on Minions. | N/A | [Path Regex](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/path-regex). | {{% /table %}} ### Request URI/Header Manipulation @@ -122,7 +122,7 @@ The table below summarizes the available annotations. | ---| ---| ---| ---| --- | |``nginx.org/proxy-hide-headers`` | ``proxy-hide-headers`` | Sets the value of one or more [proxy_hide_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) directives. Example: ``"nginx.org/proxy-hide-headers": "header-a,header-b"`` | N/A | | |``nginx.org/proxy-pass-headers`` | ``proxy-pass-headers`` | Sets the value of one or more [proxy_pass_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header) directives. Example: ``"nginx.org/proxy-pass-headers": "header-a,header-b"`` | N/A | | -|``nginx.org/rewrites`` | N/A | Configures URI rewriting using [proxy_pass](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass) directive. | N/A | [Rewrites Support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/rewrites). | +|``nginx.org/rewrites`` | N/A | Configures URI rewriting using [proxy_pass](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass) directive. | N/A | [Rewrites Support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/rewrites). | {{% /table %}} ### Auth and SSL/TLS @@ -138,10 +138,10 @@ The table below summarizes the available annotations. |``nginx.org/hsts-behind-proxy`` | ``hsts-behind-proxy`` | Enables HSTS based on the value of the ``http_x_forwarded_proto`` request header. Should only be used when TLS termination is configured in a load balancer (proxy) in front of the Ingress Controller. Note: to control redirection from HTTP to HTTPS configure the ``nginx.org/redirect-to-https`` annotation. | ``False`` | | |``nginx.org/basic-auth-secret`` | N/A | Specifies a Secret resource with a user list for HTTP Basic authentication. | N/A | | |``nginx.org/basic-auth-realm`` | N/A | Specifies a realm. | N/A | | -|``nginx.com/jwt-key`` | N/A | Specifies a Secret resource with keys for validating JSON Web Tokens (JWTs). | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/jwt). | -|``nginx.com/jwt-realm`` | N/A | Specifies a realm. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/jwt). | -|``nginx.com/jwt-token`` | N/A | Specifies a variable that contains a JSON Web Token. | By default, a JWT is expected in the ``Authorization`` header as a Bearer Token. | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/jwt). | -|``nginx.com/jwt-login-url`` | N/A | Specifies a URL to which a client is redirected in case of an invalid or missing JWT. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/jwt). | +|``nginx.com/jwt-key`` | N/A | Specifies a Secret resource with keys for validating JSON Web Tokens (JWTs). | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/jwt). | +|``nginx.com/jwt-realm`` | N/A | Specifies a realm. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/jwt). | +|``nginx.com/jwt-token`` | N/A | Specifies a variable that contains a JSON Web Token. | By default, a JWT is expected in the ``Authorization`` header as a Bearer Token. | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/jwt). | +|``nginx.com/jwt-login-url`` | N/A | Specifies a URL to which a client is redirected in case of an invalid or missing JWT. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/jwt). | {{% /table %}} ### Listeners @@ -159,19 +159,19 @@ The table below summarizes the available annotations. |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | |``nginx.org/lb-method`` | ``lb-method`` | Sets the [load balancing method](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#choosing-a-load-balancing-method). To use the round-robin method, specify ``"round_robin"``. | ``"random two least_conn"`` | | -|``nginx.org/ssl-services`` | N/A | Enables HTTPS or gRPC over SSL when connecting to the endpoints of services. | N/A | [SSL Services Support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/ssl-services). | -|``nginx.org/grpc-services`` | N/A | Enables gRPC for services. Note: requires HTTP/2 (see ``http2`` ConfigMap key); only works for Ingresses with TLS termination enabled. | N/A | [GRPC Services Support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/grpc-services). | -|``nginx.org/websocket-services`` | N/A | Enables WebSocket for services. | N/A | [WebSocket support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/websocket). | +|``nginx.org/ssl-services`` | N/A | Enables HTTPS or gRPC over SSL when connecting to the endpoints of services. | N/A | [SSL Services Support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/ssl-services). | +|``nginx.org/grpc-services`` | N/A | Enables gRPC for services. Note: requires HTTP/2 (see ``http2`` ConfigMap key); only works for Ingresses with TLS termination enabled. | N/A | [GRPC Services Support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/grpc-services). | +|``nginx.org/websocket-services`` | N/A | Enables WebSocket for services. | N/A | [WebSocket support](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/websocket). | |``nginx.org/max-fails`` | ``max-fails`` | Sets the value of the [max_fails](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_fails) parameter of the ``server`` directive. | ``1`` | | |``nginx.org/max-conns`` | N\A | Sets the value of the [max_conns](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_conns) parameter of the ``server`` directive. | ``0`` | | |``nginx.org/upstream-zone-size`` | ``upstream-zone-size`` | Sets the size of the shared memory [zone](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#zone) for upstreams. For NGINX, the special value 0 disables the shared memory zones. For NGINX Plus, shared memory zones are required and cannot be disabled. The special value 0 will be ignored. | ``256K`` | | |``nginx.org/fail-timeout`` | ``fail-timeout`` | Sets the value of the [fail_timeout](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#fail_timeout) parameter of the ``server`` directive. | ``10s`` | | -|``nginx.com/sticky-cookie-services`` | N/A | Configures session persistence. | N/A | [Session Persistence](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/session-persistence). | +|``nginx.com/sticky-cookie-services`` | N/A | Configures session persistence. | N/A | [Session Persistence](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/session-persistence). | |``nginx.org/keepalive`` | ``keepalive`` | Sets the value of the [keepalive](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive) directive. Note that ``proxy_set_header Connection "";`` is added to the generated configuration when the value > 0. | ``0`` | | -|``nginx.com/health-checks`` | N/A | Enables active health checks. | ``False`` | [Support for Active Health Checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/health-checks). | -|``nginx.com/health-checks-mandatory`` | N/A | Configures active health checks as mandatory. | ``False`` | [Support for Active Health Checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/health-checks). | -|``nginx.com/health-checks-mandatory-queue`` | N/A | When active health checks are mandatory, creates a queue where incoming requests are temporarily stored while NGINX Plus is checking the health of the endpoints after a configuration reload. | ``0`` | [Support for Active Health Checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/health-checks). | -|``nginx.com/slow-start`` | N/A | Sets the upstream server [slow-start period](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#server-slow-start). By default, slow-start is activated after a server becomes [available](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks) or [healthy](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#active-health-checks). To enable slow-start for newly-added servers, configure [mandatory active health checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/health-checks). | ``"0s"`` | | +|``nginx.com/health-checks`` | N/A | Enables active health checks. | ``False`` | [Support for Active Health Checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/health-checks). | +|``nginx.com/health-checks-mandatory`` | N/A | Configures active health checks as mandatory. | ``False`` | [Support for Active Health Checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/health-checks). | +|``nginx.com/health-checks-mandatory-queue`` | N/A | When active health checks are mandatory, creates a queue where incoming requests are temporarily stored while NGINX Plus is checking the health of the endpoints after a configuration reload. | ``0`` | [Support for Active Health Checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/health-checks). | +|``nginx.com/slow-start`` | N/A | Sets the upstream server [slow-start period](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#server-slow-start). By default, slow-start is activated after a server becomes [available](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks) or [healthy](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#active-health-checks). To enable slow-start for newly-added servers, configure [mandatory active health checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/health-checks). | ``"0s"`` | | {{% /table %}} ### Snippets and Custom Templates @@ -190,11 +190,11 @@ The table below summarizes the available annotations. {{% table %}} |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | -|``appprotect.f5.com/app-protect-policy`` | N/A | The name of the App Protect Policy for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace of the Ingress Resource is used. If not specified but ``appprotect.f5.com/app-protect-enable`` is true, a default policy id applied. If the referenced policy resource does not exist, or policy is invalid, this annotation will be ignored, and the default policy will be applied. | N/A | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/app-protect-waf). | -|``appprotect.f5.com/app-protect-enable`` | N/A | Enable App Protect for the Ingress Resource. | ``False`` | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/app-protect-waf). | -|``appprotect.f5.com/app-protect-security-log-enable`` | N/A | Enable the [security log](/nginx-app-protect/troubleshooting/#app-protect-logging-overview) for App Protect. | ``False`` | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/app-protect-waf). | -|``appprotect.f5.com/app-protect-security-log`` | N/A | The App Protect log configuration for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace as the Ingress Resource is used. If not specified the default is used which is: filter: ``illegal``, format: ``default``. Multiple configurations can be specified in a comma separated list. Both log configurations and destinations list (see below) must be of equal length. Configs and destinations are paired by the list indices. | N/A | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/app-protect-waf). | -|``appprotect.f5.com/app-protect-security-log-destination`` | N/A | The destination of the security log. For more information check the [DESTINATION argument](/nginx-app-protect/troubleshooting/#app-protect-logging-overview). Multiple destinations can be specified in a comma-separated list. Both log configurations and destinations list (see above) must be of equal length. Configs and destinations are paired by the list indices. | ``syslog:server=localhost:514`` | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/app-protect-waf). | +|``appprotect.f5.com/app-protect-policy`` | N/A | The name of the App Protect Policy for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace of the Ingress Resource is used. If not specified but ``appprotect.f5.com/app-protect-enable`` is true, a default policy id applied. If the referenced policy resource does not exist, or policy is invalid, this annotation will be ignored, and the default policy will be applied. | N/A | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/app-protect-waf). | +|``appprotect.f5.com/app-protect-enable`` | N/A | Enable App Protect for the Ingress Resource. | ``False`` | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/app-protect-waf). | +|``appprotect.f5.com/app-protect-security-log-enable`` | N/A | Enable the [security log](/nginx-app-protect/troubleshooting/#app-protect-logging-overview) for App Protect. | ``False`` | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/app-protect-waf). | +|``appprotect.f5.com/app-protect-security-log`` | N/A | The App Protect log configuration for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace as the Ingress Resource is used. If not specified the default is used which is: filter: ``illegal``, format: ``default``. Multiple configurations can be specified in a comma separated list. Both log configurations and destinations list (see below) must be of equal length. Configs and destinations are paired by the list indices. | N/A | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/app-protect-waf). | +|``appprotect.f5.com/app-protect-security-log-destination`` | N/A | The destination of the security log. For more information check the [DESTINATION argument](/nginx-app-protect/troubleshooting/#app-protect-logging-overview). Multiple destinations can be specified in a comma-separated list. Both log configurations and destinations list (see above) must be of equal length. Configs and destinations are paired by the list indices. | ``syslog:server=localhost:514`` | [Example for App Protect](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/app-protect-waf). | {{% /table %}} ### App Protect DoS @@ -204,5 +204,5 @@ The table below summarizes the available annotations. {{% table %}} |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | -|``appprotectdos.f5.com/app-protect-dos-resource`` | N/A | Enable App Protect DoS for the Ingress Resource by specifying a [DosProtectedResource](/nginx-ingress-controller/app-protect-dos/dos-protected/). | N/A | [Example for App Protect DoS](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/app-protect-dos). | +|``appprotectdos.f5.com/app-protect-dos-resource`` | N/A | Enable App Protect DoS for the Ingress Resource by specifying a [DosProtectedResource](/nginx-ingress-controller/app-protect-dos/dos-protected/). | N/A | [Example for App Protect DoS](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/app-protect-dos). | {{% /table %}} diff --git a/docs/content/configuration/ingress-resources/basic-configuration.md b/docs/content/configuration/ingress-resources/basic-configuration.md index 5e9b492f9f..a462be8282 100644 --- a/docs/content/configuration/ingress-resources/basic-configuration.md +++ b/docs/content/configuration/ingress-resources/basic-configuration.md @@ -53,7 +53,7 @@ Here is a breakdown of what this Ingress resource definition means: - The rule with the path `/coffee` instructs NGINX to distribute the requests with the `/coffee` URI among the pods of the *coffee* service, which is deployed with the name `coffee‑svc` in the cluster. - Both rules instruct NGINX to distribute the requests to `port 80` of the corresponding service (the `servicePort` field). -> For complete instructions on deploying the Ingress and Secret resources in the cluster, see the [complete example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/complete-example) in our GitHub repository. +> For complete instructions on deploying the Ingress and Secret resources in the cluster, see the [complete example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/complete-example) in our GitHub repository. > To learn more about the Ingress resource, see the [Ingress resource documentation](https://kubernetes.io/docs/concepts/services-networking/ingress/) in the Kubernetes docs. diff --git a/docs/content/configuration/ingress-resources/cross-namespace-configuration.md b/docs/content/configuration/ingress-resources/cross-namespace-configuration.md index 5242d7d9f6..e67da33228 100644 --- a/docs/content/configuration/ingress-resources/cross-namespace-configuration.md +++ b/docs/content/configuration/ingress-resources/cross-namespace-configuration.md @@ -9,6 +9,6 @@ docs: "DOCS-594" --- -You can spread the Ingress configuration for a common host across multiple Ingress resources using Mergeable Ingress resources. Such resources can belong to the *same* or *different* namespaces. This enables easier management when using a large number of paths. See the [Mergeable Ingress Resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/mergeable-ingress-types) example in our GitHub repo. +You can spread the Ingress configuration for a common host across multiple Ingress resources using Mergeable Ingress resources. Such resources can belong to the *same* or *different* namespaces. This enables easier management when using a large number of paths. See the [Mergeable Ingress Resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/mergeable-ingress-types) example in our GitHub repo. -As an alternative to Mergeable Ingress resources, you can use [VirtualServer and VirtualServerRoute resources](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/) for cross-namespace configuration. See the [Cross-Namespace Configuration](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/cross-namespace-configuration) example in our GitHub repo. +As an alternative to Mergeable Ingress resources, you can use [VirtualServer and VirtualServerRoute resources](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/) for cross-namespace configuration. See the [Cross-Namespace Configuration](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/custom-resources/cross-namespace-configuration) example in our GitHub repo. diff --git a/docs/content/configuration/ingress-resources/custom-annotations.md b/docs/content/configuration/ingress-resources/custom-annotations.md index 8fbbbecbe3..20648763bb 100644 --- a/docs/content/configuration/ingress-resources/custom-annotations.md +++ b/docs/content/configuration/ingress-resources/custom-annotations.md @@ -23,7 +23,7 @@ Custom annotations allow you to add an annotation for an NGINX feature that is n ## Usage -The Ingress Controller generates NGINX configuration for Ingress resources by executing a configuration template. See [NGINX template](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/internal/configs/version1/nginx.ingress.tmpl) or [NGINX Plus template](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/internal/configs/version1/nginx-plus.ingress.tmpl). +The Ingress Controller generates NGINX configuration for Ingress resources by executing a configuration template. See [NGINX template](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.3/internal/configs/version1/nginx.ingress.tmpl) or [NGINX Plus template](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.3/internal/configs/version1/nginx-plus.ingress.tmpl). To support custom annotations, the template has access to the information about the Ingress resource - its *name*, *namespace* and *annotations*. It is possible to check if a particular annotation present in the Ingress resource and conditionally insert NGINX configuration directives at multiple NGINX contexts - `http`, `server`, `location` or `upstream`. Additionally, you can get the value that is set to the annotation. @@ -144,4 +144,4 @@ deny all; ## Example -See the [custom annotations example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/examples/ingress-resources/custom-annotations). +See the [custom annotations example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.3/examples/ingress-resources/custom-annotations). diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md index 8a49623ed5..b8aca9cd11 100644 --- a/docs/content/configuration/policy-resource.md +++ b/docs/content/configuration/policy-resource.md @@ -12,7 +12,7 @@ The Policy resource allows you to configure features like access control and rat The resource is implemented as a [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). -This document is the reference documentation for the Policy resource. An example of a Policy for access control is available in our [GitHub repository](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/examples/custom-resources/access-control). +This document is the reference documentation for the Policy resource. An example of a Policy for access control is available in our [GitHub repository](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.3/examples/custom-resources/access-control). ## Prerequisites @@ -459,7 +459,7 @@ NGINX Plus will pass the ID of an authenticated user to the backend in the HTTP #### Prerequisites In order to use OIDC, you need to enable [zone synchronization](https://docs.nginx.com/nginx/admin-guide/high-availability/zone_sync/). If you don't set up zone synchronization, NGINX Plus will fail to reload. -You also need to configure a resolver, which NGINX Plus will use to resolve the IDP authorization endpoint. You can find an example configuration [in our GitHub repository](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/examples/custom-resources/oidc#step-7---configure-nginx-plus-zone-synchronization-and-resolver). +You also need to configure a resolver, which NGINX Plus will use to resolve the IDP authorization endpoint. You can find an example configuration [in our GitHub repository](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.3/examples/custom-resources/oidc#step-7---configure-nginx-plus-zone-synchronization-and-resolver). > **Note**: The configuration in the example doesn't enable TLS and the synchronization between the replica happens in clear text. This could lead to the exposure of tokens. diff --git a/docs/content/configuration/security.md b/docs/content/configuration/security.md index 6b01344d45..89624662a3 100644 --- a/docs/content/configuration/security.md +++ b/docs/content/configuration/security.md @@ -22,10 +22,10 @@ In addition, the following relating more specifically to Ingress Controller. The Ingress Controller is deployed within a Kubernetes environment, this environment must be secured. Kubernetes uses [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) to control the resources and operations available to different types of users. The Ingress Controller requires a service account which is configured using RBAC. -We strongly recommend using the [RBAC configuration](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/deployments/rbac/rbac.yaml) provided in our standard deployment configuration. It is configured with the least amount of privilege required for the Ingress Controller to work. +We strongly recommend using the [RBAC configuration](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.3/deployments/rbac/rbac.yaml) provided in our standard deployment configuration. It is configured with the least amount of privilege required for the Ingress Controller to work. -We strongly recommend inspecting the RBAC configuration for [Manifests](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/deployments/rbac/rbac.yaml) -or for [Helm](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/charts/nginx-ingress/templates/rbac.yaml) to understand what access the Ingress Controller service account has and to which resources. For example, by default the service account has access to all Secret resources in the cluster. +We strongly recommend inspecting the RBAC configuration for [Manifests](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.3/deployments/rbac/rbac.yaml) +or for [Helm](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.3/charts/nginx-ingress/templates/rbac.yaml) to understand what access the Ingress Controller service account has and to which resources. For example, by default the service account has access to all Secret resources in the cluster. ### Certificates and Privacy Keys diff --git a/docs/content/configuration/transportserver-resource.md b/docs/content/configuration/transportserver-resource.md index 415a08e2da..e5e377608d 100644 --- a/docs/content/configuration/transportserver-resource.md +++ b/docs/content/configuration/transportserver-resource.md @@ -10,7 +10,7 @@ docs: "DOCS-598" The TransportServer resource allows you to configure TCP, UDP, and TLS Passthrough load balancing. The resource is implemented as a [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). -This document is the reference documentation for the TransportServer resource. To see additional examples of using the resource for specific use cases, go to the [examples/custom-resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources) folder in our GitHub repo. +This document is the reference documentation for the TransportServer resource. To see additional examples of using the resource for specific use cases, go to the [examples/custom-resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/custom-resources) folder in our GitHub repo. ## Prerequisites diff --git a/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md b/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md index 196163b0c1..a283f9830f 100644 --- a/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md +++ b/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md @@ -12,7 +12,7 @@ docs: "DOCS-599" The VirtualServer and VirtualServerRoute resources, introduced in release 1.5, enable use cases not supported with the Ingress resource, such as traffic splitting and advanced content-based routing. The resources are implemented as [Custom Resources](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). -This document is the reference documentation for the resources. To see additional examples of using the resources for specific use cases, go to the [examples/custom-resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources) folder in our GitHub repo. +This document is the reference documentation for the resources. To see additional examples of using the resources for specific use cases, go to the [examples/custom-resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/custom-resources) folder in our GitHub repo. ## VirtualServer Specification @@ -347,7 +347,7 @@ tls: |Field | Description | Type | Required | | ---| ---| ---| --- | |``name`` | The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, ``hello`` and ``upstream-123`` are valid. The name must be unique among all upstreams of the resource. | ``string`` | Yes | -|``service`` | The name of a [service](https://kubernetes.io/docs/concepts/services-networking/service/). The service must belong to the same namespace as the resource. If the service doesn't exist, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. For NGINX Plus only, services of type [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#externalname) are also supported (check the [prerequisites](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/externalname-services#prerequisites) ). | ``string`` | Yes | +|``service`` | The name of a [service](https://kubernetes.io/docs/concepts/services-networking/service/). The service must belong to the same namespace as the resource. If the service doesn't exist, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. For NGINX Plus only, services of type [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#externalname) are also supported (check the [prerequisites](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/externalname-services#prerequisites) ). | ``string`` | Yes | |``subselector`` | Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. If the pod labels are updated, the Ingress Controller will not see that change until the number of the pods is changed. | ``map[string]string`` | No | |``use-cluster-ip`` | Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like ``lb-method`` and ``next-upstream``) will have no effect, as the Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. | ``boolean`` | No | |``port`` | The port of the service. If the service doesn't define that port, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. The port must fall into the range ``1..65535``. | ``uint16`` | Yes | @@ -636,7 +636,7 @@ proxy: |``upstream`` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | ``string`` | Yes | |``requestHeaders`` | The request headers modifications. | [action.Proxy.RequestHeaders](#actionproxyrequestheaders) | No | |``responseHeaders`` | The response headers modifications. | [action.Proxy.ResponseHeaders](#actionproxyresponseheaders) | No | -|``rewritePath`` | The rewritten URI. If the route path is a regular expression -- starts with `~` -- the `rewritePath` can include capture groups with ``$1-9``. For example `$1` for the first group, and so on. For more information, check the [rewrite](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/rewrites) example. | ``string`` | No | +|``rewritePath`` | The rewritten URI. If the route path is a regular expression -- starts with `~` -- the `rewritePath` can include capture groups with ``$1-9``. For example `$1` for the first group, and so on. For more information, check the [rewrite](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/custom-resources/rewrites) example. | ``string`` | No | {{% /table %}} ### Action.Proxy.RequestHeaders diff --git a/docs/content/installation/building-nginx-ingress-controller.md b/docs/content/installation/building-nginx-ingress-controller.md index ce423ff524..de453282c4 100644 --- a/docs/content/installation/building-nginx-ingress-controller.md +++ b/docs/content/installation/building-nginx-ingress-controller.md @@ -41,10 +41,10 @@ Get your system ready for building and pushing the NGINX Ingress Controller imag cd kubernetes-ingress ``` - For instance if you want to clone version v3.4.2, the commands to run would be: + For instance if you want to clone version v3.4.3, the commands to run would be: ```shell - git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.2 + git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.3 cd kubernetes-ingress ``` diff --git a/docs/content/installation/installing-nic/installation-with-helm.md b/docs/content/installation/installing-nic/installation-with-helm.md index 4689961ec5..8255c2a423 100644 --- a/docs/content/installation/installing-nic/installation-with-helm.md +++ b/docs/content/installation/installing-nic/installation-with-helm.md @@ -45,10 +45,10 @@ kubectl apply -f crds/ Alternatively, CRDs can be upgraded without pulling the chart by running: ```console -kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/deploy/crds.yaml +kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/deploy/crds.yaml ``` -In the above command, `v3.4.2` represents the version of NGINX Ingress Controller release rather than the Helm chart version. +In the above command, `v3.4.3` represents the version of NGINX Ingress Controller release rather than the Helm chart version. {{}}The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply`. @@ -74,13 +74,13 @@ To install the chart with the release name my-release (my-release is the name th - For NGINX: ```shell - helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 + helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.3 ``` - For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`) ```shell - helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true + helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.3 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true ``` This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to use Docker Hub, you can replace `ghcr.io/nginxinc/charts/nginx-ingress` with `registry-1.docker.io/nginxcharts/nginx-ingress`. @@ -92,7 +92,7 @@ Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a re To upgrade the release `my-release`: ```shell -helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.3 ``` ### Uninstalling the Chart @@ -129,7 +129,7 @@ This step is required if you're installing the chart using its sources. Addition 1. Pull the chart sources: ```shell - helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.2 + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.1.3 ``` 2. Change your working directory to nginx-ingress: @@ -210,7 +210,7 @@ The steps you should follow depend on the Helm release name: Selector: app=nginx-ingress-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.4.2` +2. Checkout the latest available tag using `git checkout v3.4.3` 3. Navigate to `/kubernates-ingress/charts/nginx-ingress` @@ -255,7 +255,7 @@ The steps you should follow depend on the Helm release name: Selector: app=-nginx-ingress ``` -2. Checkout the latest available tag using `git checkout v3.4.2` +2. Checkout the latest available tag using `git checkout v3.4.3` 3. Navigate to `/kubernates-ingress/charts/nginx-ingress` @@ -318,7 +318,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont | **controller.logLevel** | The log level of the Ingress Controller. | 1 | | **controller.image.digest** | The image digest of the Ingress Controller. | None | | **controller.image.repository** | The image repository of the Ingress Controller. | nginx/nginx-ingress | -| **controller.image.tag** | The tag of the Ingress Controller image. | 3.4.2 | +| **controller.image.tag** | The tag of the Ingress Controller image. | 3.4.3 | | **controller.image.pullPolicy** | The pull policy for the Ingress Controller image. | IfNotPresent | | **controller.lifecycle** | The lifecycle of the Ingress Controller pods. | {} | | **controller.customConfigMap** | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | diff --git a/docs/content/installation/installing-nic/installation-with-manifests.md b/docs/content/installation/installing-nic/installation-with-manifests.md index 02ad0e6dca..2107bc1475 100644 --- a/docs/content/installation/installing-nic/installation-with-manifests.md +++ b/docs/content/installation/installing-nic/installation-with-manifests.md @@ -35,7 +35,7 @@ Clone the NGINX Ingress Controller repository using the command shown below, and git clone https://github.com/nginxinc/kubernetes-ingress.git --branch ``` -For example, if you want to use version 3.4.2, the command would be `git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.2`. +For example, if you want to use version 3.4.3, the command would be `git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.3`. This guide assumes you are using the latest release. @@ -69,7 +69,7 @@ There are two ways you can install the custom resource definitions: 1. Create CRDs for [VirtualServer and VirtualServerRoute]({{< relref "configuration/virtualserver-and-virtualserverroute-resources.md" >}}), [TransportServer]({{< relref "configuration/transportserver-resource.md" >}}), [Policy]({{< relref "configuration/policy-resource.md" >}}) and [GlobalConfiguration]({{< relref "configuration/global-configuration/globalconfiguration-resource.md" >}}): ```shell - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/deploy/crds.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/deploy/crds.yaml ``` ### Optional custom resource definitions @@ -77,13 +77,13 @@ There are two ways you can install the custom resource definitions: 1. For the NGINX App Protect WAF module, create CRDs for `APPolicy`, `APLogConf` and `APUserSig`: ```shell - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/deploy/crds-nap-waf.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/deploy/crds-nap-waf.yaml ``` 2. For the NGINX App Protect DoS module, create CRDs for `APDosPolicy`, `APDosLogConf` and `DosProtectedResource`: ```shell - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/deploy/crds-nap-dos.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/deploy/crds-nap-dos.yaml ``` {{%/tab%}} @@ -262,17 +262,17 @@ Connect to ports 80 and 443 using the IP address of any node in the cluster wher 1. Delete core custom resource definitions: ```shell - kubectl delete -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/deploy/crds.yaml + kubectl delete -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/deploy/crds.yaml ``` 2. Delete custom resource definitions for the NGINX App Protect WAF module: ```shell - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/deploy/crds-nap-waf.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/deploy/crds-nap-waf.yaml ``` 3. Delete custom resource definitions for the NGINX App Protect DoS module: ```shell - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/deploy/crds-nap-dos.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/deploy/crds-nap-dos.yaml ``` {{%/tab%}} diff --git a/docs/content/installation/installing-nic/installation-with-operator.md b/docs/content/installation/installing-nic/installation-with-operator.md index 1307e2fe91..df46afcc60 100644 --- a/docs/content/installation/installing-nic/installation-with-operator.md +++ b/docs/content/installation/installing-nic/installation-with-operator.md @@ -47,7 +47,7 @@ spec: image: pullPolicy: IfNotPresent repository: nginx/nginx-ingress - tag: 3.4.2-ubi + tag: 3.4.3-ubi ingressClass: nginx kind: deployment nginxplus: false diff --git a/docs/content/installation/integrations/app-protect-dos/configuration.md b/docs/content/installation/integrations/app-protect-dos/configuration.md index 511d494789..56ab217781 100644 --- a/docs/content/installation/integrations/app-protect-dos/configuration.md +++ b/docs/content/installation/integrations/app-protect-dos/configuration.md @@ -8,7 +8,7 @@ toc: true docs: "DOCS-580" --- -> Check out the complete [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/app-protect-dos). +> Check out the complete [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/app-protect-dos). ## App Protect DoS Configuration diff --git a/docs/content/installation/integrations/app-protect-dos/installation.md b/docs/content/installation/integrations/app-protect-dos/installation.md index f74a11366f..ca33e315e0 100644 --- a/docs/content/installation/integrations/app-protect-dos/installation.md +++ b/docs/content/installation/integrations/app-protect-dos/installation.md @@ -34,10 +34,10 @@ Get your system ready for building and pushing the NGINX Ingress Controller imag cd kubernetes-ingress ``` - For instance if you want to clone version v3.4.2, the commands to run would be: + For instance if you want to clone version v3.4.3, the commands to run would be: ```shell - git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.2 + git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.3 cd kubernetes-ingress/deployments ``` @@ -216,7 +216,7 @@ To enable the NGINX App Protect DoS Module: {{< include "installation/manifests/verify-pods-are-running.md" >}} -For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-dos/configuration.md" >}}),the [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/app-protect-dos). +For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-dos/configuration.md" >}}),the [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/app-protect-dos). --- diff --git a/docs/content/installation/integrations/app-protect-waf/configuration.md b/docs/content/installation/integrations/app-protect-waf/configuration.md index 1f7a4115ee..106e8acf7c 100644 --- a/docs/content/installation/integrations/app-protect-waf/configuration.md +++ b/docs/content/installation/integrations/app-protect-waf/configuration.md @@ -268,8 +268,8 @@ These are the typical steps to deploy an OpenAPI protection Policy in NGINX Ingr 3. Make other custom changes if needed (e.g. enable Data Guard protection). 4. Use a tool to convert the result to YAML. There are many, for example: [`yq` utility](https://github.com/mikefarah/yq). 5. Add the YAML properties to create an `APPolicy` Custom Resource putting the policy itself (as in step 4) within the `spec` property of the Custom Resource. Refer to the [NGINX App Protect Policies](#nginx-app-protect-waf-policies) section above. -6. Create a `Policy` object which references the `APPolicy` Custom Resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/examples/custom-resources/app-protect-waf/waf.yaml). -7. Finally, attach the `Policy` object to a `VirtualServer` resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.2/examples/custom-resources/app-protect-waf/virtual-server.yaml). +6. Create a `Policy` object which references the `APPolicy` Custom Resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.3/examples/custom-resources/app-protect-waf/waf.yaml). +7. Finally, attach the `Policy` object to a `VirtualServer` resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.4.3/examples/custom-resources/app-protect-waf/virtual-server.yaml). **Note**: You need to make sure that the server where the resource files are located is always available when you are compiling your policy. @@ -404,7 +404,7 @@ The `link` option is also available in the `openApiFileReference` property and i In this example we deploy NGINX Ingress Controller with NGINX Plus and NGINX App Protect WAF, deploy a simple web application, and then configure load balancing and WAF protection for that application using the VirtualServer resource. -**Note:** You can find the example, and the files referenced, on [GitHub](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/app-protect-waf). +**Note:** You can find the example, and the files referenced, on [GitHub](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/custom-resources/app-protect-waf). ## Prerequisites @@ -426,7 +426,7 @@ In this example we deploy NGINX Ingress Controller with NGINX Plus and NGINX App Create the application deployment and service: ```console - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/examples/custom-resources/app-protect-waf/webapp.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/examples/custom-resources/app-protect-waf/webapp.yaml ``` ### Step 2. Deploy the AP Policy @@ -434,15 +434,15 @@ Create the application deployment and service: 1. Create the syslog service and pod for the NGINX App Protect WAF security logs: ```console - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/examples/custom-resources/app-protect-waf/syslog.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/examples/custom-resources/app-protect-waf/syslog.yaml ``` 2. Create the User-Defined Signature, WAF policy, and log configuration: ```console - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/examples/custom-resources/app-protect-waf/ap-apple-uds.yaml - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/examples/custom-resources/app-protect-waf/ap-dataguard-alarm-policy.yaml - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/examples/custom-resources/app-protect-waf/ap-logconf.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/examples/custom-resources/app-protect-waf/ap-apple-uds.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/examples/custom-resources/app-protect-waf/ap-dataguard-alarm-policy.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/examples/custom-resources/app-protect-waf/ap-logconf.yaml ``` ### Step 3 - Deploy the WAF Policy @@ -450,7 +450,7 @@ Create the application deployment and service: Create the WAF policy ```console - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/examples/custom-resources/app-protect-waf/waf.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/examples/custom-resources/app-protect-waf/waf.yaml ``` Note the NGINX App Protect WAF configuration settings in the Policy resource. They enable WAF protection by configuring NGINX App Protect WAF with the policy and log configuration created in the previous step. @@ -460,7 +460,7 @@ Create the WAF policy 1. Create the VirtualServer Resource: ```console - kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/examples/custom-resources/app-protect-waf/virtual-server.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/examples/custom-resources/app-protect-waf/virtual-server.yaml ``` Note that the VirtualServer references the policy waf-policy created in Step 3. @@ -501,7 +501,7 @@ To access the application, curl the coffee and the tea services. We'll use the - ### Configuration Example of Virtual Server -Refer to GitHub repo for [Virtual Server example](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/examples/custom-resources/app-protect-waf/webapp.yaml). +Refer to GitHub repo for [Virtual Server example](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/examples/custom-resources/app-protect-waf/webapp.yaml). ```yaml apiVersion: k8s.nginx.org/v1 diff --git a/docs/content/installation/integrations/app-protect-waf/installation.md b/docs/content/installation/integrations/app-protect-waf/installation.md index dec65144d1..16aec1a96e 100644 --- a/docs/content/installation/integrations/app-protect-waf/installation.md +++ b/docs/content/installation/integrations/app-protect-waf/installation.md @@ -29,7 +29,7 @@ Get your system ready for building and pushing the NGINX Ingress Controller imag 1. Clone the NGINX Ingress Controller repository: ```console - git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.2 + git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.4.3 cd kubernetes-ingress ``` @@ -217,4 +217,4 @@ To enable the NGINX App Protect DoS Module: {{< include "installation/manifests/verify-pods-are-running.md" >}} -For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-waf/configuration.md" >}}) and the NGINX Ingress Controller with App Protect example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/app-protect-waf" >}}). +For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-waf/configuration.md" >}}) and the NGINX Ingress Controller with App Protect example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/app-protect-waf" >}}). diff --git a/docs/content/installation/nic-images/pulling-ingress-controller-image.md b/docs/content/installation/nic-images/pulling-ingress-controller-image.md index 6747ffa5de..17e02af444 100644 --- a/docs/content/installation/nic-images/pulling-ingress-controller-image.md +++ b/docs/content/installation/nic-images/pulling-ingress-controller-image.md @@ -38,7 +38,7 @@ The steps provided are for Linux. For Mac or Windows, consult the [Docker for Ma Next, pull the image you need from `private-registry.nginx.com`. To find the correct image, consult the [Tech Specs guide]({{< relref "technical-specifications#images-with-nginx-plus" >}}). -To pull an image, follow these steps. Replace `` with the specific version you need, for example, `3.4.2`. +To pull an image, follow these steps. Replace `` with the specific version you need, for example, `3.4.3`. - For NGINX Plus Ingress Controller, run: @@ -65,9 +65,9 @@ $ curl https://private-registry.nginx.com/v2/nginx-ic/nginx-plus-ingress/tags/li { "name": "nginx-ic/nginx-plus-ingress", "tags": [ - "3.4.2-alpine", - "3.4.2-ubi", - "3.4.2" + "3.4.3-alpine", + "3.4.3-ubi", + "3.4.3" ] } @@ -75,8 +75,8 @@ $ curl https://private-registry.nginx.com/v2/nginx-ic-nap/nginx-plus-ingress/tag { "name": "nginx-ic-nap/nginx-plus-ingress", "tags": [ - "3.4.2-ubi", - "3.4.2" + "3.4.3-ubi", + "3.4.3" ] } @@ -84,8 +84,8 @@ $ curl https://private-registry.nginx.com/v2/nginx-ic-dos/nginx-plus-ingress/tag { "name": "nginx-ic-dos/nginx-plus-ingress", "tags": [ - "3.4.2-ubi", - "3.4.2" + "3.4.3-ubi", + "3.4.3" ] } ``` @@ -102,7 +102,7 @@ After pulling the image, tag it and upload it to your private registry. docker login ``` -1. Tag and push the image. Replace `` with your registry's path and `` with the version you're using, for example `3.4.2`: +1. Tag and push the image. Replace `` with your registry's path and `` with the version you're using, for example `3.4.3`: - For NGINX Plus Ingress Controller, run: diff --git a/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md b/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md index 4b835b4d76..23f3d8114f 100644 --- a/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md +++ b/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md @@ -78,7 +78,7 @@ spec: seccompProfile: type: RuntimeDefault containers: - - image: private-registry.nginx.com/nginx-ic/nginx-plus-ingress:3.4.2 + - image: private-registry.nginx.com/nginx-ic/nginx-plus-ingress:3.4.3 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ``` @@ -118,7 +118,7 @@ The [Installation with Helm ]({{< relref "installation/installing-nic/installati repository: private-registry.nginx.com/nginx-ic/nginx-plus-ingress ## The version tag - tag: 3.4.2 + tag: 3.4.3 serviceAccount: ## The annotations of the service account of the Ingress Controller pods. @@ -150,7 +150,7 @@ If the namespace does not exist, `--create-namespace` will create it. Using `-f If you want to install NGINX Ingress Controller using the charts method, the following is an example of using the command line to pass the required arguments using the `set` parameter. ```shell -helm install my-release -n nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.2 --set controller.image.repository=private-registry.nginx.com/nginx-ic/nginx-plus-ingress --set controller.image.tag=3.4.2 --set controller.nginxplus=true --set controller.serviceAccount.imagePullSecretName=regcred +helm install my-release -n nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.1.3 --set controller.image.repository=private-registry.nginx.com/nginx-ic/nginx-plus-ingress --set controller.image.tag=3.4.3 --set controller.nginxplus=true --set controller.serviceAccount.imagePullSecretName=regcred ``` You can also use the certificate and key from the MyF5 portal and the Docker registry API to list the available image tags for the repositories, for example: @@ -160,9 +160,9 @@ You can also use the certificate and key from the MyF5 portal and the Docker reg { "name": "nginx-ic/nginx-plus-ingress", "tags": [ - "3.4.2-alpine", - "3.4.2-ubi", - "3.4.2" + "3.4.3-alpine", + "3.4.3-ubi", + "3.4.3" ] } @@ -170,8 +170,8 @@ You can also use the certificate and key from the MyF5 portal and the Docker reg { "name": "nginx-ic-nap/nginx-plus-ingress", "tags": [ - "3.4.2-ubi", - "3.4.2" + "3.4.3-ubi", + "3.4.3" ] } @@ -179,8 +179,8 @@ You can also use the certificate and key from the MyF5 portal and the Docker reg { "name": "nginx-ic-dos/nginx-plus-ingress", "tags": [ - "3.4.2-ubi", - "3.4.2" + "3.4.3-ubi", + "3.4.3" ] } ``` diff --git a/docs/content/overview/controller-comparison.md b/docs/content/overview/controller-comparison.md index 1e9fc56fb5..5c1a233a08 100644 --- a/docs/content/overview/controller-comparison.md +++ b/docs/content/overview/controller-comparison.md @@ -26,11 +26,11 @@ The table below summarizes the key difference between nginxinc/kubernetes-ingres | NGINX version | [Custom](https://github.com/kubernetes/ingress-nginx/tree/main/images/nginx) NGINX build that includes several third-party modules | NGINX official mainline [build](https://github.com/nginxinc/docker-nginx) | NGINX Plus | | Commercial support | N/A | N/A | Included | | **Load balancing configuration via the Ingress resource** | -| Merging Ingress rules with the same host | Supported | Supported via [Mergeable Ingresses](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/mergeable-ingress-types) | Supported via [Mergeable Ingresses](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/mergeable-ingress-types) | +| Merging Ingress rules with the same host | Supported | Supported via [Mergeable Ingresses](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/mergeable-ingress-types) | Supported via [Mergeable Ingresses](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/mergeable-ingress-types) | | HTTP load balancing extensions - Annotations | See the [supported annotations](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/) | See the [supported annotations](https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/) | See the [supported annotations](https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/)| | HTTP load balancing extensions -- ConfigMap | See the [supported ConfigMap keys](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/) | See the [supported ConfigMap keys](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) | See the [supported ConfigMap keys](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) | | TCP/UDP | Supported via a ConfigMap | Supported via custom resources | Supported via custom resources | -| Websocket | Supported | Supported via an [annotation](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/websocket) | Supported via an [annotation](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/websocket) | +| Websocket | Supported | Supported via an [annotation](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/websocket) | Supported via an [annotation](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/websocket) | | TCP SSL Passthrough | Supported via a ConfigMap | Supported via custom resources | Supported via custom resources | | JWT validation | Not supported | Not supported | Supported | | Session persistence | Supported via a third-party module | Not supported | Supported | diff --git a/docs/content/overview/nginx-plus.md b/docs/content/overview/nginx-plus.md index e582a7fe15..61ffd54997 100644 --- a/docs/content/overview/nginx-plus.md +++ b/docs/content/overview/nginx-plus.md @@ -16,9 +16,9 @@ The NGINX Ingress Controller works with [NGINX](https://nginx.org/) as well as [ - _Real-time metrics_: Metrics for NGINX Plus and application performance are available through the API or the [NGINX Status Page]({{< relref "logging-and-monitoring/status-page">}}). These metrics can also be exported to [Prometheus]({{< relref "logging-and-monitoring/prometheus">}}). - _Additional load balancing methods_: The `least_time` and `random two least_time` methods and their derivatives become available. The NGINX [`ngx_http_upstream_module` documentation](https://nginx.org/en/docs/http/ngx_http_upstream_module.html) has the complete list of load balancing methods. -- _Session persistence_: The *sticky cookie* method becomes available. See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/session-persistence) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/session-persistence) examples. -- _Active health checks_: See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/health-checks) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/health-checks) examples. -- _JWT validation_: See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/ingress-resources/jwt) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.2/examples/custom-resources/jwt) examples. +- _Session persistence_: The *sticky cookie* method becomes available. See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/session-persistence) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/custom-resources/session-persistence) examples. +- _Active health checks_: See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/health-checks) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/custom-resources/health-checks) examples. +- _JWT validation_: See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/jwt) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/custom-resources/jwt) examples. For a comprehensive guide of NGINX Plus features available with Ingress resources, see the [ConfigMap]({{< relref "configuration/global-configuration/configmap-resource">}}) and [Annotations]({{< relref "configuration/ingress-resources/advanced-configuration-with-annotations">}}) documentation. diff --git a/docs/content/releases.md b/docs/content/releases.md index 4642a03709..486a37e6c1 100644 --- a/docs/content/releases.md +++ b/docs/content/releases.md @@ -6,6 +6,62 @@ doctypes: ["concept"] toc: true docs: "DOCS-616" --- +## 3.4.3 + +19 Feb 2024 + +### Fixes +[5008](https://github.com/nginxinc/kubernetes-ingress/pull/5008) Remove redundant Prometheus variable labels +[4744](https://github.com/nginxinc/kubernetes-ingress/pull/4744) Fixed validation for VSR exact & regex subroutes. Thanks to [jo-carter](https://github.com/jo-carter). +[4832](https://github.com/nginxinc/kubernetes-ingress/pull/4832) Fix new lines in snippets +[5020](https://github.com/nginxinc/kubernetes-ingress/pull/5020) Fix template file spacing for `ssl_protocols` directive +[5041](https://github.com/nginxinc/kubernetes-ingress/pull/5041) Allow waf users to build without dos repo access + +### Dependencies +[5073](https://github.com/nginxinc/kubernetes-ingress/pull/5073) Bump redhat/ubi8 from `23d8dfd` to `627867e` in /build +[5029](https://github.com/nginxinc/kubernetes-ingress/pull/5029) Bump redhat/ubi8 from `fc88b13` to `23d8dfd` in /build +[5074](https://github.com/nginxinc/kubernetes-ingress/pull/5074) Bump opentracing/nginx-opentracing from `2e0268d` to `2217e9f` in /build +[4927](https://github.com/nginxinc/kubernetes-ingress/pull/4927) Bump opentracing/nginx-opentracing from `426c2ff` to `2e0268d` in /build +[5072](https://github.com/nginxinc/kubernetes-ingress/pull/5072) Bump nginx from `156d75f` to `f2802c2` in /build +[5028](https://github.com/nginxinc/kubernetes-ingress/pull/5028) Bump nginx from `156d75f` to `156d75f` in /build +[5019](https://github.com/nginxinc/kubernetes-ingress/pull/5019) Bump nginx from `5b7ff23` to `156d75f` in /build +[5012](https://github.com/nginxinc/kubernetes-ingress/pull/5012) Bump nginx from `d12e6f7` to `5b7ff23` in /build +[5003](https://github.com/nginxinc/kubernetes-ingress/pull/5003) Bump nginx from `a59278f` to `d12e6f7` in /build +[4926](https://github.com/nginxinc/kubernetes-ingress/pull/4926) Bump nginx from `a59278f` to `a59278f` in /build +[4925](https://github.com/nginxinc/kubernetes-ingress/pull/4925) Bump the docker-images group in /build with 1 update +[5004](https://github.com/nginxinc/kubernetes-ingress/pull/5004) Bump golang from `51a7800` to `a6a7f1f` in /build +[4984](https://github.com/nginxinc/kubernetes-ingress/pull/4984) Bump golang from `fd78f2f` to `51a7800` in /build +[4928](https://github.com/nginxinc/kubernetes-ingress/pull/4928) Bump golang from `4db4aac` to `fd78f2f` in /build +[4992](https://github.com/nginxinc/kubernetes-ingress/pull/4992) Bump nginxcontrib/nginx from `4059aff` to `4a3e891` in /build +[4994](https://github.com/nginxinc/kubernetes-ingress/pull/4994) Bump redhat/ubi9-minimal from `a340f4b` to `582e18f` in /build +[5033](https://github.com/nginxinc/kubernetes-ingress/pull/5033) Updates `kindest/node` from v1.29.0 to v1.29.1 +[4909](https://github.com/nginxinc/kubernetes-ingress/pull/4909) Bump the go group with 1 update +[4924](https://github.com/nginxinc/kubernetes-ingress/pull/4924) Bump the go group with 1 update +[4939](https://github.com/nginxinc/kubernetes-ingress/pull/4939) Bump the go group with 5 updates +[4949](https://github.com/nginxinc/kubernetes-ingress/pull/4949) Bump the go group with 1 update +[4971](https://github.com/nginxinc/kubernetes-ingress/pull/4971) Bump the go group with 1 update +[5022](https://github.com/nginxinc/kubernetes-ingress/pull/5022) Bump the go group with 1 update +[5034](https://github.com/nginxinc/kubernetes-ingress/pull/5034) Bump the go group with 1 update +[5055](https://github.com/nginxinc/kubernetes-ingress/pull/5055) Bump the go group with 1 update + +### Upgrade + +- For NGINX, use the 3.4.3 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.4.3), +[GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.4.3 images from the F5 Container registry, +the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE), +the [GCP Marketplace](https://console.cloud.google.com/marketplace/browse?filter=partner:F5,%20Inc.&filter=solution-type:k8s&filter=category:networking) +or build your own image using the 3.4.3 source code +- For Helm, use version 1.1.3 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.23-1.29. + ## 3.4.2 16 Jan 2024 diff --git a/docs/content/technical-specifications.md b/docs/content/technical-specifications.md index 2ea8c3302f..5db41af401 100644 --- a/docs/content/technical-specifications.md +++ b/docs/content/technical-specifications.md @@ -23,7 +23,7 @@ We explicitly test NGINX Ingress Controller on a range of Kubernetes platforms f {{< bootstrap-table "table table-bordered table-striped table-responsive" >}} | NIC Version | Supported Kubernetes Version | NIC Helm Chart Version | NIC Operator Version | NGINX / NGINX Plus version | | --- | --- | --- | --- | --- | -| 3.4.2 | 1.29 - 1.23 | 1.1.2 | 2.1.0 | 1.25.3 / R31 | +| 3.4.3 | 1.29 - 1.23 | 1.1.3 | 2.1.0 | 1.25.4 / R31 P1 | | 3.3.2 | 1.28 - 1.22 | 1.0.2 | 2.0.2 | 1.25.3 / R30 | | 3.2.1 | 1.27 - 1.22 | 0.18.1 | 1.5.1 | 1.25.2 / R30 | | 3.1.1 | 1.26 - 1.22 | 0.17.1 | 1.4.2 | 1.23.4 / R29 | @@ -48,14 +48,14 @@ We provide the following Docker images, which include NGINX or NGINX Plus bundle ### Images with NGINX -_All images include NGINX 1.25.3._ +_All images include NGINX 1.25.4._ {{< bootstrap-table "table table-bordered table-responsive" >}} |
Name
|
Base image
|
Third-party modules
| DockerHub image | Architectures | | ---| --- | --- | --- | --- | -|Alpine-based image | ``nginx:1.25.3-alpine``,
based on on ``alpine:3.18`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:3.4.2-alpine`` | arm/v7
arm64
amd64
ppc64le
s390x | -|Debian-based image | ``nginx:1.25.3``,
based on on ``debian:12-slim`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:3.4.2`` | arm/v7
arm64
amd64
ppc64le
s390x | -|Ubi-based image | ``nginxcontrib/nginx:1.25.3-ubi``,
based on on ``redhat/ubi9-minimal`` | | ``nginx/nginx-ingress:3.4.2-ubi`` | arm64
amd64
ppc64le
s390x | +|Alpine-based image | ``nginx:1.25.4-alpine``,
based on on ``alpine:3.18`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:3.4.3-alpine`` | arm/v7
arm64
amd64
ppc64le
s390x | +|Debian-based image | ``nginx:1.25.4``,
based on on ``debian:12-slim`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:3.4.3`` | arm/v7
arm64
amd64
ppc64le
s390x | +|Ubi-based image | ``nginxcontrib/nginx:1.25.4-ubi``,
based on on ``redhat/ubi9-minimal`` | | ``nginx/nginx-ingress:3.4.3-ubi`` | arm64
amd64
ppc64le
s390x | {{% /bootstrap-table %}} ### Images with NGINX Plus @@ -69,16 +69,16 @@ NGINX Plus images are available through the F5 Container registry `private-regis {{< bootstrap-table "table table-striped table-bordered table-responsive" >}} |
Name
|
Base image
|
Third-party modules
| F5 Container Registry Image | Architectures | | ---| ---| --- | --- | --- | -|Alpine-based image | ``alpine:3.18`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:3.4.2-alpine` | arm64
amd64 | -|Alpine-based image with FIPS inside | ``alpine:3.18`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog

FIPS module and OpenSSL configuration | `nginx-ic/nginx-plus-ingress:3.4.2-alpine-fips` | arm64
amd64 | -|Debian-based image | ``debian:12-slim`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:3.4.2` | arm64
amd64 | -|Debian-based image with NGINX App Protect WAF | ``debian:11-slim`` | NGINX App Protect WAF

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-nap/nginx-plus-ingress:3.4.2` | amd64 | -|Debian-based image with NGINX App Protect DoS | ``debian:11-slim`` | NGINX App Protect DoS

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-dos/nginx-plus-ingress:3.4.2` | amd64 | -|Debian-based image with NGINX App Protect WAF and DoS | ``debian:11-slim`` | NGINX App Protect WAF and DoS

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-nap-dos/nginx-plus-ingress:3.4.2` | amd64 | -|Ubi-based image | ``redhat/ubi9-minimal`` | NGINX Plus JavaScript module | `nginx-ic/nginx-plus-ingress:3.4.2-ubi` | arm64
amd64
s390x | -|Ubi-based image with NGINX App Protect WAF | ``redhat/ubi8`` | NGINX App Protect WAF and NGINX Plus JavaScript module | `nginx-ic-nap/nginx-plus-ingress:3.4.2-ubi` | amd64 | -|Ubi-based image with NGINX App Protect DoS | ``redhat/ubi8`` | NGINX App Protect DoS and NGINX Plus JavaScript module | `nginx-ic-dos/nginx-plus-ingress:3.4.2-ubi` | amd64 | -|Ubi-based image with NGINX App Protect WAF and DoS | ``redhat/ubi8`` | NGINX App Protect WAF and DoS

NGINX Plus JavaScript module | `nginx-ic-nap-dos/nginx-plus-ingress:3.4.2-ubi` | amd64 | +|Alpine-based image | ``alpine:3.18`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:3.4.3-alpine` | arm64
amd64 | +|Alpine-based image with FIPS inside | ``alpine:3.18`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog

FIPS module and OpenSSL configuration | `nginx-ic/nginx-plus-ingress:3.4.3-alpine-fips` | arm64
amd64 | +|Debian-based image | ``debian:12-slim`` | NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:3.4.3` | arm64
amd64 | +|Debian-based image with NGINX App Protect WAF | ``debian:11-slim`` | NGINX App Protect WAF

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-nap/nginx-plus-ingress:3.4.3` | amd64 | +|Debian-based image with NGINX App Protect DoS | ``debian:11-slim`` | NGINX App Protect DoS

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-dos/nginx-plus-ingress:3.4.3` | amd64 | +|Debian-based image with NGINX App Protect WAF and DoS | ``debian:11-slim`` | NGINX App Protect WAF and DoS

NGINX Plus JavaScript and OpenTracing modules

OpenTracing tracers for Jaeger

Zipkin and Datadog | `nginx-ic-nap-dos/nginx-plus-ingress:3.4.3` | amd64 | +|Ubi-based image | ``redhat/ubi9-minimal`` | NGINX Plus JavaScript module | `nginx-ic/nginx-plus-ingress:3.4.3-ubi` | arm64
amd64
s390x | +|Ubi-based image with NGINX App Protect WAF | ``redhat/ubi8`` | NGINX App Protect WAF and NGINX Plus JavaScript module | `nginx-ic-nap/nginx-plus-ingress:3.4.3-ubi` | amd64 | +|Ubi-based image with NGINX App Protect DoS | ``redhat/ubi8`` | NGINX App Protect DoS and NGINX Plus JavaScript module | `nginx-ic-dos/nginx-plus-ingress:3.4.3-ubi` | amd64 | +|Ubi-based image with NGINX App Protect WAF and DoS | ``redhat/ubi8`` | NGINX App Protect WAF and DoS

NGINX Plus JavaScript module | `nginx-ic-nap-dos/nginx-plus-ingress:3.4.3-ubi` | amd64 | {{% /bootstrap-table %}} #### **AWS Marketplace** diff --git a/docs/content/troubleshooting/troubleshoot-common.md b/docs/content/troubleshooting/troubleshoot-common.md index 0c81e09e92..516676f0c4 100644 --- a/docs/content/troubleshooting/troubleshoot-common.md +++ b/docs/content/troubleshooting/troubleshoot-common.md @@ -145,7 +145,7 @@ controller: nginxplus: plus image: repository: nginx/nginx-ingress - tag: 3.4.2 + tag: 3.4.3 # NGINX Configmap config: entries: diff --git a/docs/content/tutorials/custom-listen-ports.md b/docs/content/tutorials/custom-listen-ports.md index 9373b91483..0b9e421235 100644 --- a/docs/content/tutorials/custom-listen-ports.md +++ b/docs/content/tutorials/custom-listen-ports.md @@ -88,7 +88,7 @@ spec: spec: serviceAccountName: nginx-ingress containers: - - image: nginx/nginx-ingress:3.4.2 + - image: nginx/nginx-ingress:3.4.3 imagePullPolicy: IfNotPresent name: nginx-ingress ports: diff --git a/docs/content/tutorials/oidc-custom-configuration.md b/docs/content/tutorials/oidc-custom-configuration.md index 77b8a97d68..fade9f31ed 100644 --- a/docs/content/tutorials/oidc-custom-configuration.md +++ b/docs/content/tutorials/oidc-custom-configuration.md @@ -30,7 +30,7 @@ Run the below command to generate a ConfigMap with the contents of the `oidc.con **NOTE** The ConfigMap must be deployed in the same `namespace` as the F5 NGINX Ingress Controller. ```console -kubectl create configmap oidc-config-map --from-literal=oidc.conf="$(curl -k https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/internal/configs/oidc/oidc.conf)" +kubectl create configmap oidc-config-map --from-literal=oidc.conf="$(curl -k https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/internal/configs/oidc/oidc.conf)" ``` Use the `kubectl describe` command to confirm the contents of the ConfigMap are correct. diff --git a/docs/content/usage-reporting.md b/docs/content/usage-reporting.md index 59c1c09600..1220835dbc 100644 --- a/docs/content/usage-reporting.md +++ b/docs/content/usage-reporting.md @@ -87,7 +87,7 @@ To make the credential available to Usage Reporting, we need to create a Kuberne If you need to update the basic-auth credentials for NGINX Management Suite in the future, update the `username` and `password` fields, and apply the changes by running the command again. Usage Reporting will automatically detect the changes, using the new username and password without redeployment. -5. Download and save the deployment file [cluster-connector.yaml](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.2/examples/shared-examples/usage-reporting/cluster-connector.yaml). Edit the following under the `args` section and then save the file: +5. Download and save the deployment file [cluster-connector.yaml](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.4.3/examples/shared-examples/usage-reporting/cluster-connector.yaml). Edit the following under the `args` section and then save the file: ```yaml args: From 3b14d1d09e7cd07ea769fdaa968bab68b7b7319e Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Mon, 19 Feb 2024 12:13:45 +0000 Subject: [PATCH 20/22] update to nginx 1.25.4 for alpine & opentracing (#5120) --- build/Dockerfile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index c5842d46f6..fed2c566e8 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -6,13 +6,13 @@ ARG DEBIAN_FRONTEND=noninteractive ############################################# Base images containing libs for Opentracing and FIPS ############################################# -FROM opentracing/nginx-opentracing:nginx-1.25.3@sha256:2217e9fa36a2130d395a40bb051965cf64c9d10087281e301e9c0b60ce2a1a57 as opentracing-lib -FROM opentracing/nginx-opentracing:nginx-1.25.3-alpine@sha256:37c7de3a46ca05428450b1c64bfb2a4d2f9c1835860cef427928fcf11c178f0e as alpine-opentracing-lib +FROM opentracing/nginx-opentracing:nginx-1.25.4@sha256:2c40c39be2946c080ddb0a43cfdcb856c320ec6fcc9a9126d6f8eafa452787a6 as opentracing-lib +FROM opentracing/nginx-opentracing:nginx-1.25.4-alpine@sha256:682076ac800d0703bf72520116e6a477bb0587551b91882d82d9735e187fcc9f as alpine-opentracing-lib FROM ghcr.io/nginxinc/alpine-fips:0.1.1-alpine3.18@sha256:6f124002650fae697152290a14a7caa7f21884e8d78d8236c63fec2d018d721d as alpine-fips ############################################# Base image for Alpine ############################################# -FROM nginx:1.25.3-alpine@sha256:f2802c2a9d09c7aa3ace27445dfc5656ff24355da28e7b958074a0111e3fc076 AS alpine +FROM nginx:1.25.4-alpine@sha256:6a2f8b28e45c4adea04ec207a251fd4a2df03ddc930f782af51e315ebc76e9a9 AS alpine RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ apk add --no-cache libcap libstdc++ \ @@ -24,7 +24,7 @@ RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ ############################################# Base image for Debian ############################################# -FROM nginx:1.25.3@sha256:84c52dfd55c467e12ef85cad6a252c0990564f03c4850799bf41dd738738691f AS debian +FROM nginx:1.25.4@sha256:c26ae7472d624ba1fafd296e73cecc4f93f853088e6a9c13c0d52f6ca5865107 AS debian RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ apt-get update \ @@ -37,7 +37,7 @@ RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ ############################################# Base image for UBI ############################################# -FROM nginxcontrib/nginx:1.25.3-ubi@sha256:4a3e891705687db11a02a3ba37a1ce42b01349d49198a956576787ab4a3a7a0c AS ubi +FROM nginxcontrib/nginx:1.25.4-ubi@sha256:e5a56115996ebe12fe7678645a4a33fd8ce345c38e778b1f5b058b14267a50de AS ubi ARG IC_VERSION LABEL name="NGINX Ingress Controller" \ From fe98b86b073a75400459f86e63c31a7c76b2e216 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Mon, 19 Feb 2024 17:31:29 +0000 Subject: [PATCH 21/22] cleanup 3.4.3 dependencies (#5121) --- docs/content/releases.md | 51 +++++++++++++++------------------------- 1 file changed, 19 insertions(+), 32 deletions(-) diff --git a/docs/content/releases.md b/docs/content/releases.md index 486a37e6c1..63b70b39f1 100644 --- a/docs/content/releases.md +++ b/docs/content/releases.md @@ -11,38 +11,25 @@ docs: "DOCS-616" 19 Feb 2024 ### Fixes -[5008](https://github.com/nginxinc/kubernetes-ingress/pull/5008) Remove redundant Prometheus variable labels -[4744](https://github.com/nginxinc/kubernetes-ingress/pull/4744) Fixed validation for VSR exact & regex subroutes. Thanks to [jo-carter](https://github.com/jo-carter). -[4832](https://github.com/nginxinc/kubernetes-ingress/pull/4832) Fix new lines in snippets -[5020](https://github.com/nginxinc/kubernetes-ingress/pull/5020) Fix template file spacing for `ssl_protocols` directive -[5041](https://github.com/nginxinc/kubernetes-ingress/pull/5041) Allow waf users to build without dos repo access +- [5008](https://github.com/nginxinc/kubernetes-ingress/pull/5008) Remove redundant Prometheus variable labels +- [4744](https://github.com/nginxinc/kubernetes-ingress/pull/4744) Fixed validation for VSR exact & regex subroutes. Thanks to [jo-carter](https://github.com/jo-carter). +- [4832](https://github.com/nginxinc/kubernetes-ingress/pull/4832) Fix new lines in snippets +- [5020](https://github.com/nginxinc/kubernetes-ingress/pull/5020) Fix template file spacing for `ssl_protocols` directive +- [5041](https://github.com/nginxinc/kubernetes-ingress/pull/5041) Allow waf users to build without dos repo access + +### Helm Chart +- [4953](https://github.com/nginxinc/kubernetes-ingress/pull/4953) Add docs links to helm NOTES.txt ### Dependencies -[5073](https://github.com/nginxinc/kubernetes-ingress/pull/5073) Bump redhat/ubi8 from `23d8dfd` to `627867e` in /build -[5029](https://github.com/nginxinc/kubernetes-ingress/pull/5029) Bump redhat/ubi8 from `fc88b13` to `23d8dfd` in /build -[5074](https://github.com/nginxinc/kubernetes-ingress/pull/5074) Bump opentracing/nginx-opentracing from `2e0268d` to `2217e9f` in /build -[4927](https://github.com/nginxinc/kubernetes-ingress/pull/4927) Bump opentracing/nginx-opentracing from `426c2ff` to `2e0268d` in /build -[5072](https://github.com/nginxinc/kubernetes-ingress/pull/5072) Bump nginx from `156d75f` to `f2802c2` in /build -[5028](https://github.com/nginxinc/kubernetes-ingress/pull/5028) Bump nginx from `156d75f` to `156d75f` in /build -[5019](https://github.com/nginxinc/kubernetes-ingress/pull/5019) Bump nginx from `5b7ff23` to `156d75f` in /build -[5012](https://github.com/nginxinc/kubernetes-ingress/pull/5012) Bump nginx from `d12e6f7` to `5b7ff23` in /build -[5003](https://github.com/nginxinc/kubernetes-ingress/pull/5003) Bump nginx from `a59278f` to `d12e6f7` in /build -[4926](https://github.com/nginxinc/kubernetes-ingress/pull/4926) Bump nginx from `a59278f` to `a59278f` in /build -[4925](https://github.com/nginxinc/kubernetes-ingress/pull/4925) Bump the docker-images group in /build with 1 update -[5004](https://github.com/nginxinc/kubernetes-ingress/pull/5004) Bump golang from `51a7800` to `a6a7f1f` in /build -[4984](https://github.com/nginxinc/kubernetes-ingress/pull/4984) Bump golang from `fd78f2f` to `51a7800` in /build -[4928](https://github.com/nginxinc/kubernetes-ingress/pull/4928) Bump golang from `4db4aac` to `fd78f2f` in /build -[4992](https://github.com/nginxinc/kubernetes-ingress/pull/4992) Bump nginxcontrib/nginx from `4059aff` to `4a3e891` in /build -[4994](https://github.com/nginxinc/kubernetes-ingress/pull/4994) Bump redhat/ubi9-minimal from `a340f4b` to `582e18f` in /build -[5033](https://github.com/nginxinc/kubernetes-ingress/pull/5033) Updates `kindest/node` from v1.29.0 to v1.29.1 -[4909](https://github.com/nginxinc/kubernetes-ingress/pull/4909) Bump the go group with 1 update -[4924](https://github.com/nginxinc/kubernetes-ingress/pull/4924) Bump the go group with 1 update -[4939](https://github.com/nginxinc/kubernetes-ingress/pull/4939) Bump the go group with 5 updates -[4949](https://github.com/nginxinc/kubernetes-ingress/pull/4949) Bump the go group with 1 update -[4971](https://github.com/nginxinc/kubernetes-ingress/pull/4971) Bump the go group with 1 update -[5022](https://github.com/nginxinc/kubernetes-ingress/pull/5022) Bump the go group with 1 update -[5034](https://github.com/nginxinc/kubernetes-ingress/pull/5034) Bump the go group with 1 update -[5055](https://github.com/nginxinc/kubernetes-ingress/pull/5055) Bump the go group with 1 update +- [5073](https://github.com/nginxinc/kubernetes-ingress/pull/5073), [5029](https://github.com/nginxinc/kubernetes-ingress/pull/5029) Bump redhat/ubi8 base image +- [4992](https://github.com/nginxinc/kubernetes-ingress/pull/4992) Bump ubi base image +- [4994](https://github.com/nginxinc/kubernetes-ingress/pull/4994) Bump redhat/ubi9-minimal base image +- [5074](https://github.com/nginxinc/kubernetes-ingress/pull/5074), [4927](https://github.com/nginxinc/kubernetes-ingress/pull/4927) Bump opentracing/nginx-opentracing +- [5072](https://github.com/nginxinc/kubernetes-ingress/pull/5072), [5028](https://github.com/nginxinc/kubernetes-ingress/pull/5028), [5019](https://github.com/nginxinc/kubernetes-ingress/pull/5019), [5012](https://github.com/nginxinc/kubernetes-ingress/pull/5012), [5003](https://github.com/nginxinc/kubernetes-ingress/pull/5003), [4926](https://github.com/nginxinc/kubernetes-ingress/pull/4926), [5119](https://github.com/nginxinc/kubernetes-ingress/pull/5119) Bump nginx image +- [4925](https://github.com/nginxinc/kubernetes-ingress/pull/4925) Bump the debian base image +- [5004](https://github.com/nginxinc/kubernetes-ingress/pull/5004), [4984](https://github.com/nginxinc/kubernetes-ingress/pull/4984), [4928](https://github.com/nginxinc/kubernetes-ingress/pull/4928) Bump golang build image +- [5033](https://github.com/nginxinc/kubernetes-ingress/pull/5033) Updates `kindest/node` from v1.29.0 to v1.29.1 +- [4909](https://github.com/nginxinc/kubernetes-ingress/pull/4909), [4924](https://github.com/nginxinc/kubernetes-ingress/pull/4924), [4939](https://github.com/nginxinc/kubernetes-ingress/pull/4939), [4949](https://github.com/nginxinc/kubernetes-ingress/pull/4949), [4971](https://github.com/nginxinc/kubernetes-ingress/pull/4971), [5022](https://github.com/nginxinc/kubernetes-ingress/pull/5022), [5034](https://github.com/nginxinc/kubernetes-ingress/pull/5034), [5055](https://github.com/nginxinc/kubernetes-ingress/pull/5055) Bump the go dependencies ### Upgrade @@ -92,8 +79,8 @@ versions: 1.23-1.29. 15 Jan 2024 ### Dependencies -[4886](https://github.com/nginxinc/kubernetes-ingress/pull/4886) Update N+ to R31 -[4886](https://github.com/nginxinc/kubernetes-ingress/pull/4886) Bump Go dependencies. +- [4886](https://github.com/nginxinc/kubernetes-ingress/pull/4886) Update N+ to R31 +- [4886](https://github.com/nginxinc/kubernetes-ingress/pull/4886) Bump Go dependencies. ### Upgrade From 9b72073557e8fe0a4f93033f6a1aec60dc671e69 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Fri, 15 Mar 2024 16:30:05 +0000 Subject: [PATCH 22/22] add variables script to release branch (#5254) --- .github/scripts/variables.sh | 29 +++++++++++++++++++++++++++++ build/Dockerfile | 2 +- 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100755 .github/scripts/variables.sh diff --git a/.github/scripts/variables.sh b/.github/scripts/variables.sh new file mode 100755 index 0000000000..6208288558 --- /dev/null +++ b/.github/scripts/variables.sh @@ -0,0 +1,29 @@ +#!/usr/bin/env bash + +if [ "$1" = "" ]; then + echo "ERROR: parameter needed" + exit 2 +fi + +INPUT=$1 +ROOTDIR=$(git rev-parse --show-toplevel || echo ".") +if [ "$PWD" != "$ROOTDIR" ]; then + # shellcheck disable=SC2164 + cd "$ROOTDIR"; +fi + +case $INPUT in + docker_md5) + docker_md5=$(find . -type f \( -name "Dockerfile" -o -name version.txt \) -not -path "./tests*" -exec md5sum {} + | LC_ALL=C sort | md5sum | awk '{ print $1 }') + echo "docker_md5=${docker_md5:0:8}" + ;; + + go_code_md5) + echo "go_code_md5=$(find . -type f \( -name "*.go" -o -name go.mod -o -name go.sum -o -name "*.tmpl" \) -not -path "./docs*" -exec md5sum {} + | LC_ALL=C sort | md5sum | awk '{ print $1 }')" + ;; + + *) + echo "ERROR: option not found" + exit 2 + ;; +esac diff --git a/build/Dockerfile b/build/Dockerfile index fed2c566e8..970f132f43 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -208,7 +208,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus and App Protect WAF/DoS ############################################# -FROM redhat/ubi8@sha256:627867e53ad6846afba2dfbf5cef1d54c868a9025633ef0afd546278d4654eac as ubi-plus-nap +FROM redhat/ubi8@sha256:bce7e9f69fb7d4533447232478fd825811c760288f87a35699f9c8f030f2c1a6 as ubi-plus-nap ARG NAP_MODULES RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \