Merge pull request #113 from erikwilson/ingress-nginx-3.34.0

Hardened ingress-nginx 3.34.0
Erik Wilson 2021-07-08 16:57:34 -07:00 committed by GitHub
commit 487ff32a4c
8 changed files with 63 additions and 41 deletions


@ -1,6 +1,6 @@
--- charts-original/templates/_helpers.tpl
+++ charts/templates/_helpers.tpl
@@ -118,7 +118,15 @@
@@ -118,7 +118,7 @@
Check the ingress controller version tag is at most three versions behind the last release
*/}}
{{- define "isControllerTagValid" -}}
@ -9,6 +9,10 @@
{{- fail "Controller container image tag should be 0.27.0 or higher" -}}
{{- end -}}
{{- end -}}
@@ -132,3 +132,15 @@
{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4}}
{{ end }}
{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.systemDefaultRegistry -}}
@ -17,3 +21,7 @@
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "repository_or_registry_and_image" -}}
+{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}
+{{- end -}}
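Review bot: The new `repository_or_registry_and_image` helper on the `{{- if .repository -}}` line still honours a `registry`/`image` pair, yet every caller introduced by this commit (job-createSecret, job-patchWebhook, controller-daemonset, controller-deployment, default-backend-deployment) prefixes its output with `system_default_registry`, so when `global.systemDefaultRegistry` is set and a user supplies `registry` instead of `repository` the rendered reference appears to become `<default-registry>/<registry>/<image>:<tag>`, an image that is pulled from the wrong place or not at all. The body of `system_default_registry` is partly outside this hunk, so whether it emits a trailing slash cannot be confirmed here. Either guard the `else` branch so `registry` is ignored while the system default registry is in effect, or at least state the constraint on the helper: `{{/* Renders "<repository|registry/image>:<tag>[@<digest>]"; callers prefix system_default_registry, so set only repository when global.systemDefaultRegistry is in use */}}`. Note also that `@<digest>` is emitted only when the key is present, so omitting it from values silently falls back to a mutable tag.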


@ -1,13 +1,13 @@
--- charts-original/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ charts/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -32,9 +32,7 @@
@@ -33,9 +33,7 @@
{{- end }}
containers:
- name: create
- {{- with .Values.controller.admissionWebhooks.patch.image }}
- image: "{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
- image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
- {{- end }}
+ image: "{{ template "system_default_registry" . }}{{.Values.controller.admissionWebhooks.patch.image.repository}}:{{ .Values.controller.admissionWebhooks.patch.image.tag }}{{- if (.Values.controller.admissionWebhooks.patch.image.digest) -}} @{{.Values.controller.admissionWebhooks.patch.image.digest}} {{- end -}}"
+ image: "{{ template "system_default_registry" . }}{{ template "repository_or_registry_and_image" .Values.controller.admissionWebhooks.patch.image }}"
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
args:
- create


@ -1,13 +1,13 @@
--- charts-original/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ charts/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -32,9 +32,7 @@
@@ -33,9 +33,7 @@
{{- end }}
containers:
- name: patch
- {{- with .Values.controller.admissionWebhooks.patch.image }}
- image: "{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
- image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
- {{- end }}
+ image: "{{ template "system_default_registry" . }}{{.Values.controller.admissionWebhooks.patch.image.repository}}:{{ .Values.controller.admissionWebhooks.patch.image.tag }}{{- if (.Values.controller.admissionWebhooks.patch.image.digest) -}} @{{.Values.controller.admissionWebhooks.patch.image.digest}} {{- end -}}"
+ image: "{{ template "system_default_registry" . }}{{ template "repository_or_registry_and_image" .Values.controller.admissionWebhooks.patch.image }}"
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
args:
- patch


@ -1,15 +1,13 @@
--- charts-original/templates/controller-daemonset.yaml
+++ charts/templates/controller-daemonset.yaml
@@ -62,10 +62,8 @@
{{- end }}
@@ -64,9 +64,7 @@
{{- end }}
containers:
- - name: controller
- name: {{ .Values.controller.containerName }}
- {{- with .Values.controller.image }}
- image: "{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
- image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
- {{- end }}
+ - name: rke2-ingress-nginx-controller
+ image: "{{ template "system_default_registry" . }}{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}{{- if (.Values.controller.image.digest) -}} @{{.Values.controller.image.digest}} {{- end -}}"
+ image: "{{ template "system_default_registry" . }}{{ template "repository_or_registry_and_image" .Values.controller.image }}"
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
{{- if .Values.controller.lifecycle }}
lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
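Review bot: The container name on the `+ - name: rke2-ingress-nginx-controller` line is hard-coded, while values.yaml in this same commit sets `controller.containerName: rke2-ingress-nginx-controller` and the upstream template it replaces reads that key, so a user override of `controller.containerName` silently has no effect and the two can drift apart. Rendering it from values keeps a single source of truth: `- name: {{ .Values.controller.containerName }}`. The same hard-coding appears in controller-deployment.yaml. The container spec continues outside this hunk.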


@ -1,15 +1,13 @@
--- charts-original/templates/controller-deployment.yaml
+++ charts/templates/controller-deployment.yaml
@@ -66,10 +66,8 @@
{{- end }}
@@ -68,9 +68,7 @@
{{- end }}
containers:
- - name: controller
- name: {{ .Values.controller.containerName }}
- {{- with .Values.controller.image }}
- image: "{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
- image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
- {{- end }}
+ - name: rke2-ingress-nginx-controller
+ image: "{{ template "system_default_registry" . }}{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}{{- if (.Values.controller.image.digest) -}} @{{.Values.controller.image.digest}} {{- end -}}"
+ image: "{{ template "system_default_registry" . }}{{ template "repository_or_registry_and_image" .Values.controller.image }}"
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
{{- if .Values.controller.lifecycle }}
lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}


@ -1,13 +1,13 @@
--- charts-original/templates/default-backend-deployment.yaml
+++ charts/templates/default-backend-deployment.yaml
@@ -38,9 +38,7 @@
@@ -39,9 +39,7 @@
{{- end }}
containers:
- name: {{ template "ingress-nginx.name" . }}-default-backend
- {{- with .Values.defaultBackend.image }}
- image: "{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
- image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
- {{- end }}
+ image: "{{ template "system_default_registry" . }}{{.Values.defaultBackend.image.repository}}:{{ .Values.defaultBackend.image.tag }}{{- if (.Values.defaultBackend.image.digest) -}} @{{.Values.defaultBackend.image.digest}} {{- end -}}"
+ image: "{{ template "system_default_registry" . }}{{ template "repository_or_registry_and_image" .Values.defaultBackend.image }}"
imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }}
{{- if .Values.defaultBackend.extraArgs }}
args:


@ -1,18 +1,31 @@
--- charts-original/values.yaml
+++ charts/values.yaml
@@ -10,9 +10,8 @@
@@ -10,13 +10,11 @@
controller:
name: controller
image:
- repository: k8s.gcr.io/ingress-nginx/controller
- tag: "v0.46.0"
- digest: sha256:52f0058bed0a17ab0fb35628ba97e8d52b5d32299fbc03cc0f6c7b9ff036b61a
- registry: k8s.gcr.io
- image: ingress-nginx/controller
+ repository: rancher/nginx-ingress-controller
+ tag: "nginx-0.46.0-rancher1"
# for backwards compatibility consider setting the full image url via the repository value below
# use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
# repository:
- tag: "v0.47.0"
- digest: sha256:a1e4efc107be0bb78f32eaec37bef17d7a0c81bec8066cdf2572508d21351d0b
+ tag: "nginx-0.47.0-hardened1"
pullPolicy: IfNotPresent
# www-data -> uid 101
runAsUser: 101
@@ -45,7 +44,7 @@
@@ -26,7 +24,7 @@
existingPsp: ""
# Configures the controller container name
- containerName: controller
+ containerName: rke2-ingress-nginx-controller
# Configures the ports the nginx-controller listens on
containerPort:
@@ -52,7 +50,7 @@
# Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'.
# By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller
# to keep resolving names inside the k8s network, use ClusterFirstWithHostNet.
@ -21,7 +34,7 @@
# Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network
# Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply
@@ -54,13 +53,13 @@
@@ -61,13 +59,13 @@
# Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
# since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
# is merged
@ -37,7 +50,7 @@
ports:
http: 80
https: 443
@@ -144,7 +143,7 @@
@@ -162,7 +160,7 @@
## DaemonSet or Deployment
##
@ -46,27 +59,32 @@
## Annotations to be added to the controller Deployment or DaemonSet
##
@@ -491,7 +490,7 @@
@@ -529,8 +527,7 @@
patch:
enabled: true
image:
- repository: docker.io/jettech/kube-webhook-certgen
- registry: docker.io
- image: jettech/kube-webhook-certgen
+ repository: rancher/mirrored-jettech-kube-webhook-certgen
tag: v1.5.1
pullPolicy: IfNotPresent
## Provide a priority class name to the webhook patching job
@@ -608,8 +607,8 @@
# for backwards compatibility consider setting the full image url via the repository value below
# use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
# repository:
@@ -650,12 +647,11 @@
name: defaultbackend
image:
- repository: k8s.gcr.io/defaultbackend-amd64
- tag: "1.5"
- registry: k8s.gcr.io
- image: defaultbackend-amd64
+ repository: rancher/nginx-ingress-controller-defaultbackend
# for backwards compatibility consider setting the full image url via the repository value below
# use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
# repository:
- tag: "1.5"
+ tag: "1.5-rancher1"
pullPolicy: IfNotPresent
# nobody user -> uid 65534
runAsUser: 65534
@@ -759,3 +758,6 @@
@@ -806,3 +802,6 @@
# This can be generated with: openssl dhparam 4096 2> /dev/null | base64
# Ref: https://github.com/krmichel/ingress-nginx/blob/master/docs/examples/customization/ssl-dh-param
dhParam:
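Review bot: Replacing `tag: "v0.47.0"` plus `digest: sha256:a1e4efc107…` with `tag: "nginx-0.47.0-hardened1"` alone drops the immutable digest pin that upstream carried for the controller image, so the chart now resolves the hardened mirror by a mutable tag that a registry-side retag could change without the chart noticing. The templates already render `@<digest>` whenever the key is present, so restoring it is a one-line change, `digest: "<sha256 of rancher/nginx-ingress-controller:nginx-0.47.0-hardened1>"` (placeholder), and the same applies to the `rancher/mirrored-jettech-kube-webhook-certgen` and `rancher/nginx-ingress-controller-defaultbackend` entries, which never had one. If pinning is intentionally deferred for mirrored images, a comment above the controller `image:` block saying so would stop the next reviewer from re-raising it. The values file continues outside these hunks.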


@ -1,4 +1,4 @@
url: https://github.com/kubernetes/ingress-nginx/releases/download/helm-chart-3.30.0/ingress-nginx-3.30.0.tgz
packageVersion: 03
url: https://github.com/kubernetes/ingress-nginx/releases/download/helm-chart-3.34.0/ingress-nginx-3.34.0.tgz
packageVersion: 01
# This repository does not use releaseCandidateVersions, so you can leave this as 00.
releaseCandidateVersion: 00