From 50802110c4fb8fd438b814b27948a5aabd8ce2bf Mon Sep 17 00:00:00 2001
From: Hussein Galal
Date: Tue, 26 Apr 2022 04:34:15 +0200
Subject: [PATCH] Upgrade Nginx chart to 4.1.0 (#245)
* Upgrade Nginx chart to 4.1.0
* Fixing specifying chrooted image
* update controller image to hardened6
---
 .../overlay/templates/_helpers.tpl.orig | 185 ++++++++++++++++++
 .../job-patch/job-createSecret.yaml.orig | 76 +++++++
 .../job-patch/job-patchWebhook.yaml.orig | 78 ++++++++
 .../default-backend-deployment.yaml.orig | 118 +++++++++++
 .../generated-changes/patch/Chart.yaml.patch | 8 +-
 .../patch/templates/_helpers.tpl.patch | 19 +-
 .../job-patch/job-createSecret.yaml.patch | 2 +-
 .../job-patch/job-patchWebhook.yaml.patch | 2 +-
 .../templates/controller-daemonset.yaml.patch | 4 +-
 .../controller-deployment.yaml.patch | 4 +-
 .../default-backend-deployment.yaml.patch | 2 +-
 .../generated-changes/patch/values.yaml.patch | 100 +++++-----
 packages/rke2-ingress-nginx/package.yaml | 4 +-
 13 files changed, 538 insertions(+), 64 deletions(-)
 create mode 100644 packages/rke2-ingress-nginx/generated-changes/overlay/templates/_helpers.tpl.orig
 create mode 100644 packages/rke2-ingress-nginx/generated-changes/overlay/templates/admission-webhooks/job-patch/job-createSecret.yaml.orig
 create mode 100644 packages/rke2-ingress-nginx/generated-changes/overlay/templates/admission-webhooks/job-patch/job-patchWebhook.yaml.orig
 create mode 100644 packages/rke2-ingress-nginx/generated-changes/overlay/templates/default-backend-deployment.yaml.orig
diff --git a/packages/rke2-ingress-nginx/generated-changes/overlay/templates/_helpers.tpl.orig b/packages/rke2-ingress-nginx/generated-changes/overlay/templates/_helpers.tpl.orig
new file mode 100644
index 0000000..e69de0c
--- /dev/null
+++ b/packages/rke2-ingress-nginx/generated-changes/overlay/templates/_helpers.tpl.orig
@@ -0,0 +1,185 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ingress-nginx.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ingress-nginx.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "ingress-nginx.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Container SecurityContext. 
+*/}}
+{{- define "controller.containerSecurityContext" -}}
+{{- if .Values.controller.containerSecurityContext -}}
+{{- toYaml .Values.controller.containerSecurityContext -}}
+{{- else -}}
+capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ {{- if .Values.controller.image.chroot }}
+ - SYS_CHROOT
+ {{- end }}
+runAsUser: {{ .Values.controller.image.runAsUser }}
+allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Get specific image
+*/}}
+{{- define "ingress-nginx.image" -}}
+{{- if .chroot -}}
+{{- printf "%s-chroot" .image -}}
+{{- else -}}
+{{- printf "%s" .image -}}
+{{- end }}
+{{- end -}}
+
+{{/*
+Get specific image digest
+*/}}
+{{- define "ingress-nginx.imageDigest" -}}
+{{- if .chroot -}}
+{{- if .digestChroot -}}
+{{- printf "@%s" .digestChroot -}}
+{{- end }}
+{{- else -}}
+{{ if .digest -}}
+{{- printf "@%s" .digest -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified controller name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "ingress-nginx.controller.fullname" -}}
+{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Construct the path for the publish-service.
+
+By convention this will simply use the / to match the name of the
+service generated.
+
+Users can provide an override for an explicit service they want bound via `.Values.controller.publishService.pathOverride`
+
+*/}}
+{{- define "ingress-nginx.controller.publishServicePath" -}}
+{{- $defServiceName := printf "%s/%s" "$(POD_NAMESPACE)" (include "ingress-nginx.controller.fullname" .) -}}
+{{- $servicePath := default $defServiceName .Values.controller.publishService.pathOverride }}
+{{- print $servicePath | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified default backend name. 
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "ingress-nginx.defaultBackend.fullname" -}}
+{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "ingress-nginx.labels" -}}
+helm.sh/chart: {{ include "ingress-nginx.chart" . }}
+{{ include "ingress-nginx.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/part-of: {{ template "ingress-nginx.name" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Values.commonLabels}}
+{{ toYaml .Values.commonLabels }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ingress-nginx.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ingress-nginx.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the controller service account to use
+*/}}
+{{- define "ingress-nginx.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "ingress-nginx.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
+*/}}
+{{- define "ingress-nginx.defaultBackend.serviceAccountName" -}}
+{{- if .Values.defaultBackend.serviceAccount.create -}}
+ {{ default (printf "%s-backend" (include "ingress-nginx.fullname" .)) .Values.defaultBackend.serviceAccount.name }}
+{{- else -}}
+ {{ default "default-backend" .Values.defaultBackend.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiGroup for PodSecurityPolicy. 
+*/}}
+{{- define "podSecurityPolicy.apiGroup" -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+{{- print "policy" -}}
+{{- else -}}
+{{- print "extensions" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Check the ingress controller version tag is at most three versions behind the last release
+*/}}
+{{- define "isControllerTagValid" -}}
+{{- if not (semverCompare ">=0.27.0-0" .Values.controller.image.tag) -}}
+{{- fail "Controller container image tag should be 0.27.0 or higher" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+IngressClass parameters.
+*/}}
+{{- define "ingressClass.parameters" -}}
+ {{- if .Values.controller.ingressClassResource.parameters -}}
+ parameters:
+{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4}}
+ {{ end }}
+{{- end -}}
diff --git a/packages/rke2-ingress-nginx/generated-changes/overlay/templates/admission-webhooks/job-patch/job-createSecret.yaml.orig b/packages/rke2-ingress-nginx/generated-changes/overlay/templates/admission-webhooks/job-patch/job-createSecret.yaml.orig
new file mode 100644
index 0000000..f20e247
--- /dev/null
+++ b/packages/rke2-ingress-nginx/generated-changes/overlay/templates/admission-webhooks/job-patch/job-createSecret.yaml.orig
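Review bot: This file, and the three other `*.orig` files this commit creates (`job-createSecret.yaml.orig`, `job-patchWebhook.yaml.orig` and `default-backend-deployment.yaml.orig` in the hunks below), look like `patch` backup copies that were committed by accident rather than intended overlay content. If the overlay directory is copied into the packaged chart as its path suggests, Helm renders every file under `templates/` whose name does not start with `_`, so the two job `.orig` files would emit a second `Job` with the same name as the real one and the default-backend `.orig` a second `Deployment`, while `_helpers.tpl.orig` would merely ship as dead weight. Remove the four files from the commit and add `*.orig` to the repository's `.gitignore` so they cannot come back.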
@@ -0,0 +1,76 @@
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission-create
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ {{- with .Values.controller.admissionWebhooks.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.patch.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
+ # Alpha feature since k8s 1.12
+ ttlSecondsAfterFinished: 0
+{{- end }}
+ template:
+ metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission-create
+ {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
+ annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 8 }}
+ app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.patch.labels }}
+ {{- toYaml . 
| nindent 8 }}
+ {{- end }}
+ spec:
+ {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
+ priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
+ {{- end }}
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: create
+ {{- with .Values.controller.admissionWebhooks.patch.image }}
+ image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+ {{- end }}
+ imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
+ args:
+ - create
+ - --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.$(POD_NAMESPACE).svc
+ - --namespace=$(POD_NAMESPACE)
+ - --secret-name={{ include "ingress-nginx.fullname" . }}-admission
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ securityContext:
+ allowPrivilegeEscalation: false
+ {{- if .Values.controller.admissionWebhooks.createSecretJob.resources }}
+ resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
+ {{- end }}
+ restartPolicy: OnFailure
+ serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
+ {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
+ nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
+ {{- end }}
+ {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
+ tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
+ {{- end }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
+ fsGroup: {{ .Values.controller.admissionWebhooks.patch.fsGroup }}
+{{- end }}
diff --git a/packages/rke2-ingress-nginx/generated-changes/overlay/templates/admission-webhooks/job-patch/job-patchWebhook.yaml.orig b/packages/rke2-ingress-nginx/generated-changes/overlay/templates/admission-webhooks/job-patch/job-patchWebhook.yaml.orig
new file mode 100644
index 0000000..8583685
--- /dev/null
+++ b/packages/rke2-ingress-nginx/generated-changes/overlay/templates/admission-webhooks/job-patch/job-patchWebhook.yaml.orig
@@ -0,0 +1,78 @@
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission-patch
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ {{- with .Values.controller.admissionWebhooks.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.patch.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
+ # Alpha feature since k8s 1.12
+ ttlSecondsAfterFinished: 0
+{{- end }}
+ template:
+ metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission-patch
+ {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
+ annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 8 }}
+ app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.patch.labels }}
+ {{- toYaml . 
| nindent 8 }}
+ {{- end }}
+ spec:
+ {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
+ priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
+ {{- end }}
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: patch
+ {{- with .Values.controller.admissionWebhooks.patch.image }}
+ image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+ {{- end }}
+ imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
+ args:
+ - patch
+ - --webhook-name={{ include "ingress-nginx.fullname" . }}-admission
+ - --namespace=$(POD_NAMESPACE)
+ - --patch-mutating=false
+ - --secret-name={{ include "ingress-nginx.fullname" . }}-admission
+ - --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }}
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ securityContext:
+ allowPrivilegeEscalation: false
+ {{- if .Values.controller.admissionWebhooks.patchWebhookJob.resources }}
+ resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
+ {{- end }}
+ restartPolicy: OnFailure
+ serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
+ {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
+ nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
+ {{- end }}
+ {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
+ tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
+ {{- end }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
+ fsGroup: {{ .Values.controller.admissionWebhooks.patch.fsGroup }}
+{{- end }}
diff --git a/packages/rke2-ingress-nginx/generated-changes/overlay/templates/default-backend-deployment.yaml.orig b/packages/rke2-ingress-nginx/generated-changes/overlay/templates/default-backend-deployment.yaml.orig
new file mode 100644
index 0000000..fd3e96e
--- /dev/null
+++ b/packages/rke2-ingress-nginx/generated-changes/overlay/templates/default-backend-deployment.yaml.orig
@@ -0,0 +1,118 @@
+{{- if .Values.defaultBackend.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: default-backend
+ {{- with .Values.defaultBackend.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
+ app.kubernetes.io/component: default-backend
+{{- if not .Values.defaultBackend.autoscaling.enabled }}
+ replicas: {{ .Values.defaultBackend.replicaCount }}
+{{- end }}
+ revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+ template:
+ metadata:
+ {{- if .Values.defaultBackend.podAnnotations }}
+ annotations: {{ toYaml .Values.defaultBackend.podAnnotations | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
+ app.kubernetes.io/component: default-backend
+ {{- with .Values.defaultBackend.labels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.defaultBackend.podLabels }}
+ {{- toYaml .Values.defaultBackend.podLabels | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
+ {{- end }}
+ {{- if .Values.defaultBackend.priorityClassName }}
+ priorityClassName: {{ .Values.defaultBackend.priorityClassName }}
+ {{- end }}
+ {{- if .Values.defaultBackend.podSecurityContext }}
+ securityContext: {{ toYaml .Values.defaultBackend.podSecurityContext | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ template "ingress-nginx.name" . 
}}-default-backend
+ {{- with .Values.defaultBackend.image }}
+ image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+ {{- end }}
+ imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }}
+ {{- if .Values.defaultBackend.extraArgs }}
+ args:
+ {{- range $key, $value := .Values.defaultBackend.extraArgs }}
+ {{- /* Accept keys without values or with false as value */}}
+ {{- if eq ($value | quote | len) 2 }}
+ - --{{ $key }}
+ {{- else }}
+ - --{{ $key }}={{ $value }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
+ runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
+ allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
+ readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
+ {{- if .Values.defaultBackend.extraEnvs }}
+ env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }}
+ {{- end }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: {{ .Values.defaultBackend.port }}
+ scheme: HTTP
+ initialDelaySeconds: {{ .Values.defaultBackend.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.defaultBackend.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.defaultBackend.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.defaultBackend.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.defaultBackend.livenessProbe.failureThreshold }}
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: {{ .Values.defaultBackend.port }}
+ scheme: HTTP
+ initialDelaySeconds: {{ .Values.defaultBackend.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.defaultBackend.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.defaultBackend.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ 
.Values.defaultBackend.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.defaultBackend.readinessProbe.failureThreshold }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.defaultBackend.port }}
+ protocol: TCP
+ {{- if .Values.defaultBackend.extraVolumeMounts }}
+ volumeMounts: {{- toYaml .Values.defaultBackend.extraVolumeMounts | nindent 12 }}
+ {{- end }}
+ {{- if .Values.defaultBackend.resources }}
+ resources: {{ toYaml .Values.defaultBackend.resources | nindent 12 }}
+ {{- end }}
+ {{- if .Values.defaultBackend.nodeSelector }}
+ nodeSelector: {{ toYaml .Values.defaultBackend.nodeSelector | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
+ {{- if .Values.defaultBackend.tolerations }}
+ tolerations: {{ toYaml .Values.defaultBackend.tolerations | nindent 8 }}
+ {{- end }}
+ {{- if .Values.defaultBackend.affinity }}
+ affinity: {{ toYaml .Values.defaultBackend.affinity | nindent 8 }}
+ {{- end }}
+ terminationGracePeriodSeconds: 60
+ {{- if .Values.defaultBackend.extraVolumes }}
+ volumes: {{ toYaml .Values.defaultBackend.extraVolumes | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/packages/rke2-ingress-nginx/generated-changes/patch/Chart.yaml.patch b/packages/rke2-ingress-nginx/generated-changes/patch/Chart.yaml.patch
index 5c0290f..0622ed7 100644
--- a/packages/rke2-ingress-nginx/generated-changes/patch/Chart.yaml.patch
+++ b/packages/rke2-ingress-nginx/generated-changes/patch/Chart.yaml.patch
@@ -1,9 +1,9 @@
 --- charts-original/Chart.yaml
 +++ charts/Chart.yaml
-@@ -15,7 +15,7 @@
- kubeVersion: '>=1.19.0-0'
- maintainers:
- - name: ChiefAlexander
+@@ -28,7 +28,7 @@
+ - name: rikatz
+ - name: strongjz
+ - name: tao12345666333
 -name: ingress-nginx
 +name: rke2-ingress-nginx
 sources:
diff --git a/packages/rke2-ingress-nginx/generated-changes/patch/templates/_helpers.tpl.patch b/packages/rke2-ingress-nginx/generated-changes/patch/templates/_helpers.tpl.patch
index a0a6fdb..96e50de 100644
--- a/packages/rke2-ingress-nginx/generated-changes/patch/templates/_helpers.tpl.patch
+++ b/packages/rke2-ingress-nginx/generated-changes/patch/templates/_helpers.tpl.patch
@@ -1,6 +1,21 @@
 --- charts-original/templates/_helpers.tpl
 +++ charts/templates/_helpers.tpl
-@@ -118,7 +118,7 @@
+@@ -54,11 +54,11 @@
+ {{/*
+ Get specific image
+ */}}
+-{{- define "ingress-nginx.image" -}}
++{{- define "ingress-nginx.repository" -}}
+ {{- if .chroot -}}
+-{{- printf "%s-chroot" .image -}}
++{{- printf "%s-chroot" .repository -}}
+ {{- else -}}
+-{{- printf "%s" .image -}}
++{{- printf "%s" .repository -}}
+ {{- end }}
+ {{- end -}}
+ 
+@@ -169,7 +169,7 @@
 Check the ingress controller version tag is at most three versions behind the last release
 */}}
 {{- define "isControllerTagValid" -}}
@@ -9,7 +24,7 @@
 {{- fail "Controller container image tag should be 0.27.0 or higher" -}}
 {{- end -}}
 {{- end -}}
-@@ -132,3 +132,15 @@
+@@ -183,3 +183,15 @@
 {{ toYaml .Values.controller.ingressClassResource.parameters | indent 4}}
 {{ end }}
 {{- end -}}
diff --git a/packages/rke2-ingress-nginx/generated-changes/patch/templates/admission-webhooks/job-patch/job-createSecret.yaml.patch b/packages/rke2-ingress-nginx/generated-changes/patch/templates/admission-webhooks/job-patch/job-createSecret.yaml.patch
index 81c5f7b..c3e8f03 100644
--- a/packages/rke2-ingress-nginx/generated-changes/patch/templates/admission-webhooks/job-patch/job-createSecret.yaml.patch
+++ b/packages/rke2-ingress-nginx/generated-changes/patch/templates/admission-webhooks/job-patch/job-createSecret.yaml.patch
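Review bot: `ingress-nginx.repository` is a renamed copy of upstream's `ingress-nginx.image` helper, but nothing visible in this commit calls it: the only upstream callers, the `image:` lines in controller-daemonset.yaml and controller-deployment.yaml, are replaced by the `repository_or_registry_and_image` line in the two patches below. Unless `repository_or_registry_and_image` (presumably among the twelve lines the `+@@ -183,3 +183,15 @@` hunk appends, which are not shown here) builds the name via `include "ingress-nginx.repository" .`, setting `controller.image.chroot: true` leaves the pulled image unchanged while `controller.containerSecurityContext` still adds `SYS_CHROOT`, granting the non-chroot image a capability it does not need. Either wire the helper into `repository_or_registry_and_image` or drop the rename and the now-dead definition. The rename also turns any remaining upstream `include "ingress-nginx.image"` call into a missing-template error at render time, so grep the 4.1.0 templates for it before merging.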
@@ -1,6 +1,6 @@
 --- charts-original/templates/admission-webhooks/job-patch/job-createSecret.yaml
 +++ charts/templates/admission-webhooks/job-patch/job-createSecret.yaml
-@@ -33,9 +33,7 @@
+@@ -42,9 +42,7 @@
 {{- end }}
 containers:
 - name: create
diff --git a/packages/rke2-ingress-nginx/generated-changes/patch/templates/admission-webhooks/job-patch/job-patchWebhook.yaml.patch b/packages/rke2-ingress-nginx/generated-changes/patch/templates/admission-webhooks/job-patch/job-patchWebhook.yaml.patch
index 1041463..4b82e12 100644
--- a/packages/rke2-ingress-nginx/generated-changes/patch/templates/admission-webhooks/job-patch/job-patchWebhook.yaml.patch
+++ b/packages/rke2-ingress-nginx/generated-changes/patch/templates/admission-webhooks/job-patch/job-patchWebhook.yaml.patch
@@ -1,6 +1,6 @@
 --- charts-original/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
 +++ charts/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
-@@ -33,9 +33,7 @@
+@@ -42,9 +42,7 @@
 {{- end }}
 containers:
 - name: patch
diff --git a/packages/rke2-ingress-nginx/generated-changes/patch/templates/controller-daemonset.yaml.patch b/packages/rke2-ingress-nginx/generated-changes/patch/templates/controller-daemonset.yaml.patch
index b6b5340..742be53 100644
--- a/packages/rke2-ingress-nginx/generated-changes/patch/templates/controller-daemonset.yaml.patch
+++ b/packages/rke2-ingress-nginx/generated-changes/patch/templates/controller-daemonset.yaml.patch
@@ -1,11 +1,11 @@
 --- charts-original/templates/controller-daemonset.yaml
 +++ charts/templates/controller-daemonset.yaml
-@@ -67,9 +67,7 @@
+@@ -73,9 +73,7 @@
 {{- end }}
 containers:
 - name: {{ .Values.controller.containerName }}
 - {{- with .Values.controller.image }}
-- image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+- image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}"
 - {{- end }}
 + image: "{{ template "system_default_registry" . }}{{ template "repository_or_registry_and_image" .Values.controller.image }}"
 imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
diff --git a/packages/rke2-ingress-nginx/generated-changes/patch/templates/controller-deployment.yaml.patch b/packages/rke2-ingress-nginx/generated-changes/patch/templates/controller-deployment.yaml.patch
index c58410b..c8d48ea 100644
--- a/packages/rke2-ingress-nginx/generated-changes/patch/templates/controller-deployment.yaml.patch
+++ b/packages/rke2-ingress-nginx/generated-changes/patch/templates/controller-deployment.yaml.patch
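Review bot: The rancher `image:` line that survives this hunk has no digest component, while the upstream line it removes now appends one through `include "ingress-nginx.imageDigest" .`, and the values.yaml.patch hunks below strip `digest` and `digestChroot` from values, so the controller is pulled by the mutable tag `nginx-1.2.0-hardened6` alone unless `repository_or_registry_and_image` (defined outside this hunk) adds a digest of its own. A retagged image in the registry would then be picked up silently on the next pull, which is exactly what upstream's digest pinning guards against. Keep an optional `digest` key under `controller.image` and append it when set, e.g. `{{- with .Values.controller.image.digest }}@{{ . }}{{- end }}` at the end of the `image:` value. The controller-deployment.yaml.patch hunk below has the same line, and the kube-webhook-certgen and default-backend images in values.yaml.patch lose their digests the same way.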
@@ -1,11 +1,11 @@
 --- charts-original/templates/controller-deployment.yaml
 +++ charts/templates/controller-deployment.yaml
-@@ -71,9 +71,7 @@
+@@ -77,9 +77,7 @@
 {{- end }}
 containers:
 - name: {{ .Values.controller.containerName }}
 - {{- with .Values.controller.image }}
-- image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+- image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}"
 - {{- end }}
 + image: "{{ template "system_default_registry" . }}{{ template "repository_or_registry_and_image" .Values.controller.image }}"
 imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
diff --git a/packages/rke2-ingress-nginx/generated-changes/patch/templates/default-backend-deployment.yaml.patch b/packages/rke2-ingress-nginx/generated-changes/patch/templates/default-backend-deployment.yaml.patch
index fbf022b..c5713a9 100644
--- a/packages/rke2-ingress-nginx/generated-changes/patch/templates/default-backend-deployment.yaml.patch
+++ b/packages/rke2-ingress-nginx/generated-changes/patch/templates/default-backend-deployment.yaml.patch
@@ -1,6 +1,6 @@
 --- charts-original/templates/default-backend-deployment.yaml
 +++ charts/templates/default-backend-deployment.yaml
-@@ -39,9 +39,7 @@
+@@ -45,9 +45,7 @@
 {{- end }}
 containers:
 - name: {{ template "ingress-nginx.name" . }}-default-backend
diff --git a/packages/rke2-ingress-nginx/generated-changes/patch/values.yaml.patch b/packages/rke2-ingress-nginx/generated-changes/patch/values.yaml.patch
index 55fe358..59aee67 100644
--- a/packages/rke2-ingress-nginx/generated-changes/patch/values.yaml.patch
+++ b/packages/rke2-ingress-nginx/generated-changes/patch/values.yaml.patch
@@ -1,56 +1,57 @@ --- charts-original/values.yaml +++ charts/values.yaml -@@ -10,13 +10,11 @@ - controller: - name: controller +@@ -18,14 +18,11 @@ image: + ## Keep false as default for now! + chroot: false - registry: k8s.gcr.io - image: ingress-nginx/controller + repository: rancher/nginx-ingress-controller - # for backwards compatibility consider setting the full image url via the repository value below - # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail - # repository: -- tag: "v1.0.2" -- digest: sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049 -+ tag: "nginx-1.0.2-hardened4" + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: +- tag: "v1.2.0" +- digest: sha256:d8196e3bc1e72547c5dec66d6556c0ff92a23f6d0919b206be170bc90d5f9185 +- digestChroot: sha256:fb17f1700b77d4fcc52ca6f83ffc2821861ae887dbb87149cf5cbc52bea425e5 ++ tag: "nginx-1.2.0-hardened6" pullPolicy: IfNotPresent # www-data -> uid 101 runAsUser: 101 -@@ -26,7 +24,7 @@ +@@ -35,7 +32,7 @@ existingPsp: "" - # Configures the controller container name + # -- Configures the controller container name - containerName: controller + containerName: rke2-ingress-nginx-controller - # Configures the ports the nginx-controller listens on + # -- Configures the ports that the nginx-controller listens on containerPort: -@@ -55,7 +53,7 @@ - # Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. +@@ -63,7 +60,7 @@ + # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. 
- dnsPolicy: ClusterFirst + dnsPolicy: ClusterFirstWithHostNet - # Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network + # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply -@@ -64,7 +62,7 @@ - # Process Ingress objects without ingressClass annotation/ingressClassName field +@@ -72,7 +69,7 @@ + # -- Process Ingress objects without ingressClass annotation/ingressClassName field # Overrides value for --watch-ingress-without-class flag of the controller binary # Defaults to false - watchIngressWithoutClass: false + watchIngressWithoutClass: true - # Process IngressClass per name (additionally as per spec.controller) + # -- Process IngressClass per name (additionally as per spec.controller). ingressClassByName: false -@@ -73,18 +71,18 @@ +@@ -81,18 +78,18 @@ # their own *-snippet annotations, otherwise this is forbidden / dropped # when users add those annotations. # Global snippets in ConfigMap are still respected - allowSnippetAnnotations: true + allowSnippetAnnotations: false - # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), + # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 # is merged - hostNetwork: false 
@@ -58,74 +59,75 @@ ## Use host ports 80 and 443 ## Disabled by default - ## hostPort: + # -- Enable 'hostPort' or not - enabled: false + enabled: true ports: + # -- 'hostPort' http port http: 80 - https: 443 -@@ -126,7 +124,7 @@ - ## by the service. If disable, the status field reports the IP address of the - ## node or nodes where an ingress controller pod is running. +@@ -141,7 +138,7 @@ + # node or nodes where an ingress controller pod is running. publishService: + # -- Enable 'publishService' or not - enabled: true + enabled: false - ## Allows overriding of the publish service to bind to - ## Must be / - ## -@@ -177,7 +175,7 @@ + # -- Allows overriding of the publish service to bind to + # Must be / + pathOverride: "" +@@ -191,7 +188,7 @@ + # name: secret-resource - ## DaemonSet or Deployment - ## + # -- Use a `DaemonSet` or `Deployment` - kind: Deployment + kind: DaemonSet - ## Annotations to be added to the controller Deployment or DaemonSet + # -- Annotations to be added to the controller Deployment or DaemonSet ## -@@ -427,7 +425,7 @@ +@@ -441,7 +438,7 @@ configMapKey: "" service: - enabled: true + enabled: false - annotations: {} - labels: {} -@@ -574,13 +572,11 @@ + # -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were + # using for setting a backend protocol. 
Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http +@@ -630,13 +627,11 @@ patch: enabled: true image: - registry: k8s.gcr.io - image: ingress-nginx/kube-webhook-certgen + repository: rancher/mirrored-ingress-nginx-kube-webhook-certgen - # for backwards compatibility consider setting the full image url via the repository value below - # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail - # repository: - tag: v1.0 -- digest: sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068 + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: + tag: v1.1.1 +- digest: sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 pullPolicy: IfNotPresent - ## Provide a priority class name to the webhook patching job + # -- Provide a priority class name to the webhook patching job ## -@@ -697,12 +693,11 @@ +@@ -757,12 +752,11 @@ name: defaultbackend image: - registry: k8s.gcr.io - image: defaultbackend-amd64 + repository: rancher/nginx-ingress-controller-defaultbackend - # for backwards compatibility consider setting the full image url via the repository value below - # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail - # repository: + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: - tag: "1.5" + tag: "1.5-rancher1" pullPolicy: IfNotPresent # nobody user -> uid 65534 runAsUser: 65534 -@@ -854,3 +849,6 @@ - # This can be generated with: openssl dhparam 4096 2> /dev/null | base64 - # 
Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param +@@ -924,3 +918,6 @@ + # This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` + ## Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param dhParam: + +global: + systemDefaultRegistry: "" +\ No newline at end of file
diff --git a/packages/rke2-ingress-nginx/package.yaml b/packages/rke2-ingress-nginx/package.yaml
index e4a4934..567cc2a 100644
--- a/packages/rke2-ingress-nginx/package.yaml
+++ b/packages/rke2-ingress-nginx/package.yaml
@@ -1,4 +1,4 @@
-url: https://github.com/kubernetes/ingress-nginx/releases/download/helm-chart-4.0.3/ingress-nginx-4.0.3.tgz
-packageVersion: 07
+url: https://github.com/kubernetes/ingress-nginx/releases/download/helm-chart-4.1.0/ingress-nginx-4.1.0.tgz
+packageVersion: 01
 # This repository does not use releaseCandidateVersions, so you can leave this as 00.
 releaseCandidateVersion: 00
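Review bot: The added side of the last inner hunk ends with `\ No newline at end of file` after `systemDefaultRegistry: ""`, so the patched values.yaml is now written without a terminating newline. That is only a style nit, but it turns every future append to the file into a two-line diff and trips yamllint's `new-line-at-end-of-file` check on the generated chart. End the file with a newline after `systemDefaultRegistry: ""` and regenerate the patch so the marker disappears.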