Upgrade Nginx chart to 4.1.0 (#245)

* Upgrade Nginx chart to 4.1.0

* Fixing specifying chrooted image

* update controller image to hardened6
pull/246/head
Hussein Galal 2022-04-26 04:34:15 +02:00 committed by GitHub
parent d589066199
commit 50802110c4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 538 additions and 64 deletions


@ -0,0 +1,185 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "ingress-nginx.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "ingress-nginx.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Container SecurityContext.
*/}}
{{- define "controller.containerSecurityContext" -}}
{{- if .Values.controller.containerSecurityContext -}}
{{- toYaml .Values.controller.containerSecurityContext -}}
{{- else -}}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
{{- if .Values.controller.image.chroot }}
- SYS_CHROOT
{{- end }}
runAsUser: {{ .Values.controller.image.runAsUser }}
allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
{{- end }}
{{- end -}}
{{/*
Get specific image
*/}}
{{- define "ingress-nginx.image" -}}
{{- if .chroot -}}
{{- printf "%s-chroot" .image -}}
{{- else -}}
{{- printf "%s" .image -}}
{{- end }}
{{- end -}}
{{/*
Get specific image digest
*/}}
{{- define "ingress-nginx.imageDigest" -}}
{{- if .chroot -}}
{{- if .digestChroot -}}
{{- printf "@%s" .digestChroot -}}
{{- end }}
{{- else -}}
{{ if .digest -}}
{{- printf "@%s" .digest -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified controller name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.controller.fullname" -}}
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Construct the path for the publish-service.
By convention this will simply use the <namespace>/<controller-name> to match the name of the
service generated.
Users can provide an override for an explicit service they want bound via `.Values.controller.publishService.pathOverride`
*/}}
{{- define "ingress-nginx.controller.publishServicePath" -}}
{{- $defServiceName := printf "%s/%s" "$(POD_NAMESPACE)" (include "ingress-nginx.controller.fullname" .) -}}
{{- $servicePath := default $defServiceName .Values.controller.publishService.pathOverride }}
{{- print $servicePath | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified default backend name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.defaultBackend.fullname" -}}
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "ingress-nginx.labels" -}}
helm.sh/chart: {{ include "ingress-nginx.chart" . }}
{{ include "ingress-nginx.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/part-of: {{ template "ingress-nginx.name" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.commonLabels}}
{{ toYaml .Values.commonLabels }}
{{- end }}
{{- end -}}
{{/*
Selector labels
*/}}
{{- define "ingress-nginx.selectorLabels" -}}
app.kubernetes.io/name: {{ include "ingress-nginx.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{/*
Create the name of the controller service account to use
*/}}
{{- define "ingress-nginx.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "ingress-nginx.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
*/}}
{{- define "ingress-nginx.defaultBackend.serviceAccountName" -}}
{{- if .Values.defaultBackend.serviceAccount.create -}}
{{ default (printf "%s-backend" (include "ingress-nginx.fullname" .)) .Values.defaultBackend.serviceAccount.name }}
{{- else -}}
{{ default "default-backend" .Values.defaultBackend.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiGroup for PodSecurityPolicy.
*/}}
{{- define "podSecurityPolicy.apiGroup" -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "policy" -}}
{{- else -}}
{{- print "extensions" -}}
{{- end -}}
{{- end -}}
{{/*
Check the ingress controller version tag is at most three versions behind the last release
*/}}
{{- define "isControllerTagValid" -}}
{{- if not (semverCompare ">=0.27.0-0" .Values.controller.image.tag) -}}
{{- fail "Controller container image tag should be 0.27.0 or higher" -}}
{{- end -}}
{{- end -}}
{{/*
IngressClass parameters.
*/}}
{{- define "ingressClass.parameters" -}}
{{- if .Values.controller.ingressClassResource.parameters -}}
parameters:
{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4}}
{{ end }}
{{- end -}}
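Review bot: The `controller.containerSecurityContext` helper replaces its defaults wholesale when `.Values.controller.containerSecurityContext` is set, so an override that sets only one field silently loses `capabilities.drop: ALL` and the `allowPrivilegeEscalation` line. The template comment should say so, for example `Container SecurityContext. A non-empty .Values.controller.containerSecurityContext replaces the defaults below entirely; it is not merged with them.` In the default branch, `runAsUser` and `allowPrivilegeEscalation` are rendered straight from `.Values.controller.image.*` with no fallback, so an unset value renders an empty field and the cluster default applies; it is worth confirming that values.yaml always sets both.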


@ -0,0 +1,76 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-create
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- with .Values.controller.admissionWebhooks.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
{{- with .Values.controller.admissionWebhooks.patch.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
# Alpha feature since k8s 1.12
ttlSecondsAfterFinished: 0
{{- end }}
template:
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-create
{{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
{{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 8 }}
app.kubernetes.io/component: admission-webhook
{{- with .Values.controller.admissionWebhooks.patch.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
{{- end }}
containers:
- name: create
{{- with .Values.controller.admissionWebhooks.patch.image }}
image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
{{- end }}
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
args:
- create
- --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name={{ include "ingress-nginx.fullname" . }}-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
{{- if .Values.controller.admissionWebhooks.createSecretJob.resources }}
resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
{{- end }}
restartPolicy: OnFailure
serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.patch.tolerations }}
tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
{{- end }}
securityContext:
runAsNonRoot: true
runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
fsGroup: {{ .Values.controller.admissionWebhooks.patch.fsGroup }}
{{- end }}
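Review bot: The `create` container's `securityContext` sets only `allowPrivilegeEscalation: false`, so the container keeps the runtime's default capability set and a writable root filesystem; the `patch` container in the `-admission-patch` Job has the identical block. Nothing in the args shown suggests the job needs any capability, so I would add `capabilities: {drop: [ALL]}` and, if the certgen image does not write to its root filesystem (not verifiable from this page), `readOnlyRootFilesystem: true`. The pod-level `runAsUser` and `fsGroup` are rendered from values with no fallback, which leaves `runAsNonRoot: true` as the only guard when they are empty.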


@ -0,0 +1,78 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-patch
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- with .Values.controller.admissionWebhooks.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
{{- with .Values.controller.admissionWebhooks.patch.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
# Alpha feature since k8s 1.12
ttlSecondsAfterFinished: 0
{{- end }}
template:
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-patch
{{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
{{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 8 }}
app.kubernetes.io/component: admission-webhook
{{- with .Values.controller.admissionWebhooks.patch.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
{{- end }}
containers:
- name: patch
{{- with .Values.controller.admissionWebhooks.patch.image }}
image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
{{- end }}
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
args:
- patch
- --webhook-name={{ include "ingress-nginx.fullname" . }}-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name={{ include "ingress-nginx.fullname" . }}-admission
- --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }}
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
securityContext:
allowPrivilegeEscalation: false
{{- if .Values.controller.admissionWebhooks.patchWebhookJob.resources }}
resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
{{- end }}
restartPolicy: OnFailure
serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.patch.tolerations }}
tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
{{- end }}
securityContext:
runAsNonRoot: true
runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
fsGroup: {{ .Values.controller.admissionWebhooks.patch.fsGroup }}
{{- end }}


@ -0,0 +1,118 @@
{{- if .Values.defaultBackend.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: default-backend
{{- with .Values.defaultBackend.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: default-backend
{{- if not .Values.defaultBackend.autoscaling.enabled }}
replicas: {{ .Values.defaultBackend.replicaCount }}
{{- end }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
template:
metadata:
{{- if .Values.defaultBackend.podAnnotations }}
annotations: {{ toYaml .Values.defaultBackend.podAnnotations | nindent 8 }}
{{- end }}
labels:
{{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: default-backend
{{- with .Values.defaultBackend.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.defaultBackend.podLabels }}
{{- toYaml .Values.defaultBackend.podLabels | nindent 8 }}
{{- end }}
spec:
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
{{- end }}
{{- if .Values.defaultBackend.priorityClassName }}
priorityClassName: {{ .Values.defaultBackend.priorityClassName }}
{{- end }}
{{- if .Values.defaultBackend.podSecurityContext }}
securityContext: {{ toYaml .Values.defaultBackend.podSecurityContext | nindent 8 }}
{{- end }}
containers:
- name: {{ template "ingress-nginx.name" . }}-default-backend
{{- with .Values.defaultBackend.image }}
image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
{{- end }}
imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }}
{{- if .Values.defaultBackend.extraArgs }}
args:
{{- range $key, $value := .Values.defaultBackend.extraArgs }}
{{- /* Accept keys without values or with false as value */}}
{{- if eq ($value | quote | len) 2 }}
- --{{ $key }}
{{- else }}
- --{{ $key }}={{ $value }}
{{- end }}
{{- end }}
{{- end }}
securityContext:
capabilities:
drop:
- ALL
runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
{{- if .Values.defaultBackend.extraEnvs }}
env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }}
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: {{ .Values.defaultBackend.port }}
scheme: HTTP
initialDelaySeconds: {{ .Values.defaultBackend.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.defaultBackend.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.defaultBackend.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.defaultBackend.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.defaultBackend.livenessProbe.failureThreshold }}
readinessProbe:
httpGet:
path: /healthz
port: {{ .Values.defaultBackend.port }}
scheme: HTTP
initialDelaySeconds: {{ .Values.defaultBackend.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.defaultBackend.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.defaultBackend.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.defaultBackend.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.defaultBackend.readinessProbe.failureThreshold }}
ports:
- name: http
containerPort: {{ .Values.defaultBackend.port }}
protocol: TCP
{{- if .Values.defaultBackend.extraVolumeMounts }}
volumeMounts: {{- toYaml .Values.defaultBackend.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- if .Values.defaultBackend.resources }}
resources: {{ toYaml .Values.defaultBackend.resources | nindent 12 }}
{{- end }}
{{- if .Values.defaultBackend.nodeSelector }}
nodeSelector: {{ toYaml .Values.defaultBackend.nodeSelector | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
{{- if .Values.defaultBackend.tolerations }}
tolerations: {{ toYaml .Values.defaultBackend.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.defaultBackend.affinity }}
affinity: {{ toYaml .Values.defaultBackend.affinity | nindent 8 }}
{{- end }}
terminationGracePeriodSeconds: 60
{{- if .Values.defaultBackend.extraVolumes }}
volumes: {{ toYaml .Values.defaultBackend.extraVolumes | nindent 8 }}
{{- end }}
{{- end }}
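Review bot: The default-backend container's `runAsNonRoot`, `allowPrivilegeEscalation` and `readOnlyRootFilesystem` are emitted directly from `.Values.defaultBackend.image.*`, so a values file that omits any of them renders an empty (null) field and the hardening is dropped without an error. For the field whose safe value is false, a fallback is enough: `allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation | default false }}`. The two whose safe value is true need an explicit check instead, because `default` treats an explicit `false` as empty. Separately, the comment in the `extraArgs` loop says keys "with false as value" are accepted as bare flags, but `eq ($value | quote | len) 2` matches only the empty string; the comment should read `Accept keys with an empty value as bare flags`.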


@ -1,9 +1,9 @@
--- charts-original/Chart.yaml --- charts-original/Chart.yaml
+++ charts/Chart.yaml +++ charts/Chart.yaml
@@ -15,7 +15,7 @@ @@ -28,7 +28,7 @@
kubeVersion: '>=1.19.0-0' - name: rikatz
maintainers: - name: strongjz
- name: ChiefAlexander - name: tao12345666333
-name: ingress-nginx -name: ingress-nginx
+name: rke2-ingress-nginx +name: rke2-ingress-nginx
sources: sources:


@ -1,6 +1,21 @@
--- charts-original/templates/_helpers.tpl --- charts-original/templates/_helpers.tpl
+++ charts/templates/_helpers.tpl +++ charts/templates/_helpers.tpl
@@ -118,7 +118,7 @@ @@ -54,11 +54,11 @@
{{/*
Get specific image
*/}}
-{{- define "ingress-nginx.image" -}}
+{{- define "ingress-nginx.repository" -}}
{{- if .chroot -}}
-{{- printf "%s-chroot" .image -}}
+{{- printf "%s-chroot" .repository -}}
{{- else -}}
-{{- printf "%s" .image -}}
+{{- printf "%s" .repository -}}
{{- end }}
{{- end -}}
@@ -169,7 +169,7 @@
Check the ingress controller version tag is at most three versions behind the last release Check the ingress controller version tag is at most three versions behind the last release
*/}} */}}
{{- define "isControllerTagValid" -}} {{- define "isControllerTagValid" -}}
@ -9,7 +24,7 @@
{{- fail "Controller container image tag should be 0.27.0 or higher" -}} {{- fail "Controller container image tag should be 0.27.0 or higher" -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
@@ -132,3 +132,15 @@ @@ -183,3 +183,15 @@
{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4}} {{ toYaml .Values.controller.ingressClassResource.parameters | indent 4}}
{{ end }} {{ end }}
{{- end -}} {{- end -}}
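Review bot: The renamed helper `ingress-nginx.repository` reads only `.repository`, so a values file that still uses the `registry`/`image` form would render an empty name, or a bare `-chroot` when `.chroot` is set. The values.yaml comments kept by this commit still describe that form as an alternative, and whether the caller guards against it cannot be seen here because the lines added by the last hunk are not shown. The doc comment above the helper still reads "Get specific image"; I would change it to `Get specific repository; appends "-chroot" when .chroot is set. Expects .repository to be non-empty.`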


@ -1,6 +1,6 @@
--- charts-original/templates/admission-webhooks/job-patch/job-createSecret.yaml --- charts-original/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ charts/templates/admission-webhooks/job-patch/job-createSecret.yaml +++ charts/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -33,9 +33,7 @@ @@ -42,9 +42,7 @@
{{- end }} {{- end }}
containers: containers:
- name: create - name: create


@ -1,6 +1,6 @@
--- charts-original/templates/admission-webhooks/job-patch/job-patchWebhook.yaml --- charts-original/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ charts/templates/admission-webhooks/job-patch/job-patchWebhook.yaml +++ charts/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -33,9 +33,7 @@ @@ -42,9 +42,7 @@
{{- end }} {{- end }}
containers: containers:
- name: patch - name: patch


@ -1,11 +1,11 @@
--- charts-original/templates/controller-daemonset.yaml --- charts-original/templates/controller-daemonset.yaml
+++ charts/templates/controller-daemonset.yaml +++ charts/templates/controller-daemonset.yaml
@@ -67,9 +67,7 @@ @@ -73,9 +73,7 @@
{{- end }} {{- end }}
containers: containers:
- name: {{ .Values.controller.containerName }} - name: {{ .Values.controller.containerName }}
- {{- with .Values.controller.image }} - {{- with .Values.controller.image }}
- image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}"
- {{- end }} - {{- end }}
+ image: "{{ template "system_default_registry" . }}{{ template "repository_or_registry_and_image" .Values.controller.image }}" + image: "{{ template "system_default_registry" . }}{{ template "repository_or_registry_and_image" .Values.controller.image }}"
imagePullPolicy: {{ .Values.controller.image.pullPolicy }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
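Review bot: The replacement `image:` line no longer appends `{{ include "ingress-nginx.imageDigest" . }}`, and the values.yaml patch in this commit removes `digest` and `digestChroot`, so the controller image appears to be resolved by tag alone; the same applies to controller-deployment.yaml. The definitions of `system_default_registry` and `repository_or_registry_and_image` are not visible on this page, so this is inferred from the call site. With `pullPolicy: IfNotPresent`, a re-pushed tag can leave nodes running different image content under the same name. If the mirrored images have stable digests, consider keeping an optional digest suffix, and add a comment on the `image:` line stating that pinning is by tag only.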


@ -1,11 +1,11 @@
--- charts-original/templates/controller-deployment.yaml --- charts-original/templates/controller-deployment.yaml
+++ charts/templates/controller-deployment.yaml +++ charts/templates/controller-deployment.yaml
@@ -71,9 +71,7 @@ @@ -77,9 +77,7 @@
{{- end }} {{- end }}
containers: containers:
- name: {{ .Values.controller.containerName }} - name: {{ .Values.controller.containerName }}
- {{- with .Values.controller.image }} - {{- with .Values.controller.image }}
- image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}"
- {{- end }} - {{- end }}
+ image: "{{ template "system_default_registry" . }}{{ template "repository_or_registry_and_image" .Values.controller.image }}" + image: "{{ template "system_default_registry" . }}{{ template "repository_or_registry_and_image" .Values.controller.image }}"
imagePullPolicy: {{ .Values.controller.image.pullPolicy }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }}


@ -1,6 +1,6 @@
--- charts-original/templates/default-backend-deployment.yaml --- charts-original/templates/default-backend-deployment.yaml
+++ charts/templates/default-backend-deployment.yaml +++ charts/templates/default-backend-deployment.yaml
@@ -39,9 +39,7 @@ @@ -45,9 +45,7 @@
{{- end }} {{- end }}
containers: containers:
- name: {{ template "ingress-nginx.name" . }}-default-backend - name: {{ template "ingress-nginx.name" . }}-default-backend


@ -1,56 +1,57 @@
--- charts-original/values.yaml --- charts-original/values.yaml
+++ charts/values.yaml +++ charts/values.yaml
@@ -10,13 +10,11 @@ @@ -18,14 +18,11 @@
controller:
name: controller
image: image:
## Keep false as default for now!
chroot: false
- registry: k8s.gcr.io - registry: k8s.gcr.io
- image: ingress-nginx/controller - image: ingress-nginx/controller
+ repository: rancher/nginx-ingress-controller + repository: rancher/nginx-ingress-controller
# for backwards compatibility consider setting the full image url via the repository value below ## for backwards compatibility consider setting the full image url via the repository value below
# use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
# repository: ## repository:
- tag: "v1.0.2" - tag: "v1.2.0"
- digest: sha256:85b53b493d6d658d8c013449223b0ffd739c76d76dc9bf9000786669ec04e049 - digest: sha256:d8196e3bc1e72547c5dec66d6556c0ff92a23f6d0919b206be170bc90d5f9185
+ tag: "nginx-1.0.2-hardened4" - digestChroot: sha256:fb17f1700b77d4fcc52ca6f83ffc2821861ae887dbb87149cf5cbc52bea425e5
+ tag: "nginx-1.2.0-hardened6"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# www-data -> uid 101 # www-data -> uid 101
runAsUser: 101 runAsUser: 101
@@ -26,7 +24,7 @@ @@ -35,7 +32,7 @@
existingPsp: "" existingPsp: ""
# Configures the controller container name # -- Configures the controller container name
- containerName: controller - containerName: controller
+ containerName: rke2-ingress-nginx-controller + containerName: rke2-ingress-nginx-controller
# Configures the ports the nginx-controller listens on # -- Configures the ports that the nginx-controller listens on
containerPort: containerPort:
@@ -55,7 +53,7 @@ @@ -63,7 +60,7 @@
# Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'.
# By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller
# to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet.
- dnsPolicy: ClusterFirst - dnsPolicy: ClusterFirst
+ dnsPolicy: ClusterFirstWithHostNet + dnsPolicy: ClusterFirstWithHostNet
# Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network
# Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply
@@ -64,7 +62,7 @@ @@ -72,7 +69,7 @@
# Process Ingress objects without ingressClass annotation/ingressClassName field # -- Process Ingress objects without ingressClass annotation/ingressClassName field
# Overrides value for --watch-ingress-without-class flag of the controller binary # Overrides value for --watch-ingress-without-class flag of the controller binary
# Defaults to false # Defaults to false
- watchIngressWithoutClass: false - watchIngressWithoutClass: false
+ watchIngressWithoutClass: true + watchIngressWithoutClass: true
# Process IngressClass per name (additionally as per spec.controller) # -- Process IngressClass per name (additionally as per spec.controller).
ingressClassByName: false ingressClassByName: false
@@ -73,18 +71,18 @@ @@ -81,18 +78,18 @@
# their own *-snippet annotations, otherwise this is forbidden / dropped # their own *-snippet annotations, otherwise this is forbidden / dropped
# when users add those annotations. # when users add those annotations.
# Global snippets in ConfigMap are still respected # Global snippets in ConfigMap are still respected
- allowSnippetAnnotations: true - allowSnippetAnnotations: true
+ allowSnippetAnnotations: false + allowSnippetAnnotations: false
# Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
# since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
# is merged # is merged
- hostNetwork: false - hostNetwork: false
@ -58,74 +59,75 @@
## Use host ports 80 and 443 ## Use host ports 80 and 443
## Disabled by default ## Disabled by default
##
hostPort: hostPort:
# -- Enable 'hostPort' or not
- enabled: false - enabled: false
+ enabled: true + enabled: true
ports: ports:
# -- 'hostPort' http port
http: 80 http: 80
https: 443 @@ -141,7 +138,7 @@
@@ -126,7 +124,7 @@ # node or nodes where an ingress controller pod is running.
## by the service. If disable, the status field reports the IP address of the
## node or nodes where an ingress controller pod is running.
publishService: publishService:
# -- Enable 'publishService' or not
- enabled: true - enabled: true
+ enabled: false + enabled: false
## Allows overriding of the publish service to bind to # -- Allows overriding of the publish service to bind to
## Must be <namespace>/<service_name> # Must be <namespace>/<service_name>
## pathOverride: ""
@@ -177,7 +175,7 @@ @@ -191,7 +188,7 @@
# name: secret-resource
## DaemonSet or Deployment # -- Use a `DaemonSet` or `Deployment`
##
- kind: Deployment - kind: Deployment
+ kind: DaemonSet + kind: DaemonSet
## Annotations to be added to the controller Deployment or DaemonSet # -- Annotations to be added to the controller Deployment or DaemonSet
## ##
@@ -427,7 +425,7 @@ @@ -441,7 +438,7 @@
configMapKey: "" configMapKey: ""
service: service:
- enabled: true - enabled: true
+ enabled: false + enabled: false
annotations: {} # -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were
labels: {} # using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
@@ -574,13 +572,11 @@ @@ -630,13 +627,11 @@
patch: patch:
enabled: true enabled: true
image: image:
- registry: k8s.gcr.io - registry: k8s.gcr.io
- image: ingress-nginx/kube-webhook-certgen - image: ingress-nginx/kube-webhook-certgen
+ repository: rancher/mirrored-ingress-nginx-kube-webhook-certgen + repository: rancher/mirrored-ingress-nginx-kube-webhook-certgen
# for backwards compatibility consider setting the full image url via the repository value below ## for backwards compatibility consider setting the full image url via the repository value below
# use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
# repository: ## repository:
tag: v1.0 tag: v1.1.1
- digest: sha256:f3b6b39a6062328c095337b4cadcefd1612348fdd5190b1dcbcb9b9e90bd8068 - digest: sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
## Provide a priority class name to the webhook patching job # -- Provide a priority class name to the webhook patching job
## ##
@@ -697,12 +693,11 @@ @@ -757,12 +752,11 @@
name: defaultbackend name: defaultbackend
image: image:
- registry: k8s.gcr.io - registry: k8s.gcr.io
- image: defaultbackend-amd64 - image: defaultbackend-amd64
+ repository: rancher/nginx-ingress-controller-defaultbackend + repository: rancher/nginx-ingress-controller-defaultbackend
# for backwards compatibility consider setting the full image url via the repository value below ## for backwards compatibility consider setting the full image url via the repository value below
# use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
# repository: ## repository:
- tag: "1.5" - tag: "1.5"
+ tag: "1.5-rancher1" + tag: "1.5-rancher1"
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# nobody user -> uid 65534 # nobody user -> uid 65534
runAsUser: 65534 runAsUser: 65534
@@ -854,3 +849,6 @@ @@ -924,3 +918,6 @@
# This can be generated with: openssl dhparam 4096 2> /dev/null | base64 # This can be generated with: `openssl dhparam 4096 2> /dev/null | base64`
# Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param ## Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param
dhParam: dhParam:
+ +
+global: +global:
+ systemDefaultRegistry: "" + systemDefaultRegistry: ""
\ No newline at end of file
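Review bot: Several inherited comments now contradict the patched defaults: "Defaults to false" sits above `watchIngressWithoutClass: true`, and "Disabled by default" sits above `hostPort.enabled: true`. Both settings widen exposure, since the controller will serve every Ingress that has no class and, with `kind: DaemonSet`, will bind ports 80 and 443 on each node it runs on, so an operator reading the comments would underestimate what is enabled. I would patch the comments too, for example `# Upstream default is false; this chart sets true so classless Ingress objects are served` and `## Enabled by default in this chart: binds host ports 80 and 443 on every controller node`. The added `global:` block also ends without a trailing newline.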


@ -1,4 +1,4 @@
url: https://github.com/kubernetes/ingress-nginx/releases/download/helm-chart-4.0.3/ingress-nginx-4.0.3.tgz url: https://github.com/kubernetes/ingress-nginx/releases/download/helm-chart-4.1.0/ingress-nginx-4.1.0.tgz
packageVersion: 07 packageVersion: 01
# This repository does not use releaseCandidateVersions, so you can leave this as 00. # This repository does not use releaseCandidateVersions, so you can leave this as 00.
releaseCandidateVersion: 00 releaseCandidateVersion: 00