Generated changes

assets/index.yaml

@@ -106,6 +106,25 @@ entries:
     - assets/rke2-coredns/rke2-coredns-1.10.101-build2021022301.tgz
     version: 1.10.101-build2021022301
   rke2-ingress-nginx:
+  - apiVersion: v1
+    appVersion: 0.35.0
+    created: "2021-02-24T21:42:02.60663315Z"
+    description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
+    digest: 2480ed0be9032f8f839913e12f0528128a15483ced57c851baed605156532782
+    home: https://github.com/kubernetes/ingress-nginx
+    icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
+    keywords:
+    - ingress
+    - nginx
+    kubeVersion: '>=1.16.0-0'
+    maintainers:
+    - name: ChiefAlexander
+    name: rke2-ingress-nginx
+    sources:
+    - https://github.com/kubernetes/ingress-nginx
+    urls:
+    - assets/rke2-ingress-nginx/rke2-ingress-nginx-3.3.000.tgz
+    version: 3.3.000
   - apiVersion: v1
     appVersion: 0.30.0
     created: "2021-02-19T16:11:27.47593126Z"
@@ -359,4 +378,4 @@ entries:
     urls:
     - assets/rke2-metrics-server/rke2-metrics-server-2.11.100-build2021022300.tgz
     version: 2.11.100-build2021022300
-generated: "2021-02-24T21:41:48.73617673Z"
+generated: "2021-02-24T21:42:02.60300284Z"

charts/rke2-ingress-nginx/Chart.yaml

@@ -1,18 +1,16 @@
 apiVersion: v1
-appVersion: 0.30.0
-description: An nginx Ingress controller that uses ConfigMap to store the nginx configuration.
-engine: gotpl
+appVersion: 0.35.0
+description: Ingress controller for Kubernetes using NGINX as a reverse proxy and
+  load balancer
 home: https://github.com/kubernetes/ingress-nginx
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
 keywords:
 - ingress
 - nginx
-kubeVersion: '>=1.10.0-0'
+kubeVersion: '>=1.16.0-0'
 maintainers:
 - name: ChiefAlexander
-- email: Trevor.G.Wood@gmail.com
-  name: taharah
 name: rke2-ingress-nginx
 sources:
 - https://github.com/kubernetes/ingress-nginx
-version: 1.36.300
+version: 3.3.000

charts/rke2-ingress-nginx/OWNERS

@@ -1,6 +1,5 @@
 approvers:
-- ChiefAlexander
-- taharah
+  - ChiefAlexander
+
 reviewers:
-- ChiefAlexander
-- taharah
+  - ChiefAlexander

charts/rke2-ingress-nginx/README.md

@@ -1,280 +1,114 @@
-# nginx-ingress
+# ingress-nginx
 
-[nginx-ingress](https://github.com/kubernetes/ingress-nginx) is an Ingress controller that uses ConfigMap to store the nginx configuration.
+[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 
 To use, add the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
 
-## TL;DR;
-
-```console
-$ helm install stable/nginx-ingress
-```
-
-## Introduction
-
-This chart bootstraps an nginx-ingress deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
 
 ## Prerequisites
 
-  - Kubernetes 1.6+
+- Kubernetes v1.16+
 
-## Installing the Chart
-
-To install the chart with the release name `my-release`:
+## Get Repo Info
 
 ```console
-$ helm install --name my-release stable/nginx-ingress
+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+helm repo add stable https://kubernetes-charts.storage.googleapis.com/
+helm repo update
 ```
 
-The command deploys nginx-ingress on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
-
-> **Tip**: List all releases using `helm list`
-
-## Uninstalling the Chart
-
-To uninstall/delete the `my-release` deployment:
+## Install Chart
 
 ```console
-$ helm delete my-release
+# Helm 3
+$ helm install [RELEASE_NAME] ingress-nginx/ingress-nginx
+
+# Helm 2
+$ helm install --name [RELEASE_NAME] ingress-nginx/ingress-nginx
 ```
 
-The command removes all the Kubernetes components associated with the chart and deletes the release.
+The command deploys ingress-nginx on the Kubernetes cluster in the default configuration.
+
+_See [configuration](#configuration) below._
+
+_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
+
+## Uninstall Chart
+
+```console
+# Helm 3
+$ helm uninstall [RELEASE_NAME]
+
+# Helm 2
+# helm delete --purge [RELEASE_NAME]
+```
+
+This removes all the Kubernetes components associated with the chart and deletes the release.
+
+_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._
+
+## Upgrading Chart
+
+```console
+# Helm 3 or 2
+$ helm upgrade [RELEASE_NAME] [CHART] --install
+```
+
+_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
+
+### Upgrading With Zero Downtime in Production
+
+By default the ingress-nginx controller has service interruptions whenever it's pods are restarted or redeployed. In order to fix that, see the excellent blog post by Lindsay Landry from Codecademy: [Kubernetes: Nginx and Zero Downtime in Production](https://medium.com/codecademy-engineering/kubernetes-nginx-and-zero-downtime-in-production-2c910c6a5ed8).
+
+### Migrating from stable/nginx-ingress
+
+There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart:
+
+1. For Nginx Ingress controllers used for non-critical services, the easiest method is to [uninstall](#uninstall-chart) the old release and [install](#install-chart) the new one
+1. For critical services in production that require zero-downtime, you will want to:
+    1. [Install](#install-chart) a second Ingress controller
+    1. Redirect your DNS traffic from the old controller to the new controller
+    1. Log traffic from both controllers during this changeover
+    1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it
+    1. For details on all of these steps see [Upgrading With Zero Downtime in Production](#upgrading-with-zero-downtime-in-production)
+
+Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts.
 
 ## Configuration
 
-The following table lists the configurable parameters of the nginx-ingress chart and their default values.
-
-Parameter | Description | Default
---- | --- | ---
-`controller.name` | name of the controller component | `controller`
-`controller.image.repository` | controller container image repository | `quay.io/kubernetes-ingress-controller/nginx-ingress-controller`
-`controller.image.tag` | controller container image tag | `0.30.0`
-`controller.image.pullPolicy` | controller container image pull policy | `IfNotPresent`
-`controller.image.runAsUser` | User ID of the controller process. Value depends on the Linux distribution used inside of the container image. | `101`
-`controller.useComponentLabel` | Wether to add component label so the HPA can work separately for controller and defaultBackend. *Note: don't change this if you have an already running deployment as it will need the recreation of the controller deployment* | `false`
-`controller.containerPort.http` | The port that the controller container listens on for http connections. | `80`
-`controller.containerPort.https` | The port that the controller container listens on for https connections. | `443`
-`controller.config` | nginx [ConfigMap](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md) entries | none
-`controller.hostNetwork` | If the nginx deployment / daemonset should run on the host's network namespace. Do not set this when `controller.service.externalIPs` is set and `kube-proxy` is used as there will be a port-conflict for port `80` | false
-`controller.defaultBackendService` | default 404 backend service; needed only if `defaultBackend.enabled = false` and version < 0.21.0| `""`
-`controller.dnsPolicy` | If using `hostNetwork=true`, change to `ClusterFirstWithHostNet`. See [pod's dns policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) for details | `ClusterFirst`
-`controller.dnsConfig` | custom pod dnsConfig. See [pod's dns config](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-config) for details | `{}`
-`controller.reportNodeInternalIp` | If using `hostNetwork=true`, setting `reportNodeInternalIp=true`, will pass the flag `report-node-internal-ip-address` to nginx-ingress. This sets the status of all Ingress objects to the internal IP address of all nodes running the NGINX Ingress controller.
-`controller.electionID` | election ID to use for the status update | `ingress-controller-leader`
-`controller.extraEnvs` | any additional environment variables to set in the pods | `{}`
-`controller.extraContainers` | Sidecar containers to add to the controller pod. See [LemonLDAP::NG controller](https://github.com/lemonldap-ng-controller/lemonldap-ng-controller) as example | `{}`
-`controller.extraVolumeMounts` | Additional volumeMounts to the controller main container | `{}`
-`controller.extraVolumes` | Additional volumes to the controller pod | `{}`
-`controller.extraInitContainers` | Containers, which are run before the app containers are started | `[]`
-`controller.ingressClass` | name of the ingress class to route through this controller | `nginx`
-`controller.maxmindLicenseKey` | Maxmind license key to download GeoLite2 Databases. See [Accessing and using GeoLite2 database](https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/) | `""`
-`controller.scope.enabled` | limit the scope of the ingress controller | `false` (watch all namespaces)
-`controller.scope.namespace` | namespace to watch for ingress | `""` (use the release namespace)
-`controller.extraArgs` | Additional controller container arguments | `{}`
-`controller.kind` | install as Deployment, DaemonSet or Both | `Deployment`
-`controller.deploymentAnnotations` | annotations to be added to deployment | `{}`
-`controller.autoscaling.enabled` | If true, creates Horizontal Pod Autoscaler | false
-`controller.autoscaling.minReplicas` | If autoscaling enabled, this field sets minimum replica count | `2`
-`controller.autoscaling.maxReplicas` | If autoscaling enabled, this field sets maximum replica count | `11`
-`controller.autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization percentage to scale | `"50"`
-`controller.autoscaling.targetMemoryUtilizationPercentage` | Target memory utilization percentage to scale | `"50"`
-`controller.daemonset.useHostPort` | If `controller.kind` is `DaemonSet`, this will enable `hostPort` for TCP/80 and TCP/443 | false
-`controller.daemonset.hostPorts.http` | If `controller.daemonset.useHostPort` is `true` and this is non-empty, it sets the hostPort | `"80"`
-`controller.daemonset.hostPorts.https` | If `controller.daemonset.useHostPort` is `true` and this is non-empty, it sets the hostPort | `"443"`
-`controller.tolerations` | node taints to tolerate (requires Kubernetes >=1.6) | `[]`
-`controller.affinity` | node/pod affinities (requires Kubernetes >=1.6) | `{}`
-`controller.terminationGracePeriodSeconds` | how many seconds to wait before terminating a pod | `60`
-`controller.minReadySeconds` | how many seconds a pod needs to be ready before killing the next, during update | `0`
-`controller.nodeSelector` | node labels for pod assignment | `{}`
-`controller.podAnnotations` | annotations to be added to pods | `{}`
-`controller.deploymentLabels` | labels to add to the deployment metadata | `{}`
-`controller.podLabels` | labels to add to the pod container metadata | `{}`
-`controller.podSecurityContext` | Security context policies to add to the controller pod | `{}`
-`controller.replicaCount` | desired number of controller pods | `1`
-`controller.minAvailable` | minimum number of available controller pods for PodDisruptionBudget | `1`
-`controller.resources` | controller pod resource requests & limits | `{}`
-`controller.priorityClassName` | controller priorityClassName | `nil`
-`controller.lifecycle` | controller pod lifecycle hooks | `{}`
-`controller.service.annotations` | annotations for controller service | `{}`
-`controller.service.labels` | labels for controller service | `{}`
-`controller.publishService.enabled` | if true, the controller will set the endpoint records on the ingress objects to reflect those on the service | `false`
-`controller.publishService.pathOverride` | override of the default publish-service name | `""`
-`controller.service.enabled` | if disabled no service will be created. This is especially useful when `controller.kind` is set to `DaemonSet` and `controller.daemonset.useHostPorts` is `true` | true
-`controller.service.clusterIP` | internal controller cluster service IP (set to `"-"` to pass an empty value) | `nil`
-`controller.service.omitClusterIP` | (Deprecated) To omit the `clusterIP` from the controller service | `false`
-`controller.service.externalIPs` | controller service external IP addresses. Do not set this when `controller.hostNetwork` is set to `true` and `kube-proxy` is used as there will be a port-conflict for port `80` | `[]`
-`controller.service.externalTrafficPolicy` | If `controller.service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable [source IP preservation](https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typenodeport) | `"Cluster"`
-`controller.service.sessionAffinity` | Enables client IP based session affinity. Must be `ClientIP` or `None` if set.  | `""`
-`controller.service.healthCheckNodePort` | If `controller.service.type` is `NodePort` or `LoadBalancer` and `controller.service.externalTrafficPolicy` is set to `Local`, set this to [the managed health-check port the kube-proxy will expose](https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typenodeport). If blank, a random port in the `NodePort` range will be assigned | `""`
-`controller.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""`
-`controller.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]`
-`controller.service.enableHttp` | if port 80 should be opened for service | `true`
-`controller.service.enableHttps` | if port 443 should be opened for service | `true`
-`controller.service.targetPorts.http` | Sets the targetPort that maps to the Ingress' port 80 | `80`
-`controller.service.targetPorts.https` | Sets the targetPort that maps to the Ingress' port 443 | `443`
-`controller.service.ports.http` | Sets service http port | `80`
-`controller.service.ports.https` | Sets service https port | `443`
-`controller.service.type` | type of controller service to create | `LoadBalancer`
-`controller.service.nodePorts.http` | If `controller.service.type` is either `NodePort` or `LoadBalancer` and this is non-empty, it sets the nodePort that maps to the Ingress' port 80 | `""`
-`controller.service.nodePorts.https` | If `controller.service.type` is either `NodePort` or `LoadBalancer` and this is non-empty, it sets the nodePort that maps to the Ingress' port 443 | `""`
-`controller.service.nodePorts.tcp` | Sets the nodePort for an entry referenced by its key from `tcp` | `{}`
-`controller.service.nodePorts.udp` | Sets the nodePort for an entry referenced by its key from `udp` | `{}`
-`controller.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 10
-`controller.livenessProbe.periodSeconds` | How often to perform the probe | 10
-`controller.livenessProbe.timeoutSeconds` | When the probe times out | 5
-`controller.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1
-`controller.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3
-`controller.livenessProbe.port` | The port number that the liveness probe will listen on. | 10254
-`controller.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 10
-`controller.readinessProbe.periodSeconds` | How often to perform the probe | 10
-`controller.readinessProbe.timeoutSeconds` | When the probe times out | 1
-`controller.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1
-`controller.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3
-`controller.readinessProbe.port` | The port number that the readiness probe will listen on. | 10254
-`controller.metrics.enabled` | if `true`, enable Prometheus metrics | `false`
-`controller.metrics.service.annotations` | annotations for Prometheus metrics service | `{}`
-`controller.metrics.service.clusterIP` | cluster IP address to assign to service (set to `"-"` to pass an empty value) | `nil`
-`controller.metrics.service.omitClusterIP` | (Deprecated) To omit the `clusterIP` from the metrics service | `false`
-`controller.metrics.service.externalIPs` | Prometheus metrics service external IP addresses | `[]`
-`controller.metrics.service.labels` | labels for metrics service | `{}`
-`controller.metrics.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""`
-`controller.metrics.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]`
-`controller.metrics.service.servicePort` | Prometheus metrics service port | `9913`
-`controller.metrics.service.type` | type of Prometheus metrics service to create | `ClusterIP`
-`controller.metrics.serviceMonitor.enabled` | Set this to `true` to create ServiceMonitor for Prometheus operator | `false`
-`controller.metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}`
-`controller.metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels. | `false`
-`controller.metrics.serviceMonitor.namespace` | namespace where servicemonitor resource should be created | `the same namespace as nginx ingress`
-`controller.metrics.serviceMonitor.namespaceSelector` | [namespaceSelector](https://github.com/coreos/prometheus-operator/blob/v0.34.0/Documentation/api.md#namespaceselector) to configure what namespaces to scrape | `will scrape the helm release namespace only`
-`controller.metrics.serviceMonitor.scrapeInterval` | interval between Prometheus scraping | `30s`
-`controller.metrics.prometheusRule.enabled` | Set this to `true` to create prometheusRules for Prometheus operator | `false`
-`controller.metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}`
-`controller.metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | `the same namespace as nginx ingress`
-`controller.metrics.prometheusRule.rules` | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be prometheus in YAML format, check values for an example. | `[]`
-`controller.admissionWebhooks.enabled` | Create Ingress admission webhooks. Validating webhook will check the ingress syntax. | `false`
-`controller.admissionWebhooks.failurePolicy` | Failure policy for admission webhooks | `Fail`
-`controller.admissionWebhooks.port` | Admission webhook port | `8080`
-`controller.admissionWebhooks.service.annotations` | Annotations for admission webhook service | `{}`
-`controller.admissionWebhooks.service.omitClusterIP` | (Deprecated) To omit the `clusterIP` from the admission webhook service | `false`
-`controller.admissionWebhooks.service.clusterIP` | cluster IP address to assign to admission webhook service (set to `"-"` to pass an empty value) | `nil`
-`controller.admissionWebhooks.service.externalIPs` | Admission webhook service external IP addresses | `[]`
-`controller.admissionWebhooks.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""`
-`controller.admissionWebhooks.service.loadBalancerSourceRanges` | List of IP CIDRs allowed access to load balancer (if supported) | `[]`
-`controller.admissionWebhooks.service.servicePort` | Admission webhook service port | `443`
-`controller.admissionWebhooks.service.type` | Type of admission webhook service to create | `ClusterIP`
-`controller.admissionWebhooks.patch.enabled` | If true, will use a pre and post install hooks to generate a CA and certificate to use for validating webhook endpoint, and patch the created webhooks with the CA. | `true`
-`controller.admissionWebhooks.patch.image.repository` | Repository to use for the webhook integration jobs | `jettech/kube-webhook-certgen`
-`controller.admissionWebhooks.patch.image.tag` |  Tag to use for the webhook integration jobs | `v1.0.0`
-`controller.admissionWebhooks.patch.image.pullPolicy` | Image pull policy for the webhook integration jobs | `IfNotPresent`
-`controller.admissionWebhooks.patch.priorityClassName` | Priority class for the webhook integration jobs | `""`
-`controller.admissionWebhooks.patch.podAnnotations` | Annotations for the webhook job pods | `{}`
-`controller.admissionWebhooks.patch.nodeSelector` | Node selector for running admission hook patch jobs | `{}`
-`controller.customTemplate.configMapName` | configMap containing a custom nginx template | `""`
-`controller.customTemplate.configMapKey` | configMap key containing the nginx template | `""`
-`controller.addHeaders` | configMap key:value pairs containing [custom headers](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers) added before sending response to the client | `{}`
-`controller.proxySetHeaders` | configMap key:value pairs containing [custom headers](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#proxy-set-headers) added before sending request to the backends| `{}`
-`controller.headers` | DEPRECATED, Use `controller.proxySetHeaders` instead. | `{}`
-`controller.updateStrategy` | allows setting of RollingUpdate strategy | `{}`
-`controller.configMapNamespace` | The nginx-configmap namespace name | `""`
-`controller.tcp.configMapNamespace` | The tcp-services-configmap namespace name | `""`
-`controller.udp.configMapNamespace` | The udp-services-configmap namespace name | `""`
-`defaultBackend.enabled` | Use default backend component | `true`
-`defaultBackend.name` | name of the default backend component | `default-backend`
-`defaultBackend.image.repository` | default backend container image repository | `k8s.gcr.io/defaultbackend-amd64`
-`defaultBackend.image.tag` | default backend container image tag | `1.5`
-`defaultBackend.image.pullPolicy` | default backend container image pull policy | `IfNotPresent`
-`defaultBackend.image.runAsUser` | User ID of the controller process. Value depends on the Linux distribution used inside of the container image. By default uses nobody user. | `65534`
-`defaultBackend.useComponentLabel` | Whether to add component label so the HPA can work separately for controller and defaultBackend. *Note: don't change this if you have an already running deployment as it will need the recreation of the defaultBackend deployment* | `false`
-`defaultBackend.extraArgs` | Additional default backend container arguments | `{}`
-`defaultBackend.extraEnvs` | any additional environment variables to set in the defaultBackend pods | `[]`
-`defaultBackend.port` | Http port number | `8080`
-`defaultBackend.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30
-`defaultBackend.livenessProbe.periodSeconds` | How often to perform the probe | 10
-`defaultBackend.livenessProbe.timeoutSeconds` | When the probe times out | 5
-`defaultBackend.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1
-`defaultBackend.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3
-`defaultBackend.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 0
-`defaultBackend.readinessProbe.periodSeconds` | How often to perform the probe | 5
-`defaultBackend.readinessProbe.timeoutSeconds` | When the probe times out | 5
-`defaultBackend.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1
-`defaultBackend.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6
-`defaultBackend.tolerations` | node taints to tolerate (requires Kubernetes >=1.6) | `[]`
-`defaultBackend.affinity` | node/pod affinities (requires Kubernetes >=1.6) | `{}`
-`defaultBackend.nodeSelector` | node labels for pod assignment | `{}`
-`defaultBackend.podAnnotations` | annotations to be added to pods | `{}`
-`defaultBackend.deploymentLabels` | labels to add to the deployment metadata | `{}`
-`defaultBackend.podLabels` | labels to add to the pod container metadata | `{}`
-`defaultBackend.replicaCount` | desired number of default backend pods | `1`
-`defaultBackend.minAvailable` | minimum number of available default backend pods for PodDisruptionBudget | `1`
-`defaultBackend.resources` | default backend pod resource requests & limits | `{}`
-`defaultBackend.priorityClassName` | default backend  priorityClassName | `nil`
-`defaultBackend.podSecurityContext` | Security context policies to add to the default backend | `{}`
-`defaultBackend.service.annotations` | annotations for default backend service | `{}`
-`defaultBackend.service.clusterIP` | internal default backend cluster service IP (set to `"-"` to pass an empty value) | `nil`
-`defaultBackend.service.omitClusterIP` | (Deprecated) To omit the `clusterIP` from the default backend service | `false`
-`defaultBackend.service.externalIPs` | default backend service external IP addresses | `[]`
-`defaultBackend.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""`
-`defaultBackend.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]`
-`defaultBackend.service.type` | type of default backend service to create | `ClusterIP`
-`defaultBackend.serviceAccount.create` | if `true`, create a backend service account. Only useful if you need a pod security policy to run the backend. | `true`
-`defaultBackend.serviceAccount.name` | The name of the backend service account to use. If not set and `create` is `true`, a name is generated using the fullname template. Only useful if you need a pod security policy to run the backend. | ``
-`imagePullSecrets` | name of Secret resource containing private registry credentials | `nil`
-`rbac.create` | if `true`, create & use RBAC resources | `true`
-`rbac.scope` | if `true`, do not create & use clusterrole and -binding. Set to `true` in combination with `controller.scope.enabled=true` to disable load-balancer status updates and scope the ingress entirely. | `false`
-`podSecurityPolicy.enabled` | if `true`, create & use Pod Security Policy resources | `false`
-`serviceAccount.create` | if `true`, create a service account for the controller | `true`
-`serviceAccount.name` | The name of the controller service account to use. If not set and `create` is `true`, a name is generated using the fullname template. | ``
-`revisionHistoryLimit` | The number of old history to retain to allow rollback. | `10`
-`tcp` | TCP service key:value pairs. The value is evaluated as a template. | `{}`
-`udp` | UDP service key:value pairs The value is evaluated as a template. | `{}`
-`releaseLabelOverride` | If provided, the value will be used as the `release` label instead of .Release.Name | `""`
-
-These parameters can be passed via Helm's `--set` option
-```console
-$ helm install stable/nginx-ingress --name my-release \
-    --set controller.metrics.enabled=true
-```
-
-Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
+See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands:
 
 ```console
-$ helm install stable/nginx-ingress --name my-release -f values.yaml
+# Helm 2
+$ helm inspect values ingress-nginx/ingress-nginx
+
+# Helm 3
+$ helm show values ingress-nginx/ingress-nginx
 ```
 
-A useful trick to debug issues with ingress is to increase the logLevel
-as described [here](https://github.com/kubernetes/ingress-nginx/blob/master/docs/troubleshooting.md#debug)
-
-```console
-$ helm install stable/nginx-ingress --set controller.extraArgs.v=2
-```
-> **Tip**: You can use the default [values.yaml](values.yaml)
-
-## PodDisruptionBudget
+### PodDisruptionBudget
 
 Note that the PodDisruptionBudget resource will only be defined if the replicaCount is greater than one,
 else it would make it impossible to evacuate a node. See [gh issue #7127](https://github.com/helm/charts/issues/7127) for more info.
 
-## Prometheus Metrics
+### Prometheus Metrics
 
-The Nginx ingress controller can export Prometheus metrics.
-
-```console
-$ helm install stable/nginx-ingress --name my-release \
-    --set controller.metrics.enabled=true
-```
+The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`.
 
 You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`.
 
-## nginx-ingress nginx\_status page/stats server
+### ingress-nginx nginx\_status page/stats server
 
 Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller:
-* in [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
-* in [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
+
+- In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
+- In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
   You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally, or use the snippet from [nginx-ingress changelog](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0230) to re-enable the http server
 
-## ExternalDNS Service configuration
+### ExternalDNS Service Configuration
 
-Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service:
+Add an [ExternalDNS](https://github.com/kubernetes-incubator/external-dns) annotation to the LoadBalancer service:
 
 ```yaml
 controller:
@@ -283,7 +117,7 @@ controller:
       external-dns.alpha.kubernetes.io/hostname: kubernetes-example.com.
 ```
 
-## AWS L7 ELB with SSL Termination
+### AWS L7 ELB with SSL Termination
 
 Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/master/deploy/aws/l7/service-l7.yaml):
 
@@ -300,36 +134,7 @@ controller:
       service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
 ```
 
-## AWS L4 NLB with SSL Redirection
-
-`ssl-redirect` and `force-ssl-redirect` flag are not working with AWS Network Load Balancer. You need to turn if off and add additional port with `server-snippet` in order to make it work.
-
-The port NLB `80` will be mapped to nginx container port `80` and NLB port `443` will be mapped to nginx container port `8000` (special). Then we use `$server_port` to manage redirection on port `80`
-```
-controller:
-  config:
-    ssl-redirect: "false" # we use `special` port to control ssl redirection 
-    server-snippet: |
-      listen 8000;
-      if ( $server_port = 80 ) {
-         return 308 https://$host$request_uri;
-      }
-  containerPort:
-    http: 80
-    https: 443
-    special: 8000
-  service:
-    targetPorts:
-      http: http
-      https: special
-    annotations:
-      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
-      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
-      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "your-arn"
-      service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
-```
-
-## AWS route53-mapper
+### AWS route53-mapper
 
 To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/tree/master/addons/route53-mapper), add the `domainName` annotation and `dns` label:
 
@@ -342,17 +147,72 @@ controller:
       domainName: "kubernetes-example.com"
 ```
 
-## Ingress Admission Webhooks
+### Additional Internal Load Balancer
+
+This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application.
+
+By default, the ingress object will point to the external load balancer address, but if correctly configured, you can make use of the internal one if the URL you are looking up resolves to the internal load balancer's URL.
+
+You'll need to set both the following values:
+
+`controller.service.internal.enabled`
+`controller.service.internal.annotations`
+
+If one of them is missing the internal load balancer will not be deployed. Example you may have `controller.service.internal.enabled=true` but no annotations set, in this case no action will be taken.
+
+`controller.service.internal.annotations` varies with the cloud service you're using.
+
+Example for AWS:
+
+```yaml
+controller:
+  service:
+    internal:
+      enabled: true
+      annotations:
+        # Create internal ELB
+        service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
+        # Any other annotation can be declared here.
+```
+
+Example for GCE:
+
+```yaml
+controller:
+  service:
+    internal:
+      enabled: true
+      annotations:
+        # Create internal LB
+        cloud.google.com/load-balancer-type: "Internal"
+        # Any other annotation can be declared here.
+```
+
+Example for Azure:
+
+```yaml
+controller:
+  service:
+      annotations:
+        # Create internal LB
+        service.beta.kubernetes.io/azure-load-balancer-internal: "true"
+        # Any other annotation can be declared here.
+```
+
+An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object.
+
+### Ingress Admission Webhooks
 
 With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
+**This feature is enabled by default since 0.31.0.**
 
 With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)
 
-## Helm error when upgrading: spec.clusterIP: Invalid value: ""
+### Helm Error When Upgrading: spec.clusterIP: Invalid value: ""
 
 If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this:
 
-```
+```console
 Error: UPGRADE FAILED: Service "?????-controller" is invalid: spec.clusterIP: Invalid value: "": field is immutable
 ```
 

charts/rke2-ingress-nginx/ci/daemonset-customconfig-values.yaml

@@ -1,4 +1,9 @@
 controller:
   kind: DaemonSet
+  admissionWebhooks:
+    enabled: false
+  service:
+    type: ClusterIP
+
   config:
     use-proxy-protocol: "true"

charts/rke2-ingress-nginx/ci/daemonset-customnodeport-values.yaml

@@ -1,5 +1,8 @@
 controller:
   kind: DaemonSet
+  admissionWebhooks:
+    enabled: false
+
   service:
     type: NodePort
     nodePorts:

charts/rke2-ingress-nginx/ci/daemonset-headers-values.yaml

@@ -1,6 +1,10 @@
 controller:
   kind: DaemonSet
+  admissionWebhooks:
+    enabled: false
   addHeaders:
     X-Frame-Options: deny
   proxySetHeaders:
     X-Forwarded-Proto: https
+  service:
+    type: ClusterIP

charts/rke2-ingress-nginx/ci/daemonset-internal-lb-values.yaml

@@ -0,0 +1,10 @@
+controller:
+  kind: DaemonSet
+  admissionWebhooks:
+    enabled: false
+  service:
+    type: ClusterIP
+    internal:
+      enabled: true
+      annotations:
+        service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0

charts/rke2-ingress-nginx/ci/daemonset-nodeport-values.yaml

@@ -1,4 +1,6 @@
 controller:
   kind: DaemonSet
+  admissionWebhooks:
+    enabled: false
   service:
     type: NodePort

charts/rke2-ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml

@@ -1,5 +1,7 @@
 controller:
   kind: DaemonSet
+  admissionWebhooks:
+    enabled: false
   service:
     type: ClusterIP
   tcp:

charts/rke2-ingress-nginx/ci/daemonset-tcp-udp-values.yaml

@@ -1,5 +1,7 @@
 controller:
   kind: DaemonSet
+  admissionWebhooks:
+    enabled: false
   service:
     type: ClusterIP
 

charts/rke2-ingress-nginx/ci/daemonset-tcp-values.yaml

@@ -1,5 +1,9 @@
 controller:
   kind: DaemonSet
+  admissionWebhooks:
+    enabled: false
+  service:
+    type: ClusterIP
 
 tcp:
   9000: "default/test:8080"

charts/rke2-ingress-nginx/ci/deamonset-default-values.yaml

@@ -1,2 +1,6 @@
 controller:
   kind: DaemonSet
+  admissionWebhooks:
+    enabled: false
+  service:
+    type: ClusterIP

charts/rke2-ingress-nginx/ci/deamonset-metrics-values.yaml

@@ -1,4 +1,8 @@
 controller:
   kind: DaemonSet
+  admissionWebhooks:
+    enabled: false
   metrics:
     enabled: true
+  service:
+    type: ClusterIP

charts/rke2-ingress-nginx/ci/deamonset-psp-values.yaml

@@ -1,5 +1,9 @@
 controller:
   kind: DaemonSet
+  admissionWebhooks:
+    enabled: false
+  service:
+    type: ClusterIP
 
 podSecurityPolicy:
   enabled: true

charts/rke2-ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml

@@ -2,6 +2,8 @@ controller:
   kind: DaemonSet
   admissionWebhooks:
     enabled: true
+  service:
+    type: ClusterIP
 
 podSecurityPolicy:
   enabled: true

charts/rke2-ingress-nginx/ci/deamonset-webhook-values.yaml

@@ -2,3 +2,5 @@ controller:
   kind: DaemonSet
   admissionWebhooks:
     enabled: true
+  service:
+    type: ClusterIP

charts/rke2-ingress-nginx/ci/deployment-autoscaling-values.yaml

@@ -1,3 +1,7 @@
 controller:
   autoscaling:
     enabled: true
+  admissionWebhooks:
+    enabled: false
+  service:
+    type: ClusterIP

charts/rke2-ingress-nginx/ci/deployment-customconfig-values.yaml

@@ -1,3 +1,7 @@
 controller:
   config:
     use-proxy-protocol: "true"
+  admissionWebhooks:
+    enabled: false
+  service:
+    type: ClusterIP

charts/rke2-ingress-nginx/ci/deployment-customnodeport-values.yaml

@@ -1,4 +1,6 @@
 controller:
+  admissionWebhooks:
+    enabled: false
   service:
     type: NodePort
     nodePorts:

charts/rke2-ingress-nginx/ci/deployment-default-values.yaml

@@ -1 +1,4 @@
 # Left blank to test default values
+controller:
+  service:
+    type: ClusterIP

charts/rke2-ingress-nginx/ci/deployment-headers-values.yaml

@@ -1,5 +1,9 @@
 controller:
+  admissionWebhooks:
+    enabled: false
   addHeaders:
     X-Frame-Options: deny
   proxySetHeaders:
     X-Forwarded-Proto: https
+  service:
+    type: ClusterIP

charts/rke2-ingress-nginx/ci/deployment-internal-lb-values.yaml

@@ -0,0 +1,9 @@
+controller:
+  admissionWebhooks:
+    enabled: false
+  service:
+    type: ClusterIP
+    internal:
+      enabled: true
+      annotations:
+        service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0

charts/rke2-ingress-nginx/ci/deployment-metrics-values.yaml

@@ -1,3 +1,7 @@
 controller:
+  admissionWebhooks:
+    enabled: false
   metrics:
     enabled: true
+  service:
+    type: ClusterIP

charts/rke2-ingress-nginx/ci/deployment-nodeport-values.yaml

@@ -1,3 +1,5 @@
 controller:
+  admissionWebhooks:
+    enabled: false
   service:
     type: NodePort

charts/rke2-ingress-nginx/ci/deployment-psp-values.yaml

@@ -1,2 +1,6 @@
+controller:
+  service:
+    type: ClusterIP
+
 podSecurityPolicy:
   enabled: true

charts/rke2-ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml

@@ -1,4 +1,6 @@
 controller:
+  admissionWebhooks:
+    enabled: false
   service:
     type: ClusterIP
   tcp:

charts/rke2-ingress-nginx/ci/deployment-tcp-udp-values.yaml

@@ -1,4 +1,6 @@
 controller:
+  admissionWebhooks:
+    enabled: false
   service:
     type: ClusterIP
 

charts/rke2-ingress-nginx/ci/deployment-tcp-values.yaml

@@ -1,3 +1,7 @@
+controller:
+  service:
+    type: ClusterIP
+
 tcp:
   9000: "default/test:8080"
   9001: "default/test:8080"

charts/rke2-ingress-nginx/ci/deployment-webhook-and-psp-values.yaml

@@ -1,6 +1,8 @@
 controller:
   admissionWebhooks:
     enabled: true
+  service:
+    type: ClusterIP
 
 podSecurityPolicy:
   enabled: true

charts/rke2-ingress-nginx/ci/deployment-webhook-values.yaml

@@ -1,3 +1,5 @@
 controller:
   admissionWebhooks:
     enabled: true
+  service:
+    type: ClusterIP

charts/rke2-ingress-nginx/templates/NOTES.txt

@@ -1,4 +1,4 @@
-The nginx-ingress controller has been installed.
+The ingress-nginx controller has been installed.
 
 {{- if contains "NodePort" .Values.controller.service.type }}
 Get the application URL by running these commands:
@@ -6,12 +6,12 @@ Get the application URL by running these commands:
 {{- if (not (empty .Values.controller.service.nodePorts.http)) }}
   export HTTP_NODE_PORT={{ .Values.controller.service.nodePorts.http }}
 {{- else }}
-  export HTTP_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[0].nodePort}" {{ template "nginx-ingress.controller.fullname" . }})
+  export HTTP_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[0].nodePort}" {{ include "ingress-nginx.controller.fullname" . }})
 {{- end }}
 {{- if (not (empty .Values.controller.service.nodePorts.https)) }}
   export HTTPS_NODE_PORT={{ .Values.controller.service.nodePorts.https }}
 {{- else }}
-  export HTTPS_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[1].nodePort}" {{ template "nginx-ingress.controller.fullname" . }})
+  export HTTPS_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[1].nodePort}" {{ include "ingress-nginx.controller.fullname" . }})
 {{- end }}
   export NODE_IP=$(kubectl --namespace {{ .Release.Namespace }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}")
 
@@ -19,17 +19,17 @@ Get the application URL by running these commands:
   echo "Visit https://$NODE_IP:$HTTPS_NODE_PORT to access your application via HTTPS."
 {{- else if contains "LoadBalancer" .Values.controller.service.type }}
 It may take a few minutes for the LoadBalancer IP to be available.
-You can watch the status by running 'kubectl --namespace {{ .Release.Namespace }} get services -o wide -w {{ template "nginx-ingress.controller.fullname" . }}'
+You can watch the status by running 'kubectl --namespace {{ .Release.Namespace }} get services -o wide -w {{ include "ingress-nginx.controller.fullname" . }}'
 {{- else if contains "ClusterIP"  .Values.controller.service.type }}
 Get the application URL by running these commands:
-  export POD_NAME=$(kubectl --namespace {{ .Release.Namespace }} get pods -o jsonpath="{.items[0].metadata.name}" -l "app={{ template "nginx-ingress.name" . }},component={{ .Values.controller.name }},release={{ template "nginx-ingress.releaseLabel" . }}")
+  export POD_NAME=$(kubectl --namespace {{ .Release.Namespace }} get pods -o jsonpath="{.items[0].metadata.name}" -l "app={{ template "ingress-nginx.name" . }},component={{ .Values.controller.name }},release={{ .Release.Name }}")
   kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
   echo "Visit http://127.0.0.1:8080 to access your application."
 {{- end }}
 
 An example Ingress that makes use of the controller:
 
-  apiVersion: extensions/v1beta1
+  apiVersion: networking.k8s.io/v1beta1
   kind: Ingress
   metadata:
     annotations:

charts/rke2-ingress-nginx/templates/_helpers.tpl

@@ -2,14 +2,14 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "nginx-ingress.name" -}}
+{{- define "ingress-nginx.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "nginx-ingress.chart" -}}
+{{- define "ingress-nginx.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
@@ -17,7 +17,7 @@ Create chart name and version as used by the chart label.
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 */}}
-{{- define "nginx-ingress.fullname" -}}
+{{- define "ingress-nginx.fullname" -}}
 {{- if .Values.fullnameOverride -}}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
@@ -34,16 +34,8 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 Create a default fully qualified controller name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 */}}
-{{- define "nginx-ingress.controller.fullname" -}}
-{{- printf "%s-%s" (include "nginx-ingress.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-
-{{/*
-Allow for the ability to override the release name used as a label in many places.
-*/}}
-{{- define "nginx-ingress.releaseLabel" -}}
-{{- .Values.releaseLabelOverride | default .Release.Name | trunc 63 -}}
+{{- define "ingress-nginx.controller.fullname" -}}
+{{- printf "%s-%s" (include "ingress-nginx.fullname" .) "controller" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
 {{/*
@@ -55,9 +47,8 @@ service generated.
 Users can provide an override for an explicit service they want bound via `.Values.controller.publishService.pathOverride`
 
 */}}
-
-{{- define "nginx-ingress.controller.publishServicePath" -}}
-{{- $defServiceName := printf "%s/%s" .Release.Namespace (include "nginx-ingress.controller.fullname" .) -}}
+{{- define "ingress-nginx.controller.publishServicePath" -}}
+{{- $defServiceName := printf "%s/%s" "$(POD_NAMESPACE)" (include "ingress-nginx.controller.fullname" .) -}}
 {{- $servicePath := default $defServiceName .Values.controller.publishService.pathOverride }}
 {{- print $servicePath | trimSuffix "-" -}}
 {{- end -}}
@@ -66,16 +57,36 @@ Users can provide an override for an explicit service they want bound via `.Valu
 Create a default fully qualified default backend name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 */}}
-{{- define "nginx-ingress.defaultBackend.fullname" -}}
-{{- printf "%s-%s" (include "nginx-ingress.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
+{{- define "ingress-nginx.defaultBackend.fullname" -}}
+{{- printf "%s-%s" (include "ingress-nginx.fullname" .) "defaultbackend" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "ingress-nginx.labels" -}}
+helm.sh/chart: {{ include "ingress-nginx.chart" . }}
+{{ include "ingress-nginx.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ingress-nginx.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ingress-nginx.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{/*
 Create the name of the controller service account to use
 */}}
-{{- define "nginx-ingress.serviceAccountName" -}}
+{{- define "ingress-nginx.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create -}}
-    {{ default (include "nginx-ingress.fullname" .) .Values.serviceAccount.name }}
+    {{ default (include "ingress-nginx.fullname" .) .Values.serviceAccount.name }}
 {{- else -}}
     {{ default "default" .Values.serviceAccount.name }}
 {{- end -}}
@@ -84,25 +95,14 @@ Create the name of the controller service account to use
 {{/*
 Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
 */}}
-{{- define "nginx-ingress.defaultBackend.serviceAccountName" -}}
+{{- define "ingress-nginx.defaultBackend.serviceAccountName" -}}
 {{- if .Values.defaultBackend.serviceAccount.create -}}
-    {{ default (printf "%s-backend" (include "nginx-ingress.fullname" .)) .Values.defaultBackend.serviceAccount.name }}
+    {{ default (printf "%s-backend" (include "ingress-nginx.fullname" .)) .Values.defaultBackend.serviceAccount.name }}
 {{- else -}}
     {{ default "default-backend" .Values.defaultBackend.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
 
-{{/*
-Return the appropriate apiVersion for deployment.
-*/}}
-{{- define "deployment.apiVersion" -}}
-{{- if semverCompare ">=1.9-0" .Capabilities.KubeVersion.GitVersion -}}
-{{- print "apps/v1" -}}
-{{- else -}}
-{{- print "extensions/v1beta1" -}}
-{{- end -}}
-{{- end -}}
-
 {{/*
 Return the appropriate apiGroup for PodSecurityPolicy.
 */}}
@@ -115,13 +115,11 @@ Return the appropriate apiGroup for PodSecurityPolicy.
 {{- end -}}
 
 {{/*
-Return the appropriate apiVersion for podSecurityPolicy.
+Check the ingress controller version tag is at most three versions behind the last release
 */}}
-{{- define "podSecurityPolicy.apiVersion" -}}
-{{- if semverCompare ">=1.10-0" .Capabilities.KubeVersion.GitVersion -}}
-{{- print "policy/v1beta1" -}}
-{{- else -}}
-{{- print "extensions/v1beta1" -}}
+{{- define "isControllerTagValid" -}}
+{{- if not (semverCompare ">=0.27.0-0" (trimPrefix "nginx-" .Values.controller.image.tag)) -}}
+{{- fail "Controller container image tag should be 0.27.0 or higher" -}}
 {{- end -}}
 {{- end -}}
 

charts/rke2-ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml

@@ -1,17 +1,14 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name:  {{ template "nginx-ingress.fullname" . }}-admission
+  name: {{ include "ingress-nginx.fullname" . }}-admission
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    component: "{{ .Values.controller.name }}"
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
 rules:
   - apiGroups:
       - admissionregistration.k8s.io
@@ -25,6 +22,6 @@ rules:
     resources: ['podsecuritypolicies']
     verbs:     ['use']
     resourceNames:
-    - {{ template "nginx-ingress.fullname" . }}-admission
+    - {{ include "ingress-nginx.fullname" . }}-admission
 {{- end }}
 {{- end }}

charts/rke2-ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml

@@ -1,23 +1,20 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name:  {{ template "nginx-ingress.fullname" . }}-admission
+  name:  {{ include "ingress-nginx.fullname" . }}-admission
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    component: "{{ .Values.controller.name }}"
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ template "nginx-ingress.fullname" . }}-admission
+  name: {{ include "ingress-nginx.fullname" . }}-admission
 subjects:
   - kind: ServiceAccount
-    name: {{ template "nginx-ingress.fullname" . }}-admission
+    name: {{ include "ingress-nginx.fullname" . }}-admission
     namespace: {{ .Release.Namespace }}
 {{- end }}

charts/rke2-ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml

@@ -1,55 +1,60 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: {{ template "nginx-ingress.fullname" . }}-admission-create
+  name: {{ include "ingress-nginx.fullname" . }}-admission-create
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    component: "{{ .Values.controller.name }}"
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
 spec:
-  {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
+{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
   # Alpha feature since k8s 1.12
   ttlSecondsAfterFinished: 0
-  {{- end }}
+{{- end }}
   template:
     metadata:
-      name: {{ template "nginx-ingress.fullname" . }}-admission-create
-{{- with .Values.controller.admissionWebhooks.patch.podAnnotations }}
-      annotations:
-{{ toYaml .  | indent 8 }}
-{{- end }}
+      name: {{ include "ingress-nginx.fullname" . }}-admission-create
+    {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
+      annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
+    {{- end }}
       labels:
-        app: {{ template "nginx-ingress.name" . }}
-        chart: {{ template "nginx-ingress.chart" . }}
-        component: "{{ .Values.controller.name }}"
-        heritage: {{ .Release.Service }}
-        release: {{ template "nginx-ingress.releaseLabel" . }}
+        {{- include "ingress-nginx.labels" . | nindent 8 }}
+        app.kubernetes.io/component: admission-webhook
     spec:
-      {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
+    {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
       priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
-      {{- end }}
+    {{- end }}
+    {{- if .Values.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
+    {{- end }}
       containers:
         - name: create
-          image: {{ template "system_default_registry" . }}{{ .Values.controller.admissionWebhooks.patch.image.repository }}:{{ .Values.controller.admissionWebhooks.patch.image.tag }}
+          {{- with .Values.controller.admissionWebhooks.patch.image }}
+          image: "{{ template "system_default_registry" . }}{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+          {{- end }}
           imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
           args:
             - create
-            - --host={{ template "nginx-ingress.controller.fullname" . }}-admission,{{ template "nginx-ingress.controller.fullname" . }}-admission.{{ .Release.Namespace }}.svc
-            - --namespace={{ .Release.Namespace }}
-            - --secret-name={{ template "nginx-ingress.fullname". }}-admission
+            - --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.$(POD_NAMESPACE).svc
+            - --namespace=$(POD_NAMESPACE)
+            - --secret-name={{ include "ingress-nginx.fullname" . }}-admission
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
       restartPolicy: OnFailure
-      serviceAccountName: {{ template "nginx-ingress.fullname" . }}-admission
-      {{- with .Values.controller.admissionWebhooks.patch.nodeSelector }}
-      nodeSelector:
-{{ toYaml . | indent 8 }}
-      {{- end }}
+      serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
+    {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
+      nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
+    {{- end }}
+    {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
+      tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
+    {{- end }}
       securityContext:
         runAsNonRoot: true
-        runAsUser: 2000
+        runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
 {{- end }}

charts/rke2-ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml

@@ -1,57 +1,62 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: {{ template "nginx-ingress.fullname" . }}-admission-patch
+  name: {{ include "ingress-nginx.fullname" . }}-admission-patch
   annotations:
     "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    component: "{{ .Values.controller.name }}"
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
 spec:
-  {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
+{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
   # Alpha feature since k8s 1.12
   ttlSecondsAfterFinished: 0
-  {{- end }}
+{{- end }}
   template:
     metadata:
-      name:   {{ template "nginx-ingress.fullname" . }}-admission-patch
-{{- with .Values.controller.admissionWebhooks.patch.podAnnotations }}
-      annotations:
-{{ toYaml .  | indent 8 }}
-{{- end }}
+      name: {{ include "ingress-nginx.fullname" . }}-admission-patch
+    {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
+      annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
+    {{- end }}
       labels:
-        app: {{ template "nginx-ingress.name" . }}
-        chart: {{ template "nginx-ingress.chart" . }}
-        component: "{{ .Values.controller.name }}"
-        heritage: {{ .Release.Service }}
-        release: {{ template "nginx-ingress.releaseLabel" . }}
+        {{- include "ingress-nginx.labels" . | nindent 8 }}
+        app.kubernetes.io/component: admission-webhook
     spec:
-      {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
+    {{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
       priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
-      {{- end }}
+    {{- end }}
+    {{- if .Values.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
+    {{- end }}
       containers:
         - name: patch
-          image: {{ template "system_default_registry" . }}{{ .Values.controller.admissionWebhooks.patch.image.repository }}:{{ .Values.controller.admissionWebhooks.patch.image.tag }}
-          imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.pullPolicy }}
+          {{- with .Values.controller.admissionWebhooks.patch.image }}
+          image: "{{ template "system_default_registry" . }}{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+          {{- end }}
+          imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
           args:
             - patch
-            - --webhook-name={{ template "nginx-ingress.fullname" . }}-admission
-            - --namespace={{ .Release.Namespace }}
+            - --webhook-name={{ include "ingress-nginx.fullname" . }}-admission
+            - --namespace=$(POD_NAMESPACE)
             - --patch-mutating=false
-            - --secret-name={{ template "nginx-ingress.fullname". }}-admission
+            - --secret-name={{ include "ingress-nginx.fullname" . }}-admission
             - --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }}
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
       restartPolicy: OnFailure
-      serviceAccountName: {{ template "nginx-ingress.fullname" . }}-admission
-      {{- with .Values.controller.admissionWebhooks.patch.nodeSelector }}
-      nodeSelector:
-{{ toYaml . | indent 8 }}
-      {{- end }}
+      serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
+    {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
+      nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
+    {{- end }}
+    {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
+      tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
+    {{- end }}
       securityContext:
         runAsNonRoot: true
-        runAsUser: 2000
+        runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
 {{- end }}

charts/rke2-ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml

@@ -1,17 +1,14 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled }}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
-  name: {{ template "nginx-ingress.fullname" . }}-admission
+  name: {{ include "ingress-nginx.fullname" . }}-admission
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    component: "{{ .Values.controller.name }}"
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
 spec:
   allowPrivilegeEscalation: false
   fsGroup:

charts/rke2-ingress-nginx/templates/admission-webhooks/job-patch/role.yaml

@@ -1,17 +1,14 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name:  {{ template "nginx-ingress.fullname" . }}-admission
+  name:  {{ include "ingress-nginx.fullname" . }}-admission
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    component: "{{ .Values.controller.name }}"
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
 rules:
   - apiGroups:
       - ""

charts/rke2-ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml

@@ -1,23 +1,20 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name:  {{ template "nginx-ingress.fullname" . }}-admission
+  name: {{ include "ingress-nginx.fullname" . }}-admission
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    component: "{{ .Values.controller.name }}"
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ template "nginx-ingress.fullname" . }}-admission
+  name: {{ include "ingress-nginx.fullname" . }}-admission
 subjects:
   - kind: ServiceAccount
-    name: {{ template "nginx-ingress.fullname" . }}-admission
+    name: {{ include "ingress-nginx.fullname" . }}-admission
     namespace: {{ .Release.Namespace }}
 {{- end }}

charts/rke2-ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml

@@ -1,15 +1,12 @@
-{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled }}
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name:  {{ template "nginx-ingress.fullname" . }}-admission
+  name: {{ include "ingress-nginx.fullname" . }}-admission
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    component: "{{ .Values.controller.name }}"
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
 {{- end }}

charts/rke2-ingress-nginx/templates/admission-webhooks/validating-webhook.yaml

@@ -1,31 +1,33 @@
-{{- if .Values.controller.admissionWebhooks.enabled }}
-apiVersion: admissionregistration.k8s.io/v1beta1
+{{- if .Values.controller.admissionWebhooks.enabled -}}
+# before changing this value, check the required kubernetes version
+# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
-    app: {{ template "nginx-ingress.name" . }}-admission
-    chart: {{ template "nginx-ingress.chart" . }}
-    component: "admission-webhook"
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
-  name: {{ template "nginx-ingress.fullname" . }}-admission
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+  name: {{ include "ingress-nginx.fullname" . }}-admission
 webhooks:
   - name: validate.nginx.ingress.kubernetes.io
     rules:
       - apiGroups:
-          - extensions
           - networking.k8s.io
         apiVersions:
           - v1beta1
+          - v1
         operations:
           - CREATE
           - UPDATE
         resources:
           - ingresses
     failurePolicy: Fail
+    sideEffects: None
+    admissionReviewVersions:
+      - v1beta1
     clientConfig:
       service:
         namespace: {{ .Release.Namespace }}
-        name: {{ template "nginx-ingress.controller.fullname" . }}-admission
-        path: /extensions/v1beta1/ingresses
+        name: {{ include "ingress-nginx.controller.fullname" . }}-admission
+        path: /networking/v1beta1/ingresses
 {{- end }}

charts/rke2-ingress-nginx/templates/clusterrole.yaml

@@ -1,13 +1,10 @@
-{{- if and (.Values.rbac.create) (not .Values.rbac.scope) -}}
+{{- if and .Values.rbac.create (not .Values.rbac.scope) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
-  name: {{ template "nginx-ingress.fullname" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+  name: {{ include "ingress-nginx.fullname" . }}
 rules:
   - apiGroups:
       - ""
@@ -68,4 +65,12 @@ rules:
       - ingresses/status
     verbs:
       - update
-{{- end -}}
+  - apiGroups:
+      - "networking.k8s.io" # k8s 1.14+
+    resources:
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+{{- end }}

charts/rke2-ingress-nginx/templates/clusterrolebinding.yaml

@@ -1,19 +1,16 @@
-{{- if and (.Values.rbac.create) (not .Values.rbac.scope) -}}
+{{- if and .Values.rbac.create (not .Values.rbac.scope) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
-  name: {{ template "nginx-ingress.fullname" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+  name: {{ include "ingress-nginx.fullname" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ template "nginx-ingress.fullname" . }}
+  name: {{ include "ingress-nginx.fullname" . }}
 subjects:
   - kind: ServiceAccount
-    name: {{ template "nginx-ingress.serviceAccountName" . }}
+    name: {{ template "ingress-nginx.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
-{{- end -}}
+{{- end }}

charts/rke2-ingress-nginx/templates/controller-configmap-addheaders.yaml

@@ -0,0 +1,10 @@
+{{- if .Values.controller.addHeaders -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+  name: {{ include "ingress-nginx.fullname" . }}-custom-add-headers
+data: {{ toYaml .Values.controller.addHeaders | nindent 2 }}
+{{- end }}

charts/rke2-ingress-nginx/templates/controller-configmap-proxyheaders.yaml

@@ -0,0 +1,15 @@
+{{- if or .Values.controller.proxySetHeaders .Values.controller.headers -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+  name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
+data:
+{{- if .Values.controller.proxySetHeaders }}
+{{ toYaml .Values.controller.proxySetHeaders | indent 2 }}
+{{ else if and .Values.controller.headers (not .Values.controller.proxySetHeaders) }}
+{{ toYaml .Values.controller.headers | indent 2 }}
+{{- end }}
+{{- end }}

charts/rke2-ingress-nginx/templates/controller-configmap-tcp.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.tcp -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+{{- if .Values.controller.tcp.annotations }}
+  annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }}
+{{- end }}
+  name: {{ include "ingress-nginx.fullname" . }}-tcp
+data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }}
+{{- end }}

charts/rke2-ingress-nginx/templates/controller-configmap-udp.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.udp -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+{{- if .Values.controller.udp.annotations }}
+  annotations: {{ toYaml .Values.controller.udp.annotations | nindent 4 }}
+{{- end }}
+  name: {{ include "ingress-nginx.fullname" . }}-udp
+data: {{ tpl (toYaml .Values.udp) . | nindent 2 }}
+{{- end }}

charts/rke2-ingress-nginx/templates/controller-configmap.yaml

@@ -1,22 +1,20 @@
-{{- if or .Values.controller.config (or (or .Values.controller.proxySetHeaders .Values.controller.headers) .Values.controller.addHeaders) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    component: "{{ .Values.controller.name }}"
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
-  name: {{ template "nginx-ingress.controller.fullname" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+{{- if .Values.controller.configAnnotations }}
+  annotations: {{ toYaml .Values.controller.configAnnotations | nindent 4 }}
+{{- end }}
+  name: {{ include "ingress-nginx.controller.fullname" . }}
 data:
 {{- if .Values.controller.addHeaders }}
-  add-headers: {{ .Release.Namespace }}/{{ template "nginx-ingress.fullname" . }}-custom-add-headers
+  add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
 {{- end }}
 {{- if or .Values.controller.proxySetHeaders .Values.controller.headers }}
-  proxy-set-headers: {{ .Release.Namespace }}/{{ template "nginx-ingress.fullname" . }}-custom-proxy-headers
+  proxy-set-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
 {{- end }}
 {{- if .Values.controller.config }}
-{{ toYaml .Values.controller.config | indent 2 }}
-{{- end }}
+  {{ toYaml .Values.controller.config | nindent 2 }}
 {{- end }}

charts/rke2-ingress-nginx/templates/controller-daemonset.yaml

@@ -1,106 +1,93 @@
-{{- if or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both") }}
-{{- $useHostPort := .Values.controller.daemonset.useHostPort -}}
-{{- $hostPorts := .Values.controller.daemonset.hostPorts -}}
-apiVersion: {{ template "deployment.apiVersion" . }}
+{{- if or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both") -}}
+{{- include  "isControllerTagValid" . -}}
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
-  name: {{ template "nginx-ingress.controller.fullname" . }}
-  annotations:    
-{{ toYaml .Values.controller.deploymentAnnotations | indent 4}}
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: {{ include "ingress-nginx.controller.fullname" . }}
+  {{- if .Values.controller.annotations }}
+  annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
+  {{- end }}
 spec:
   selector:
     matchLabels:
-      app: {{ template "nginx-ingress.name" . }}
-      release: {{ template "nginx-ingress.releaseLabel" . }}
-    {{- if .Values.controller.useComponentLabel }}
+      {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
       app.kubernetes.io/component: controller
-    {{- end }}
   revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
-  updateStrategy:
-{{ toYaml .Values.controller.updateStrategy | indent 4 }}
+  {{- if .Values.controller.updateStrategy }}
+  updateStrategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
+  {{- end }}
   minReadySeconds: {{ .Values.controller.minReadySeconds }}
   template:
     metadata:
-      {{- if .Values.controller.podAnnotations }}
-      annotations:
-      {{- range $key, $value := .Values.controller.podAnnotations }}
-        {{ $key }}: {{ $value | quote }}
-      {{- end }}
-      {{- end }}
+    {{- if .Values.controller.podAnnotations }}
+      annotations: {{ toYaml .Values.controller.podAnnotations | nindent 8 }}
+    {{- end }}
       labels:
-        app: {{ template "nginx-ingress.name" . }}
-        release: {{ template "nginx-ingress.releaseLabel" . }}
-        component: "{{ .Values.controller.name }}"
+        {{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
         app.kubernetes.io/component: controller
-        {{- if .Values.controller.podLabels }}
-{{ toYaml .Values.controller.podLabels | indent 8}}
-        {{- end }}
+      {{- if .Values.controller.podLabels }}
+        {{- toYaml .Values.controller.podLabels | nindent 8 }}
+      {{- end }}
     spec:
-{{- if .Values.controller.dnsConfig }}
-      dnsConfig:
-{{ toYaml .Values.controller.dnsConfig | indent 8 }}
-{{- end }}
+    {{- if .Values.controller.dnsConfig }}
+      dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }}
+    {{- end }}
       dnsPolicy: {{ .Values.controller.dnsPolicy }}
-      {{- if .Values.imagePullSecrets }}
-      imagePullSecrets:
-{{ toYaml .Values.imagePullSecrets | indent 8 }}
-      {{- end }}
-{{- if .Values.controller.priorityClassName }}
-      priorityClassName: "{{ .Values.controller.priorityClassName }}"
-{{- end }}
-      {{- if .Values.controller.podSecurityContext }}
+    {{- if .Values.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
+    {{- end }}
+    {{- if .Values.controller.priorityClassName }}
+      priorityClassName: {{ .Values.controller.priorityClassName }}
+    {{- end }}
+    {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
       securityContext:
-{{ toYaml .Values.controller.podSecurityContext | indent 8 }}
-      {{- end }}
+    {{- end }}
+    {{- if .Values.controller.podSecurityContext  }}
+        {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
+    {{- end }}
+    {{- if .Values.controller.sysctls }}
+        sysctls:
+    {{- range $sysctl, $value := .Values.controller.sysctls }}
+        - name: {{ $sysctl | quote }}
+          value: {{ $value | quote }}
+    {{- end }}
+    {{- end }}
       containers:
-        - name: {{ template "nginx-ingress.name" . }}-{{ .Values.controller.name }}
-          image: {{ template "system_default_registry" . }}{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}
-          imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}"
-          {{- if .Values.controller.lifecycle }}
-          lifecycle:
-{{ toYaml .Values.controller.lifecycle | indent 12 }}
+        - name: controller
+          {{- with .Values.controller.image }}
+          image: "{{ template "system_default_registry" . }}{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
           {{- end }}
+          imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
+        {{- if .Values.controller.lifecycle }}
+          lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
+        {{- end }}
           args:
             - /nginx-ingress-controller
           {{- if .Values.defaultBackend.enabled }}
-            - --default-backend-service={{ .Release.Namespace }}/{{ template "nginx-ingress.defaultBackend.fullname" . }}
-          {{- else }}
-            {{- if (semverCompare "<0.21.0" .Values.controller.image.tag) }}
-            - --default-backend-service={{ required ".Values.controller.defaultBackendService is required if .Values.defaultBackend.enabled=false and .Values.controller.image.tag < 0.21.0" .Values.controller.defaultBackendService }}
-            {{- else if .Values.controller.defaultBackendService }}
-            - --default-backend-service={{ .Values.controller.defaultBackendService }}
-            {{- end }}
+            - --default-backend-service={{ .Release.Namespace }}/{{ include "ingress-nginx.defaultBackend.fullname" . }}
           {{- end }}
-          {{- if and (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) .Values.controller.publishService.enabled }}
-            - --publish-service={{ template "nginx-ingress.controller.publishServicePath" . }}
+          {{- if .Values.controller.publishService.enabled }}
+            - --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }}
           {{- end }}
-          {{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }}
             - --election-id={{ .Values.controller.electionID }}
-          {{- end }}
-          {{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }}
             - --ingress-class={{ .Values.controller.ingressClass }}
-          {{- end }}
-          {{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }}
-            - --configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.controller.fullname" . }}
-          {{- else }}
-            - --nginx-configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.controller.fullname" . }}
-          {{- end }}
+            - --configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . }}
           {{- if .Values.tcp }}
-            - --tcp-services-configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.fullname" . }}-tcp
+            - --tcp-services-configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-tcp
           {{- end }}
           {{- if .Values.udp }}
-            - --udp-services-configmap={{ .Release.Namespace }}/{{ template "nginx-ingress.fullname" . }}-udp
+            - --udp-services-configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-udp
           {{- end }}
           {{- if .Values.controller.scope.enabled }}
             - --watch-namespace={{ default .Release.Namespace .Values.controller.scope.namespace }}
           {{- end }}
-          {{- if and (.Values.controller.reportNodeInternalIp) (.Values.controller.hostNetwork)}}
+          {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }}
             - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }}
           {{- end }}
           {{- if .Values.controller.admissionWebhooks.enabled }}
@@ -111,14 +98,17 @@ spec:
           {{- if .Values.controller.maxmindLicenseKey }}
             - --maxmind-license-key={{ .Values.controller.maxmindLicenseKey }}
           {{- end }}
+          {{- if not (eq .Values.controller.healthCheckPath "/healthz") }}
+            - --health-check-path={{ .Values.controller.healthCheckPath }}
+          {{- end }}
           {{- range $key, $value := .Values.controller.extraArgs }}
-            {{- if $value }}
-            - --{{ $key }}={{ $value }}
-            {{- else }}
+            {{- /* Accept keys without values or with false as value */}}
+            {{- if eq ($value | quote | len) 2 }}
             - --{{ $key }}
+            {{- else }}
+            - --{{ $key }}={{ $value }}
             {{- end }}
           {{- end }}
-          {{- if (semverCompare ">=0.16.0" .Values.controller.image.tag) }}
           securityContext:
             capabilities:
                 drop:
@@ -127,7 +117,6 @@ spec:
                 - NET_BIND_SERVICE
             runAsUser: {{ .Values.controller.image.runAsUser }}
             allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
-          {{- end }}
           env:
             - name: POD_NAME
               valueFrom:
@@ -137,8 +126,12 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          {{- if .Values.controller.enableMimalloc }}
+            - name: LD_PRELOAD
+              value: /usr/local/lib/libmimalloc.so
+          {{- end }}
           {{- if .Values.controller.extraEnvs }}
-{{ toYaml .Values.controller.extraEnvs | indent 12 }}
+            {{- toYaml .Values.controller.extraEnvs | nindent 12 }}
           {{- end }}
           livenessProbe:
             httpGet:
@@ -150,13 +143,23 @@ spec:
             timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }}
             successThreshold: {{ .Values.controller.livenessProbe.successThreshold }}
             failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }}
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: {{ .Values.controller.readinessProbe.port }}
+              scheme: HTTP
+            initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.controller.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
           ports:
           {{- range $key, $value := .Values.controller.containerPort }}
             - name: {{ $key }}
               containerPort: {{ $value }}
               protocol: TCP
-              {{- if $useHostPort }}
-              hostPort: {{ index $hostPorts $key | default $value }}
+              {{- if $.Values.controller.hostPort.enabled }}
+              hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }}
               {{- end }}
           {{- end }}
           {{- if .Values.controller.metrics.enabled }}
@@ -170,88 +173,80 @@ spec:
               protocol: TCP
           {{- end }}
           {{- range $key, $value := .Values.tcp }}
-            - name: "{{ $key }}-tcp"
+            - name: {{ $key }}-tcp
               containerPort: {{ $key }}
               protocol: TCP
-              {{- if $useHostPort }}
+              {{- if $.Values.controller.hostPort.enabled }}
               hostPort: {{ $key }}
               {{- end }}
           {{- end }}
           {{- range $key, $value := .Values.udp }}
-            - name: "{{ $key }}-udp"
+            - name: {{ $key }}-udp
               containerPort: {{ $key }}
               protocol: UDP
-              {{- if $useHostPort }}
+              {{- if $.Values.controller.hostPort.enabled }}
               hostPort: {{ $key }}
               {{- end }}
           {{- end }}
-          readinessProbe:
-            httpGet:
-              path: /healthz
-              port: {{ .Values.controller.readinessProbe.port }}
-              scheme: HTTP
-            initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }}
-            periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }}
-            timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }}
-            successThreshold: {{ .Values.controller.readinessProbe.successThreshold }}
-            failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
-{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }}
+        {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }}
           volumeMounts:
-{{- end }}
-{{- if .Values.controller.customTemplate.configMapName }}
+          {{- if .Values.controller.customTemplate.configMapName }}
             - mountPath: /etc/nginx/template
               name: nginx-template-volume
               readOnly: true
-{{- end }}
-{{- if .Values.controller.admissionWebhooks.enabled }}
+          {{- end }}
+          {{- if .Values.controller.admissionWebhooks.enabled }}
             - name: webhook-cert
-              mountPath: "/usr/local/certificates/"
+              mountPath: /usr/local/certificates/
               readOnly: true
-{{- end }}
-{{- if .Values.controller.extraVolumeMounts }}
-{{ toYaml .Values.controller.extraVolumeMounts | indent 12}}
-{{- end }}
-          resources:
-{{ toYaml .Values.controller.resources | indent 12 }}
-{{- if .Values.controller.extraContainers }}
-{{ toYaml .Values.controller.extraContainers | indent 8}}
-{{- end }}
-{{- if .Values.controller.extraInitContainers }}
-      initContainers:
-{{ toYaml .Values.controller.extraInitContainers | indent 8}}
-{{- end }}
+          {{- end }}
+          {{- if .Values.controller.extraVolumeMounts }}
+            {{- toYaml .Values.controller.extraVolumeMounts | nindent 12 }}
+          {{- end }}
+        {{- end }}
+        {{- if .Values.controller.resources }}
+          resources: {{ toYaml .Values.controller.resources | nindent 12 }}
+        {{- end }}
+      {{- if .Values.controller.extraContainers }}
+        {{ toYaml .Values.controller.extraContainers | nindent 8 }}
+      {{- end }}
+    {{- if .Values.controller.extraInitContainers }}
+      initContainers: {{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
+    {{- end }}
+    {{- if .Values.controller.hostNetwork }}
       hostNetwork: {{ .Values.controller.hostNetwork }}
+    {{- end }}
     {{- if .Values.controller.nodeSelector }}
-      nodeSelector:
-{{ toYaml .Values.controller.nodeSelector | indent 8 }}
+      nodeSelector: {{ toYaml .Values.controller.nodeSelector | nindent 8 }}
     {{- end }}
     {{- if .Values.controller.tolerations }}
-      tolerations:
-{{ toYaml .Values.controller.tolerations | indent 8 }}
+      tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }}
     {{- end }}
     {{- if .Values.controller.affinity }}
-      affinity:
-{{ toYaml .Values.controller.affinity | indent 8 }}
+      affinity: {{ toYaml .Values.controller.affinity | nindent 8 }}
     {{- end }}
-      serviceAccountName: {{ template "nginx-ingress.serviceAccountName" . }}
-      terminationGracePeriodSeconds: 60
-{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }}
+    {{- if .Values.controller.topologySpreadConstraints }}
+      topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }}
+    {{- end }}
+      serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
+      terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
+    {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }}
       volumes:
-{{- end }}
-{{- if .Values.controller.customTemplate.configMapName }}
+      {{- if .Values.controller.customTemplate.configMapName }}
         - name: nginx-template-volume
           configMap:
             name: {{ .Values.controller.customTemplate.configMapName }}
             items:
             - key: {{ .Values.controller.customTemplate.configMapKey }}
               path: nginx.tmpl
-{{- end }}
-{{- if .Values.controller.admissionWebhooks.enabled }}
+      {{- end }}
+      {{- if .Values.controller.admissionWebhooks.enabled }}
         - name: webhook-cert
           secret:
-            secretName: {{ template "nginx-ingress.fullname". }}-admission
-{{- end }}
-{{- if .Values.controller.extraVolumes }}
-{{ toYaml .Values.controller.extraVolumes | indent 8}}
-{{- end }}
+            secretName: {{ include "ingress-nginx.fullname" . }}-admission
+      {{- end }}
+      {{- if .Values.controller.extraVolumes }}
+        {{ toYaml .Values.controller.extraVolumes | nindent 8 }}
+      {{- end }}
+    {{- end }}
 {{- end }}

charts/rke2-ingress-nginx/templates/controller-deployment.yaml

@@ -1,113 +1,97 @@
-{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") }}
-apiVersion: {{ template "deployment.apiVersion" . }}
+{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") -}}
+{{- include  "isControllerTagValid" . -}}
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
-    {{- if .Values.controller.deploymentLabels }}
-{{ toYaml .Values.controller.deploymentLabels | indent 4 }}
+    {{- with .Values.controller.labels }}
+    {{- toYaml . | nindent 4 }}
     {{- end }}
-  name: {{ template "nginx-ingress.controller.fullname" . }}
-  annotations:
-{{ toYaml .Values.controller.deploymentAnnotations | indent 4}}
+  name: {{ include "ingress-nginx.controller.fullname" . }}
+  {{- if .Values.controller.annotations }}
+  annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
+  {{- end }}
 spec:
   selector:
     matchLabels:
-      app: {{ template "nginx-ingress.name" . }}
-      release: {{ template "nginx-ingress.releaseLabel" . }}
-    {{- if .Values.controller.useComponentLabel }}
+      {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
       app.kubernetes.io/component: controller
-    {{- end }}
-{{- if not .Values.controller.autoscaling.enabled }}
+  {{- if not .Values.controller.autoscaling.enabled }}
   replicas: {{ .Values.controller.replicaCount }}
-{{- end }}
+  {{- end }}
   revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+  {{- if .Values.controller.updateStrategy }}
   strategy:
-{{ toYaml .Values.controller.updateStrategy | indent 4 }}
+    {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
+  {{- end }}
   minReadySeconds: {{ .Values.controller.minReadySeconds }}
   template:
     metadata:
-      {{- if .Values.controller.podAnnotations }}
-      annotations:
-      {{- range $key, $value := .Values.controller.podAnnotations }}
-        {{ $key }}: {{ $value | quote }}
-      {{- end }}
-      {{- end }}
+    {{- if .Values.controller.podAnnotations }}
+      annotations: {{ toYaml .Values.controller.podAnnotations | nindent 8 }}
+    {{- end }}
       labels:
-        app: {{ template "nginx-ingress.name" . }}
-        release: {{ template "nginx-ingress.releaseLabel" . }}
-        component: "{{ .Values.controller.name }}"
+        {{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
         app.kubernetes.io/component: controller
-        {{- if .Values.controller.podLabels }}
-{{ toYaml .Values.controller.podLabels | indent 8 }}
-        {{- end }}
+      {{- if .Values.controller.podLabels }}
+        {{- toYaml .Values.controller.podLabels | nindent 8 }}
+      {{- end }}
     spec:
-{{- if .Values.controller.dnsConfig }}
-      dnsConfig:
-{{ toYaml .Values.controller.dnsConfig | indent 8 }}
-{{- end }}
+    {{- if .Values.controller.dnsConfig }}
+      dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }}
+    {{- end }}
       dnsPolicy: {{ .Values.controller.dnsPolicy }}
-      {{- if .Values.imagePullSecrets }}
-      imagePullSecrets:
-{{ toYaml .Values.imagePullSecrets | indent 8 }}
-      {{- end }}
-{{- if .Values.controller.priorityClassName }}
-      priorityClassName: "{{ .Values.controller.priorityClassName }}"
-{{- end }}
-      {{- if .Values.controller.podSecurityContext }}
+    {{- if .Values.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
+    {{- end }}
+    {{- if .Values.controller.priorityClassName }}
+      priorityClassName: {{ .Values.controller.priorityClassName }}
+    {{- end }}
+    {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
       securityContext:
-{{ toYaml .Values.controller.podSecurityContext | indent 8 }}
-      {{- end }}
+    {{- end }}
+    {{- if .Values.controller.podSecurityContext }}
+        {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
+    {{- end }}
+    {{- if .Values.controller.sysctls }}
+        sysctls:
+    {{- range $sysctl, $value := .Values.controller.sysctls }}
+        - name: {{ $sysctl | quote }}
+          value: {{ $value | quote }}
+    {{- end }}
+    {{- end }}
       containers:
-        - name: {{ template "nginx-ingress.name" . }}-{{ .Values.controller.name }}
-          image: {{ template "system_default_registry" . }}{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}
-          imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}"
-          {{- if .Values.controller.lifecycle }}
-          lifecycle:
-{{ toYaml .Values.controller.lifecycle | indent 12 }}
+        - name: controller
+          {{- with .Values.controller.image }}
+          image: "{{ template "system_default_registry" . }}{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
           {{- end }}
+          imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
+        {{- if .Values.controller.lifecycle }}
+          lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
+        {{- end }}
           args:
             - /nginx-ingress-controller
           {{- if .Values.defaultBackend.enabled }}
-            - --default-backend-service={{ .Release.Namespace }}/{{ template "nginx-ingress.defaultBackend.fullname" . }}
-          {{- else }}
-            {{- if (semverCompare "<0.21.0" .Values.controller.image.tag) }}
-            - --default-backend-service={{ required ".Values.controller.defaultBackendService is required if .Values.defaultBackend.enabled=false and .Values.controller.image.tag < 0.21.0" .Values.controller.defaultBackendService }}
-            {{- else if .Values.controller.defaultBackendService }}
-            - --default-backend-service={{ .Values.controller.defaultBackendService }}
-            {{- end }}
+            - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }}
           {{- end }}
-          {{- if and (semverCompare ">=0.9.0-beta.1" (trimPrefix "nginx-" .Values.controller.image.tag)) .Values.controller.publishService.enabled }}
-            - --publish-service={{ template "nginx-ingress.controller.publishServicePath" . }}
+          {{- if .Values.controller.publishService.enabled }}
+            - --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }}
           {{- end }}
-          {{- if (semverCompare ">=0.9.0-beta.1" (trimPrefix "nginx-" .Values.controller.image.tag)) }}
             - --election-id={{ .Values.controller.electionID }}
-          {{- end }}
-          {{- if (semverCompare ">=0.9.0-beta.1" (trimPrefix "nginx-" .Values.controller.image.tag)) }}
             - --ingress-class={{ .Values.controller.ingressClass }}
-          {{- end }}
-          {{- if (semverCompare ">=0.9.0-beta.1" (trimPrefix "nginx-" .Values.controller.image.tag)) }}
-            - --configmap={{ default .Release.Namespace .Values.controller.configMapNamespace }}/{{ template "nginx-ingress.controller.fullname" . }}
-          {{- else }}
-            - --nginx-configmap={{ default .Release.Namespace .Values.controller.configMapNamespace }}/{{ template "nginx-ingress.controller.fullname" . }}
-          {{- end }}
+            - --configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.controller.fullname" . }}
           {{- if .Values.tcp }}
-            - --tcp-services-configmap={{ default .Release.Namespace .Values.controller.tcp.configMapNamespace }}/{{ template "nginx-ingress.fullname" . }}-tcp
+            - --tcp-services-configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.fullname" . }}-tcp
           {{- end }}
           {{- if .Values.udp }}
-            - --udp-services-configmap={{ default .Release.Namespace .Values.controller.udp.configMapNamespace }}/{{ template "nginx-ingress.fullname" . }}-udp
+            - --udp-services-configmap=$(POD_NAMESPACE)/{{ include "ingress-nginx.fullname" . }}-udp
           {{- end }}
           {{- if .Values.controller.scope.enabled }}
-            - --watch-namespace={{ default .Release.Namespace .Values.controller.scope.namespace }}
+            - --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }}
           {{- end }}
-          {{- if and (.Values.controller.scope.enabled) (.Values.rbac.scope) }}
-            - --update-status=false
-          {{- end }}
-          {{- if and (.Values.controller.reportNodeInternalIp) (.Values.controller.hostNetwork) }}
+          {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }}
             - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }}
           {{- end }}
           {{- if .Values.controller.admissionWebhooks.enabled }}
@@ -118,14 +102,17 @@ spec:
           {{- if .Values.controller.maxmindLicenseKey }}
             - --maxmind-license-key={{ .Values.controller.maxmindLicenseKey }}
           {{- end }}
+          {{- if not (eq .Values.controller.healthCheckPath "/healthz") }}
+            - --health-check-path={{ .Values.controller.healthCheckPath }}
+          {{- end }}
           {{- range $key, $value := .Values.controller.extraArgs }}
-            {{- if $value }}
-            - --{{ $key }}={{ $value }}
-            {{- else }}
+            {{- /* Accept keys without values or with false as value */}}
+            {{- if eq ($value | quote | len) 2 }}
             - --{{ $key }}
+            {{- else }}
+            - --{{ $key }}={{ $value }}
             {{- end }}
           {{- end }}
-          {{- if (semverCompare ">=0.16.0" (trimPrefix "nginx-" .Values.controller.image.tag)) }}
           securityContext:
             capabilities:
                 drop:
@@ -134,7 +121,6 @@ spec:
                 - NET_BIND_SERVICE
             runAsUser: {{ .Values.controller.image.runAsUser }}
             allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
-          {{- end }}
           env:
             - name: POD_NAME
               valueFrom:
@@ -144,12 +130,16 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          {{- if .Values.controller.enableMimalloc }}
+            - name: LD_PRELOAD
+              value: /usr/local/lib/libmimalloc.so
+          {{- end }}
           {{- if .Values.controller.extraEnvs }}
-{{ toYaml .Values.controller.extraEnvs | indent 12 }}
+            {{- toYaml .Values.controller.extraEnvs | nindent 12 }}
           {{- end }}
           livenessProbe:
             httpGet:
-              path: /healthz
+              path: {{ .Values.controller.healthCheckPath }}
               port: {{ .Values.controller.livenessProbe.port }}
               scheme: HTTP
             initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }}
@@ -157,11 +147,24 @@ spec:
             timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }}
             successThreshold: {{ .Values.controller.livenessProbe.successThreshold }}
             failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }}
+          readinessProbe:
+            httpGet:
+              path: {{ .Values.controller.healthCheckPath }}
+              port: {{ .Values.controller.readinessProbe.port }}
+              scheme: HTTP
+            initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.controller.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
           ports:
           {{- range $key, $value := .Values.controller.containerPort }}
             - name: {{ $key }}
               containerPort: {{ $value }}
               protocol: TCP
+              {{- if $.Values.controller.hostPort.enabled }}
+              hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }}
+              {{- end }}
           {{- end }}
           {{- if .Values.controller.metrics.enabled }}
             - name: metrics
@@ -174,82 +177,80 @@ spec:
               protocol: TCP
           {{- end }}
           {{- range $key, $value := .Values.tcp }}
-            - name: "{{ $key }}-tcp"
+            - name: {{ $key }}-tcp
               containerPort: {{ $key }}
               protocol: TCP
+              {{- if $.Values.controller.hostPort.enabled }}
+              hostPort: {{ $key }}
+              {{- end }}
           {{- end }}
           {{- range $key, $value := .Values.udp }}
-            - name: "{{ $key }}-udp"
+            - name: {{ $key }}-udp
               containerPort: {{ $key }}
               protocol: UDP
+              {{- if $.Values.controller.hostPort.enabled }}
+              hostPort: {{ $key }}
+              {{- end }}
           {{- end }}
-          readinessProbe:
-            httpGet:
-              path: /healthz
-              port: {{ .Values.controller.readinessProbe.port }}
-              scheme: HTTP
-            initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }}
-            periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }}
-            timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }}
-            successThreshold: {{ .Values.controller.readinessProbe.successThreshold }}
-            failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
-{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }}
+        {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }}
           volumeMounts:
-{{- end }}
-{{- if .Values.controller.customTemplate.configMapName }}
+          {{- if .Values.controller.customTemplate.configMapName }}
             - mountPath: /etc/nginx/template
               name: nginx-template-volume
               readOnly: true
-{{- end }}
-{{- if .Values.controller.admissionWebhooks.enabled }}
+          {{- end }}
+          {{- if .Values.controller.admissionWebhooks.enabled }}
             - name: webhook-cert
-              mountPath: "/usr/local/certificates/"
+              mountPath: /usr/local/certificates/
               readOnly: true
-{{- end }}
-{{- if .Values.controller.extraVolumeMounts }}
-{{ toYaml .Values.controller.extraVolumeMounts | indent 12}}
-{{- end }}
-          resources:
-{{ toYaml .Values.controller.resources | indent 12 }}
-{{- if .Values.controller.extraContainers }}
-{{ toYaml .Values.controller.extraContainers | indent 8}}
-{{- end }}
-{{- if .Values.controller.extraInitContainers }}
-      initContainers:
-{{ toYaml .Values.controller.extraInitContainers | indent 8}}
-{{- end }}
+          {{- end }}
+          {{- if .Values.controller.extraVolumeMounts }}
+            {{- toYaml .Values.controller.extraVolumeMounts | nindent 12 }}
+          {{- end }}
+        {{- end }}
+        {{- if .Values.controller.resources }}
+          resources: {{ toYaml .Values.controller.resources | nindent 12 }}
+        {{- end }}
+      {{- if .Values.controller.extraContainers }}
+        {{ toYaml .Values.controller.extraContainers | nindent 8 }}
+      {{- end }}
+    {{- if .Values.controller.extraInitContainers }}
+      initContainers: {{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
+    {{- end }}
+    {{- if .Values.controller.hostNetwork }}
       hostNetwork: {{ .Values.controller.hostNetwork }}
+    {{- end }}
     {{- if .Values.controller.nodeSelector }}
-      nodeSelector:
-{{ toYaml .Values.controller.nodeSelector | indent 8 }}
+      nodeSelector: {{ toYaml .Values.controller.nodeSelector | nindent 8 }}
     {{- end }}
     {{- if .Values.controller.tolerations }}
-      tolerations:
-{{ toYaml .Values.controller.tolerations | indent 8 }}
+      tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }}
     {{- end }}
     {{- if .Values.controller.affinity }}
-      affinity:
-{{ toYaml .Values.controller.affinity | indent 8 }}
+      affinity: {{ toYaml .Values.controller.affinity | nindent 8 }}
     {{- end }}
-      serviceAccountName: {{ template "nginx-ingress.serviceAccountName" . }}
+    {{- if .Values.controller.topologySpreadConstraints }}
+      topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }}
+    {{- end }}
+      serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
       terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
-{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }}
+    {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }}
       volumes:
-{{- end }}
-{{- if .Values.controller.customTemplate.configMapName }}
+      {{- if .Values.controller.customTemplate.configMapName }}
         - name: nginx-template-volume
           configMap:
             name: {{ .Values.controller.customTemplate.configMapName }}
             items:
             - key: {{ .Values.controller.customTemplate.configMapKey }}
               path: nginx.tmpl
-{{- end }}
-{{- if .Values.controller.admissionWebhooks.enabled }}
+      {{- end }}
+      {{- if .Values.controller.admissionWebhooks.enabled }}
         - name: webhook-cert
           secret:
-            secretName: {{ template "nginx-ingress.fullname". }}-admission
-{{- end }}
-{{- if .Values.controller.extraVolumes }}
-{{ toYaml .Values.controller.extraVolumes | indent 8}}
-{{- end }}
+            secretName: {{ include "ingress-nginx.fullname" . }}-admission
+      {{- end }}
+      {{- if .Values.controller.extraVolumes }}
+        {{ toYaml .Values.controller.extraVolumes | nindent 8 }}
+      {{- end }}
+    {{- end }}
 {{- end }}

charts/rke2-ingress-nginx/templates/controller-hpa.yaml

@@ -1,34 +1,36 @@
-{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") }}
-{{- if .Values.controller.autoscaling.enabled }}
-apiVersion: autoscaling/v2beta1
+{{- if and .Values.controller.autoscaling.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}}
+apiVersion: autoscaling/v2beta2
 kind: HorizontalPodAutoscaler
 metadata:
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    component: "{{ .Values.controller.name }}"
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
-  name: {{ template "nginx-ingress.controller.fullname" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+  name: {{ include "ingress-nginx.controller.fullname" . }}
 spec:
   scaleTargetRef:
-    apiVersion: {{ template "deployment.apiVersion" . }}
+    apiVersion: apps/v1
     kind: Deployment
-    name: {{ template "nginx-ingress.controller.fullname" . }}
+    name: {{ include "ingress-nginx.controller.fullname" . }}
   minReplicas: {{ .Values.controller.autoscaling.minReplicas }}
   maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }}
   metrics:
-{{- with .Values.controller.autoscaling.targetCPUUtilizationPercentage }}
-    - type: Resource
-      resource:
-        name: cpu
-        targetAverageUtilization: {{ . }}
-{{- end }}
-{{- with .Values.controller.autoscaling.targetMemoryUtilizationPercentage }}
-    - type: Resource
-      resource:
-        name: memory
-        targetAverageUtilization: {{ . }}
-{{- end }}
-{{- end }}
+  {{- with .Values.controller.autoscaling.targetCPUUtilizationPercentage }}
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ . }}
+  {{- end }}
+  {{- with .Values.controller.autoscaling.targetMemoryUtilizationPercentage }}
+  - type: Resource 
+    resource: 
+      name: memory 
+      target:
+        type: Utilization
+        averageUtilization: {{ . }}
+  {{- end }}
+  {{- with .Values.controller.autoscalingTemplate }}
+{{- toYaml . | nindent 2 }}
+  {{- end }}
 {{- end }}

charts/rke2-ingress-nginx/templates/controller-poddisruptionbudget.yaml

@@ -1,19 +1,15 @@
-{{- if or (and .Values.controller.autoscaling.enabled (gt (.Values.controller.autoscaling.minReplicas | int) 1)) (gt (.Values.controller.replicaCount | int) 1) }}
+{{- if or (and .Values.controller.autoscaling.enabled (gt (.Values.controller.autoscaling.minReplicas | int) 1)) (gt (.Values.controller.replicaCount | int) 1) -}}
 apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
 metadata:
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
-  name: {{ template "nginx-ingress.controller.fullname" . }}
+  name: {{ include "ingress-nginx.controller.fullname" . }}
 spec:
   selector:
     matchLabels:
-      app: {{ template "nginx-ingress.name" . }}
-      release: {{ template "nginx-ingress.releaseLabel" . }}
+      {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
       app.kubernetes.io/component: controller
   minAvailable: {{ .Values.controller.minAvailable }}
 {{- end }}

charts/rke2-ingress-nginx/templates/controller-prometheusrules.yaml

@@ -1,24 +1,21 @@
-{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.prometheusRule.enabled }}
+{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.prometheusRule.enabled -}}
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
-  name: {{ template "nginx-ingress.controller.fullname" . }}
-  {{- if .Values.controller.metrics.prometheusRule.namespace }}
+  name: {{ include "ingress-nginx.controller.fullname" . }}
+{{- if .Values.controller.metrics.prometheusRule.namespace }}
   namespace: {{ .Values.controller.metrics.prometheusRule.namespace }}
-  {{- end }}
-  labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    component: "{{ .Values.controller.name }}"
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
-    {{- if .Values.controller.metrics.prometheusRule.additionalLabels }}
-{{ toYaml .Values.controller.metrics.prometheusRule.additionalLabels | indent 4 }}
-    {{- end }}
-spec:
-  {{- with .Values.controller.metrics.prometheusRule.rules }}
-  groups:
-  - name: {{ template "nginx-ingress.name" $ }}
-    rules: {{- toYaml . | nindent 4 }}
-  {{- end }}
+{{- end }}
+  labels:
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+  {{- if .Values.controller.metrics.prometheusRule.additionalLabels }}
+    {{- toYaml .Values.controller.metrics.prometheusRule.additionalLabels | nindent 4 }}
+  {{- end }}
+spec:
+{{- if .Values.controller.metrics.prometheusRule.rules }}
+  groups:
+  - name: {{ template "ingress-nginx.name" . }}
+    rules: {{- toYaml .Values.controller.metrics.prometheusRule.rules | nindent 4 }}
+{{- end }}
 {{- end }}

charts/rke2-ingress-nginx/templates/controller-psp.yaml

@@ -1,27 +1,33 @@
-{{- if .Values.podSecurityPolicy.enabled}}
-apiVersion: {{ template "podSecurityPolicy.apiVersion" . }}
+{{- if .Values.podSecurityPolicy.enabled -}}
+apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
-  name: {{ template "nginx-ingress.fullname" . }}
+  name: {{ include "ingress-nginx.fullname" . }}
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
 spec:
   allowedCapabilities:
     - NET_BIND_SERVICE
+{{- if .Values.controller.sysctls }}
+  allowedUnsafeSysctls:
+  {{- range $sysctl, $value := .Values.controller.sysctls }}
+  - {{ $sysctl }}
+  {{- end }}
+{{- end }}
   privileged: false
   allowPrivilegeEscalation: true
   # Allow core volume types.
   volumes:
     - 'configMap'
     #- 'emptyDir'
-    - 'projected'
+    #- 'projected'
     - 'secret'
     #- 'downwardAPI'
+{{- if .Values.controller.hostNetwork }}
   hostNetwork: {{ .Values.controller.hostNetwork }}
-{{- if or .Values.controller.hostNetwork .Values.controller.daemonset.useHostPort }}
+{{- end }}
+{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
   hostPorts:
 {{- if .Values.controller.hostNetwork }}
 {{- range $key, $value := .Values.controller.containerPort }}
@@ -29,8 +35,8 @@ spec:
   - min: {{ $value }}
     max: {{ $value }}
 {{- end }}
-{{- else if .Values.controller.daemonset.useHostPort }}
-{{- range $key, $value := .Values.controller.daemonset.hostPorts }}
+{{- else if .Values.controller.hostPort.enabled }}
+{{- range $key, $value := .Values.controller.hostPort.ports }}
   # {{ $key }}
   - min: {{ $value }}
     max: {{ $value }}

charts/rke2-ingress-nginx/templates/controller-role.yaml

@@ -3,11 +3,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
-  name: {{ template "nginx-ingress.fullname" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+  name: {{ include "ingress-nginx.fullname" . }}
 rules:
   - apiGroups:
       - ""
@@ -51,6 +49,14 @@ rules:
       - ingresses/status
     verbs:
       - update
+  - apiGroups:
+      - "networking.k8s.io" # k8s 1.14+
+    resources:
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
   - apiGroups:
       - ""
     resources:
@@ -82,10 +88,9 @@ rules:
       - create
       - patch
 {{- if .Values.podSecurityPolicy.enabled }}
-  - apiGroups:      ['{{ template "podSecurityPolicy.apiGroup" . }}']
+  - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
     resources:      ['podsecuritypolicies']
     verbs:          ['use']
-    resourceNames:  [{{ template "nginx-ingress.fullname" . }}]
+    resourceNames:  [{{ include "ingress-nginx.fullname" . }}]
+{{- end }}
 {{- end }}
-
-{{- end -}}

charts/rke2-ingress-nginx/templates/controller-rolebinding.yaml

@@ -3,17 +3,15 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
-  name: {{ template "nginx-ingress.fullname" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+  name: {{ include "ingress-nginx.fullname" . }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ template "nginx-ingress.fullname" . }}
+  name: {{ include "ingress-nginx.fullname" . }}
 subjects:
   - kind: ServiceAccount
-    name: {{ template "nginx-ingress.serviceAccountName" . }}
+    name: {{ template "ingress-nginx.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
-{{- end -}}
+{{- end }}

charts/rke2-ingress-nginx/templates/controller-service-internal.yaml

@@ -0,0 +1,44 @@
+{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations}}
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+  {{- range $key, $value := .Values.controller.service.internal.annotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  labels:
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+  {{- if .Values.controller.service.labels }}
+    {{- toYaml .Values.controller.service.labels | nindent 4 }}
+  {{- end }}
+  name: {{ include "ingress-nginx.controller.fullname" . }}-internal
+spec:
+  type: "{{ .Values.controller.service.type }}"
+{{- if .Values.controller.service.internal.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.controller.service.internal.externalTrafficPolicy }}
+{{- end }}
+  ports:
+  {{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }}
+  {{- if .Values.controller.service.enableHttp }}
+    - name: http
+      port: {{ .Values.controller.service.ports.http }}
+      protocol: TCP
+      targetPort: {{ .Values.controller.service.targetPorts.http }}
+    {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
+      nodePort: {{ .Values.controller.service.nodePorts.http }}
+    {{- end }}
+  {{- end }}
+  {{- if .Values.controller.service.enableHttps }}
+    - name: https
+      port: {{ .Values.controller.service.ports.https }}
+      protocol: TCP
+      targetPort: {{ .Values.controller.service.targetPorts.https }}
+    {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}
+      nodePort: {{ .Values.controller.service.nodePorts.https }}
+    {{- end }}
+  {{- end }}
+  selector:
+    {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+{{- end }}

charts/rke2-ingress-nginx/templates/controller-service-metrics.yaml

@@ -0,0 +1,43 @@
+{{- if .Values.controller.metrics.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Values.controller.metrics.service.annotations }}
+  annotations: {{ toYaml .Values.controller.metrics.service.annotations | nindent 4 }}
+{{- end }}
+  labels:
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+  {{- if .Values.controller.metrics.service.labels }}
+    {{- toYaml .Values.controller.metrics.service.labels | nindent 4 }}
+  {{- end }}
+  name: {{ include "ingress-nginx.controller.fullname" . }}-metrics
+spec:
+  type: {{ .Values.controller.metrics.service.type }}
+{{- if .Values.controller.metrics.service.clusterIP }}
+  clusterIP: {{ .Values.controller.metrics.service.clusterIP }}
+{{- end }}
+{{- if .Values.controller.metrics.service.externalIPs }}
+  externalIPs: {{ toYaml .Values.controller.metrics.service.externalIPs | nindent 4 }}
+{{- end }}
+{{- if .Values.controller.metrics.service.loadBalancerIP }}
+  loadBalancerIP: {{ .Values.controller.metrics.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.controller.metrics.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges: {{ toYaml .Values.controller.metrics.service.loadBalancerSourceRanges | nindent 4 }}
+{{- end }}
+{{- if .Values.controller.metrics.service.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.controller.metrics.service.externalTrafficPolicy }}
+{{- end }}
+  ports:
+    - name: metrics
+      port: {{ .Values.controller.metrics.service.servicePort }}
+      targetPort: metrics
+    {{- $setNodePorts := (or (eq .Values.controller.metrics.service.type "NodePort") (eq .Values.controller.metrics.service.type "LoadBalancer")) }}
+    {{- if (and $setNodePorts (not (empty .Values.controller.metrics.service.nodePort))) }}
+      nodePort: {{ .Values.controller.metrics.service.nodePort }}
+    {{- end }}
+  selector:
+    {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+{{- end }}

charts/rke2-ingress-nginx/templates/controller-service-webhook.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.controller.admissionWebhooks.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Values.controller.admissionWebhooks.service.annotations }}
+  annotations: {{ toYaml .Values.controller.admissionWebhooks.service.annotations | nindent 4 }}
+{{- end }}
+  labels:
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+  name: {{ include "ingress-nginx.controller.fullname" . }}-admission
+spec:
+  type: {{ .Values.controller.admissionWebhooks.service.type }}
+{{- if .Values.controller.admissionWebhooks.service.clusterIP }}
+  clusterIP: {{ .Values.controller.admissionWebhooks.service.clusterIP }}
+{{- end }}
+{{- if .Values.controller.admissionWebhooks.service.externalIPs }}
+  externalIPs: {{ toYaml .Values.controller.admissionWebhooks.service.externalIPs | nindent 4 }}
+{{- end }}
+{{- if .Values.controller.admissionWebhooks.service.loadBalancerIP }}
+  loadBalancerIP: {{ .Values.controller.admissionWebhooks.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.controller.admissionWebhooks.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges: {{ toYaml .Values.controller.admissionWebhooks.service.loadBalancerSourceRanges | nindent 4 }}
+{{- end }}
+  ports:
+    - name: https-webhook
+      port: 443
+      targetPort: webhook
+  selector:
+    {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+{{- end }}

charts/rke2-ingress-nginx/templates/controller-service.yaml

@@ -1,94 +1,83 @@
-{{- if .Values.controller.service.enabled }}
+{{- if .Values.controller.service.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:
 {{- if .Values.controller.service.annotations }}
-  annotations:
-  {{- range $key, $value := .Values.controller.service.annotations }}
-    {{ $key }}: {{ $value | quote }}
-  {{- end }}
+  annotations: {{ toYaml .Values.controller.service.annotations | nindent 4 }}
 {{- end }}
   labels:
-{{- if .Values.controller.service.labels }}
-{{ toYaml .Values.controller.service.labels | indent 4 }}
-{{- end }}
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    component: "{{ .Values.controller.name }}"
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
-  name: {{ template "nginx-ingress.controller.fullname" . }}
-spec:
-{{- if not .Values.controller.service.omitClusterIP }}
-  {{- with .Values.controller.service.clusterIP }}
-  clusterIP: {{ if eq "-" . }}""{{ else }}{{ . | quote }}{{ end }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+  {{- if .Values.controller.service.labels }}
+    {{- toYaml .Values.controller.service.labels | nindent 4 }}
   {{- end }}
+  name: {{ include "ingress-nginx.controller.fullname" . }}
+spec:
+  type: {{ .Values.controller.service.type }}
+{{- if .Values.controller.service.clusterIP }}
+  clusterIP: {{ .Values.controller.service.clusterIP }}
 {{- end }}
 {{- if .Values.controller.service.externalIPs }}
-  externalIPs:
-{{ toYaml .Values.controller.service.externalIPs | indent 4 }}
+  externalIPs: {{ toYaml .Values.controller.service.externalIPs | nindent 4 }}
 {{- end }}
 {{- if .Values.controller.service.loadBalancerIP }}
-  loadBalancerIP: "{{ .Values.controller.service.loadBalancerIP }}"
+  loadBalancerIP: {{ .Values.controller.service.loadBalancerIP }}
 {{- end }}
 {{- if .Values.controller.service.loadBalancerSourceRanges }}
-  loadBalancerSourceRanges:
-{{ toYaml .Values.controller.service.loadBalancerSourceRanges | indent 4 }}
+  loadBalancerSourceRanges: {{ toYaml .Values.controller.service.loadBalancerSourceRanges | nindent 4 }}
 {{- end }}
-{{- if and (semverCompare ">=1.7-0" .Capabilities.KubeVersion.GitVersion) (.Values.controller.service.externalTrafficPolicy) }}
-  externalTrafficPolicy: "{{ .Values.controller.service.externalTrafficPolicy }}"
+{{- if .Values.controller.service.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }}
 {{- end }}
 {{- if .Values.controller.service.sessionAffinity }}
-  sessionAffinity: "{{ .Values.controller.service.sessionAffinity }}"
+  sessionAffinity: {{ .Values.controller.service.sessionAffinity }}
 {{- end }}
-{{- if and (semverCompare ">=1.7-0" .Capabilities.KubeVersion.GitVersion) (.Values.controller.service.healthCheckNodePort) }}
+{{- if .Values.controller.service.healthCheckNodePort }}
   healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }}
 {{- end }}
   ports:
-    {{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }}
-    {{- if .Values.controller.service.enableHttp }}
+  {{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }}
+  {{- if .Values.controller.service.enableHttp }}
     - name: http
       port: {{ .Values.controller.service.ports.http }}
       protocol: TCP
       targetPort: {{ .Values.controller.service.targetPorts.http }}
-      {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
+    {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
       nodePort: {{ .Values.controller.service.nodePorts.http }}
-      {{- end }}
     {{- end }}
-    {{- if .Values.controller.service.enableHttps }}
+  {{- end }}
+  {{- if .Values.controller.service.enableHttps }}
     - name: https
       port: {{ .Values.controller.service.ports.https }}
       protocol: TCP
       targetPort: {{ .Values.controller.service.targetPorts.https }}
-      {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}
+    {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}
       nodePort: {{ .Values.controller.service.nodePorts.https }}
-      {{- end }}
     {{- end }}
+  {{- end }}
   {{- range $key, $value := .Values.tcp }}
-    - name: "{{ $key }}-tcp"
+    - name: {{ $key }}-tcp
       port: {{ $key }}
       protocol: TCP
-      targetPort: "{{ $key }}-tcp"
-     {{- if $.Values.controller.service.nodePorts.tcp }}
-      {{- if index $.Values.controller.service.nodePorts.tcp $key }}
+      targetPort: {{ $key }}-tcp
+    {{- if $.Values.controller.service.nodePorts.tcp }}
+    {{- if index $.Values.controller.service.nodePorts.tcp $key }}
       nodePort: {{ index $.Values.controller.service.nodePorts.tcp $key }}
-      {{- end }}
-     {{- end }}
+    {{- end }}
+    {{- end }}
   {{- end }}
   {{- range $key, $value := .Values.udp }}
-    - name: "{{ $key }}-udp"
+    - name: {{ $key }}-udp
       port: {{ $key }}
       protocol: UDP
-      targetPort: "{{ $key }}-udp"
-     {{- if $.Values.controller.service.nodePorts.udp }}
-      {{- if index $.Values.controller.service.nodePorts.udp $key }}
+      targetPort: {{ $key }}-udp
+    {{- if $.Values.controller.service.nodePorts.udp }}
+    {{- if index $.Values.controller.service.nodePorts.udp $key }}
       nodePort: {{ index $.Values.controller.service.nodePorts.udp $key }}
-      {{- end }}
-     {{- end }}
+    {{- end }}
+    {{- end }}
   {{- end }}
   selector:
-    app: {{ template "nginx-ingress.name" . }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
+    {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
     app.kubernetes.io/component: controller
-  type: "{{ .Values.controller.service.type }}"
 {{- end }}

charts/rke2-ingress-nginx/templates/controller-serviceaccount.yaml

@@ -3,9 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
-  name: {{ template "nginx-ingress.serviceAccountName" . }}
-{{- end -}}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+  name: {{ template "ingress-nginx.serviceAccountName" . }}
+{{- end }}

charts/rke2-ingress-nginx/templates/controller-servicemonitor.yaml

@@ -1,38 +1,42 @@
-{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled }}
+{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled -}}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
-  name: {{ template "nginx-ingress.controller.fullname" . }}
-  {{- if .Values.controller.metrics.serviceMonitor.namespace }}
+  name: {{ include "ingress-nginx.controller.fullname" . }}
+{{- if .Values.controller.metrics.serviceMonitor.namespace }}
   namespace: {{ .Values.controller.metrics.serviceMonitor.namespace }}
-  {{- end }}
+{{- end }}
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    component: "{{ .Values.controller.name }}"
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
-    {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }}
-{{ toYaml .Values.controller.metrics.serviceMonitor.additionalLabels | indent 4 }}
-    {{- end }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: controller
+  {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }}
+    {{- toYaml .Values.controller.metrics.serviceMonitor.additionalLabels | nindent 4 }}
+  {{- end }}
 spec:
   endpoints:
     - port: metrics
       interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }}
-      {{- if .Values.controller.metrics.serviceMonitor.honorLabels }}
+    {{- if .Values.controller.metrics.serviceMonitor.honorLabels }}
       honorLabels: true
-      {{- end }}
-  {{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }}
-  namespaceSelector:
-{{ toYaml .Values.controller.metrics.serviceMonitor.namespaceSelector | indent 4 -}}
-  {{ else }}
+    {{- end }}
+    {{- if .Values.controller.metrics.serviceMonitor.metricRelabelings }}
+      metricRelabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.metricRelabelings | nindent 8 }}
+    {{- end }}
+{{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }}
+  namespaceSelector: {{ toYaml .Values.controller.metrics.serviceMonitor.namespaceSelector | nindent 4 }}
+{{ else }}
   namespaceSelector:
     matchNames:
       - {{ .Release.Namespace }}
+{{- end }}
+{{- if .Values.controller.metrics.serviceMonitor.targetLabels }}
+  targetLabels:
+  {{- range .Values.controller.metrics.serviceMonitor.targetLabels }}
+    - {{ . }}
   {{- end }}
+{{- end }}
   selector:
     matchLabels:
-      app: {{ template "nginx-ingress.name" . }}
-      component: "{{ .Values.controller.name }}"
-      release: {{ template "nginx-ingress.releaseLabel" . }}
+      {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: controller
 {{- end }}

charts/rke2-ingress-nginx/templates/default-backend-deployment.yaml

@@ -1,72 +1,61 @@
-{{- if .Values.defaultBackend.enabled }}
-apiVersion: {{ template "deployment.apiVersion" . }}
+{{- if .Values.defaultBackend.enabled -}}
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
-    {{- if .Values.defaultBackend.deploymentLabels }}
-{{ toYaml .Values.defaultBackend.deploymentLabels | indent 4 }}
-    {{- end }}
-  name: {{ template "nginx-ingress.defaultBackend.fullname" . }}
+  name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
 spec:
   selector:
     matchLabels:
-      app: {{ template "nginx-ingress.name" . }}
-      release: {{ template "nginx-ingress.releaseLabel" . }}
-    {{- if .Values.defaultBackend.useComponentLabel }}
+      {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
       app.kubernetes.io/component: default-backend
-    {{- end }}
   replicas: {{ .Values.defaultBackend.replicaCount }}
   revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
   template:
     metadata:
     {{- if .Values.defaultBackend.podAnnotations }}
-      annotations:
-      {{- range $key, $value := .Values.defaultBackend.podAnnotations }}
-        {{ $key }}: {{ $value | quote }}
-      {{- end }}
+      annotations: {{ toYaml .Values.defaultBackend.podAnnotations | nindent 8 }}
     {{- end }}
       labels:
-        app: {{ template "nginx-ingress.name" . }}
-        release: {{ template "nginx-ingress.releaseLabel" . }}
+        {{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
         app.kubernetes.io/component: default-backend
-        {{- if .Values.defaultBackend.podLabels }}
-{{ toYaml .Values.defaultBackend.podLabels | indent 8 }}
-        {{- end }}
+      {{- if .Values.defaultBackend.podLabels }}
+        {{- toYaml .Values.defaultBackend.podLabels | nindent 8 }}
+      {{- end }}
     spec:
-      {{- if .Values.imagePullSecrets }}
-      imagePullSecrets:
-{{ toYaml .Values.imagePullSecrets | indent 8 }}
-      {{- end }}
-{{- if .Values.defaultBackend.priorityClassName }}
-      priorityClassName: "{{ .Values.defaultBackend.priorityClassName }}"
-{{- end }}
-      {{- if .Values.defaultBackend.podSecurityContext }}
-      securityContext:
-{{ toYaml .Values.defaultBackend.podSecurityContext | indent 8 }}
-      {{- end }}
+    {{- if .Values.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
+    {{- end }}
+    {{- if .Values.defaultBackend.priorityClassName }}
+      priorityClassName: {{ .Values.defaultBackend.priorityClassName }}
+    {{- end }}
+    {{- if .Values.defaultBackend.podSecurityContext }}
+      securityContext: {{ toYaml .Values.defaultBackend.podSecurityContext | nindent 8 }}
+    {{- end }}
       containers:
-        - name: {{ template "nginx-ingress.name" . }}-{{ .Values.defaultBackend.name }}
-          image:  {{ template "system_default_registry" . }}{{ .Values.defaultBackend.image.repository }}:{{ .Values.defaultBackend.image.tag }}
-          imagePullPolicy: "{{ .Values.defaultBackend.image.pullPolicy }}"
+        - name: {{ template "ingress-nginx.name" . }}-default-backend
+          {{- with .Values.defaultBackend.image }}
+          image: "{{ template "system_default_registry" . }}{{.repository}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}"
+          {{- end }}
+          imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }}
+        {{- if .Values.defaultBackend.extraArgs }}
           args:
           {{- range $key, $value := .Values.defaultBackend.extraArgs }}
-            {{- if $value }}
-            - --{{ $key }}={{ $value }}
-            {{- else }}
+            {{- /* Accept keys without values or with false as value */}}
+            {{- if eq ($value | quote | len) 2 }}
             - --{{ $key }}
+            {{- else }}
+            - --{{ $key }}={{ $value }}
             {{- end }}
           {{- end }}
+        {{- end }}
           securityContext:
             runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
-          {{- if .Values.defaultBackend.extraEnvs }}
-          env:
-{{ toYaml .Values.defaultBackend.extraEnvs | indent 12 }}
-          {{- end }}
+        {{- if .Values.defaultBackend.extraEnvs }}
+          env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }}
+        {{- end }}
           livenessProbe:
             httpGet:
               path: /healthz
@@ -91,20 +80,18 @@ spec:
             - name: http
               containerPort: {{ .Values.defaultBackend.port }}
               protocol: TCP
-          resources:
-{{ toYaml .Values.defaultBackend.resources | indent 12 }}
+        {{- if .Values.defaultBackend.resources }}
+          resources: {{ toYaml .Values.defaultBackend.resources | nindent 12 }}
+        {{- end }}
     {{- if .Values.defaultBackend.nodeSelector }}
-      nodeSelector:
-{{ toYaml .Values.defaultBackend.nodeSelector | indent 8 }}
+      nodeSelector: {{ toYaml .Values.defaultBackend.nodeSelector | nindent 8 }}
     {{- end }}
-      serviceAccountName: {{ template "nginx-ingress.defaultBackend.serviceAccountName" . }}
+      serviceAccountName: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
     {{- if .Values.defaultBackend.tolerations }}
-      tolerations:
-{{ toYaml .Values.defaultBackend.tolerations | indent 8 }}
+      tolerations: {{ toYaml .Values.defaultBackend.tolerations | nindent 8 }}
     {{- end }}
     {{- if .Values.defaultBackend.affinity }}
-      affinity:
-{{ toYaml .Values.defaultBackend.affinity | indent 8 }}
+      affinity: {{ toYaml .Values.defaultBackend.affinity | nindent 8 }}
     {{- end }}
       terminationGracePeriodSeconds: 60
 {{- end }}

charts/rke2-ingress-nginx/templates/default-backend-poddisruptionbudget.yaml

@@ -1,19 +1,15 @@
-{{- if gt (.Values.defaultBackend.replicaCount | int) 1 }}
+{{- if gt (.Values.defaultBackend.replicaCount | int) 1 -}}
 apiVersion: policy/v1beta1
 kind: PodDisruptionBudget
 metadata:
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
-  name: {{ template "nginx-ingress.defaultBackend.fullname" . }}
+  name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
 spec:
   selector:
     matchLabels:
-      app: {{ template "nginx-ingress.name" . }}
-      release: {{ template "nginx-ingress.releaseLabel" . }}
+      {{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
       app.kubernetes.io/component: default-backend
   minAvailable: {{ .Values.defaultBackend.minAvailable }}
 {{- end }}

charts/rke2-ingress-nginx/templates/default-backend-psp.yaml

@@ -1,13 +1,11 @@
 {{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}}
-apiVersion: {{ template "podSecurityPolicy.apiVersion" . }}
+apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
-  name: {{ template "nginx-ingress.fullname" . }}-backend
+  name: {{ include "ingress-nginx.fullname" . }}-backend
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: default-backend
 spec:
   allowPrivilegeEscalation: false
   fsGroup:
@@ -32,4 +30,4 @@ spec:
   - projected
   - secret
   - downwardAPI
-{{- end -}}
+{{- end }}

charts/rke2-ingress-nginx/templates/default-backend-role.yaml

@@ -3,14 +3,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
-  name: {{ template "nginx-ingress.fullname" . }}-backend
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: default-backend
+  name: {{ include "ingress-nginx.fullname" . }}-backend
 rules:
-  - apiGroups:      ['{{ template "podSecurityPolicy.apiGroup" . }}']
+  - apiGroups:      [{{ template "podSecurityPolicy.apiGroup" . }}]
     resources:      ['podsecuritypolicies']
     verbs:          ['use']
-    resourceNames:  [{{ template "nginx-ingress.fullname" . }}-backend]
-{{- end -}}
+    resourceNames:  [{{ include "ingress-nginx.fullname" . }}-backend]
+{{- end }}

charts/rke2-ingress-nginx/templates/default-backend-rolebinding.yaml

@@ -3,17 +3,15 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
-  name: {{ template "nginx-ingress.fullname" . }}-backend
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: default-backend
+  name: {{ include "ingress-nginx.fullname" . }}-backend
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ template "nginx-ingress.fullname" . }}-backend
+  name: {{ include "ingress-nginx.fullname" . }}-backend
 subjects:
   - kind: ServiceAccount
-    name: {{ template "nginx-ingress.defaultBackend.serviceAccountName" . }}
+    name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
-{{- end -}}
+{{- end }}

charts/rke2-ingress-nginx/templates/default-backend-service.yaml

@@ -1,36 +1,27 @@
-{{- if .Values.defaultBackend.enabled }}
+{{- if .Values.defaultBackend.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:
 {{- if .Values.defaultBackend.service.annotations }}
-  annotations:
-  {{- range $key, $value := .Values.defaultBackend.service.annotations }}
-    {{ $key }}: {{ $value | quote }}
-  {{- end }}
+  annotations: {{ toYaml .Values.defaultBackend.service.annotations | nindent 4 }}
 {{- end }}
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    component: "{{ .Values.defaultBackend.name }}"
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
-  name: {{ template "nginx-ingress.defaultBackend.fullname" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: default-backend
+  name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
 spec:
-{{- if not .Values.defaultBackend.service.omitClusterIP }}
-  {{- with .Values.defaultBackend.service.clusterIP }}
-  clusterIP: {{ if eq "-" . }}""{{ else }}{{ . | quote }}{{ end }}
-  {{- end }}
+  type: {{ .Values.defaultBackend.service.type }}
+{{- if .Values.defaultBackend.service.clusterIP }}
+  clusterIP: {{ .Values.defaultBackend.service.clusterIP }}
 {{- end }}
 {{- if .Values.defaultBackend.service.externalIPs }}
-  externalIPs:
-{{ toYaml .Values.defaultBackend.service.externalIPs | indent 4 }}
+  externalIPs: {{ toYaml .Values.defaultBackend.service.externalIPs | nindent 4 }}
 {{- end }}
 {{- if .Values.defaultBackend.service.loadBalancerIP }}
-  loadBalancerIP: "{{ .Values.defaultBackend.service.loadBalancerIP }}"
+  loadBalancerIP: {{ .Values.defaultBackend.service.loadBalancerIP }}
 {{- end }}
 {{- if .Values.defaultBackend.service.loadBalancerSourceRanges }}
-  loadBalancerSourceRanges:
-{{ toYaml .Values.defaultBackend.service.loadBalancerSourceRanges | indent 4 }}
+  loadBalancerSourceRanges: {{ toYaml .Values.defaultBackend.service.loadBalancerSourceRanges | nindent 4 }}
 {{- end }}
   ports:
     - name: http
@@ -38,8 +29,6 @@ spec:
       protocol: TCP
       targetPort: http
   selector:
-    app: {{ template "nginx-ingress.name" . }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
+    {{- include "ingress-nginx.selectorLabels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
-  type: "{{ .Values.defaultBackend.service.type }}"
 {{- end }}

charts/rke2-ingress-nginx/templates/default-backend-serviceaccount.yaml

@@ -1,11 +1,9 @@
-{{- if and .Values.defaultBackend.enabled  .Values.defaultBackend.serviceAccount.create }}
+{{- if and .Values.defaultBackend.enabled  .Values.defaultBackend.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    app: {{ template "nginx-ingress.name" . }}
-    chart: {{ template "nginx-ingress.chart" . }}
-    heritage: {{ .Release.Service }}
-    release: {{ template "nginx-ingress.releaseLabel" . }}
-  name: {{ template "nginx-ingress.defaultBackend.serviceAccountName" . }}
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: default-backend
+  name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
 {{- end }}

charts/rke2-ingress-nginx/values.yaml

@@ -2,20 +2,15 @@
 ## Ref: https://github.com/kubernetes/ingress/blob/master/controllers/nginx/configuration.md
 ##
 controller:
-  name: controller
   image:
     repository: rancher/nginx-ingress-controller
-    tag: "nginx-0.30.0-rancher1"
+    tag: "nginx-0.35.0-rancher2"
+    digest: sha256:fc4979d8b8443a831c9789b5155cded454cb7de737a8b727bc2ba0106d2eae8b
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
     allowPrivilegeEscalation: true
 
-  # This will fix the issue of HPA not being able to read the metrics.
-  # Note that if you enable it for existing deployments, it won't work as the labels are immutable.
-  # We recommend setting this to true for new deployments.
-  useComponentLabel: false
-
   # Configures the ports the nginx-controller listens on
   containerPort:
     http: 80
@@ -24,9 +19,9 @@ controller:
   # Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
   config: {}
 
-  # Maxmind license key to download GeoLite2 Databases
-  # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases
-  maxmindLicenseKey: ""
+  ## Annotations to be added to the controller config configuration configmap
+  ##
+  configAnnotations: {}
 
   # Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers
   proxySetHeaders: {}
@@ -34,11 +29,6 @@ controller:
   # Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers
   addHeaders: {}
 
-  # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
-  # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
-  # is merged
-  hostNetwork: true
-
   # Optionally customize the pod dnsConfig.
   dnsConfig: {}
 
@@ -51,19 +41,20 @@ controller:
   # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply
   reportNodeInternalIp: false
 
-  ## Use host ports 80 and 443
-  daemonset:
-    useHostPort: false
+  # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
+  # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
+  # is merged
+  hostNetwork: true
 
-    hostPorts:
+  ## Use host ports 80 and 443
+  ## Disabled by default
+  ##
+  hostPort:
+    enabled: false
+    ports:
       http: 80
       https: 443
 
-  ## Required only if defaultBackend.enabled = false
-  ## Must be <namespace>/<service_name>
-  ##
-  defaultBackendService: ""
-
   ## Election ID to use for status update
   ##
   electionID: ingress-controller-leader
@@ -72,23 +63,27 @@ controller:
   ##
   ingressClass: nginx
 
-  # labels to add to the deployment metadata
-  deploymentLabels: {}
-
   # labels to add to the pod container metadata
   podLabels: {}
   #  key: value
 
   ## Security Context policies for controller pods
-  ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
-  ## notes on enabling and using sysctls
   ##
   podSecurityContext: {}
 
-  ## Allows customization of the external service
-  ## the ingress will be bound to via DNS
+  ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
+  ## notes on enabling and using sysctls
+  ###
+  sysctls: {}
+  # sysctls:
+  #   "net.core.somaxconn": "8192"
+
+  ## Allows customization of the source of the IP address or FQDN to report
+  ## in the ingress status field. By default, it reads the information provided
+  ## by the service. If disable, the status field reports the IP address of the
+  ## node or nodes where an ingress controller pod is running.
   publishService:
-    enabled: false
+    enabled: true
     ## Allows overriding of the publish service to bind to
     ## Must be <namespace>/<service_name>
     ##
@@ -104,15 +99,19 @@ controller:
   ##
   configMapNamespace: ""   # defaults to .Release.Namespace
 
-  ## Allows customization of the tcp-services-configmap namespace
+  ## Allows customization of the tcp-services-configmap
   ##
   tcp:
     configMapNamespace: ""   # defaults to .Release.Namespace
+    ## Annotations to be added to the tcp config configmap
+    annotations: {}
 
-  ## Allows customization of the udp-services-configmap namespace
+  ## Allows customization of the udp-services-configmap
   ##
   udp:
     configMapNamespace: ""   # defaults to .Release.Namespace
+    ## Annotations to be added to the udp config configmap
+    annotations: {}
 
   ## Additional command line arguments to pass to nginx-ingress-controller
   ## E.g. to specify the default SSL certificate you can use
@@ -133,9 +132,17 @@ controller:
   ##
   kind: Deployment
 
-  ## Annotations to be added to the controller deployment
+  ## Annotations to be added to the controller Deployment or DaemonSet
   ##
-  deploymentAnnotations: {}
+  annotations: {}
+  #  keel.sh/pollSchedule: "@every 60m"
+
+  ## Labels to be added to the controller Deployment or DaemonSet
+  ##
+  labels: {}
+  #  keel.sh/policy: patch
+  #  keel.sh/trigger: poll
+
 
   # The update strategy to apply to the Deployment or DaemonSet
   ##
@@ -169,10 +176,18 @@ controller:
     #     podAffinityTerm:
     #       labelSelector:
     #         matchExpressions:
-    #         - key: app
+    #         - key: app.kubernetes.io/name
     #           operator: In
     #           values:
-    #           - nginx-ingress
+    #           - ingress-nginx
+    #         - key: app.kubernetes.io/instance
+    #           operator: In
+    #           values:
+    #           - ingress-nginx
+    #         - key: app.kubernetes.io/component
+    #           operator: In
+    #           values:
+    #           - controller
     #       topologyKey: kubernetes.io/hostname
 
     # # An example of required pod anti-affinity
@@ -180,15 +195,35 @@ controller:
     #   requiredDuringSchedulingIgnoredDuringExecution:
     #   - labelSelector:
     #       matchExpressions:
-    #       - key: app
+    #       - key: app.kubernetes.io/name
     #         operator: In
     #         values:
-    #         - nginx-ingress
+    #         - ingress-nginx
+    #       - key: app.kubernetes.io/instance
+    #         operator: In
+    #         values:
+    #         - ingress-nginx
+    #       - key: app.kubernetes.io/component
+    #         operator: In
+    #         values:
+    #         - controller
     #     topologyKey: "kubernetes.io/hostname"
 
-  ## terminationGracePeriodSeconds
+  ## Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
+  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
   ##
-  terminationGracePeriodSeconds: 60
+  topologySpreadConstraints: []
+    # - maxSkew: 1
+    #   topologyKey: failure-domain.beta.kubernetes.io/zone
+    #   whenUnsatisfiable: DoNotSchedule
+    #   labelSelector:
+    #     matchLabels:
+    #       app.kubernetes.io/instance: ingress-nginx-internal
+
+  ## terminationGracePeriodSeconds
+  ## wait up to five minutes for the drain of connections
+  ##
+  terminationGracePeriodSeconds: 300
 
   ## Node labels for controller pod assignment
   ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
@@ -199,7 +234,7 @@ controller:
   ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
   ##
   livenessProbe:
-    failureThreshold: 3
+    failureThreshold: 5
     initialDelaySeconds: 10
     periodSeconds: 10
     successThreshold: 1
@@ -213,6 +248,10 @@ controller:
     timeoutSeconds: 1
     port: 10254
 
+  # Path of the health check endpoint. All requests received on the port defined by
+  # the healthz-port parameter are forwarded internally to this path.
+  healthCheckPath: "/healthz"
+
   ## Annotations to be added to controller pods
   ##
   podAnnotations: {}
@@ -221,21 +260,41 @@ controller:
 
   minAvailable: 1
 
-  resources: {}
+  # Define requests resources to avoid probe issues due to CPU utilization in busy nodes
+  # ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903
+  # Ideally, there should be no limits.
+  # https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/
+  resources:
   #  limits:
   #    cpu: 100m
-  #    memory: 64Mi
-  #  requests:
-  #    cpu: 100m
-  #    memory: 64Mi
+  #    memory: 90Mi
+    requests:
+      cpu: 100m
+      memory: 90Mi
 
   autoscaling:
     enabled: false
-    minReplicas: 2
+    minReplicas: 1
     maxReplicas: 11
     targetCPUUtilizationPercentage: 50
     targetMemoryUtilizationPercentage: 50
 
+  autoscalingTemplate: []
+  # Custom or additional autoscaling metrics
+  # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics
+  # - type: Pods
+  #   pods:
+  #     metric:
+  #       name: nginx_ingress_controller_nginx_process_requests_total
+  #     target:
+  #       type: AverageValue
+  #       averageValue: 10000m
+
+  ## Enable mimalloc as a drop-in replacement for malloc.
+  ## ref: https://github.com/microsoft/mimalloc
+  ##
+  enableMimalloc: true
+
   ## Override NGINX template
   customTemplate:
     configMapName: ""
@@ -246,8 +305,6 @@ controller:
 
     annotations: {}
     labels: {}
-    ## Deprecated, instead simply do not provide a clusterIP value
-    omitClusterIP: false
     # clusterIP: ""
 
     ## List of IP addresses at which the controller services are available
@@ -255,7 +312,7 @@ controller:
     ##
     externalIPs: []
 
-    loadBalancerIP: ""
+    # loadBalancerIP: ""
     loadBalancerSourceRanges: []
 
     enableHttp: true
@@ -264,13 +321,16 @@ controller:
     ## Set external traffic policy to: "Local" to preserve source IP on
     ## providers supporting it
     ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
-    externalTrafficPolicy: ""
+    # externalTrafficPolicy: ""
 
     # Must be either "None" or "ClientIP" if set. Kubernetes will default to "None".
     # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
-    sessionAffinity: ""
+    # sessionAffinity: ""
 
-    healthCheckNodePort: 0
+    # specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified,
+    # the service controller allocates a port from your cluster’s NodePort range.
+    # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+    # healthCheckNodePort: 0
 
     ports:
       http: 80
@@ -294,6 +354,17 @@ controller:
       tcp: {}
       udp: {}
 
+    ## Enables an additional internal load balancer (besides the external one).
+    ## Annotations are mandatory for the load balancer to come up. Varies with the cloud service.
+    internal:
+      enabled: false
+      annotations: {}
+
+      ## Set external traffic policy to: "Local" to preserve source IP on
+      ## providers supporting it
+      ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
+      # externalTrafficPolicy: ""
+
   extraContainers: []
   ## Additional containers to be added to the controller pod.
   ## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example.
@@ -335,17 +406,15 @@ controller:
   #   command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']
 
   admissionWebhooks:
-    enabled: false
+    enabled: true
     failurePolicy: Fail
     port: 8443
 
     service:
       annotations: {}
-      ## Deprecated, instead simply do not provide a clusterIP value
-      omitClusterIP: false
       # clusterIP: ""
       externalIPs: []
-      loadBalancerIP: ""
+      # loadBalancerIP: ""
       loadBalancerSourceRanges: []
       servicePort: 443
       type: ClusterIP
@@ -353,14 +422,16 @@ controller:
     patch:
       enabled: true
       image:
-        repository: jettech/kube-webhook-certgen
-        tag: v1.0.0
+        repository: docker.io/jettech/kube-webhook-certgen
+        tag: v1.3.0
         pullPolicy: IfNotPresent
       ## Provide a priority class name to the webhook patching job
       ##
       priorityClassName: ""
       podAnnotations: {}
       nodeSelector: {}
+      tolerations: []
+      runAsUser: 2000
 
   metrics:
     port: 10254
@@ -372,8 +443,6 @@ controller:
       # prometheus.io/scrape: "true"
       # prometheus.io/port: "10254"
 
-      ## Deprecated, instead simply do not provide a clusterIP value
-      omitClusterIP: false
       # clusterIP: ""
 
       ## List of IP addresses at which the stats-exporter service is available
@@ -381,10 +450,12 @@ controller:
       ##
       externalIPs: []
 
-      loadBalancerIP: ""
+      # loadBalancerIP: ""
       loadBalancerSourceRanges: []
       servicePort: 9913
       type: ClusterIP
+      # externalTrafficPolicy: ""
+      # nodePort: ""
 
     serviceMonitor:
       enabled: false
@@ -397,32 +468,60 @@ controller:
       #   any: true
       scrapeInterval: 30s
       # honorLabels: true
+      targetLabels: []
+      metricRelabelings: []
 
     prometheusRule:
       enabled: false
       additionalLabels: {}
-      namespace: ""
+      # namespace: ""
       rules: []
         # # These are just examples rules, please adapt them to your needs
-        # - alert: TooMany500s
+        # - alert: NGINXConfigFailed
+        #   expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0
+        #   for: 1s
+        #   labels:
+        #     severity: critical
+        #   annotations:
+        #     description: bad ingress config - nginx config test failed
+        #     summary: uninstall the latest ingress changes to allow config reloads to resume
+        # - alert: NGINXCertificateExpiry
+        #   expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800
+        #   for: 1s
+        #   labels:
+        #     severity: critical
+        #   annotations:
+        #     description: ssl certificate(s) will expire in less then a week
+        #     summary: renew expiring certificates to avoid downtime
+        # - alert: NGINXTooMany500s
         #   expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5
         #   for: 1m
         #   labels:
-        #     severity: critical
+        #     severity: warning
         #   annotations:
         #     description: Too many 5XXs
-        #     summary: More than 5% of the all requests did return 5XX, this require your attention
-        # - alert: TooMany400s
+        #     summary: More than 5% of all requests returned 5XX, this requires your attention
+        # - alert: NGINXTooMany400s
         #   expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5
         #   for: 1m
         #   labels:
-        #     severity: critical
+        #     severity: warning
         #   annotations:
         #     description: Too many 4XXs
-        #     summary: More than 5% of the all requests did return 4XX, this require your attention
+        #     summary: More than 5% of all requests returned 4XX, this requires your attention
 
-
-  lifecycle: {}
+  ## Improve connection draining when ingress controller pod is deleted using a lifecycle hook:
+  ## With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds
+  ## to 300, allowing the draining of connections up to five minutes.
+  ## If the active connections end before that, the pod will terminate gracefully at that time.
+  ## To effectively take advantage of this feature, the Configmap feature
+  ## worker-shutdown-timeout new value is 240s instead of 10s.
+  ##
+  lifecycle:
+    preStop:
+      exec:
+        command:
+          - /wait-shutdown
 
   priorityClassName: ""
 
@@ -430,15 +529,16 @@ controller:
 ##
 revisionHistoryLimit: 10
 
+# Maxmind license key to download GeoLite2 Databases
+# https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases
+maxmindLicenseKey: ""
+
 ## Default 404 backend
 ##
 defaultBackend:
-
-  ## If false, controller.defaultBackendService must be provided
   ##
-  enabled: true
+  enabled: false
 
-  name: default-backend
   image:
     repository: rancher/nginx-ingress-controller-defaultbackend
     tag: "1.5-rancher1"
@@ -446,11 +546,6 @@ defaultBackend:
     # nobody user -> uid 65534
     runAsUser: 65534
 
-  # This will fix the issue of HPA not being able to read the metrics.
-  # Note that if you enable it for existing deployments, it won't work as the labels are immutable.
-  # We recommend setting this to true for new deployments.
-  useComponentLabel: false
-
   extraArgs: {}
 
   serviceAccount:
@@ -494,9 +589,6 @@ defaultBackend:
   ##
   podSecurityContext: {}
 
-  # labels to add to the deployment metadata
-  deploymentLabels: {}
-
   # labels to add to the pod container metadata
   podLabels: {}
   #  key: value
@@ -524,8 +616,7 @@ defaultBackend:
 
   service:
     annotations: {}
-    ## Deprecated, instead simply do not provide a clusterIP value
-    omitClusterIP: false
+
     # clusterIP: ""
 
     ## List of IP addresses at which the default backend service is available
@@ -533,16 +624,13 @@ defaultBackend:
     ##
     externalIPs: []
 
-    loadBalancerIP: ""
+    # loadBalancerIP: ""
     loadBalancerSourceRanges: []
     servicePort: 80
     type: ClusterIP
 
   priorityClassName: ""
 
-# If provided, the value will be used as the `release` label instead of .Release.Name
-releaseLabelOverride: ""
-
 ## Enable RBAC as per https://github.com/kubernetes/ingress/tree/master/examples/rbac/nginx and https://github.com/kubernetes/ingress/issues/266
 rbac:
   create: true

index.yaml

@@ -106,6 +106,25 @@ entries:
     - assets/rke2-coredns/rke2-coredns-1.10.101-build2021022301.tgz
     version: 1.10.101-build2021022301
   rke2-ingress-nginx:
+  - apiVersion: v1
+    appVersion: 0.35.0
+    created: "2021-02-24T21:42:02.60663315Z"
+    description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
+    digest: 2480ed0be9032f8f839913e12f0528128a15483ced57c851baed605156532782
+    home: https://github.com/kubernetes/ingress-nginx
+    icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
+    keywords:
+    - ingress
+    - nginx
+    kubeVersion: '>=1.16.0-0'
+    maintainers:
+    - name: ChiefAlexander
+    name: rke2-ingress-nginx
+    sources:
+    - https://github.com/kubernetes/ingress-nginx
+    urls:
+    - assets/rke2-ingress-nginx/rke2-ingress-nginx-3.3.000.tgz
+    version: 3.3.000
   - apiVersion: v1
     appVersion: 0.30.0
     created: "2021-02-19T16:11:27.47593126Z"
@@ -359,4 +378,4 @@ entries:
     urls:
     - assets/rke2-metrics-server/rke2-metrics-server-2.11.100-build2021022300.tgz
     version: 2.11.100-build2021022300
-generated: "2021-02-24T21:41:48.73617673Z"
+generated: "2021-02-24T21:42:02.60300284Z"

sha256sum/rke2-ingress-nginx/rke2-ingress-nginx.sum

@@ -1,2 +1,2 @@
-515919733171edb9efe6f53bcb5da5b03d2d61c5ee773a62f3bb7e931ce1e32f  packages/rke2-ingress-nginx/rke2-ingress-nginx.patch
-a6b3e1bf28d49b022e87e1dbb9d7c3bd8723ca0467509a934245dbe756cdbff2  packages/rke2-ingress-nginx/package.yaml
+3ab8fe9454ce25221d16fc687c3942744c1ddb73e1dd0ada9ddf7bc732935e3f  packages/rke2-ingress-nginx/rke2-ingress-nginx.patch
+816cccb4bd7850999be977f709b2ed8fb16396e3e89baeefa3237069be6a2e85  packages/rke2-ingress-nginx/package.yaml