chore: bump ingress-nginx to 1.12.1

2025-04-04 09:24:55 +02:00 · 2025-04-04 09:24:55 +02:00 · 67ed54afdc
commit 67ed54afdc
parent 71027364e1
23 changed files with 71 additions and 50 deletions
--- a/deploy/base/config-map-ingress-nginx.yaml
+++ b/deploy/base/config-map-ingress-nginx.yaml
@ -0,0 +1,6 @@
+# Add additional configmap setting required since ingress-nginx 1.12.0.
+# https://github.com/kubernetes/ingress-nginx/issues/13104
+- op: add
+  path: /data
+  value: 
+    annotations-risk-level: Critical
--- a/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
@ -8,10 +8,10 @@ metadata:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
--- a/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
@ -8,10 +8,10 @@ metadata:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
--- a/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@ -9,10 +9,10 @@ metadata:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
@ -21,17 +21,17 @@ spec:
    metadata:
      name: ingress-nginx-admission-create
      labels:
-        helm.sh/chart: ingress-nginx-4.10.0
+        helm.sh/chart: ingress-nginx-4.12.1
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: "1.10.0"
+        app.kubernetes.io/version: "1.12.1"
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: create
-          image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.0@sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334
+          image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.2@sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea
          imagePullPolicy: IfNotPresent
          args:
            - create
@ -49,6 +49,7 @@ spec:
              drop:
              - ALL
            readOnlyRootFilesystem: true
+            runAsGroup: 65532
            runAsNonRoot: true
            runAsUser: 65532
            seccompProfile:
--- a/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@ -9,10 +9,10 @@ metadata:
    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
@ -21,17 +21,17 @@ spec:
    metadata:
      name: ingress-nginx-admission-patch
      labels:
-        helm.sh/chart: ingress-nginx-4.10.0
+        helm.sh/chart: ingress-nginx-4.12.1
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: "1.10.0"
+        app.kubernetes.io/version: "1.12.1"
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: patch
-          image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.0@sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334
+          image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.5.2@sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea
          imagePullPolicy: IfNotPresent
          args:
            - patch
@ -51,6 +51,7 @@ spec:
              drop:
              - ALL
            readOnlyRootFilesystem: true
+            runAsGroup: 65532
            runAsNonRoot: true
            runAsUser: 65532
            seccompProfile:
--- a/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
@ -9,10 +9,10 @@ metadata:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
--- a/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
@ -9,10 +9,10 @@ metadata:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
--- a/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
@ -9,10 +9,11 @@ metadata:
    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
+automountServiceAccountToken: true
--- a/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
@ -7,10 +7,10 @@ kind: ValidatingWebhookConfiguration
 metadata:
  annotations:
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
@ -36,4 +36,5 @@ webhooks:
      service:
        name: ingress-nginx-controller-admission
        namespace: default
+        port: 443
        path: /networking/v1/ingresses
--- a/deploy/base/inflated/ingress-nginx/templates/clusterrole.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/clusterrole.yaml
@ -4,10 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
--- a/deploy/base/inflated/ingress-nginx/templates/clusterrolebinding.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/clusterrolebinding.yaml
@ -4,10 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
--- a/deploy/base/inflated/ingress-nginx/templates/controller-configmap.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/controller-configmap.yaml
@ -4,14 +4,13 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: default
 data:
-  allow-snippet-annotations: "false"
--- a/deploy/base/inflated/ingress-nginx/templates/controller-deployment.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/controller-deployment.yaml
@ -4,10 +4,10 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
@ -25,10 +25,10 @@ spec:
  template:
    metadata:
      labels:
-        helm.sh/chart: ingress-nginx-4.10.0
+        helm.sh/chart: ingress-nginx-4.12.1
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
-        app.kubernetes.io/version: "1.10.0"
+        app.kubernetes.io/version: "1.12.1"
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: controller
@ -36,7 +36,7 @@ spec:
      dnsPolicy: ClusterFirst
      containers:
        - name: controller
-          image: registry.k8s.io/ingress-nginx/controller:v1.10.0@sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c
+          image: registry.k8s.io/ingress-nginx/controller:v1.12.1@sha256:d2fbc4ec70d8aa2050dd91a91506e998765e86c96f32cffb56c503c9c34eed5b
          imagePullPolicy: IfNotPresent
          lifecycle: 
            preStop:
@ -53,9 +53,11 @@ spec:
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
+            - --enable-metrics=true
          securityContext: 
            runAsNonRoot: true
            runAsUser: 101
+            runAsGroup: 82
            allowPrivilegeEscalation: false
            seccompProfile: 
              type: RuntimeDefault
--- a/deploy/base/inflated/ingress-nginx/templates/controller-ingressclass.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/controller-ingressclass.yaml
@ -1,15 +1,13 @@
 ---
 # Source: ingress-nginx/templates/controller-ingressclass.yaml
-# We don't support namespaced ingressClass yet
-# So a ClusterRole and a ClusterRoleBinding is required
 apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
--- a/deploy/base/inflated/ingress-nginx/templates/controller-poddisruptionbudget.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/controller-poddisruptionbudget.yaml
@ -0,0 +1,4 @@
+---
+# Source: ingress-nginx/templates/controller-poddisruptionbudget.yaml
+# PDB is not supported for DaemonSets.
+# https://github.com/kubernetes/kubernetes/issues/108124
--- a/deploy/base/inflated/ingress-nginx/templates/controller-role.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/controller-role.yaml
@ -4,10 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
--- a/deploy/base/inflated/ingress-nginx/templates/controller-rolebinding.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/controller-rolebinding.yaml
@ -4,10 +4,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
--- a/deploy/base/inflated/ingress-nginx/templates/controller-service-metrics.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/controller-service-metrics.yaml
@ -7,10 +7,10 @@ metadata:
    prometheus.io/port: "10254"
    prometheus.io/scrape: "true"
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
--- a/deploy/base/inflated/ingress-nginx/templates/controller-service-webhook.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/controller-service-webhook.yaml
@ -4,10 +4,10 @@ apiVersion: v1
 kind: Service
 metadata:
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
--- a/deploy/base/inflated/ingress-nginx/templates/controller-service.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/controller-service.yaml
@ -5,10 +5,10 @@ kind: Service
 metadata:
  annotations:
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
--- a/deploy/base/inflated/ingress-nginx/templates/controller-serviceaccount.yaml
+++ b/deploy/base/inflated/ingress-nginx/templates/controller-serviceaccount.yaml
@ -4,10 +4,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  labels:
-    helm.sh/chart: ingress-nginx-4.10.0
+    helm.sh/chart: ingress-nginx-4.12.1
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
-    app.kubernetes.io/version: "1.10.0"
+    app.kubernetes.io/version: "1.12.1"
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
--- a/deploy/base/kustomization.yaml
+++ b/deploy/base/kustomization.yaml
@ -134,6 +134,11 @@ patches:
    name: ingress-nginx-controller
  path: deploy-ingress-nginx.yaml

+- target:
+    kind: ConfigMap
+    name: ingress-nginx-controller
+  path: config-map-ingress-nginx.yaml
+
 - target:
    kind: Deployment
    name: external-dns
--- a/deploy/prod/deploy-ingress-nginx.yaml
+++ b/deploy/prod/deploy-ingress-nginx.yaml
@ -8,6 +8,9 @@
 - op: add
  path: /spec/template/spec/containers/0/args/-
  value: "--tcp-services-configmap=$(POD_NAMESPACE)/prod-ingress-nginx-tcp-services"
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: "--default-ssl-certificate=$(POD_NAMESPACE)/prod-ingress-tls"
 - op: replace
  path: /spec/template/spec/volumes/0/secret/secretName
  value: prod-ingress-nginx-admission