All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project's packages adhere to Semantic Versioning.
3.9.2 - 2024-08-20
- Chart: Sync to upstream. (#687)
  - Controller: Update image to v1.11.2.
  - OpenTelemetry: Update image to v20240813-b933310d.
  - Kube Webhook CertGen: Update image to v1.4.3.
- Chart: Sync to upstream. (#687)
  - Helpers: Remove useless `isControllerTagValid`.
3.9.1 - 2024-07-29
- Chart: Sync to upstream. (#687)
  - Chart: Explicitly set `runAsGroup`.
3.9.0 - 2024-07-21
- Chart: Sync to upstream. (#673)
  - Values: Add `controller.disableLeaderElection`.
  - Values: Add `controller.electionTTL`.
3.8.1 - 2024-07-21
3.8.0 - 2024-06-18
- Deployments/DaemonSets: Make pod affinity templatable. (#654)
- ServiceMonitor: Relabel app & node. (#654)
3.7.0 - 2024-06-03
- Ingress Class: Make annotations configurable. (#639)
- Admission Webhook: Make patch job RBAC configurable. (#639)
- Default Backend: Add topology spread constraints. (#639)
- Chart: Require Kubernetes version >= 1.21.0-0. (#639)
- Config Map: Support templates in values. (#639)
- Service: Fix app protocol semver comparison. (#639)
- Admission Webhook: Update patch job image to `v1.4.1`. (#639)
- Default Backend: Reorder HPA. (#639)
3.6.1 - 2024-06-03
3.6.0 - 2024-03-26
Since upstream did not release a `chroot` variant of the controller image for v1.10.0, one cannot enable `controller.image.chroot` in the chart values. If you try to do so anyway, your pods will not come up due to a missing image.
We are sorry for the inconvenience and hope to bring back support for it in a future version!
- Chart: Add IngressClass aliases. (#609)
- Image: Update to `v1.10.0`. (#609)
  NOTE: Upstream does not provide a `chroot` image for this version, yet.
- Chart: Always deploy `PrometheusRule` when asked to. (#609)
- Chart: Deploy `PodDisruptionBudget` with KEDA. (#609)
- Chart: Improve IngressClass documentation. (#609)
- Chart: Align HPA & KEDA conditions. (#609)
- Chart: Render `controller.ingressClassResource.parameters` natively. (#609)
3.5.2 - 2024-02-23
- Metrics: Really disable them when told to. (#592)
3.5.1 - 2024-01-27
3.5.0 - 2024-01-15
- Service: Add CAPZ support. (#587)
3.4.2 - 2023-12-21
- Service Monitor: Add `controller.metrics.serviceMonitor.annotations`. (#584)
- Image: Update to `v1.9.5`. (#584)
- Default Backend: Label pods with `ingress-nginx.labels` instead of `ingress-nginx.selectorLabels`. (#584)
3.4.1 - 2023-12-15
- Chart: Add Helm unit tests from upstream. (#578)
- Role: Omit Ingress status permissions if `--update-chart=false`. (#579)
3.4.0 - 2023-12-13
- Service: Add `controller.service.internal.type`. (#571)
- Default Backend: Add `defaultBackend.extraConfigMaps`. (#576)
- Chart: Simplify image templating. (#571)
- Deployment: Make extra modules image more configurable. (#572)
  NOTE: This changes the schema of `controller.extraModules.image` & `controller.opentelemetry.image`. Please update any overrides.
- Configure `gsoci.azurecr.io` as the default container image registry. (#574)
3.3.1 - 2023-12-05
- Admission Webhook: Add `controller.admissionWebhooks.patch.networkPolicy.enabled`. (#568)
3.3.0 - 2023-11-21
- Chart: Add `namespaceOverride`. (#565)
- Service: Add `controller.service.allocateLoadBalancerNodePorts` & `controller.service.internal.allocateLoadBalancerNodePorts`. (#565)
- Admission Webhook: Truncate name. (#565)
3.2.1 - 2023-10-26
3.2.0 - 2023-10-18
This release contains security relevant changes. Please check your Ingress
resources for invalid annotations or paths before installing it.
- Values: Enable `controller.enableAnnotationValidations` by default. (#552)
  NOTE: This change affects existing, new & updated `Ingress` resources. Upstream is enabling this by default, too: kubernetes/ingress-nginx#10186.
- Values: Enable `controller.config.strict-validate-path-type` by default. (#553)
  NOTE: This change affects new & updated `Ingress` resources only. Upstream is enabling this by default, too: https://github.com/kubernetes/ingress-nginx/issues/10186. See https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type for further information.
3.1.2 - 2023-10-26
3.1.1 - 2023-10-18
- Controller: Fix `chroot` mode. (#550)
- Service: Remove redundant version check. (#550)
3.1.0 - 2023-10-12
- Controller: Add `controller.enableAnnotationValidations`. (#536)
- OpenTelemetry: Add `controller.opentelemetry.resources`. (#536)
- Values: Add `global.podSecurityStandards.enforced`. (#544)
- Image: Update to `v1.9.0`. (#536)
- Deployment/DaemonSet: Make `controller.topologySpreadConstraints` an array. (#536)
  NOTE: This is part of our alignment to upstream. Please convert any overrides of `controller.topologySpreadConstraints` to an array, too.
- Tests: Upgrade dependencies & remove explicit ATS version. (#538)
- Service: Fix wildcard subdomain. (#539)
- Chart: Tighten `securityContext`s and Pod Security Policies. (#540)
- OpenTelemetry: Use own registry. (#541)
- Admission Webhooks: Update `kube-webhook-certgen` image to `v20231011-8b53cabe0`. (#542)
- Image: Update to `v1.9.3`. (#547)
- Controller: Drop support for `controller.kind: Both`. (#547)
3.0.2 - 2023-10-12
3.0.1 - 2023-09-18
3.0.0 - 2023-08-28
This is the first public stable release of our new `ingress-nginx` chart.
If you are currently using `v2.x.x`, this release includes breaking changes. We set up a migration guide to make the upgrade as smooth as possible. Notable changes requiring your attention and/or manual intervention, like renaming, deprecation or removal of values, have been highlighted below.
Even though we highly recommend upgrading to this and future releases, `v2.x.x` will continue to receive bugfixes as long as possible.
All feedback regarding this release, its changes, or our migration guide is very welcome!
- Service: Align features from external service to internal one. (#467)
- Service: Add `controller.service.internal.ports` & `controller.service.internal.targetPorts`. (#469)
- PDB: Add `controller.annotations`. (#481)
- KEDA: Add `fallback`. (#497)
- OpenTelemetry: Add distroless `init_module`. (#498)
- Service: Add `controller.service.loadBalancerClass`. (#503)
  NOTE: The load balancer class of existing services can not be changed. The app deployment might fail when defining this for already installed app instances.
- Deployment: Ignore `replicaCount` with KEDA enabled. (#513)
- Service: Template annotations. (#514)
- Deployment/DaemonSet: Add `controller.hostAliases`. (#521)
- Helpers: Align labels to upstream. (#450)
- Values: Align CPU & memory requests to actual needs. (#453)
  NOTE: This reduces the default resource requests. Please review & configure them to your actual needs.
- Values: Deprecate `configmap`, use `controller.config` instead. (#463)
  NOTE: This is part of our alignment to upstream. Use `controller.config` instead.
- Chart: Rename to `ingress-nginx`. (#464)
- HPA: Align to upstream. (#465)
- PDB: Improve checks. (#487)
- Images: Update OpenTelemetry & kube-webhook-certgen image. (#488)
- Image: Update to `v1.8.0`. (#489)
- HPA: Partially revert #465. (#493)
- Metrics: Use `ServiceMonitor`. (#494)
- Image: Update to `v1.8.1`. (#505)
- Values: Update docs about `controller.enableTopologyAwareRouting`. (#520)
- OpenTelemetry: Update image to `v20230721-3e2062ee5`. (#522)
- ServiceMonitor: Explicitly set namespace. (#523)
- Service: Remove `controller.service.suffix` & `controller.service.internal.suffix`. (#448)
  NOTE: This is part of our alignment to upstream. There is no replacement for this key.
- Params: Align to upstream. (#452)
  - Params: Remove `controller.annotationsPrefix`.
    NOTE: This is part of our alignment to upstream. Use `controller.extraArgs` instead.
  - Params: Remove `controller.defaultSSLCertificate`.
    NOTE: This is part of our alignment to upstream. Use `controller.extraArgs` instead.
  - Params: Remove `controller.enableSSLChainCompletion`.
    NOTE: This is part of our alignment to upstream. Use `controller.extraArgs` instead.
  - Params: Remove `controller.updateIngressStatus`.
    NOTE: This is part of our alignment to upstream. Use `controller.extraArgs` instead.
- Service: Remove default values for `controller.service.nodePorts` & `controller.service.internal.nodePorts`. (#461)
  NOTE: If you are running on our KVM product, please make sure to manually set those keys to their prior values.
- Params: Remove `controller.disableExternalNameForwarding`. (#462)
  NOTE: This is part of our alignment to upstream. Use `controller.extraArgs` instead.
2.30.1 - 2023-05-07
2.30.0 - 2023-04-18
Since we started working on aligning this chart to upstream as much as possible a while ago, this might be the last non-breaking release.
We're currently working on releasing v3.0.0, which includes several breaking changes and requires a re-install of the chart.
- Deployment/DaemonSet: Remove `cluster-autoscaler.kubernetes.io/safe-to-evict` annotation. (#449)
- Deployment/DaemonSet: Remove duplicate Prometheus annotations. (#455)
- Values: Remove `configmap` keys matching defaults. (#457)
  - Values: Remove `configmap.error-log-level`.
  - Values: Remove `configmap.server-name-hash-bucket-size`.
  - Values: Remove `configmap.worker-processes`.
  - Values: Remove `configmap.worker-shutdown-timeout`.
  - Values: Remove `configmap.use-forwarded-headers`.
- Service: Remove deprecated & default annotations. (#458)
2.29.0 - 2023-04-03
- Default Backend: Add `NetworkPolicy`. (#443)
- DaemonSet: Align to `Deployment` (and vice versa). (#442)
2.28.0 - 2023-04-01
- Service: Add vCloud AVI annotations. (#439)
2.27.0 - 2023-03-22
- Helpers: Align to upstream. (#429)
  - Helpers: Add `controller.containerSecurityContext`.
  - Helpers: Add `ingress-nginx.image`.
  - Helpers: Add `ingress-nginx.imageDigest`.
  - Helpers: Add `ingress-nginx.controller.publishServicePath`.
  - Helpers: Add `ingress-nginx.params`.
  - Helpers: Add `isControllerTagValid`.
  - Helpers: Add `extraModules`.
- Chart: Align to upstream. (#431)
  - Chart: Add `.helmignore`.
  - Chart: Add `NOTES.txt`.
- Chart: Add CI values from upstream. (#432)
- Deployment: Align to upstream. (#433)
  - Deployment: Implement `controller.kind`.
  - Deployment: Implement `controller.labels`.
  - Deployment: Implement `controller.annotations`.
  - Deployment: Implement `revisionHistoryLimit`.
  - Deployment: Implement `controller.podAnnotations`.
  - Deployment: Implement `controller.dnsConfig`.
  - Deployment: Implement `controller.hostname`.
  - Deployment: Implement `controller.dnsPolicy`.
  - Deployment: Implement `controller.podLabels`.
  - Deployment: Implement `imagePullSecrets`.
  - Deployment: Implement `controller.priorityClassName`.
    NOTE: Removes the hardcoded default `system-cluster-critical`. Please override if required.
  - Deployment: Implement `controller.podSecurityContext` & `controller.sysctls`.
  - Deployment: Implement `controller.shareProcessNamespace`.
  - Deployment: Implement `controller.containerName`.
  - Deployment: Implement `controller.updateStrategy`.
  - Deployment: Implement `controller.publishService`.
  - Deployment: Implement `controller.ingressClass`.
    NOTE: If you are currently overriding `controller.ingressClassResource.name`, there are two cases which require manual intervention:
    - You are assigning ingresses to an ingress controller by annotation.
    - You enabled `controller.ingressClassByName`.
    Please set `controller.ingressClass` to the value of `controller.ingressClassResource.name` if any of these cases applies to you.
  - Deployment: Implement `controller.configMapNamespace`.
  - Deployment: Implement `controller.tcp.configMapNamespace`.
  - Deployment: Implement `controller.udp.configMapNamespace`.
  - Deployment: Implement `controller.scope.namespace`.
  - Deployment: Implement `controller.scope.namespaceSelector`.
  - Deployment: Implement `controller.reportNodeInternalIp`.
  - Deployment: Implement `controller.admissionWebhooks.certificate` & `controller.admissionWebhooks.key`.
  - Deployment: Implement `controller.maxmindLicenseKey`.
  - Deployment: Implement `controller.healthCheckHost`.
  - Deployment: Implement `controller.healthCheckPath`.
  - Deployment: Implement `controller.enableTopologyAwareRouting`.
  - Deployment: Implement `controller.extraArgs`.
  - Deployment: Implement `serviceAccount.name`.
  - Deployment: Implement `controller.containerSecurityContext`.
  - Deployment: Implement `controller.hostPort`.
  - Deployment: Implement `controller.metrics.portName`.
  - Deployment: Implement `tcp` & `udp` ports.
  - Deployment: Implement `controller.customTemplate`.
  - Deployment: Implement `controller.extraVolumeMounts`.
  - Deployment: Implement `controller.opentelemetry`.
  - Deployment: Implement `controller.extraContainers`.
  - Deployment: Implement `controller.extraInitContainers`.
  - Deployment: Implement `controller.hostNetwork`.
  - Deployment: Implement `controller.nodeSelector`.
  - Deployment: Implement `controller.tolerations`.
  - Deployment: Implement `controller.affinity`.
  - Deployment: Add `DaemonSet` option.
- Helpers: Align to upstream. (#429)
  - Helpers: Rename `name` to `ingress-nginx.name`.
  - Helpers: Rename `chart` to `ingress-nginx.chart`.
  - Helpers: Align `ingress-nginx.fullname`.
  - Helpers: Align `ingress-nginx.controller.fullname`.
  - Helpers: Align `ingress-nginx.controller.electionID`.
  - Helpers: Align `ingress-nginx.defaultBackend.fullname`.
  - Helpers: Align `ingress-nginx.labels`.
  - Helpers: Align `ingress-nginx.selectorLabels`.
  - Helpers: Align `ingress-nginx.defaultBackend.serviceAccountName`.
- Chart: Align to upstream. (#431)
  - Chart: Align `Chart.yaml`.
- HPA: Use capabilities, reorder `if`. (#434)
- Deployment: Align to upstream. (#433)
  - Deployment: Align `controller.image`.
  - Deployment: Align `startupProbe`.
    NOTE: Please remove `controller.startupProbe.enabled` from your overrides and remove/set `controller.startupProbe` instead.
  - Deployment: Align `livenessProbe`.
    NOTE: Please remove `controller.livenessProbe.enabled` from your overrides and remove/set `controller.livenessProbe` instead.
  - Deployment: Align `readinessProbe`.
    NOTE: Please remove `controller.readinessProbe.enabled` from your overrides and remove/set `controller.readinessProbe` instead.
  - Deployment: Update `controller.image.tag` to `v1.6.4`.
- Helpers: Align to upstream. (#429)
  - Helpers: Remove `resource.controller-service-internal.name`.
  - Helpers: Remove `resource.controller-service.name`.
- Deployment: Align to upstream. (#433)
  - Deployment: Remove `controller.extraAnnotations.deployment`.
    NOTE: This is part of our alignment to upstream. Use `controller.annotations` instead.
  - Deployment: Remove `controller.extraAnnotations.pod`.
    NOTE: This is part of our alignment to upstream. Use `controller.podAnnotations` instead.
  - Deployment: Remove `sysctls` setting `net.ipv4.ip_local_port_range`.
    NOTE: Set via `controller.sysctls` if required.
  - Deployment: Remove `initContainers` setting `net.core.somaxconn`.
    NOTE: Set via `controller.sysctls` if required.
  - Deployment: Remove `controller.maxSurge`.
    NOTE: This is part of our alignment to upstream. Use `controller.updateStrategy` instead.
  - Deployment: Remove `controller.maxUnavailable`.
    NOTE: This is part of our alignment to upstream. Use `controller.updateStrategy` instead.
  - Deployment: Remove `controller.userID`.
    NOTE: This is part of our alignment to upstream. Use `controller.image.runAsUser` instead.
  - Deployment: Remove `controller.groupID`.
    NOTE: This is part of our alignment to upstream. There is no replacement for this key.
  - Deployment: Remove `controller.antiAffinityScheduling` & `controller.nodeAffinity`.
    NOTE: This is part of our alignment to upstream. Use `controller.affinity` instead.
2.26.0 - 2023-03-09
- Service: Align to upstream. (#425)
  - Service: Implement `controller.service.clusterIP`.
    NOTE: The cluster IP of existing services can not be changed. The app deployment might fail when defining this for already installed app instances.
  - Service: Implement `controller.service.externalIPs`.
  - Service: Implement `controller.service.loadBalancerIP`.
  - Service: Implement `controller.service.sessionAffinity`.
  - Service: Implement `controller.service.healthCheckNodePort`.
    NOTE: The health check node port of existing services can not be changed. The app deployment might fail when defining this for already installed app instances.
  - Service: Implement `controller.service.ipFamilyPolicy`.
  - Service: Implement `controller.service.ipFamilies`.
  - Service: Implement `controller.service.enableHttp`.
  - Service: Implement `controller.service.enableHttps`.
  - Service: Implement `controller.service.appProtocol`.
  - Service: Implement `controller.service.external.enabled`.
  - Service: Add `portNamePrefix`.
  - Service: Add `controller.service.nodePorts.tcp` & `controller.service.nodePorts.udp`.
  - Service: Implement node ports for `tcp` and `udp`.
  - Internal Service: Implement `controller.service.internal.loadBalancerIP`.
  - Internal Service: Implement `controller.service.enableHttp` & `controller.service.enableHttps`.
  - Internal Service: Implement `controller.service.appProtocol`.
  - Internal Service: Add `controller.service.internal.nodePorts.tcp` & `controller.service.internal.nodePorts.udp`.
  - Internal Service: Implement node ports for `tcp` and `udp`.
- Service: Align to upstream. (#425)
  - Service: Reorder name & namespace.
  - Service: Align `controller.service.loadBalancerSourceRanges`.
  - Service: Align `controller.service.externalTrafficPolicy`.
  - Service: Align indention of `ports`.
  - Service: Align node port checks.
  - Internal Service: Align initial check.
  - Internal Service: Reorder name & namespace.
  - Internal Service: Align `controller.service.internal.loadBalancerSourceRanges`.
  - Internal Service: Reorder `controller.service.internal.externalTrafficPolicy`.
  - Internal Service: Align indention of `ports`.
  - Internal Service: Align node port checks.
  - Values: Align to upstream.
- Service: Align to upstream. (#425)
  - Internal Service: Remove `controller.service.internal.labels`.
    NOTE: This is part of our alignment to upstream. Use `controller.service.labels` instead.
  - Internal Service: Remove `controller.service.internal.type`.
    NOTE: This is part of our alignment to upstream. Use `controller.service.type` instead.
  - Internal Service: Remove `controller.service.internal.ports.http`.
    NOTE: This is part of our alignment to upstream. Use `controller.service.ports.http` instead.
  - Internal Service: Remove `controller.service.internal.ports.https`.
    NOTE: This is part of our alignment to upstream. Use `controller.service.ports.https` instead.
2.25.1 - 2023-03-03
- Webhook: Remove digest from image. (#426)
2.25.0 - 2023-03-02
- Default Backend: Add `defaultBackend.updateStrategy` & `defaultBackend.minReadySeconds`. (#406)
- ConfigMap: Align to upstream. (#409)
  - ConfigMap: Implement `controller.configAnnotations`.
  - ConfigMap: Implement `controller.addHeaders`.
  - ConfigMap: Implement `controller.proxySetHeaders`.
  - ConfigMap: Implement `dhParam`.
  - ConfigMap: Implement `tcp` and `udp`.
  - ConfigMap: Implement `controller.config`.
- Chart: Add KEDA resources. (#413)
- Chart: Add Prometheus rules. (#414)
- Chart: Add service monitor. (#415)
- NetworkPolicy: Align to upstream. (#408)
  NOTE: `controller.admissionWebhooks.networkPolicyEnabled` is being removed in favor of `controller.networkPolicy.enabled`.
- ConfigMap: Align to upstream. (#409)
  - ConfigMap: Align metadata.
  - ConfigMap: Rename `configmap.yaml` -> `controller-configmap.yaml`.
  - ConfigMap: Align indention.
2.24.1 - 2023-03-02
- Webhook: Update digest to match last SHA. (#421)
2.24.0 - 2023-02-14
- Change `PodDisruptionBudget` to move from `maxUnavailable: 1` to `maxUnavailable: 25%` for better scaling
2.23.2 - 2023-05-16
- Jobs: Remove image digest.
2.23.1 - 2023-02-10
- Stop targeting default backend pods with the controller service. (#402)
2.23.0 - 2023-02-02
- Align to upstream: Allow configuring the default backend.
2.22.2 - 2023-05-16
- Jobs: Remove image digest.
2.22.1 - 2023-01-18
- Metrics: Add `app.kubernetes.io/component` to selector. (#393)
- HPA: Remove `controller.autoscaling.apiVersion`, use capabilities instead. (#392)
2.22.0 - 2023-01-17
- Service: Add CAPA support. (#380)
- Webhook: Use `cert-manager` for certificate lifecycle management. (#386)
- HPA: Make `apiVersion` configurable. (#387)
- Metrics: Align to upstream. (#388)
  - Values: Align to upstream.
  - Service: Make optional, enabled by default.
  - Service: Implement `controller.metrics.service.annotations`.
  - Service: Implement `controller.metrics.service.type`.
  - Service: Implement `controller.metrics.service.clusterIP`.
  - Service: Implement `controller.metrics.service.externalIPs`.
  - Service: Implement `controller.metrics.service.loadBalancerIP`.
  - Service: Implement `controller.metrics.service.loadBalancerSourceRanges`.
  - Service: Implement `controller.metrics.service.externalTrafficPolicy`.
  - Service: Implement `controller.metrics.portName`.
  - Service: Implement `controller.metrics.service.nodePort`.
- Metrics: Align to upstream. (#388)
  - Service: Rename `controller-metrics-service.yaml` -> `controller-service-metrics.yaml`.
  - Service: Align labels to upstream.
  - Service: Order `name` & `namespace`.
  - Service: Rename from `-monitoring` to `-metrics`.
  - Service: Align indention of `ports`.
2.21.1 - 2023-05-16
- Jobs: Remove image digest. (#485)
2.21.0 - 2023-01-02
- HPA: Align to upstream. (#369)
  - HPA: Add labels & annotations.
  - HPA: Add `controller.kind` switch.
  - HPA: Add `controller.autoscalingTemplate`.
  - HPA: Add `controller.autoscaling.behavior`.
  - HPA: Add all KEDA values.
- PDB: Add `minAvailable`. (#373)
- Webhook: Align to upstream. (#374)
  - Webhook: Add `controller.admissionWebhooks.service.clusterIP`.
  - Webhook: Add `controller.admissionWebhooks.service.externalIPs`.
  - Webhook: Add `controller.admissionWebhooks.service.loadBalancerIP`.
  - Webhook: Add `controller.admissionWebhooks.service.loadBalancerSourceRanges`.
- Ingress Class: Align to upstream. (#377)
  - Ingress Class: Add `controller.ingressClass`.
- RBAC: Align to upstream. (#378)
  - Values: Add RBAC & service account configuration.
  - Helpers: Add `ingress-nginx.serviceAccountName`.
  - Values: Add `controller.electionID`.
  - Helpers: Add `podSecurityPolicy.apiGroup`.
  - Values: Add `controller.existingPsp`.
  - Values: Add `controller.hostNetwork` & `controller.hostPort`.
  - Values: Add `controller.image.chroot`.
  - Values: Add `controller.sysctls`.
  - Values: Add `controller.metrics.enabled` & `controller.metrics.portName`.
  - Values: Add `tcp` & `udp`.
- HPA: Align to upstream. (#369)
  - HPA: Reorder name & namespace.
  - HPA: Use `ingress-nginx.controller.fullname`.
  - HPA: Use `autoscaling/v2beta2`.
  - HPA: Fix indention.
  - HPA: Swap CPU & memory block.
  - HPA: Disable when KEDA is enabled.
- Admission Webhooks: Align from upstream. (#370)
- Ingress Class: Align from upstream. (#371, #374, #377)
- Helpers: Rename `labels.selector` to `ingress-nginx.selectorLabels`. (#372)
- PDB: Align from upstream. (#373)
- Webhook: Align to upstream. (#374)
- RBAC: Align to upstream. (#378)
  - RBAC: Move `ClusterRoleBinding` to separate file.
  - RBAC: Move `RoleBinding` to separate file.
  - RBAC: Move `ClusterRole` to separate file.
  - RBAC: Move `Role` to separate file.
  - RBAC: Rename `service-account.yaml` to `controller-serviceaccount.yaml`.
  - RBAC: Rename `psp.yaml` to `controller-psp.yaml`.
  - RBAC: Move PSP `ClusterRoleBinding` to `clusterrolebinding.yaml`.
  - RBAC: Move PSP `ClusterRole` to `clusterrole.yaml`.
  - RBAC: Align `ServiceAccount`.
  - RBAC: Align `ClusterRoleBinding` to upstream.
  - RBAC: Align `ClusterRole` to upstream.
  - RBAC: Reorder `coordination.k8s.io/leases` in `ClusterRole`.
  - RBAC: Indent `ClusterRole`.
  - RBAC: Indent `Role`.
  - Helpers: Rename `controller.leader.election.id` to `ingress-nginx.controller.electionID`.
  - Helpers: Align `ingress-nginx.controller.electionID` to upstream.
  - RBAC: Align `Role` to upstream.
  - RBAC: Align `RoleBinding` to upstream.
  - RBAC: Move PSP `ClusterRole` & PSP `ClusterRoleBinding` to `Role`.
  - RBAC: Reorder & indent `PodSecurityPolicy`.
  - RBAC: Align `PodSecurityPolicy` to upstream.
2.20.1 - 2023-05-16
- Jobs: Remove image digest. (#482)
2.20.0 - 2022-11-02
- Templates: Add `controller.admissionWebhooks.patch.labels`. (#360)
- Templates: Add `controller.admissionWebhooks.annotations`. (#362)
- Webhook: Add labels & selectors. (#364)
- Templates: Add `controller.admissionWebhooks.existingPsp`. (#365)
- Webhook: Align values & functions. (#366)
  - Webhook: Rename & align `NetworkPolicy`.
  - Helpers: Add `ingress-nginx.controller.fullname`.
  - Webhook: Add `controller.admissionWebhooks.extraEnvs`.
  - Webhook: Add `controller.admissionWebhooks.createSecretJob.resources`.
  - Webhook: Add `controller.admissionWebhooks.patchWebhookJob.resources`.
  - Webhook: Add `controller.admissionWebhooks.patch.securityContext`.
- Helpers: Rename `resource.default.name` to `ingress-nginx.fullname`. (#356)
- Repository: Rename `master` to `main`. (#357)
- Helpers: Rename `labels.common` to `ingress-nginx.labels`. (#358)
- Templates: Align hook annotations, namespaces & indention. (#359, #361)
- Templates: Align `ValidatingWebhookConfiguration`. (#363)
- Webhook: Align values & functions. (#366)
  - Webhook: Disable privilege escalation.
  - Webhook: Align image concatenation.
  - Webhook: Align values.yaml.
- Webhook: Align values & functions. (#366)
  - Webhook: Remove `controller.admissionWebhooks.patch.backoffLimit`.
    `backoffLimit` was set to the default value of 6 all the time anyway, so we remove it to ease future upstream alignments.
- Revert 'Add support to create internal Load Balancers on GCP.'. (#367)
2.19.0 - 2022-10-17
- Add support to create internal Load Balancers on GCP.
- Disable `PodSecurityPolicy` for Kubernetes >= v1.25. (#352)
Please upgrade to any `v2.18.x` version before upgrading to this release or above since the controller image contained in there migrates your setup to the Lease API.
Additionally the controller version included in this release deprecates some metric names and introduces others as a replacement. See this PR and the upstream docs for more details.
2.18.2 - 2022-10-17
2.18.1 - 2022-09-29
- Validation for `controller.service.externalTrafficPolicy` and `controller.service.internal.externalTrafficPolicy` to only allow `Local` and `Cluster`. (#344)
2.18.0 - 2022-09-27
- `controller.service.loadBalancerSourceRanges` & `controller.service.internal.loadBalancerSourceRanges` for configuring source IP address ranges which can access the ingress service.
2.17.0 - 2022-09-13
- Enable `configmap.use-proxy-protocol` by default for AWS. Hint: Before this was achieved by `cluster-operator` setting `configmap.use-proxy-protocol` in the cluster values.
2.16.0 - 2022-08-24
This release removes support for Kubernetes v1.19.0 and adds support for Kubernetes v1.24.0
2.15.2 - 2022-08-15
- Support for labels on the controller metrics service.
2.15.1 - 2022-08-08
- Update initContainer v3.15.5
2.15.0 - 2022-08-03
- Support for annotations, labels and suffix on the internal controller service.
  NOTE: Adding, changing or removing the `suffix` results in a different name of the controller service resource. Since Helm does not keep track of the old resource, we recommend uninstalling and reinstalling the app when changing the suffix.
- Aligned internal controller service and its configuration parameters to the normal one.
- Omit `service.beta.kubernetes.io/aws-load-balancer-proxy-protocol` for `use-proxy-protocol: "false"`.
2.14.0 - 2022-06-24
- externalDNS annotations will no longer be set on the ingress services if `baseDomain` is not set. (#321)
- Default value for `baseDomain` configuration value automatically set for workload cluster installations. (#321)
- Unused configuration values for chart installations on management clusters. (#321)
2.13.1 - 2022-06-16
- Enable topology spread constraints by default. (#318)
2.13.0 - 2022-06-15
- Allow users to specify custom `nodeAffinity` configuration through `controller.nodeAffinity` configuration value. (#313)
- Optional: Topology spread constraints for pod assignment (requires Kubernetes >= 1.19). Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints. Important: We strongly suggest you review these settings before applying onto your clusters. This document https://docs.giantswarm.io/advanced/high-availability/multi-az/ gives more insight.
2.12.1 - 2022-06-09
- Update controller container image to `v1.2.1` which removes the root and alias directives from the internal NGINX. (#311)
2.12.0 - 2022-05-13
- Reduced default resource requests to former profile `small` (at least 500m of CPU and 600Mi of memory) and let HPA care about scaling.
- Support for `cluster.profile` parameter. This parameter was set on neither management clusters nor workload clusters and so the default resource requests configured in `controller.resources` got used.
2.11.0 - 2022-04-22
- Update controller container image to `v1.2.0` which enables deep inspection on Ingress objects. This may increase CPU usage slightly. (#301)
2.10.0 - 2022-04-04
- Controller flag `--ingress-class` to use configuration value `controller.ingressClassResource.name`. This enables backwards compatibility with `kubernetes.io/ingress.class` annotations on `Ingresses`. (#292)
- Configuration value `ingressClassByName` to enable or disable processing `IngressClass` per name (additionally as per spec.controller) (Default: `false`). (#292)
- Added team ownership to default labels.
- Update controller container image to `v1.1.3` to fix CVE-2022-0778 in OpenSSL and CVE-2022-23308 in libxml2. It also upgrades Alpine to 3.14.4 and nginx to 1.19.10. (#292)
2.9.1 - 2022-02-23
- Added `maxSurge` parameter to values for the controller deployment strategy.
2.9.0 - 2022-02-10
- Allow enabling the `--enable-ssl-chain-completion` flag. Disabled by default. Use this to autocomplete SSL certificate chains with missing intermediate CA certificates. Certificates uploaded to Kubernetes must have the "Authority Information Access" X.509 v3 extension for this to succeed.
2.8.0 - 2022-01-27
This release contains a potential breaking change in case you are using and relying on the configuration setting `use-forwarded-headers`. From now on the default value will change to `false`. In case you're relying on this feature, you'll need to override this in your customized values like this:
```yaml
configmap:
  use-forwarded-headers: "true"
```
- Push chart to control plane catalog.
- Disable `use-forwarded-headers` by default.
2.7.0 - 2022-01-19
- Allow disabling external-dns annotations.
- Augment monitoring annotations to have a stable name for monitoring. (#263)
- Update aws-load-balancer annotations for internal cluster use.
- Add required external-dns annotation to internal controller service.
- Add documentation for service configuration.
- Update controller container image to `v1.1.1`. (#264)
- Swap kube-webhook-certgen container image for ingress-nginx image to ensure compatibility with kubernetes >= 1.22 (#265)
2.6.1 - 2021-12-03
- Fix LB Service name suffix introduced in v2.6.0.
2.6.0 - 2021-12-02
- Allow setting LB Service name suffix with new `controller.service.suffix` value.
2.5.0 - 2021-11-29
2.4.1 - 2021-10-22
- Internal change: Stop publishing nginx-ingress-controller-app to default catalog. (#235)
- Disallow the controller Ingress to parse and add *-snippet annotations created by the user. This can be changed by setting `controller.allowSnippetAnnotations` to `true`. We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this may allow a user to add restricted configurations to the final nginx.conf file. This is a mitigation against CVE-2021-25742. (#238)
2.4.0 - 2021-10-18
- Update controller container image to `v1.0.4` which disables ssl_session_cache due to possible memory fragmentation. (#231)
2.3.0 - 2021-10-07
- Update controller container image to `v1.0.3` which resolves issues related to lua modules used in the controller. (#225)
2.2.0 - 2021-09-09
- Breaking change: Update controller container image to `v1.0.0`. From this version on, only clusters with kubernetes >= 1.19 are supported. Please make sure to read the upgrading notes. (#218).
2.1.4 - 2022-04-07
- Update controller container image to v0.51.0 to fix CVE-2022-0778 in OpenSSL and CVE-2022-23308 in libxml2. It also upgrades Alpine to 3.14.4 and nginx to 1.19.10. (#294)
- Added team ownership to default labels. (#294)
2.1.3 - 2021-12-20
2.1.2 - 2021-10-22
- Disallow the controller Ingress to parse and add *-snippet annotations/directives created by the user. This can be changed by setting controller.enableSnippetDirectives to true. We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this may allow a user to add restricted configurations to the final nginx.conf file. This is a mitigation against CVE-2021-25742. (#237)
2.1.1 - 2021-10-21
2.1.0 - 2021-08-26
2.0.0 - 2021-07-15
Note: This upgrade is only a breaking change in the unlikely event that you have been specifying services as externalName with your Ingress as a backend. Otherwise, it is not a breaking change.
- Update controller container image to v0.48.1. (#211). This release contains several performance improvements related to the admission webhook.
- Potentially Breaking: Define --disable-svc-external-name flag by default to disable forwarding traffic to ExternalName Services. If you require this feature, you can enable forwarding again through setting controller.disableExternalNameForwarding: false in user values. (#211)
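
A pre-upgrade check for two behaviour changes listed above (the *-snippet annotation mitigation for CVE-2021-25742 in 2.1.2/2.4.1 and the ExternalName forwarding default in 2.0.0), as an added example that is not part of the chart. The function names, finding labels and sample objects are constructed for illustration; real input would be the `items` list from `kubectl get ingress,service -A -o json`.

```python
# Constructed sample: objects shaped like items from
# `kubectl get ingress,service -A -o json` (names and hosts are made up).
SAMPLE = [
    {"kind": "Service", "metadata": {"namespace": "shop", "name": "legacy-api"},
     "spec": {"type": "ExternalName", "externalName": "api.example.com"}},
    {"kind": "Service", "metadata": {"namespace": "shop", "name": "web"},
     "spec": {"type": "ClusterIP"}},
    {"kind": "Ingress",
     "metadata": {"namespace": "shop", "name": "front", "annotations": {
         "nginx.ingress.kubernetes.io/configuration-snippet": "add_header X-Frame-Options DENY;"}},
     "spec": {"rules": [{"http": {"paths": [{"backend": {"service": {"name": "web"}}}]}}]}},
    {"kind": "Ingress", "metadata": {"namespace": "shop", "name": "legacy"},
     "spec": {"rules": [{"http": {"paths": [{"backend": {"serviceName": "legacy-api"}}]}}]}},
]


def backend_services(ingress):
    """Service names an Ingress routes to (networking.k8s.io/v1 and v1beta1 shapes)."""
    spec = ingress.get("spec") or {}
    backends = [spec.get("defaultBackend"), spec.get("backend")]
    for rule in spec.get("rules") or []:
        backends += [p.get("backend") for p in (rule.get("http") or {}).get("paths") or []]
    names = set()
    for backend in filter(None, backends):
        name = (backend.get("service") or {}).get("name") or backend.get("serviceName")
        if name:
            names.add(name)
    return names


def audit(items):
    """Return (namespace, ingress, finding, detail) tuples for objects affected by the upgrade."""
    external = {(s["metadata"]["namespace"], s["metadata"]["name"]) for s in items
                if s["kind"] == "Service" and (s.get("spec") or {}).get("type") == "ExternalName"}
    findings = []
    for ing in (i for i in items if i["kind"] == "Ingress"):
        ns, name = ing["metadata"]["namespace"], ing["metadata"]["name"]
        for key in sorted(ing["metadata"].get("annotations") or {}):
            if key.endswith("-snippet"):  # matches the changelog's "*-snippet"
                findings.append((ns, name, "snippet-annotation", key))
        for svc in sorted(backend_services(ing)):
            if (ns, svc) in external:  # backends resolve in the Ingress's own namespace
                findings.append((ns, name, "externalname-backend", svc))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

An empty result means no Ingress in the input depends on either feature, so neither default needs to be overridden in user values.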
1.17.0 - 2021-06-16
1.16.1 - 2021-04-20
- Pass through annotations and labels to the controller service
1.16.0 - 2021-04-15
- Fixes validation of cpu requests and limits to allow for string and integer values.
- Update controller container image to v0.45.0 to correct OpenSSL CVEs. (#188)
- Change monitoring service port to 10254. (#188)
1.15.1 - 2021-04-01
- Add configuration options for failurePolicy and timeoutSeconds of validating webhook configuration. (#186)
1.15.0 - 2021-03-01
- Update controller container image to v0.44.0 and kube-webhook-certgen container image to 1.5.1. (#179)
- Remove conflicting admission webhook api versions. (#178)
- Remove unnecessary annotation. (#180)
1.14.1 - 2021-02-09
- Allow wildcard subdomains to be used in the external-dns annotation. (#174)
1.14.0 - 2021-02-03
- Add annotation to controller service for external-dns to use for filtering resources. (#169)
- Support user-provided annotations for the controller deployment. (#170)
1.13.0 - 2021-01-27
- Update image to v0.43.0. (#165)
1.12.0 - 2020-12-09
- Allow toggling of the --update-status flag. Disabling this feature stops NGINX IC from updating Ingress Loadbalancer status fields. (#151)
- Add ability to set podAntiAffinity scheduling method via the values file. (#146)
1.11.0 - 2020-11-18
- Add ability to extend nginx-ingress-controller with specific values from appcatalog.
- User value validation through a values.schema.json file based on the current values.yaml.
- Update image to v0.41.2. (#133)
1.10.0 - 2020-10-07
- Upgrade ingress-nginx-controller from v0.35.0 to v0.40.2.
  Important upstream changes to pay special attention to:
  - App/chart requires Kubernetes 1.16+ based platform release
    - It is recommended to change API group of Ingress resources from extensions/v1beta1 to networking.k8s.io/v1beta1 (available since Kubernetes 1.14)
  - Default configuration changes:
    - gzip-level default changed from 5 to 1
    - ssl-session-tickets default changed from true to false
    - use-gzip default changed from true to false
    - upstream-keepalive-connections changed from 32 to 320
    - upstream-keepalive-requests changed from 100 to 10000
- Support and enable by default mimalloc as a drop-in malloc replacement to reduce nginx memory utilization.
- Support configuring additional environment variables for NGINX Ingress Controller container, to support configuring additional mimalloc options.
- Adjust Helm hook-delete-policy and hook-weight to make admission webhook management more reliable.
1.9.2 - 2020-09-02
giantswarm.io/monitoring label (in addition to existing annotation) for the new sharded TC Prometheus to pick up the service.
- Upgrade to ingress-nginx v0.35.0.
1.9.1 - 2020-08-14
- Configure explicit helm hook weights to make validating webhook resource management reliable.
1.9.0 - 2020-08-13
- Support Ingress resources validating webhook.
1.8.4 - 2020-08-06
- Fix NetworkPolicy templating, to allow Pod ingress traffic (Prometheus scrape requests) on same port that the metrics/monitoring service advertises.
1.8.3 - 2020-07-31
- Fix controller RBAC permissions, granting "get" and "update" of leader election ConfigMap lock.
1.8.2 - 2020-07-31
- Fix controller RBAC permissions, granting "get" and "update" of leader election ConfigMap lock.
1.8.1 - 2020-07-28
- Make node ports configurable for NodePort Service type.
1.8.0 - 2020-07-24
In older releases the NGINX IC LoadBalancer Service name was hardcoded to nginx-ingress-controller. As of this release, to ensure Service name uniqueness when running multiple NGINX ICs per cluster, the LoadBalancer Service name is dynamic, derived from the Helm release name, i.e. the App Custom Resource (CR) name. Therefore, if you're upgrading from an older NGINX IC App release to v1.8.0+, the existing NGINX IC LoadBalancer Service may get replaced by a new one for every NGINX IC App CR whose name is not nginx-ingress-controller.
When the NGINX IC LoadBalancer Service gets recreated, the cloud service provider (CSP) load balancer behind it gets recycled as well. It can take a minute or so for ingress DNS records to be updated by external-dns and for the change to propagate to clients. During that time there's ingress traffic downtime, since clients still resolve the old CSP load balancer, which is no longer present.
Please take the potential ingress downtime (a minute or so) into consideration when planning the NGINX IC App upgrade from older to v1.8.0+.
To keep the downtime as short as possible, external-dns availability is an important precondition. In recent platform releases (Azure v12.0.2, and AWS v12.1.4 and v11.5.4) we've improved external-dns monitoring and alerting.
Therefore, before upgrading the NGINX IC optional app to v1.8.0+, please make sure that your cluster has been upgraded to the latest platform release.
- Support multiple NGINX IC App installations per tenant cluster.
- Dropped support for deprecated configuration properties:
  - configmap.annotations-prefix
  - configmap.default-ssl-certificate
  - configmap.hpa-enabled
  - configmap.hpa-max-replicas
  - configmap.hpa-min-replicas
  - configmap.hpa-target-cpu-utilization-percentage
  - configmap.hpa-target-memory-utilization-percentage
  - configmap.ingress-class
1.7.3 - 2020-07-16
- Upgrade to ingress-nginx v0.34.1.
1.7.2 2020-07-10
- Upgrade to ingress-nginx v0.34.0.
1.7.1 2020-07-07
- Support additional Service, for internal traffic. Existing Service can still be configured to be either for public (default) or internal traffic.
- Make monitoring headless Service non-optional.
- Enable managed app monitoring via monitoring service.
1.7.0 2020-06-29
- Use LoadBalancer Service on Azure.
- Change controller.service.type to LoadBalancer/NodePort, and introduce controller.service.public for public/internal service classification.
- Upgrade to ingress-nginx 0.33.0.
1.6.12 2020-06-04
- Make healthcheck probes configurable.
- Make liveness probe more resilient.
1.6.11 2020-05-26
- Align labels, use app.kubernetes.io/name instead of k8s-app where possible. k8s-app remains to be used for compatibility reasons, as selectors are not modifiable without recreating the Deployment.
1.6.10 2020-04-29
- Make NGINX IC Service externalTrafficPolicy configurable and default to Local.
1.6.9 2020-04-22
- Restrict PodSecurityPolicy volumes to only those required (removes wildcard).
- Tune net.ipv4.ip_local_port_range to 1024 65535 as a safe sysctl.
- Tune net.core.somaxconn to 32768 via an initContainer with privilege escalation.
- Use 4 worker processes by default.
- Use upstream default of max-worker-connections of 16384.
- Ignore NGINX IC Deployment replica count configuration when HorizontalPodAutoscaler is enabled.
- Drop unnecessary Helm release revision annotation from NGINX IC Deployment.
- Adjust README for display in the web interface context.
1.6.8 2020-04-09
- Default max-worker-connections to 0, making it same as max-worker-open-files i.e. max open files (system's limit) / worker-processes - 1024. This optimizes for high load conditions where it improves performance at the cost of increasing RAM utilization (even on idle).
- HorizontalPodAutoscaler was tuned to use targetMemoryUtilizationPercentage of 80 due to increased RAM utilization with new default for max-worker-connections of 0.
- Removed use of enable-dynamic-certificates CLI flag, it has been deprecated since ingress-nginx 0.26.0 via ingress-nginx PR #4356
- Changed default error-log-level from error to notice.
- Added a link to the README in the sources of Chart.yaml
1.6.7 2020-04-08
- Align graceful termination configuration with changes made in upstream ingress-nginx 0.26.0 (see related PR #4487 and important section in 0.26.0 release notes).
  - Make NGINX IC Deployment's terminationGracePeriodSeconds configurable and align its default with configmap.worker-shutdown-timeout
  - Make NGINX IC controller container lifecycle hooks configurable, and change from sleep 60 to using /wait-shutdown as preStop hook.
- Make controller.minReadySeconds configurable.
1.6.6 2020-04-01
- Change deployment to use release revision not time for Helm 3 support.
1.6.5 2020-03-23
- Fix small cluster profile resource requests. (#42)
1.6.4 2020-03-17
- Disable HPA and PDB for xs clusters since NGINX Deployment resource requests are not set there. (#40)
1.6.3 2020-03-16
- Adjust resource requests, HPA and PDB depending on determined cluster profile; supported cluster profiles include xxs, xs, small, and larger than small or unknown. (#38)
  By default, for nginx on:
  - xxs clusters - clear resource requests, HPA and PDB are disabled
  - xs clusters - clear resource requests, enabled HPA and PDB
  - small clusters - have some resource requests, HPA and PDB are enabled
  - clusters larger than small or unknown - have decent resource requests i.e. capacity out-of-the-box, and HPA and PDB are enabled.
1.6.2 2020-03-12
- Reintroduced config properties which should have been just deprecated but got dropped prematurely in v1.4.0 (#36)
  - configmap.annotations-prefix
  - configmap.default-ssl-certificate
  - configmap.hpa-enabled
  - configmap.hpa-max-replicas
  - configmap.hpa-min-replicas
  - configmap.hpa-target-cpu-utilization-percentage
  - configmap.hpa-target-memory-utilization-percentage
  - configmap.ingress-class
1.6.1 2020-03-10
- Disable HPA, PDB and clear resource requests for extra small clusters. (#34)
1.6.0 2020-02-28
- Upgrade to nginx-ingress-controller 0.30.0. (#31)
- Configured app icon. (#32)
- Enabled HorizontalPodAutoscaler by default. (#27)
- Based on HPA trials done so far, following settings have been adjusted to better fit actual observed usage profiles:
  - CPU resource requests have been adjusted from 500m to 2 CPU
    - 0.5 CPU was not enough for all the processes NGINX Ingress Controller starts
  - Memory requests changed from 600Mi to 2.5GB
    - Scaling out does not shard Ingress definitions and other configurations stored in memory of every nginx-ingress-controller replica
    - Memory usage spikes during configuration reloads
    - It improves the HPA stability
  - Default number of nginx worker processes was changed from 4 to 1
    - This reduced memory usage of each replica
    - It didn't affect request handling capacity
    - Better defaults considering CPU requests and number of processes running on every nginx-ingress-controller replica.
- To avoid cluster-operator and HPA collision and nginx service disruption, this release also breaks with cluster-operator controllable nginx ingress controller Deployment replicas count
  - ingressController.replicas which was previously dynamically set by cluster-operator is now removed
  - New controller.replicaCount config property is introduced, default replica count is set to 1, and then by default enabled HPA takes it over from there, by default scaling the Deployment in range of 1 to 20 replicas
  - If HPA gets disabled on-demand, replica count will stay static if not manually or automatically changed by some third party.
1.5.0 2020-02-18
- Disable nginx NodePort Service by default, having legacy cluster-operator enable it for legacy Azure only. (#29)
- Upgrade to nginx-ingress-controller 0.29.0. (#30)
1.4.0 2020-02-10
- Support overriding all nginx configmap settings. (#26)
1.3.0 2020-01-30
- Upgrade to nginx-ingress-controller 0.28.0. (#24)
1.2.1 2020-01-29
- Support proxy protocol for AWS. (#23)
1.2.0 2020-01-21
- Upgrade to nginx-ingress-controller 0.27.1. (#20)
- Add metrics Service for prometheus-operator support. (#19)
- Allow overriding of nginx SSL protocol default setting. (#17)
1.1.1 2020-01-04
- Updated manifests for Kubernetes 1.16. (#16)
- Migrate to managed application structure.
kubernetes-nginx-ingress-controller repository is deprecated.
Previous versions changelog can be found here