From 67b4b08e99d1c768b64f031ae4405ab3c5523383 Mon Sep 17 00:00:00 2001
From: Caleb Boylan
Date: Thu, 7 Aug 2025 06:37:14 -0700
Subject: [PATCH] feat: upgrade ingress-nginx (#537)
Signed-off-by: Caleb Boylan
Co-authored-by: Pankaj Walke
---
 .../cm-ingress-nginx-controller.yaml | 1 +
 hack/ingress-nginx/kustomization.yaml | 21 +++++++-
 .../resources/nginx/k8s/ingress-nginx.yaml | 53 +++++++++++--------
 3 files changed, 51 insertions(+), 24 deletions(-)
diff --git a/hack/ingress-nginx/cm-ingress-nginx-controller.yaml b/hack/ingress-nginx/cm-ingress-nginx-controller.yaml
index a99685421..65e726fe1 100644
--- a/hack/ingress-nginx/cm-ingress-nginx-controller.yaml
+++ b/hack/ingress-nginx/cm-ingress-nginx-controller.yaml
@@ -6,4 +6,5 @@ metadata:
 data:
 allow-snippet-annotations: "true"
 proxy-buffer-size: "32k"
+ proxy-busy-buffers-size: "32k"
 use-forwarded-headers: "true"
diff --git a/hack/ingress-nginx/kustomization.yaml b/hack/ingress-nginx/kustomization.yaml
index 8ddf09ad4..e96ca0ccd 100644
--- a/hack/ingress-nginx/kustomization.yaml
+++ b/hack/ingress-nginx/kustomization.yaml
@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/kind/deploy.yaml
+ - https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.13.0/deploy/static/provider/kind/deploy.yaml
 patches:
 - path: deployment-ingress-nginx.yaml
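Review bot: `allow-snippet-annotations: "true"` is carried across this upgrade unchanged in the `@@ -6,4 +6,5 @@` ConfigMap hunk (and again in the `@@ -325,6 +325,7 @@` hunk of ingress-nginx.yaml), which leaves raw nginx snippets open to anyone who can create an Ingress in the cluster. As far as I know, releases from 1.12 on also gate these annotations behind `annotations-risk-level`, so it is worth confirming after the bump whether snippets are still accepted at all. If nothing in the stack relies on them, set `allow-snippet-annotations: "false"`; if something does, add a comment above the key naming the consumer and set the risk level explicitly rather than depending on a default.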
@@ -17,3 +17,22 @@ patches:
 kind: Kustomization
 metadata:
 name: ingress-nginx-controller
+ # ArgoCD has poor support for ttlSecondsAfterFinished and it shouldn't be essential to clean these up
+ - target:
+ group: batch
+ version: v1
+ kind: Job
+ name: ingress-nginx-admission-create
+ namespace: ingress-nginx
+ patch: |
+ - op: remove
+ path: /spec/ttlSecondsAfterFinished
+ - target:
+ group: batch
+ version: v1
+ kind: Job
+ name: ingress-nginx-admission-patch
+ namespace: ingress-nginx
+ patch: |
+ - op: remove
+ path: /spec/ttlSecondsAfterFinished
diff --git a/pkg/controllers/localbuild/resources/nginx/k8s/ingress-nginx.yaml b/pkg/controllers/localbuild/resources/nginx/k8s/ingress-nginx.yaml
index a68932bcc..1820fe560 100644
--- a/pkg/controllers/localbuild/resources/nginx/k8s/ingress-nginx.yaml
+++ b/pkg/controllers/localbuild/resources/nginx/k8s/ingress-nginx.yaml
@@ -17,7 +17,7 @@ metadata:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: ingress-nginx
 namespace: ingress-nginx
 ---
@@ -30,7 +30,7 @@ metadata:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: ingress-nginx-admission
 namespace: ingress-nginx
 ---
@@ -42,7 +42,7 @@ metadata:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: ingress-nginx
 namespace: ingress-nginx
 rules:
@@ -132,7 +132,7 @@ metadata:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: ingress-nginx-admission
 namespace: ingress-nginx
 rules:
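Review bot: With `ttlSecondsAfterFinished` removed by the two patches in the `@@ -17,3 +17,22 @@` hunk, the finished `ingress-nginx-admission-create` and `ingress-nginx-admission-patch` Jobs stay in the cluster, and a Job's pod template is immutable, so a later certgen image bump applied over the existing objects is likely to be rejected. The comment should say how upgrades are expected to replace the old Jobs, for example `# Jobs are kept after completion; delete them (or sync with replace) before applying a new certgen image`. The two patch entries are identical except for `name`; kustomize matches target names as regular expressions, so a single entry with `name: ingress-nginx-admission-(create|patch)` would keep them from drifting apart.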
@@ -151,7 +151,7 @@ metadata:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: ingress-nginx
 rules:
 - apiGroups:
@@ -233,7 +233,7 @@ metadata:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -252,7 +252,7 @@ metadata:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: ingress-nginx
 namespace: ingress-nginx
 roleRef:
@@ -272,7 +272,7 @@ metadata:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: ingress-nginx-admission
 namespace: ingress-nginx
 roleRef:
@@ -291,7 +291,7 @@ metadata:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: ingress-nginx
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -310,7 +310,7 @@ metadata:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: ingress-nginx-admission
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -325,6 +325,7 @@ apiVersion: v1
 data:
 allow-snippet-annotations: "true"
 proxy-buffer-size: 32k
+ proxy-busy-buffers-size: 32k
 use-forwarded-headers: "true"
 kind: ConfigMap
 metadata:
@@ -333,7 +334,7 @@ metadata:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: ingress-nginx-controller
 namespace: ingress-nginx
 ---
@@ -345,7 +346,7 @@ metadata:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: ingress-nginx-controller-admission
 namespace: ingress-nginx
 spec:
@@ -368,7 +369,7 @@ metadata:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: ingress-nginx-controller
 namespace: ingress-nginx
 spec:
@@ -392,6 +393,7 @@ spec:
 app.kubernetes.io/part-of: ingress-nginx
 app.kubernetes.io/version: 1.8.1
 spec:
+ automountServiceAccountToken: true
 containers:
 - args:
 - /nginx-ingress-controller
@@ -417,7 +419,7 @@ spec:
 fieldPath: metadata.namespace
 - name: LD_PRELOAD
 value: /usr/local/lib/libmimalloc.so
- image: registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce
+ image: registry.k8s.io/ingress-nginx/controller:v1.13.0@sha256:dc75a7baec7a3b827a5d7ab0acd10ab507904c7dad692365b3e3b596eca1afd2
 imagePullPolicy: IfNotPresent
 lifecycle:
 preStop:
@@ -469,6 +471,7 @@ spec:
 drop:
 - ALL
 readOnlyRootFilesystem: false
+ runAsGroup: 82
 runAsNonRoot: true
 runAsUser: 101
 seccompProfile:
@@ -479,7 +482,6 @@ spec:
 readOnly: true
 dnsPolicy: ClusterFirst
 nodeSelector:
- ingress-ready: "true"
 kubernetes.io/os: linux
 serviceAccountName: ingress-nginx
 terminationGracePeriodSeconds: 0
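Review bot: The pod template label in the `@@ -392,6 +393,7 @@` hunk still reads `app.kubernetes.io/version: 1.8.1` while the Deployment metadata and the controller image in the following hunk move to 1.13.0, so anything that inventories running versions by label (vulnerability triage, for instance) will report the wrong release. It should read `app.kubernetes.io/version: 1.13.0`. This file looks like kustomize output, so the stale value presumably comes from the `deployment-ingress-nginx.yaml` patch listed in hack/ingress-nginx/kustomization.yaml and is best fixed there. The Deployment's selector lies outside the hunk, so confirm it does not include the version label before changing it.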
@@ -503,7 +505,7 @@ metadata:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: ingress-nginx-admission-create
 namespace: ingress-nginx
 spec:
@@ -514,9 +516,10 @@ spec:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: ingress-nginx-admission-create
 spec:
+ automountServiceAccountToken: true
 containers:
 - args:
 - create
@@ -528,7 +531,7 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
- image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3
+ image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.0@sha256:c9f76a75fd00e975416ea1b73300efd413116de0de8570346ed90766c5b5cefb
 imagePullPolicy: IfNotPresent
 name: create
 securityContext:
@@ -537,6 +540,7 @@ spec:
 drop:
 - ALL
 readOnlyRootFilesystem: true
+ runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
 seccompProfile:
@@ -554,7 +558,7 @@ metadata:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: ingress-nginx-admission-patch
 namespace: ingress-nginx
 spec:
@@ -565,9 +569,10 @@ spec:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: ingress-nginx-admission-patch
 spec:
+ automountServiceAccountToken: true
 containers:
 - args:
 - patch
@@ -581,7 +586,7 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
- image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3
+ image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.0@sha256:c9f76a75fd00e975416ea1b73300efd413116de0de8570346ed90766c5b5cefb
 imagePullPolicy: IfNotPresent
 name: patch
 securityContext:
@@ -590,6 +595,7 @@ spec:
 drop:
 - ALL
 readOnlyRootFilesystem: true
+ runAsGroup: 65532
 runAsNonRoot: true
 runAsUser: 65532
 seccompProfile:
@@ -607,7 +613,7 @@ metadata:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: nginx
 spec:
 controller: k8s.io/ingress-nginx
@@ -620,7 +626,7 @@ metadata:
 app.kubernetes.io/instance: ingress-nginx
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
- app.kubernetes.io/version: 1.11.2
+ app.kubernetes.io/version: 1.13.0
 name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
@@ -630,6 +636,7 @@ webhooks:
 name: ingress-nginx-controller-admission
 namespace: ingress-nginx
 path: /networking/v1/ingresses
+ port: 443
 failurePolicy: Fail
 matchPolicy: Equivalent
 name: validate.nginx.ingress.kubernetes.io