kubectl code overview info

remove 0.46.0 from supported versions table (kubernetes#8258) Minor fix for missing pathType property (kubernetes#8244) Updated confusing error (kubernetes#8262) Add a certificate info metric (kubernetes#8253) When the ingress controller loads certificates (new ones or following a secret update), it performs a series of check to ensure its validity. In our systems, we detected a case where, when the secret object is compromised, for example when the certificate does not match the secret key, different pods of the ingress controller are serving a different version of the certificate. This behaviour is due to the cache mechanism of the ingress controller, keeping the last known certificate in case of corruption. When this happens, old ingress-controller pods will keep serving the old one, while new pods, by failing to load the corrupted certificates, would use the default certificate, causing invalid certificates for its clients. This generates a random error on the client side, depending on the actual pod instance it reaches. In order to allow detecting occurences of those situations, add a metric to expose, for all ingress controlller pods, detailed informations of the currently loaded certificate. This will, for example, allow setting an alert when there is a certificate discrepency across all ingress controller pods using a query similar to `sum(nginx_ingress_controller_ssl_certificate_info{host="name.tld"})by(serial_number)` This also allows to catch other exceptions loading certificates (failing to load the certificate from the k8s API, ... Co-authored-by: Daniel Ricart <[email protected]> Co-authored-by: Daniel Ricart <[email protected]> Issue#8241 (kubernetes#8273) * replace daemon set for deployment manifest * nit Start Release process for v1.1.2 (kubernetes#8275) Signed-off-by: Jintao Zhang <[email protected]> Add fsGroup value to admission-webhooks/job-patch charts (kubernetes#8267) * added fsGroup to admission createSecret and patchWebhook job * added fsGroup to admission createSecret and patchWebhook job * modified helm/README.md to add value for fsGroup * fixed patch job values ordering * remove manually edited README for replacement with helm-docs generated version * re-adding charts/README.md generated by helm-docs Add OpenSSF Best practices badge (kubernetes#8277) fix: deny locations with invalid auth-url annotation (kubernetes#8256) * fix: deny locations with invalid auth-url annotation Signed-off-by: m.nabokikh <[email protected]> * Delete duplicate test Signed-off-by: m.nabokikh <[email protected]> force prow job by changing something in images/ot dir (kubernetes#8281) Images dir was merged in before the test-infra prow job, so the image was never built. kubernetes#8013 Jan 16 https://github.com/kubernetes/test-infra/pull/25344/files Prow job 4 days ago. Fix OpenTelemetry sidecar image build (kubernetes#8286) * fix wrong checksum for nginx image * fix wrong platform. Arm64 has grpc, when arm doesn't update tag for image (kubernetes#8290) remove git tag env from cloud build the latest git tag is from helm, so force the make file use of TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) release-v1.1.2-continued (kubernetes#8294) * v1.1.2 release Signed-off-by: Jintao Zhang <[email protected]> * release-v1.1.2-continued Co-authored-by: Jintao Zhang <[email protected]> docs: fix changelog formatting (kubernetes#8302) leaving it the git tag (kubernetes#8311) fixing the git tag for the image version, it is what it is . Missing annotations (kubernetes#8288) Not quite sure but It seems that `nginx.ingress.kubernetes.io/canary-by-header` is missing. Names cannot contain _ (underscore)! So I changed it to -. (kubernetes#8300) * The name can't use _(underscore)! So fix it! The name can't use _(underscore)! So fix it! * Fix configMap name can't use _(underscore) Fix configMap name can't use _(underscore) Pinned GitHub workflows by SHA (kubernetes#8334) - Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies - Included permissions for some of the actions. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions Dependabot can upgrade pinned version of actions. Update monitoring.md (kubernetes#8324) Added missing repo on "helm upgrade" command Add the shareProcessNamespace as a configurable setting. (kubernetes#8287) Nginx v1.19.10 (kubernetes#8307) kubectl code overview info
kundan2707 · Mar 17, 2022 · b347d86 · b347d86
1 parent c9f6121
commit b347d86
Show file tree

Hide file tree

Showing 93 changed files with 7,883 additions and 1,819 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -9,9 +9,15 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
 
   changes:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
     runs-on: ubuntu-latest
     outputs:
       go: ${{ steps.filter.outputs.go }}
@@ -20,9 +26,9 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
-      - uses: dorny/paths-filter@v2
+      - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2
         id: filter
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -43,10 +49,10 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
       - name: Run Gosec Security Scanner
-        uses: securego/gosec@master
+        uses: securego/gosec@b99b5f7838e43a4104354ad92a6a1774302ee1f9 # master
         with:
           # G601 for zz_generated.deepcopy.go
           # G306 TODO: Expect WriteFile permissions to be 0600 or less
@@ -61,17 +67,17 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
       - name: Set up Go 1.17
         id: go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
         with:
           go-version: '1.17.6'
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: crazy-max/ghaction-docker-buildx@v1
+        uses: crazy-max/ghaction-docker-buildx@e01797ad2ea9a981005ad58c99afa8d842e3d3eb # v1
         with:
           buildx-version: latest
           qemu-version: latest
@@ -104,7 +110,7 @@ jobs:
             | pigz > docker.tar.gz
 
       - name: cache
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2
         with:
           name: docker.tar.gz
           path: docker.tar.gz
@@ -121,15 +127,15 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
         with:
           go-version: '1.17.6'
 
       - name: cache
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@f023be2c48cc18debc3bacd34cb396e0295e2869 # v2
         with:
           name: docker.tar.gz
 
@@ -162,12 +168,12 @@ jobs:
 
       - name: Create Kubernetes cluster
         id: kind
-        uses: engineerd/[email protected]
+        uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
         with:
           version: v0.11.1
           image: kindest/node:v1.21.1
 
-      - uses: geekyeggo/delete-artifact@v1
+      - uses: geekyeggo/delete-artifact@a6ab43859c960a8b74cbc6291f362c7fb51829ba # v1
         with:
           name: docker.tar.gz
           failOnError: false
@@ -202,22 +208,22 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
       - name: cache
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@f023be2c48cc18debc3bacd34cb396e0295e2869 # v2
         with:
           name: docker.tar.gz
 
       - name: Create Kubernetes ${{ matrix.k8s }} cluster
         id: kind
-        uses: engineerd/[email protected]
+        uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
         with:
           version: v0.11.1
           config: test/e2e/kind.yaml
           image: kindest/node:${{ matrix.k8s }}
 
-      - uses: geekyeggo/delete-artifact@v1
+      - uses: geekyeggo/delete-artifact@a6ab43859c960a8b74cbc6291f362c7fb51829ba # v1
         with:
           name: docker.tar.gz
           failOnError: false
@@ -245,14 +251,17 @@ jobs:
           make kind-e2e-test
 
   test-image-build:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
     runs-on: ubuntu-latest
     env:
       PLATFORMS: linux/amd64
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
-      - uses: dorny/paths-filter@v2
+      - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2
         id: filter-images
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -302,14 +311,17 @@ jobs:
           cd images/kube-webhook-certgen && make build
 
   test-image:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
     runs-on: ubuntu-latest
     env:
       PLATFORMS: linux/amd64
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
-      - uses: dorny/paths-filter@v2
+      - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2
         id: filter-images
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -320,15 +332,15 @@ jobs:
       - name: Create Kubernetes cluster
         id: kind
         if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
-        uses: engineerd/[email protected]
+        uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 # v0.5.0
         with:
           version: v0.11.1
           image: kindest/node:v1.21.1
 
       - name: Set up Go 1.17
         id: go
         if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
         with:
           go-version: '1.17.6'
 

diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
@@ -8,6 +8,9 @@ on:
 jobs:
 
   changes:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
     runs-on: ubuntu-latest
     if: |
       (github.repository == 'kubernetes/ingress-nginx')
@@ -18,15 +21,15 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
-      - uses: dorny/paths-filter@v2
+      - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2
         id: filter
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           filters: |
             docs:
-              - 'docs/**/*'
+             - 'docs/**/*'
 
   docs:
     name: Update
@@ -43,9 +46,9 @@ jobs:
     steps:
 
       - name: Checkout master
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
       - name: Deploy
         uses: ./.github/actions/mkdocs
         env:
-          PERSONAL_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          PERSONAL_TOKEN: "${{ secrets.GITHUB_TOKEN }}" 
diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml
@@ -9,6 +9,9 @@ on:
 jobs:
 
   changes:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
     runs-on: ubuntu-latest
     if: |
       (github.repository == 'kubernetes/ingress-nginx')
@@ -19,9 +22,9 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 
-      - uses: dorny/paths-filter@v2
+      - uses: dorny/paths-filter@b2feaf19c27470162a626bd6fa8438ae5b263721 # v2
         id: filter
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -46,7 +49,7 @@ jobs:
     steps:
 
       - name: Checkout master
-        uses: actions/checkout@v2
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
         with:
           # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896
           fetch-depth: 0
@@ -58,7 +61,7 @@ jobs:
           git config --global user.email "[email protected]"
       
       - name: Run chart-releaser
-        uses: helm/[email protected]
+        uses: helm/chart-releaser-action@c25b74a986eb925b398320414b576227f375f946 # v1.2.1
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"

diff --git a/Changelog.md b/Changelog.md
@@ -1,5 +1,47 @@
 # Changelog
 
+### 1.1.2
+
+**Image:** 
+- k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
+
+This release bumps grpc version to 1.44.0 & runc to version 1.1.0. The release also re-introduces the ingress.class annotation, which was previously declared as deprecated. Besides that, several bug fixes and improvements are listed below.
+
+_Changes:_
+
+- [8291](https://github.com/kubernetes/ingress-nginx/pull/8291) remove git tag env from cloud build
+- [8286](https://github.com/kubernetes/ingress-nginx/pull/8286) Fix OpenTelemetry sidecar image build
+- [8277](https://github.com/kubernetes/ingress-nginx/pull/8277) Add OpenSSF Best practices badge
+- [8273](https://github.com/kubernetes/ingress-nginx/pull/8273) Issue#8241
+- [8267](https://github.com/kubernetes/ingress-nginx/pull/8267) Add fsGroup value to admission-webhooks/job-patch charts
+- [8262](https://github.com/kubernetes/ingress-nginx/pull/8262) Updated confusing error
+- [8256](https://github.com/kubernetes/ingress-nginx/pull/8256) fix: deny locations with invalid auth-url annotation
+- [8253](https://github.com/kubernetes/ingress-nginx/pull/8253) Add a certificate info metric
+- [8236](https://github.com/kubernetes/ingress-nginx/pull/8236) webhook: remove useless code.
+- [8227](https://github.com/kubernetes/ingress-nginx/pull/8227) Update libraries in webhook image
+- [8225](https://github.com/kubernetes/ingress-nginx/pull/8225) fix inconsistent-label-cardinality for prometheus metrics: nginx_ingress_controller_requests
+- [8221](https://github.com/kubernetes/ingress-nginx/pull/8221) Do not validate ingresses with unknown ingress class in admission webhook endpoint
+- [8210](https://github.com/kubernetes/ingress-nginx/pull/8210) Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.1
+- [8209](https://github.com/kubernetes/ingress-nginx/pull/8209) Bump google.golang.org/grpc from 1.43.0 to 1.44.0
+- [8204](https://github.com/kubernetes/ingress-nginx/pull/8204) Add Artifact Hub lint
+- [8203](https://github.com/kubernetes/ingress-nginx/pull/8203) Fix Indentation of example and link to cert-manager tutorial
+- [8201](https://github.com/kubernetes/ingress-nginx/pull/8201) feat(metrics): add path and method labels to requests countera
+- [8199](https://github.com/kubernetes/ingress-nginx/pull/8199) use functional options to reduce number of methods creating an EchoDeployment
+- [8196](https://github.com/kubernetes/ingress-nginx/pull/8196) docs: fix inconsistent controller annotation
+- [8191](https://github.com/kubernetes/ingress-nginx/pull/8191) Using Go install for misspell
+- [8186](https://github.com/kubernetes/ingress-nginx/pull/8186) prometheus+grafana using servicemonitor
+- [8185](https://github.com/kubernetes/ingress-nginx/pull/8185) Append elements on match, instead of removing for cors-annotations
+- [8179](https://github.com/kubernetes/ingress-nginx/pull/8179) Bump github.com/opencontainers/runc from 1.0.3 to 1.1.0
+- [8173](https://github.com/kubernetes/ingress-nginx/pull/8173) Adding annotations to the controller service account
+- [8163](https://github.com/kubernetes/ingress-nginx/pull/8163) Update the $req_id placeholder description
+- [8162](https://github.com/kubernetes/ingress-nginx/pull/8162) Versioned static manifests
+- [8159](https://github.com/kubernetes/ingress-nginx/pull/8159) Adding some geoip variables and default values
+- [8155](https://github.com/kubernetes/ingress-nginx/pull/8155) #7271 feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1
+- [8151](https://github.com/kubernetes/ingress-nginx/pull/8151) Automatically generate helm docs
+- [8143](https://github.com/kubernetes/ingress-nginx/pull/8143) Allow to configure delay before controller exits
+- [8136](https://github.com/kubernetes/ingress-nginx/pull/8136) add ingressClass option to helm chart - back compatibility with ingress.class annotations
+
+
 ### 1.1.1
 
 **Image:** 

diff --git a/README.md b/README.md
@@ -1,5 +1,6 @@
 # Ingress NGINX Controller
 
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5691/badge)](https://bestpractices.coreinfrastructure.org/projects/5691)
 [![Go Report Card](https://goreportcard.com/badge/github.com/kubernetes/ingress-nginx)](https://goreportcard.com/report/github.com/kubernetes/ingress-nginx)
 [![GitHub license](https://img.shields.io/github/license/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/blob/main/LICENSE)
 [![GitHub stars](https://img.shields.io/github/stars/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/stargazers)
@@ -30,6 +31,7 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 
 | Ingress-NGINX version | k8s supported version        | Alpine Version | Nginx Version |
 |-----------------------|------------------------------|----------------|---------------|
+| v1.1.2                | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.1.1                | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2         |  1.19.9†      |
 | v1.1.0                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
 | v1.0.5                | 1.22, 1.21, 1.20, 1.19       | 3.14.2         |  1.19.9†      |
@@ -45,7 +47,6 @@ For detailed changes on the `ingress-nginx` helm chart, please check the followi
 | v0.49.0               | 1.21, 1.20, 1.19             | 3.13.5         |  1.20.1       |
 | v0.48.1               | 1.21, 1.20, 1.19             | 3.13.5         |  1.20.1       |
 | v0.47.0               | 1.21, 1.20, 1.19             | 3.13.5         |  1.20.1       |
-| v0.46.0               | 1.21, 1.20, 1.19             | 3.13.2         |  1.19.6       |
 
 † _This build is [patched against CVE-2021-23017](https://github.com/openresty/openresty/commit/4b5ec7edd78616f544abc194308e0cf4b788725b#diff-42ef841dc27fe0b5aa2d06bd31308bb63a59cdcddcbcddd917248349d22020a3)._
 

diff --git a/RELEASE.md b/RELEASE.md
@@ -205,10 +205,10 @@ Promoting the images basically means that images, that were pushed to staging co
             done <$file
 
             ```
-          - If you saved the bash script content above, in a file called `prlist_to_changelog.sh`, then you could execute a command like this to get your prlist in a text file called changelog_content.txt;`
+          - If you saved the bash script content above, in a file like `$HOME/bin/prlist_to_changelog.sh`, then you could execute a command like this to get your prlist in a text file called changelog_content.txt;`
 
           ```
-          prlist_to_changelog.sh prlist.txt > changelog_content.txt`
+          prlist_to_changelog.sh prlist.txt > /tmp/changelog_content.txt`
           ```
 
 ### d. Edit the values.yaml and run helm-docs
@@ -233,13 +233,9 @@ Promoting the images basically means that images, that were pushed to staging co
   - This script depends on kustomize and helm. The versions are pinned in `hack/.tool-versions` and you can use [asdf](https://github.com/asdf-vm/asdf#asdf) to install them
 
   - Execute the script to update static manifests using that script [hack/generate-deploy-scripts.sh](https://github.com/kubernetes/ingress-nginx/blob/main/hack/generate-deploy-scripts.sh)
-
   - Open some of the manifests and check if the script worked properly
 
-  - Use grep -ir to search for any misses by the script or undesired changes
-
-  - The script should properly set the image and the digest fields to the desired tag and semver
-
+  - Use `grep -ir image: | less` on the deploy directory, to view for any misses by the script on image digest value or other undesired changes. The script should properly set the image and the digest fields to the desired tag and semver
 
 
 ### f. Edit the changelog

diff --git a/TAG b/TAG
@@ -1 +1 @@
-v1.1.1
+v1.1.2