From 6ce07ed730d105ae519379c66cb9a8ecf4c20d54 Mon Sep 17 00:00:00 2001 
From: Luca Comellini Date: Tue, 27 Jun 2023 20:35:19 +0200 Subject: [PATCH] Release 3.2.0 (#4055) --- CHANGELOG.md | 161 +++++++++- README.md | 4 +- deployments/daemon-set/nginx-ingress.yaml | 4 +- .../daemon-set/nginx-plus-ingress.yaml | 4 +- deployments/deployment/nginx-ingress.yaml | 4 +- .../deployment/nginx-plus-ingress.yaml | 4 +- deployments/helm-chart/Chart.yaml | 8 +- deployments/helm-chart/README.md | 64 ++-- deployments/helm-chart/values-icp.yaml | 2 +- deployments/helm-chart/values-plus.yaml | 2 +- deployments/helm-chart/values.yaml | 3 +- docs/content/app-protect-dos/configuration.md | 10 +- docs/content/app-protect-dos/installation.md | 25 +- docs/content/app-protect-waf/configuration.md | 82 ++--- docs/content/app-protect-waf/installation.md | 16 +- .../configuration/configuration-examples.md | 5 +- .../configmap-resource.md | 21 +- .../global-configuration/custom-templates.md | 2 +- .../handling-host-and-listener-collisions.md | 24 +- ...advanced-configuration-with-annotations.md | 53 ++-- .../ingress-resources/basic-configuration.md | 13 +- .../cross-namespace-configuration.md | 4 +- .../ingress-resources/custom-annotations.md | 31 +- docs/content/configuration/policy-resource.md | 111 +++++-- .../configuration/transportserver-resource.md | 59 +++- ...server-and-virtualserverroute-resources.md | 84 +++-- .../building-ingress-controller-image.md | 8 +- .../installation/installation-with-helm.md | 64 ++-- .../installation-with-manifests.md | 168 ++++++---- .../installation-with-operator.md | 10 +- .../pulling-ingress-controller-image.md | 66 ++-- .../using-the-jwt-token-docker-secret.md | 36 ++- .../intro/nginx-ingress-controllers.md | 4 +- docs/content/intro/nginx-plus.md | 6 +- docs/content/releases.md | 294 ++++++++++++++++-- docs/content/technical-specifications.md | 31 +- docs/content/tutorials/custom-listen-ports.md | 6 +- docs/content/tutorials/nginx-ingress-istio.md | 35 +-- docs/content/tutorials/nginx-ingress-osm.md | 48 ++- 
.../tutorials/oidc-custom-configuration.md | 47 +-- .../transport-server/README.md | 29 +- .../service-insight/README.md | 81 +++-- 42 files changed, 1187 insertions(+), 546 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 20d14a8a480..15f736ba68e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Changelog +### 3.2.0 + +An automatically generated list of changes can be found on GitHub at: [3.2.0 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.2.0) + +A curated list of changes can be found on the [Releases](http://docs.nginx.com/nginx-ingress-controller/releases/) page on the NGINX Documentation website. + ### 3.1.1 An automatically generated list of changes can be found on GitHub at: [3.1.1 Release](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.1.1) @@ -177,14 +183,17 @@ A curated list of changes can be found in the [Releases](http://docs.nginx.com/n ### 1.10.1 CHANGES: + * Update NGINX version to 1.19.8. * Add Kubernetes 1.20 support. * [1373](https://github.com/nginxinc/kubernetes-ingress/pull/1373), [1439](https://github.com/nginxinc/kubernetes-ingress/pull/1439), [1440](https://github.com/nginxinc/kubernetes-ingress/pull/1440): Fix various issues in the Makefile. In 1.10.0, a bug was introduced that prevented building Ingress Controller images on versions of make < 4.1. HELM CHART: + * The version of the Helm chart is now 0.8.1. UPGRADE: + * For NGINX, use the 1.10.1 image from our DockerHub: `nginx/nginx-ingress:1.10.1`, `nginx/nginx-ingress:1.10.1-alpine` or `nginx/nginx-ingress:1.10.1-ubi` * For NGINX Plus, please build your own image using the 1.10.1 source code. * For Helm, use version 0.8.1 of the chart. 
@@ -194,6 +203,7 @@ UPGRADE: OVERVIEW: Release 1.10.0 includes: + * Open ID Connect authentication policy. * Improved handling of Secret resources with extended validation and error reporting. * Improved visibility with Prometheus metrics for the configuration workqueue and the ability to annotate NGINX logs with the metadata of Kubernetes resources. @@ -203,17 +213,21 @@ Release 1.10.0 includes: You will find the complete changelog for release 1.10.0, including bug fixes, improvements, and changes below. FEATURES FOR POLICY RESOURCE: + * [1304](https://github.com/nginxinc/kubernetes-ingress/pull/1304) Add Open ID Connect policy. FEATURES FOR NGINX APP PROTECT: + * [1281](https://github.com/nginxinc/kubernetes-ingress/pull/1281) Add support for App Protect User Defined Signatures. FEATURES: + * [1266](https://github.com/nginxinc/kubernetes-ingress/pull/1266) Add workqueue metrics to Prometheus metrics. * [1233](https://github.com/nginxinc/kubernetes-ingress/pull/1233) Annotate tcp metrics with k8s object labels. * [1231](https://github.com/nginxinc/kubernetes-ingress/pull/1231) Support k8s objects variables in log format. IMPROVEMENTS: + * [1270](https://github.com/nginxinc/kubernetes-ingress/pull/1270) and [1277](https://github.com/nginxinc/kubernetes-ingress/pull/1277) Improve validation of Ingress annotations. * [1265](https://github.com/nginxinc/kubernetes-ingress/pull/1265) Report warnings for misconfigured TLS and JWK secrets. * [1262](https://github.com/nginxinc/kubernetes-ingress/pull/1262) Use setcap(8) only once. [1263](https://github.com/nginxinc/kubernetes-ingress/pull/1263) Use chown(8) only once. [1264](https://github.com/nginxinc/kubernetes-ingress/pull/1264) Use mkdir(1) only once. Thanks to [Sergey A. Osokin](https://github.com/osokin). 
@@ -223,12 +237,14 @@ IMPROVEMENTS: * Documentation improvements: [1282](https://github.com/nginxinc/kubernetes-ingress/pull/1282), [1293](https://github.com/nginxinc/kubernetes-ingress/pull/1293), [1303](https://github.com/nginxinc/kubernetes-ingress/pull/1303), [1315](https://github.com/nginxinc/kubernetes-ingress/pull/1315). HELM CHART: + * The version of the helm chart is now 0.8.0. * [1290](https://github.com/nginxinc/kubernetes-ingress/pull/1290) Add new preview policies parameter to chart. `controller.enablePreviewPolicies` was added. * [1232](https://github.com/nginxinc/kubernetes-ingress/pull/1232) Replace deprecated imagePullSecrets helm setting. `controller.serviceAccount.imagePullSecrets` was removed. `controller.serviceAccount.imagePullSecretName` was added. * [1228](https://github.com/nginxinc/kubernetes-ingress/pull/1228) Fix installation of ingressclass on Kubernetes versions `v1.18.x-*` CHANGES: + * [1299](https://github.com/nginxinc/kubernetes-ingress/pull/1299) Update NGINX App Protect version to 2.3 and debian distribution to `debian:buster-slim`. * [1291](https://github.com/nginxinc/kubernetes-ingress/pull/1291) Update NGINX OSS to `1.19.6`. Update NGINX Plus to `R23`. * [1290](https://github.com/nginxinc/kubernetes-ingress/pull/1290) Graduate policy resource and accessControl policy to generally available. 
@@ -236,15 +252,18 @@ CHANGES: * [1237](https://github.com/nginxinc/kubernetes-ingress/pull/1237) Deprecate support for helm2 clients. UPGRADE: + * For NGINX, use the 1.10.0 image from our DockerHub: `nginx/nginx-ingress:1.10.0`, `nginx/nginx-ingress:1.10.0-alpine` or `nginx-ingress:1.10.0-ubi` * For NGINX Plus, please build your own image using the 1.10.0 source code. * For Helm, use version 0.8.0 of the chart. * As a result of [1270](https://github.com/nginxinc/kubernetes-ingress/pull/1270) and [1277](https://github.com/nginxinc/kubernetes-ingress/pull/1277), the Ingress Controller improved validation of Ingress annotations: more annotations are validated and validation errors are reported via events for Ingress resources. Additionally, the default behavior for invalid annotation values was changed: instead of using the default values, the Ingress Controller will reject a resource with an invalid annotation value, which will make clients see `404` responses from NGINX. See this [document](https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/#validation) to learn more. Before upgrading, ensure the Ingress resources don't have annotations with invalid values. Otherwise, after the upgrade, the Ingress Controller will reject such resources. * In [1232](https://github.com/nginxinc/kubernetes-ingress/pull/1232) `controller.serviceAccount.imagePullSecrets` was removed. Use the new `controller.serviceAccount.imagePullSecretName` instead. * The Policy resource was promoted to `v1`. If you used the `alpha1` version, the policies are needed to be recreated with the `v1` version. Before upgrading the Ingress Controller, run the following command to remove the `alpha1` policies CRD (that will also remove all existing `alpha1` policies): - ``` + + ```console kubectl delete crd policies.k8s.nginx.org ``` + As part of the upgrade, make sure to create the `v1` policies CRD. 
See the corresponding instructions for the [manifests](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/#create-custom-resources) and [Helm](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-helm/#upgrading-the-crds) installations. Also note that all policies except for `accessControl` are still in preview. To enable them, run the Ingress Controller with `- -enable-preview-policies` command-line argument (`controller.enablePreviewPolicies` Helm parameter). 
@@ -253,43 +272,51 @@ UPGRADE: UPDATING SECRETS: In [1225](https://github.com/nginxinc/kubernetes-ingress/pull/1225), as part of improving how the Ingress Controller handles secret resources, we added a requirement for secrets to be of one of the following types: -- `kubernetes.io/tls` for TLS secrets. -- `nginx.org/jwk` for JWK secrets. -- `nginx.org/ca` for CA secrets. + +* `kubernetes.io/tls` for TLS secrets. +* `nginx.org/jwk` for JWK secrets. +* `nginx.org/ca` for CA secrets. The Ingress Controller now ignores secrets that are not of a supported type. As a consequence, special upgrade steps are required. Before upgrading, ensure that the secrets referenced in Ingress, VirtualServer or Policies resources are of a supported type, which is configured via the `type` field. Because that field is immutable, it is necessary to either: + * Recreate the secrets. Note that in this case, the client traffic for the affected resources will be rejected for the period during which a secret doesn't exist in the cluster. * Create copies of the secrets and update the affected resources to reference the copies. The copies need to be of a supported type. In contrast with the previous options, this will not make NGINX reject the client traffic. It is also necessary to update the default server secret and the wildcard secret (if it was configured) in case their type is not `kubernetes.io/tls`. The steps depend on how you installed the Ingress Controller: via manifests or Helm. Performing the steps will not lead to a disruption of the client traffic, as the Ingress Controller retains the default and wildcard secrets if they are removed. For *manifests installation*: + 1. Recreate the default server secret and the wildcard secret with the type `kubernetes.io/tls`. 1. Upgrade the Ingress Controller. For *Helm installation*, there two cases: + 1. 
If Helm created the secrets (you configured `controller.defaultTLS.cert` and `controller.defaultTLS.key` for the default secret and `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` for the wildcard secret), then no special upgrade steps are required: during the upgrade, the Helm will remove the existing default and wildcard secrets and create new ones with different names with the type `kubernetes.io/tls`. -1. If you created the secrets separately from Helm (you configured `controller.defaultTLS.secret` for the default secret and `controller.wildcardTLS.secret` for the wildcard secret): +1. If you created the secrets separately from Helm (you configured `controller.defaultTLS.secret` for the default secret and `controller.wildcardTLS.secret` for the wildcard secret): 1. Recreate the secrets with the type `kubernetes.io/tls`. 1. Upgrade to the new Helm release. NOTES: -* Helm 2 clients are no longer supported due to reaching End of Life: https://helm.sh/blog/helm-2-becomes-unsupported/ + +* Helm 2 clients are no longer supported due to reaching End of Life: ### 1.9.1 CHANGES: + * Fix deployment of ingressclass resource via helm on some versions of Kubernetes. * Update the base ubi images to 8.3. * Renew CA cert for egress-mtls example. * Add imagePullSecretName support to helm chart. HELM CHART: + * The version of the Helm chart is now 0.7.1. UPGRADE: + * For NGINX, use the 1.9.1 image from our DockerHub: `nginx/nginx-ingress:1.9.1`, `nginx/nginx-ingress:1.9.1-alpine` or `nginx/nginx-ingress:1.9.1-ubi` * For NGINX Plus, please build your own image using the 1.9.1 source code. * For Helm, use version 0.7.1 of the chart. 
@@ -299,6 +326,7 @@ UPGRADE: OVERVIEW: Release 1.9.0 includes: + * Support for new Prometheus metrics and enhancements of the existing ones, including configuration reload reason, NGINX worker processes count, upstream latency, and more. * Support for rate limiting, JWT authentication, ingress(client) and egress(upstream) mutual TLS via the Policy resource. * Support for the latest Ingress resource features and the IngressClass resource. @@ -307,6 +335,7 @@ Release 1.9.0 includes: You will find the complete changelog for release 1.9.0, including bug fixes, improvements, and changes below. FEATURES FOR POLICY RESOURCE: + * [1180](https://github.com/nginxinc/kubernetes-ingress/pull/1180) Add support for EgressMTLS. * [1166](https://github.com/nginxinc/kubernetes-ingress/pull/1166) Add IngressMTLS policy support. * [1154](https://github.com/nginxinc/kubernetes-ingress/pull/1154) Add JWT policy support. 
@@ -314,18 +343,21 @@ FEATURES FOR POLICY RESOURCE: * [1058](https://github.com/nginxinc/kubernetes-ingress/pull/1058) Support policies in VS routes and VSR subroutes. FEATURES FOR NGINX APP PROTECT: + * [1147](https://github.com/nginxinc/kubernetes-ingress/pull/1147) Add option to specify other log destinations in AppProtect. * [1131](https://github.com/nginxinc/kubernetes-ingress/pull/1131) Update packages and CRDs to AppProtect 2.0. This update includes features such as: [JSON Schema Validation](https://docs.nginx.com/nginx-app-protect/configuration#applying-a-json-schema), [User-Defined URLs](https://docs.nginx.com/nginx-app-protect/configuration/#user-defined-urls) and [User-Defined Parameters](https://docs.nginx.com/nginx-app-protect/configuration/#user-defined-parameters). See the [release notes](https://docs.nginx.com/nginx-app-protect/releases/#release-2-0) for a complete feature list. * [1100](https://github.com/nginxinc/kubernetes-ingress/pull/1100) Add external references to AppProtect. * [1085](https://github.com/nginxinc/kubernetes-ingress/pull/1085) Add installation of threat campaigns package. FEATURES: + * [1133](https://github.com/nginxinc/kubernetes-ingress/pull/1133) Add support for IngressClass resources. * [1130](https://github.com/nginxinc/kubernetes-ingress/pull/1130) Add prometheus latency collector. * [1076](https://github.com/nginxinc/kubernetes-ingress/pull/1076) Add prometheus worker process metrics. * [1075](https://github.com/nginxinc/kubernetes-ingress/pull/1075) Add support for NGINX Service Mesh internal routes. IMPROVEMENTS: + * [1178](https://github.com/nginxinc/kubernetes-ingress/pull/1178) Resolve host collisions in VirtualServer and Ingresses. * [1158](https://github.com/nginxinc/kubernetes-ingress/pull/1158) Support variables in action proxy headers. * [1137](https://github.com/nginxinc/kubernetes-ingress/pull/1137) Add pod_owner label to metrics when -spire-agent-address is set. 
@@ -337,19 +369,23 @@ IMPROVEMENTS: * Documentation improvements: [1083](https://github.com/nginxinc/kubernetes-ingress/pull/1083), [1092](https://github.com/nginxinc/kubernetes-ingress/pull/1092), [1089](https://github.com/nginxinc/kubernetes-ingress/pull/1089), [1174](https://github.com/nginxinc/kubernetes-ingress/pull/1174), [1175](https://github.com/nginxinc/kubernetes-ingress/pull/1175), [1171](https://github.com/nginxinc/kubernetes-ingress/pull/1171). BUGFIXES: + * [1179](https://github.com/nginxinc/kubernetes-ingress/pull/1179) Fix TransportServers in debian AppProtect image. * [1129](https://github.com/nginxinc/kubernetes-ingress/pull/1129) Support real-ip in default server. * [1110](https://github.com/nginxinc/kubernetes-ingress/pull/1110) Add missing threat campaigns key to AppProtect CRD. HELM CHART: + * The version of the helm chart is now 0.7.0 * [1105](https://github.com/nginxinc/kubernetes-ingress/pull/1105) Fix GlobalConfiguration support in helm chart. * Add new parameters to the Chart: `controller.setAsDefaultIngress`, `controller.enableLatencyMetrics`. Added in [1133](https://github.com/nginxinc/kubernetes-ingress/pull/1133) and [1148](https://github.com/nginxinc/kubernetes-ingress/pull/1148). CHANGES: + * [1182](https://github.com/nginxinc/kubernetes-ingress/pull/1182) Update NGINX version to 1.19.3. UPGRADE: + * For NGINX, use the 1.9.0 image from our DockerHub: `nginx/nginx-ingress:1.9.0`, `nginx/nginx-ingress:1.9.0-alpine` or `nginx-ingress:1.9.0-ubi` * For NGINX Plus, please build your own image using the 1.9.0 source code. * For Helm, use version 0.7.0 of the chart. 
@@ -357,32 +393,37 @@ UPGRADE: For Kubernetes >= 1.18, when upgrading using the [manifests](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/), make sure to update the [ClusterRole](deployments/rbac/rbac.yaml) and create the [IngressClass resource](deployments/common/ingress-class.yaml), which is required for Kubernetes >= 1.18. Otherwise, the Ingress Controller will fail to start. If you run multiple NGINX Ingress Controllers in the cluster, each Ingress Controller has to have its own IngressClass resource. Make sure your Ingress resources have the `ingressClassName` field or the `kubernetes.io/ingress.class` annotation set to the name of the IngressClass resource. Otherwise, the Ingress Controller will ignore them. HELM UPGRADE: + * If you're using custom resources like VirtualServer and TransportServer (`controller.enableCustomResources` is set to `true`), after you run the `helm upgrade` command, the CRDs will not be upgraded. After running the `helm upgrade` command, run `kubectl apply -f deployments/helm-chart/crds` to upgrade the CRDs. * For Kubernetes >= 1.18, a dedicated IngressClass resource, which is configured by `controller.ingressClass`, is required per helm release. Ensure `controller.ingressClass` is not set to the name of the IngressClass of other releases or Ingress Controllers. Make sure your Ingress resources have the `ingressClassName` field or the `kubernetes.io/ingress.class` annotation set to the value of `controller.ingressClass`. Otherwise, the Ingress Controller will ignore them. NOTES: + * When using Kubernetes >= 1.18 the Ingress Controller will only process resources that belong to its class. See [IngressClass doc](https://docs.nginx.com/nginx-ingress-controller/installation/running-multiple-ingress-controllers/#ingress-class) to learn more. * For Kubernetes >= 1.18, a dedicated IngressClass resource, which is configured by `controller.ingressClass`, is required per helm release. 
When upgrading or installing releases, ensure `controller.ingressClass` is not set to the name of the IngressClass of other releases or Ingress Controllers. ### 1.8.1 CHANGES: + * Update NGINX version to 1.19.2. HELM CHART: + * The version of the Helm chart is now 0.6.1. UPGRADE: + * For NGINX, use the 1.8.1 image from our DockerHub: `nginx/nginx-ingress:1.8.1`, `nginx/nginx-ingress:1.8.1-alpine` or `nginx/nginx-ingress:1.8.1-ubi` * For NGINX Plus, please build your own image using the 1.8.1 source code. * For Helm, use version 0.6.1 of the chart. - ### 1.8.0 OVERVIEW: Release 1.8.0 includes: + * Support for NGINX App Protect Web Application Firewall. * Support for configuration snippets and custom template for VirtualServer and VirtualServerRoute resources. * Support for request/response header manipulation and request URI rewriting for VirtualServer/VirtualServerRoute. @@ -391,6 +432,7 @@ Release 1.8.0 includes: You will find the complete changelog for release 1.8.0, including bug fixes, improvements, and changes below. FEATURES FOR VIRTUALSERVER AND VIRTUALSERVERROUTE RESOURCES: + * [1036](https://github.com/nginxinc/kubernetes-ingress/pull/1036): Add VirtualServer custom template support. * [1028](https://github.com/nginxinc/kubernetes-ingress/pull/1028): Add access control policy. * [1019](https://github.com/nginxinc/kubernetes-ingress/pull/1019): Add VirtualServer/VirtualServerRoute snippets support. 
@@ -399,29 +441,35 @@ FEATURES FOR VIRTUALSERVER AND VIRTUALSERVERROUTE RESOURCES: * [973](https://github.com/nginxinc/kubernetes-ingress/pull/973): Add status to VirtualServer and VirtualServerRoute. FEATURES: + * [1035](https://github.com/nginxinc/kubernetes-ingress/pull/1035): Support for App Protect module. * [1029](https://github.com/nginxinc/kubernetes-ingress/pull/1029): Add readiness endpoint. IMPROVEMENTS: + * [995](https://github.com/nginxinc/kubernetes-ingress/pull/995): Emit event for orphaned VirtualServerRoutes. * Documentation improvements: [946](https://github.com/nginxinc/kubernetes-ingress/pull/946) thanks to [谭九鼎](https://github.com/imba-tjd), [948](https://github.com/nginxinc/kubernetes-ingress/pull/948), [972](https://github.com/nginxinc/kubernetes-ingress/pull/972), [965](https://github.com/nginxinc/kubernetes-ingress/pull/965). BUGFIXES: + * [1030](https://github.com/nginxinc/kubernetes-ingress/pull/1030): Fix port range validation in cli arguments. * [953](https://github.com/nginxinc/kubernetes-ingress/pull/953): Fix error logging of master/minion ingresses. HELM CHART: + * The version of the helm chart is now 0.6.0. * Add new parameters to the Chart: `controller.appprotect.enable`, `controller.globalConfiguration.create`, `controller.globalConfiguration.spec`, `controller.readyStatus.enable`, `controller.readyStatus.port`, `controller.config.annotations`, `controller.reportIngressStatus.annotations`. Added in [1035](https://github.com/nginxinc/kubernetes-ingress/pull/1035), [1034](https://github.com/nginxinc/kubernetes-ingress/pull/1034), [1029](https://github.com/nginxinc/kubernetes-ingress/pull/1029), [1003](https://github.com/nginxinc/kubernetes-ingress/pull/1003) thanks to [RubyLangdon](https://github.com/RubyLangdon). 
* [1047](https://github.com/nginxinc/kubernetes-ingress/pull/1047) and [1009](https://github.com/nginxinc/kubernetes-ingress/pull/1009): Change how Helm manages the custom resource definitions (CRDs) to support installing multiple Ingress Controller releases. **Note**: If you're using the custom resources (`controller.enableCustomResources` is set to `true`), this is a breaking change. See the HELM UPGRADE section below for the upgrade instructions. CHANGES: + * Update NGINX version to 1.19.1. * Update NGINX Plus to R22. * [1029](https://github.com/nginxinc/kubernetes-ingress/pull/1029): Add readiness endpoint. The Ingress Controller now exposes a readiness endpoint on port `8081` and the path `/nginx-ready`. The endpoint returns a `200` response after the Ingress Controller finishes the initial configuration of NGINX at the start. The pod template was updated to use that endpoint in a readiness probe. * [980](https://github.com/nginxinc/kubernetes-ingress/pull/980): Enable leader election by default. UPGRADE: + * For NGINX, use the 1.8.0 image from our DockerHub: `nginx/nginx-ingress:1.8.0`, `nginx/nginx-ingress:1.8.0-alpine` or `nginx-ingress:1.8.0-ubi` * For NGINX Plus, please build your own image using the 1.8.0 source code. * For Helm, use version 0.6.0 of the chart. 
@@ -431,17 +479,21 @@ HELM UPGRADE: If you're using custom resources like VirtualServer and TransportServer (`controller.enableCustomResources` is set to `true`), after you run the `helm upgrade` command, the CRDs and the corresponding custom resources will be removed from the cluster. Before upgrading, make sure to back up the custom resources. After running the `helm upgrade` command, run `kubectl apply -f deployments/helm-chart/crds` to re-install the CRDs and then restore the custom resources. NOTES: + * As part of installing a release, Helm will install the CRDs unless that step is disabled (see the [corresponding doc](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-helm/)). The installed CRDs include the CRDs for all Ingress Controller features, including the ones disabled by default (like App Protect with `aplogconfs.appprotect.f5.com` and `appolicies.appprotect.f5.com` CRDs). ### 1.7.2 CHANGES: + * Update NGINX Plus version to R22. HELM CHART: + * The version of the Helm chart is now 0.5.2. UPGRADE: + * For NGINX, use the 1.7.2 image from our DockerHub: `nginx/nginx-ingress:1.7.2`, `nginx/nginx-ingress:1.7.2-alpine` or `nginx/nginx-ingress:1.7.2-ubi` * For NGINX Plus, please build your own image using the 1.7.2 source code. * For Helm, use version 0.5.2 of the chart. @@ -449,12 +501,15 @@ UPGRADE: ### 1.7.1 CHANGES: + * Update NGINX version to 1.19.0. HELM CHART: + * The version of the Helm chart is now 0.5.1. UPGRADE: + * For NGINX, use the 1.7.1 image from our DockerHub: `nginx/nginx-ingress:1.7.1`, `nginx/nginx-ingress:1.7.1-alpine` or `nginx/nginx-ingress:1.7.1-ubi` * For NGINX Plus, please build your own image using the 1.7.1 source code. * For Helm, use version 0.5.1 of the chart. 
@@ -464,6 +519,7 @@ UPGRADE: OVERVIEW: Release 1.7.0 includes: + * Support for TCP, UDP, and TLS Passthrough load balancing with the new configuration resources: TransportServer and GlobalConfiguration. The resources allow users to deliver complex, non-HTTP-based applications from Kubernetes using the NGINX Ingress Controller. * Support for error pages in VirtualServer and VirtualServerRoute resources. A user can now specify custom error responses for errors returned by backend applications or generated by NGINX, such as a 502 response. * Improved validation of VirtualServer and VirtualServerRoute resources. kubectl and the Kubernetes API server can now detect violations of the structure of VirtualServer/VirtualServerRoute resources and return an error. @@ -474,10 +530,12 @@ See the [1.7.0 release announcement blog post](https://www.nginx.com/blog/announ You will find the complete changelog for release 1.7.0, including bug fixes, improvements, and changes below. FEATURES FOR VIRTUALSERVER AND VIRTUALSERVERROUTE RESOURCES: + * [868](https://github.com/nginxinc/kubernetes-ingress/pull/868): Add OpenAPI CRD schema validation. * [847](https://github.com/nginxinc/kubernetes-ingress/pull/847): Add support for error pages for VS/VSR. FEATURES: + * [902](https://github.com/nginxinc/kubernetes-ingress/pull/902): Add TransportServer and GlobalConfiguration Resources. * [894](https://github.com/nginxinc/kubernetes-ingress/pull/894): Add Dockerfile for NGINX Open Source for Openshift. * [857](https://github.com/nginxinc/kubernetes-ingress/pull/857): Add Openshift Dockerfile for NGINX Plus. 
@@ -485,20 +543,23 @@ FEATURES: * [845](https://github.com/nginxinc/kubernetes-ingress/pull/845): Add log-format-escaping and stream-log-format-escaping configmap keys. Thanks to [Alexey Maslov](https://github.com/alxmsl). * [827](https://github.com/nginxinc/kubernetes-ingress/pull/827): Add ingress class label to all Prometheus metrics. - IMPROVEMENTS: + * [850](https://github.com/nginxinc/kubernetes-ingress/pull/850): Extend redirect URI validation with protocol check in VS/VSR. * [832](https://github.com/nginxinc/kubernetes-ingress/pull/832): Update the examples to run the `nginxdemos/nginx-hello:plain-text` image, that doesn't require root user. * [825](https://github.com/nginxinc/kubernetes-ingress/pull/825): Add multi-stage docker builds. BUGFIXES: + * [828](https://github.com/nginxinc/kubernetes-ingress/pull/828): Fix error messages for actions of the type return. HELM CHART: + * The version of the helm chart is now 0.5.0. * Add new parameters to the Chart: `controller.enableTLSPassthrough`, `controller.volumes`, `controller.volumeMounts`, `controller.priorityClassName`. Added in [921](https://github.com/nginxinc/kubernetes-ingress/pull/921), [878](https://github.com/nginxinc/kubernetes-ingress/pull/878), [807](https://github.com/nginxinc/kubernetes-ingress/pull/807) thanks to [Greg Snow](https://github.com/gsnegovskiy). CHANGES: + * Update NGINX version to 1.17.10. * Update NGINX Plus to R21. * [854](https://github.com/nginxinc/kubernetes-ingress/pull/854): Update the Debian base images for NGINX Plus to `debian:buster-slim`. 
@@ -508,6 +569,7 @@ CHANGES: * [825](https://github.com/nginxinc/kubernetes-ingress/pull/825): Add multi-stage docker builds. When building the Ingress Controller image in Docker, we now use a multi-stage docker build. UPGRADE: + * For NGINX, use the 1.7.0 image from our DockerHub: `nginx/nginx-ingress:1.7.0`, `nginx/nginx-ingress:1.7.0-alpine` or `nginx-ingress:1.7.0-ubi` * For NGINX Plus, please build your own image using the 1.7.0 source code. * For Helm, use version 0.5.0 of the chart. @@ -517,12 +579,15 @@ When upgrading using the [manifests](https://docs.nginx.com/nginx-ingress-contro ### 1.6.3 CHANGES: + * Update NGINX version to 1.17.9. HELM CHART: + * The version of the Helm chart is now 0.4.3. UPGRADE: + * For NGINX, use the 1.6.3 image from our DockerHub: `nginx/nginx-ingress:1.6.3` or `nginx/nginx-ingress:1.6.3-alpine` * For NGINX Plus, please build your own image using the 1.6.3 source code. * For Helm, use version 0.4.3 of the chart. @@ -530,12 +595,15 @@ UPGRADE: ### 1.6.2 CHANGES: + * Update NGINX version to 1.17.8. HELM CHART: + * The version of the Helm chart is now 0.4.2. UPGRADE: + * For NGINX, use the 1.6.2 image from our DockerHub: `nginx/nginx-ingress:1.6.2` or `nginx/nginx-ingress:1.6.2-alpine` * For NGINX Plus, please build your own image using the 1.6.2 source code. * For Helm, use version 0.4.2 of the chart. @@ -543,12 +611,15 @@ UPGRADE: ### 1.6.1 CHANGES: + * Update NGINX version to 1.17.7. HELM CHART: + * The version of the Helm chart is now 0.4.1. UPGRADE: + * For NGINX, use the 1.6.1 image from our DockerHub: `nginx/nginx-ingress:1.6.1` or `nginx/nginx-ingress:1.6.1-alpine` * For NGINX Plus, please build your own image using the 1.6.1 source code. * For Helm, use version 0.4.1 of the chart. 
@@ -558,15 +629,17 @@ UPGRADE: OVERVIEW: Release 1.6.0 includes: + * Improvements to VirtualServer and VirtualServerRoute resources, adding support for richer load balancing behavior, more sophisticated request routing, redirects, direct responses, and blue-green and circuit breaker patterns. The VirtualServer and VirtualServerRoute resources are enabled by default and are ready for production use. * Support for OpenTracing, helping you to monitor and debug complex transactions. * An improved security posture, with support to run the Ingress Controller as a non-root user. -The release announcement blog post includes the overview for each feature. See https://www.nginx.com/blog/announcing-nginx-ingress-controller-for-kubernetes-release-1-6-0/ +The release announcement blog post includes the overview for each feature. See You will find the complete changelog for release 1.6.0, including bug fixes, improvements, and changes below. FEATURES FOR VIRTUALSERVER AND VIRTUALSERVERROUTE RESOURCES: + * [780](https://github.com/nginxinc/kubernetes-ingress/pull/780): Add support for canned responses to VS/VSR. * [778](https://github.com/nginxinc/kubernetes-ingress/pull/778): Add redirect support in VS/VSR. * [766](https://github.com/nginxinc/kubernetes-ingress/pull/766): Add exact matches and regex support to location paths in VS/VSR. @@ -594,6 +667,7 @@ FEATURES FOR VIRTUALSERVER AND VIRTUALSERVERROUTE RESOURCES: * [596](https://github.com/nginxinc/kubernetes-ingress/pull/596): Add lb-method support in vs and vsr. FEATURES: + * [750](https://github.com/nginxinc/kubernetes-ingress/pull/750): Add support for health status uri customisation. * [691](https://github.com/nginxinc/kubernetes-ingress/pull/691): Helper Functions for custom annotations. * [631](https://github.com/nginxinc/kubernetes-ingress/pull/631): Add max_conns support for NGINX plus. 
@@ -602,13 +676,14 @@ FEATURES: * [615](https://github.com/nginxinc/kubernetes-ingress/pull/615): Add support for Opentracing. * [614](https://github.com/nginxinc/kubernetes-ingress/pull/614): Add max-conns annotation. Thanks to [Victor Regalado](https://github.com/vrrs). - IMPROVEMENTS: + * [678](https://github.com/nginxinc/kubernetes-ingress/pull/678): Increase defaults for server-names-hash-max-size and servers-names-hash-bucket-size ConfigMap keys. * [694](https://github.com/nginxinc/kubernetes-ingress/pull/694): Reject VS/VSR resources with enabled plus features for OSS. * Documentation improvements: [713](https://github.com/nginxinc/kubernetes-ingress/pull/713) thanks to [Matthew Wahner](https://github.com/mattwahner). BUGFIXES: + * [788](https://github.com/nginxinc/kubernetes-ingress/pull/788): Fix VSR updates when namespace is set implicitly. * [736](https://github.com/nginxinc/kubernetes-ingress/pull/736): Init Ingress labeled metrics on start. * [686](https://github.com/nginxinc/kubernetes-ingress/pull/686): Check if config map created for leader-election. 
@@ -616,12 +691,14 @@ BUGFIXES: * [632](https://github.com/nginxinc/kubernetes-ingress/pull/632): Fix hsts support when not using SSL. Thanks to [Martín Fernández](https://github.com/bilby91). HELM CHART: + * The version of the helm chart is now 0.4.0. * Add new parameters to the Chart: `controller.healthCheckURI`, `controller.resources`, `controller.logLevel`, `controller.customPorts`, `controller.service.customPorts`. Added in [750](https://github.com/nginxinc/kubernetes-ingress/pull/750), [636](https://github.com/nginxinc/kubernetes-ingress/pull/636) thanks to [Guilherme Oki](https://github.com/guilhermeoki), [600](https://github.com/nginxinc/kubernetes-ingress/pull/600), [581](https://github.com/nginxinc/kubernetes-ingress/pull/581) thanks to [Alex Meijer](https://github.com/ameijer-corsha). * [722](https://github.com/nginxinc/kubernetes-ingress/pull/722): Fix trailing leader election cm when using helm. This change might lead to a failed upgrade. See the helm upgrade instruction below. * [573](https://github.com/nginxinc/kubernetes-ingress/pull/573): Use Controller name value for app selectors. CHANGES: + * Update NGINX versions to 1.17.6. * Update NGINX Plus version to R20. * [799](https://github.com/nginxinc/kubernetes-ingress/pull/779): Enable CRDs by default. VirtualServer and VirtualServerRoute resources are now enabled by default. @@ -632,6 +709,7 @@ CHANGES: * [603](https://github.com/nginxinc/kubernetes-ingress/pull/603): Update apiVersion in Deployments and DaemonSets to apps/v1. UPGRADE: + * For NGINX, use the 1.6.0 image from our DockerHub: `nginx/nginx-ingress:1.6.0` or `nginx/nginx-ingress:1.6.0-alpine` * For NGINX Plus, please build your own image using the 1.6.0 source code. * For Helm, use version 0.4.0 of the chart. 
@@ -639,6 +717,7 @@ UPGRADE: HELM UPGRADE: If leader election (the `controller.reportIngressStatus.enableLeaderElection` parameter) is enabled, when upgrading to the new version of the Helm chart: + 1. Make sure to specify a new ConfigMap lock name (`controller.reportIngressStatus.leaderElectionLockName`) different from the one that was created by the current version. To find out the current name, check ConfigMap resources in the namespace where the Ingress Controller is running. 1. After the upgrade, delete the old ConfigMap. @@ -647,13 +726,16 @@ Otherwise, the helm upgrade will not succeed. ### 1.5.8 CHANGES: + * Update NGINX version to 1.17.6. * Update deployment and daemonset manifests to apps/v1. HELM CHART: + * The version of the Helm chart is now 0.3.8. UPGRADE: + * For NGINX, use the 1.5.8 image from our DockerHub: `nginx/nginx-ingress:1.5.8` or `nginx/nginx-ingress:1.5.8-alpine` * For NGINX Plus, please build your own image using the 1.5.8 source code. * For Helm, use version 0.3.8 of the chart. @@ -661,12 +743,15 @@ UPGRADE: ### 1.5.7 CHANGES: + * Update NGINX version to 1.17.5. HELM CHART: + * The version of the Helm chart is now 0.3.7. UPGRADE: + * For NGINX, use the 1.5.7 image from our DockerHub: `nginx/nginx-ingress:1.5.7` or `nginx/nginx-ingress:1.5.7-alpine` * For NGINX Plus, please build your own image using the 1.5.7 source code. * For Helm, use version 0.3.7 of the chart. @@ -674,12 +759,15 @@ UPGRADE: ### 1.5.6 CHANGES: + * Update NGINX version to 1.17.4. HELM CHART: + * The version of the Helm chart is now 0.3.6. UPGRADE: + * For NGINX, use the 1.5.6 image from our DockerHub: `nginx/nginx-ingress:1.5.6` or `nginx/nginx-ingress:1.5.6-alpine` * For NGINX Plus, please build your own image using the 1.5.6 source code. * For Helm, use version 0.3.6 of the chart. 
@@ -687,12 +775,15 @@ UPGRADE: ### 1.5.5 CHANGES: + * Update NGINX Plus version to R19. HELM CHART: + * The version of the Helm chart is now 0.3.5. UPGRADE: + * For NGINX, use the 1.5.5 image from our DockerHub: `nginx/nginx-ingress:1.5.5` or `nginx/nginx-ingress:1.5.5-alpine` * For NGINX Plus, please build your own image using the 1.5.5 source code. * For Helm, use version 0.3.5 of the chart. @@ -700,12 +791,15 @@ UPGRADE: ### 1.5.4 CHANGES: + * Update NGINX version to 1.17.3. HELM CHART: + * The version of the Helm chart is now 0.3.4. UPGRADE: + * For NGINX, use the 1.5.4 image from our DockerHub: `nginx/nginx-ingress:1.5.4` or `nginx/nginx-ingress:1.5.4-alpine` * For NGINX Plus, please build your own image using the 1.5.4 source code. * For Helm, use version 0.3.4 of the chart. @@ -713,12 +807,15 @@ UPGRADE: ### 1.5.3 CHANGES: + * Update NGINX Plus version to R18p1. HELM CHART: + * The version of the Helm chart is now 0.3.3. UPGRADE: + * For NGINX, use the 1.5.3 image from our DockerHub: `nginx/nginx-ingress:1.5.3` or `nginx/nginx-ingress:1.5.3-alpine` * For NGINX Plus, please build your own image using the 1.5.3 source code. * For Helm, use version 0.3.3 of the chart. @@ -726,12 +823,15 @@ UPGRADE: ### 1.5.2 CHANGES: + * Update NGINX version to 1.17.2. HELM CHART: + * The version of the Helm chart is now 0.3.2. UPGRADE: + * For NGINX, use the 1.5.2 image from our DockerHub: `nginx/nginx-ingress:1.5.2` or `nginx/nginx-ingress:1.5.2-alpine` * For NGINX Plus, please build your own image using the 1.5.2 source code. * For Helm, use version 0.3.2 of the chart. 
@@ -739,13 +839,16 @@ UPGRADE: ### 1.5.1 CHANGES: + * Update NGINX version to 1.17.1. HELM CHART: + * The version of the Helm chart is now 0.3.1. * [593](https://github.com/nginxinc/kubernetes-ingress/pull/593): Fix the selector in the Ingress Controller service when the `controller.name` parameter is set. This introduces a change, see the HELM UPGRADE section. UPGRADE: + * For NGINX, use the 1.5.1 image from our DockerHub: `nginx/nginx-ingress:1.5.1` or `nginx/nginx-ingress:1.5.1-alpine` * For NGINX Plus, please build your own image using the 1.5.1 source code. * For Helm, use version 0.3.1 of the chart. @@ -755,6 +858,7 @@ HELM UPGRADE: In the changelog of Release 1.5.0, we advised not to upgrade the helm chart from `0.2.1` to `0.3.0` unless the mentioned in the changelog problems were acceptable. This release we provide mitigation instructions on how to upgrade from `0.2.1` to `0.3.1` without disruptions. When you upgrade from `0.2.1` to `0.3.1`, make sure to configure the following parameters: + * `controller.name` is set to `nginx-ingress` or the previously used value in case you customized it. This ensures the Deployment/Daemonset will not be recreated. * `controller.service.name` is set to `nginx-ingress`. This ensures the service will not be recreated. * `controller.config.name` is set to `nginx-config`. This ensures the ConfigMap will not be recreated. 
@@ -764,21 +868,25 @@ Upgrading from `0.3.0` to `0.3.1`: Upgrading is not affected unless you customiz ### 1.5.0 FEATURES: + * [560](https://github.com/nginxinc/kubernetes-ingress/pull/560): Add new configuration resources -- VirtualServer and VirtualServerRoute. * [554](https://github.com/nginxinc/kubernetes-ingress/pull/554): Add new Prometheus metrics related to the Ingress Controller's operation (as opposed to NGINX/NGINX Plus metrics). * [496](https://github.com/nginxinc/kubernetes-ingress/pull/496): Support a wildcard TLS certificate for TLS-enabled Ingress resources. * [485](https://github.com/nginxinc/kubernetes-ingress/pull/485): Support ExternalName services in Ingress backends. IMPROVEMENTS: + * Add new ConfigMap keys: `keepalive-timeout`, `keepalive-requests`, `access-log-off`, `variables-hash-bucket-size`, `variables-hash-max-size`. Added in [565](https://github.com/nginxinc/kubernetes-ingress/pull/565), [511](https://github.com/nginxinc/kubernetes-ingress/pull/511). * [504](https://github.com/nginxinc/kubernetes-ingress/pull/504): Run the Prometheus exporter inside the Ingress Controller process instead of a sidecar container. BUGFIXES: + * [520](https://github.com/nginxinc/kubernetes-ingress/pull/520): Fix the type of the Prometheus port annotation in manifests. * [481](https://github.com/nginxinc/kubernetes-ingress/pull/481): Fix the HSTS support. * [439](https://github.com/nginxinc/kubernetes-ingress/pull/439): Fix the validation of the `lb-method` ConfigMap key and `nginx.org/lb-method` annotation. HELM CHART: + * The version of the helm chart is now 0.3.0. * The helm chart is now available in our helm chart repo `helm.nginx.com/stable`. 
* Add new parameters to the Chart: `controller.service.httpPort.targetPort`, `controller.service.httpsPort.targetPort`, `controller.service.name`, `controller.pod.annotations`, `controller.config.name`, `controller.reportIngressStatus.leaderElectionLockName`, `controller.service.httpPort`, `controller.service.httpsPort`, `controller.service.loadBalancerIP`, `controller.service.loadBalancerSourceRanges`, `controller.tolerations`, `controller.affinity`. Added in [562](https://github.com/nginxinc/kubernetes-ingress/pull/562), [561](https://github.com/nginxinc/kubernetes-ingress/pull/561), [553](https://github.com/nginxinc/kubernetes-ingress/pull/553), [534](https://github.com/nginxinc/kubernetes-ingress/pull/534) thanks to [Paulo Ribeiro](https://github.com/paigr), [479](https://github.com/nginxinc/kubernetes-ingress/pull/479) thanks to [Alejandro Llanes](https://github.com/sombralibre), [468](https://github.com/nginxinc/kubernetes-ingress/pull/468), [456](https://github.com/nginxinc/kubernetes-ingress/pull/456). @@ -786,10 +894,12 @@ HELM CHART: * [542](https://github.com/nginxinc/kubernetes-ingress/pull/542): Reduce the required privileges in the RBAC manifests. CHANGES: + * Update NGINX version to 1.15.12. * Prometheus metrics for NGINX/NGINX Plus have new namespace `nginx_ingress`. Examples: `nginx_http_requests_total` -> `nginx_ingress_http_requests_total`, `nginxplus_http_requests_total` -> `nginx_ingress_nginxplus_http_requests_total`. UPGRADE: + * For NGINX, use the 1.5.0 image from our DockerHub: `nginx/nginx-ingress:1.5.0` or `nginx/nginx-ingress:1.5.0-alpine` * For NGINX Plus, please build your own image using the 1.5.0 source code. * For Helm, use version 0.3.0 of the chart. 
@@ -797,6 +907,7 @@ UPGRADE: HELM UPGRADE: The new version of the helm chart uses different names for the generated resources. This makes it possible to deploy multiple Ingress Controllers in a cluster. However, as a side effect, during the upgrade from the previous version, helm will recreate the resources, instead of updating the existing ones. This, in turn, might cause problems for the following resources: + * Service: If the service was created with the type LoadBalancer, the public IP of the new service might change. Additionally, helm updates the selector of the service, so that the old pods will be immediately excluded from the service. * Deployment/DaemonSet: Because the resource is recreated, the old pods will be removed and the new ones will be launched, instead of the default Deployment/Daemonset upgrade strategy. * ConfigMap: After the helm removes the resource, the old Ingress Controller pods will be immediately reconfigured to use the default values of the ConfigMap keys. During a small window between the reconfiguration and the shutdown of the old pods, NGINX will use the configuration with the default values. @@ -806,13 +917,16 @@ We advise not to upgrade to the new version of the helm chart unless the mention ### 1.4.6 CHANGES: + * Update NGINX version to 1.15.11. * Update NGINX Plus version to R18. HELM CHART: + * The version of the Helm chart is now 0.2.1. UPGRADE: + * For NGINX, use the 1.4.6 image from our DockerHub: `nginx/nginx-ingress:1.4.6` or `nginx/nginx-ingress:1.4.6-alpine` * For NGINX Plus, please build your own image using the 1.4.6 source code. * For Helm, use version 0.2.1 of the chart. 
@@ -820,51 +934,62 @@ UPGRADE: ### 1.4.5 CHANGES: + * Update NGINX version to 1.15.10. UPGRADE: + * For NGINX, use the 1.4.5 image from our DockerHub: `nginx/nginx-ingress:1.4.5` or `nginx/nginx-ingress:1.4.5-alpine` * For NGINX Plus, please build your own image using the 1.4.5 source code. ### 1.4.4 CHANGES: + * Update NGINX version to 1.15.9. UPGRADE: + * For NGINX, use the 1.4.4 image from our DockerHub: `nginx/nginx-ingress:1.4.4` or `nginx/nginx-ingress:1.4.4-alpine` * For NGINX Plus, please build your own image using the 1.4.4 source code. ### 1.4.3 CHANGES: + * Update NGINX version to 1.15.8. UPGRADE: + * For NGINX, use the 1.4.3 image from our DockerHub: `nginx/nginx-ingress:1.4.3` or `nginx/nginx-ingress:1.4.3-alpine` * For NGINX Plus, please build your own image using the 1.4.3 source code. ### 1.4.2 CHANGES: + * Update NGINX Plus version to R17. UPGRADE: + * For NGINX, use the 1.4.2 image from our DockerHub: `nginx/nginx-ingress:1.4.2` or `nginx/nginx-ingress:1.4.2-alpine` * For NGINX Plus, please build your own image using the 1.4.2 source code. ### 1.4.1 CHANGES: + * Update NGINX version to 1.15.7. UPGRADE: + * For NGINX, use the 1.4.1 image from our DockerHub: `nginx/nginx-ingress:1.4.1` or `nginx/nginx-ingress:1.4.1-alpine` * For NGINX Plus, please build your own image using the 1.4.1 source code. ### 1.4.0 FEATURES: + * [401](https://github.com/nginxinc/kubernetes-ingress/pull/401): Add the `-nginx-debug` flag for enabling debugging of NGINX using the `nginx-debug` binary. * [387](https://github.com/nginxinc/kubernetes-ingress/pull/387): Add the `-nginx-status-allow-cidrs` command-line argument for white listing IPv4 IP/CIDR blocks to allow access to NGINX stub_status or the NGINX Plus API. Thanks to [Jasmine Hegman](https://github.com/r4j4h). * [376](https://github.com/nginxinc/kubernetes-ingress/pull/376): Support the [random](http://nginx.org/en/docs/http/ngx_http_upstream_module.html#random) load balancing method. 
@@ -875,6 +1000,7 @@ FEATURES: * [320](https://github.com/nginxinc/kubernetes-ingress/pull/340): Support TCP/UDP load balancing via the `stream-snippets` configmap key. IMPROVEMENTS: + * [434](https://github.com/nginxinc/kubernetes-ingress/pull/434): Improve consistency of templates. * [432](https://github.com/nginxinc/kubernetes-ingress/pull/432): Fix cli-docs and Improve main test. * [419](https://github.com/nginxinc/kubernetes-ingress/pull/419): Refactor config writing. Thanks to [feifeiiiiiiiiii](https://github.com/feifeiiiiiiiiiii). @@ -889,6 +1015,7 @@ IMPROVEMENTS: * [351](https://github.com/nginxinc/kubernetes-ingress/pull/351): Make socket address obvious. BUGFIXES: + * [429](https://github.com/nginxinc/kubernetes-ingress/pull/429): Fix panic with health checks. * [386](https://github.com/nginxinc/kubernetes-ingress/pull/386): Fix Configmap/Mergeable Ingress Add/Update event logging. * [379](https://github.com/nginxinc/kubernetes-ingress/pull/379): Fix configmap update. @@ -896,6 +1023,7 @@ BUGFIXES: * [348](https://github.com/nginxinc/kubernetes-ingress/pull/348): Fix Configurator error check. HELM CHART: + * [430](https://github.com/nginxinc/kubernetes-ingress/pull/430): Add the `controller.serviceAccount.imagePullSecrets` parameter to the helm chart. See also the CHANGES section. * [420](https://github.com/nginxinc/kubernetes-ingress/pull/420): Simplify values files for Helm Chart. * [398](https://github.com/nginxinc/kubernetes-ingress/pull/398): Add the `controller.nginxStatus.allowCidrs` and `controller.service.externalIPs` parameters to helm chart. @@ -906,6 +1034,7 @@ HELM CHART: * The version of the Helm chart is now 0.2.0. CHANGES: + * Update NGINX version to 1.15.6. * Update NGINX Plus version to R16p1. * Update NGINX Prometheus Exporter to 0.2.0. 
@@ -919,30 +1048,36 @@ CHANGES: DOC AND EXAMPLES FIXES/IMPROVEMENTS: [435](https://github.com/nginxinc/kubernetes-ingress/pull/435), [433](https://github.com/nginxinc/kubernetes-ingress/pull/433), [432](https://github.com/nginxinc/kubernetes-ingress/pull/432), [418](https://github.com/nginxinc/kubernetes-ingress/pull/418) (Thanks to [Hal Deadman](https://github.com/hdeadman)), [406](https://github.com/nginxinc/kubernetes-ingress/pull/406), [381](https://github.com/nginxinc/kubernetes-ingress/pull/381), [349](https://github.com/nginxinc/kubernetes-ingress/pull/349) (Thanks to [Artur Geraschenko](https://github.com/arturgspb)), [343](https://github.com/nginxinc/kubernetes-ingress/pull/343) UPGRADE: + * For NGINX, use the 1.4.0 image from our DockerHub: `nginx/nginx-ingress:1.4.0` or `nginx/nginx-ingress:1.4.0-alpine` * For NGINX Plus, please build your own image using the 1.4.0 source code. ### 1.3.2 CHANGES: + * Update NGINX version to 1.15.6. UPGRADE: + * For NGINX, use the 1.3.2 image from our DockerHub: `nginx/nginx-ingress:1.3.2` or `nginx/nginx-ingress:1.3.2-alpine` * For NGINX Plus, please build your own image using the 1.3.2 source code. ### 1.3.1 CHANGES: + * Update NGINX Plus version to R15p2. UPGRADE: + * For NGINX, use the 1.3.1 image from our DockerHub: `nginx/nginx-ingress:1.3.1` or `nginx/nginx-ingress:1.3.1-alpine` * For NGINX Plus, please build your own image using the 1.3.1 source code. ### 1.3.0 IMPROVEMENTS: + * [325](https://github.com/nginxinc/kubernetes-ingress/pull/325): Report ingress status. * [311](https://github.com/nginxinc/kubernetes-ingress/pull/311): Support JWT auth in mergeable minions. * [310](https://github.com/nginxinc/kubernetes-ingress/pull/310): NGINX configuration template custom path support. 
@@ -957,15 +1092,17 @@ IMPROVEMENTS: * [286](https://github.com/nginxinc/kubernetes-ingress/pull/286): Add support for active health checks for Plus. CHANGES: + * [330](https://github.com/nginxinc/kubernetes-ingress/pull/330): Update NGINX version to 1.15.2. * [329](https://github.com/nginxinc/kubernetes-ingress/pull/329): Enforce annotations inheritance in minions. BUGFIXES: + * [326](https://github.com/nginxinc/kubernetes-ingress/pull/326): Fix find ingress for secret ns bug. * [284](https://github.com/nginxinc/kubernetes-ingress/pull/284): Correct Logs for Mergeable Types with Duplicate Location. Thanks to [Fernando Diaz](https://github.com/diazjf). - UPGRADE: + * For NGINX, use the 1.3.0 image from our DockerHub: `nginx/nginx-ingress:1.3.0` * For NGINX Plus, please build your own image using the 1.3.0 source code. @@ -997,7 +1134,6 @@ UPGRADE: * Update NGINX version to 1.13.12. * Update NGINX Plus version to R15 P1. - ### 1.1.1 * [228](https://github.com/nginxinc/kubernetes-ingress/pull/228): Add worker-rlimit-nofile configmap key. Thanks to [Aleksandr Lysenko](https://github.com/Sarga). @@ -1096,7 +1232,6 @@ the Ingress Controller will reject the Ingress object. but retries every 5s. Tha The previous version was 0.3 - ### Notes * Except when mentioned otherwise, the controller refers both to the NGINX and the NGINX Plus Ingress Controllers. diff --git a/README.md b/README.md index 120bb580413..28719601580 100644 --- a/README.md +++ b/README.md 
@@ -51,7 +51,7 @@ In the case of NGINX, the Ingress Controller is deployed in a pod along with the We publish NGINX Ingress Controller releases on GitHub. See our [releases page](https://github.com/nginxinc/kubernetes-ingress/releases). -The latest stable release is [3.1.1](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.1.1). For production use, we recommend that you choose the latest stable release. +The latest stable release is [3.2.0](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.2.0). For production use, we recommend that you choose the latest stable release. The edge version is useful for experimenting with new features that are not yet published in a stable release. To use it, choose the *edge* version built from the [latest commit](https://github.com/nginxinc/kubernetes-ingress/commits/main) from the main branch. 
@@ -67,7 +67,7 @@ The table below summarizes the options regarding the images, Helm chart, manifes | Version | Description | Image for NGINX | Image for NGINX Plus | Installation Manifests and Helm Chart | Documentation and Examples | | ------- | ----------- | --------------- | -------------------- | ---------------------------------------| -------------------------- | -| Latest stable release | For production use | Use the 3.1.1 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.1.1 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/deployments/helm-chart). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). 
| +| Latest stable release | For production use | Use the 3.2.0 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.2.0 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/deployments/helm-chart). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). | | Edge/Nightly | For testing and experimenting | Use the edge or nightly images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). 
| [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments/helm-chart). | [Documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content). [Examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). | ## SBOM (Software Bill of Materials) diff --git a/deployments/daemon-set/nginx-ingress.yaml b/deployments/daemon-set/nginx-ingress.yaml index 14c855718e8..ae07ff43dc3 100644 --- a/deployments/daemon-set/nginx-ingress.yaml +++ b/deployments/daemon-set/nginx-ingress.yaml @@ -32,7 +32,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx/nginx-ingress:3.1.1 + - image: nginx/nginx-ingress:3.2.0 imagePullPolicy: IfNotPresent name: nginx-ingress ports: @@ -96,7 +96,7 @@ spec: #- -enable-prometheus-metrics #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.1.1 +# - image: nginx/nginx-ingress:3.2.0 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/deployments/daemon-set/nginx-plus-ingress.yaml b/deployments/daemon-set/nginx-plus-ingress.yaml index cdc896d8da0..20dd7f095a1 100644 --- a/deployments/daemon-set/nginx-plus-ingress.yaml +++ b/deployments/daemon-set/nginx-plus-ingress.yaml @@ -32,7 +32,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx-plus-ingress:3.1.1 + - image: nginx-plus-ingress:3.2.0 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ports: @@ -99,7 +99,7 @@ spec: #- -enable-prometheus-metrics #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.1.1 +# - image: nginx/nginx-ingress:3.2.0 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] 
diff --git a/deployments/deployment/nginx-ingress.yaml b/deployments/deployment/nginx-ingress.yaml index 5454272e635..43c91520001 100644 --- a/deployments/deployment/nginx-ingress.yaml +++ b/deployments/deployment/nginx-ingress.yaml @@ -33,7 +33,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx/nginx-ingress:3.1.1 + - image: nginx/nginx-ingress:3.2.0 imagePullPolicy: IfNotPresent name: nginx-ingress ports: @@ -97,7 +97,7 @@ spec: #- -enable-prometheus-metrics #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.1.1 +# - image: nginx/nginx-ingress:3.2.0 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/deployments/deployment/nginx-plus-ingress.yaml index ebf9ed4ec74..24c3bcc6b57 100644 --- a/deployments/deployment/nginx-plus-ingress.yaml +++ b/deployments/deployment/nginx-plus-ingress.yaml @@ -33,7 +33,7 @@ spec: # - name: nginx-log # emptyDir: {} containers: - - image: nginx-plus-ingress:3.1.1 + - image: nginx-plus-ingress:3.2.0 imagePullPolicy: IfNotPresent name: nginx-plus-ingress ports: @@ -103,7 +103,7 @@ spec: #- -enable-service-insight #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration # initContainers: -# - image: nginx/nginx-ingress:3.1.1 +# - image: nginx/nginx-ingress:3.2.0 # imagePullPolicy: IfNotPresent # name: init-nginx-ingress # command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] diff --git a/deployments/helm-chart/Chart.yaml b/deployments/helm-chart/Chart.yaml index cb8377dc780..3f0c0f39c13 100644 --- a/deployments/helm-chart/Chart.yaml +++ b/deployments/helm-chart/Chart.yaml 
@@ -1,14 +1,14 @@ apiVersion: v2 name: nginx-ingress -version: 0.17.1 -appVersion: 3.1.1 +version: 0.18.0 +appVersion: 3.2.0 kubeVersion: ">= 1.22.0-0" type: application description: NGINX Ingress Controller -icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.1.1/deployments/helm-chart/chart-icon.png +icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.0/deployments/helm-chart/chart-icon.png home: https://github.com/nginxinc/kubernetes-ingress sources: - - https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/deployments/helm-chart + - https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/deployments/helm-chart keywords: - ingress - nginx diff --git a/deployments/helm-chart/README.md b/deployments/helm-chart/README.md index 15a4ade5d1e..998c8cb8ec8 100644 --- a/deployments/helm-chart/README.md +++ b/deployments/helm-chart/README.md 
@@ -6,14 +6,14 @@ This chart deploys the NGINX Ingress Controller in your Kubernetes cluster. ## Prerequisites - - A [Kubernetes Version Supported by the Ingress Controller](https://docs.nginx.com/nginx-ingress-controller/technical-specifications/#supported-kubernetes-versions) - - Helm 3.0+. - - If you’d like to use NGINX Plus: - - To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). Make sure to specify the secret using `controller.serviceAccount.imagePullSecretName` parameter. - - Alternatively, pull an Ingress Controller image with NGINX Plus and push it to your private registry by following the instructions from [here](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image). - - Alternatively, you can build an Ingress Controller image with NGINX Plus and push it to your private registry by following the instructions from [here](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image). - - Update the `controller.image.repository` field of the `values-plus.yaml` accordingly. - - If you’d like to use App Protect DoS, please install App Protect DoS Arbitrator [helm chart](https://github.com/nginxinc/nap-dos-arbitrator-helm-chart). Make sure to install in the same namespace as the NGINX Ingress Controller. Note that if you install multiple NGINX Ingress Controllers in the same namespace, they will need to share the same Arbitrator because it is not possible to install more than one Arbitrator in a single namespace. +- A [Kubernetes Version Supported by the Ingress Controller](https://docs.nginx.com/nginx-ingress-controller/technical-specifications/#supported-kubernetes-versions) +- Helm 3.0+. 
+- If you’d like to use NGINX Plus: + - To pull from the F5 Container registry, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here](https://docs.nginx.com/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). Make sure to specify the secret using `controller.serviceAccount.imagePullSecretName` parameter. + - Alternatively, pull an Ingress Controller image with NGINX Plus and push it to your private registry by following the instructions from [here](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image). + - Alternatively, you can build an Ingress Controller image with NGINX Plus and push it to your private registry by following the instructions from [here](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image). + - Update the `controller.image.repository` field of the `values-plus.yaml` accordingly. +- If you’d like to use App Protect DoS, please install App Protect DoS Arbitrator [helm chart](https://github.com/nginxinc/nap-dos-arbitrator-helm-chart). Make sure to install in the same namespace as the NGINX Ingress Controller. Note that if you install multiple NGINX Ingress Controllers in the same namespace, they will need to share the same Arbitrator because it is not possible to install more than one Arbitrator in a single namespace. ## CRDs @@ -26,8 +26,9 @@ If you do not use the custom resources that require those CRDs (which correspond To upgrade the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: ```console -$ kubectl apply -f crds/ +kubectl apply -f crds/ ``` + > **Note** > > The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply`. 
@@ -39,26 +40,29 @@ $ kubectl apply -f crds/ To remove the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: ```console -$ kubectl delete -f crds/ +kubectl delete -f crds/ ``` + > **Note** > > This command will delete all the corresponding custom resources in your cluster across all namespaces. Please ensure there are no custom resources that you want to keep and there are no other Ingress Controller releases running in the cluster. - ## Managing the Chart via OCI Registry + ### Installing the Chart To install the chart with the release name my-release (my-release is the name that you choose): For NGINX: + ```console -$ helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.17.1 +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.0 ``` For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`) + ```console -$ helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.17.1 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.0 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true ``` This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to use Docker Hub, you can replace `ghcr.io/nginxinc/charts/nginx-ingress` with `registry-1.docker.io/nginxcharts/nginx-ingress`. @@ -70,7 +74,7 @@ Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a re To upgrade the release `my-release`: ```console -$ helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.17.1 +helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.18.0 ``` ### Uninstalling the Chart 
@@ -78,8 +82,9 @@ $ helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version To uninstall/delete the release `my-release`: ```console -$ helm uninstall my-release +helm uninstall my-release ``` + The command removes all the Kubernetes components associated with the release and deletes the release. Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the CRDs](#uninstalling-the-crds). @@ -90,14 +95,13 @@ To test the latest changes in NGINX Ingress Controller before a new release, you You can install the `edge` version by specifying the `--version` flag with the value `0.0.0-edge`: ```console -$ helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge +helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge ``` > **Warning** > > The `edge` version is not intended for production use. It is intended for testing and development purposes only. - ## Managing the Chart via Sources ### Pulling the Chart @@ -105,13 +109,15 @@ $ helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version This step is required if you're installing the chart using its sources. Additionally, the step is also required for managing the custom resource definitions (CRDs), which the Ingress Controller requires by default, or for upgrading/deleting the CRDs. 1. Pull the chart sources: + ```console - $ helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 0.17.1 + helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 0.18.0 ``` 2. Change your working directory to nginx-ingress: + ```console - $ cd nginx-ingress + cd nginx-ingress ``` ### Installing the Chart 
@@ -119,13 +125,15 @@ This step is required if you're installing the chart using its sources. Addition To install the chart with the release name my-release (my-release is the name that you choose): For NGINX: + ```console -$ helm install my-release . +helm install my-release . ``` For NGINX Plus: + ```console -$ helm install my-release -f values-plus.yaml . +helm install my-release -f values-plus.yaml . ``` The command deploys the Ingress Controller in your Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation. @@ -137,7 +145,7 @@ Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a re To upgrade the release `my-release`: ```console -$ helm upgrade my-release . +helm upgrade my-release . ``` ### Uninstalling the Chart @@ -145,7 +153,7 @@ $ helm upgrade my-release . To uninstall/delete the release `my-release`: ```console -$ helm uninstall my-release +helm uninstall my-release ``` The command removes all the Kubernetes components associated with the release and deletes the release. @@ -158,7 +166,6 @@ If you are running multiple Ingress Controller releases in your cluster with ena See [running multiple Ingress Controllers](https://docs.nginx.com/nginx-ingress-controller/installation/running-multiple-ingress-controllers/) for more details. - ## Configuration The following tables lists the configurable parameters of the NGINX Ingress Controller chart and their default values. 
@@ -174,9 +181,9 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.dnsPolicy` | DNS policy for the Ingress Controller pods. | ClusterFirst | |`controller.nginxDebug` | Enables debugging for NGINX. Uses the `nginx-debug` binary. Requires `error-log-level: debug` in the ConfigMap via `controller.config.entries`. | false | |`controller.logLevel` | The log level of the Ingress Controller. | 1 | -|`controller.image.digest ` | The image digest of the Ingress Controller. | None | +|`controller.image.digest` | The image digest of the Ingress Controller. | None | |`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress | -|`controller.image.tag` | The tag of the Ingress Controller image. | 3.1.1 | +|`controller.image.tag` | The tag of the Ingress Controller image. | 3.2.0 | |`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent | |`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} | |`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" | 
@@ -293,5 +300,6 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`nginxServiceMesh.enableEgress` | Enable NGINX Service Mesh workloads to route egress traffic through the Ingress Controller. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/#enabling-egress) for more details. Requires `nginxServiceMesh.enable`. | false | ## Notes -* The values-icp.yaml file is used for deploying the Ingress Controller on IBM Cloud Private. See the [blog post](https://www.nginx.com/blog/nginx-ingress-controller-ibm-cloud-private/) for more details. -* The values-nsm.yaml file is used for deploying the Ingress Controller with NGINX Service Mesh. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. + +- The values-icp.yaml file is used for deploying the Ingress Controller on IBM Cloud Private. See the [blog post](https://www.nginx.com/blog/nginx-ingress-controller-ibm-cloud-private/) for more details. +- The values-nsm.yaml file is used for deploying the Ingress Controller with NGINX Service Mesh. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. diff --git a/deployments/helm-chart/values-icp.yaml b/deployments/helm-chart/values-icp.yaml index 4eb2c6d65d3..1b68d4321d1 100644 --- a/deployments/helm-chart/values-icp.yaml +++ b/deployments/helm-chart/values-icp.yaml @@ -4,7 +4,7 @@ controller: nginxplus: true image: repository: mycluster.icp:8500/kube-system/nginx-plus-ingress - tag: "3.1.1" + tag: "3.2.0" nodeSelector: beta.kubernetes.io/arch: "amd64" proxy: true diff --git a/deployments/helm-chart/values-plus.yaml b/deployments/helm-chart/values-plus.yaml index 60e00179c6e..210ee505a3f 100644 --- a/deployments/helm-chart/values-plus.yaml +++ b/deployments/helm-chart/values-plus.yaml 
@@ -3,4 +3,4 @@ controller: nginxplus: true image: repository: nginx-plus-ingress - tag: "3.1.1" + tag: "3.2.0" diff --git a/deployments/helm-chart/values.yaml b/deployments/helm-chart/values.yaml index d99ff35b98c..32ace3bf9a3 100644 --- a/deployments/helm-chart/values.yaml +++ b/deployments/helm-chart/values.yaml @@ -54,7 +54,7 @@ controller: repository: nginx/nginx-ingress ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag. - # tag: "3.1.1" + # tag: "3.2.0" ## The digest of the Ingress Controller image. ## If digest is specified it has precedence over tag and will be used instead @@ -142,7 +142,6 @@ controller: # cpu: 1 # memory: 1Gi - ## The tolerations of the Ingress Controller pods. tolerations: [] diff --git a/docs/content/app-protect-dos/configuration.md b/docs/content/app-protect-dos/configuration.md index 22d57dd5a96..579e78d8fca 100644 --- a/docs/content/app-protect-dos/configuration.md +++ b/docs/content/app-protect-dos/configuration.md @@ -9,7 +9,7 @@ docs: "DOCS-580" --- This document describes how to configure the NGINX App Protect DoS module -> Check out the complete [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/examples/ingress-resources/app-protect-dos). +> Check out the complete [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/examples/ingress-resources/app-protect-dos). ## App Protect DoS Configuration 
@@ -17,6 +17,7 @@ A `DosProtectedResource` is a [Custom Resource](https://kubernetes.io/docs/conce An [Ingress](/nginx-ingress-controller/configuration/ingress-resources/basic-configuration), [VirtualServer and VirtualServerRoute](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/) can be protected by specifying a reference to the DosProtectedResource. 1. Create an `DosProtectedResource` Custom resource manifest. As an example: + ```yaml apiVersion: appprotectdos.f5.com/v1beta1 kind: DosProtectedResource @@ -30,7 +31,9 @@ spec: protocol: "http1" timeout: 5 ``` + 2. Enable App Protect DoS on an Ingress by adding an annotation on the Ingress. Set the value of the annotation to the qualified identifier(`namespace/name`) of a DosProtectedResource: + ```yaml apiVersion: networking.k8s.io/v1 kind: Ingress @@ -39,7 +42,9 @@ spec: annotations: appprotectdos.f5.com/app-protect-dos-resource: "default/dos-protected" ``` + 3. Enable App Protect DoS on a VirtualServer by setting the `dos` field value to the qualified identifier(`namespace/name`) of a DosProtectedResource: + ```yaml apiVersion: k8s.nginx.org/v1 kind: VirtualServer @@ -90,6 +95,7 @@ You would create an `APDosPolicy` resource with the policy defined in the `spec` ``` Then add a reference in the `DosProtectedResource` to the `ApDosPolicy`: + ```yaml apiVersion: appprotectdos.f5.com/v1beta1 kind: DosProtectedResource @@ -134,6 +140,7 @@ spec: ``` Then add a reference in the `DosProtectedResource` to the `APDosLogConf`: + ```yaml apiVersion: appprotectdos.f5.com/v1beta1 kind: DosProtectedResource 
@@ -149,6 +156,7 @@ Then add a reference in the `DosProtectedResource` to the `APDosLogConf`: apDosLogConf: "doslogconf" dosLogDest: "syslog-svc.default.svc.cluster.local:514" ``` + ## Global Configuration The NGINX Ingress Controller has a set of global configuration parameters that align with those available in the NGINX App Protect DoS module. See [ConfigMap keys](/nginx-ingress-controller/configuration/global-configuration/configmap-resource/#modules) for the complete list. The App Protect parameters use the `app-protect-dos*` prefix. diff --git a/docs/content/app-protect-dos/installation.md b/docs/content/app-protect-dos/installation.md index d516eb3e8fc..f5810e9256f 100644 --- a/docs/content/app-protect-dos/installation.md +++ b/docs/content/app-protect-dos/installation.md @@ -18,9 +18,10 @@ This document provides an overview of the steps required to use NGINX App Protec * To pull from the F5 Container registry in your Kubernetes cluster, configure a docker registry secret using your JWT token from the MyF5 portal by following the instructions from [here](/nginx-ingress-controller/installation/using-the-jwt-token-docker-secret). * It is also possible to build your own image and push it to your private Docker registry by following the instructions from [here](/nginx-ingress-controller/installation/building-ingress-controller-image). 2. Clone the Ingress Controller repo: + ``` - $ git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.1.1 - $ cd kubernetes-ingress/deployments + git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.2.0 + cd kubernetes-ingress/deployments ``` ## Install the App Protect DoS Arbitrator 
@@ -30,7 +31,7 @@ This document provides an overview of the steps required to use NGINX App Protec The App Protect DoS Arbitrator can be installed using the [NGINX App Protect DoS Helm Chart](https://github.com/nginxinc/nap-dos-arbitrator-helm-chart). If you have the NGINX Helm Repository already added, you can install the App Protect DoS Arbitrator by running the following command: -```bash +```console helm install my-release-dos nginx-stable/nginx-appprotect-dos-arbitrator ``` @@ -38,14 +39,15 @@ helm install my-release-dos nginx-stable/nginx-appprotect-dos-arbitrator Alternatively, you can install the App Protect DoS Arbitrator using the YAML manifests provided in the Ingress Controller repo. -- Create the namespace and service account +* Create the namespace and service account -```bash +```console kubectl apply -f common/ns-and-sa.yaml ``` -- Deploy the app protect dos arbitrator - ```bash +* Deploy the app protect dos arbitrator + + ```console kubectl apply -f deployment/appprotect-dos-arb.yaml kubectl apply -f service/appprotect-dos-arb-svc.yaml ``` 
@@ -54,18 +56,19 @@ Alternatively, you can install the App Protect DoS Arbitrator using the YAML man Take the steps below to create the Docker image that you'll use to deploy NGINX Ingress Controller with App Protect DoS in Kubernetes. -- [Build the NGINX Ingress Controller image](/nginx-ingress-controller/installation/building-ingress-controller-image). +* [Build the NGINX Ingress Controller image](/nginx-ingress-controller/installation/building-ingress-controller-image). When running the `make` command to build the image, be sure to use the `debian-image-dos-plus` target. For example: - ```bash + ```console make debian-image-dos-plus PREFIX=/nginx-plus-ingress ``` + Alternatively, if you want to run on an [OpenShift](https://www.openshift.com/) cluster, use the `ubi-image-dos-plus` target. If you want to include the App Protect WAF module in the image, you can use the `debian-image-nap-dos-plus` target or the `ubi-image-nap-dos-plus` target for OpenShift. -- [Push the image to your local Docker registry](/nginx-ingress-controller/installation/building-ingress-controller-image/#building-the-image-and-pushing-it-to-the-private-registry). +* [Push the image to your local Docker registry](/nginx-ingress-controller/installation/building-ingress-controller-image/#building-the-image-and-pushing-it-to-the-private-registry). ## Install the Ingress Controller 
@@ -79,4 +82,4 @@ Take the steps below to set up and deploy the NGINX Ingress Controller and App P 3. Enable the App Protect Dos module by adding the `enable-app-protect-dos` [cli argument](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-app-protect-dos) to your Deployment or DaemonSet file. 4. [Deploy the Ingress Controller](/nginx-ingress-controller/installation/installation-with-manifests/#3-deploy-the-ingress-controller). -For more information, see the [Configuration guide](/nginx-ingress-controller/app-protect-dos/configuration),the [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/examples/ingress-resources/app-protect-dos). +For more information, see the [Configuration guide](/nginx-ingress-controller/app-protect-dos/configuration),the [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/examples/ingress-resources/app-protect-dos). diff --git a/docs/content/app-protect-waf/configuration.md b/docs/content/app-protect-waf/configuration.md index 0e81b6eaade..5bd852d6f45 100644 --- a/docs/content/app-protect-waf/configuration.md +++ b/docs/content/app-protect-waf/configuration.md 
@@ -8,7 +8,7 @@ docs: "DOCS-578" aliases: ["/app-protect/configuration/"] --- -> Check out the complete NGINX Ingress Controller with NGINX App Protect WAF example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/examples/ingress-resources/app-protect-waf). +> Check out the complete NGINX Ingress Controller with NGINX App Protect WAF example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/examples/ingress-resources/app-protect-waf). ## Global Configuration @@ -22,7 +22,6 @@ To configure NGINX App Protect WAF on a VirtualServer resource, you would create To configure NGINX App Protect WAF on an Ingress resource, you would apply the [`app-protect` annotations](/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/#app-protect) to each desired resource. - ## NGINX App Protect WAF Policies You can define NGINX App Protect WAF policies for your VirtualServer, VirtualServerRoute, or Ingress resources by creating an `APPolicy` [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). @@ -100,7 +99,6 @@ To add any [NGINX App Protect WAF policy](/nginx-app-protect-waf/declarative-pol ``` > Notice how the fields match exactly in name and level. NGINX Ingress Controller will transform the YAML into a valid JSON WAF policy config. -
## NGINX App Protect WAF Logs @@ -144,6 +142,7 @@ spec: max_request_size: any max_message_size: 5k ``` + ## NGINX App Protect WAF User Defined Signatures You can define NGINX App Protect WAF [User-Defined Signatures](/nginx-app-protect-waf/configuration-guide/configuration/#user-defined-signatures) for your VirtualServer or Ingress resources by creating an `APUserSig` [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). @@ -215,6 +214,7 @@ The OpenAPI Specification defines the spec file format needed to describe RESTfu NGINX Ingress Controller supports OpenAPI Specification versions 2.0 and 3.0. The simplest way to create an API protection policy is using an OpenAPI Specification file to import the details of the APIs. If you use an OpenAPI Specification file, NGINX App Protect WAF will automatically create a policy for the following properties (depending on what's included in the spec file): + * Methods * URLs * Parameters 
@@ -245,18 +245,18 @@ These are the typical steps to deploy an OpenAPI protection Policy in NGINX Ingr 3. Make other custom changes if needed (e.g. enable Data Guard protection). 4. Use a tool to convert the result to YAML. There are many, for example: [`yq` utility](https://github.com/mikefarah/yq). 5. Add the YAML properties to create an `APPolicy` Custom Resource putting the policy itself (as in step 4) within the `spec` property of the Custom Resource. Refer to the [NGINX App Protect Policies](#nginx-app-protect-waf-policies) section above. -6. Create a `Policy` object which references the `APPolicy` Custom Resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.1.1/examples/custom-resources/app-protect-waf/waf.yaml). -7. Finally, attach the `Policy` object to a `VirtualServer` resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.1.1/examples/custom-resources/app-protect-waf/virtual-server.yaml). +6. Create a `Policy` object which references the `APPolicy` Custom Resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.2.0/examples/custom-resources/app-protect-waf/waf.yaml). +7. Finally, attach the `Policy` object to a `VirtualServer` resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.2.0/examples/custom-resources/app-protect-waf/virtual-server.yaml). **Note**: You need to make sure that the server where the resource files are located is always available when you are compiling your policy. -##### Example Configuration +### Example Configuration In this example, we are adding an OpenAPI Specification file reference to `/etc/app_protect/conf/NginxApiSecurityPolicy.yaml` using the [link](https://raw.githubusercontent.com/aws-samples/api-gateway-secure-pet-store/master/src/main/resources/swagger.yaml). This will configure allowed data types for `query_int` and `query_str` parameters values. 
**Policy configuration:** -~~~yaml +```yaml --- apiVersion: appprotect.f5.com/v1beta1 kind: APPolicy @@ -326,12 +326,11 @@ apiVersion: appprotect.f5.com/v1beta1 - block: true description: Illegal repeated parameter name name: VIOL_PARAMETER_REPEATED - -~~~ +``` Content of the referenced file `myapi.yaml`: -~~~yaml +```yaml openapi: 3.0.1 info: title: 'Primitive data types' @@ -364,7 +363,7 @@ paths: description: OK 404: description: NotFound -~~~ +``` In this case, the following request will trigger an `Illegal parameter data type` violation, as we expect to have an integer value in the `query_int` parameter: 
@@ -378,61 +377,69 @@ The `link` option is also available in the `openApiFileReference` property and i **Note**: `openApiFileReference` is not an array. - ## Configuration in NGINX Plus Ingress Controller using Virtual Server Resource + In this example we deploy NGINX Ingress Controller with NGINX Plus and NGINX App Protect WAF, deploy a simple web application, and then configure load balancing and WAF protection for that application using the VirtualServer resource. -**Note:** You can find the example, and the files referenced, on [GitHub](https://github.com/nginxinc/kubernetes-ingress/tree/v3.1.1/examples/custom-resources/app-protect-waf). +**Note:** You can find the example, and the files referenced, on [GitHub](https://github.com/nginxinc/kubernetes-ingress/tree/v3.2.0/examples/custom-resources/app-protect-waf). ## Prerequisites 1. Follow the installation [instructions](https://docs.nginx.com/nginx-ingress-controller/installation) to deploy NGINX Ingress Controller with NGINX Plus and NGINX App Protect WAF. 2. Save the public IP address of NGINX Ingress Controller into a shell variable: - ``` - $ IC_IP=XXX.YYY.ZZZ.III + + ```console + IC_IP=XXX.YYY.ZZZ.III ``` 3. Save the HTTP port of NGINX Ingress Controller into a shell variable: + + ```console + IC_HTTP_PORT= ``` - $ IC_HTTP_PORT= - ``` ### Step 1. Deploy a Web Application Create the application deployment and service: - ``` - $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.1.1/examples/custom-resources/app-protect-waf/webapp.yaml + + ```console + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.0/examples/custom-resources/app-protect-waf/webapp.yaml ``` ### Step 2. Deploy the AP Policy 1. 
Create the syslog service and pod for the NGINX App Protect WAF security logs: - ``` - $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.1.1/examples/custom-resources/app-protect-waf/syslog.yaml + + ```console + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.0/examples/custom-resources/app-protect-waf/syslog.yaml ``` 2. Create the User-Defined Signature, WAF policy, and log configuration: - ``` - $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.1.1/examples/custom-resources/app-protect-waf/ap-apple-uds.yaml - $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.1.1/examples/custom-resources/app-protect-waf/ap-dataguard-alarm-policy.yaml - $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.1.1/examples/custom-resources/app-protect-waf/ap-logconf.yaml + ```console + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.0/examples/custom-resources/app-protect-waf/ap-apple-uds.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.0/examples/custom-resources/app-protect-waf/ap-dataguard-alarm-policy.yaml + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.0/examples/custom-resources/app-protect-waf/ap-logconf.yaml ``` ### Step 3 - Deploy the WAF Policy Create the WAF policy + + ```console + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.0/examples/custom-resources/app-protect-waf/waf.yaml ``` - $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.1.1/examples/custom-resources/app-protect-waf/waf.yaml - ``` + Note the NGINX App Protect WAF configuration settings in the Policy resource. They enable WAF protection by configuring NGINX App Protect WAF with the policy and log configuration created in the previous step. 
### Step 4 - Configure Load Balancing 1. Create the VirtualServer Resource: + + ```console + kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.0/examples/custom-resources/app-protect-waf/virtual-server.yaml ``` - $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.1.1/examples/custom-resources/app-protect-waf/virtual-server.yaml - ``` + Note that the VirtualServer references the policy waf-policy created in Step 3. ### Step 5 - Test the Application @@ -440,33 +447,38 @@ Note that the VirtualServer references the policy waf-policy created in Step 3. To access the application, curl the coffee and the tea services. We'll use the --resolve option to set the Host header of a request with `webapp.example.com` 1. Send a request to the application: - ``` + + ```console $ curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT/ Server address: 10.12.0.18:80 Server name: webapp-7586895968-r26zn ``` 2. Now, let's try to send a request with a suspicious URL: - ``` + + ```console $ curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP "http://webapp.example.com:$IC_HTTP_PORT/
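Review bot: In deployments/helm-chart/README.md, the hunk at `@@ -39,26 +40,29 @@` bumps both install commands to `--version 0.18.0` but keeps the context sentence "This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry" directly below them. A command pinned to `--version 0.18.0` installs that chart release, and the `edge` install is documented separately in the same file with `--version 0.0.0-edge` and a warning that it is not for production. Suggest rewording the sentence to name the pinned chart version, so readers do not conclude that the documented production command pulls a development build.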
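Review bot: The image tag bump from 3.1.1 to 3.2.0 (README.md parameter table at `@@ -174,9 +181,9 @@`, values-icp.yaml, values-plus.yaml and the commented `# tag:` in values.yaml) leaves the `controller.image.digest` row reading only "The image digest of the Ingress Controller" with default None. values.yaml already says "If digest is specified it has precedence over tag and will be used instead"; that sentence should be in the README row as well, because a user who pinned a digest for the previous release and now changes only `controller.image.tag` will keep running the old image. Since this hunk already edits the digest row to drop the stray space, it is the natural place to add the precedence note.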
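Review bot: docs/content/app-protect-dos/installation.md ends up with mixed conventions after this change. In the hunk at `@@ -18,9 +18,10 @@` the `git clone` block keeps an unlabelled fence, while the later hunks in the same file relabel every other command block from `bash` to `console`. The bullet markers in this file also go from `-` to `*`, while the Notes list in deployments/helm-chart/README.md goes the other way, from `*` to `-`. Suggest tagging the clone block `console` and settling on one bullet marker across the docs so the lint cleanup in this release is consistent.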
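Review bot: In docs/content/app-protect-waf/configuration.md, Steps 1 to 4 still apply manifests straight from a remote URL, for example `kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.2.0/examples/custom-resources/app-protect-waf/webapp.yaml`, so the operator never sees the content that is applied to the cluster and gets whatever the tag resolves to at fetch time. The DoS installation guide in this same patch already has readers run `git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.2.0`. Suggest the WAF walkthrough apply the files from that checkout under examples/custom-resources/app-protect-waf/, which lets the manifests be read and diffed before they are applied and leaves a single place to bump the version on the next release.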