Merge pull request kubernetes#25 from kd7lxl/controller-fips-45

Update fips build with ingress-nginx 0.45.0
kd7lxl · Apr 7, 2021 · 555f2f8 · 555f2f8
2 parents 4cb6447 + 5c1c27c
commit 555f2f8
Show file tree

Hide file tree

Showing 44 changed files with 728 additions and 336 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -1,5 +1,31 @@
 # Changelog
 
+### 0.45.0
+
+**Image:**
+
+- `k8s.gcr.io/ingress-nginx/controller:v0.45.0@sha256:c4390c53f348c3bd4e60a5dd6a11c35799ae78c49388090140b9d72ccede1755`
+
+_New Features:_
+
+- Update the Ingress Controller Image to correct OpenSSL CVEs
+- Add support for Jaeger Endpoint [#6884](https://github.com/kubernetes/ingress-nginx/pull/6884)
+- Allow Multiple Publish Status Addresses [#6856](https://github.com/kubernetes/ingress-nginx/pull/6856)
+
+_Changes:_
+
+- [X] [#6995](https://github.com/kubernetes/ingress-nginx/pull/6995) updating nginx base image across repo
+- [X] [#6983](https://github.com/kubernetes/ingress-nginx/pull/6983) Expose Geo IP subdivision 1 as variables
+- [X] [#6979](https://github.com/kubernetes/ingress-nginx/pull/6979) Changed servicePort value for metrics
+- [X] [#6971](https://github.com/kubernetes/ingress-nginx/pull/6971) Fix crl not reload when crl got updated in the ca secret
+- [X] [#6957](https://github.com/kubernetes/ingress-nginx/pull/6957) Add ability to specify automountServiceAccountToken
+- [X] [#6956](https://github.com/kubernetes/ingress-nginx/pull/6956) update nginx base image, handle jaeger propagation format 
+- [X] [#6936](https://github.com/kubernetes/ingress-nginx/pull/6936) update tracing libraries for opentracing 1.6.0 
+- [X] [#6908](https://github.com/kubernetes/ingress-nginx/pull/6908) feat(chart) Add volumes to default-backend deployment #6908 
+- [X] [#6884](https://github.com/kubernetes/ingress-nginx/pull/6884) jaeger-endpoint feature for non-agent trace collectors
+- [X] [#6856](https://github.com/kubernetes/ingress-nginx/pull/6856) Allow multiple publish status addresses
+- [X] [#6971](https://github.com/kubernetes/ingress-nginx/pull/6971) Fix bug related to CRL update
+
 ### 0.44.0
 
 **Image:**

diff --git a/Makefile b/Makefile
@@ -52,7 +52,7 @@ endif
 
 REGISTRY ?= gcr.io/k8s-staging-ingress-nginx
 
-BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210115-gba0502603@sha256:224da667cf3047998ea691e9766fedd1eab94257a39df81374bfa14536da3688
+BASE_IMAGE ?= k8s.gcr.io/ingress-nginx/nginx:v20210324-g8baef769d@sha256:fcfa3e9d1f8ec3141efedbf77cf659640f452a9c22165c78006ea462b84d06f6
 
 GOARCH=$(ARCH)
 

diff --git a/OWNERS b/OWNERS
@@ -6,6 +6,8 @@ approvers:
   - ElvinEfendi
 
 reviewers:
-  - aledbf
   - ElvinEfendi
   - cmluciano
+
+emeritus_approvers:
+  - aledbf  # 2020-04-02
diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES
@@ -7,6 +7,4 @@ aliases:
     - thockin
   ingress-nginx-admins:
     - bowei
-    - aledbf
   ingress-nginx-maintainers:
-    - aledbf
diff --git a/SECURITY_CONTACTS b/SECURITY_CONTACTS
@@ -10,4 +10,3 @@
 # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
 # INSTRUCTIONS AT https://kubernetes.io/security/
 
-aledbf
diff --git a/TAG b/TAG
@@ -1 +1 @@
-v0.44.0
+v0.45.0
diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh
@@ -34,7 +34,7 @@ function cleanup {
 }
 trap cleanup EXIT
 
-E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210104-g81a8d5cd8@sha256:bfd55f589ea998f961825a9d09158d766cf621d1b8fc5d8c905aba07d9794e08}
+E2E_IMAGE=${E2E_IMAGE:-k8s.gcr.io/ingress-nginx/e2e-test-runner:v20210326-gb52c538bb@sha256:b1b684ac3cc6a1ba68611707467fe2c9fe1c9c4a60f85e19ee10ea14b5343432}
 
 DOCKER_OPTS=${DOCKER_OPTS:-}
 DOCKER_IN_DOCKER_ENABLED=${DOCKER_IN_DOCKER_ENABLED:-}

diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md
@@ -4,6 +4,22 @@ This file documents all notable changes to [ingress-nginx](https://github.com/ku
 
 ### Unreleased
 
+### 3.27.0
+
+- Update ingress-nginx v0.45.0
+
+### 3.26.0
+
+- [X] [#6979](https://github.com/kubernetes/ingress-nginx/pull/6979) Changed servicePort value for metrics
+
+### 3.25.0
+
+- [X] [#6957](https://github.com/kubernetes/ingress-nginx/pull/6957) Add ability to specify automountServiceAccountToken
+
+### 3.24.0
+
+- [X] [#6908](https://github.com/kubernetes/ingress-nginx/pull/6908) Add volumes to default-backend deployment
+
 ### 3.23.0
 
 - Update ingress-nginx v0.44.0

diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: ingress-nginx
 # When the version is modified, make sure the artifacthub.io/changes list is updated
 # Also update CHANGELOG.md
-version: 3.23.0
-appVersion: 0.44.0
+version: 3.27.0
+appVersion: 0.45.0
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
@@ -21,4 +21,4 @@ annotations:
   # List of changes for the release in artifacthub.io
   # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog
   artifacthub.io/changes: |
-    - Update ingress-nginx v0.44.0
+    - Update ingress-nginx v0.45.0
diff --git a/charts/ingress-nginx/templates/controller-serviceaccount.yaml b/charts/ingress-nginx/templates/controller-serviceaccount.yaml
@@ -6,4 +6,5 @@ metadata:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller
   name: {{ template "ingress-nginx.serviceAccountName" . }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml
@@ -88,6 +88,9 @@ spec:
             - name: http
               containerPort: {{ .Values.defaultBackend.port }}
               protocol: TCP
+        {{- if .Values.defaultBackend.extraVolumeMounts }}
+          volumeMounts: {{- toYaml .Values.defaultBackend.extraVolumeMounts | nindent 12 }}
+        {{- end }}
         {{- if .Values.defaultBackend.resources }}
           resources: {{ toYaml .Values.defaultBackend.resources | nindent 12 }}
         {{- end }}
@@ -102,4 +105,7 @@ spec:
       affinity: {{ toYaml .Values.defaultBackend.affinity | nindent 8 }}
     {{- end }}
       terminationGracePeriodSeconds: 60
+    {{- if .Values.defaultBackend.extraVolumes }}
+      volumes: {{ toYaml .Values.defaultBackend.extraVolumes | nindent 8 }}
+    {{- end }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml b/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml
@@ -6,4 +6,5 @@ metadata:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: default-backend
   name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
+automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }}
 {{- end }}
diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml
@@ -11,8 +11,8 @@ controller:
   name: controller
   image:
     repository: k8s.gcr.io/ingress-nginx/controller
-    tag: "v0.44.0"
-    digest: sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a
+    tag: "v0.45.0"
+    digest: sha256:c4390c53f348c3bd4e60a5dd6a11c35799ae78c49388090140b9d72ccede1755
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
@@ -515,7 +515,7 @@ controller:
 
       # loadBalancerIP: ""
       loadBalancerSourceRanges: []
-      servicePort: 9913
+      servicePort: 10254
       type: ClusterIP
       # externalTrafficPolicy: ""
       # nodePort: ""
@@ -614,6 +614,7 @@ defaultBackend:
   serviceAccount:
     create: true
     name: ""
+    automountServiceAccountToken: true
   ## Additional environment variables to set for defaultBackend pods
   extraEnvs: []
 
@@ -677,6 +678,16 @@ defaultBackend:
   #   cpu: 10m
   #   memory: 20Mi
 
+  extraVolumeMounts: []
+  ## Additional volumeMounts to the default backend container.
+  #  - name: copy-portal-skins
+  #   mountPath: /var/lib/lemonldap-ng/portal/skins
+
+  extraVolumes: []
+  ## Additional volumes to the default backend pod.
+  #  - name: copy-portal-skins
+  #    emptyDir: {}
+
   autoscaling:
     enabled: false
     minReplicas: 1
@@ -714,6 +725,7 @@ podSecurityPolicy:
 serviceAccount:
   create: true
   name: ""
+  automountServiceAccountToken: true
 
 ## Optional array of imagePullSecrets containing private registry credentials
 ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

diff --git a/cmd/nginx/flags.go b/cmd/nginx/flags.go
@@ -138,7 +138,7 @@ extension for this to succeed.`)
 			`Define the sync frequency upper limit`)
 
 		publishStatusAddress = flags.String("publish-status-address", "",
-			`Customized address to set as the load-balancer status of Ingress objects this controller satisfies.
+			`Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies.
 Requires the update-status parameter.`)
 
 		enableMetrics = flags.Bool("enable-metrics", true,
-Original file line number
+Diff line change
@@ Expand Up / @@ -7,6 +7,4 @@ aliases: @@
         - thockin
       ingress-nginx-admins:
         - bowei
-        - aledbf
       ingress-nginx-maintainers:
-        - aledbf
Original file line number	Diff line number	Diff line change
Expand Up		@@ -10,4 +10,3 @@
		# DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
		# INSTRUCTIONS AT https://kubernetes.io/security/

		aledbf