NODE-4669: Merge tag 'helm-chart-4.2.3' into main

# Conflicts: # .github/workflows/ci.yaml # .github/workflows/depreview.yaml # charts/ingress-nginx/Chart.yaml
wallarm · Aug 31, 2022 · ef319fa · ef319fa
2 parents 64a9aa1 + ffcf13c
commit ef319fa
Show file tree

Hide file tree

Showing 133 changed files with 710 additions and 26,871 deletions.
diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml
@@ -0,0 +1,37 @@
+name: kubectl plugin
+
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - "cmd/plugin/**"
+    tags:
+      - "v*"
+
+jobs:
+  release-plugin:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v3.2.0
+        with:
+          go-version: 1.18
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@68acf3b1adf004ac9c2f0a4259e85c5f66e99bef # v3.0.0
+        with:
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Update new version in krew-index
+        uses: rajatjindal/krew-release-bot@92da038bbf995803124a8e50ebd438b2f37bbbb0 # v0.0.43
+        with:
+          krew_template_file: cmd/plugin/krew.yaml
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -57,6 +57,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@2ca79b6fa8d3ec278944088b4aa5f46912db5d63 # v2.1.14
+        uses: github/codeql-action/upload-sarif@7fee4ca032ac341c12486c4c06822c5221c76533 # v2.1.14
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml
@@ -0,0 +1,92 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Vulnerability Scan
+
+on:
+  workflow_dispatch:
+  release:
+  schedule:
+    - cron: '00 9 * * 1'
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  version:
+    runs-on: ubuntu-latest
+    outputs:
+      versions: ${{ steps.version.outputs.TAGS }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+        with:
+          fetch-depth: 0
+
+      - name: Latest Tag
+        id: version
+        shell: bash
+        run: |
+          readarray -t TAGS_ARRAY <<<"$(git tag --list 'controller-v*.*.*' --sort=-version:refname | grep -v 'beta\|alpha')"
+          FULL_TAGS=(${TAGS_ARRAY[0]} ${TAGS_ARRAY[1]} ${TAGS_ARRAY[2]})
+          SHORT_TAGS=()
+          for i in ${FULL_TAGS[@]}
+          do
+            echo "tag: $i"
+            short=$(echo "$i" | cut -d - -f 2)
+            SHORT_TAGS+=($short)
+          done
+          echo "${SHORT_TAGS[0]},${SHORT_TAGS[1]},${SHORT_TAGS[2]}"
+          TAGS_JSON="[\"${SHORT_TAGS[0]}\",\"${SHORT_TAGS[1]}\",\"${SHORT_TAGS[2]}\"]"
+          echo "${TAGS_JSON}"
+          echo "::set-output name=TAGS::${TAGS_JSON}"
+
+  scan:
+    runs-on: ubuntu-latest
+    needs:     version
+    strategy:
+      matrix:
+        versions: ${{ fromJSON(needs.version.outputs.versions) }}
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+
+    - shell: bash
+      id: test
+      run: echo "Scanning registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}"
+
+    - name: Scan image with AquaSec/Trivy
+      id: scan
+      uses: aquasecurity/trivy-action@d63413b0a4a4482237085319f7f4a1ce99a8f2ac #v0.5.1
+      with:
+        image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }}
+        format: 'sarif'
+        output: trivy-results-${{ matrix.versions }}.sarif
+        exit-code: 0
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
+
+    - name: Output Sarif File
+      shell: bash
+      run: cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
+
+    # This step checks out a copy of your repository.
+    - name: Upload SARIF file
+      uses: github/codeql-action/upload-sarif@7fee4ca032ac341c12486c4c06822c5221c76533
+      with:
+        token: ${{ github.token }}
+        # Path to SARIF file relative to the root of the repository
+        sarif_file: ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
+
+    - name: Vulz Count
+      shell: bash
+      run: |
+        TRIVY_COUNT=$(cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif | jq '.runs[0].results | length')
+        echo "TRIVY_COUNT: $TRIVY_COUNT"
+        echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY
+        echo "Image ID: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "Trivy Count: $TRIVY_COUNT" >> $GITHUB_STEP_SUMMARY
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -0,0 +1,29 @@
+project_name: ingress-nginx
+release:
+  github:
+    owner: kubernetes
+    name: ingress-nginx
+builds:
+  - id: ingress-nginx
+    goos:
+    - darwin
+    - linux
+    - windows
+    goarch:
+    - arm64
+    - amd64
+    env:
+    - CGO_ENABLED=0
+    - GO111MODULE=on
+    main: cmd/plugin/main.go
+    binary: kubectl-ingress-nginx
+    ldflags: |
+      -s -w
+      -X k8s.io/ingress-nginx/version.COMMIT={{ .Commit }}
+      -X k8s.io/ingress-nginx/version.RELEASE={{ .Tag }}
+archives:
+  - id: ingress-nginx
+    builds:
+    - ingress-nginx
+    name_template: "kubectl-{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
+    format: tar.gz
diff --git a/Makefile b/Makefile
@@ -127,18 +127,6 @@ build:  ## Build ingress controller, debug tool and pre-stop hook.
 		build/build.sh
 
 
-.PHONY: build-plugin
-build-plugin:  ## Build ingress-nginx krew plugin.
-	@build/run-in-docker.sh \
-		PKG=$(PKG) \
-		MAC_OS=$(MAC_OS) \
-		ARCH=$(ARCH) \
-		COMMIT_SHA=$(COMMIT_SHA) \
-		REPO_INFO=$(REPO_INFO) \
-		TAG=$(TAG) \
-		build/build-plugin.sh
-
-
 .PHONY: clean
 clean: ## Remove .gocache directory.
 	rm -rf bin/ .gocache/ .cache/

diff --git a/NGINX_BASE b/NGINX_BASE
@@ -1 +1 @@
-registry.k8s.io/ingress-nginx/nginx:f0490cbfbf29a7a05caaac29998dde56173ac2bb@sha256:f0d8d32a20f8c1a7c98b504a03b162931d93edd60ecc2c745917a32e9e3e92ad
+registry.k8s.io/ingress-nginx/nginx:9fdbef829c327b95a3c6d6816a301df41bda997f@sha256:46c27294e467f46d0006ad1eb5fd3f7005eb3cbd00dd43be2ed9b02edfc6e828
diff --git a/build/build-plugin.sh b/build/build-plugin.sh
diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: wallarm-ingress
-version: 4.2.0
+version: 4.2.1
 appVersion: 4.2.0-1
 home: https://github.com/wallarm/ingress
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer with Wallarm module

diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
@@ -2,7 +2,7 @@
 
 [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
 
-![Version: 4.2.1](https://img.shields.io/badge/Version-4.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square)
+![Version: 4.2.3](https://img.shields.io/badge/Version-4.2.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.3.0](https://img.shields.io/badge/AppVersion-1.3.0-informational?style=flat-square)
 
 To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
 
@@ -249,9 +249,9 @@ Kubernetes: `>=1.20.0-0`
 | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` |  |
 | controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks |
 | controller.admissionWebhooks.namespaceSelector | object | `{}` |  |
+| controller.admissionWebhooks.networkPolicyEnabled | bool | `false` |  |
 | controller.admissionWebhooks.objectSelector | object | `{}` |  |
 | controller.admissionWebhooks.patch.enabled | bool | `true` |  |
-| controller.admissionWebhooks.patch.fsGroup | int | `2000` |  |
 | controller.admissionWebhooks.patch.image.digest | string | `"sha256:549e71a6ca248c5abd51cdb73dbc3083df62cf92ed5e6147c780e30f7e007a47"` |  |
 | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` |  |
 | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` |  |
@@ -261,7 +261,9 @@ Kubernetes: `>=1.20.0-0`
 | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | controller.admissionWebhooks.patch.podAnnotations | object | `{}` |  |
 | controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job |
-| controller.admissionWebhooks.patch.runAsUser | int | `2000` |  |
+| controller.admissionWebhooks.patch.securityContext.fsGroup | int | `2000` |  |
+| controller.admissionWebhooks.patch.securityContext.runAsNonRoot | bool | `true` |  |
+| controller.admissionWebhooks.patch.securityContext.runAsUser | int | `2000` |  |
 | controller.admissionWebhooks.patch.tolerations | list | `[]` |  |
 | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` |  |
 | controller.admissionWebhooks.port | int | `8443` |  |

diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -72,8 +72,8 @@ spec:
     {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
       tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
     {{- end }}
+      {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
       securityContext:
-        runAsNonRoot: true
-        runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
-        fsGroup: {{ .Values.controller.admissionWebhooks.patch.fsGroup }}
+        {{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
+      {{- end }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -74,8 +74,8 @@ spec:
     {{- if .Values.controller.admissionWebhooks.patch.tolerations }}
       tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
     {{- end }}
+      {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
       securityContext:
-        runAsNonRoot: true
-        runAsUser: {{ .Values.controller.admissionWebhooks.patch.runAsUser }}
-        fsGroup: {{ .Values.controller.admissionWebhooks.patch.fsGroup }}
+        {{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
+      {{- end }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -114,7 +114,7 @@ spec:
               {{- end }}
           {{- end }}
           {{- if .Values.controller.metrics.enabled }}
-            - name: metrics
+            - name: http-metrics
               containerPort: {{ .Values.controller.metrics.port }}
               protocol: TCP
           {{- end }}

diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -118,7 +118,7 @@ spec:
               {{- end }}
           {{- end }}
           {{- if .Values.controller.metrics.enabled }}
-            - name: metrics
+            - name: http-metrics
               containerPort: {{ .Values.controller.metrics.port }}
               protocol: TCP
           {{- end }}

diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml
@@ -58,6 +58,11 @@ rules:
       - get
       - list
       - watch
+  # TODO(Jintao Zhang)
+  # Once we release a new version of the controller,
+  # we will be able to remove the configmap related permissions
+  # We have used the Lease API for selection
+  # ref: https://github.com/kubernetes/ingress-nginx/pull/8921
   - apiGroups:
       - ""
     resources:

diff --git a/charts/ingress-nginx/templates/controller-service-metrics.yaml b/charts/ingress-nginx/templates/controller-service-metrics.yaml
@@ -31,10 +31,10 @@ spec:
   externalTrafficPolicy: {{ .Values.controller.metrics.service.externalTrafficPolicy }}
 {{- end }}
   ports:
-    - name: metrics
+    - name: http-metrics
       port: {{ .Values.controller.metrics.service.servicePort }}
       protocol: TCP
-      targetPort: metrics
+      targetPort: http-metrics
     {{- $setNodePorts := (or (eq .Values.controller.metrics.service.type "NodePort") (eq .Values.controller.metrics.service.type "LoadBalancer")) }}
     {{- if (and $setNodePorts (not (empty .Values.controller.metrics.service.nodePort))) }}
       nodePort: {{ .Values.controller.metrics.service.nodePort }}

diff --git a/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/charts/ingress-nginx/templates/controller-servicemonitor.yaml
@@ -14,7 +14,7 @@ metadata:
   {{- end }}
 spec:
   endpoints:
-    - port: metrics
+    - port: http-metrics
       interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }}
     {{- if .Values.controller.metrics.serviceMonitor.honorLabels }}
       honorLabels: true