From b6c6f51d47ae9ecd20a71db727a2073b177a56f9 Mon Sep 17 00:00:00 2001 From: Rich Braun Date: Fri, 29 Aug 2025 15:29:24 -0700 Subject: [PATCH] SYS-661 bump ingress-nginx from 1.11.2 to 1.13.1 --- k8s/Makefile | 16 ++++------------ k8s/Makefile.versions | 4 ++-- k8s/install/ingress-nginx.yaml | 14 +++++++++++++- 3 files changed, 19 insertions(+), 15 deletions(-) diff --git a/k8s/Makefile b/k8s/Makefile index f0e83b4d..4ec58687 100644 --- a/k8s/Makefile +++ b/k8s/Makefile @@ -196,23 +196,15 @@ include Makefile.sops # cert-manager ########## +# Note - need both, to define the CRD and the ClusterIssuer resources +# make imports/cert-manager +# make install/cert-manager + imports/cert-manager.yaml: imports/cert-manager-$(VERSION_CERT_MANAGER).yaml ln -s $(notdir $<) $@ imports/cert-manager-$(VERSION_CERT_MANAGER).yaml: curl -sLo $@ https://github.com/jetstack/cert-manager/releases/download/v$(VERSION_CERT_MANAGER)/cert-manager.yaml -# TODO: remove this once it's clear the above works without helm -# When updating, do "helm delete --purge cert-manager" first -cert-manager-helm: helm_install - helm install stable/cert-manager \ - --name cert-manager --namespace cert-manager \ - --set ingressShim.defaultIssuerName=letsencrypt-prod \ - --set ingressShim.defaultIssuerKind=ClusterIssuer \ - --set webhook.enabled=false \ - --kube-context=sudo - kubectl label namespace cert-manager --context=sudo \ - certmanager.k8s.io/disable-validation=true - ########## # Add-ons ########## diff --git a/k8s/Makefile.versions b/k8s/Makefile.versions index aad170a7..76f974a7 100644 --- a/k8s/Makefile.versions +++ b/k8s/Makefile.versions 
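Review bot: The download recipe kept as context in the k8s/Makefile hunk, `curl -sLo $@ https://github.com/jetstack/cert-manager/releases/download/v$(VERSION_CERT_MANAGER)/cert-manager.yaml`, has neither `-f` nor an integrity check, and the VERSION_CERT_MANAGER bump in this same commit makes it fetch a new file. On an HTTP error curl still writes the response body to `$@`, so an error page can be left behind as the manifest that the install step presumably applies later. Using `curl -fsSLo $@ ...`, followed by a `sha256sum -c` against a checksum stored next to the version pin, would close that gap. Separately, `ln -s $(notdir $<) $@` will likely fail once the symlink from the previous version exists; `ln -sf` avoids that. The rules behind `make imports/cert-manager` and `make install/cert-manager` named in the new comment are outside this hunk.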
@@ -4,11 +4,11 @@ export VERSION_LOGSPOUT ?= v3.2.14 export VERSION_NGINX ?= 1.27.2-alpine # Third-party versions - other (quay.io, k8s.gcr.io, crunchydata.com) -export VERSION_CERT_MANAGER ?= 1.16.1 +export VERSION_CERT_MANAGER ?= 1.16.5 export VERSION_DEFAULTBACKEND ?= 1.5 export VERSION_FLANNEL ?= 0.26.1 export VERSION_HELM ?= 3.16.2 -export VERSION_INGRESS_NGINX ?= 1.11.2 +export VERSION_INGRESS_NGINX ?= 1.13.1 export VERSION_METRICS ?= 2.15.0 # Held back versions - more effort to upgrade diff --git a/k8s/install/ingress-nginx.yaml b/k8s/install/ingress-nginx.yaml index 352f75cd..7c846243 100644 --- a/k8s/install/ingress-nginx.yaml +++ b/k8s/install/ingress-nginx.yaml @@ -71,6 +71,7 @@ spec: fieldPath: metadata.namespace args: - /nginx-ingress-controller + - --configmap=$K8S_NAMESPACE/nginx-ingress-controller - --ingress-class=nginx - --election-id=ingress-controller-leader-external - --default-backend-service=$(POD_NAMESPACE)/default-http-backend @@ -241,7 +242,7 @@ rules: - "discovery.k8s.io" resources: - endpointslices - verbs: [get, list] + verbs: [get, list, watch] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -277,3 +278,14 @@ data: $PORT_DOVECOT_IMAPD: $K8S_NAMESPACE/dovecot:$PORT_DOVECOT_IMAPD $PORT_DOVECOT_IMAPS: $K8S_NAMESPACE/dovecot:$PORT_DOVECOT_IMAPS $PORT_DOVECOT_SMTP: $K8S_NAMESPACE/dovecot:$PORT_DOVECOT_SMTP +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: nginx-ingress-controller + namespace: $K8S_NAMESPACE +data: + # needed for some services that use config snippets, e.g. for + # adjusting fastcgi_buffers + annotations-risk-level: Critical + allowSnippetAnnotations: "true"
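Review bot: The added flag `--configmap=$K8S_NAMESPACE/nginx-ingress-controller` takes its namespace from render-time substitution, while the neighbouring `--default-backend-service=$(POD_NAMESPACE)/default-http-backend` takes it from the pod's own namespace at start-up. If the manifest is ever applied unrendered, or into a different namespace, the controller would look for its ConfigMap in the wrong place. For consistency I would write `- --configmap=$(POD_NAMESPACE)/nginx-ingress-controller`, assuming the env entry whose `fieldPath: metadata.namespace` is visible above is POD_NAMESPACE (its name line is outside the hunk).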
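Review bot: In the new ConfigMap, `allowSnippetAnnotations` looks like the Helm chart value name; the controller's ConfigMap option is spelled `allow-snippet-annotations`, so the setting is probably ignored and snippet annotations stay disabled by default. If snippets are really needed, the line should read `allow-snippet-annotations: "true"`. The comment should then also record the trade-off: combined with `annotations-risk-level: Critical`, it lets anyone who can create or edit an Ingress put raw nginx configuration into the shared controller. Write access to Ingress objects should be limited accordingly. If the fastcgi buffer values are the same for all services, setting them once in this ConfigMap (for example via `http-snippet`) would let annotation snippets stay off.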