From 232dc08a975d7859f47f883e6fade3d006a8cf62 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 19 Sep 2025 14:49:26 +0100 Subject: [PATCH 1/8] Update the openid-connect.js to current latest version --- internal/configs/oidc/openid_connect.js | 357 +++++++++++++++++------- 1 file changed, 255 insertions(+), 102 deletions(-) diff --git a/internal/configs/oidc/openid_connect.js b/internal/configs/oidc/openid_connect.js index cc819a203b..ed0d734d07 100644 --- a/internal/configs/oidc/openid_connect.js +++ b/internal/configs/oidc/openid_connect.js @@ -1,14 +1,15 @@ /* * JavaScript functions for providing OpenID Connect with NGINX Plus * - * Copyright (C) 2024 Nginx, Inc. + * Copyright (C) 2025 Nginx, Inc. */ export default { auth, codeExchange, extractTokenClaims, - logout + logout, + handleFrontChannelLogout }; // The main authentication flow, called before serving a protected resource. @@ -32,17 +33,20 @@ async function auth(r, afterSyncCheck) { } // Validate refreshed ID token - const claims = await validateIdToken(r, tokenset.id_token); - if (!claims) { + let claims; + try { + claims = await validateIdToken(r, tokenset.id_token); + } catch (e) { // If validation failed, reset and reinitiate auth r.variables.refresh_token = "-"; - r.return(302, r.variables.request_uri); + r.headersOut["Location"] = r.variables.request_uri; + oidcError(r, 302, getRefId(r, "auth.validate"), e); return; } // Determine session ID and store session data const sessionId = getSessionId(r, false); - storeSessionData(r, tokenset, false); + storeSessionData(r, sessionId, claims, tokenset, true); r.log("OIDC success, refreshing session " + sessionId); 
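Review bot: In the refresh path of `auth`, the call `storeSessionData(r, sessionId, claims, tokenset, true)` now passes `true` for `isNewSession` where the removed line passed `false`, although the session id is still obtained with `getSessionId(r, false)` and the log line says "refreshing session". As far as the later hunk shows, storeSessionData writes `$new_session` and `$new_access_token` when that flag is set, and oidc_common.conf keys those by `$request_id` rather than `$cookie_auth_token`, so refreshed tokens may land under a key that later cookie-bearing requests do not read. If this is intended, put a comment on the call explaining why; otherwise keep `storeSessionData(r, sessionId, claims, tokenset, false);`. The else branch of storeSessionData and the rest of `auth` lie outside the visible hunks, so this should be checked against the full file.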
@@ -50,17 +54,20 @@ async function auth(r, afterSyncCheck) { retryOriginalRequest(r); } -// The code exchange handler, called after IdP redirects back with a authorization code. +// The code exchange handler, called after IdP redirects back with an authorization code. async function codeExchange(r) { // Check authorization code presence - if (!r.variables.arg_code || r.variables.arg_code.length == 0) { + if (!r.variables.arg_code || r.variables.arg_code.length === 0) { + const ref = getRefId(r, "codeExchange.code"); if (r.variables.arg_error) { - r.error("OIDC error receiving authorization code: " + - r.variables.arg_error_description); + oidcError(r, 502, ref, + new Error(`OIDC error receiving authorization code: ` + + `${r.variables.arg_error_description || r.variables.arg_error}`)); } else { - r.error("OIDC expected authorization code but received: " + r.uri); + oidcError(r, 502, ref, + new Error(`OIDC expected authorization code but received: ` + + `${r.variables.request_uri}`)); } - r.return(502); return; } @@ -71,15 +78,17 @@ async function codeExchange(r) { } // Validate ID token - const claims = await validateIdToken(r, tokenset.id_token); - if (!claims) { - r.return(500); + let claims; + try { + claims = await validateIdToken(r, tokenset.id_token); + } catch (e) { + oidcError(r, 500, getRefId(r, "codeExchange.validate"), e); return; } // Determine session ID and store session data for a new session const sessionId = getSessionId(r, true); - storeSessionData(r, tokenset, true); + storeSessionData(r, sessionId, claims, tokenset, true); r.log("OIDC success, creating session " + sessionId); 
@@ -90,20 +99,18 @@ async function codeExchange(r) { // Extracts claims from token by calling the internal endpoint. function getTokenClaims(r, token) { - return new Promise((resolve) => { + return new Promise((resolve, reject) => { r.subrequest('/_token_validation', 'token=' + token, function(reply) { if (reply.status !== 200) { - r.error("Failed to retrieve claims: HTTP " + reply.status); - resolve(null); + reject(new Error(`Failed to retrieve claims: HTTP ${reply.status}`)); return; } try { const claims = JSON.parse(reply.responseText); resolve(claims); } catch (e) { - r.error("Failed to parse claims: " + e); - resolve(null); + reject(new Error(`Failed to parse claims: ${e}`)); } } ); @@ -113,14 +120,7 @@ function getTokenClaims(r, token) { // Extracts and validates claims from the ID Token. async function validateIdToken(r, idToken) { const claims = await getTokenClaims(r, idToken); - if (!claims) { - return null; - } - - if (!validateIdTokenClaims(r, claims)) { - return null; - } - + validateIdTokenClaims(r, claims); return claims; } 
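Review bot: The one-line comments above getTokenClaims and validateIdToken do not mention that both now signal failure by rejecting instead of resolving with `null`, so any caller not converted to try/catch gets an unhandled rejection instead of a falsy result. Proposed comment for validateIdToken: `// Resolves with the claims; rejects with an Error if retrieval or any claim check fails. Callers must catch.` The same sentence, minus the claim checks, fits getTokenClaims. The function whose tail opens this hunk begins outside it.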
@@ -130,50 +130,55 @@ function validateIdTokenClaims(r, claims) { const missingClaims = requiredClaims.filter((claim) => !claims[claim]); if (missingClaims.length > 0) { - r.error(`OIDC ID Token validation error: missing claim(s) ${missingClaims.join(' ')}`); - return false; + throw new Error( + `OIDC ID Token validation error: missing claim(s) ${missingClaims.join(' ')}` + ); } // Check 'iat' validity const iat = Math.floor(Number(claims.iat)); if (String(iat) !== claims.iat || iat < 1) { - r.error("OIDC ID Token validation error: iat claim is not a valid number"); - return false; + throw new Error("OIDC ID Token validation error: iat claim is not a valid number"); } // Audience must include the configured client const aud = Array.isArray(claims.aud) ? claims.aud : claims.aud.split(','); if (!aud.includes(r.variables.oidc_client)) { - r.error(`OIDC ID Token validation error: aud claim (${claims.aud}) ` + - `does not include $oidc_client (${r.variables.oidc_client})`); - return false; + throw new Error( + `OIDC ID Token validation error: aud claim (${claims.aud}) ` + + `does not include $oidc_client (${r.variables.oidc_client})` + ); } // Nonce validation for initial authentication if (claims.nonce) { const clientNonceHash = r.variables.cookie_auth_nonce ? 
require('crypto') - .createHmac('sha256', r.variables.oidc_hmac_key) - .update(r.variables.cookie_auth_nonce) - .digest('base64url') + .createHmac('sha256', r.variables.oidc_hmac_key) + .update(r.variables.cookie_auth_nonce) + .digest('base64url') : ''; if (claims.nonce !== clientNonceHash) { - r.error(`OIDC ID Token validation error: nonce from token (${claims.nonce}) ` + - `does not match client (${clientNonceHash})`); - return false; + throw new Error( + `OIDC ID Token validation error: nonce from token (${claims.nonce}) ` + + `does not match client (${clientNonceHash})` + ); } } else if (isNewSession(r)) { - r.error("OIDC ID Token validation error: " + - "missing nonce claim during initial authentication."); - return false; + throw new Error( + "OIDC ID Token validation error: missing nonce claim during initial authentication." + ); } - - return true; } // Store session data in the key-val store -function storeSessionData(r, tokenset, isNewSession) { +function storeSessionData(r, sessionId, claims, tokenset, isNewSession) { + if (claims.sid) { + r.variables.idp_sid = claims.sid; + r.variables.client_sid = sessionId; + } + if (isNewSession) { r.variables.new_session = tokenset.id_token; r.variables.new_access_token = tokenset.access_token || ""; @@ -190,7 +195,7 @@ function storeSessionData(r, tokenset, isNewSession) { // Extracts claims from the validated ID Token (used by /_token_validation) function extractTokenClaims(r) { const claims = {}; - const claimNames = ["sub", "iss", "iat", "nonce"]; + const claimNames = ["sub", "iss", "iat", "nonce", "sid"]; claimNames.forEach((name) => { const value = r.variables["jwt_claim_" + name]; 
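Review bot: The nonce-mismatch branch of validateIdTokenClaims now throws an Error whose message contains both `claims.nonce` and the locally computed `clientNonceHash`, and the oidcError helper added later in this patch copies error messages into `$internal_error_message` when `$oidc_debug` is set. That hash is an HMAC under `$oidc_hmac_key` of a cookie the client supplies, so if the variable is rendered in an error response (not visible in this patch) a keyed value leaves the server. Keep the values out of the thrown message, e.g. `throw new Error("OIDC ID Token validation error: nonce from token does not match client");`, and log the detail separately if it is needed for troubleshooting. validateIdTokenClaims begins above this hunk.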
@@ -216,41 +221,70 @@ function isNewSession(r) { // Exchange authorization code for tokens using the internal /_token endpoint async function exchangeCodeForTokens(r) { + let params; + try { + params = generateTokenRequestParams(r, "authorization_code"); + } catch (e) { + oidcError(r, 500, getRefId(r, "token.params"), e); + return null; + } const reply = await new Promise((resolve) => { - r.subrequest("/_token", generateTokenRequestParams(r, "authorization_code"), resolve); + r.subrequest("/_token", params, resolve); }); + const ref = getRefId(r, "token.exchange"); + if (reply.status === 504) { - r.error("OIDC timeout connecting to IdP during code exchange"); - r.return(504); + oidcError(r, 504, ref, new Error("OIDC timeout connecting to IdP during code exchange")); return null; } if (reply.status !== 200) { - handleTokenError(r, reply); - r.return(502); + let message; + try { + const errorset = JSON.parse(reply.responseText); + if (errorset.error) { + message = `OIDC error from IdP during token exchange: ${errorset.error}, ` + + `${errorset.error_description || ""}`; + } else { + message = `OIDC unexpected response from IdP (HTTP ${reply.status}). ` + + `${reply.responseText}`; + } + } catch (_e) { + message = `OIDC unexpected response from IdP (HTTP ${reply.status}). 
` + + `${reply.responseText}`; + } + oidcError(r, 502, ref, new Error(message)); return null; } try { const tokenset = JSON.parse(reply.responseText); if (tokenset.error) { - r.error("OIDC " + tokenset.error + " " + tokenset.error_description); - r.return(500); + oidcError(r, 500, ref, + new Error(`OIDC token response error: ${tokenset.error}` + + ` ${tokenset.error_description}`) + ); return null; } return tokenset; - } catch (e) { - r.error("OIDC token response not JSON: " + reply.responseText); - r.return(502); + } catch (_e) { + oidcError(r, 502, ref, new Error(`OIDC token response not JSON: ${reply.responseText}`)); return null; } } // Refresh tokens using the internal /_refresh endpoint async function refreshTokens(r) { + let params; + try { + params = generateTokenRequestParams(r, "refresh_token"); + } catch (e) { + oidcError(r, 500, getRefId(r, "refresh.params"), e); + return null; + } const reply = await new Promise((resolve) => { - r.subrequest("/_refresh", generateTokenRequestParams(r, "refresh_token"), resolve); + r.subrequest("/_refresh", params, resolve); }); if (reply.status !== 200) { 
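Review bot: The 200-status error branch of exchangeCodeForTokens interpolates `tokenset.error_description` with no fallback, so a response carrying only `error` is logged with a literal "undefined". The non-200 branch just above already guards this, and the same form fits here: `${tokenset.error_description || ""}`. Both branches also put IdP-supplied text (`reply.responseText`, `error_description`) into the Error that oidcError may copy into `$internal_error_message` under `$oidc_debug`, so truncating that text before it reaches a potentially client-visible variable is worth considering. The refreshTokens body continues past the end of this hunk.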
@@ -261,32 +295,43 @@ async function refreshTokens(r) { try { const tokenset = JSON.parse(reply.responseText); if (!tokenset.id_token) { - r.error("OIDC refresh response did not include id_token"); - if (tokenset.error) { - r.error("OIDC " + tokenset.error + " " + tokenset.error_description); - } + r.log("OIDC refresh response did not include id_token" + + (tokenset.error ? ("; " + tokenset.error + " " + tokenset.error_description) : "")); return null; } return tokenset; - } catch (e) { + } catch (_e) { r.variables.refresh_token = "-"; - r.return(302, r.variables.request_uri); + r.headersOut["Location"] = r.variables.request_uri; + oidcError(r, 302, getRefId(r, "refresh.parse"), new Error("OIDC refresh response not JSON")); return null; } } // Logout handler function logout(r) { - r.log("RP-Initiated Logout for " + (r.variables.cookie_auth_token || "unknown")); + r.log("OIDC RP-Initiated Logout for " + (r.variables.cookie_auth_token || "unknown")); function getLogoutRedirectUrl(base, redirect) { return redirect.match(/^(http|https):\/\//) ? redirect : base + redirect; } var logoutRedirectUrl = getLogoutRedirectUrl(r.variables.redirect_base, - r.variables.oidc_logout_redirect); + r.variables.oidc_logout_redirect); + + async function performLogout(redirectUrl, idToken) { + // Clean up $idp_sid -> $client_sid mapping + if (idToken && idToken !== '-') { + try { + const claims = await getTokenClaims(r, idToken); + if (claims.sid) { + r.variables.idp_sid = claims.sid; + r.variables.client_sid = '-'; + } + } catch (_e) { + } + } - function performLogout(redirectUrl) { r.variables.session_jwt = '-'; r.variables.access_token = '-'; r.variables.refresh_token = '-'; 
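Review bot: The new `catch (_e) { }` in performLogout discards every getTokenClaims failure, so when claim retrieval fails the `$idp_sid` to `$client_sid` entry is left in place with nothing in the log. The stale mapping then stays until the key-value zone times out; at minimum record the failure, e.g. `} catch (e) { r.log("OIDC logout: could not clear sid mapping: " + e.message); }`. performLogout is also now `async`, while its callers in logout (next hunk) neither await nor catch it, so an exception thrown after the try block becomes an unhandled rejection. The body of performLogout continues beyond this hunk.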
@@ -304,13 +349,87 @@ function logout(r) { } var logoutArgs = "?post_logout_redirect_uri=" + encodeURIComponent(logoutRedirectUrl) + - "&id_token_hint=" + encodeURIComponent(r.variables.session_jwt); - performLogout(r.variables.oidc_end_session_endpoint + logoutArgs); + "&id_token_hint=" + encodeURIComponent(r.variables.session_jwt); + performLogout(r.variables.oidc_end_session_endpoint + logoutArgs, r.variables.session_jwt); } else { - performLogout(logoutRedirectUrl); + performLogout(logoutRedirectUrl, r.variables.session_jwt); } } +/** + * Handles Front-Channel Logout as per OpenID Connect Front-Channel Logout 1.0 spec. + * @see https://openid.net/specs/openid-connect-frontchannel-1_0.html + */ +async function handleFrontChannelLogout(r) { + const sid = r.args.sid; + const requestIss = r.args.iss; + + // Validate input parameters + if (!sid) { + oidcError(r, 400, getRefId(r, "frontchannel.missingSid"), + new Error("Missing sid parameter in front-channel logout request")); + return; + } + + if (!requestIss) { + oidcError(r, 400, getRefId(r, "frontchannel.missingIss"), + new Error("Missing iss parameter in front-channel logout request")); + return; + } + + r.log("OIDC Front-Channel Logout initiated for sid: " + sid); + + // Define idp_sid as a key to get the client_sid from the key-value store + r.variables.idp_sid = sid; + + const clientSid = r.variables.client_sid; + if (!clientSid || clientSid === '-') { + r.log("No client session found for sid: " + sid); + r.return(200, "Logout successful"); + return; + } + + /* TODO: Since we cannot use the cookie_auth_token var as a key (it does not exist if cookies + are absent), we use the request_id as a workaround. 
*/ + r.variables.request_id = clientSid; + var sessionJwt = r.variables.new_session; + + if (!sessionJwt || sessionJwt === '-') { + r.log("No associated ID token found for client session: " + clientSid); + cleanSessionData(r); + r.return(200, "Logout successful"); + return; + } + + let claims; + try { + claims = await getTokenClaims(r, sessionJwt); + } catch (e) { + oidcError(r, 400, getRefId(r, "frontchannel.claims"), e); + return; + } + + if (claims.iss !== requestIss) { + oidcError(r, 400, getRefId(r, "frontchannel.issMismatch"), + new Error(`Issuer mismatch during logout. ` + + `Received iss: ${requestIss}, expected: ${claims.iss}`)); + return; + } + + // idp_sid needs to be updated after subrequest + r.variables.idp_sid = sid; + cleanSessionData(r); + + r.return(200, "Logout successful"); +} + +function cleanSessionData(r) { + r.variables.new_session = '-'; + r.variables.new_access_token = '-'; + r.variables.new_refresh = '-'; + r.variables.client_sid = '-'; +} + // Initiate a new authentication flow by redirecting to the IdP's authorization endpoint function initiateNewAuth(r) { const oidcConfigurables = ["authz_endpoint", "scopes", "hmac_key", "cookie_flags"]; @@ -319,8 +438,10 @@ function initiateNewAuth(r) { ); if (missingConfig.length) { - r.error("OIDC missing configuration variables: $oidc_" + missingConfig.join(" $oidc_")); - r.return(500, r.variables.internal_error_message); + oidcError(r, 500, getRefId(r, "init.missingConfig"), + new Error(`OIDC missing configuration variables: $oidc_` + + `${missingConfig.join(" $oidc_")}`) + ); return; } 
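Review bot: In handleFrontChannelLogout, every `getRefId` call after `r.variables.request_id = clientSid` derives its reference id from the client session id rather than the request id, because getRefId takes the first eight characters of `$request_id`. If that assignment takes effect, the `frontchannel.claims` and `frontchannel.issMismatch` errors write a prefix of a session identifier to the error log, and into `$internal_error_message` when `$oidc_debug` is on. Compute the reference before the overwrite, e.g. `const refBase = getRefId(r);` at the top of the function, and pass `refBase + ":frontchannel.claims"` later. Separately, `sid` and `iss` come from `r.args` on an unauthenticated request, and `sid` is logged and used as a key-value key as received; njs can return an array for a repeated argument, so a guard such as `if (typeof sid !== "string" || typeof requestIss !== "string")` plus a length bound before use would be a sensible addition.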
@@ -336,9 +457,9 @@ function getAuthZArgs(r) { var nonceHash = h.digest('base64url'); var authZArgs = "?response_type=code&scope=" + r.variables.oidc_scopes + - "&client_id=" + r.variables.oidc_client + - "&redirect_uri=" + r.variables.redirect_base + r.variables.redir_location + - "&nonce=" + nonceHash; + "&client_id=" + r.variables.oidc_client + + "&redirect_uri=" + r.variables.redirect_base + r.variables.redir_location + + "&nonce=" + nonceHash; if (r.variables.oidc_authz_extra_args) { authZArgs += "&" + r.variables.oidc_authz_extra_args; @@ -360,7 +481,7 @@ function getAuthZArgs(r) { r.variables.pkce_code_verifier = pkce_code_verifier; authZArgs += "&code_challenge_method=S256&code_challenge=" + - pkce_code_challenge + "&state=" + r.variables.pkce_id; + pkce_code_challenge + "&state=" + r.variables.pkce_id; } else { authZArgs += "&state=0"; } @@ -375,7 +496,7 @@ function generateTokenRequestParams(r, grant_type) { switch(grant_type) { case "authorization_code": body += "&code=" + r.variables.arg_code + - "&redirect_uri=" + r.variables.redirect_base + r.variables.redir_location; + "&redirect_uri=" + r.variables.redirect_base + r.variables.redir_location; if (r.variables.oidc_pkce_enable == 1) { r.variables.pkce_id = r.variables.arg_state; body += "&code_verifier=" + r.variables.pkce_code_verifier; @@ -385,8 +506,7 @@ function generateTokenRequestParams(r, grant_type) { body += "&refresh_token=" + r.variables.refresh_token; break; default: - r.error("Unsupported grant type: " + grant_type); - return; + throw new Error("Unsupported grant type: " + grant_type); } var options = { 
@@ -397,7 +517,7 @@ function generateTokenRequestParams(r, grant_type) { if (r.variables.oidc_pkce_enable != 1) { if (r.variables.oidc_client_auth_method === "client_secret_basic") { let auth_basic = "Basic " + Buffer.from(r.variables.oidc_client + ":" + - r.variables.oidc_client_secret).toString('base64'); + r.variables.oidc_client_secret).toString('base64'); options.args = "secret_basic=" + auth_basic; } else { options.body += "&client_secret=" + r.variables.oidc_client_secret; @@ -407,40 +527,27 @@ function generateTokenRequestParams(r, grant_type) { return options; } -function handleTokenError(r, reply) { - try { - const errorset = JSON.parse(reply.responseText); - if (errorset.error) { - r.error("OIDC error from IdP during token exchange: " + - errorset.error + ", " + errorset.error_description); - } else { - r.error("OIDC unexpected response from IdP (HTTP " + - reply.status + "). " + reply.responseText); - } - } catch (e) { - r.error("OIDC unexpected response from IdP (HTTP " + reply.status + "). " + - reply.responseText); - } -} - - +// Handle refresh error: log + reset refresh + redirect 302 to original request function handleRefreshError(r, reply) { + const ref = getRefId(r, "refresh.error"); let errorLog = "OIDC refresh failure"; + if (reply.status === 504) { errorLog += ", timeout waiting for IdP"; } else if (reply.status === 400) { try { const errorset = JSON.parse(reply.responseText); errorLog += ": " + errorset.error + " " + errorset.error_description; - } catch (e) { + } catch (_e) { errorLog += ": " + reply.responseText; } } else { errorLog += " " + reply.status; } - r.error(errorLog); + r.variables.refresh_token = "-"; - r.return(302, r.variables.request_uri); + r.headersOut["Location"] = r.variables.request_uri; + oidcError(r, 302, ref, new Error(errorLog)); } /* If the ID token has not been synced yet, poll the variable every 100ms until 
@@ -459,3 +566,49 @@ function retryOriginalRequest(r) { delete r.headersOut["WWW-Authenticate"]; r.internalRedirect(r.variables.uri + r.variables.is_args + (r.variables.args || '')); } + +function oidcError(r, http_code, refId, e) { + const hasDebug = !!r.variables.oidc_debug; + const msg = (e && e.message) ? String(e.message) : (e ? String(e) : "Unexpected Error"); + const stack = (hasDebug && e && e.stack) ? String(e.stack) : ""; + + const clientIp = r.remoteAddress || "-"; + const host = r.headersIn.host || r.variables.host || "-"; + const requestLine = `${r.method} ${r.uri} HTTP/${r.httpVersion}`; + + if (r.variables.oidc_log_format === "json") { + const errorObj = { + refId: refId, + message: msg, + clientIp: clientIp, + host: host, + method: r.method, + uri: r.uri, + httpVersion: r.httpVersion + }; + if (stack) { + errorObj.stack = stack; + } + r.error(JSON.stringify(errorObj)); + } else { + let logEntry = `OIDC Error: ReferenceID: ${refId} ${msg}; ` + + `client: ${clientIp}, host: ${host}, request: "${requestLine}"`; + if (stack) { + logEntry += `\n${stack}`; + } + r.error(logEntry); + } + + if (hasDebug) { + r.variables.internal_error_message = stack + ? `ReferenceID: ${refId} ${msg}\n${stack}` + : `ReferenceID: ${refId} ${msg}`; + } + + r.return(http_code); +} + +function getRefId(r, context) { + const base = (r.variables.request_id).substring(0, 8); + return context ? `${base}:${context}` : base; +} From d6a2cc2c3836c7d3284c1967f22410db0ac0af41 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 26 Sep 2025 16:17:56 +0100 Subject: [PATCH 2/8] Update pytest keycloak from 25.0.2 to 26.3 --- tests/data/common/app/keycloak/app.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/data/common/app/keycloak/app.yaml b/tests/data/common/app/keycloak/app.yaml index 727ef3e9d9..56f0efbeb2 100644 --- a/tests/data/common/app/keycloak/app.yaml +++ b/tests/data/common/app/keycloak/app.yaml 
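Review bot: `const hasDebug = !!r.variables.oidc_debug;` in oidcError treats any non-empty string as enabled, so a configuration value such as "0" or "off" would still add stack traces to the log and copy the message and stack into `$internal_error_message`. Those messages can carry request-supplied text (`arg_error_description`, `request_uri`) and IdP response bodies, so the switch should fail closed with an explicit comparison, e.g. `const hasDebug = r.variables.oidc_debug === "1";` (or whichever value the configuration documents). getRefId also calls `.substring` on `r.variables.request_id` unguarded, so an unset variable makes the error handler itself throw; `String(r.variables.request_id || "-").substring(0, 8)` avoids that.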
@@ -30,7 +30,7 @@ spec: spec: containers: - name: keycloak - image: quay.io/keycloak/keycloak:25.0.2 + image: quay.io/keycloak/keycloak:26.3 args: ["start-dev"] env: - name: KEYCLOAK_ADMIN From 85a6cc68f7ce4c2a084eed4fb69c91a8a09f7d29 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 26 Sep 2025 16:18:28 +0100 Subject: [PATCH 3/8] Remove unused variable from test_oidc.py --- tests/suite/test_oidc.py | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/suite/test_oidc.py b/tests/suite/test_oidc.py index da4f55d7f2..b6aad44954 100644 --- a/tests/suite/test_oidc.py +++ b/tests/suite/test_oidc.py @@ -27,7 +27,6 @@ username = "nginx-user-" + secrets.token_hex(4) password = secrets.token_hex(8) -keycloak_src = f"{TEST_DATA}/oidc/keycloak.yaml" keycloak_vs_src = f"{TEST_DATA}/oidc/virtual-server-idp.yaml" oidc_secret_src = f"{TEST_DATA}/oidc/client-secret.yaml" oidc_pol_src = f"{TEST_DATA}/oidc/oidc.yaml" From 566777fff093002406f14ae1cacf8efbd43b9cdf Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 26 Sep 2025 16:19:08 +0100 Subject: [PATCH 4/8] Add front channel logout configs to oidc conf --- internal/configs/oidc/oidc.conf | 8 ++++++++ internal/configs/oidc/oidc_common.conf | 2 ++ 2 files changed, 10 insertions(+) diff --git a/internal/configs/oidc/oidc.conf b/internal/configs/oidc/oidc.conf index 700d3d38cb..67e1a84f2f 100644 --- a/internal/configs/oidc/oidc.conf +++ b/internal/configs/oidc/oidc.conf @@ -1,6 +1,7 @@ # Advanced configuration START set $internal_error_message "NGINX / OpenID Connect login failure\n"; set $pkce_id ""; + set $idp_sid ""; # resolver 8.8.8.8; # For DNS lookup of IdP endpoints; subrequest_output_buffer_size 32k; # To fit a complete tokenset response gunzip on; # Decompress IdP responses if necessary 
@@ -79,6 +80,13 @@ js_content oidc.logout; } + location = /front_channel_logout { + status_zone "OIDC logout"; + add_header Cache-Control "no-store"; + default_type text/plain; + js_content oidc.handleFrontChannelLogout; + } + location = /_logout { # This location is the default value of $oidc_logout_redirect (in case it wasn't configured) default_type text/plain; diff --git a/internal/configs/oidc/oidc_common.conf b/internal/configs/oidc/oidc_common.conf index 30d5d37a5d..a7c2a2984a 100644 --- a/internal/configs/oidc/oidc_common.conf +++ b/internal/configs/oidc/oidc_common.conf @@ -20,6 +20,7 @@ proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:64k max_size=1m; keyval_zone zone=oidc_id_tokens:1M timeout=1h sync; keyval_zone zone=oidc_access_tokens:1M timeout=1h sync; keyval_zone zone=refresh_tokens:1M timeout=8h sync; +keyval_zone zone=oidc_sids:1M timeout=8h sync; keyval $cookie_auth_token $session_jwt zone=oidc_id_tokens; # Exchange cookie for ID token(JWT) keyval $cookie_auth_token $access_token zone=oidc_access_tokens; # Exchange cookie for access token @@ -27,6 +28,7 @@ keyval $cookie_auth_token $refresh_token zone=refresh_tokens; # Exchange coo keyval $request_id $new_session zone=oidc_id_tokens; # For initial session creation keyval $request_id $new_access_token zone=oidc_access_tokens; keyval $request_id $new_refresh zone=refresh_tokens; # '' +keyval $idp_sid $client_sid zone=oidc_sids; auth_jwt_claim_set $jwt_audience aud; # In case aud is an array js_import oidc from oidc/openid_connect.js; From a382df0f5019588e6b80ba5344ba99e2c6867668 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Tue, 30 Sep 2025 17:23:13 +0100 Subject: [PATCH 5/8] Move the idp sid keyval into virtualserver template --- internal/configs/oidc/oidc_common.conf | 1 - internal/configs/version2/nginx-plus.virtualserver.tmpl | 8 ++++++-- 2 files changed, 6 insertions(+), 3 deletions(-) 
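Review bot: The `add_header Cache-Control "no-store";` line in the new `/front_channel_logout` location is applied by nginx only to its fixed set of success and redirect status codes. handleFrontChannelLogout answers 400 on a missing `sid` or `iss` and on an issuer mismatch, so those responses go out without the header. Add the `always` parameter: `add_header Cache-Control "no-store" always;`. Because the location is reachable without a session, a short comment stating that the handler checks `iss` against the stored ID token before clearing session data would also help the next reader.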
diff --git a/internal/configs/oidc/oidc_common.conf b/internal/configs/oidc/oidc_common.conf index a7c2a2984a..7b14bf961c 100644 --- a/internal/configs/oidc/oidc_common.conf +++ b/internal/configs/oidc/oidc_common.conf @@ -28,7 +28,6 @@ keyval $cookie_auth_token $refresh_token zone=refresh_tokens; # Exchange coo keyval $request_id $new_session zone=oidc_id_tokens; # For initial session creation keyval $request_id $new_access_token zone=oidc_access_tokens; keyval $request_id $new_refresh zone=refresh_tokens; # '' -keyval $idp_sid $client_sid zone=oidc_sids; auth_jwt_claim_set $jwt_audience aud; # In case aud is an array js_import oidc from oidc/openid_connect.js; diff --git a/internal/configs/version2/nginx-plus.virtualserver.tmpl b/internal/configs/version2/nginx-plus.virtualserver.tmpl index 4cd3039d6f..7c6a34a4a6 100644 --- a/internal/configs/version2/nginx-plus.virtualserver.tmpl +++ b/internal/configs/version2/nginx-plus.virtualserver.tmpl @@ -115,8 +115,12 @@ map $request_method $cache_purge_{{ replaceAll $l.Cache.ZoneName "-" "_" }} { {{- end }} {{- end }} -{{- if and $s.OIDC $s.OIDC.PKCEEnable }} -include oidc/oidc_pkce_supplements.conf; +{{- if $s.OIDC }} + keyval $idp_sid $client_sid zone=oidc_sids; + + {{ if $s.OIDC.PKCEEnable }} + include oidc/oidc_pkce_supplements.conf; + {{- end }} {{- end }} server { From f2072269d6f299cee5e7d7d630fd1a035563ca35 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Thu, 2 Oct 2025 15:53:45 +0100 Subject: [PATCH 6/8] Update keycloak image version and env vars --- tests/data/common/app/keycloak/app.yaml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/tests/data/common/app/keycloak/app.yaml b/tests/data/common/app/keycloak/app.yaml index 56f0efbeb2..af2c2a99c5 100644 --- a/tests/data/common/app/keycloak/app.yaml +++ b/tests/data/common/app/keycloak/app.yaml 
@@ -30,15 +30,17 @@ spec: spec: containers: - name: keycloak - image: quay.io/keycloak/keycloak:26.3 + image: quay.io/keycloak/keycloak:26.4 args: ["start-dev"] env: - - name: KEYCLOAK_ADMIN + - name: KC_BOOTSTRAP_ADMIN_USERNAME value: "admin" - - name: KEYCLOAK_ADMIN_PASSWORD + - name: KC_BOOTSTRAP_ADMIN_PASSWORD value: "admin" - - name: KC_PROXY - value: "edge" + - name: KC_HOSTNAME_STRICT + value: "false" + - name: KC_PROXY_HEADERS + value: "xforwarded" ports: - name: http containerPort: 8080 From 95342178209141f6f3a28a399e7f6526b580b655 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Thu, 2 Oct 2025 16:12:08 +0100 Subject: [PATCH 7/8] Fix virtualserver template and snaps --- charts/tests/__snapshots__/helmunit_test.snap | 2519 +++++++---------- .../__snapshots__/templates_test.snap | 1 + .../version2/nginx-plus.virtualserver.tmpl | 9 +- 3 files changed, 1033 insertions(+), 1496 deletions(-) diff --git a/charts/tests/__snapshots__/helmunit_test.snap b/charts/tests/__snapshots__/helmunit_test.snap index 3d91c099a9..e0fca15301 100755 --- a/charts/tests/__snapshots__/helmunit_test.snap +++ b/charts/tests/__snapshots__/helmunit_test.snap @@ -4834,18 +4834,18 @@ metadata: app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/globalConfigCustomName - 1] +[TestHelmNICTemplate/ingressClass - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: global-config-custom-name-nginx-ingress + name: ingress-class-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -4853,12 +4853,12 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: global-config-custom-name-nginx-ingress + name: ingress-class-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: @@ -4868,12 +4868,12 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: global-config-custom-name-nginx-ingress-leader-election + name: ingress-class-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -4881,11 +4881,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: global-config-custom-name-nginx-ingress + name: ingress-class-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm rules: 
@@ -4996,31 +4996,31 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: global-config-custom-name-nginx-ingress + name: ingress-class-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: global-config-custom-name-nginx-ingress + name: ingress-class-nginx-ingress namespace: default roleRef: kind: ClusterRole - name: global-config-custom-name-nginx-ingress + name: ingress-class-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: global-config-custom-name-nginx-ingress + name: ingress-class-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default @@ -5061,7 +5061,7 @@ rules: resources: - leases resourceNames: - - global-config-custom-name-nginx-ingress-leader-election + - ingress-class-nginx-ingress-leader-election verbs: - get - update 
@@ -5076,33 +5076,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: global-config-custom-name-nginx-ingress + name: ingress-class-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: global-config-custom-name-nginx-ingress + name: ingress-class-nginx-ingress subjects: - kind: ServiceAccount - name: global-config-custom-name-nginx-ingress + name: ingress-class-nginx-ingress namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: global-config-custom-name-nginx-ingress-controller + name: ingress-class-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: @@ -5121,18 +5121,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: ingress-class /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: global-config-custom-name-nginx-ingress-controller + name: ingress-class-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -5140,19 +5140,19 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: ingress-class template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: ingress-class annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: volumes: [] - serviceAccountName: global-config-custom-name-nginx-ingress + serviceAccountName: ingress-class-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -5211,8 +5211,8 @@ spec: - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/global-config-custom-name-nginx-ingress - - -ingress-class=nginx + - -nginx-configmaps=$(POD_NAMESPACE)/ingress-class-nginx-ingress + - -ingress-class=changed - -health-status=false - -health-status-uri=/nginx-health - -nginx-debug=false @@ -5222,9 +5222,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=global-config-custom-name-nginx-ingress-controller + - -external-service=ingress-class-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=global-config-custom-name-nginx-ingress-leader-election + - -leader-election-lock-name=ingress-class-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= @@ -5240,7 +5240,6 @@ spec: - -enable-external-dns=false - -default-http-listener-port=80 - -default-https-listener-port=443 - - -global-configuration=test-namespace/my-custom-global-config - -ready-status=true - -ready-status-port=8081 - -enable-latency-metrics=false 
@@ -5252,63 +5251,47 @@ spec: apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: - name: nginx + name: changed labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm + annotations: + ingressclass.kubernetes.io/is-default-class: "true" spec: controller: nginx.org/ingress-controller /-/-/-/ # Source: nginx-ingress/templates/controller-configmap.yaml /-/-/-/ /-/-/-/ -# Source: nginx-ingress/templates/controller-globalconfiguration.yaml -apiVersion: k8s.nginx.org/v1 -kind: GlobalConfiguration -metadata: - name: my-custom-global-config - namespace: test-namespace - labels: - helm.sh/chart: nginx-ingress-2.4.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name - app.kubernetes.io/version: "5.3.0" - app.kubernetes.io/managed-by: Helm -spec: - listeners: - - name: dns-udp - port: 5353 - protocol: UDP -/-/-/-/ # Source: nginx-ingress/templates/controller-lease.yaml apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: global-config-custom-name-nginx-ingress-leader-election + name: ingress-class-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: ingress-class app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/globalConfigCustomName - 1] +[TestHelmNICTemplate/namespace - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: global-config-custom-name-nginx-ingress - namespace: default + name: namespace-nginx-ingress + namespace: nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - 
app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -5316,12 +5299,12 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: global-config-custom-name-nginx-ingress - namespace: default + name: namespace-nginx-ingress + namespace: nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: @@ -5331,12 +5314,12 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: global-config-custom-name-nginx-ingress-leader-election - namespace: default + name: namespace-nginx-ingress-leader-election + namespace: nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -5344,11 +5327,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: global-config-custom-name-nginx-ingress + name: namespace-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm rules: 
@@ -5459,34 +5442,34 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: global-config-custom-name-nginx-ingress + name: namespace-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: global-config-custom-name-nginx-ingress - namespace: default + name: namespace-nginx-ingress + namespace: nginx-ingress roleRef: kind: ClusterRole - name: global-config-custom-name-nginx-ingress + name: namespace-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: global-config-custom-name-nginx-ingress + name: namespace-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm - namespace: default + namespace: nginx-ingress rules: - apiGroups: - "" @@ -5524,7 +5507,7 @@ rules: resources: - leases resourceNames: - - global-config-custom-name-nginx-ingress-leader-election + - namespace-nginx-ingress-leader-election verbs: - get - update 
@@ -5539,33 +5522,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: global-config-custom-name-nginx-ingress + name: namespace-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm - namespace: default + namespace: nginx-ingress roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: global-config-custom-name-nginx-ingress + name: namespace-nginx-ingress subjects: - kind: ServiceAccount - name: global-config-custom-name-nginx-ingress - namespace: default + name: namespace-nginx-ingress + namespace: nginx-ingress /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: global-config-custom-name-nginx-ingress-controller - namespace: default + name: namespace-nginx-ingress-controller + namespace: nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: @@ -5584,18 +5567,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: namespace /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: global-config-custom-name-nginx-ingress-controller - namespace: default + name: namespace-nginx-ingress-controller + namespace: nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -5603,19 +5586,19 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: namespace template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: namespace annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: volumes: [] - serviceAccountName: global-config-custom-name-nginx-ingress + serviceAccountName: namespace-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -5674,7 +5657,7 @@ spec: - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/global-config-custom-name-nginx-ingress + - -nginx-configmaps=$(POD_NAMESPACE)/namespace-nginx-ingress - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -5685,9 +5668,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=global-config-custom-name-nginx-ingress-controller + - -external-service=namespace-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=global-config-custom-name-nginx-ingress-leader-election + - -leader-election-lock-name=namespace-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= @@ -5703,7 +5686,6 @@ spec: - -enable-external-dns=false - -default-http-listener-port=80 - -default-https-listener-port=443 - - -global-configuration=test-namespace/my-custom-global-config - -ready-status=true - -ready-status-port=8081 - -enable-latency-metrics=false 
@@ -5719,7 +5701,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: @@ -5728,50 +5710,32 @@ spec: # Source: nginx-ingress/templates/controller-configmap.yaml /-/-/-/ /-/-/-/ -# Source: nginx-ingress/templates/controller-globalconfiguration.yaml -apiVersion: k8s.nginx.org/v1 -kind: GlobalConfiguration -metadata: - name: my-custom-global-config - namespace: test-namespace - labels: - helm.sh/chart: nginx-ingress-2.4.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name - app.kubernetes.io/version: "5.3.0" - app.kubernetes.io/managed-by: Helm -spec: - listeners: - - name: dns-udp - port: 5353 - protocol: UDP -/-/-/-/ # Source: nginx-ingress/templates/controller-lease.yaml apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: global-config-custom-name-nginx-ingress-leader-election - namespace: default + name: namespace-nginx-ingress-leader-election + namespace: nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: global-config-custom-name + app.kubernetes.io/instance: namespace app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/ingressClass - 1] +[TestHelmNICTemplate/ossAgentV3 - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: ingress-class-nginx-ingress + name: oss-agent-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: oss-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -5779,42 +5743,83 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: ingress-class-nginx-ingress + name: oss-agent-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: oss-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: {} /-/-/-/ -# Source: nginx-ingress/templates/controller-leader-election-configmap.yaml +# Source: nginx-ingress/templates/controller-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: ingress-class-nginx-ingress-leader-election + name: oss-agent-nginx-ingress-agent-config namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: oss-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm +data: + nginx-agent.conf: |- + + log: + # set log level (error, info, debug; default "info") + level: info + # set log path. if empty, don't log to file. 
+ path: "" + + allowed_directories: + - /etc/nginx + - /usr/lib/nginx/modules + + features: + - certificates + - connection + - metrics + - file-watcher + + ## command server settings + command: + server: + host: agent.connect.nginx.com + port: 443 + auth: + tokenpath: "/etc/nginx-agent/secrets/dataplane.key" + tls: + skip_verify: false /-/-/-/ -# Source: nginx-ingress/templates/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 +# Source: nginx-ingress/templates/controller-leader-election-configmap.yaml +apiVersion: v1 +kind: ConfigMap metadata: - name: ingress-class-nginx-ingress + name: oss-agent-nginx-ingress-leader-election + namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: oss-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm -rules: +/-/-/-/ +# Source: nginx-ingress/templates/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: oss-agent-nginx-ingress + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: oss-agent + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +rules: - apiGroups: - "" resources: 
@@ -5922,31 +5927,31 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: ingress-class-nginx-ingress + name: oss-agent-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: oss-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: ingress-class-nginx-ingress + name: oss-agent-nginx-ingress namespace: default roleRef: kind: ClusterRole - name: ingress-class-nginx-ingress + name: oss-agent-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: ingress-class-nginx-ingress + name: oss-agent-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: oss-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default @@ -5987,7 +5992,7 @@ rules: resources: - leases resourceNames: - - ingress-class-nginx-ingress-leader-election + - oss-agent-nginx-ingress-leader-election verbs: - get - update 
@@ -6002,33 +6007,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: ingress-class-nginx-ingress + name: oss-agent-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: oss-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: ingress-class-nginx-ingress + name: oss-agent-nginx-ingress subjects: - kind: ServiceAccount - name: ingress-class-nginx-ingress + name: oss-agent-nginx-ingress namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: ingress-class-nginx-ingress-controller + name: oss-agent-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: oss-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: @@ -6047,18 +6052,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: oss-agent /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: ingress-class-nginx-ingress-controller + name: oss-agent-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: oss-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -6066,19 +6071,27 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: oss-agent template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: oss-agent + agent-configuration-revision-hash: "e150cd8a" annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: - volumes: [] - serviceAccountName: ingress-class-nginx-ingress + volumes: + + - name: agent-conf + configMap: + name: oss-agent-nginx-ingress-agent-config + - name: dataplane-key + secret: + secretName: dataplane-key + serviceAccountName: oss-agent-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -6121,7 +6134,13 @@ spec: - ALL add: - NET_BIND_SERVICE - volumeMounts: [] + volumeMounts: + + - name: agent-conf + mountPath: /etc/nginx-agent/nginx-agent.conf + subPath: nginx-agent.conf + - name: dataplane-key + mountPath: /etc/nginx-agent/secrets env: - name: POD_NAMESPACE valueFrom: @@ -6137,8 +6156,8 @@ spec: - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/ingress-class-nginx-ingress - - -ingress-class=changed + - -nginx-configmaps=$(POD_NAMESPACE)/oss-agent-nginx-ingress + - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health - -nginx-debug=false @@ -6148,9 +6167,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=ingress-class-nginx-ingress-controller + - -external-service=oss-agent-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=ingress-class-nginx-ingress-leader-election + - -leader-election-lock-name=oss-agent-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= 
@@ -6172,52 +6191,48 @@ spec: - -ssl-dynamic-reload=true - -enable-telemetry-reporting=true - -weight-changes-dynamic-reload=false + - -agent=true /-/-/-/ # Source: nginx-ingress/templates/controller-ingress-class.yaml apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: - name: changed + name: nginx labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: oss-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm - annotations: - ingressclass.kubernetes.io/is-default-class: "true" spec: controller: nginx.org/ingress-controller /-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -/-/-/-/ -/-/-/-/ # Source: nginx-ingress/templates/controller-lease.yaml apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: ingress-class-nginx-ingress-leader-election + name: oss-agent-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: ingress-class + app.kubernetes.io/instance: oss-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/namespace - 1] +[TestHelmNICTemplate/plus - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: namespace-nginx-ingress - namespace: nginx-ingress + name: plus-nginx-ingress + namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: plus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -6225,27 +6240,43 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: namespace-nginx-ingress - namespace: nginx-ingress + name: plus-nginx-ingress + namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: plus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: {} /-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +/-/-/-/ +apiVersion: v1 +kind: ConfigMap +metadata: + name: plus-nginx-ingress-mgmt + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: plus + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +data: + license-token-secret-name: license-token +/-/-/-/ # Source: nginx-ingress/templates/controller-leader-election-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: namespace-nginx-ingress-leader-election - namespace: nginx-ingress + name: plus-nginx-ingress-leader-election + namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: plus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -6253,11 +6284,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: namespace-nginx-ingress + name: plus-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: plus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm rules: 
@@ -6368,34 +6399,34 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: namespace-nginx-ingress + name: plus-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: plus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: namespace-nginx-ingress - namespace: nginx-ingress + name: plus-nginx-ingress + namespace: default roleRef: kind: ClusterRole - name: namespace-nginx-ingress + name: plus-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: namespace-nginx-ingress + name: plus-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: plus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm - namespace: nginx-ingress + namespace: default rules: - apiGroups: - "" @@ -6433,7 +6464,7 @@ rules: resources: - leases resourceNames: - - namespace-nginx-ingress-leader-election + - plus-nginx-ingress-leader-election verbs: - get - update 
@@ -6448,33 +6479,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: namespace-nginx-ingress + name: plus-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: plus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm - namespace: nginx-ingress + namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: namespace-nginx-ingress + name: plus-nginx-ingress subjects: - kind: ServiceAccount - name: namespace-nginx-ingress - namespace: nginx-ingress + name: plus-nginx-ingress + namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: namespace-nginx-ingress-controller - namespace: nginx-ingress + name: plus-nginx-ingress-controller + namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: plus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: @@ -6493,18 +6524,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: plus /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: namespace-nginx-ingress-controller - namespace: nginx-ingress + name: plus-nginx-ingress-controller + namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: plus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -6512,19 +6543,19 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: plus template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: plus annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: volumes: [] - serviceAccountName: namespace-nginx-ingress + serviceAccountName: plus-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -6579,11 +6610,12 @@ spec: fieldPath: metadata.name args: - - -nginx-plus=false + - -nginx-plus=true - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/namespace-nginx-ingress + - -nginx-configmaps=$(POD_NAMESPACE)/plus-nginx-ingress + - -mgmt-configmap=$(POD_NAMESPACE)/plus-nginx-ingress-mgmt - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -6594,9 +6626,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=namespace-nginx-ingress-controller + - -external-service=plus-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=namespace-nginx-ingress-leader-election + - -leader-election-lock-name=plus-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= 
@@ -6627,41 +6659,38 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: plus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: controller: nginx.org/ingress-controller /-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -/-/-/-/ -/-/-/-/ # Source: nginx-ingress/templates/controller-lease.yaml apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: namespace-nginx-ingress-leader-election - namespace: nginx-ingress + name: plus-nginx-ingress-leader-election + namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: namespace + app.kubernetes.io/instance: plus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/ossAgentV3 - 1] +[TestHelmNICTemplate/plus-debug - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: oss-agent-nginx-ingress + name: plus-debug-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: oss-agent + app.kubernetes.io/instance: plus-debug app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -6669,68 +6698,43 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: oss-agent-nginx-ingress + name: plus-debug-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: oss-agent + app.kubernetes.io/instance: plus-debug app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: {} /-/-/-/ # Source: nginx-ingress/templates/controller-configmap.yaml +/-/-/-/ apiVersion: v1 kind: ConfigMap metadata: - name: oss-agent-nginx-ingress-agent-config + name: plus-debug-nginx-ingress-mgmt namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: oss-agent + app.kubernetes.io/instance: plus-debug app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: - nginx-agent.conf: |- - - log: - # set log level (error, info, debug; default "info") - level: info - # set log path. if empty, don't log to file. - path: "" - - allowed_directories: - - /etc/nginx - - /usr/lib/nginx/modules - - features: - - certificates - - connection - - metrics - - file-watcher - - ## command server settings - command: - server: - host: agent.connect.nginx.com - port: 443 - auth: - tokenpath: "/etc/nginx-agent/secrets/dataplane.key" - tls: - skip_verify: false + license-token-secret-name: license-token /-/-/-/ # Source: nginx-ingress/templates/controller-leader-election-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: oss-agent-nginx-ingress-leader-election + name: plus-debug-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: oss-agent + app.kubernetes.io/instance: plus-debug app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -6738,11 +6742,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: oss-agent-nginx-ingress + name: plus-debug-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: oss-agent + app.kubernetes.io/instance: plus-debug app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm rules: @@ -6853,31 +6857,31 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: oss-agent-nginx-ingress + name: plus-debug-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: oss-agent + app.kubernetes.io/instance: plus-debug app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: oss-agent-nginx-ingress + name: plus-debug-nginx-ingress namespace: default roleRef: kind: ClusterRole - name: oss-agent-nginx-ingress + name: plus-debug-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: oss-agent-nginx-ingress + name: plus-debug-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: oss-agent + app.kubernetes.io/instance: plus-debug app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default @@ -6918,7 +6922,7 @@ rules: resources: - leases resourceNames: - - oss-agent-nginx-ingress-leader-election + - plus-debug-nginx-ingress-leader-election verbs: - get - update 
@@ -6933,33 +6937,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: oss-agent-nginx-ingress + name: plus-debug-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: oss-agent + app.kubernetes.io/instance: plus-debug app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: oss-agent-nginx-ingress + name: plus-debug-nginx-ingress subjects: - kind: ServiceAccount - name: oss-agent-nginx-ingress + name: plus-debug-nginx-ingress namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: oss-agent-nginx-ingress-controller + name: plus-debug-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: oss-agent + app.kubernetes.io/instance: plus-debug app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: @@ -6978,18 +6982,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: oss-agent + app.kubernetes.io/instance: plus-debug /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: oss-agent-nginx-ingress-controller + name: plus-debug-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: oss-agent + app.kubernetes.io/instance: plus-debug app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -6997,27 +7001,19 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: oss-agent + app.kubernetes.io/instance: plus-debug template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: oss-agent - agent-configuration-revision-hash: "e150cd8a" + app.kubernetes.io/instance: plus-debug annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: - volumes: - - - name: agent-conf - configMap: - name: oss-agent-nginx-ingress-agent-config - - name: dataplane-key - secret: - secretName: dataplane-key - serviceAccountName: oss-agent-nginx-ingress + volumes: [] + serviceAccountName: plus-debug-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -7060,13 +7056,7 @@ spec: - ALL add: - NET_BIND_SERVICE - volumeMounts: - - - name: agent-conf - mountPath: /etc/nginx-agent/nginx-agent.conf - subPath: nginx-agent.conf - - name: dataplane-key - mountPath: /etc/nginx-agent/secrets + volumeMounts: [] env: - name: POD_NAMESPACE valueFrom: @@ -7078,11 +7068,22 @@ spec: fieldPath: metadata.name args: - - -nginx-plus=false + - --listen=:2345 + - --headless=true + - --log=true + - --log-output=debugger,debuglineerr,gdbwire,lldbout,rpc,dap,fncall,minidump,stack + - --accept-multiclient + - --api-version=2 + - exec + - ./nginx-ingress + - --continue + - -- + - -nginx-plus=true - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/oss-agent-nginx-ingress + - -nginx-configmaps=$(POD_NAMESPACE)/plus-debug-nginx-ingress + - -mgmt-configmap=$(POD_NAMESPACE)/plus-debug-nginx-ingress-mgmt - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health 
@@ -7093,9 +7094,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=oss-agent-nginx-ingress-controller + - -external-service=plus-debug-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=oss-agent-nginx-ingress-leader-election + - -leader-election-lock-name=plus-debug-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= @@ -7117,7 +7118,6 @@ spec: - -ssl-dynamic-reload=true - -enable-telemetry-reporting=true - -weight-changes-dynamic-reload=false - - -agent=true /-/-/-/ # Source: nginx-ingress/templates/controller-ingress-class.yaml apiVersion: networking.k8s.io/v1 @@ -7127,7 +7127,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: oss-agent + app.kubernetes.io/instance: plus-debug app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: @@ -7137,28 +7137,28 @@ spec: apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: oss-agent-nginx-ingress-leader-election + name: plus-debug-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: oss-agent + app.kubernetes.io/instance: plus-debug app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/plus - 1] +[TestHelmNICTemplate/plus-mgmt - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: plus-nginx-ingress + name: plus-mgmt-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-mgmt app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -7166,12 +7166,12 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: plus-nginx-ingress + name: plus-mgmt-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-mgmt app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: @@ -7182,27 +7182,37 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: plus-nginx-ingress-mgmt + name: plus-mgmt-nginx-ingress-mgmt namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-mgmt app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: - license-token-secret-name: license-token + license-token-secret-name: license + ssl-verify: "false" + enforce-initial-report: "true" + usage-report-endpoint: "11.22.33.44" + usage-report-interval: "7h" + usage-report-proxy-host: "44.55.66.77:88" + ssl-trusted-certificate-secret-name: "ssl-trusted" + ssl-certificate-secret-name: "ssl-cert" + resolver-addresses: "example.com" + resolver-ipv6: "false" + resolver-valid: "15s" /-/-/-/ # Source: nginx-ingress/templates/controller-leader-election-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: plus-nginx-ingress-leader-election + name: plus-mgmt-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-mgmt app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -7210,11 +7220,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-nginx-ingress + name: plus-mgmt-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-mgmt app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm rules: @@ -7325,31 +7335,31 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-nginx-ingress + name: plus-mgmt-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-mgmt app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: plus-nginx-ingress + name: plus-mgmt-nginx-ingress namespace: default roleRef: kind: ClusterRole - name: plus-nginx-ingress + name: plus-mgmt-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-nginx-ingress + name: plus-mgmt-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-mgmt app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default @@ -7390,7 +7400,7 @@ rules: resources: - leases resourceNames: - - plus-nginx-ingress-leader-election + - plus-mgmt-nginx-ingress-leader-election verbs: - get - update 
@@ -7405,33 +7415,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-nginx-ingress + name: plus-mgmt-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-mgmt app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: plus-nginx-ingress + name: plus-mgmt-nginx-ingress subjects: - kind: ServiceAccount - name: plus-nginx-ingress + name: plus-mgmt-nginx-ingress namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: plus-nginx-ingress-controller + name: plus-mgmt-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-mgmt app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: @@ -7450,18 +7460,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-mgmt /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: plus-nginx-ingress-controller + name: plus-mgmt-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-mgmt app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -7469,19 +7479,19 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-mgmt template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-mgmt annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: volumes: [] - serviceAccountName: plus-nginx-ingress + serviceAccountName: plus-mgmt-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -7534,14 +7544,24 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + - name: PROXY_USER + valueFrom: + secretKeyRef: + name: proxy-credentials + key: username + - name: PROXY_PASS + valueFrom: + secretKeyRef: + name: proxy-credentials + key: password args: - -nginx-plus=true - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/plus-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/plus-nginx-ingress-mgmt + - -nginx-configmaps=$(POD_NAMESPACE)/plus-mgmt-nginx-ingress + - -mgmt-configmap=$(POD_NAMESPACE)/plus-mgmt-nginx-ingress-mgmt - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -7552,9 +7572,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=plus-nginx-ingress-controller + - -external-service=plus-mgmt-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=plus-nginx-ingress-leader-election + - -leader-election-lock-name=plus-mgmt-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= 
@@ -7585,7 +7605,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-mgmt app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: @@ -7595,28 +7615,28 @@ spec: apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: plus-nginx-ingress-leader-election + name: plus-mgmt-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus + app.kubernetes.io/instance: plus-mgmt app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/plus-debug - 1] +[TestHelmNICTemplate/plus-mgmt-custom-endpoint - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: plus-debug-nginx-ingress + name: plus-mgmt-custom-endpoint-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-custom-endpoint app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -7624,12 +7644,12 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: plus-debug-nginx-ingress + name: plus-mgmt-custom-endpoint-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-custom-endpoint app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: 
@@ -7640,27 +7660,28 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: plus-debug-nginx-ingress-mgmt + name: plus-mgmt-custom-endpoint-nginx-ingress-mgmt namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-custom-endpoint app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: license-token-secret-name: license-token + usage-report-endpoint: "11.22.33.44" /-/-/-/ # Source: nginx-ingress/templates/controller-leader-election-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: plus-debug-nginx-ingress-leader-election + name: plus-mgmt-custom-endpoint-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-custom-endpoint app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -7668,11 +7689,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-debug-nginx-ingress + name: plus-mgmt-custom-endpoint-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-custom-endpoint app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm rules: 
@@ -7783,31 +7804,31 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-debug-nginx-ingress + name: plus-mgmt-custom-endpoint-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-custom-endpoint app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: plus-debug-nginx-ingress + name: plus-mgmt-custom-endpoint-nginx-ingress namespace: default roleRef: kind: ClusterRole - name: plus-debug-nginx-ingress + name: plus-mgmt-custom-endpoint-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-debug-nginx-ingress + name: plus-mgmt-custom-endpoint-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-custom-endpoint app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default @@ -7848,7 +7869,7 @@ rules: resources: - leases resourceNames: - - plus-debug-nginx-ingress-leader-election + - plus-mgmt-custom-endpoint-nginx-ingress-leader-election verbs: - get - update 
@@ -7863,33 +7884,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-debug-nginx-ingress + name: plus-mgmt-custom-endpoint-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-custom-endpoint app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: plus-debug-nginx-ingress + name: plus-mgmt-custom-endpoint-nginx-ingress subjects: - kind: ServiceAccount - name: plus-debug-nginx-ingress + name: plus-mgmt-custom-endpoint-nginx-ingress namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: plus-debug-nginx-ingress-controller + name: plus-mgmt-custom-endpoint-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-custom-endpoint app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: @@ -7908,18 +7929,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-custom-endpoint /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: plus-debug-nginx-ingress-controller + name: plus-mgmt-custom-endpoint-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-custom-endpoint app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -7927,19 +7948,19 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-custom-endpoint template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-custom-endpoint annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: volumes: [] - serviceAccountName: plus-debug-nginx-ingress + serviceAccountName: plus-mgmt-custom-endpoint-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -7994,22 +8015,12 @@ spec: fieldPath: metadata.name args: - - --listen=:2345 - - --headless=true - - --log=true - - --log-output=debugger,debuglineerr,gdbwire,lldbout,rpc,dap,fncall,minidump,stack - - --accept-multiclient - - --api-version=2 - - exec - - ./nginx-ingress - - --continue - - -- - -nginx-plus=true - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/plus-debug-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/plus-debug-nginx-ingress-mgmt + - -nginx-configmaps=$(POD_NAMESPACE)/plus-mgmt-custom-endpoint-nginx-ingress + - -mgmt-configmap=$(POD_NAMESPACE)/plus-mgmt-custom-endpoint-nginx-ingress-mgmt - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -8020,9 +8031,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=plus-debug-nginx-ingress-controller + - -external-service=plus-mgmt-custom-endpoint-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=plus-debug-nginx-ingress-leader-election + - -leader-election-lock-name=plus-mgmt-custom-endpoint-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= 
@@ -8053,7 +8064,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-custom-endpoint app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: @@ -8063,28 +8074,28 @@ spec: apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: plus-debug-nginx-ingress-leader-election + name: plus-mgmt-custom-endpoint-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-debug + app.kubernetes.io/instance: plus-mgmt-custom-endpoint app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/plus-mgmt - 1] +[TestHelmNICTemplate/plus-mgmt-proxy-host - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: plus-mgmt-nginx-ingress + name: plus-mgmt-proxy-host-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt + app.kubernetes.io/instance: plus-mgmt-proxy-host app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -8092,12 +8103,12 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: plus-mgmt-nginx-ingress + name: plus-mgmt-proxy-host-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt + app.kubernetes.io/instance: plus-mgmt-proxy-host app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: 
@@ -8108,37 +8119,28 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: plus-mgmt-nginx-ingress-mgmt + name: plus-mgmt-proxy-host-nginx-ingress-mgmt namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt + app.kubernetes.io/instance: plus-mgmt-proxy-host app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: - license-token-secret-name: license - ssl-verify: "false" - enforce-initial-report: "true" - usage-report-endpoint: "11.22.33.44" - usage-report-interval: "7h" + license-token-secret-name: license-token usage-report-proxy-host: "44.55.66.77:88" - ssl-trusted-certificate-secret-name: "ssl-trusted" - ssl-certificate-secret-name: "ssl-cert" - resolver-addresses: "example.com" - resolver-ipv6: "false" - resolver-valid: "15s" /-/-/-/ # Source: nginx-ingress/templates/controller-leader-election-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: plus-mgmt-nginx-ingress-leader-election + name: plus-mgmt-proxy-host-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt + app.kubernetes.io/instance: plus-mgmt-proxy-host app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -8146,11 +8148,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-mgmt-nginx-ingress + name: plus-mgmt-proxy-host-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt + app.kubernetes.io/instance: plus-mgmt-proxy-host app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm rules: 
@@ -8261,31 +8263,31 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-mgmt-nginx-ingress + name: plus-mgmt-proxy-host-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt + app.kubernetes.io/instance: plus-mgmt-proxy-host app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: plus-mgmt-nginx-ingress + name: plus-mgmt-proxy-host-nginx-ingress namespace: default roleRef: kind: ClusterRole - name: plus-mgmt-nginx-ingress + name: plus-mgmt-proxy-host-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-mgmt-nginx-ingress + name: plus-mgmt-proxy-host-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt + app.kubernetes.io/instance: plus-mgmt-proxy-host app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default @@ -8326,7 +8328,7 @@ rules: resources: - leases resourceNames: - - plus-mgmt-nginx-ingress-leader-election + - plus-mgmt-proxy-host-nginx-ingress-leader-election verbs: - get - update 
@@ -8341,33 +8343,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-mgmt-nginx-ingress + name: plus-mgmt-proxy-host-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt + app.kubernetes.io/instance: plus-mgmt-proxy-host app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: plus-mgmt-nginx-ingress + name: plus-mgmt-proxy-host-nginx-ingress subjects: - kind: ServiceAccount - name: plus-mgmt-nginx-ingress + name: plus-mgmt-proxy-host-nginx-ingress namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: plus-mgmt-nginx-ingress-controller + name: plus-mgmt-proxy-host-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt + app.kubernetes.io/instance: plus-mgmt-proxy-host app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: @@ -8386,18 +8388,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt + app.kubernetes.io/instance: plus-mgmt-proxy-host /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: plus-mgmt-nginx-ingress-controller + name: plus-mgmt-proxy-host-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt + app.kubernetes.io/instance: plus-mgmt-proxy-host app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -8405,19 +8407,19 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt + app.kubernetes.io/instance: plus-mgmt-proxy-host template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt + app.kubernetes.io/instance: plus-mgmt-proxy-host annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: volumes: [] - serviceAccountName: plus-mgmt-nginx-ingress + serviceAccountName: plus-mgmt-proxy-host-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -8470,24 +8472,14 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - - name: PROXY_USER - valueFrom: - secretKeyRef: - name: proxy-credentials - key: username - - name: PROXY_PASS - valueFrom: - secretKeyRef: - name: proxy-credentials - key: password args: - -nginx-plus=true - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/plus-mgmt-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/plus-mgmt-nginx-ingress-mgmt + - -nginx-configmaps=$(POD_NAMESPACE)/plus-mgmt-proxy-host-nginx-ingress + - -mgmt-configmap=$(POD_NAMESPACE)/plus-mgmt-proxy-host-nginx-ingress-mgmt - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -8498,9 +8490,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=plus-mgmt-nginx-ingress-controller + - -external-service=plus-mgmt-proxy-host-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=plus-mgmt-nginx-ingress-leader-election + - -leader-election-lock-name=plus-mgmt-proxy-host-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= 
@@ -8531,7 +8523,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt + app.kubernetes.io/instance: plus-mgmt-proxy-host app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: @@ -8541,28 +8533,28 @@ spec: apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: plus-mgmt-nginx-ingress-leader-election + name: plus-mgmt-proxy-host-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt + app.kubernetes.io/instance: plus-mgmt-proxy-host app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/plus-mgmt-custom-endpoint - 1] +[TestHelmNICTemplate/plus-mgmt-proxy-host-auth - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress + name: plus-mgmt-proxy-host-auth-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint + app.kubernetes.io/instance: plus-mgmt-proxy-host-auth app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -8570,12 +8562,12 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress + name: plus-mgmt-proxy-host-auth-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint + app.kubernetes.io/instance: plus-mgmt-proxy-host-auth app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: 
@@ -8586,28 +8578,28 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress-mgmt + name: plus-mgmt-proxy-host-auth-nginx-ingress-mgmt namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint + app.kubernetes.io/instance: plus-mgmt-proxy-host-auth app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: license-token-secret-name: license-token - usage-report-endpoint: "11.22.33.44" + usage-report-proxy-host: "44.55.66.77:88" /-/-/-/ # Source: nginx-ingress/templates/controller-leader-election-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress-leader-election + name: plus-mgmt-proxy-host-auth-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint + app.kubernetes.io/instance: plus-mgmt-proxy-host-auth app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -8615,11 +8607,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress + name: plus-mgmt-proxy-host-auth-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint + app.kubernetes.io/instance: plus-mgmt-proxy-host-auth app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm rules: 
@@ -8730,31 +8722,31 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress + name: plus-mgmt-proxy-host-auth-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint + app.kubernetes.io/instance: plus-mgmt-proxy-host-auth app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: plus-mgmt-custom-endpoint-nginx-ingress + name: plus-mgmt-proxy-host-auth-nginx-ingress namespace: default roleRef: kind: ClusterRole - name: plus-mgmt-custom-endpoint-nginx-ingress + name: plus-mgmt-proxy-host-auth-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress + name: plus-mgmt-proxy-host-auth-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint + app.kubernetes.io/instance: plus-mgmt-proxy-host-auth app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default @@ -8795,7 +8787,7 @@ rules: resources: - leases resourceNames: - - plus-mgmt-custom-endpoint-nginx-ingress-leader-election + - plus-mgmt-proxy-host-auth-nginx-ingress-leader-election verbs: - get - update 
@@ -8810,33 +8802,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress + name: plus-mgmt-proxy-host-auth-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint + app.kubernetes.io/instance: plus-mgmt-proxy-host-auth app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: plus-mgmt-custom-endpoint-nginx-ingress + name: plus-mgmt-proxy-host-auth-nginx-ingress subjects: - kind: ServiceAccount - name: plus-mgmt-custom-endpoint-nginx-ingress + name: plus-mgmt-proxy-host-auth-nginx-ingress namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress-controller + name: plus-mgmt-proxy-host-auth-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint + app.kubernetes.io/instance: plus-mgmt-proxy-host-auth app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -8855,18 +8847,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint + app.kubernetes.io/instance: plus-mgmt-proxy-host-auth /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress-controller + name: plus-mgmt-proxy-host-auth-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint + app.kubernetes.io/instance: plus-mgmt-proxy-host-auth app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: @@ -8874,19 +8866,19 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint + app.kubernetes.io/instance: plus-mgmt-proxy-host-auth template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint + app.kubernetes.io/instance: plus-mgmt-proxy-host-auth annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: volumes: [] - serviceAccountName: plus-mgmt-custom-endpoint-nginx-ingress + serviceAccountName: plus-mgmt-proxy-host-auth-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: 
@@ -8939,14 +8931,24 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + - name: PROXY_USER + valueFrom: + secretKeyRef: + name: custom-credentials + key: username + - name: PROXY_PASS + valueFrom: + secretKeyRef: + name: custom-credentials + key: password args: - -nginx-plus=true - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/plus-mgmt-custom-endpoint-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/plus-mgmt-custom-endpoint-nginx-ingress-mgmt + - -nginx-configmaps=$(POD_NAMESPACE)/plus-mgmt-proxy-host-auth-nginx-ingress + - -mgmt-configmap=$(POD_NAMESPACE)/plus-mgmt-proxy-host-auth-nginx-ingress-mgmt - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -8957,9 +8959,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=plus-mgmt-custom-endpoint-nginx-ingress-controller + - -external-service=plus-mgmt-proxy-host-auth-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=plus-mgmt-custom-endpoint-nginx-ingress-leader-election + - -leader-election-lock-name=plus-mgmt-proxy-host-auth-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= @@ -8990,7 +8992,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint + app.kubernetes.io/instance: plus-mgmt-proxy-host-auth app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -9000,28 +9002,28 @@ spec: apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: plus-mgmt-custom-endpoint-nginx-ingress-leader-election + name: plus-mgmt-proxy-host-auth-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-custom-endpoint + app.kubernetes.io/instance: plus-mgmt-proxy-host-auth app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/plus-mgmt-proxy-host - 1] +[TestHelmNICTemplate/plusAgentV3 - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: plus-mgmt-proxy-host-nginx-ingress + name: plus-agent-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host + app.kubernetes.io/instance: plus-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -9029,44 +9031,83 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: plus-mgmt-proxy-host-nginx-ingress + name: plus-agent-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host + app.kubernetes.io/instance: plus-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: {} /-/-/-/ # Source: nginx-ingress/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: plus-agent-nginx-ingress-agent-config + namespace: default + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: plus-agent + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +data: + nginx-agent.conf: |- + + log: + # set log level (error, info, debug; default "info") + level: info + # set log path. if empty, don't log to file. + path: "" + + allowed_directories: + - /etc/nginx + - /usr/lib/nginx/modules + + features: + - certificates + - connection + - metrics + - file-watcher + + ## command server settings + command: + server: + host: agent.connect.nginx.com + port: 443 + auth: + tokenpath: "/etc/nginx-agent/secrets/dataplane.key" + tls: + skip_verify: false /-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: plus-mgmt-proxy-host-nginx-ingress-mgmt + name: plus-agent-nginx-ingress-mgmt namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host + app.kubernetes.io/instance: plus-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: license-token-secret-name: license-token - usage-report-proxy-host: "44.55.66.77:88" /-/-/-/ # Source: nginx-ingress/templates/controller-leader-election-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: 
plus-mgmt-proxy-host-nginx-ingress-leader-election + name: plus-agent-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host + app.kubernetes.io/instance: plus-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -9074,11 +9115,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-mgmt-proxy-host-nginx-ingress + name: plus-agent-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host + app.kubernetes.io/instance: plus-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm rules: @@ -9189,31 +9230,31 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-mgmt-proxy-host-nginx-ingress + name: plus-agent-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host + app.kubernetes.io/instance: plus-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: plus-mgmt-proxy-host-nginx-ingress + name: plus-agent-nginx-ingress namespace: default roleRef: kind: ClusterRole - name: plus-mgmt-proxy-host-nginx-ingress + name: plus-agent-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-mgmt-proxy-host-nginx-ingress + name: plus-agent-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host + app.kubernetes.io/instance: plus-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default 
@@ -9254,7 +9295,7 @@ rules: resources: - leases resourceNames: - - plus-mgmt-proxy-host-nginx-ingress-leader-election + - plus-agent-nginx-ingress-leader-election verbs: - get - update @@ -9269,33 +9310,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-mgmt-proxy-host-nginx-ingress + name: plus-agent-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host + app.kubernetes.io/instance: plus-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: plus-mgmt-proxy-host-nginx-ingress + name: plus-agent-nginx-ingress subjects: - kind: ServiceAccount - name: plus-mgmt-proxy-host-nginx-ingress + name: plus-agent-nginx-ingress namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: plus-mgmt-proxy-host-nginx-ingress-controller + name: plus-agent-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host + app.kubernetes.io/instance: plus-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -9314,18 +9355,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host + app.kubernetes.io/instance: plus-agent /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: plus-mgmt-proxy-host-nginx-ingress-controller + name: plus-agent-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host + app.kubernetes.io/instance: plus-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: @@ -9333,19 +9374,27 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host + app.kubernetes.io/instance: plus-agent template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host + app.kubernetes.io/instance: plus-agent + agent-configuration-revision-hash: "e150cd8a" annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: - volumes: [] - serviceAccountName: plus-mgmt-proxy-host-nginx-ingress + volumes: + + - name: agent-conf + configMap: + name: plus-agent-nginx-ingress-agent-config + - name: dataplane-key + secret: + secretName: dataplane-key + serviceAccountName: plus-agent-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -9388,7 +9437,13 @@ spec: - ALL add: - NET_BIND_SERVICE - volumeMounts: [] + volumeMounts: + + - name: agent-conf + mountPath: /etc/nginx-agent/nginx-agent.conf + subPath: nginx-agent.conf + - name: dataplane-key + mountPath: /etc/nginx-agent/secrets env: - name: POD_NAMESPACE valueFrom: 
@@ -9404,8 +9459,8 @@ spec: - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/plus-mgmt-proxy-host-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/plus-mgmt-proxy-host-nginx-ingress-mgmt + - -nginx-configmaps=$(POD_NAMESPACE)/plus-agent-nginx-ingress + - -mgmt-configmap=$(POD_NAMESPACE)/plus-agent-nginx-ingress-mgmt - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -9416,9 +9471,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=plus-mgmt-proxy-host-nginx-ingress-controller + - -external-service=plus-agent-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=plus-mgmt-proxy-host-nginx-ingress-leader-election + - -leader-election-lock-name=plus-agent-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= @@ -9440,6 +9495,7 @@ spec: - -ssl-dynamic-reload=true - -enable-telemetry-reporting=true - -weight-changes-dynamic-reload=false + - -agent=true /-/-/-/ # Source: nginx-ingress/templates/controller-ingress-class.yaml apiVersion: networking.k8s.io/v1 @@ -9449,7 +9505,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host + app.kubernetes.io/instance: plus-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -9459,28 +9515,28 @@ spec: apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: plus-mgmt-proxy-host-nginx-ingress-leader-election + name: plus-agent-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host + app.kubernetes.io/instance: plus-agent app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/plus-mgmt-proxy-host-auth - 1] +[TestHelmNICTemplate/plusAgentV3All - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress - namespace: default + name: plus-agent-all-nginx-ingress + namespace: custom labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth + app.kubernetes.io/instance: plus-agent-all app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -9488,44 +9544,83 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress - namespace: default + name: plus-agent-all-nginx-ingress + namespace: custom labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth + app.kubernetes.io/instance: plus-agent-all app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: {} /-/-/-/ # Source: nginx-ingress/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: plus-agent-all-nginx-ingress-agent-config + namespace: custom + labels: + helm.sh/chart: nginx-ingress-2.4.0 + app.kubernetes.io/name: nginx-ingress + app.kubernetes.io/instance: plus-agent-all + app.kubernetes.io/version: "5.3.0" + app.kubernetes.io/managed-by: Helm +data: + nginx-agent.conf: |- + + log: + # set log level (error, info, debug; default "info") + level: debug + # set log path. if empty, don't log to file. 
+ path: "" + + allowed_directories: + - /etc/nginx + - /usr/lib/nginx/modules + + features: + - certificates + - connection + - metrics + - file-watcher + + ## command server settings + command: + server: + host: my-host.example.com + port: 8443 + auth: + tokenpath: "/etc/nginx-agent/secrets/dataplane.key" + tls: + skip_verify: true /-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress-mgmt - namespace: default + name: plus-agent-all-nginx-ingress-mgmt + namespace: custom labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth + app.kubernetes.io/instance: plus-agent-all app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: license-token-secret-name: license-token - usage-report-proxy-host: "44.55.66.77:88" /-/-/-/ # Source: nginx-ingress/templates/controller-leader-election-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress-leader-election - namespace: default + name: plus-agent-all-nginx-ingress-leader-election + namespace: custom labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth + app.kubernetes.io/instance: plus-agent-all app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -9533,11 +9628,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress + name: plus-agent-all-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth + app.kubernetes.io/instance: plus-agent-all app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm rules: 
@@ -9648,34 +9743,34 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress + name: plus-agent-all-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth + app.kubernetes.io/instance: plus-agent-all app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: plus-mgmt-proxy-host-auth-nginx-ingress - namespace: default + name: plus-agent-all-nginx-ingress + namespace: custom roleRef: kind: ClusterRole - name: plus-mgmt-proxy-host-auth-nginx-ingress + name: plus-agent-all-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress + name: plus-agent-all-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth + app.kubernetes.io/instance: plus-agent-all app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm - namespace: default + namespace: custom rules: - apiGroups: - "" @@ -9713,7 +9808,7 @@ rules: resources: - leases resourceNames: - - plus-mgmt-proxy-host-auth-nginx-ingress-leader-election + - plus-agent-all-nginx-ingress-leader-election verbs: - get - update 
@@ -9728,33 +9823,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress + name: plus-agent-all-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth + app.kubernetes.io/instance: plus-agent-all app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm - namespace: default + namespace: custom roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: plus-mgmt-proxy-host-auth-nginx-ingress + name: plus-agent-all-nginx-ingress subjects: - kind: ServiceAccount - name: plus-mgmt-proxy-host-auth-nginx-ingress - namespace: default + name: plus-agent-all-nginx-ingress + namespace: custom /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress-controller - namespace: default + name: plus-agent-all-nginx-ingress-controller + namespace: custom labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth + app.kubernetes.io/instance: plus-agent-all app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: @@ -9773,18 +9868,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth + app.kubernetes.io/instance: plus-agent-all /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress-controller - namespace: default + name: plus-agent-all-nginx-ingress-controller + namespace: custom labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth + app.kubernetes.io/instance: plus-agent-all app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -9792,19 +9887,27 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth + app.kubernetes.io/instance: plus-agent-all template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth + app.kubernetes.io/instance: plus-agent-all + agent-configuration-revision-hash: "8c900020" annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: - volumes: [] - serviceAccountName: plus-mgmt-proxy-host-auth-nginx-ingress + volumes: + + - name: agent-conf + configMap: + name: plus-agent-all-nginx-ingress-agent-config + - name: dataplane-key + secret: + secretName: dataplane-key + serviceAccountName: plus-agent-all-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -9847,7 +9950,13 @@ spec: - ALL add: - NET_BIND_SERVICE - volumeMounts: [] + volumeMounts: + + - name: agent-conf + mountPath: /etc/nginx-agent/nginx-agent.conf + subPath: nginx-agent.conf + - name: dataplane-key + mountPath: /etc/nginx-agent/secrets env: - name: POD_NAMESPACE valueFrom: @@ -9857,24 +9966,14 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name - - name: PROXY_USER - valueFrom: - secretKeyRef: - name: custom-credentials - key: username - - name: PROXY_PASS - valueFrom: - secretKeyRef: - name: custom-credentials - key: password args: - -nginx-plus=true - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/plus-mgmt-proxy-host-auth-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/plus-mgmt-proxy-host-auth-nginx-ingress-mgmt + - -nginx-configmaps=$(POD_NAMESPACE)/plus-agent-all-nginx-ingress + - -mgmt-configmap=$(POD_NAMESPACE)/plus-agent-all-nginx-ingress-mgmt - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health 
@@ -9885,9 +9984,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=plus-mgmt-proxy-host-auth-nginx-ingress-controller + - -external-service=plus-agent-all-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=plus-mgmt-proxy-host-auth-nginx-ingress-leader-election + - -leader-election-lock-name=plus-agent-all-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= @@ -9909,6 +10008,7 @@ spec: - -ssl-dynamic-reload=true - -enable-telemetry-reporting=true - -weight-changes-dynamic-reload=false + - -agent=true /-/-/-/ # Source: nginx-ingress/templates/controller-ingress-class.yaml apiVersion: networking.k8s.io/v1 @@ -9918,7 +10018,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth + app.kubernetes.io/instance: plus-agent-all app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -9928,28 +10028,28 @@ spec: apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: plus-mgmt-proxy-host-auth-nginx-ingress-leader-election - namespace: default + name: plus-agent-all-nginx-ingress-leader-election + namespace: custom labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-mgmt-proxy-host-auth + app.kubernetes.io/instance: plus-agent-all app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/plusAgentV3 - 1] +[TestHelmNICTemplate/startupStatusValid - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: plus-agent-nginx-ingress + name: startupstatus-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent + app.kubernetes.io/instance: startupstatus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -9957,83 +10057,27 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: plus-agent-nginx-ingress + name: startupstatus-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent + app.kubernetes.io/instance: startupstatus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: {} /-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml +# Source: nginx-ingress/templates/controller-leader-election-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: plus-agent-nginx-ingress-agent-config + name: startupstatus-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent - app.kubernetes.io/version: "5.3.0" - app.kubernetes.io/managed-by: Helm -data: - nginx-agent.conf: |- - - log: - # set log level (error, info, debug; default "info") - level: info - # set log path. if empty, don't log to file. 
- path: "" - - allowed_directories: - - /etc/nginx - - /usr/lib/nginx/modules - - features: - - certificates - - connection - - metrics - - file-watcher - - ## command server settings - command: - server: - host: agent.connect.nginx.com - port: 443 - auth: - tokenpath: "/etc/nginx-agent/secrets/dataplane.key" - tls: - skip_verify: false -/-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: plus-agent-nginx-ingress-mgmt - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.4.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent - app.kubernetes.io/version: "5.3.0" - app.kubernetes.io/managed-by: Helm -data: - license-token-secret-name: license-token -/-/-/-/ -# Source: nginx-ingress/templates/controller-leader-election-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: plus-agent-nginx-ingress-leader-election - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.4.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent + app.kubernetes.io/instance: startupstatus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -10041,11 +10085,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-agent-nginx-ingress + name: startupstatus-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent + app.kubernetes.io/instance: startupstatus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm rules: 
@@ -10156,31 +10200,31 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-agent-nginx-ingress + name: startupstatus-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent + app.kubernetes.io/instance: startupstatus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: plus-agent-nginx-ingress + name: startupstatus-nginx-ingress namespace: default roleRef: kind: ClusterRole - name: plus-agent-nginx-ingress + name: startupstatus-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-agent-nginx-ingress + name: startupstatus-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent + app.kubernetes.io/instance: startupstatus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default @@ -10221,7 +10265,7 @@ rules: resources: - leases resourceNames: - - plus-agent-nginx-ingress-leader-election + - startupstatus-nginx-ingress-leader-election verbs: - get - update 
@@ -10236,33 +10280,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-agent-nginx-ingress + name: startupstatus-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent + app.kubernetes.io/instance: startupstatus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: plus-agent-nginx-ingress + name: startupstatus-nginx-ingress subjects: - kind: ServiceAccount - name: plus-agent-nginx-ingress + name: startupstatus-nginx-ingress namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: plus-agent-nginx-ingress-controller + name: startupstatus-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent + app.kubernetes.io/instance: startupstatus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: @@ -10281,18 +10325,18 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent + app.kubernetes.io/instance: startupstatus /-/-/-/ # Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: - name: plus-agent-nginx-ingress-controller + name: startupstatus-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent + app.kubernetes.io/instance: startupstatus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -10300,27 +10344,19 @@ spec: selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent + app.kubernetes.io/instance: startupstatus template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent - agent-configuration-revision-hash: "e150cd8a" + app.kubernetes.io/instance: startupstatus annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: - volumes: - - - name: agent-conf - configMap: - name: plus-agent-nginx-ingress-agent-config - - name: dataplane-key - secret: - secretName: dataplane-key - serviceAccountName: plus-agent-nginx-ingress + volumes: [] + serviceAccountName: startupstatus-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -10343,12 +10379,23 @@ spec: containerPort: 9113 - name: readiness-port containerPort: 8081 + - name: startup-port + containerPort: 9999 readinessProbe: httpGet: path: /nginx-ready port: readiness-port periodSeconds: 1 initialDelaySeconds: 0 + startupProbe: + httpGet: + path: / + port: startup-port + initialDelaySeconds: 7 + periodSeconds: 2 + timeoutSeconds: 3 + successThreshold: 1 + failureThreshold: 5 resources: requests: cpu: 100m @@ -10363,13 +10410,7 @@ spec: - ALL add: - NET_BIND_SERVICE - volumeMounts: - - - name: agent-conf - mountPath: /etc/nginx-agent/nginx-agent.conf - subPath: nginx-agent.conf - - name: dataplane-key - mountPath: /etc/nginx-agent/secrets + volumeMounts: [] env: - name: POD_NAMESPACE valueFrom: 
@@ -10381,12 +10422,11 @@ spec: fieldPath: metadata.name args: - - -nginx-plus=true + - -nginx-plus=false - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/plus-agent-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/plus-agent-nginx-ingress-mgmt + - -nginx-configmaps=$(POD_NAMESPACE)/startupstatus-nginx-ingress - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -10397,9 +10437,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=plus-agent-nginx-ingress-controller + - -external-service=startupstatus-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=plus-agent-nginx-ingress-leader-election + - -leader-election-lock-name=startupstatus-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= @@ -10421,7 +10461,6 @@ spec: - -ssl-dynamic-reload=true - -enable-telemetry-reporting=true - -weight-changes-dynamic-reload=false - - -agent=true /-/-/-/ # Source: nginx-ingress/templates/controller-ingress-class.yaml apiVersion: networking.k8s.io/v1 
@@ -10431,38 +10470,41 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent + app.kubernetes.io/instance: startupstatus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: controller: nginx.org/ingress-controller /-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +/-/-/-/ +/-/-/-/ # Source: nginx-ingress/templates/controller-lease.yaml apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: plus-agent-nginx-ingress-leader-election + name: startupstatus-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent + app.kubernetes.io/instance: startupstatus app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/plusAgentV3All - 1] +[TestHelmNICTemplate/statefulset - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: plus-agent-all-nginx-ingress - namespace: custom + name: statefulset-nginx-ingress + namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent-all + app.kubernetes.io/instance: statefulset app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -10470,83 +10512,27 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: plus-agent-all-nginx-ingress - namespace: custom + name: statefulset-nginx-ingress + namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent-all + app.kubernetes.io/instance: statefulset app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: {} /-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: plus-agent-all-nginx-ingress-agent-config - namespace: custom - labels: - helm.sh/chart: nginx-ingress-2.4.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent-all - app.kubernetes.io/version: "5.3.0" - app.kubernetes.io/managed-by: Helm -data: - nginx-agent.conf: |- - - log: - # set log level (error, info, debug; default "info") - level: debug - # set log path. if empty, don't log to file. - path: "" - - allowed_directories: - - /etc/nginx - - /usr/lib/nginx/modules - - features: - - certificates - - connection - - metrics - - file-watcher - - ## command server settings - command: - server: - host: my-host.example.com - port: 8443 - auth: - tokenpath: "/etc/nginx-agent/secrets/dataplane.key" - tls: - skip_verify: true -/-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: plus-agent-all-nginx-ingress-mgmt - namespace: custom - labels: - helm.sh/chart: nginx-ingress-2.4.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent-all - app.kubernetes.io/version: "5.3.0" - app.kubernetes.io/managed-by: Helm -data: - license-token-secret-name: license-token -/-/-/-/ # Source: nginx-ingress/templates/controller-leader-election-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: - name: plus-agent-all-nginx-ingress-leader-election - namespace: custom + name: statefulset-nginx-ingress-leader-election + 
namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent-all + app.kubernetes.io/instance: statefulset app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -10554,11 +10540,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-agent-all-nginx-ingress + name: statefulset-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent-all + app.kubernetes.io/instance: statefulset app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm rules: @@ -10669,34 +10655,34 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-agent-all-nginx-ingress + name: statefulset-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent-all + app.kubernetes.io/instance: statefulset app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: plus-agent-all-nginx-ingress - namespace: custom + name: statefulset-nginx-ingress + namespace: default roleRef: kind: ClusterRole - name: plus-agent-all-nginx-ingress + name: statefulset-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-agent-all-nginx-ingress + name: statefulset-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent-all + app.kubernetes.io/instance: statefulset app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm - namespace: custom + namespace: default rules: - apiGroups: - "" 
@@ -10734,7 +10720,7 @@ rules: resources: - leases resourceNames: - - plus-agent-all-nginx-ingress-leader-election + - statefulset-nginx-ingress-leader-election verbs: - get - update @@ -10749,33 +10735,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: plus-agent-all-nginx-ingress + name: statefulset-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent-all + app.kubernetes.io/instance: statefulset app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm - namespace: custom + namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: plus-agent-all-nginx-ingress + name: statefulset-nginx-ingress subjects: - kind: ServiceAccount - name: plus-agent-all-nginx-ingress - namespace: custom + name: statefulset-nginx-ingress + namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: plus-agent-all-nginx-ingress-controller - namespace: custom + name: statefulset-nginx-ingress-controller + namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent-all + app.kubernetes.io/instance: statefulset app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -10794,46 +10780,39 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent-all + app.kubernetes.io/instance: statefulset /-/-/-/ -# Source: nginx-ingress/templates/controller-deployment.yaml +# Source: nginx-ingress/templates/controller-statefulset.yaml apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: - name: plus-agent-all-nginx-ingress-controller - namespace: custom + name: statefulset-nginx-ingress-controller + namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent-all + app.kubernetes.io/instance: statefulset app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: replicas: 1 + serviceName: statefulset-nginx-ingress-controller selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent-all + app.kubernetes.io/instance: statefulset template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent-all - agent-configuration-revision-hash: "8c900020" + app.kubernetes.io/instance: statefulset annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: - volumes: - - - name: agent-conf - configMap: - name: plus-agent-all-nginx-ingress-agent-config - - name: dataplane-key - secret: - secretName: dataplane-key - serviceAccountName: plus-agent-all-nginx-ingress + volumes: [] + serviceAccountName: statefulset-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -10878,11 +10857,8 @@ spec: - NET_BIND_SERVICE volumeMounts: - - name: agent-conf - mountPath: /etc/nginx-agent/nginx-agent.conf - subPath: nginx-agent.conf - - name: dataplane-key - mountPath: /etc/nginx-agent/secrets + - mountPath: /var/cache/nginx + name: nginx-cache env: - name: POD_NAMESPACE valueFrom: 
@@ -10894,12 +10870,11 @@ spec: fieldPath: metadata.name args: - - -nginx-plus=true + - -nginx-plus=false - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/plus-agent-all-nginx-ingress - - -mgmt-configmap=$(POD_NAMESPACE)/plus-agent-all-nginx-ingress-mgmt + - -nginx-configmaps=$(POD_NAMESPACE)/statefulset-nginx-ingress - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -10910,9 +10885,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=plus-agent-all-nginx-ingress-controller + - -external-service=statefulset-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=plus-agent-all-nginx-ingress-leader-election + - -leader-election-lock-name=statefulset-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= @@ -10934,7 +10909,20 @@ spec: - -ssl-dynamic-reload=true - -enable-telemetry-reporting=true - -weight-changes-dynamic-reload=false - - -agent=true + + podManagementPolicy: OrderedReady + persistentVolumeClaimRetentionPolicy: + whenDeleted: Retain + whenScaled: Retain + volumeClaimTemplates: + - metadata: + name: nginx-cache + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "256Mi" /-/-/-/ # Source: nginx-ingress/templates/controller-ingress-class.yaml apiVersion: networking.k8s.io/v1 
@@ -10944,38 +10932,41 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent-all + app.kubernetes.io/instance: statefulset app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: controller: nginx.org/ingress-controller /-/-/-/ +# Source: nginx-ingress/templates/controller-configmap.yaml +/-/-/-/ +/-/-/-/ # Source: nginx-ingress/templates/controller-lease.yaml apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: plus-agent-all-nginx-ingress-leader-election - namespace: custom + name: statefulset-nginx-ingress-leader-election + namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: plus-agent-all + app.kubernetes.io/instance: statefulset app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/startupStatusValid - 1] +[TestHelmNICTemplate/statefulset-config - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: startupstatus-nginx-ingress + name: statefulset-config-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: startupstatus + app.kubernetes.io/instance: statefulset-config app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -10983,12 +10974,12 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: startupstatus-nginx-ingress + name: statefulset-config-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: startupstatus + app.kubernetes.io/instance: statefulset-config app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: 
@@ -10998,12 +10989,12 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: startupstatus-nginx-ingress-leader-election + name: statefulset-config-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: startupstatus + app.kubernetes.io/instance: statefulset-config app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -11011,11 +11002,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: startupstatus-nginx-ingress + name: statefulset-config-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: startupstatus + app.kubernetes.io/instance: statefulset-config app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm rules: 
@@ -11126,31 +11117,31 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: startupstatus-nginx-ingress + name: statefulset-config-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: startupstatus + app.kubernetes.io/instance: statefulset-config app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: startupstatus-nginx-ingress + name: statefulset-config-nginx-ingress namespace: default roleRef: kind: ClusterRole - name: startupstatus-nginx-ingress + name: statefulset-config-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: startupstatus-nginx-ingress + name: statefulset-config-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: startupstatus + app.kubernetes.io/instance: statefulset-config app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default @@ -11191,7 +11182,7 @@ rules: resources: - leases resourceNames: - - startupstatus-nginx-ingress-leader-election + - statefulset-config-nginx-ingress-leader-election verbs: - get - update 
@@ -11206,33 +11197,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: startupstatus-nginx-ingress + name: statefulset-config-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: startupstatus + app.kubernetes.io/instance: statefulset-config app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: startupstatus-nginx-ingress + name: statefulset-config-nginx-ingress subjects: - kind: ServiceAccount - name: startupstatus-nginx-ingress + name: statefulset-config-nginx-ingress namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: startupstatus-nginx-ingress-controller + name: statefulset-config-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: startupstatus + app.kubernetes.io/instance: statefulset-config app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -11251,38 +11242,39 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: startupstatus + app.kubernetes.io/instance: statefulset-config /-/-/-/ -# Source: nginx-ingress/templates/controller-deployment.yaml +# Source: nginx-ingress/templates/controller-statefulset.yaml apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: - name: startupstatus-nginx-ingress-controller + name: statefulset-config-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: startupstatus + app.kubernetes.io/instance: statefulset-config app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: replicas: 1 + serviceName: statefulset-config-nginx-ingress-controller selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: startupstatus + app.kubernetes.io/instance: statefulset-config template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: startupstatus + app.kubernetes.io/instance: statefulset-config annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: volumes: [] - serviceAccountName: startupstatus-nginx-ingress + serviceAccountName: statefulset-config-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -11305,23 +11297,12 @@ spec: containerPort: 9113 - name: readiness-port containerPort: 8081 - - name: startup-port - containerPort: 9999 readinessProbe: httpGet: path: /nginx-ready port: readiness-port periodSeconds: 1 initialDelaySeconds: 0 - startupProbe: - httpGet: - path: / - port: startup-port - initialDelaySeconds: 7 - periodSeconds: 2 - timeoutSeconds: 3 - successThreshold: 1 - failureThreshold: 5 resources: requests: cpu: 100m 
@@ -11336,7 +11317,10 @@ spec: - ALL add: - NET_BIND_SERVICE - volumeMounts: [] + volumeMounts: + + - mountPath: /var/cache/nginx + name: nginx-cache env: - name: POD_NAMESPACE valueFrom: @@ -11352,7 +11336,7 @@ spec: - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/startupstatus-nginx-ingress + - -nginx-configmaps=$(POD_NAMESPACE)/statefulset-config-nginx-ingress - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -11363,9 +11347,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=startupstatus-nginx-ingress-controller + - -external-service=statefulset-config-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=startupstatus-nginx-ingress-leader-election + - -leader-election-lock-name=statefulset-config-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= @@ -11387,6 +11371,21 @@ spec: - -ssl-dynamic-reload=true - -enable-telemetry-reporting=true - -weight-changes-dynamic-reload=false + + podManagementPolicy: Parallel + persistentVolumeClaimRetentionPolicy: + whenDeleted: Delete + whenScaled: Delete + volumeClaimTemplates: + - metadata: + name: nginx-cache + spec: + accessModes: + - ReadWriteMany + storageClassName: "premium-rwx" + resources: + requests: + storage: "2Gi" /-/-/-/ # Source: nginx-ingress/templates/controller-ingress-class.yaml apiVersion: networking.k8s.io/v1 @@ -11396,7 +11395,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: startupstatus + app.kubernetes.io/instance: statefulset-config app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -11409,28 +11408,28 @@ spec: apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: startupstatus-nginx-ingress-leader-election + name: statefulset-config-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: startupstatus + app.kubernetes.io/instance: statefulset-config app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/statefulset - 1] +[TestHelmNICTemplate/statefulset-no-storageclass - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: statefulset-nginx-ingress + name: statefulset-no-storageclass-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset + app.kubernetes.io/instance: statefulset-no-storageclass app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -11438,12 +11437,12 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: statefulset-nginx-ingress + name: statefulset-no-storageclass-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset + app.kubernetes.io/instance: statefulset-no-storageclass app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: @@ -11453,12 +11452,12 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: statefulset-nginx-ingress-leader-election + name: statefulset-no-storageclass-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset + app.kubernetes.io/instance: statefulset-no-storageclass app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -11466,11 +11465,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: statefulset-nginx-ingress + name: statefulset-no-storageclass-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset + app.kubernetes.io/instance: statefulset-no-storageclass app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm rules: @@ -11581,31 +11580,31 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: statefulset-nginx-ingress + name: statefulset-no-storageclass-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset + app.kubernetes.io/instance: statefulset-no-storageclass app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: statefulset-nginx-ingress + name: statefulset-no-storageclass-nginx-ingress namespace: default roleRef: kind: ClusterRole - name: statefulset-nginx-ingress + name: statefulset-no-storageclass-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: statefulset-nginx-ingress + name: statefulset-no-storageclass-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset + app.kubernetes.io/instance: statefulset-no-storageclass app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default @@ -11646,7 +11645,7 @@ rules: resources: - leases resourceNames: - - statefulset-nginx-ingress-leader-election + - statefulset-no-storageclass-nginx-ingress-leader-election verbs: - get - update 
@@ -11661,33 +11660,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: statefulset-nginx-ingress + name: statefulset-no-storageclass-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset + app.kubernetes.io/instance: statefulset-no-storageclass app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: statefulset-nginx-ingress + name: statefulset-no-storageclass-nginx-ingress subjects: - kind: ServiceAccount - name: statefulset-nginx-ingress + name: statefulset-no-storageclass-nginx-ingress namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: statefulset-nginx-ingress-controller + name: statefulset-no-storageclass-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset + app.kubernetes.io/instance: statefulset-no-storageclass app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -11706,39 +11705,39 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset + app.kubernetes.io/instance: statefulset-no-storageclass /-/-/-/ # Source: nginx-ingress/templates/controller-statefulset.yaml apiVersion: apps/v1 kind: StatefulSet metadata: - name: statefulset-nginx-ingress-controller + name: statefulset-no-storageclass-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset + app.kubernetes.io/instance: statefulset-no-storageclass app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: replicas: 1 - serviceName: statefulset-nginx-ingress-controller + serviceName: statefulset-no-storageclass-nginx-ingress-controller selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset + app.kubernetes.io/instance: statefulset-no-storageclass template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset + app.kubernetes.io/instance: statefulset-no-storageclass annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: volumes: [] - serviceAccountName: statefulset-nginx-ingress + serviceAccountName: statefulset-no-storageclass-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -11800,7 +11799,7 @@ spec: - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/statefulset-nginx-ingress + - -nginx-configmaps=$(POD_NAMESPACE)/statefulset-no-storageclass-nginx-ingress - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health 
@@ -11811,9 +11810,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=statefulset-nginx-ingress-controller + - -external-service=statefulset-no-storageclass-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=statefulset-nginx-ingress-leader-election + - -leader-election-lock-name=statefulset-no-storageclass-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= @@ -11836,19 +11835,19 @@ spec: - -enable-telemetry-reporting=true - -weight-changes-dynamic-reload=false - podManagementPolicy: OrderedReady + podManagementPolicy: Parallel persistentVolumeClaimRetentionPolicy: - whenDeleted: Retain - whenScaled: Retain + whenDeleted: Delete + whenScaled: Delete volumeClaimTemplates: - metadata: name: nginx-cache spec: accessModes: - - ReadWriteOnce + - ReadWriteMany resources: requests: - storage: "256Mi" + storage: "2Gi" /-/-/-/ # Source: nginx-ingress/templates/controller-ingress-class.yaml apiVersion: networking.k8s.io/v1 @@ -11858,7 +11857,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset + app.kubernetes.io/instance: statefulset-no-storageclass app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -11871,28 +11870,28 @@ spec: apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: statefulset-nginx-ingress-leader-election + name: statefulset-no-storageclass-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset + app.kubernetes.io/instance: statefulset-no-storageclass app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/statefulset-config - 1] +[TestHelmNICTemplate/statefulset-readonly - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: statefulset-config-nginx-ingress + name: statefulset-readonly-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-config + app.kubernetes.io/instance: statefulset-readonly app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -11900,12 +11899,12 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: statefulset-config-nginx-ingress + name: statefulset-readonly-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-config + app.kubernetes.io/instance: statefulset-readonly app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: @@ -11915,12 +11914,12 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: statefulset-config-nginx-ingress-leader-election + name: statefulset-readonly-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-config + app.kubernetes.io/instance: statefulset-readonly app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ 
@@ -11928,11 +11927,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: statefulset-config-nginx-ingress + name: statefulset-readonly-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-config + app.kubernetes.io/instance: statefulset-readonly app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm rules: @@ -12043,31 +12042,31 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: statefulset-config-nginx-ingress + name: statefulset-readonly-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-config + app.kubernetes.io/instance: statefulset-readonly app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: statefulset-config-nginx-ingress + name: statefulset-readonly-nginx-ingress namespace: default roleRef: kind: ClusterRole - name: statefulset-config-nginx-ingress + name: statefulset-readonly-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: statefulset-config-nginx-ingress + name: statefulset-readonly-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-config + app.kubernetes.io/instance: statefulset-readonly app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default @@ -12108,7 +12107,7 @@ rules: resources: - leases resourceNames: - - statefulset-config-nginx-ingress-leader-election + - statefulset-readonly-nginx-ingress-leader-election verbs: - get - update 
@@ -12123,33 +12122,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: statefulset-config-nginx-ingress + name: statefulset-readonly-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-config + app.kubernetes.io/instance: statefulset-readonly app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: statefulset-config-nginx-ingress + name: statefulset-readonly-nginx-ingress subjects: - kind: ServiceAccount - name: statefulset-config-nginx-ingress + name: statefulset-readonly-nginx-ingress namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: statefulset-config-nginx-ingress-controller + name: statefulset-readonly-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-config + app.kubernetes.io/instance: statefulset-readonly app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -12168,39 +12167,48 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-config + app.kubernetes.io/instance: statefulset-readonly /-/-/-/ # Source: nginx-ingress/templates/controller-statefulset.yaml apiVersion: apps/v1 kind: StatefulSet metadata: - name: statefulset-config-nginx-ingress-controller + name: statefulset-readonly-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-config + app.kubernetes.io/instance: statefulset-readonly app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: replicas: 1 - serviceName: statefulset-config-nginx-ingress-controller + serviceName: statefulset-readonly-nginx-ingress-controller selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-config + app.kubernetes.io/instance: statefulset-readonly template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-config + app.kubernetes.io/instance: statefulset-readonly annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: - volumes: [] - serviceAccountName: statefulset-config-nginx-ingress + volumes: + + - name: nginx-etc + emptyDir: {} + - name: nginx-lib + emptyDir: {} + - name: nginx-state + emptyDir: {} + - name: nginx-log + emptyDir: {} + serviceAccountName: statefulset-readonly-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: 
@@ -12234,19 +12242,27 @@ spec: cpu: 100m memory: 128Mi securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: false - runAsUser: 101 #nginx - runAsNonRoot: true + allowPrivilegeEscalation: true capabilities: + add: + - NET_BIND_SERVICE drop: - ALL - add: - - NET_BIND_SERVICE + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 101 volumeMounts: + - mountPath: /etc/nginx + name: nginx-etc - mountPath: /var/cache/nginx name: nginx-cache + - mountPath: /var/lib/nginx + name: nginx-lib + - mountPath: /var/lib/nginx/state + name: nginx-state + - mountPath: /var/log/nginx + name: nginx-log env: - name: POD_NAMESPACE valueFrom: @@ -12262,7 +12278,7 @@ spec: - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/statefulset-config-nginx-ingress + - -nginx-configmaps=$(POD_NAMESPACE)/statefulset-readonly-nginx-ingress - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -12273,9 +12289,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=statefulset-config-nginx-ingress-controller + - -external-service=statefulset-readonly-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=statefulset-config-nginx-ingress-leader-election + - -leader-election-lock-name=statefulset-readonly-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= 
@@ -12298,20 +12314,39 @@ spec: - -enable-telemetry-reporting=true - -weight-changes-dynamic-reload=false - podManagementPolicy: Parallel + initContainers: + - name: init-nginx-ingress + image: nginx/nginx-ingress:5.3.0 + imagePullPolicy: "IfNotPresent" + command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] + resources: + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 101 #nginx + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - mountPath: /mnt/etc + name: nginx-etc + podManagementPolicy: OrderedReady persistentVolumeClaimRetentionPolicy: - whenDeleted: Delete - whenScaled: Delete + whenDeleted: Retain + whenScaled: Retain volumeClaimTemplates: - metadata: name: nginx-cache spec: accessModes: - - ReadWriteMany - storageClassName: "premium-rwx" + - ReadWriteOnce resources: requests: - storage: "2Gi" + storage: "256Mi" /-/-/-/ # Source: nginx-ingress/templates/controller-ingress-class.yaml apiVersion: networking.k8s.io/v1 @@ -12321,7 +12356,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-config + app.kubernetes.io/instance: statefulset-readonly app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -12334,28 +12369,28 @@ spec: apiVersion: coordination.k8s.io/v1 kind: Lease metadata: - name: statefulset-config-nginx-ingress-leader-election + name: statefulset-readonly-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-config + app.kubernetes.io/instance: statefulset-readonly app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm --- -[TestHelmNICTemplate/statefulset-no-storageclass - 1] +[TestHelmNICTemplate/globalConfigCustomName - 1] /-/-/-/ # Source: nginx-ingress/templates/controller-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: - name: statefulset-no-storageclass-nginx-ingress + name: global-config-custom-name-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-no-storageclass + app.kubernetes.io/instance: global-config-custom-name app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -12363,12 +12398,12 @@ metadata: apiVersion: v1 kind: ConfigMap metadata: - name: statefulset-no-storageclass-nginx-ingress + name: global-config-custom-name-nginx-ingress namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-no-storageclass + app.kubernetes.io/instance: global-config-custom-name app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm data: 
@@ -12378,12 +12413,12 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: statefulset-no-storageclass-nginx-ingress-leader-election + name: global-config-custom-name-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-no-storageclass + app.kubernetes.io/instance: global-config-custom-name app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm /-/-/-/ @@ -12391,11 +12426,11 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: statefulset-no-storageclass-nginx-ingress + name: global-config-custom-name-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-no-storageclass + app.kubernetes.io/instance: global-config-custom-name app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm rules: 
@@ -12506,31 +12541,31 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: statefulset-no-storageclass-nginx-ingress + name: global-config-custom-name-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-no-storageclass + app.kubernetes.io/instance: global-config-custom-name app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm subjects: - kind: ServiceAccount - name: statefulset-no-storageclass-nginx-ingress + name: global-config-custom-name-nginx-ingress namespace: default roleRef: kind: ClusterRole - name: statefulset-no-storageclass-nginx-ingress + name: global-config-custom-name-nginx-ingress apiGroup: rbac.authorization.k8s.io /-/-/-/ # Source: nginx-ingress/templates/controller-role.yaml kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: statefulset-no-storageclass-nginx-ingress + name: global-config-custom-name-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-no-storageclass + app.kubernetes.io/instance: global-config-custom-name app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default @@ -12571,7 +12606,7 @@ rules: resources: - leases resourceNames: - - statefulset-no-storageclass-nginx-ingress-leader-election + - global-config-custom-name-nginx-ingress-leader-election verbs: - get - update 
@@ -12586,33 +12621,33 @@ rules: kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: statefulset-no-storageclass-nginx-ingress + name: global-config-custom-name-nginx-ingress labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-no-storageclass + app.kubernetes.io/instance: global-config-custom-name app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: statefulset-no-storageclass-nginx-ingress + name: global-config-custom-name-nginx-ingress subjects: - kind: ServiceAccount - name: statefulset-no-storageclass-nginx-ingress + name: global-config-custom-name-nginx-ingress namespace: default /-/-/-/ # Source: nginx-ingress/templates/controller-service.yaml apiVersion: v1 kind: Service metadata: - name: statefulset-no-storageclass-nginx-ingress-controller + name: global-config-custom-name-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-no-storageclass + app.kubernetes.io/instance: global-config-custom-name app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -12631,39 +12666,38 @@ spec: nodePort: selector: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-no-storageclass + app.kubernetes.io/instance: global-config-custom-name /-/-/-/ -# Source: nginx-ingress/templates/controller-statefulset.yaml +# Source: nginx-ingress/templates/controller-deployment.yaml apiVersion: apps/v1 -kind: StatefulSet +kind: Deployment metadata: - name: statefulset-no-storageclass-nginx-ingress-controller + name: global-config-custom-name-nginx-ingress-controller namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-no-storageclass + app.kubernetes.io/instance: global-config-custom-name app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: replicas: 1 - serviceName: statefulset-no-storageclass-nginx-ingress-controller selector: matchLabels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-no-storageclass + app.kubernetes.io/instance: global-config-custom-name template: metadata: labels: app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-no-storageclass + app.kubernetes.io/instance: global-config-custom-name annotations: prometheus.io/scrape: "true" prometheus.io/port: "9113" prometheus.io/scheme: "http" spec: volumes: [] - serviceAccountName: statefulset-no-storageclass-nginx-ingress + serviceAccountName: global-config-custom-name-nginx-ingress automountServiceAccountToken: true securityContext: seccompProfile: @@ -12706,10 +12740,7 @@ spec: - ALL add: - NET_BIND_SERVICE - volumeMounts: - - - mountPath: /var/cache/nginx - name: nginx-cache + volumeMounts: [] env: - name: POD_NAMESPACE valueFrom: 
@@ -12725,7 +12756,7 @@ spec: - -nginx-reload-timeout=60000 - -enable-app-protect=false - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/statefulset-no-storageclass-nginx-ingress + - -nginx-configmaps=$(POD_NAMESPACE)/global-config-custom-name-nginx-ingress - -ingress-class=nginx - -health-status=false - -health-status-uri=/nginx-health @@ -12736,9 +12767,9 @@ spec: - -nginx-status-port=8080 - -nginx-status-allow-cidrs=127.0.0.1 - -report-ingress-status - - -external-service=statefulset-no-storageclass-nginx-ingress-controller + - -external-service=global-config-custom-name-nginx-ingress-controller - -enable-leader-election=true - - -leader-election-lock-name=statefulset-no-storageclass-nginx-ingress-leader-election + - -leader-election-lock-name=global-config-custom-name-nginx-ingress-leader-election - -enable-prometheus-metrics=true - -prometheus-metrics-listen-port=9113 - -prometheus-tls-secret= @@ -12754,26 +12785,13 @@ spec: - -enable-external-dns=false - -default-http-listener-port=80 - -default-https-listener-port=443 + - -global-configuration=test-namespace/my-custom-global-config - -ready-status=true - -ready-status-port=8081 - -enable-latency-metrics=false - -ssl-dynamic-reload=true - -enable-telemetry-reporting=true - -weight-changes-dynamic-reload=false - - podManagementPolicy: Parallel - persistentVolumeClaimRetentionPolicy: - whenDeleted: Delete - whenScaled: Delete - volumeClaimTemplates: - - metadata: - name: nginx-cache - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: "2Gi" /-/-/-/ # Source: nginx-ingress/templates/controller-ingress-class.yaml apiVersion: networking.k8s.io/v1 @@ -12783,7 +12801,7 @@ metadata: labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-no-storageclass + app.kubernetes.io/instance: global-config-custom-name app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm spec: 
@@ -12792,515 +12810,34 @@ spec: # Source: nginx-ingress/templates/controller-configmap.yaml /-/-/-/ /-/-/-/ -# Source: nginx-ingress/templates/controller-lease.yaml -apiVersion: coordination.k8s.io/v1 -kind: Lease -metadata: - name: statefulset-no-storageclass-nginx-ingress-leader-election - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.4.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-no-storageclass - app.kubernetes.io/version: "5.3.0" - app.kubernetes.io/managed-by: Helm ---- - -[TestHelmNICTemplate/statefulset-readonly - 1] -/-/-/-/ -# Source: nginx-ingress/templates/controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount +# Source: nginx-ingress/templates/controller-globalconfiguration.yaml +apiVersion: k8s.nginx.org/v1 +kind: GlobalConfiguration metadata: - name: statefulset-readonly-nginx-ingress - namespace: default + name: my-custom-global-config + namespace: test-namespace labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-readonly + app.kubernetes.io/instance: global-config-custom-name app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm +spec: + listeners: + - name: dns-udp + port: 5353 + protocol: UDP /-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -apiVersion: v1 -kind: ConfigMap +# Source: nginx-ingress/templates/controller-lease.yaml +apiVersion: coordination.k8s.io/v1 +kind: Lease metadata: - name: statefulset-readonly-nginx-ingress + name: global-config-custom-name-nginx-ingress-leader-election namespace: default labels: helm.sh/chart: nginx-ingress-2.4.0 app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-readonly - app.kubernetes.io/version: "5.3.0" - app.kubernetes.io/managed-by: Helm -data: - {} -/-/-/-/ -# Source: nginx-ingress/templates/controller-leader-election-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: 
statefulset-readonly-nginx-ingress-leader-election - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.4.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-readonly - app.kubernetes.io/version: "5.3.0" - app.kubernetes.io/managed-by: Helm -/-/-/-/ -# Source: nginx-ingress/templates/clusterrole.yaml -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: statefulset-readonly-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.4.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-readonly - app.kubernetes.io/version: "5.3.0" - app.kubernetes.io/managed-by: Helm -rules: -- apiGroups: - - "" - resources: - - configmaps - - namespaces - - pods - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - list -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - list -- apiGroups: - - "apps" - resources: - - replicasets - - daemonsets - - statefulsets - verbs: - - get -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - k8s.nginx.org - resources: - - virtualservers - - virtualserverroutes - - globalconfigurations - - transportservers - - policies - verbs: - - list - - watch - - get -- apiGroups: - - k8s.nginx.org - resources: - - virtualservers/status - - virtualserverroutes/status - - policies/status - - transportservers/status - verbs: - - 
update -/-/-/-/ -# Source: nginx-ingress/templates/clusterrolebinding.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: statefulset-readonly-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.4.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-readonly - app.kubernetes.io/version: "5.3.0" - app.kubernetes.io/managed-by: Helm -subjects: -- kind: ServiceAccount - name: statefulset-readonly-nginx-ingress - namespace: default -roleRef: - kind: ClusterRole - name: statefulset-readonly-nginx-ingress - apiGroup: rbac.authorization.k8s.io -/-/-/-/ -# Source: nginx-ingress/templates/controller-role.yaml -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: statefulset-readonly-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.4.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-readonly - app.kubernetes.io/version: "5.3.0" - app.kubernetes.io/managed-by: Helm - namespace: default -rules: -- apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - services - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - "" - resources: - - pods - verbs: - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - list -- apiGroups: - - coordination.k8s.io - resources: - - leases - resourceNames: - - statefulset-readonly-nginx-ingress-leader-election - verbs: - - get - - update -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create -/-/-/-/ -# Source: nginx-ingress/templates/controller-rolebinding.yaml -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: statefulset-readonly-nginx-ingress - labels: - helm.sh/chart: nginx-ingress-2.4.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-readonly - app.kubernetes.io/version: "5.3.0" - 
app.kubernetes.io/managed-by: Helm - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: statefulset-readonly-nginx-ingress -subjects: -- kind: ServiceAccount - name: statefulset-readonly-nginx-ingress - namespace: default -/-/-/-/ -# Source: nginx-ingress/templates/controller-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: statefulset-readonly-nginx-ingress-controller - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.4.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-readonly - app.kubernetes.io/version: "5.3.0" - app.kubernetes.io/managed-by: Helm -spec: - externalTrafficPolicy: Local - type: LoadBalancer - ports: - - port: 80 - targetPort: 80 - protocol: TCP - name: http - nodePort: - - port: 443 - targetPort: 443 - protocol: TCP - name: https - nodePort: - selector: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-readonly -/-/-/-/ -# Source: nginx-ingress/templates/controller-statefulset.yaml -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: statefulset-readonly-nginx-ingress-controller - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.4.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-readonly - app.kubernetes.io/version: "5.3.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - serviceName: statefulset-readonly-nginx-ingress-controller - selector: - matchLabels: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-readonly - template: - metadata: - labels: - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-readonly - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "9113" - prometheus.io/scheme: "http" - spec: - volumes: - - - name: nginx-etc - emptyDir: {} - - name: nginx-lib - emptyDir: {} - - name: nginx-state - emptyDir: {} - - name: nginx-log - emptyDir: {} - serviceAccountName: 
statefulset-readonly-nginx-ingress - automountServiceAccountToken: true - securityContext: - seccompProfile: - type: RuntimeDefault - terminationGracePeriodSeconds: 30 - hostNetwork: false - dnsPolicy: ClusterFirst - containers: - - image: nginx/nginx-ingress:5.3.0 - name: nginx-ingress - imagePullPolicy: "IfNotPresent" - ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - protocol: TCP - - name: prometheus - containerPort: 9113 - - name: readiness-port - containerPort: 8081 - readinessProbe: - httpGet: - path: /nginx-ready - port: readiness-port - periodSeconds: 1 - initialDelaySeconds: 0 - resources: - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - NET_BIND_SERVICE - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 101 - volumeMounts: - - - mountPath: /etc/nginx - name: nginx-etc - - mountPath: /var/cache/nginx - name: nginx-cache - - mountPath: /var/lib/nginx - name: nginx-lib - - mountPath: /var/lib/nginx/state - name: nginx-state - - mountPath: /var/log/nginx - name: nginx-log - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - args: - - - -nginx-plus=false - - -nginx-reload-timeout=60000 - - -enable-app-protect=false - - -enable-app-protect-dos=false - - -nginx-configmaps=$(POD_NAMESPACE)/statefulset-readonly-nginx-ingress - - -ingress-class=nginx - - -health-status=false - - -health-status-uri=/nginx-health - - -nginx-debug=false - - -log-level=info - - -log-format=glog - - -nginx-status=true - - -nginx-status-port=8080 - - -nginx-status-allow-cidrs=127.0.0.1 - - -report-ingress-status - - -external-service=statefulset-readonly-nginx-ingress-controller - - -enable-leader-election=true - - -leader-election-lock-name=statefulset-readonly-nginx-ingress-leader-election - - -enable-prometheus-metrics=true - - 
-prometheus-metrics-listen-port=9113 - - -prometheus-tls-secret= - - -enable-service-insight=false - - -service-insight-listen-port=9114 - - -service-insight-tls-secret= - - -enable-custom-resources=true - - -enable-snippets=false - - -disable-ipv6=false - - -enable-tls-passthrough=false - - -enable-cert-manager=false - - -enable-oidc=false - - -enable-external-dns=false - - -default-http-listener-port=80 - - -default-https-listener-port=443 - - -ready-status=true - - -ready-status-port=8081 - - -enable-latency-metrics=false - - -ssl-dynamic-reload=true - - -enable-telemetry-reporting=true - - -weight-changes-dynamic-reload=false - - initContainers: - - name: init-nginx-ingress - image: nginx/nginx-ingress:5.3.0 - imagePullPolicy: "IfNotPresent" - command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc'] - resources: - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsUser: 101 #nginx - runAsNonRoot: true - capabilities: - drop: - - ALL - volumeMounts: - - mountPath: /mnt/etc - name: nginx-etc - podManagementPolicy: OrderedReady - persistentVolumeClaimRetentionPolicy: - whenDeleted: Retain - whenScaled: Retain - volumeClaimTemplates: - - metadata: - name: nginx-cache - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: "256Mi" -/-/-/-/ -# Source: nginx-ingress/templates/controller-ingress-class.yaml -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - name: nginx - labels: - helm.sh/chart: nginx-ingress-2.4.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-readonly - app.kubernetes.io/version: "5.3.0" - app.kubernetes.io/managed-by: Helm -spec: - controller: nginx.org/ingress-controller -/-/-/-/ -# Source: nginx-ingress/templates/controller-configmap.yaml -/-/-/-/ -/-/-/-/ -# Source: nginx-ingress/templates/controller-lease.yaml -apiVersion: coordination.k8s.io/v1 -kind: Lease -metadata: - name: 
statefulset-readonly-nginx-ingress-leader-election - namespace: default - labels: - helm.sh/chart: nginx-ingress-2.4.0 - app.kubernetes.io/name: nginx-ingress - app.kubernetes.io/instance: statefulset-readonly + app.kubernetes.io/instance: global-config-custom-name app.kubernetes.io/version: "5.3.0" app.kubernetes.io/managed-by: Helm --- diff --git a/internal/configs/version2/__snapshots__/templates_test.snap b/internal/configs/version2/__snapshots__/templates_test.snap index 829fbfad7c..98fb6b3709 100644 --- a/internal/configs/version2/__snapshots__/templates_test.snap +++ b/internal/configs/version2/__snapshots__/templates_test.snap @@ -1470,6 +1470,7 @@ server { [TestExecuteVirtualServerTemplateWithOIDCAndPKCEPolicyNGINXPlus - 1] +keyval $idp_sid $client_sid zone=oidc_sids; include oidc/oidc_pkce_supplements.conf; server { diff --git a/internal/configs/version2/nginx-plus.virtualserver.tmpl b/internal/configs/version2/nginx-plus.virtualserver.tmpl index 7c6a34a4a6..19a4bcc8dc 100644 --- a/internal/configs/version2/nginx-plus.virtualserver.tmpl +++ b/internal/configs/version2/nginx-plus.virtualserver.tmpl @@ -116,11 +116,10 @@ map $request_method $cache_purge_{{ replaceAll $l.Cache.ZoneName "-" "_" }} { {{- end }} {{- if $s.OIDC }} - keyval $idp_sid $client_sid zone=oidc_sids; - - {{ if $s.OIDC.PKCEEnable }} - include oidc/oidc_pkce_supplements.conf; - {{- end }} +keyval $idp_sid $client_sid zone=oidc_sids; +{{- if $s.OIDC.PKCEEnable }} +include oidc/oidc_pkce_supplements.conf; +{{- end }} {{- end }} server { From 26e2c26d4a7f61e9dae18792cfa85f3404a5d623 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 3 Oct 2025 13:58:53 +0100 Subject: [PATCH 8/8] Keycloak 26.4 uses button type submit --- tests/suite/test_oidc.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suite/test_oidc.py b/tests/suite/test_oidc.py index b6aad44954..5b2d0f0481 100644 --- a/tests/suite/test_oidc.py +++ b/tests/suite/test_oidc.py 
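Review bot: The `keyval $idp_sid $client_sid zone=oidc_sids;` line inside `{{- if $s.OIDC }}` in nginx-plus.virtualserver.tmpl is rendered once for every OIDC-enabled VirtualServer and always points at the one shared `oidc_sids` zone, yet nothing in the hunk documents where that zone is declared or why sharing it across servers is intended. This mapping presumably backs the `handleFrontChannelLogout` export added to openid_connect.js, so a missing or mis-scoped zone would leave sessions alive after an IdP-initiated logout; that is inferred, not visible here. I would add a template comment above the directive, for example `{{- /* maps the IdP sid to the client session for front-channel logout; zone declared in <file that defines keyval_zone oidc_sids> */}}`. The only snapshot updated for this line renders a single server with PKCE, so a case with two OIDC VirtualServers would also be worth adding to pin what the repeated directive renders to.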
@@ -230,7 +230,7 @@ def run_oidc(browser_type, ip_address, port):
 page.fill('input[name="password"]', password)
 with page.expect_navigation():
- page.click('input[type="submit"]')
+ page.click('button[type="submit"]')
 page.wait_for_load_state("load")
 page_text = page.text_content("body")
 fields_to_check = [
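Review bot: The new selector `button[type="submit"]` in the login step matches only the Keycloak 26.4 markup, so `run_oidc` will fail against any older Keycloak image still used in CI or locally, where the control is `input[type="submit"]`. A selector list that accepts both forms keeps the login step independent of the IdP version: `page.click('input[type="submit"], button[type="submit"]')`. `run_oidc` starts before this hunk and continues after it, so the rest of the login flow is not visible here.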