feat: upgrade ingress-nginx (#537)

squidboylan · punkwalker · web-flow · commit 67b4b08e99d1 · 2025-08-07T06:37:14.000-07:00
Signed-off-by: Caleb Boylan &lt;calebboylan@gmail.com&gt;
Co-authored-by: Pankaj Walke &lt;punkwalker@gmail.com&gt;
diff --git a/hack/ingress-nginx/cm-ingress-nginx-controller.yaml b/hack/ingress-nginx/cm-ingress-nginx-controller.yaml
@@ -6,4 +6,5 @@ metadata:
 data:
   allow-snippet-annotations: "true"
   proxy-buffer-size: "32k"
+  proxy-busy-buffers-size: "32k"
   use-forwarded-headers: "true"
diff --git a/hack/ingress-nginx/kustomization.yaml b/hack/ingress-nginx/kustomization.yaml
@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.2/deploy/static/provider/kind/deploy.yaml
+  - https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.13.0/deploy/static/provider/kind/deploy.yaml
 
 patches:
   - path: deployment-ingress-nginx.yaml
@@ -17,3 +17,22 @@ patches:
       kind: Kustomization
       metadata:
         name: ingress-nginx-controller
+  # ArgoCD has poor support for ttlSecondsAfterFinished and it shouldn't be essential to clean these up
+  - target:
+      group: batch
+      version: v1
+      kind: Job
+      name: ingress-nginx-admission-create
+      namespace: ingress-nginx
+    patch: |
+      - op: remove
+        path: /spec/ttlSecondsAfterFinished
+  - target:
+      group: batch
+      version: v1
+      kind: Job
+      name: ingress-nginx-admission-patch
+      namespace: ingress-nginx
+    patch: |
+      - op: remove
+        path: /spec/ttlSecondsAfterFinished
diff --git a/pkg/controllers/localbuild/resources/nginx/k8s/ingress-nginx.yaml b/pkg/controllers/localbuild/resources/nginx/k8s/ingress-nginx.yaml
@@ -17,7 +17,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.2
+    app.kubernetes.io/version: 1.13.0
   name: ingress-nginx
   namespace: ingress-nginx
 ---
@@ -30,7 +30,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.2
+    app.kubernetes.io/version: 1.13.0
   name: ingress-nginx-admission
   namespace: ingress-nginx
 ---
@@ -42,7 +42,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.2
+    app.kubernetes.io/version: 1.13.0
   name: ingress-nginx
   namespace: ingress-nginx
 rules:
@@ -132,7 +132,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.2
+    app.kubernetes.io/version: 1.13.0
   name: ingress-nginx-admission
   namespace: ingress-nginx
 rules:
@@ -151,7 +151,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.2
+    app.kubernetes.io/version: 1.13.0
   name: ingress-nginx
 rules:
 - apiGroups:
@@ -233,7 +233,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.2
+    app.kubernetes.io/version: 1.13.0
   name: ingress-nginx-admission
 rules:
 - apiGroups:
@@ -252,7 +252,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.2
+    app.kubernetes.io/version: 1.13.0
   name: ingress-nginx
   namespace: ingress-nginx
 roleRef:
@@ -272,7 +272,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.2
+    app.kubernetes.io/version: 1.13.0
   name: ingress-nginx-admission
   namespace: ingress-nginx
 roleRef:
@@ -291,7 +291,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.2
+    app.kubernetes.io/version: 1.13.0
   name: ingress-nginx
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -310,7 +310,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.2
+    app.kubernetes.io/version: 1.13.0
   name: ingress-nginx-admission
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -325,6 +325,7 @@ apiVersion: v1
 data:
   allow-snippet-annotations: "true"
   proxy-buffer-size: 32k
+  proxy-busy-buffers-size: 32k
   use-forwarded-headers: "true"
 kind: ConfigMap
 metadata:
@@ -333,7 +334,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.2
+    app.kubernetes.io/version: 1.13.0
   name: ingress-nginx-controller
   namespace: ingress-nginx
 ---
@@ -345,7 +346,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.2
+    app.kubernetes.io/version: 1.13.0
   name: ingress-nginx-controller-admission
   namespace: ingress-nginx
 spec:
@@ -368,7 +369,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.2
+    app.kubernetes.io/version: 1.13.0
   name: ingress-nginx-controller
   namespace: ingress-nginx
 spec:
@@ -392,6 +393,7 @@ spec:
         app.kubernetes.io/part-of: ingress-nginx
         app.kubernetes.io/version: 1.8.1
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - /nginx-ingress-controller
@@ -417,7 +419,7 @@ spec:
               fieldPath: metadata.namespace
         - name: LD_PRELOAD
           value: /usr/local/lib/libmimalloc.so
-        image: registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce
+        image: registry.k8s.io/ingress-nginx/controller:v1.13.0@sha256:dc75a7baec7a3b827a5d7ab0acd10ab507904c7dad692365b3e3b596eca1afd2
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -469,6 +471,7 @@ spec:
             drop:
             - ALL
           readOnlyRootFilesystem: false
+          runAsGroup: 82
           runAsNonRoot: true
           runAsUser: 101
           seccompProfile:
@@ -479,7 +482,6 @@ spec:
           readOnly: true
       dnsPolicy: ClusterFirst
       nodeSelector:
-        ingress-ready: "true"
         kubernetes.io/os: linux
       serviceAccountName: ingress-nginx
       terminationGracePeriodSeconds: 0
@@ -503,7 +505,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.2
+    app.kubernetes.io/version: 1.13.0
   name: ingress-nginx-admission-create
   namespace: ingress-nginx
 spec:
@@ -514,9 +516,10 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.2
+        app.kubernetes.io/version: 1.13.0
       name: ingress-nginx-admission-create
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - create
@@ -528,7 +531,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.0@sha256:c9f76a75fd00e975416ea1b73300efd413116de0de8570346ed90766c5b5cefb
         imagePullPolicy: IfNotPresent
         name: create
         securityContext:
@@ -537,6 +540,7 @@ spec:
             drop:
             - ALL
           readOnlyRootFilesystem: true
+          runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
           seccompProfile:
@@ -554,7 +558,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.2
+    app.kubernetes.io/version: 1.13.0
   name: ingress-nginx-admission-patch
   namespace: ingress-nginx
 spec:
@@ -565,9 +569,10 @@ spec:
         app.kubernetes.io/instance: ingress-nginx
         app.kubernetes.io/name: ingress-nginx
         app.kubernetes.io/part-of: ingress-nginx
-        app.kubernetes.io/version: 1.11.2
+        app.kubernetes.io/version: 1.13.0
       name: ingress-nginx-admission-patch
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - patch
@@ -581,7 +586,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3@sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.6.0@sha256:c9f76a75fd00e975416ea1b73300efd413116de0de8570346ed90766c5b5cefb
         imagePullPolicy: IfNotPresent
         name: patch
         securityContext:
@@ -590,6 +595,7 @@ spec:
             drop:
             - ALL
           readOnlyRootFilesystem: true
+          runAsGroup: 65532
           runAsNonRoot: true
           runAsUser: 65532
           seccompProfile:
@@ -607,7 +613,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.2
+    app.kubernetes.io/version: 1.13.0
   name: nginx
 spec:
   controller: k8s.io/ingress-nginx
@@ -620,7 +626,7 @@ metadata:
     app.kubernetes.io/instance: ingress-nginx
     app.kubernetes.io/name: ingress-nginx
     app.kubernetes.io/part-of: ingress-nginx
-    app.kubernetes.io/version: 1.11.2
+    app.kubernetes.io/version: 1.13.0
   name: ingress-nginx-admission
 webhooks:
 - admissionReviewVersions:
@@ -630,6 +636,7 @@ webhooks:
       name: ingress-nginx-controller-admission
       namespace: ingress-nginx
       path: /networking/v1/ingresses
+      port: 443
   failurePolicy: Fail
   matchPolicy: Equivalent
   name: validate.nginx.ingress.kubernetes.io
