-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update nginx image #3968
Merged
Merged
Update nginx image #3968
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
cncf-cla: yes
Indicates the PR's author has signed the CNCF CLA.
size/XS
Denotes a PR that changes 0-9 lines, ignoring generated files.
labels
Apr 6, 2019
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aledbf The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Indicates a PR has been approved by an approver from all required OWNERS files.
label
Apr 6, 2019
schaze
pushed a commit
to schaze/ingress-nginx
that referenced
this pull request
May 30, 2019
morganwu277
added a commit
to morganwu277/ingress-nginx
that referenced
this pull request
Jun 20, 2019
* update GKE header to match link in contents * extract common logic into a helper * do not repeat cert verification against root ca * clean up certificate processing * adjust unit tests * bugfix: when secret includes ca.crt store it on disk even in dynamic cert mode * fix function comment * Allow the use of a secret located in a different namespace * Refactor status update * Fix status tests * Add promehteus metric about leader election status * Use full election leader ID * Fix documentation * Remove useless nodeip call and deprecate --force-namespace-isolation * Improve text, error level, tests... * Only the leader updates metrics for SSL certificate expiration * Force travis rebuild * Improve kubectl plugin * Separate out annotation assignment logic * Make sure cli-arguments doc is in alphabetical order * Remove sort-backends flag from cli docs * Correctly format ipv6 resolver config for lua Fixes kubernetes#3881 * enable dynamic SSL mode by default * Improve "Sticky sessions" documentation page * Remove unnecessary copy of GeoIP databases * Update nginx image * Migrate e2e cluster to kind * Add support for IPV6 resolvers * Set `X-Request-ID` for the `default-backend`, too. * Aligned to `golint` * Add lint subcommand * Update apiVersion to apps/v1, drop duplicate line * Update nginx to 1.15.10 * Update nginx image * Fix dynamic SSL certificate for aliases and redirect-from-to-www * Update dependencies client-go to release-11.0 and kubernetes-1.14.0 * Update go dependencies * fix typo: delete '`' fix typo: delete '`' * Adds a log warning when falling back to default fake cert * Simplify x-forwarded-prefix annotation * Fix e2e-tests * Add plugin lint for this change * replace some of the Nginx configuration to Lua code * properly parse x-forwarded-host * Fix load-balance configmap value * Plugin select deployment using replicaset name * Fix segfault on reference to nonexistent configmap * Refactor equals * lua plugin system * Proper use of quotes for running the command $1 on a shell has a special meaning and inside of double quotes (") it will be expaned to an empty string. Using single quotes fixes the issue. * Update nginx image (kubernetes#3968) * Update nginx image to 0.84 (kubernetes#3969) * Release 0.24.0 * Update yaml files to 0.24.0 [skip-ci] (kubernetes#3975) * Fix CA certificate example docs * Refactor isIterable * Add missing PR in changelog [skip ci] (kubernetes#3981) * Add kubectl plugin docs * Link to kubectl plugin docs in nav * fix custom default backend test title * regression test for dynamic cert related default-certificate issue * fix dynamic cert bug * Update README.md * Remove valgrind * better logging in certificate.lua * properly handle default and custom default certs in dynamic ssl mode * handle default certificate correctly in Lua * better certificate lua unit tests * adjust default ssl cert e2e test * fix luacheck warning * do not create empty access_by_lua_block * make sure unit test create fakecertificate * Release 0.24.1 * refactor GetFakeSSLCert * Switch to go modules * Support proxy_next_upstream_timeout * Add homepage and .exe to plugin * Update nginx to 1.15.12 * Update nginx image and Go to 1.12.4 (kubernetes#4010) * add e2e coverage for multi auth * Implement a validation webhook In case some ingress have a syntax error in the snippet configuration, the freshly generated configuration will not be reloaded to prevent tearing down existing rules. Although, once inserted, this configuration is preventing from any other valid configuration to be inserted as it remains in the ingresses of the cluster. To solve this problem, implement an optional validation webhook that simulates the addition of the ingress to be added together with the rest of ingresses. In case the generated configuration is not validated by nginx, deny the insertion of the ingress. In case certificates are mounted using kubernetes secrets, when those changes, keys are automatically updated in the container volume, and the controller reloads it using the filewatcher. Related changes: - Update vendors - Extract useful functions to check configuration with an additional ingress - Update documentation for validating webhook - Add validating webhook examples - Add a metric for each syntax check success and errors - Add more certificate generation examples * 🔧 fix navigation error in file baremetal.md Signed-off-by: William Zhang <zhang.wanmin@zte.com.cn> * Docs have incorrect command in baremetal.md The output shown is for `kubectl get node` and not `kubectl describe node`. I've updated the docs to use the correct command. * [doc] fixing regex in example of rewrite avoids /somethingfoo to be matched by regex Signed-off-by: Marcos Estevez <marcos.stvz@gmail.com> * Fix default Content-Type for custom-error-pages example This should fix issue [4039](kubernetes#4039). This default backend fails to send the correct `Content-Type` header when it fails to decode the `Accept` request header. This patch simply forces `text/html` in that specific scenario. * Release custom error pages image v0.4 [skip-ci] (kubernetes#4042) * Added Global External Authentication settings to configmap parameters incl. addons * Fixed typos * Update go to 1.12.5, kubectl to 1.14.1 and kind to 0.2.1 (kubernetes#4064) * Trim spaces from annotations that can contain multiple lines * fix e2e-test make target - explicitly wait for api token - only use posix shell conditionals * fix typo: deployement->deployment * Don't try to create e2e runner rbac resources twice * load modsecurity.conf on ModSecurity.Enable * Explain references in custom-headers documentation Augment description of custom-headers behavior. Explain the purpose of the two configmaps, making explicit that one cites the other by `namespace/name`. Link the two example yaml files, so they're more easily navigated to from a browser looking at https://kubernetes.github.io/ingress-nginx/examples/customization/custom-headers/ Campfire: grammar, standard installation is in the `ingress-nginx` namespace. * Add image for prow jobs * Run tests with only one worker * Add option to run scripts in debug mode * Refactor scripts to run e2e tests * Update generated code * Add dependencies for code generator * Docs: configmap: use-gzip Move the "gzip-types" value default from the "use-gzip" to the "gzip-types" heading, and link to it from use-gzip. Document that the "use-gzip" default is "true", matching the style of other configmap items. * Cleanup * Add binaries required by kubernetes-sigs/testing_frameworks * Allow to use a custom k8s version in e2e tests * Update configmap about adding custom locations * Remove stop controller endpoint * Docs - Update capture group `placeholder` The current ingress example uses the `$2` capture group placeholder, however the description refers to the `$1` placeholder (this was previously correct, but was not updated when the ingress example changed from $1 to $2). * reduce memory footprint and cpu usage when modsecurity and owasp rules are enabled globally * Rearrange deployment files into kustomizations * UPT: Add variable to define custom sampler host and port, add commituser * UPT: Modify configmap to include jaeger sampler host and jaeger sampler port * UPT: Opentracing configmap documentation * Clear up some inconsistent / unclear wording IPv6 enabled/disabled working was confusing or contradicting itself. This updates the wording to what is expected, based on the default values in the table above, and the behaviour that I could find in code. * Refactor ListIngresses to add filters * Use a real apiserver to test the store * Update go dependencies * Add retry to LookupHost used to check the content of ExternalName * Update e2e images (kubernetes#4110) * Force GOOS to linux * log info when endpoints change for a balancer * updated nginx and some other modules * Update nginx image to 0.86 * use nkeys for counting lua table elements * Refactor whitelist from map to standard allow directives * Added support for annotation `session-cookie-change-on-failure` 1. Session cookie is updated on previous attempt failure when `session-cookie-change-on-failure = true` (default value is `false`). 2. Added tests to check both cases. 3. Updated docs. Co-Authored-By: Vladimir Grishin <yadolov@users.noreply.github.com> * Refactor e2e test * feature(collectors): Added services to collectorLabels and requests Countervec to capture the name of the kubernetes service used to serve the client request. * Update README.md for external-auth Test 4 Title for Test 4 should be `secure service with valid auth header`. The current one is the same as Test 3. * Use apps/v1 api group in e2e tests * Run PodSecurityPolicy E2E test in parallel Previously, this test modified a ClusterRole used by _every_ test. It had to be run serially, with a special teardown function that restored the state of the ClusterRole for any other serial tests. Now every test gets its own cluster role, which means this test can be safely run in parallel with all the others, without any special teardown. * update modsecurity to latest, libmodsecurity to v3.0.3 and owasp-scrs to v3.1.0 (kubernetes#4140) * Update nginx (kubernetes#4150) * Update nginx image * Fix IPV6 test issues in Prow * Add clarification on how to enable path matching The fact that you need to explicitly add the annotation is easy to miss. This makes this more explicit, while leaving the finer details to the linked annotations document. * Partially revert usage of kustomize for installation (kubernetes#4159) * SSL expiration metrics cannot be tied to dynamic updates * fix source file mods * Session Affinity ChangeOnFailure should be boolean * Add "text/javascript" to compressible MIME types Based on the HTML Standard, https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages, servers _should_ use `text/javascript`. * simplify sticky balancer * bugfix: check all previously failing upstreams, not just the last one * Add unit test case for balancer.route_to_alternative_balancer() * Add unit test case for canary by weight * Add unit test case for canary by cookie * Add unit test case for canary by header * Only load modsecurity_module when ModSec is active * increase lua_shared_dict config data * Fix: fillout missing health check timeout on health check. * Migrate to new networking.k8s.io/v1beta1 package * Update go dependencies * Add e2e test for service type=ExternalName
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
approved
Indicates a PR has been approved by an approver from all required OWNERS files.
cncf-cla: yes
Indicates the PR's author has signed the CNCF CLA.
size/XS
Denotes a PR that changes 0-9 lines, ignoring generated files.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
Fixes several security vulnerabilities https://quay.io/repository/kubernetes-ingress-controller/nginx?tab=tags
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close that issue when PR gets merged): fixes #Special notes for your reviewer: