[ingress-nginx] upgrade to 1.6.4 (#9818)

1 year ago · 260dad8f10
5 changed files with 10 additions and 25 deletions
--- a/README.md
+++ b/README.md
@ -169,7 +169,7 @@ Note: Upstart/SysV init based OS types are not supported.
 - Application
  - [cert-manager](https://github.com/jetstack/cert-manager) v1.11.0
  - [coredns](https://github.com/coredns/coredns) v1.9.3
-  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.5.1
+  - [ingress-nginx](https://github.com/kubernetes/ingress-nginx) v1.6.4
  - [krew](https://github.com/kubernetes-sigs/krew) v0.4.3
  - [argocd](https://argoproj.github.io/) v2.5.10
  - [helm](https://helm.sh/) v3.10.3
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@ -992,11 +992,11 @@ rbd_provisioner_image_tag: "{{ rbd_provisioner_version }}"
 local_path_provisioner_version: "v0.0.22"
 local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-provisioner"
 local_path_provisioner_image_tag: "{{ local_path_provisioner_version }}"
-ingress_nginx_version: "v1.5.1"
+ingress_nginx_version: "v1.6.4"
 ingress_nginx_controller_image_repo: "{{ kube_image_repo }}/ingress-nginx/controller"
 ingress_nginx_controller_image_tag: "{{ ingress_nginx_version }}"
-ingress_nginx_kube_webhook_certgen_imae_repo: "{{ kube_image_repo }}/ingress-nginx/kube-webhook-certgen"
-ingress_nginx_kube_webhook_certgen_imae_tag: "v1.3.0"
+ingress_nginx_kube_webhook_certgen_image_repo: "{{ kube_image_repo }}/ingress-nginx/kube-webhook-certgen"
+ingress_nginx_kube_webhook_certgen_image_tag: "v20220916-gd32f8c343"
 alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
 alb_ingress_image_tag: "v1.1.9"
 cert_manager_version: "v1.11.0"
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/admission-webhook-job.yml.j2
@ -26,7 +26,7 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        image: "{{ ingress_nginx_kube_webhook_certgen_imae_repo }}:{{ ingress_nginx_kube_webhook_certgen_imae_tag }}"
+        image: "{{ ingress_nginx_kube_webhook_certgen_image_repo }}:{{ ingress_nginx_kube_webhook_certgen_image_tag }}"
        imagePullPolicy: {{ k8s_image_pull_policy }}
        name: create
        securityContext:
@ -70,7 +70,7 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        image: "{{ ingress_nginx_kube_webhook_certgen_imae_repo }}:{{ ingress_nginx_kube_webhook_certgen_imae_tag }}"
+        image: "{{ ingress_nginx_kube_webhook_certgen_image_repo }}:{{ ingress_nginx_kube_webhook_certgen_image_tag }}"
        imagePullPolicy: {{ k8s_image_pull_policy }}
        name: patch
        securityContext:
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/clusterrole-ingress-nginx.yml.j2
@ -8,7 +8,7 @@ metadata:
    app.kubernetes.io/part-of: ingress-nginx
 rules:
  - apiGroups: [""]
-    resources: ["configmaps", "endpoints", "nodes", "pods", "secrets"]
+    resources: ["configmaps", "endpoints", "nodes", "pods", "secrets", "namespaces"]
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/role-ingress-nginx.yml.j2
@ -17,23 +17,15 @@ rules:
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch"]
-  - apiGroups: ["extensions", "networking.k8s.io"]
-    resources: ["ingresses", "ingressclasses"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
-  - apiGroups: ["extensions", "networking.k8s.io"]
+  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingressclasses"]
    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    # Defaults to "<election-id>-<ingress-class>"
-    # Here: "<ingress-controller-leader>-<nginx>"
-    # This has to be adapted if you change either parameter
-    # when launching the nginx-ingress-controller.
-    resourceNames: [{% if ingress_class is defined %}"ingress-controller-leader-{{ ingress_nginx_class | default('nginx') }}"{% else %}"ingress-controller-leader"{% endif %}]
-    verbs: ["get", "update"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    # Defaults to "<election-id>-<ingress-class>"
@ -42,16 +34,9 @@ rules:
    # when launching the nginx-ingress-controller.
    resourceNames: [{% if ingress_class is defined %}"ingress-controller-leader-{{ ingress_nginx_class | default('nginx') }}"{% else %}"ingress-controller-leader"{% endif %}]
    verbs: ["get", "update"]
-  - apiGroups: [""]
-    resources: ["configmaps"]
-    verbs: ["create", "update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
-  - apiGroups: ["policy"]
-    resourceNames: ["ingress-nginx"]
-    resources: ["podsecuritypolicies"]
-    verbs: ["use"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    # Defaults to "<election-id>-<ingress-class>"