Release controller v1.13.3 & chart v4.13.3. (#13999)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/ci.yaml

@@ -271,7 +271,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        k8s: [v1.30.13, v1.31.12, v1.32.8, v1.33.4, v1.34.0]
+        k8s: [v1.29.14, v1.30.13, v1.31.12, v1.32.8, v1.33.4]
 
     steps:
       - name: Checkout code
@@ -303,7 +303,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        k8s: [v1.30.13, v1.31.12, v1.32.8, v1.33.4, v1.34.0]
+        k8s: [v1.29.14, v1.30.13, v1.31.12, v1.32.8, v1.33.4]
     uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
     with:
       k8s-version: ${{ matrix.k8s }}
@@ -318,7 +318,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        k8s: [v1.30.13, v1.31.12, v1.32.8, v1.33.4, v1.34.0]
+        k8s: [v1.29.14, v1.30.13, v1.31.12, v1.32.8, v1.33.4]
     uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml
     with:
       k8s-version: ${{ matrix.k8s }}

.github/workflows/images.yaml

@@ -136,7 +136,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        k8s: [v1.30.13, v1.31.12, v1.32.8, v1.33.4, v1.34.0]
+        k8s: [v1.29.14, v1.30.13, v1.31.12, v1.32.8, v1.33.4]
     steps:
     - name: Checkout
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

README.md

@@ -43,9 +43,6 @@ the versions listed. Ingress-Nginx versions **may** work on older versions, but
 |    🔄     | **v1.13.2**           | 1.33, 1.32, 1.31, 1.30, 1.29  | 3.22.1         | 1.27.1        | 4.13.2             |
 |    🔄     | **v1.13.1**           | 1.33, 1.32, 1.31, 1.30, 1.29  | 3.22.1         | 1.27.1        | 4.13.1             |
 |    🔄     | **v1.13.0**           | 1.33, 1.32, 1.31, 1.30, 1.29  | 3.22.0         | 1.27.1        | 4.13.0             |
-|    🔄     | **v1.12.7**           | 1.32, 1.31, 1.30, 1.29, 1.28  | 3.22.1         | 1.25.5        | 4.12.7             |
-|    🔄     | **v1.12.6**           | 1.32, 1.31, 1.30, 1.29, 1.28  | 3.22.1         | 1.25.5        | 4.12.6             |
-|    🔄     | **v1.12.5**           | 1.32, 1.31, 1.30, 1.29, 1.28  | 3.22.1         | 1.25.5        | 4.12.5             |
 |    🔄     | **v1.12.4**           | 1.32, 1.31, 1.30, 1.29, 1.28  | 3.22.0         | 1.25.5        | 4.12.4             |
 |    🔄     | **v1.12.3**           | 1.32, 1.31, 1.30, 1.29, 1.28  | 3.21.3         | 1.25.5        | 4.12.3             |
 |    🔄     | **v1.12.2**           | 1.32, 1.31, 1.30, 1.29, 1.28  | 3.21.3         | 1.25.5        | 4.12.2             |

TAG

@@ -1 +1 @@
-v1.13.0
+v1.13.3

changelog/controller-1.12.5.md

@@ -1,56 +0,0 @@
-# Changelog
-
-### controller-v1.12.5
-
-Images:
-
-* registry.k8s.io/ingress-nginx/controller:v1.12.5@sha256:f4a204a39ce99e7d297c54b02e64e421d872675c5ee29ab1b6edb62d4d69be5c
-* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.5@sha256:5bee417e81f5478b166e35b66b62824275fba150cb737adf665ba05c61ff4632
-
-### All changes:
-
-* Images: Trigger controller build. (#13768)
-* Chart: Bump Kube Webhook CertGen. (#13764)
-* Tests & Docs: Bump images. (#13763)
-* Go: Update dependencies. (#13751)
-* Images: Remove redundant ModSecurity-nginx patch. (#13748)
-* Tests: Add `ssl-session-*` config values tests. (#13746)
-* Docs: Bump mkdocs to v9.6.16, fix links. (#13744)
-* Docs: Fix default config values and links. (#13739)
-* Images: Trigger other builds (2/2). (#13734)
-* Images: Trigger other builds (1/2). (#13733)
-* Tests: Bump Test Runner to v1.4.1. (#13728)
-* Images: Trigger Test Runner build. (#13723)
-* Go: Bump to v1.24.6. (#13720)
-* Images: Bump NGINX to v1.3.1. (#13717)
-* Images: Trigger NGINX build. (#13712)
-* Annotations: Quote auth proxy headers. (#13709)
-* Go: Update dependencies. (#13702)
-* CI: Fix typo. (#13699)
-* Chart: Push to OCI registry. (#13696)
-* Docs: Remove `X-XSS-Protection` header from hardening guide. (#13687)
-* Controller: Fix nil pointer in path validation. (#13682)
-* Go: Update dependencies. (#13677)
-* NGINX: Disable mimalloc's architecture specific optimizations. (#13670)
-* Controller: Fix SSL session ticket path. (#13668)
-* Docs: Use HTTPS for NGINX links. (#13664)
-* Docs: Fix links and formatting in user guide. (#13662)
-* Make: Add `helm-test` target. (#13660)
-* Docs: Update prerequisites in `getting-started.md`. (#13658)
-* Hack: Bump `golangci-lint` to v2.3.0. (#13656)
-* CI: Update KIND to v1.33.2. (#13648)
-* Docs: Improve `opentelemetry-trust-incoming-span`. (#13637)
-* Go: Update dependencies. (#13626)
-* CI: Update Kubernetes to v1.33.3. (#13632)
-* Go: Bump to v1.24.5. (#13631)
-* Bye bye, v1.11. (#13616)
-
-### Dependency updates:
-
-* Bump the actions group with 3 updates (#13757)
-* Bump actions/download-artifact from 4.3.0 to 5.0.0 (#13756)
-* Bump github/codeql-action from 3.29.3 to 3.29.5 in the actions group (#13707)
-* Bump github/codeql-action from 3.29.2 to 3.29.3 in the actions group across 1 directory (#13644)
-* Bump the actions group with 3 updates (#13641)
-
-**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.12.4...controller-v1.12.5

changelog/controller-1.12.6.md

@@ -1,43 +0,0 @@
-# Changelog
-
-### controller-v1.12.6
-
-Images:
-
-* registry.k8s.io/ingress-nginx/controller:v1.12.6@sha256:c371fbf42b4f23584ce879d99303463131f4f31612f0875482b983354eeca7e6
-* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.6@sha256:7ff9cdb081b18f9431b84d4c3ccd3db9d921ed5f5b7682a45f6a351bfc4ceed4
-
-### All changes:
-
-* Images: Trigger controller build. (#13864)
-* Metrics: Fix `nginx_ingress_controller_config_last_reload_successful`. (#13859)
-* Chart: Bump Kube Webhook CertGen. (#13858)
-* Tests & Docs: Bump images. (#13857)
-* Docs: Remove `datadog` ConfigMap options. (#13852)
-* Images: Trigger other builds (2/2). (#13849)
-* Images: Trigger other builds (1/2). (#13848)
-* Tests: Bump Test Runner to v1.4.2. (#13843)
-* Images: Trigger Test Runner build. (#13840)
-* Images: Bump NGINX to v1.3.2. (#13837)
-* Images: Trigger NGINX build. (#13834)
-* Go: Update dependencies. (#13829)
-* Annotations/AuthTLS: Allow named redirects. (#13820)
-* Tests: Bump Ginkgo to v2.25.1. (#13817)
-* Docs: Replace no-break spaces (U+A0). (#13814)
-* Tests: Bump Ginkgo to v2.25.0. (#13808)
-* Tests: Bump Ginkgo to v2.24.0. (#13803)
-* Ingresses: Allow `.` in `Exact` and `Prefix` paths. (#13800)
-* Tests: Enable default backend access logging tests. (#13789)
-* Security: Harden socket creation and validate error code input. (#13786)
-* Tests: Enhance SSL Proxy. (#13784)
-* Chores: Migrate deprecated `wait.Poll*` to context-aware equivalents. (#13782)
-* Go: Update dependencies. (#13779)
-* CI: Update Kubernetes to v1.33.4. (#13777)
-
-### Dependency updates:
-
-* Bump the actions group with 3 updates (#13826)
-* Bump actions/checkout from 4.3.0 to 5.0.0 (#13797)
-* Bump the actions group with 2 updates (#13795)
-
-**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.12.5...controller-v1.12.6

changelog/controller-1.12.7.md

@@ -1,50 +0,0 @@
-# Changelog
-
-### controller-v1.12.7
-
-Images:
-
-* registry.k8s.io/ingress-nginx/controller:v1.12.7@sha256:6ca5f62d18ac6b2e57484ecde310dccd3079b545acecff01c4c71eb5fb222438
-* registry.k8s.io/ingress-nginx/controller-chroot:v1.12.7@sha256:1d20779a1f805fa2820a2631929fb53da59cb9ce023395fae681a60b17ed771f
-
-### All changes:
-
-* Images: Trigger controller build. (#13985)
-* Chart: Bump Kube Webhook CertGen. (#13983)
-* Tests & Docs: Bump images. (#13982)
-* Images: Trigger other builds (2/2). (#13977)
-* Images: Trigger other builds (1/2). (#13976)
-* Tests: Bump Test Runner to v1.4.3. (#13965)
-* Images: Trigger Test Runner build. (#13962)
-* Go: Update dependencies. (#13956)
-* Images: Bump NGINX to v1.3.3. (#13959)
-* Images: Trigger NGINX build. (#13953)
-* Docs: Update link to Kubernetes controller documentation. (#13947)
-* Go: Update dependencies. (#13936)
-* CI: Update Helm to v3.19.0. (#13939)
-* Plugin: Change `rewriteTargetWithoutCaptureGroup` lint to include any numbered capture group. (#13933)
-* Go: Update dependencies. (#13929)
-* CI: Update Kubernetes to v1.34.1. (#13926)
-* Go: Update dependencies. (#13909)
-* Tests: Bump Ginkgo to v2.25.3. (#13904)
-* Go: Update dependencies. (#13901)
-* Go: Bump to v1.25.1. (#13898)
-* GitHub: Remove 'Stale Issues and PRs' workflow. (#13893)
-* Go: Update dependencies. (#13890)
-* Tests: Bump Ginkgo to v2.25.2. (#13886)
-* CI: Update Helm to v3.18.6. (#13883)
-* CI: Update Kubernetes to v1.34.0. (#13880)
-* CI: Update KIND to v1.34.0. (#13879)
-* Go: Bump to v1.25.0. (#13874)
-* Images: Use Alpine v3.22.1. (#13871)
-
-### Dependency updates:
-
-* Bump docker/login-action from 3.5.0 to 3.6.0 in the actions group across 1 directory (#13996)
-* Bump the actions group with 2 updates (#13990)
-* Bump github/codeql-action from 3.30.1 to 3.30.3 in the actions group (#13941)
-* Bump actions/setup-go from 5.5.0 to 6.0.0 (#13919)
-* Bump the actions group with 3 updates (#13917)
-* Bump actions/setup-python from 5.6.0 to 6.0.0 (#13915)
-
-**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.12.6...controller-v1.12.7

charts/ingress-nginx/README.md

@@ -264,8 +264,6 @@ metadata:
 | controller.admissionWebhooks.createSecretJob.name | string | `"create"` |  |
 | controller.admissionWebhooks.createSecretJob.resources | object | `{}` |  |
 | controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers |
-| controller.admissionWebhooks.createSecretJob.volumeMounts | list | `[]` | Volume mounts for secret creation containers |
-| controller.admissionWebhooks.createSecretJob.volumes | list | `[]` | Volumes for secret creation pod |
 | controller.admissionWebhooks.enabled | bool | `true` |  |
 | controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set |
 | controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use |
@@ -297,8 +295,6 @@ metadata:
 | controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` |  |
 | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` |  |
 | controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers |
-| controller.admissionWebhooks.patchWebhookJob.volumeMounts | list | `[]` | Volume mounts for webhook patch containers |
-| controller.admissionWebhooks.patchWebhookJob.volumes | list | `[]` | Volumes for webhook patch pod |
 | controller.admissionWebhooks.port | int | `8443` |  |
 | controller.admissionWebhooks.service.annotations | object | `{}` |  |
 | controller.admissionWebhooks.service.externalIPs | list | `[]` |  |
@@ -443,7 +439,6 @@ metadata:
 | controller.readinessProbe.timeoutSeconds | int | `1` |  |
 | controller.replicaCount | int | `1` |  |
 | controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply |
-| controller.resizePolicy | list | `[]` | Resize policy for controller containers. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources |
 | controller.resources.requests.cpu | string | `"100m"` |  |
 | controller.resources.requests.memory | string | `"90Mi"` |  |
 | controller.runtimeClassName | string | `""` | Instruct the kubelet to use the named RuntimeClass to run the pod |

charts/ingress-nginx/changelog/helm-chart-4.12.5.md

@@ -1,10 +0,0 @@
-# Changelog
-
-This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
-
-### 4.12.5
-
-* Make: Add `helm-test` target. (#13660)
-* Update Ingress-Nginx version controller-v1.12.5
-
-**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.12.4...helm-chart-4.12.5

charts/ingress-nginx/changelog/helm-chart-4.12.6.md

@@ -1,9 +0,0 @@
-# Changelog
-
-This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
-
-### 4.12.6
-
-* Update Ingress-Nginx version controller-v1.12.6
-
-**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.12.5...helm-chart-4.12.6

charts/ingress-nginx/changelog/helm-chart-4.12.7.md

@@ -1,9 +0,0 @@
-# Changelog
-
-This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
-
-### 4.12.7
-
-* Update Ingress-Nginx version controller-v1.12.7
-
-**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.12.7...helm-chart-4.12.7

charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml

@@ -68,9 +68,6 @@ spec:
           {{- if .Values.controller.admissionWebhooks.createSecretJob.resources }}
           resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
           {{- end }}
-          {{- if .Values.controller.admissionWebhooks.createSecretJob.volumeMounts }}
-          volumeMounts: {{- toYaml .Values.controller.admissionWebhooks.createSecretJob.volumeMounts | nindent 12 }}
-          {{- end }}
       restartPolicy: OnFailure
       serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
       automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }}
@@ -83,7 +80,4 @@ spec:
     {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
       securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
     {{- end }}
-    {{- if .Values.controller.admissionWebhooks.createSecretJob.volumes }}
-      volumes: {{- toYaml .Values.controller.admissionWebhooks.createSecretJob.volumes | nindent 8 }}
-    {{- end }}
 {{- end }}

charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml

@@ -70,9 +70,6 @@ spec:
           {{- if .Values.controller.admissionWebhooks.patchWebhookJob.resources }}
           resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
           {{- end }}
-          {{- if .Values.controller.admissionWebhooks.patchWebhookJob.volumeMounts }}
-          volumeMounts: {{- toYaml .Values.controller.admissionWebhooks.patchWebhookJob.volumeMounts | nindent 12 }}
-          {{- end }}
       restartPolicy: OnFailure
       serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }}
       automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }}
@@ -85,7 +82,4 @@ spec:
     {{- if .Values.controller.admissionWebhooks.patch.securityContext }}
       securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
     {{- end }}
-    {{- if .Values.controller.admissionWebhooks.patchWebhookJob.volumes }}
-      volumes: {{- toYaml .Values.controller.admissionWebhooks.patchWebhookJob.volumes | nindent 8 }}
-    {{- end }}
 {{- end }}

charts/ingress-nginx/templates/controller-daemonset.yaml

@@ -174,11 +174,6 @@ spec:
         {{- if .Values.controller.resources }}
           resources: {{ toYaml .Values.controller.resources | nindent 12 }}
         {{- end }}
-        {{- if semverCompare ">=1.33.0-0" .Capabilities.KubeVersion.Version }}
-        {{- if .Values.controller.resizePolicy }}
-          resizePolicy: {{ toYaml .Values.controller.resizePolicy | nindent 12 }}
-        {{- end }}
-        {{- end }}
       {{- if .Values.controller.extraContainers }}
         {{- toYaml .Values.controller.extraContainers | nindent 8 }}
       {{- end }}

charts/ingress-nginx/templates/controller-deployment.yaml

@@ -180,11 +180,6 @@ spec:
         {{- if .Values.controller.resources }}
           resources: {{ toYaml .Values.controller.resources | nindent 12 }}
         {{- end }}
-        {{- if semverCompare ">=1.33.0-0" .Capabilities.KubeVersion.Version }}
-        {{- if .Values.controller.resizePolicy }}
-          resizePolicy: {{ toYaml .Values.controller.resizePolicy | nindent 12 }}
-        {{- end }}
-        {{- end }}
       {{- if .Values.controller.extraContainers }}
         {{- toYaml .Values.controller.extraContainers | nindent 8 }}
       {{- end }}

charts/ingress-nginx/templates/default-backend-deployment.yaml

@@ -118,6 +118,6 @@ spec:
     {{- end }}
       terminationGracePeriodSeconds: 60
     {{- if .Values.defaultBackend.extraVolumes }}
-      volumes: {{ tpl (toYaml .Values.defaultBackend.extraVolumes) $ | nindent 8 }}
+      volumes: {{ toYaml .Values.defaultBackend.extraVolumes | nindent 8 }}
     {{- end }}
 {{- end }}

charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml

@@ -18,61 +18,3 @@ tests:
       - equal:
           path: spec.activeDeadlineSeconds
           value: 1
-
-  - it: should create a Job with custom volumes and volume mounts if `controller.admissionWebhooks.createSecretJob.volumes` and `controller.admissionWebhooks.createSecretJob.volumeMounts` are set
-    set:
-      controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
-      controller.admissionWebhooks.createSecretJob.volumeMounts:
-        - name: kube-api-access
-          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-          readOnly: true
-      controller.admissionWebhooks.createSecretJob.volumes:
-        - name: kube-api-access
-          projected:
-            defaultMode: 0444
-            sources:
-              - serviceAccountToken:
-                  path: token
-                  expirationSeconds: 3600
-              - configMap:
-                  name: kube-root-ca.crt
-                  items:
-                    - key: ca.crt
-                      path: ca.crt
-              - downwardAPI:
-                  items:
-                    - path: namespace
-                      fieldRef:
-                        apiVersion: v1
-                        fieldPath: metadata.namespace
-    asserts:
-      - equal:
-          path: spec.template.spec.automountServiceAccountToken
-          value: false
-      - equal:
-          path: spec.template.spec.containers[0].volumeMounts
-          value:
-            - name: kube-api-access
-              mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-              readOnly: true
-      - equal:
-          path: spec.template.spec.volumes
-          value:
-            - name: kube-api-access
-              projected:
-                defaultMode: 0444
-                sources:
-                  - serviceAccountToken:
-                      path: token
-                      expirationSeconds: 3600
-                  - configMap:
-                      name: kube-root-ca.crt
-                      items:
-                        - key: ca.crt
-                          path: ca.crt
-                  - downwardAPI:
-                      items:
-                        - path: namespace
-                          fieldRef:
-                            apiVersion: v1
-                            fieldPath: metadata.namespace

charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml

@@ -18,61 +18,3 @@ tests:
       - equal:
           path: spec.activeDeadlineSeconds
           value: 1
-
-  - it: should create a Job with custom volumes and volume mounts if `controller.admissionWebhooks.patchWebhookJob.volumes` and `controller.admissionWebhooks.patchWebhookJob.volumeMounts` are set
-    set:
-      controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
-      controller.admissionWebhooks.patchWebhookJob.volumeMounts:
-        - name: kube-api-access
-          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-          readOnly: true
-      controller.admissionWebhooks.patchWebhookJob.volumes:
-        - name: kube-api-access
-          projected:
-            defaultMode: 0444
-            sources:
-              - serviceAccountToken:
-                  path: token
-                  expirationSeconds: 3600
-              - configMap:
-                  name: kube-root-ca.crt
-                  items:
-                    - key: ca.crt
-                      path: ca.crt
-              - downwardAPI:
-                  items:
-                    - path: namespace
-                      fieldRef:
-                        apiVersion: v1
-                        fieldPath: metadata.namespace
-    asserts:
-      - equal:
-          path: spec.template.spec.automountServiceAccountToken
-          value: false
-      - equal:
-          path: spec.template.spec.containers[0].volumeMounts
-          value:
-            - name: kube-api-access
-              mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-              readOnly: true
-      - equal:
-          path: spec.template.spec.volumes
-          value:
-            - name: kube-api-access
-              projected:
-                defaultMode: 0444
-                sources:
-                  - serviceAccountToken:
-                      path: token
-                      expirationSeconds: 3600
-                  - configMap:
-                      name: kube-root-ca.crt
-                      items:
-                        - key: ca.crt
-                          path: ca.crt
-                  - downwardAPI:
-                      items:
-                        - path: namespace
-                          fieldRef:
-                            apiVersion: v1
-                            fieldPath: metadata.namespace

charts/ingress-nginx/tests/controller-daemonset_test.yaml

@@ -208,23 +208,3 @@ tests:
       - equal:
           path: spec.template.spec.runtimeClassName
           value: myClass
-
-  - it: should create a DaemonSet with resize policy if `controller.resizePolicy` is set
-    capabilities:
-      majorVersion: 1
-      minorVersion: 33
-    set:
-      controller.kind: DaemonSet
-      controller.resizePolicy:
-        - resourceName: cpu
-          restartPolicy: NotRequired
-        - resourceName: memory
-          restartPolicy: RestartContainer
-    asserts:
-      - equal:
-          path: spec.template.spec.containers[0].resizePolicy
-          value:
-            - resourceName: cpu
-              restartPolicy: NotRequired
-            - resourceName: memory
-              restartPolicy: RestartContainer

charts/ingress-nginx/tests/controller-deployment_test.yaml

@@ -231,22 +231,3 @@ tests:
       - equal:
           path: spec.template.spec.runtimeClassName
           value: myClass
-
-  - it: should create a Deployment with resize policy if `controller.resizePolicy` is set
-    capabilities:
-      majorVersion: 1
-      minorVersion: 33
-    set:
-      controller.resizePolicy:
-        - resourceName: cpu
-          restartPolicy: NotRequired
-        - resourceName: memory
-          restartPolicy: RestartContainer
-    asserts:
-      - equal:
-          path: spec.template.spec.containers[0].resizePolicy
-          value:
-            - resourceName: cpu
-              restartPolicy: NotRequired
-            - resourceName: memory
-              restartPolicy: RestartContainer

charts/ingress-nginx/tests/default-backend-deployment_test.yaml

@@ -196,26 +196,3 @@ tests:
       - equal:
           path: spec.template.spec.automountServiceAccountToken
           value: false
-
-  - it: should create a Deployment with extra volumes if `defaultBackend.extraVolumes` is set
-    set:
-      defaultBackend.enabled: true
-      defaultBackend.extraVolumes:
-        - name: extra-volume
-          configMap:
-            name: '{{ .Release.Name }}'
-      defaultBackend.extraVolumeMounts:
-        - name: extra-volume
-          mountPath: /extra
-    asserts:
-      - equal:
-          path: spec.template.spec.volumes
-          value:
-            - name: extra-volume
-              configMap:
-                name: RELEASE-NAME
-      - equal:
-          path: spec.template.spec.containers[0].volumeMounts
-          value:
-            - name: extra-volume
-              mountPath: /extra

charts/ingress-nginx/values.yaml

@@ -401,13 +401,6 @@ controller:
     requests:
       cpu: 100m
       memory: 90Mi
-  # -- Resize policy for controller containers.
-  # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources
-  resizePolicy: []
-  # - resourceName: cpu
-  #   restartPolicy: NotRequired
-  # - resourceName: memory
-  #   restartPolicy: RestartContainer
   # Mutually exclusive with keda autoscaling
   autoscaling:
     enabled: false
@@ -802,16 +795,6 @@ controller:
       # requests:
       #   cpu: 10m
       #   memory: 20Mi
-      # -- Volume mounts for secret creation containers
-      volumeMounts: []
-      # - name: certs
-      #   mountPath: /etc/webhook/certs
-      #   readOnly: true
-      # -- Volumes for secret creation pod
-      volumes: []
-      # - name: certs
-      #   secret:
-      #     secretName: my-webhook-secret
     patchWebhookJob:
       name: patch
       # -- Deadline in seconds for the job to complete. Must be greater than 0 to enforce. If unset or 0, no deadline is enforced.
@@ -829,16 +812,6 @@ controller:
             - ALL
         readOnlyRootFilesystem: true
       resources: {}
-      # -- Volume mounts for webhook patch containers
-      volumeMounts: []
-      # - name: certs
-      #   mountPath: /etc/webhook/certs
-      #   readOnly: true
-      # -- Volumes for webhook patch pod
-      volumes: []
-      # - name: certs
-      #   secret:
-      #     secretName: my-webhook-secret
     patch:
       enabled: true
       image:

docs/user-guide/nginx-configuration/configmap.md

@@ -84,7 +84,7 @@ The following table shows a configuration option's name, type, and the default v
 | [proxy-headers-hash-bucket-size](#proxy-headers-hash-bucket-size)               | int          | 64                                                                                                                                                                                                                                                                                                                                                           |                                                                                     |
 | [reuse-port](#reuse-port)                                                       | bool         | "true"                                                                                                                                                                                                                                                                                                                                                       |                                                                                     |
 | [server-tokens](#server-tokens)                                                 | bool         | "false"                                                                                                                                                                                                                                                                                                                                                      |                                                                                     |
-| [ssl-ciphers](#ssl-ciphers)                                                     | string       | "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"                                                                                                                          |                                                                                     |
+| [ssl-ciphers](#ssl-ciphers)                                                     | string       | "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"                                                                                                                          |                                                                                     |
 | [ssl-ecdh-curve](#ssl-ecdh-curve)                                               | string       | "auto"                                                                                                                                                                                                                                                                                                                                                       |                                                                                     |
 | [ssl-dh-param](#ssl-dh-param)                                                   | string       | ""                                                                                                                                                                                                                                                                                                                                                           |                                                                                     |
 | [ssl-protocols](#ssl-protocols)                                                 | string       | "TLSv1.2 TLSv1.3"                                                                                                                                                                                                                                                                                                                                            |                                                                                     |
@@ -606,7 +606,7 @@ Send NGINX Server header in responses and display NGINX version in error pages.
 Sets the [ciphers](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) list to enable. The ciphers are specified in the format understood by the OpenSSL library.
 
 The default cipher list is:
- `ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256`.
+ `ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384`.
 
 The ordering of a ciphersuite is very important because it decides which algorithms are going to be selected in priority. The recommendation above prioritizes algorithms that provide perfect [forward secrecy](https://wiki.mozilla.org/Security/Server_Side_TLS#Forward_Secrecy).
 

docs/user-guide/tls.md

@@ -145,7 +145,7 @@ apiVersion: v1
 metadata:
   name: nginx-config
 data:
-  ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
+  ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
   ssl-protocols: "TLSv1.2 TLSv1.3"
 ```
 

go.mod

@@ -4,6 +4,7 @@ go 1.25.1
 
 require (
 	dario.cat/mergo v1.0.2
+	github.com/armon/go-proxyproto v0.1.0
 	github.com/eapache/channels v1.1.0
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/google/go-github/v48 v48.2.0
@@ -17,7 +18,6 @@ require (
 	github.com/ncabatoff/process-exporter v0.8.7
 	github.com/onsi/ginkgo/v2 v2.25.3
 	github.com/opencontainers/cgroups v0.0.5
-	github.com/pires/go-proxyproto v0.8.1
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
 	github.com/prometheus/client_golang v1.23.2
 	github.com/prometheus/client_model v0.6.2

go.sum

@@ -10,6 +10,8 @@ github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/armon/go-proxyproto v0.1.0 h1:TWWcSsjco7o2itn6r25/5AqKBiWmsiuzsUDLT/MTl7k=
+github.com/armon/go-proxyproto v0.1.0/go.mod h1:Xj90dce2VKbHzRAeiVQAMBtj4M5oidoXJ8lmgyW21mw=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
@@ -192,8 +194,6 @@ github.com/opencontainers/cgroups v0.0.5 h1:DRITAqcOnY0uSBzIpt1RYWLjh5DPDiqUs4fY
 github.com/opencontainers/cgroups v0.0.5/go.mod h1:oWVzJsKK0gG9SCRBfTpnn16WcGEqDI8PAcpMGbqWxcs=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
-github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
-github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=

internal/ingress/controller/config/config.go

@@ -63,7 +63,7 @@ const (
 
 	// Enabled ciphers list to enabled. The ciphers are specified in the format understood by the OpenSSL library
 	// https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers
-	sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"
+	sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 
 	// SSL enabled protocols to use
 	// https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols

internal/ingress/controller/nginx.go

@@ -37,8 +37,8 @@ import (
 	"time"
 	"unicode"
 
+	proxyproto "github.com/armon/go-proxyproto"
 	"github.com/eapache/channels"
-	proxyproto "github.com/pires/go-proxyproto"
 	apiv1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/kubernetes/scheme"
@@ -832,7 +832,7 @@ func (n *NGINXController) setupSSLProxy() {
 		klog.Fatalf("%v", err)
 	}
 
-	proxyList := &proxyproto.Listener{Listener: listener, ReadHeaderTimeout: cfg.ProxyProtocolHeaderTimeout}
+	proxyList := &proxyproto.Listener{Listener: listener, ProxyHeaderTimeout: cfg.ProxyProtocolHeaderTimeout}
 
 	// accept TCP connections on the configured HTTPS port
 	go func() {