From fcbb16c9c3c9092e95d63f4c9fe835e8277ef764 Mon Sep 17 00:00:00 2001 From: jschaul Date: Thu, 22 Jan 2026 16:25:53 +0100 Subject: [PATCH 1/7] upgrade nginx-ingress-controller chart, update default flags --- changelog.d/5-internal/nginx-ingress-controller-upgrade | 1 + charts/ingress-nginx-controller/Chart.yaml | 2 +- charts/ingress-nginx-controller/values.yaml | 3 ++- 3 files changed, 4 insertions(+), 2 deletions(-) create mode 100644 changelog.d/5-internal/nginx-ingress-controller-upgrade diff --git a/changelog.d/5-internal/nginx-ingress-controller-upgrade b/changelog.d/5-internal/nginx-ingress-controller-upgrade new file mode 100644 index 00000000000..e6ab1b62a09 --- /dev/null +++ b/changelog.d/5-internal/nginx-ingress-controller-upgrade @@ -0,0 +1 @@ +Upgrade nginx-ingress-controller from 4.11.5 to 4.13.5 (k8s 1.29 - 1.33 officially supported - other version may also work) diff --git a/charts/ingress-nginx-controller/Chart.yaml b/charts/ingress-nginx-controller/Chart.yaml index 64e708e97a8..bdfd92237bf 100644 --- a/charts/ingress-nginx-controller/Chart.yaml +++ b/charts/ingress-nginx-controller/Chart.yaml @@ -4,5 +4,5 @@ name: ingress-nginx-controller version: 0.0.42 dependencies: - name: ingress-nginx - version: 4.11.5 # k8s compatibility [1.26 - 1.30] + version: 4.13.5 # k8s compatibility [1.29 - 1.33] repository: https://kubernetes.github.io/ingress-nginx diff --git a/charts/ingress-nginx-controller/values.yaml b/charts/ingress-nginx-controller/values.yaml index c28eb2a065c..587bc47ae3e 100644 --- a/charts/ingress-nginx-controller/values.yaml +++ b/charts/ingress-nginx-controller/values.yaml @@ -14,6 +14,7 @@ # for all possible values to override. ingress-nginx: controller: + enableAnnotationValidations: false # due to https://github.com/kubernetes/ingress-nginx/issues/12709 enableTopologyAwareRouting: true # Use kind: `DaemonSet` (when using NodePort) or `Deployment` (when using # LoadBalancer) @@ -56,4 +57,4 @@ ingress-nginx: # Also add ssl/tls protocol/cipher to gain some observability here (can we turn off TLS 1.2?) log-format-escape-json: true log-format-upstream: '{"bytes_sent": "$bytes_sent", "duration": "$request_time", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent", "method": "$request_method", "path": "$uri", "remote_addr": "$proxy_protocol_addr", "remote_user": "$remote_user", "request_id": "$req_id", "request_length": "$request_length", "request_proto": "$server_protocol", "request_time": "$request_time", "status": "$status", "time": "$time_iso8601", "tls_cipher": "$ssl_cipher", "tls_protocol": "$ssl_protocol", "vhost": "$host", "x_forwarded_for": "$proxy_add_x_forwarded_for"}' - allowSnippetAnnotations: true + allow-snippet-annotations: true From c3b1e4c613523f9238d28bc756fe33c9a3f182ac Mon Sep 17 00:00:00 2001 From: jschaul Date: Mon, 26 Jan 2026 13:00:49 +0100 Subject: [PATCH 2/7] Hi CI From 6545eaae101b8da62b08f3efb6945052b151af6a Mon Sep 17 00:00:00 2001 From: jschaul Date: Mon, 26 Jan 2026 14:27:45 +0100 Subject: [PATCH 3/7] re-add the older style allowSnippetAnnotations --- charts/ingress-nginx-controller/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/ingress-nginx-controller/values.yaml b/charts/ingress-nginx-controller/values.yaml index 587bc47ae3e..1020ceef6a8 100644 --- a/charts/ingress-nginx-controller/values.yaml +++ b/charts/ingress-nginx-controller/values.yaml @@ -57,4 +57,5 @@ ingress-nginx: # Also add ssl/tls protocol/cipher to gain some observability here (can we turn off TLS 1.2?) log-format-escape-json: true log-format-upstream: '{"bytes_sent": "$bytes_sent", "duration": "$request_time", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent", "method": "$request_method", "path": "$uri", "remote_addr": "$proxy_protocol_addr", "remote_user": "$remote_user", "request_id": "$req_id", "request_length": "$request_length", "request_proto": "$server_protocol", "request_time": "$request_time", "status": "$status", "time": "$time_iso8601", "tls_cipher": "$ssl_cipher", "tls_protocol": "$ssl_protocol", "vhost": "$host", "x_forwarded_for": "$proxy_add_x_forwarded_for"}' - allow-snippet-annotations: true + allow-snippet-annotations: true # new format for this flag in newer versions + allowSnippetAnnotations: true # needed up to and including version 1.13 From d450e7cbcb876d245aeaa280e08b7c88131819e9 Mon Sep 17 00:00:00 2001 From: jschaul Date: Mon, 26 Jan 2026 21:48:48 +0100 Subject: [PATCH 4/7] try whether it's a class naming issue --- hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl b/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl index c137f045884..9fb9410cbca 100644 --- a/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl +++ b/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl @@ -1,6 +1,9 @@ ingress-nginx: fullnameOverride: "{{ .Release.Namespace }}-nginx-ingress" controller: + # Must match the controllerValue on the IngressClass or the controller + # will ignore the ingress resources. + class: "k8s.io/{{ .Release.Namespace }}-nginx-ingress" ingressClassResource: name: "nginx-{{ .Release.Namespace }}" # -- Is this ingressClass enabled or not From 73a5d229829731841795b55cd6c3e284c4cf6372 Mon Sep 17 00:00:00 2001 From: jschaul Date: Tue, 27 Jan 2026 11:13:19 +0100 Subject: [PATCH 5/7] remove flag --- charts/ingress-nginx-controller/values.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/charts/ingress-nginx-controller/values.yaml b/charts/ingress-nginx-controller/values.yaml index 1020ceef6a8..20b01797e21 100644 --- a/charts/ingress-nginx-controller/values.yaml +++ b/charts/ingress-nginx-controller/values.yaml @@ -57,5 +57,4 @@ ingress-nginx: # Also add ssl/tls protocol/cipher to gain some observability here (can we turn off TLS 1.2?) log-format-escape-json: true log-format-upstream: '{"bytes_sent": "$bytes_sent", "duration": "$request_time", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent", "method": "$request_method", "path": "$uri", "remote_addr": "$proxy_protocol_addr", "remote_user": "$remote_user", "request_id": "$req_id", "request_length": "$request_length", "request_proto": "$server_protocol", "request_time": "$request_time", "status": "$status", "time": "$time_iso8601", "tls_cipher": "$ssl_cipher", "tls_protocol": "$ssl_protocol", "vhost": "$host", "x_forwarded_for": "$proxy_add_x_forwarded_for"}' - allow-snippet-annotations: true # new format for this flag in newer versions - allowSnippetAnnotations: true # needed up to and including version 1.13 + allowSnippetAnnotations: true From 2c210f6093a018296f97cbd758811a98e73879c8 Mon Sep 17 00:00:00 2001 From: jschaul Date: Tue, 27 Jan 2026 12:29:04 +0100 Subject: [PATCH 6/7] Revert "remove flag" This reverts commit 73a5d229829731841795b55cd6c3e284c4cf6372. --- charts/ingress-nginx-controller/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/ingress-nginx-controller/values.yaml b/charts/ingress-nginx-controller/values.yaml index 20b01797e21..1020ceef6a8 100644 --- a/charts/ingress-nginx-controller/values.yaml +++ b/charts/ingress-nginx-controller/values.yaml @@ -57,4 +57,5 @@ ingress-nginx: # Also add ssl/tls protocol/cipher to gain some observability here (can we turn off TLS 1.2?) log-format-escape-json: true log-format-upstream: '{"bytes_sent": "$bytes_sent", "duration": "$request_time", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent", "method": "$request_method", "path": "$uri", "remote_addr": "$proxy_protocol_addr", "remote_user": "$remote_user", "request_id": "$req_id", "request_length": "$request_length", "request_proto": "$server_protocol", "request_time": "$request_time", "status": "$status", "time": "$time_iso8601", "tls_cipher": "$ssl_cipher", "tls_protocol": "$ssl_protocol", "vhost": "$host", "x_forwarded_for": "$proxy_add_x_forwarded_for"}' - allowSnippetAnnotations: true + allow-snippet-annotations: true # new format for this flag in newer versions + allowSnippetAnnotations: true # needed up to and including version 1.13 From eff7aec07b9be91b90002b6df7e1c25d1879f5be Mon Sep 17 00:00:00 2001 From: jschaul Date: Tue, 27 Jan 2026 12:29:29 +0100 Subject: [PATCH 7/7] try one more thing --- hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl b/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl index 9fb9410cbca..fdcd7c9c5cb 100644 --- a/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl +++ b/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl @@ -4,6 +4,9 @@ ingress-nginx: # Must match the controllerValue on the IngressClass or the controller # will ignore the ingress resources. class: "k8s.io/{{ .Release.Namespace }}-nginx-ingress" + # Accept IngressClass names even if the IngressClass object is not found yet + # (controller still filters by the class string). + ingressClassByName: true ingressClassResource: name: "nginx-{{ .Release.Namespace }}" # -- Is this ingressClass enabled or not