Releases: oracle/oci-native-ingress-controller
v1.4.0 NSG and Tagging Support
Caution
Starting from this version, OCI Native Ingress Controller will start configuring NSG associations and tags for LoadBalancers managed by it. Please see the Upgrade Steps section for preparatory steps you may need to perform before upgrading to this version.
New Features and Support
- NSG support is now available; for details see Network Security Groups Support. You may need to perform preparatory steps before upgrading to this version if you already have LoadBalancers assigned to any NSGs; please check the Upgrade Steps section if you do.
- Tagging support is now available; for details see Tagging Support. You may need to perform preparatory steps before upgrading to this version if you already have defined or freeform tags applied to your LoadBalancers; please check the Upgrade Steps section if you do.
- Users can now signal NIC to not delete a LoadBalancer when the corresponding IngressClass resource is deleted; please see Load Balancer Preservation on IngressClass delete for details.
Upgrade Steps
Pre-Upgrade
- For all LoadBalancers managed by NIC that have NSG associations, add the oci-native-ingress.oraclecloud.com/network-security-group-ids annotation in the corresponding IngressClass resource to ensure NIC will retain them on upgrade.
  Example:
      apiVersion: networking.k8s.io/v1
      kind: IngressClass
      metadata:
        annotations:
          oci-native-ingress.oraclecloud.com/network-security-group-ids: ocid1.networksecuritygroup.oc1.abc,ocid1.networksecuritygroup.oc1.xyz
- For all LoadBalancers managed by NIC that have defined and freeform tags, add the oci-native-ingress.oraclecloud.com/defined-tags and oci-native-ingress.oraclecloud.com/freeform-tags annotations in the corresponding IngressClass resource to ensure NIC will retain them on upgrade.
  Example:
      apiVersion: networking.k8s.io/v1
      kind: IngressClass
      metadata:
        annotations:
          oci-native-ingress.oraclecloud.com/defined-tags: '{"namespace-1": {"key1": "value1", "key2": "value2"}, "namespace-2": {"key1": "value1"}}'
          oci-native-ingress.oraclecloud.com/freeform-tags: '{"key1": "value1", "key2": "value2"}'
- Add an appropriate policy to give NIC permissions to use tag-namespaces for any defined tags that NIC has to manage. See Policy Reference for more information.
  An example policy that grants NIC permission to use all tag-namespaces in tenancy:
      Allow <subject> to use tag-namespaces in tenancy
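A pre-upgrade check for the first two steps, as an added example that is not part of the project's code: it builds the three annotations from a load balancer's current state and lists anything on the load balancer that an IngressClass does not declare yet. The function names are hypothetical, and the input field names (`network-security-group-ids`, `defined-tags`, `freeform-tags`) assume load balancer JSON shaped like OCI CLI output.

```python
import json

PREFIX = "oci-native-ingress.oraclecloud.com/"
NSG = PREFIX + "network-security-group-ids"
DEFINED = PREFIX + "defined-tags"
FREEFORM = PREFIX + "freeform-tags"

def annotations_for(lb):
    """Annotations that declare the NSGs and tags currently on one load balancer."""
    out = {}
    if lb.get("network-security-group-ids"):
        out[NSG] = ",".join(lb["network-security-group-ids"])
    if lb.get("defined-tags"):
        out[DEFINED] = json.dumps(lb["defined-tags"], sort_keys=True)
    if lb.get("freeform-tags"):
        out[FREEFORM] = json.dumps(lb["freeform-tags"], sort_keys=True)
    return out

def undeclared(lb, annotations):
    """List load balancer settings that the IngressClass annotations do not declare yet."""
    gaps = []
    declared = {n.strip() for n in annotations.get(NSG, "").split(",") if n.strip()}
    for nsg in lb.get("network-security-group-ids") or []:
        if nsg not in declared:
            gaps.append("nsg:" + nsg)
    freeform = json.loads(annotations.get(FREEFORM, "{}"))
    for key, value in (lb.get("freeform-tags") or {}).items():
        if freeform.get(key) != value:
            gaps.append("freeform:" + key)
    defined = json.loads(annotations.get(DEFINED, "{}"))
    for ns, tags in (lb.get("defined-tags") or {}).items():
        for key, value in tags.items():
            if defined.get(ns, {}).get(key) != value:
                gaps.append("defined:%s.%s" % (ns, key))
    return sorted(gaps)

# Constructed sample: OCIDs and tags reuse the placeholder values from the examples above.
SAMPLE_LB = {
    "network-security-group-ids": ["ocid1.networksecuritygroup.oc1.abc",
                                   "ocid1.networksecuritygroup.oc1.xyz"],
    "defined-tags": {"namespace-1": {"key1": "value1", "key2": "value2"}},
    "freeform-tags": {"key1": "value1"},
}
# Constructed IngressClass annotations that cover only part of that state.
PARTIAL = {NSG: "ocid1.networksecuritygroup.oc1.abc",
           DEFINED: '{"namespace-1": {"key1": "value1"}}'}

if __name__ == "__main__":
    print("not yet declared:", undeclared(SAMPLE_LB, PARTIAL))
    for key, value in annotations_for(SAMPLE_LB).items():
        print("%s: '%s'" % (key, value))
```

An empty result from `undeclared` for every managed load balancer means the NSG and tag annotations already cover what is attached to it.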
Upgrade
Upgrade as described in Deployment, following your installation method. Please use the latest helm chart while upgrading, since additional permissions have been added to the ClusterRole used by NIC.
What's Changed
- Fix finalizer removal logic for ingresses by @piyush-tiwari in #87
- Support for dynamic workload resource principal by @akka19 in #92
- Sync with internal repo by @piyush-tiwari in #99
- Add delete-protection-enabled annotation for IngressClasses
- Add NSG support for IngressClasses
- Fix update logic for BackendSets and Listeners
- Add tagging support for IngressClass by @piyush-tiwari in #103
- Sync with internal repo by @piyush-tiwari in #107
- Add PodSecurityContext for stricter default security posture
- Fix GetSSLConfigForBackendSet logic for secret type artifacts
- Update base image to Oracle Linux 8
- Add default tagging support
New Contributors
Full Changelog: v1.3.9...v1.4.0
v1.3.9 Bugfix release
What's Changed
- Sync with Internal Repo for bug fixes by @piyush-tiwari in #83
-- Fixed a bug where Native Ingress Controller panics if no TLS configuration is supplied for HTTP2 annotated ingresses
-- Fixed Issue #78, where LB BackendSets weren't getting created for Ingresses which referenced services with named TargetPort, in clusters with Native Pod Networking as the CNI
- Bump protobuf and net dependencies by @piyush-tiwari in #84
Full Changelog: v1.3.8...v1.3.9
v1.3.8 TCP Listener Support
What's Changed
- Extract CA chain from tls.crt if ca.crt is missing for secret-type tls artifact by @antoniolago and @piyush-tiwari in #76
- Add TCP listener support by @piyush-tiwari in #81
Full Changelog: v1.3.7...v1.3.8
New features and support
- For HTTPS/TLS support, you can now supply the entire certificate chain in the tls.crt field and omit the ca.crt field in the sample configuration. Expected order is server certificate first, and then the certificate authority chain.
- TCP Listeners are supported now, sample Ingress available at TCP Listener Support.
v1.3.7 Ingress-level Listener Port Support
What's Changed
- Added support for ingress-level listener port annotations by @piyush-tiwari in #73
Full Changelog: v1.3.6...v1.3.7
Release Notes
Currently, NIC creates a listener port on the IngressClass backed LB for each backend service port specified in the Ingress resource.
Users can now use the following annotations on their Ingress resources to specify a single listener LB port for all HTTP(S) communication. The values for these annotations should be numeric strings. They have no nil value, so they should be removed entirely if not in use:
oci-native-ingress.oraclecloud.com/http-listener-port: "80"
oci-native-ingress.oraclecloud.com/https-listener-port: "443"
Behaviour
- The port configured in oci-native-ingress.oraclecloud.com/http-listener-port will be used for all HTTP traffic handled by the LB for the Ingress. The routing policies will be configured accordingly, merging all rules specified in the Ingress resource.
- The port configured in oci-native-ingress.oraclecloud.com/https-listener-port will be used for all HTTPS traffic for TLS configured hosts by the LB for the Ingress. The routing policies will be configured accordingly, merging all rules specified in the Ingress resource. Note that if a Certificate Annotation is used in the Ingress resource, all hosts are considered TLS configured.
v1.3.6 Bugfix release
What's Changed
- Update default cni for get cluster calls by @Inbaraj-S in #72
Full Changelog: v1.3.5...v1.3.6
v1.3.5 Bugfix release
What's Changed
- Add metadata env variable by @piyush-tiwari in #67
- Fix namespace deletion on helm upgrade by @piyush-tiwari in #68
New Contributors
- @piyush-tiwari made their first contribution in #67
Full Changelog: v1.3.4...v1.3.5
v1.3.4 Bugfix Release
What's Changed
- oke-30296-fix-multi-nodeport-bug by @Inbaraj-S in #52
- Added missing namespace check during install by @matthewmcdaniel in #55
- Specify region in values.yaml during deployment.yaml by @matthewmcdaniel in #53
PS: In this release we have found an issue in the chart where the namespace may get deleted if the user tries to upgrade after installing the 1.3.4 chart version. You will be impacted if you have taken the latest chart from this release and try to run a subsequent helm upgrade. If you are already working under this release, please move to 1.3.5 before any helm upgrade.
New Contributors
- @matthewmcdaniel made their first contribution in #55
Full Changelog: v1.3.3...v1.3.4
v1.3.3 SSL Termination at LB
What's Changed
- Add support to disable TLS on the backend via the new annotation oci-native-ingress.oraclecloud.com/backend-tls-enabled: "false".
- Release doc update v1.3.3 by @Inbaraj-S in #50
New Contributors
Full Changelog: v1.3.2...v1.3.3
V1.3.2 Multi arch support
Updates
- Added support for Multi-Arch-Manifest images (ARM and AMD).
- Bugfix:
  - Ingress state build failure due to missing ingressclass definition. #33
Multi-Arch Image Test Release
- Sanity test for ARM/AMD support.