"ingress-nginx" has been added to your repositories
helmfile-tests, ingress-nginx, ClusterRole (rbac.authorization.k8s.io) has changed:
helmfile-tests, ingress-nginx, ClusterRoleBinding (rbac.authorization.k8s.io) has changed:
  # Source: ingress-nginx/templates/clusterrolebinding.yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    labels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
      app.kubernetes.io/managed-by: Helm
    name: ingress-nginx
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: ingress-nginx
  subjects:
    - kind: ServiceAccount
      name: ingress-nginx
-     namespace: "helmfile-tests"
+     namespace: helmfile-tests
helmfile-tests, ingress-nginx, Role (rbac.authorization.k8s.io) has changed:
  # Source: ingress-nginx/templates/controller-role.yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    labels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/component: controller
    name: ingress-nginx
    namespace: helmfile-tests
  rules:
    - apiGroups:
        - ""
      resources:
        - namespaces
      verbs:
        - get
    - apiGroups:
        - ""
      resources:
        - configmaps
        - pods
        - secrets
        - endpoints
      verbs:
        - get
        - list
        - watch
    - apiGroups:
        - ""
      resources:
        - services
      verbs:
        - get
        - list
        - watch
    - apiGroups:
        - networking.k8s.io
      resources:
        - ingresses
      verbs:
        - get
        - list
        - watch
+   # Omit Ingress status permissions if `--update-status` is disabled.
    - apiGroups:
        - networking.k8s.io
      resources:
        - ingresses/status
      verbs:
        - update
    - apiGroups:
        - networking.k8s.io
      resources:
        - ingressclasses
      verbs:
        - get
        - list
        - watch
    - apiGroups:
        - coordination.k8s.io
      resources:
        - leases
      resourceNames:
        - ingress-nginx-leader
      verbs:
        - get
        - update
    - apiGroups:
        - coordination.k8s.io
      resources:
        - leases
      verbs:
        - create
    - apiGroups:
        - ""
      resources:
        - events
      verbs:
        - create
        - patch
    - apiGroups:
        - discovery.k8s.io
      resources:
        - endpointslices
      verbs:
        - list
        - watch
        - get
helmfile-tests, ingress-nginx, RoleBinding (rbac.authorization.k8s.io) has changed:
  # Source: ingress-nginx/templates/controller-rolebinding.yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    labels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/component: controller
    name: ingress-nginx
    namespace: helmfile-tests
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: ingress-nginx
  subjects:
    - kind: ServiceAccount
      name: ingress-nginx
-     namespace: "helmfile-tests"
+     namespace: helmfile-tests
helmfile-tests, ingress-nginx, ServiceAccount (v1) has changed:
helmfile-tests, ingress-nginx-admission, ClusterRole (rbac.authorization.k8s.io) has changed:
helmfile-tests, ingress-nginx-admission, ClusterRoleBinding (rbac.authorization.k8s.io) has changed:
  # Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: ingress-nginx-admission
    annotations:
      "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
      "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
    labels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/component: admission-webhook
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: ingress-nginx-admission
  subjects:
    - kind: ServiceAccount
      name: ingress-nginx-admission
-     namespace: "helmfile-tests"
+     namespace: helmfile-tests
helmfile-tests, ingress-nginx-admission, Role (rbac.authorization.k8s.io) has changed:
  # Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
-   name:  ingress-nginx-admission
+   name: ingress-nginx-admission
    namespace: helmfile-tests
    annotations:
      "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
      "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
    labels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/component: admission-webhook
  rules:
    - apiGroups:
        - ""
      resources:
        - secrets
      verbs:
        - get
        - create
helmfile-tests, ingress-nginx-admission, RoleBinding (rbac.authorization.k8s.io) has changed:
  # Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: ingress-nginx-admission
    namespace: helmfile-tests
    annotations:
      "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
      "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
    labels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/component: admission-webhook
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: ingress-nginx-admission
  subjects:
    - kind: ServiceAccount
      name: ingress-nginx-admission
-     namespace: "helmfile-tests"
+     namespace: helmfile-tests
helmfile-tests, ingress-nginx-admission, ServiceAccount (v1) has changed:
helmfile-tests, ingress-nginx-admission, ValidatingWebhookConfiguration (admissionregistration.k8s.io) has changed:
  # Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
  # before changing this value, check the required kubernetes version
  # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
  apiVersion: admissionregistration.k8s.io/v1
  kind: ValidatingWebhookConfiguration
  metadata:
    annotations:
    labels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/component: admission-webhook
    name: ingress-nginx-admission
  webhooks:
    - name: validate.nginx.ingress.kubernetes.io
      matchPolicy: Equivalent
      rules:
        - apiGroups:
            - networking.k8s.io
          apiVersions:
            - v1
          operations:
            - CREATE
            - UPDATE
          resources:
            - ingresses
      failurePolicy: Fail
      sideEffects: None
      admissionReviewVersions:
        - v1
      clientConfig:
        service:
-         namespace: "helmfile-tests"
          name: ingress-nginx-controller-admission
+         namespace: helmfile-tests
          path: /networking/v1/ingresses
helmfile-tests, ingress-nginx-admission-create, Job (batch) has changed:
  # Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
  apiVersion: batch/v1
  kind: Job
  metadata:
    name: ingress-nginx-admission-create
    namespace: helmfile-tests
    annotations:
      "helm.sh/hook": pre-install,pre-upgrade
      "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
    labels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/component: admission-webhook
  spec:
    template:
      metadata:
        name: ingress-nginx-admission-create
        labels:
          app.kubernetes.io/name: ingress-nginx
          app.kubernetes.io/instance: ingress-nginx
          app.kubernetes.io/part-of: ingress-nginx
          app.kubernetes.io/managed-by: Helm
          app.kubernetes.io/component: admission-webhook
      spec:
        containers:
          - name: create
-           image: "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80"
+           image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
            imagePullPolicy: IfNotPresent
            args:
              - create
              - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
              - --namespace=$(POD_NAMESPACE)
              - --secret-name=ingress-nginx-admission
            env:
              - name: POD_NAMESPACE
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.namespace
            securityContext: 
              allowPrivilegeEscalation: false
+             capabilities:
+               drop:
+               - ALL
+             readOnlyRootFilesystem: true
+             runAsNonRoot: true
+             runAsUser: 65532
+             seccompProfile:
+               type: RuntimeDefault
        restartPolicy: OnFailure
        serviceAccountName: ingress-nginx-admission
        nodeSelector: 
          kubernetes.io/os: linux
-       securityContext:
-         fsGroup: 2000
-         runAsNonRoot: true
-         runAsUser: 2000
helmfile-tests, ingress-nginx-admission-patch, Job (batch) has changed:
  # Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
  apiVersion: batch/v1
  kind: Job
  metadata:
    name: ingress-nginx-admission-patch
    namespace: helmfile-tests
    annotations:
      "helm.sh/hook": post-install,post-upgrade
      "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
    labels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/component: admission-webhook
  spec:
    template:
      metadata:
        name: ingress-nginx-admission-patch
        labels:
          app.kubernetes.io/name: ingress-nginx
          app.kubernetes.io/instance: ingress-nginx
          app.kubernetes.io/part-of: ingress-nginx
          app.kubernetes.io/managed-by: Helm
          app.kubernetes.io/component: admission-webhook
      spec:
        containers:
          - name: patch
-           image: "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80"
+           image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0@sha256:a7943503b45d552785aa3b5e457f169a5661fb94d82b8a3373bcd9ebaf9aac80
            imagePullPolicy: IfNotPresent
            args:
              - patch
              - --webhook-name=ingress-nginx-admission
              - --namespace=$(POD_NAMESPACE)
              - --patch-mutating=false
              - --secret-name=ingress-nginx-admission
              - --patch-failure-policy=Fail
            env:
              - name: POD_NAMESPACE
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.namespace
            securityContext: 
              allowPrivilegeEscalation: false
+             capabilities:
+               drop:
+               - ALL
+             readOnlyRootFilesystem: true
+             runAsNonRoot: true
+             runAsUser: 65532
+             seccompProfile:
+               type: RuntimeDefault
        restartPolicy: OnFailure
        serviceAccountName: ingress-nginx-admission
        nodeSelector: 
          kubernetes.io/os: linux
-       securityContext:
-         fsGroup: 2000
-         runAsNonRoot: true
-         runAsUser: 2000
helmfile-tests, ingress-nginx-controller, ConfigMap (v1) has changed:
helmfile-tests, ingress-nginx-controller, Deployment (apps) has changed:
  # Source: ingress-nginx/templates/controller-deployment.yaml
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    labels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/component: controller
    name: ingress-nginx-controller
    namespace: helmfile-tests
  spec:
    selector:
      matchLabels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    replicas: 1
    revisionHistoryLimit: 10
    minReadySeconds: 0
    template:
      metadata:
        labels:
          app.kubernetes.io/name: ingress-nginx
          app.kubernetes.io/instance: ingress-nginx
          app.kubernetes.io/part-of: ingress-nginx
          app.kubernetes.io/managed-by: Helm
          app.kubernetes.io/component: controller
      spec:
        dnsPolicy: ClusterFirst
        containers:
          - name: controller
-           image: "registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3"
+           image: registry.k8s.io/ingress-nginx/controller:v1.9.5@sha256:b3aba22b1da80e7acfc52b115cae1d4c687172cbf2b742d5b502419c25ff340e
            imagePullPolicy: IfNotPresent
            lifecycle: 
              preStop:
                exec:
                  command:
                  - /wait-shutdown
-           args:
+           args: 
              - /nginx-ingress-controller
              - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
              - --election-id=ingress-nginx-leader
              - --controller-class=k8s.io/ingress-nginx
              - --ingress-class=nginx
              - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
              - --validating-webhook=:8443
              - --validating-webhook-certificate=/usr/local/certificates/cert
              - --validating-webhook-key=/usr/local/certificates/key
            securityContext: 
+             runAsNonRoot: true
+             runAsUser: 101
+             allowPrivilegeEscalation: false
+             seccompProfile: 
+               type: RuntimeDefault
              capabilities:
                drop:
                - ALL
                add:
                - NET_BIND_SERVICE
-             runAsUser: 101
-             allowPrivilegeEscalation: true
+             readOnlyRootFilesystem: false
            env:
              - name: POD_NAME
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.name
              - name: POD_NAMESPACE
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.namespace
              - name: LD_PRELOAD
                value: /usr/local/lib/libmimalloc.so
            livenessProbe: 
              failureThreshold: 5
              httpGet:
                path: /healthz
                port: 10254
                scheme: HTTP
              initialDelaySeconds: 10
              periodSeconds: 10
              successThreshold: 1
              timeoutSeconds: 1
            readinessProbe: 
              failureThreshold: 3
              httpGet:
                path: /healthz
                port: 10254
                scheme: HTTP
              initialDelaySeconds: 10
              periodSeconds: 10
              successThreshold: 1
              timeoutSeconds: 1
            ports:
              - name: http
                containerPort: 80
                protocol: TCP
              - name: https
                containerPort: 443
                protocol: TCP
              - name: webhook
                containerPort: 8443
                protocol: TCP
            volumeMounts:
              - name: webhook-cert
                mountPath: /usr/local/certificates/
                readOnly: true
            resources: 
              requests:
                cpu: 100m
                memory: 90Mi
        nodeSelector: 
          kubernetes.io/os: linux
        serviceAccountName: ingress-nginx
        terminationGracePeriodSeconds: 300
        volumes:
          - name: webhook-cert
            secret:
              secretName: ingress-nginx-admission
helmfile-tests, ingress-nginx-controller, Service (v1) has changed:
helmfile-tests, ingress-nginx-controller-admission, Service (v1) has changed:
helmfile-tests, nginx, IngressClass (networking.k8s.io) has changed:
helmfile-tests, ingress-nginx-admission, NetworkPolicy (networking.k8s.io) has been removed:
- # Source: ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml
- apiVersion: networking.k8s.io/v1
- kind: NetworkPolicy
- metadata:
-   name: ingress-nginx-admission
-   namespace: helmfile-tests
-   annotations:
-     "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
-     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
-   labels:
-     app.kubernetes.io/name: ingress-nginx
-     app.kubernetes.io/instance: ingress-nginx
-     app.kubernetes.io/part-of: ingress-nginx
-     app.kubernetes.io/managed-by: Helm
-     app.kubernetes.io/component: admission-webhook
- spec:
-   podSelector:
-     matchLabels:
-       app.kubernetes.io/name: ingress-nginx
-       app.kubernetes.io/instance: ingress-nginx
-       app.kubernetes.io/component: admission-webhook
-   policyTypes:
-     - Ingress
-     - Egress
-   egress:
-     - {}
+ 
Comparing release=ingress-nginx, chart=ingress-nginx/ingress-nginx, namespace=helmfile-tests
