Merge branch 'master' into chore/helm-chart-repo

Author: juzhiyuan

.github/workflows/ci.yaml

@@ -29,11 +29,12 @@ jobs:
               --name ct-lint \
               --volume $PWD:/workdir \
               --workdir /workdir/charts/apisix \
-              quay.io/helmpack/chart-testing:v3.4.0 sh -c 'helm dependency update \
+              quay.io/helmpack/chart-testing:v3.13.0 sh -c 'helm dependency update \
                && cd ../.. \
                && helm repo add bitnami https://charts.bitnami.com/bitnami \
                && helm repo add apisix https://apache.github.io/apisix-helm-chart \
                && ct lint \
+                  --validate-maintainers=false \
                   --charts charts/apisix \
                   --charts charts/apisix-dashboard \
                   --charts charts/apisix-ingress-controller'
@@ -62,7 +63,7 @@ jobs:
               --volume $HOME/.kube/kind-config-kind:/root/.kube/config \
               --volume $PWD:/workdir \
               --workdir /workdir/charts/apisix \
-              quay.io/helmpack/chart-testing:v3.4.0 sh -c 'helm dependency update \
+              quay.io/helmpack/chart-testing:v3.13.0 sh -c 'helm dependency update \
                && cd ../.. \
                && helm repo add bitnami https://charts.bitnami.com/bitnami \
                && helm repo add apisix https://apache.github.io/apisix-helm-chart \

charts/apisix-ingress-controller/Chart.yaml

@@ -24,8 +24,8 @@ keywords:
   - nginx
   - crd
 type: application
-version: 1.0.3
-appVersion: 2.0.0-rc2
+version: 1.0.5
+appVersion: 2.0.0-rc4
 sources:
   - https://github.com/apache/apisix-helm-chart
 

charts/apisix-ingress-controller/README.md

@@ -124,14 +124,15 @@ The same for container level, you need to set:
 | config.metricsAddr | string | `":8080"` |  |
 | config.probeAddr | string | `":8081"` |  |
 | config.provider.initSyncDelay | string | `"20m"` |  |
-| config.provider.syncPeriod | string | `"1s"` |  |
+| config.provider.syncPeriod | string | `"1m"` |  |
 | config.provider.type | string | `"apisix"` |  |
 | config.secureMetrics | bool | `false` |  |
+| deployment.adcContainer | object | `{"config":{"logLevel":"info"},"image":{"repository":"ghcr.io/api7/adc","tag":"0.21.0"}}` | Set adc sidecar container configuration |
 | deployment.affinity | object | `{}` |  |
 | deployment.annotations | object | `{}` | Add annotations to Apache APISIX ingress controller resource |
 | deployment.image.pullPolicy | string | `"IfNotPresent"` |  |
 | deployment.image.repository | string | `"apache/apisix-ingress-controller"` |  |
-| deployment.image.tag | string | `"2.0.0-rc2"` |  |
+| deployment.image.tag | string | `"2.0.0-rc4"` |  |
 | deployment.nodeSelector | object | `{}` |  |
 | deployment.podAnnotations | object | `{}` |  |
 | deployment.podSecurityContext | object | `{}` |  |
@@ -151,3 +152,9 @@ The same for container level, you need to set:
 | podDisruptionBudget.enabled | bool | `false` | Enable or disable podDisruptionBudget |
 | podDisruptionBudget.maxUnavailable | int | `1` | Set the maxUnavailable of podDisruptionBudget |
 | podDisruptionBudget.minAvailable | string | `"90%"` | Set the `minAvailable` of podDisruptionBudget. You can specify only one of `maxUnavailable` and `minAvailable` in a single PodDisruptionBudget. See [Specifying a Disruption Budget for your Application](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget) for more details |
+| serviceMonitor.annotations | object | `{}` | @param serviceMonitor.annotations ServiceMonitor annotations |
+| serviceMonitor.enabled | bool | `false` | Enable or disable ServiceMonitor |
+| serviceMonitor.interval | string | `"15s"` | @param serviceMonitor.interval Interval at which metrics should be scraped |
+| serviceMonitor.labels | object | `{}` | @param serviceMonitor.labels ServiceMonitor extra labels |
+| serviceMonitor.metricRelabelings | object | `{}` | @param serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion. ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs |
+| serviceMonitor.namespace | string | `"monitoring"` | @param serviceMonitor.namespace Namespace in which to create the ServiceMonitor |

charts/apisix-ingress-controller/templates/deployment.yaml

@@ -53,6 +53,11 @@ spec:
             fieldRef:
               fieldPath: metadata.name
         image: "{{ .Values.deployment.image.repository }}:{{ .Values.deployment.image.tag }}"
+        imagePullPolicy: {{ .Values.deployment.image.pullPolicy }}
+        ports:
+        - containerPort: {{ splitList ":" .Values.config.metricsAddr | last | int }}
+          name: metrics
+          protocol: TCP
         volumeMounts:
         - name: {{ .Release.Name }}-ingress-config
           mountPath: /app/conf/config.yaml
@@ -74,6 +79,43 @@ spec:
           {{- toYaml .Values.deployment.resources | nindent 10 }}
         securityContext:
           {{- toYaml .Values.deployment.podSecurityContext | nindent 10 }}
+      - name: adc-server
+        image: "{{ .Values.deployment.adcContainer.image.repository }}:{{ .Values.deployment.adcContainer.image.tag }}"
+        imagePullPolicy: {{ .Values.deployment.image.pullPolicy }}
+        args:
+        - "server"
+        - "--listen"
+        - "http://127.0.0.1:3000"
+        - "--listen-status"
+        - "3001"
+        env:
+        - name: ADC_RUNNING_MODE
+          value: "ingress"
+        - name: ADC_EXPERIMENTAL_FEATURE_FLAGS
+          value: "remote-state-file,parallel-backend-request"
+        - name: ADC_INGRESS_LOG_LEVEL
+          value: "{{ .Values.deployment.adcContainer.config.logLevel }}"
+        ports:
+        - name: http-status
+          containerPort: 3001
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /healthz/ready
+            port: 3001
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          timeoutSeconds: 10
+        readinessProbe:
+          httpGet:
+            path: /healthz/ready
+            port: 3001
+          initialDelaySeconds: 5
+          periodSeconds: 5
+        resources:
+          {{- toYaml .Values.deployment.resources | nindent 10 }}
+        securityContext:
+          {{- toYaml .Values.deployment.podSecurityContext | nindent 10 }}
       {{- with .Values.deployment.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/apisix-ingress-controller/templates/service.yaml

@@ -19,13 +19,13 @@ kind: Service
 metadata:
   labels:
     {{- include "apisix-ingress-controller-manager.labels" . | nindent 4 }}
-  name: {{ .Release.Name }}-metrics-service
+  name: {{ include "apisix-ingress-controller-manager.name.fullname" . }}
   namespace: {{ .Release.Namespace }}
 spec:
   ports:
-  - name: https
-    port: 8443
+  - name: metrics
+    port: 8080
     protocol: TCP
-    targetPort: 8443
+    targetPort: metrics
   selector:
    {{- include "apisix-ingress-controller-manager.selectorLabels" . | nindent 4 }}

charts/apisix-ingress-controller/templates/servicemonitor.yaml

@@ -0,0 +1,48 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "apisix-ingress-controller-manager.name.fullname" . }}
+  {{- if .Values.serviceMonitor.namespace }}
+  namespace: {{ .Values.serviceMonitor.namespace }}
+  {{- end }}
+  {{- if .Values.serviceMonitor.labels }}
+  labels: {{- toYaml .Values.serviceMonitor.labels | nindent 4 }}
+  {{- end }}
+  {{- if .Values.serviceMonitor.annotations }}
+  annotations: {{- toYaml .Values.serviceMonitor.annotations | nindent 4 }}
+  {{- end }}
+spec:
+  endpoints:
+  - targetPort: metrics
+    scheme: http
+    {{- if .Values.serviceMonitor.interval }}
+    interval: {{ .Values.serviceMonitor.interval }}
+    {{- end }}
+    {{- with .Values.serviceMonitor.metricRelabelings }}
+    metricRelabelings: {{ toYaml . | nindent 6 }}
+    {{- end }}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+
+  selector:
+    matchLabels:
+      {{- include "apisix-ingress-controller-manager.labels" . | nindent 6 }}
+{{- end }}

charts/apisix-ingress-controller/values.yaml

@@ -60,10 +60,18 @@ deployment:
   image:
     repository: apache/apisix-ingress-controller
     pullPolicy: IfNotPresent
-    tag: "2.0.0-rc2"
+    tag: "2.0.0-rc4"
   # -- Set pod resource requests & limits
   resources: {}
 
+  # -- Set adc sidecar container configuration
+  adcContainer:
+    image:
+      repository: ghcr.io/api7/adc
+      tag: "0.21.0"
+    config:
+      logLevel: "info"
+
 config:
   logLevel: "info"
   controllerName: apisix.apache.org/apisix-ingress-controller
@@ -80,7 +88,7 @@ config:
   execADCTimeout: "15s"
   provider:
     type: "apisix"
-    syncPeriod: "1s"
+    syncPeriod: "1m"
     initSyncDelay: "20m"
   kubernetes:
     ingressClass: apisix
@@ -102,3 +110,18 @@ apisix:
     namespace: apisix-ingress
     name: apisix-admin
     port: 9180
+
+serviceMonitor:
+  # -- Enable or disable ServiceMonitor
+  enabled: false
+  # -- @param serviceMonitor.namespace Namespace in which to create the ServiceMonitor
+  namespace: "monitoring"
+  # -- @param serviceMonitor.interval Interval at which metrics should be scraped
+  interval: 15s
+  # -- @param serviceMonitor.labels ServiceMonitor extra labels
+  labels: {}
+  # -- @param serviceMonitor.annotations ServiceMonitor annotations
+  annotations: {}
+  # -- @param serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion.
+  # ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
+  metricRelabelings: {}

charts/apisix/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: etcd
   repository: https://charts.bitnami.com/bitnami
-  version: 9.7.3
+  version: 12.0.18
 - name: apisix-ingress-controller
   repository: https://apache.github.io/apisix-helm-chart
-  version: 1.0.2
-digest: sha256:61e0700375e4227a0b091c52661ffd39d8d8a5faf8e6331af9736ee7c55f2346
-generated: "2025-07-29T15:34:25.528135+08:00"
+  version: 1.0.5
+digest: sha256:645325383aa153ba7b41ef4f63ba38f5169173b2791aaeb32b0754ecbb922884
+generated: "2025-09-01T16:08:09.544116895+08:00"

charts/apisix/Chart.yaml

@@ -31,7 +31,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.11.4
+version: 2.11.6
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -42,11 +42,11 @@ sources:
 
 dependencies:
   - name: etcd
-    version: 9.7.3
+    version: 12.0.18
     repository: https://charts.bitnami.com/bitnami
     condition: etcd.enabled
   - name: apisix-ingress-controller
-    version: 1.0.2
+    version: 1.0.5
     repository: https://apache.github.io/apisix-helm-chart
     condition: ingress-controller.enabled
     alias: ingress-controller

charts/apisix/README.md

@@ -123,6 +123,7 @@ The command removes all the Kubernetes components associated with the chart and
 | apisix.ssl.enabled | bool | `false` |  |
 | apisix.ssl.existingCASecret | string | `""` | Specifies the name of Secret contains trusted CA certificates in the PEM format used to verify the certificate when APISIX needs to do SSL/TLS handshaking with external services (e.g. etcd) |
 | apisix.ssl.fallbackSNI | string | `""` | Define SNI to fallback if none is presented by client |
+| apisix.ssl.sslCiphers | string | `"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"` | TLS ciphers allowed to use. |
 | apisix.ssl.sslProtocols | string | `"TLSv1.2 TLSv1.3"` | TLS protocols allowed to use. |
 | apisix.status.ip | string | `"0.0.0.0"` |  |
 | apisix.status.port | int | `7085` |  |
@@ -150,7 +151,7 @@ The command removes all the Kubernetes components associated with the chart and
 | control.service.port | int | `9090` | which port to use for Apache APISIX Control API |
 | control.service.servicePort | int | `9090` | Service port to use for Apache APISIX Control API |
 | control.service.type | string | `"ClusterIP"` | Control service type |
-| etcd | object | `{"auth":{"rbac":{"create":false,"rootPassword":""},"tls":{"certFilename":"","certKeyFilename":"","enabled":false,"existingSecret":"","sni":"","verify":true}},"autoCompactionMode":"periodic","autoCompactionRetention":"1h","containerSecurityContext":{"enabled":false},"enabled":true,"prefix":"/apisix","replicaCount":3,"service":{"port":2379},"timeout":30}` | etcd configuration use the FQDN address or the IP of the etcd |
+| etcd | object | `{"auth":{"rbac":{"create":false,"rootPassword":""},"tls":{"certFilename":"","certKeyFilename":"","enabled":false,"existingSecret":"","sni":"","verify":true}},"autoCompactionMode":"periodic","autoCompactionRetention":"1h","containerSecurityContext":{"enabled":false},"enabled":true,"image":{"registry":"docker.io","repository":"bitnami/etcd","tag":"latest"},"prefix":"/apisix","replicaCount":3,"service":{"port":2379},"timeout":30}` | etcd configuration use the FQDN address or the IP of the etcd |
 | etcd.auth | object | `{"rbac":{"create":false,"rootPassword":""},"tls":{"certFilename":"","certKeyFilename":"","enabled":false,"existingSecret":"","sni":"","verify":true}}` | if etcd.enabled is true, set more values of bitnami/etcd helm chart |
 | etcd.auth.rbac.create | bool | `false` | No authentication by default. Switch to enable RBAC authentication |
 | etcd.auth.rbac.rootPassword | string | `""` | root password for etcd. Requires etcd.auth.rbac.create to be true. |
@@ -161,7 +162,9 @@ The command removes all the Kubernetes components associated with the chart and
 | etcd.auth.tls.sni | string | `""` | specify the TLS Server Name Indication extension, the ETCD endpoint hostname will be used when this setting is unset. |
 | etcd.auth.tls.verify | bool | `true` | whether to verify the etcd endpoint certificate when setup a TLS connection to etcd |
 | etcd.containerSecurityContext | object | `{"enabled":false}` | added for backward compatibility with old kubernetes versions, as seccompProfile is not supported in kubernetes < 1.19 |
-| etcd.enabled | bool | `true` | install etcd(v3) by default, set false if do not want to install etcd(v3) together |
+| etcd.enabled | bool | `true` | install built-in etcd by default, set false if do not want to install built-in etcd together, this etcd is based on bitnami/etcd helm chart and latest bitnami docker image, only for development and testing purposes, if you want to use etcd in production, we recommend you to install etcd by yourself and use `externalEtcd` to connect it. |
+| etcd.image | object | `{"registry":"docker.io","repository":"bitnami/etcd","tag":"latest"}` | docker image for built-in etcd |
+| etcd.image.tag | string | `"latest"` | `bitnami/etcd` only provide `latest` tag now, ref: https://github.com/bitnami/containers/issues/83267, you can switch `etcd.image.repository` to `bitnamilegacy/etcd` to use old versioned tags. |
 | etcd.prefix | string | `"/apisix"` | apisix configurations prefix |
 | etcd.timeout | int | `30` | Set the timeout value in seconds for subsequent socket operations from apisix to etcd cluster |
 | externalEtcd | object | `{"existingSecret":"","host":["http://etcd.host:2379"],"password":"","secretPasswordKey":"etcd-root-password","user":"root"}` | external etcd configuration. If etcd.enabled is false, these configuration will be used. |