Migrating NGINX Ingress Controller container images to Chainguard-maintained container images


You must update the Kubernetes NGINX Ingress Controller to use the Chainguard‑maintained images to ensure compatibility and supportability.

Important

  • You might experience downtime while upgrading the NGINX Ingress Controller.
  • In this documentation, NGINX Ingress Controller refers to the Open-Source NGINX Ingress Controller maintained by Kubernetes.

Best practice
Run the following command to check the current version of nginx-ingress-controller and record it. Make sure to save this information in case you need to revert the update.

kubectl -n ingress-nginx get ds -o yaml | grep -i image:

Before you begin

Create a temporary directory and back up the secrets, configmap, and daemonset resources from the ingress-nginx namespace.

  1. To create a temporary directory at a location of your choice, run the following command:
    mkdir -p /opt/ingress-nginx-backup
  2. Navigate to the temporary directory:
    cd /opt/ingress-nginx-backup
  3. To back up the secret (my-tls-secret), run the following command:
    kubectl -n ingress-nginx get secrets my-tls-secret -o yaml > my-tls-secret.yaml
  4. To back up the configmap (ingress-nginx-controller), run the following command:
    kubectl -n ingress-nginx get cm ingress-nginx-controller -o yaml > ingress-nginx-controller_cm.yaml
  5. To back up the daemonset, run the following command:
    kubectl -n ingress-nginx get ds ingress-nginx-controller -o yaml > ingress-nginx-controller_ds.yaml

To update to the Chainguard-maintained images

To update your existing Kubernetes NGINX Ingress Controller deployment to use the Chainguard‑maintained images, you must update the image reference in the existing daemonset.

Example target Chainguard-maintained image:
docker.io/bmchelix/lp0lz:ingress-nginx-controller-v1.14.4-nginx.1.27

Important

The NGINX Ingress Controller image is published by BMC to Docker Hub and is built and maintained following Chainguard‑based practices.

  1. Create a Docker registry secret in the ingress-nginx namespace to allow the cluster to authenticate and pull the Chainguard-maintained image by using the following command:
    kubectl create secret docker-registry bmc-dtrhub \
      -n ingress-nginx \
      --docker-server=docker.io \
      --docker-username=<docker-username> \
      --docker-password='<docker-password>'
  2. To patch the daemonset to reference the Docker registry pull secret, run the following command:
    kubectl patch ds ingress-nginx-controller -n ingress-nginx \
      --type='json' \
      -p='[{"op":"add","path":"/spec/template/spec/imagePullSecrets","value":[{"name":"bmc-dtrhub"}]}]'

    Important

    If imagePullSecrets is already defined, merge the new secret with the existing list instead of applying this patch.

  3. Update the existing NGINX Ingress Controller image:
    1. If the controller is deployed as a daemonset, edit the daemonset and replace the existing NGINX Ingress Controller image with the following Chainguard‑maintained version:
      docker.io/bmchelix/lp0lz:ingress-nginx-controller-v1.14.4-nginx.1.27
    2. If the controller is deployed as a deployment, edit the deployment and replace the existing NGINX Ingress Controller image with the following Chainguard‑maintained version:
      docker.io/bmchelix/lp0lz:ingress-nginx-controller-v1.14.4-nginx.1.27
  4. Restart the NGINX Ingress Controller:
    1. Run the following command to restart the daemonset:
      kubectl -n ingress-nginx rollout restart ds ingress-nginx-controller
    2. Run the following command to restart the deployment:
      kubectl -n ingress-nginx rollout restart deployment ingress-nginx-controller
  5. Verify the update:
    1. To monitor the pods as they restart with the updated Chainguard-maintained image, run the following command:
      kubectl -n ingress-nginx get pods -w
    2. Verify that the updated image is running, and the output includes an updated image reference:
      image: docker.io/bmchelix/lp0lz:ingress-nginx-controller-v1.14.4-nginx.1.27
    3. To verify that the updated Chainguard-maintained image is successfully pulled, run the following command:
      kubectl describe pod -n ingress-nginx <ingress-pod-name> | grep -i image
      The expected output must include the updated Chainguard-maintained image, as shown in the following example:
      image: docker.io/bmchelix/lp0lz:ingress-nginx-controller-v1.14.4-nginx.1.27
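
The note in step 2 matters because a JSON Patch add operation on /spec/template/spec/imagePullSecrets replaces a list that already exists, which drops any pull secrets the daemonset already references. The following added example (not part of the BMC documentation) chooses between creating the list and appending to it with the /- path; the function names are hypothetical, and it assumes kubectl prints the existing secret names space-separated for the jsonpath query shown.

```shell
#!/bin/sh
# Added example, not BMC's script. Picks the JSON patch that adds a pull secret
# without overwriting imagePullSecrets entries that already exist.

# build_pull_secret_patch NEW_SECRET [EXISTING_NAME...]
# Prints the JSON patch to apply, or nothing if NEW_SECRET is already listed.
build_pull_secret_patch() {
  new=$1
  shift
  if [ "$#" -eq 0 ]; then
    # Field absent or empty: create the list (the patch from step 2).
    printf '[{"op":"add","path":"/spec/template/spec/imagePullSecrets","value":[{"name":"%s"}]}]\n' "$new"
    return 0
  fi
  for name in "$@"; do
    # Already referenced: nothing to patch.
    if [ "$name" = "$new" ]; then
      return 0
    fi
  done
  # List exists: "/-" appends; "add" on the list path itself would replace it.
  printf '[{"op":"add","path":"/spec/template/spec/imagePullSecrets/-","value":{"name":"%s"}}]\n' "$new"
}

# Reads the live daemonset and applies whichever patch is needed.
# Names below are the ones used on this page.
add_pull_secret() {
  ns=ingress-nginx
  ds=ingress-nginx-controller
  secret=bmc-dtrhub
  existing=$(kubectl -n "$ns" get ds "$ds" \
    -o jsonpath='{.spec.template.spec.imagePullSecrets[*].name}') || return 1
  # Intentionally unquoted: split the space-separated names into arguments.
  patch=$(build_pull_secret_patch "$secret" $existing)
  if [ -z "$patch" ]; then
    echo "$secret is already referenced; no patch needed"
    return 0
  fi
  kubectl -n "$ns" patch ds "$ds" --type=json -p "$patch"
}

# Call add_pull_secret after the secret from step 1 has been created.
```

Nothing runs against the cluster until add_pull_secret is called; build_pull_secret_patch alone only prints the patch, so it can be reviewed before it is applied.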

Related topics

Statement of direction: End of support for Kubernetes NGINX Ingress controller

System requirements for the on-premises gateway

 


BMC Helix Intelligent Integrations 26.2