Skip to Content

Migrating from Nginx Ingress Controller to Chainguard-maintained images

You must update the Kubernetes NGINX Ingress Controller to use the Chainguard‑maintained images to ensure compatibility and supportability.

Warning

Important

  • You might experience downtime while upgrading the NGINX Ingress Controller.
  • In this documentation, NGINX Ingress Controller refers to the Open-Source NGINX Ingress Controller maintained by Kubernetes.

Related topics

Statement of direction: End of support for Kubernetes NGINX Ingress controller

Best practice
Run the following command to check the current version of nginx-ingress-controller and record it. Make sure to save this information in case you need to revert the upgrade.

kubectl -n ingress-nginx get ds -o yaml | grep -i image:attach:xwiki:IT-Operations-Management.On-Premises-Deployment.BMC-Helix-IT-Operations-Management-Deployment.itomdeploy261.Upgrading.Migrating-from-Nginx-Ingress-Controller-to-Chainguard-maintained-images.WebHome@filename

Before you begin

Create a temporary directory and back up the secrets, configmap, and daemonset resources from the ingress-nginx namespace.

  1. To create a temporary directory at a location of your choice, run the following command:
    mkdir -p /opt/ingress-nginx-backup
    cd /opt/ingress-nginx-backup
  2. Navigate to the directory
  3. To back up the secret (my-tls-secret), run the following command:
    kubectl -n ingress-nginx get secrets my-tls-secret -o yaml > my-tls-secret.yaml
  4. To back up the configmap (ingress-nginx-controller), run the following command:
    kubectl -n ingress-nginx get cm ingress-nginx-controller -o yaml > ingress-nginx-controller_cm.yaml
  5.  To back up the daemonset, run the following command:
    kubectl -n ingress-nginx get ds ingress-nginx-controller -o yaml > ingress-nginx-controller_ds.yaml

To upgrade to Chainguard-maintained images

To upgrade your existing Kubernetes NGINX Ingress Controller deployment to use the Chainguard‑maintained images, you must update the image reference in the existing daemonset.

Example target Chainguard-maintained image:
docker.io/bmchelix/lp0lz:ingress-nginx-controller-v1.14.4-nginx.1.27

Important

The NGINX Ingress Controller image is published by BMC Helix to Docker Hub and is built and maintained following Chainguard‑based practices.

  1. Create a Docker registry secret in the ingress-nginx namespace to allow the cluster to authenticate and pull the Chainguard-maintained image by using the following commands:
    kubectl create secret docker-registry bmc-dtrhub \
     -n ingress-nginx \
     --docker-server=docker.io \
      --docker-username=<docker-username> \
      --docker-password='<docker-password>' \
  2. To patch the daemonset to reference the Docker registry pull secret, run the following command:
    kubectl patch ds ingress-nginx-controller -n ingress-nginx \
     --type='json' \
      -p='[{"op":"add","path":"/spec/template/spec/imagePullSecrets","value":[{"name":"bmc-dtrhub"}]}]'

    Important
    If imagePullSecrets is already defined, merge the new secret with the existing list instead of applying this patch.
     
  3. Update the existing NGINX Ingress Controller image
    1. If the controller is deployed as a daemonset, edit the daemonset and replace the existing NGINX Ingress Controller image with the following Chainguard‑maintained version:
      docker.io/bmchelix/lp0lz:ingress-nginx-controller-v1.14.4-nginx.1.27
    2. If the controller is deployed as a deployment, edit the deployment and replace the existing NGINX Ingress Controller image with the following Chainguard‑maintained version:
      docker.io/bmchelix/lp0lz:ingress-nginx-controller-v1.14.4-nginx.1.27
  4. Restart the NGINX Ingress Controller
    1. Run the following command to restart the daemonset:
      kubectl -n ingress-nginx rollout restart ds ingress-nginx-controller
    2. Run the following command to restart the deployment:
      kubectl -n ingress-nginx rollout restart deployment ingress-nginx-controller
  5. Verify the upgrade.
    1. To monitor the pods as they restart with the updated Chainguard-maintained image, run the following command:
      kubectl -n ingress-nginx get pods -w
    2. Verify the updated image is running, and the output must include an updated image reference:
      image:attach:xwiki:IT-Operations-Management.On-Premises-Deployment.BMC-Helix-IT-Operations-Management-Deployment.itomdeploy261.Upgrading.Migrating-from-Nginx-Ingress-Controller-to-Chainguard-maintained-images.WebHome@filename docker.io/bmchelix/lp0lz:ingress-nginx-controller-v1.14.4-nginx.1.27
    3. To verify the updated Chainguard-maintained image is successfully pulled,  run the following command:
      kubectl describe pod -n ingress-nginx <ingress-pod-name> | grep -i image
      The expected output must include the updated Chainguard-maintained image
      image:attach:xwiki:IT-Operations-Management.On-Premises-Deployment.BMC-Helix-IT-Operations-Management-Deployment.itomdeploy261.Upgrading.Migrating-from-Nginx-Ingress-Controller-to-Chainguard-maintained-images.WebHome@filename docker.io/bmchelix/lp0lz:ingress-nginx-controller-v1.14.4-nginx.1.27

 

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC Helix IT Operations Management deployment 26.1