upgrade nginx-ingress-controller chart, update default flags #4975

Open
jschaul wants to merge 7 commits into develop from upgrade-nginx-controller
jschaul commented Jan 22, 2026

Checklist

  • Add a new entry in an appropriate subdirectory of changelog.d
  • Read and follow the PR guidelines

related to WPB-23269
related to WPB-23412

jschaul requested review from a team as code owners January 22, 2026 15:29
zebot added the ok-to-test label (Approved for running tests in CI, overrides not-ok-to-test if both labels exist) Jan 26, 2026
lwille force-pushed the upgrade-nginx-controller branch from eff7aec to 5350eee February 11, 2026 11:13
lwille commented Feb 11, 2026

rebased on develop to rerun pipelines

lwille commented Feb 11, 2026

federator tests show

2026-02-11T15:50:27.043302886Z   Ingress
2026-02-11T15:50:27.110531463Z     should be accessible using http2 and forward to the local brig [✘]
2026-02-11T15:50:27.208112857Z   testRejectRequestsWithoutClientCertIngress [✘]
2026-02-11T15:50:27.210909973Z 
2026-02-11T15:50:27.211521416Z Failures:
2026-02-11T15:50:27.211545306Z 
2026-02-11T15:50:27.211552635Z   test/integration/Test/Federator/IngressSpec.hs:57:5: 
2026-02-11T15:50:27.211559965Z   1) Federator.API.Ingress should be accessible using http2 and forward to the local brig
2026-02-11T15:50:27.211568045Z        uncaught exception: HUnitFailure
2026-02-11T15:50:27.211574745Z        HUnitFailure [("assertFailure",SrcLoc {srcLocPackage = "federator-1.0.0-63t2KKsCchZBEpLPmSzBgl-federator-integration", srcLocModule = "Test.Federator.Util", srcLocFile = "test/integration/Test/Federator/Util.hs", srcLocStartLine = 340, srcLocStartCol = 29, srcLocEndLine = 340, srcLocEndCol = 42})] "Unexpected error: RemoteError (SrvTarget {srvTargetDomain = \"federation-test-helper.test-kvhjfmkd7uvx.svc.cluster.local\", srvTargetPort = 443}) \"/federation/brig/get-users-by-ids\" (FederatorClientTLSException ProtocolError \"error:0A000086:SSL routines::certificate verify failed\")"
2026-02-11T15:50:27.211580385Z 
2026-02-11T15:50:27.211586335Z   To rerun use: --match "/Federator.API/Ingress/should be accessible using http2 and forward to the local brig/" --seed 1878016947
2026-02-11T15:50:27.211591465Z 
2026-02-11T15:50:27.211596905Z   test/integration/Test/Federator/IngressSpec.hs:111:9: 
2026-02-11T15:50:27.211602345Z   2) Federator.API testRejectRequestsWithoutClientCertIngress
2026-02-11T15:50:27.211607705Z        Expected client certificate error, got remote error

ingress-nginx log

"ignoring ingressclass as the spec.controller is not the same of this ingress" ingressclass="nginx-test-kvhjfmkd7uvx-fed2"
....
controller.go:1442] Error getting SSL certificate "wire-federation-v0/disallowed-clients-tls": local SSL certificate wire-federation-v0/disallowed-clients-tls was not found. Using default certificate

wire-federation-v0/federator log:

2026-02-11T15:40:37.656515850Z {"code":"525","domain":"federation-test-helper.test-kvhjfmkd7uvx.svc.cluster.local.","label":"federation-tls-error","level":"Error","msgs":["\"ProtocolError \"error:0A000086:SSL routines::certificate verify failed\"\""],"path":"/federation/brig/api-version","response":""}
2026-02-11T15:40:37.656568930Z {"code":"525","label":"server-error","level":"Error","msgs":["\"{\"code\":525,\"data\":{\"domain\":\"federation-test-helper.test-kvhjfmkd7uvx.svc.cluster.local.\",\"path\":\"/federation/brig/api-version\",\"response\":null,\"type\":\"federation\"},\"label\":\"federation-tls-error\",\"message\":\"ProtocolError \\\"error:0A000086:SSL routines::certificate verify failed\\\"\"}\""],"request":"N/A"}

jschaul commented Feb 11, 2026

some kube-ci test failures:

* Timed out waiting for service Federator ingress to come up

* many errors with a 525 HTTP status indicate an SSL problem

* Federator logs: s3://wire-server-test-logs/test-logs-0.0.2-pr.13440/federator-0.0.2-pr.13440-1770811039.log
NAME: wire-server
LAST DEPLOYED: Wed Feb 11 11:31:53 2026
NAMESPACE: test-piajj4xfkfvc
STATUS: deployed
REVISION: 1
TEST SUITE:     wire-server-integration-integration
Last Started:   Wed Feb 11 11:33:21 2026
Last Completed: Wed Feb 11 11:45:19 2026
Phase:          Failed
TEST SUITE:     wire-server-stern-integration
Last Started:   Wed Feb 11 11:45:21 2026
Last Completed: Wed Feb 11 11:45:47 2026
Phase:          Succeeded
TEST SUITE:     wire-server-galley-integration
Last Started:   Wed Feb 11 11:45:49 2026
Last Completed: Wed Feb 11 11:46:40 2026
Phase:          Succeeded
TEST SUITE:     wire-server-cargohold-integration
Last Started:   Wed Feb 11 11:46:41 2026
Last Completed: Wed Feb 11 11:46:44 2026
Phase:          Succeeded
TEST SUITE:     wire-server-gundeck-integration
Last Started:   Wed Feb 11 11:46:45 2026
Last Completed: Wed Feb 11 11:49:29 2026
Phase:          Succeeded
TEST SUITE:     wire-server-federator-integration
Last Started:   Wed Feb 11 11:49:30 2026
Last Completed: Wed Feb 11 11:49:34 2026
Phase:          Failed
NOTES:
⚠️ ⚠️ ⚠️ User/Team creation is possible from outside the cluster, via Internet ⚠️ ⚠️ ⚠️
To disable, Set brig.optSettings.setRestrictUserCreation to true.

Federator.API
  Inward
    should be able to call brig [✔]
    testShouldRejectMissmatchingOriginDomainInward [✔]
    should be able to call cargohold [✔]
    should return 404 'no-endpoint' response from Brig [✔]
    should not accept invalid/disallowed paths [✔]
    should only accept /federation/ paths [✔]
    testRejectRequestsWithoutClientCertInward [✔]
  Ingress
    should be accessible using http2 and forward to the local brig [✘]
  testRejectRequestsWithoutClientCertIngress [✘]

Failures:

  test/integration/Test/Federator/IngressSpec.hs:57:5: 
  1) Federator.API.Ingress should be accessible using http2 and forward to the local brig
       uncaught exception: HUnitFailure
       HUnitFailure [("assertFailure",SrcLoc {srcLocPackage = "federator-1.0.0-63t2KKsCchZBEpLPmSzBgl-federator-integration", srcLocModule = "Test.Federator.Util", srcLocFile = "test/integration/Test/Federator/Util.hs", srcLocStartLine = 340, srcLocStartCol = 29, srcLocEndLine = 340, srcLocEndCol = 42})] "Unexpected error: RemoteError (SrvTarget {srvTargetDomain = \"federation-test-helper.test-piajj4xfkfvc.svc.cluster.local\", srvTargetPort = 443}) \"/federation/brig/get-users-by-ids\" (FederatorClientTLSException ProtocolError \"error:0A000086:SSL routines::certificate verify failed\")"

  To rerun use: --match "/Federator.API/Ingress/should be accessible using http2 and forward to the local brig/" --seed 307773674

  test/integration/Test/Federator/IngressSpec.hs:111:9: 
  2) Federator.API testRejectRequestsWithoutClientCertIngress
       Expected client certificate error, got remote error

  To rerun use: --match "/Federator.API/testRejectRequestsWithoutClientCertIngress/" --seed 307773674

Randomized with seed 307773674

Finished in 0.3835 seconds
9 examples, 2 failures

The problem is in the ingress controller logs: somehow the names of the ingress class and of the controllers don't match, so the federator ingress doesn't get created, and then the tests fail. I didn't get round to debugging this further, but just rebasing and trying again won't help 😄; CI is catching a real problem here.
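
Added example, not part of the thread or of the wire-server code base: a small triage script that scans ingress-nginx controller output for the two messages quoted in the comments above (an IngressClass ignored because of its spec.controller, and a missing TLS secret replaced by the default certificate). The sample input is constructed from those quoted lines, and the function names are hypothetical.

```python
import re

# Constructed sample: the two controller messages quoted in the thread, one of
# them repeated, plus an unrelated line made up for illustration.
SAMPLE_LOG = '''\
"ignoring ingressclass as the spec.controller is not the same of this ingress" ingressclass="nginx-test-kvhjfmkd7uvx-fed2"
controller.go:1442] Error getting SSL certificate "wire-federation-v0/disallowed-clients-tls": local SSL certificate wire-federation-v0/disallowed-clients-tls was not found. Using default certificate
"ignoring ingressclass as the spec.controller is not the same of this ingress" ingressclass="nginx-test-kvhjfmkd7uvx-fed2"
some unrelated informational line
'''

# IngressClass objects this controller refuses to serve.
IGNORED_CLASS = re.compile(
    r'ignoring ingressclass as the spec\.controller is not the same of this ingress"'
    r'\s+ingressclass="([^"]+)"')
# TLS secrets the controller could not load, so the default certificate is served.
DEFAULT_CERT = re.compile(
    r'Error getting SSL certificate "([^"]+)":.*Using default certificate')

def triage(log_text):
    """Return de-duplicated ignored IngressClass names and missing TLS secrets."""
    ignored, fallback = [], []
    for line in log_text.splitlines():
        m = IGNORED_CLASS.search(line)
        if m and m.group(1) not in ignored:
            ignored.append(m.group(1))
        m = DEFAULT_CERT.search(line)
        if m and m.group(1) not in fallback:
            fallback.append(m.group(1))
    return {"ignored_classes": ignored, "default_cert_fallbacks": fallback}

def findings(report):
    """Turn the triage result into one human-readable line per problem."""
    out = []
    for name in report["ignored_classes"]:
        out.append(f"IngressClass {name}: spec.controller does not match this "
                   "controller, so Ingresses using it are not served here")
    for secret in report["default_cert_fallbacks"]:
        out.append(f"Secret {secret}: not found, default certificate in use; "
                   "clients validating against the expected CA will likely reject it")
    return out

if __name__ == "__main__":
    for finding in findings(triage(SAMPLE_LOG)):
        print(finding)
```
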
