From de86f566efa744255644444cdb061265d12e54a5 Mon Sep 17 00:00:00 2001 From: Sarthak Agrawal <68310924+sarthyparty@users.noreply.github.com> Date: Wed, 3 Sep 2025 10:16:01 -0700 Subject: [PATCH 1/8] Update compability doc (#1054) Update compatability doc with Port for ParentRef --- content/ngf/overview/gateway-api-compatibility.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/ngf/overview/gateway-api-compatibility.md b/content/ngf/overview/gateway-api-compatibility.md index ab641d44c..f78d051c2 100644 --- a/content/ngf/overview/gateway-api-compatibility.md +++ b/content/ngf/overview/gateway-api-compatibility.md @@ -146,7 +146,7 @@ See the [controller]({{< ref "/ngf/reference/cli-help.md#controller">}}) command **Fields**: - `spec` - - `parentRefs`: Partially supported. Port not supported. + - `parentRefs`: Supported. - `hostnames`: Supported. - `rules` - `matches` @@ -196,7 +196,7 @@ See the [controller]({{< ref "/ngf/reference/cli-help.md#controller">}}) command **Fields**: - `spec` - - `parentRefs`: Partially supported. Port not supported. + - `parentRefs`: Supported. - `hostnames`: Supported. - `rules` - `matches` @@ -259,7 +259,7 @@ Fields: **Fields**: - `spec` - - `parentRefs`: Partially supported. Port not supported. + - `parentRefs`: Supported. - `hostnames`: Supported. - `rules` - `backendRefs`: Partially supported. Only one backend ref allowed. From ecb9222fa95f0258120599a073ee82587584d3c0 Mon Sep 17 00:00:00 2001 From: bjee19 <139261241+bjee19@users.noreply.github.com> Date: Mon, 15 Sep 2025 15:49:48 -0700 Subject: [PATCH 2/8] NGF: Update gateway addresses compatibility document (#1109) Update gateway addresses compatibility document. --- content/ngf/overview/gateway-api-compatibility.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/ngf/overview/gateway-api-compatibility.md b/content/ngf/overview/gateway-api-compatibility.md index f78d051c2..c64e0872e 100644 --- a/content/ngf/overview/gateway-api-compatibility.md +++ b/content/ngf/overview/gateway-api-compatibility.md @@ -101,7 +101,9 @@ See the [controller]({{< ref "/ngf/reference/cli-help.md#controller">}}) command - `certificateRefs` - The TLS certificate and key must be stored in a Secret resource of type `kubernetes.io/tls`. Only a single reference is supported. - `options`: Not supported. - `allowedRoutes`: Supported. - - `addresses`: Not supported. + - `addresses`: Valid IPAddresses will be added to the `externalIP` field in the related Services fronting NGINX. + - `type`: Partially supported. Allowed value: `IPAddress`. + - `value`: Partially supported. Dynamic address allocation when value is unspecified is not supported. - `backendTLS`: Not supported. - `allowedListeners`: Not supported. - `status` From 29a305d65ad37b8eb9c5da249a0f5ac7648f77bd Mon Sep 17 00:00:00 2001 From: bjee19 <139261241+bjee19@users.noreply.github.com> Date: Tue, 16 Sep 2025 16:37:03 -0700 Subject: [PATCH 3/8] NGF: Update gateway addresses compatibility document with IP family comment (#1126) Add a small comment on IP families to gateway addresses compatibility document. --- content/ngf/overview/gateway-api-compatibility.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/ngf/overview/gateway-api-compatibility.md b/content/ngf/overview/gateway-api-compatibility.md index c64e0872e..5b9cd9d3e 100644 --- a/content/ngf/overview/gateway-api-compatibility.md +++ b/content/ngf/overview/gateway-api-compatibility.md @@ -101,7 +101,7 @@ See the [controller]({{< ref "/ngf/reference/cli-help.md#controller">}}) command - `certificateRefs` - The TLS certificate and key must be stored in a Secret resource of type `kubernetes.io/tls`. Only a single reference is supported. - `options`: Not supported. - `allowedRoutes`: Supported. - - `addresses`: Valid IPAddresses will be added to the `externalIP` field in the related Services fronting NGINX. + - `addresses`: Valid IPAddresses will be added to the `externalIP` field in the related Services fronting NGINX. Users should ensure that the IP Family of the address matches the IP Family set in the NginxProxy resource (default is dual, meaning both IPv4 and IPv6), otherwise there may be networking issues. - `type`: Partially supported. Allowed value: `IPAddress`. - `value`: Partially supported. Dynamic address allocation when value is unspecified is not supported. - `backendTLS`: Not supported. From 8d59f4265df29a51a05ed2daab57946e8b327784 Mon Sep 17 00:00:00 2001 From: "Tina U." Date: Wed, 17 Sep 2025 15:14:25 +0100 Subject: [PATCH 4/8] New NGF CLI parameter for Trial period enforcement (#1128) --- content/ngf/reference/cli-help.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/ngf/reference/cli-help.md b/content/ngf/reference/cli-help.md index a25a2faff..e97631e13 100644 --- a/content/ngf/reference/cli-help.md +++ b/content/ngf/reference/cli-help.md @@ -50,6 +50,7 @@ This command runs the NGINX Gateway Fabric control plane. | _usage-report-skip-verify_ | _bool_ | Disable client verification of the NGINX Plus usage reporting server certificate. | | _usage-report-ca-secret_ | _string_ | The name of the Secret containing the NGINX Instance Manager CA certificate. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway) | | _usage-report-client-ssl-secret_ | _string_ | The name of the Secret containing the client certificate and key for authenticating with NGINX Instance Manager. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway) | +| _usage-report-enforce-initial-report_ | _bool_ | Enables or disables the 180-day grace period for sending the initial usage report. | | _snippets-filters_ | _bool_ | Enable SnippetsFilters feature. SnippetsFilters allow inserting NGINX configuration into the generated NGINX config for HTTPRoute and GRPCRoute resources. | | _nginx-scc_ | _string_ | The name of the SecurityContextConstraints to be used with the NGINX data plane Pods. Only applicable in OpenShift. | | _nginx-one-dataplane-key-secret_ | _string_ | The name of the secret which holds the dataplane key that is required to authenticate with the NGINX One Console. Secret must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | From 6822326dbadfffefcaa3d69e23a7be2615b0d5d0 Mon Sep 17 00:00:00 2001 From: "Tina U." Date: Thu, 9 Oct 2025 17:57:52 +0100 Subject: [PATCH 5/8] RouteRules and Gateway unsupported fields update (#1268) Added mention about unsupported fields for RouteRules and Gateways Closes nginx/nginx-gateway-fabric#3784 --- .../ngf/overview/gateway-api-compatibility.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/content/ngf/overview/gateway-api-compatibility.md b/content/ngf/overview/gateway-api-compatibility.md index 924b13130..6ad9b4116 100644 --- a/content/ngf/overview/gateway-api-compatibility.md +++ b/content/ngf/overview/gateway-api-compatibility.md @@ -36,7 +36,10 @@ Gateway API features has three [support levels](https://gateway-api.sigs.k8s.io/ - _Not supported_. The resource or field is not yet supported. It will become partially or fully supported in future releases. -{{< call-out "note" >}} It's possible that NGINX Gateway Fabric will never support some resources or fields of the Gateway API. They will be documented on a case by case basis. {{< /call-out >}} +{{< call-out "note" >}} It's possible that NGINX Gateway Fabric will never support some resources or fields of the Gateway API. They will be documented on a case by case basis. + +Please note that while we make every effort to reflect the support status of experimental fields in our code and documentation, there may be instances where this is not explicitly +indicated. Support for such fields is provided on a best-effort basis.{{< /call-out >}} ## Resources @@ -116,6 +119,7 @@ See the [controller]({{< ref "/ngf/reference/cli-help.md#controller">}}) command - `Accepted/False/UnsupportedValue`: Custom reason for when a value of a field in a Gateway is invalid or not supported. - `Programmed/True/Programmed` - `Programmed/False/Invalid` + - `Accepted/True/UnsupportedField`: Custom reason for when the Gateway is accepted but contains an unsupported field - `listeners` - `name`: Supported. - `supportedKinds`: Supported. @@ -165,6 +169,10 @@ See the [controller]({{< ref "/ngf/reference/cli-help.md#controller">}}) command - `requestMirror`: Supported. Multiple mirrors can be specified. Percent and fraction-based mirroring are supported. - `extensionRef`: Supported for SnippetsFilters. - `backendRefs`: Partially supported. Backend ref `filters` are not supported. + - `name`: Not supported. + - `timeouts`: Not supported. + - `retry`: Not supported. + - `sessionPersistence`: Not supported. - `status` - `parents` - `parentRef`: Supported. @@ -185,6 +193,9 @@ See the [controller]({{< ref "/ngf/reference/cli-help.md#controller">}}) command - `ResolvedRefs/False/InvalidIPFamily`: Custom reason for when one of the HTTPRoute rules has a backendRef that has an invalid IPFamily. - `ResolvedRefs/False/UnsupportedProtocol` - `PartiallyInvalid/True/UnsupportedValue` + - `Accepted/True/UnsupportedField`: Custom reason for when the HTTPRouteRule is accepted but contains an unsupported field + + {{< call-out "note" >}} If `name`, `timeouts`, `retry` or `sessionPersistence` are defined for a HTTPRoute rule, they will be ignored and rule still will be created. {{< /call-out >}} ### GRPCRoute @@ -210,6 +221,8 @@ See the [controller]({{< ref "/ngf/reference/cli-help.md#controller">}}) command - `requestMirror`: Supported. Multiple mirrors can be specified. - `extensionRef`: Supported for SnippetsFilters. - `backendRefs`: Partially supported. Backend ref `filters` are not supported. + - `name`: Not supported. + - `sessionPersistence`: Not supported. - `status` - `parents` - `parentRef`: Supported. @@ -227,6 +240,9 @@ See the [controller]({{< ref "/ngf/reference/cli-help.md#controller">}}) command - `ResolvedRefs/False/BackendNotFound` - `ResolvedRefs/False/UnsupportedValue`: Custom reason for when one of the GRPCRoute rules has a backendRef with an unsupported value. - `PartiallyInvalid/True/UnsupportedValue` + - `Accepted/True/UnsupportedField`: Custom reason for when the GRPCRouteRule is accepted but contains an unsupported field + +{{< call-out "note" >}} If `name` or `sessionPersistence` are defined for a GRPCRoute rule, they will be ignored and rule still will be created. {{< /call-out >}} ### ReferenceGrant From 4b0aa635c92c1ec72a89ca01428103af7386a4cd Mon Sep 17 00:00:00 2001 From: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> Date: Fri, 10 Oct 2025 19:21:14 +0100 Subject: [PATCH 6/8] NGF: Update advanced routing guide for Regex PathType (#1286) feat: Update advanced routing guide for regex path --- .../traffic-management/advanced-routing.md | 63 ++++++++++++++++++- 1 file changed, 62 insertions(+), 1 deletion(-) diff --git a/content/ngf/traffic-management/advanced-routing.md b/content/ngf/traffic-management/advanced-routing.md index ba52cc477..66c05c594 100644 --- a/content/ngf/traffic-management/advanced-routing.md +++ b/content/ngf/traffic-management/advanced-routing.md @@ -11,7 +11,7 @@ Learn how to deploy multiple applications and HTTPRoutes with request conditions ## Overview -In this guide we will configure advanced routing rules for multiple applications. These rules will showcase request matching by path, headers, query parameters, and method. For an introduction to exposing your application, we recommend that you follow the [basic guide]({{< ref "/ngf/traffic-management/basic-routing.md" >}}) first. +In this guide we will configure advanced routing rules for multiple applications. These rules will showcase request matching by path (including prefix, exact, and regex patterns), headers, query parameters, and method. For an introduction to exposing your application, we recommend that you follow the [basic guide]({{< ref "/ngf/traffic-management/basic-routing.md" >}}) first. The following image shows the traffic flow that we will be creating with these rules. @@ -321,6 +321,67 @@ Server name: tea-post-b59b8596b-g586r This request should receive a response from the `tea-post` pod. Any other type of method, such as PATCH, will result in a `404 Not Found` response. +## Path matching types + +NGINX Gateway Fabric supports three types of path matching: + +- **PathPrefix**: Matches based on a URL path prefix split by `/`. For example, `/coffee` matches `/coffee`, `/coffee/`, and `/coffee/latte`. +- **Exact**: Matches the exact path in the request. For example, `/coffee` matches only `/coffee`. +- **RegularExpression**: Matches based on RE2-compatible regular expressions. For example, `/coffee/[a-z]+` matches `/coffee/latte` and `/coffee/mocha` but not `/coffee/123`. + +{{< call-out "note" >}} Regular expression path matching uses the RE2 syntax. Patterns are automatically anchored to the beginning of the path. {{< /call-out >}} + +### Example: Using regex path matching + +To route requests based on regex patterns in the path, use `type: RegularExpression`: + +```yaml +kubectl apply -f - < Date: Tue, 14 Oct 2025 15:10:31 +0100 Subject: [PATCH 7/8] Add details on BuildOS and InferencePoolCount to Product Telemetry docs (#1284) * Add details on BuildOS and InferencePoolCount to Product Telemetry docs * Add InferencePoolCount * Move InferencePool resource into "Count of Resources" section --- content/ngf/overview/product-telemetry.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/ngf/overview/product-telemetry.md b/content/ngf/overview/product-telemetry.md index 45237d56d..573460d8a 100644 --- a/content/ngf/overview/product-telemetry.md +++ b/content/ngf/overview/product-telemetry.md @@ -27,13 +27,13 @@ Telemetry data is collected once every 24 hours and sent to a service managed by - **Version:** the version of the NGINX Gateway Fabric Deployment. - **Deployment UID:** the UID of the NGINX Gateway Fabric Deployment. - **Image Build Source:** whether the image was built by GitHub or locally (values are `gha`, `local`, or `unknown`). The source repository of the images is **not** collected. +- **Build OS:** the base operating system the image was built on (values are currently `alpine` or `ubi`). - **Deployment Flags:** a list of NGINX Gateway Fabric Deployment flags that are specified by a user. The actual values of non-boolean flags are **not** collected; we only record that they are either `true` or `false` for boolean flags and `default` or `user-defined` for the rest. -- **Count of Resources:** the total count of resources related to NGINX Gateway Fabric. This includes `GatewayClasses`, `Gateways`, `HTTPRoutes`,`GRPCRoutes`, `TLSRoutes`, `Secrets`, `Services`, `BackendTLSPolicies`, `ClientSettingsPolicies`, `NginxProxies`, `ObservabilityPolicies`, `UpstreamSettingsPolicies`, `SnippetsFilters`, and `Endpoints`. The data within these resources is **not** collected. +- **Count of Resources:** the total count of resources related to NGINX Gateway Fabric. This includes `GatewayClasses`, `Gateways`, `HTTPRoutes`,`GRPCRoutes`, `TLSRoutes`, `InferencePool`, `Secrets`, `Services`, `BackendTLSPolicies`, `ClientSettingsPolicies`, `NginxProxies`, `ObservabilityPolicies`, `UpstreamSettingsPolicies`, `SnippetsFilters`, and `Endpoints`. The data within these resources is **not** collected. - **SnippetsFilters Info** a list of directive-context strings from applied SnippetFilters and a total count per strings. The actual value of any NGINX directive is **not** collected. - **Control Plane Pod Count** the count of NGINX Gateway Fabric Pods. - **Data Plane Pod Count** the count of NGINX data plane Pods. - **NGINX One Console Connection Info** indicates whether the connection to the NGINX One Console is enabled. -This data is used to identify the following information: - The flavors of Kubernetes environments that are most popular among our users. - The number of unique NGINX Gateway Fabric installations. From 86f80510e35e13b027be3dee9efaecc1bdda11f7 Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Wed, 22 Oct 2025 10:46:05 +0100 Subject: [PATCH 8/8] Chore: Update api docs and version for release --- content/ngf/reference/api.md | 180 ++++++++++++++++++++++++++++ layouts/shortcodes/version-ngf.html | 2 +- 2 files changed, 181 insertions(+), 1 deletion(-) diff --git a/content/ngf/reference/api.md b/content/ngf/reference/api.md index 47984b6a3..549a0444f 100644 --- a/content/ngf/reference/api.md +++ b/content/ngf/reference/api.md @@ -899,6 +899,7 @@ longer necessary.

ClientKeepAlive, ClientKeepAliveTimeout, UpstreamKeepAlive, +DNSResolver, TelemetryExporter)

@@ -1869,6 +1870,21 @@ int32 Default is 1024.

+ + +dnsResolver
+ + +DNSResolver + + + + +(Optional) +

DNSResolver specifies the DNS resolver configuration for external name resolution. +This enables support for routing to ExternalName Services.

+ + @@ -2245,6 +2261,155 @@ ReadinessProbeSpec +

DNSResolver + +

+

+(Appears on: +NginxProxySpec) +

+

+

DNSResolver specifies the DNS resolver configuration for NGINX. +This enables dynamic DNS resolution for ExternalName Services. +Corresponds to the NGINX resolver directive: https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver

+

+ + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+timeout
+ + +Duration + + +		 +(Optional) +

Timeout specifies the timeout for name resolution.

+
+cacheTTL
+ + +Duration + + +		 +(Optional) +

CacheTTL specifies how long to cache DNS responses.

+
+disableIPv6
+ +bool + +		 +(Optional) +

DisableIPv6 disables IPv6 lookups. +If not specified, or set to false, IPv6 lookups will be enabled.

+
+addresses
+ + +[]DNSResolverAddress + + +		 +

Addresses specifies the list of DNS server addresses. +Each address can be an IP address or hostname. +Example: [{“type”: “IPAddress”, “value”: “8.8.8.8”}, {“type”: “Hostname”, “value”: “dns.google”}]

+
+

DNSResolverAddress + +

+

+(Appears on: +DNSResolver) +

+

+

DNSResolverAddress specifies the address type and value for a DNS resolver address.

+

+ + + + + + + + + + + + + + + + + +
FieldDescription
+type
+ + +DNSResolverAddressType + + +		 +

Type specifies the type of address.

+
+value
+ +string + +		 +

Value specifies the address value. +When Type is “IPAddress”, this must be a valid IPv4 or IPv6 address. +When Type is “Hostname”, this must be a valid hostname.

+
+

DNSResolverAddressType +(string alias)

+

+

+(Appears on: +DNSResolverAddress) +

+

+

DNSResolverAddressType specifies the type of DNS resolver address.

+

+ + + + + + + + + + + + +
ValueDescription

"Hostname"

DNSResolverHostnameType specifies that the address is a hostname.

+

"IPAddress"

DNSResolverIPAddressType specifies that the address is an IP address.

+

DaemonSetSpec

@@ -3041,6 +3206,21 @@ int32 Default is 1024.

+ + +dnsResolver
+ + +DNSResolver + + + + +(Optional) +

DNSResolver specifies the DNS resolver configuration for external name resolution. +This enables support for routing to ExternalName Services.

+ +

NodePort diff --git a/layouts/shortcodes/version-ngf.html b/layouts/shortcodes/version-ngf.html index c346e7a04..e3a4f1933 100644 --- a/layouts/shortcodes/version-ngf.html +++ b/layouts/shortcodes/version-ngf.html @@ -1 +1 @@ -2.1.4 \ No newline at end of file +2.2.0 \ No newline at end of file