From 243a3e8c011baf81d29df72febacac2d1ab245de Mon Sep 17 00:00:00 2001 From: Alan Dooley Date: Mon, 10 Nov 2025 15:31:12 +0000 Subject: [PATCH 1/6] feat: Update NIC information architecture and content This commit flattens the information architecture of the installation section for NGINX Ingress Controller, flattening it and simplifying the URLs. It also adds a new Changelog section to replace the previous releases page, updates the Helm chart reference information, and addresses Markdown and metadata conventions for each affected page. --- .../installation/create-custom-resources.md | 3 +- content/nginx-one/k8s/add-nic.md | 4 +- content/nic/_index.md | 2 +- content/nic/changelog/2019.md | 111 + content/nic/changelog/2020.md | 309 ++ content/nic/changelog/2021.md | 485 ++++ content/nic/changelog/2022.md | 383 +++ content/nic/changelog/2023.md | 437 +++ content/nic/changelog/2024.md | 530 ++++ content/nic/changelog/_index.md | 259 ++ content/nic/community.md | 2 +- content/nic/configuration/_index.md | 2 +- content/nic/configuration/access-control.md | 6 +- .../command-line-arguments.md | 145 +- .../configmap-resource.md | 12 +- .../globalconfiguration-resource.md | 16 +- ...advanced-configuration-with-annotations.md | 25 +- .../ingress-resources/basic-configuration.md | 12 +- content/nic/configuration/policy-resource.md | 16 +- content/nic/configuration/security.md | 2 +- content/nic/glossary.md | 2 +- .../nic/{installation => install}/_index.md | 2 +- .../build.md} | 22 +- .../helm.md} | 62 +- content/nic/install/images/_index.md | 5 + .../images}/add-image-to-cluster.md | 13 +- .../images}/registry-download.md | 7 +- .../images}/use-aws-image.md | 4 +- .../images}/use-gcp-image.md | 0 .../license-secret.md} | 8 +- .../manifests.md} | 82 +- .../migrate-ingress-nginx.md} | 141 +- .../multiple-controllers.md} | 13 +- .../operator.md} | 29 +- .../upgrade-version.md => install/upgrade.md} | 12 +- .../waf-helm.md} | 9 +- .../nic/installation/installing-nic/_index.md | 6 - .../nic/installation/integrations/_index.md | 6 - content/nic/installation/nic-images/_index.md | 5 - content/nic/integrations/_index.md | 6 + .../integrations/app-protect-dos/_index.md | 0 .../app-protect-dos/configuration.md | 0 .../app-protect-dos/dos-protected.md | 8 +- .../app-protect-dos/installation.md | 37 +- .../troubleshoot-app-protect-dos.md | 2 + .../integrations/app-protect-waf-v5/_index.md | 0 .../compile-waf-policies.md | 10 +- .../app-protect-waf-v5/configuration.md | 2 +- .../app-protect-waf-v5/installation.md | 39 +- .../troubleshoot-app-protect-waf.md | 0 .../integrations/app-protect-waf/_index.md | 1 - .../app-protect-waf/configuration.md | 11 +- .../app-protect-waf/installation.md | 43 +- .../integrations/f5-ingresslink.md | 8 +- content/nic/logging-and-monitoring/_index.md | 2 +- .../logging-and-monitoring/opentelemetry.md | 2 +- .../nic/logging-and-monitoring/opentracing.md | 2 +- .../nic/logging-and-monitoring/prometheus.md | 3 +- .../logging-and-monitoring/service-insight.md | 2 +- content/nic/overview/design.md | 4 +- content/nic/releases.md | 2538 ----------------- content/nic/technical-specifications.md | 31 +- content/nic/troubleshooting/_index.md | 2 +- content/nic/tutorials/_index.md | 2 +- .../nic/tutorials/nginx-ingress-linkerd.md | 39 +- content/nic/tutorials/nginx-ingress-osm.md | 25 +- .../tutorials/oidc-custom-configuration.md | 2 +- content/nic/tutorials/security-monitoring.md | 9 +- ...rtual-server-with-custom-listener-ports.md | 10 +- 69 files changed, 2921 insertions(+), 3108 deletions(-) create mode 100644 content/nic/changelog/2019.md create mode 100644 content/nic/changelog/2020.md create mode 100644 content/nic/changelog/2021.md create mode 100644 content/nic/changelog/2022.md create mode 100644 content/nic/changelog/2023.md create mode 100644 content/nic/changelog/2024.md create mode 100644 content/nic/changelog/_index.md rename content/nic/{installation => install}/_index.md (70%) rename content/nic/{installation/build-nginx-ingress-controller.md => install/build.md} (96%) rename content/nic/{installation/installing-nic/installation-with-helm.md => install/helm.md} (97%) create mode 100644 content/nic/install/images/_index.md rename content/nic/{installation/nic-images => install/images}/add-image-to-cluster.md (88%) rename content/nic/{installation/nic-images => install/images}/registry-download.md (97%) rename content/nic/{installation/nic-images => install/images}/use-aws-image.md (99%) rename content/nic/{installation/nic-images => install/images}/use-gcp-image.md (100%) rename content/nic/{installation/create-license-secret.md => install/license-secret.md} (95%) rename content/nic/{installation/installing-nic/installation-with-manifests.md => install/manifests.md} (85%) rename content/nic/{installation/ingress-nginx.md => install/migrate-ingress-nginx.md} (90%) rename content/nic/{installation/run-multiple-ingress-controllers.md => install/multiple-controllers.md} (85%) rename content/nic/{installation/installing-nic/installation-with-operator.md => install/operator.md} (64%) rename content/nic/{installation/upgrade-version.md => install/upgrade.md} (95%) rename content/nic/{installation/installing-nic/deploy-with-nap-using-helm.md => install/waf-helm.md} (99%) delete mode 100644 content/nic/installation/installing-nic/_index.md delete mode 100644 content/nic/installation/integrations/_index.md delete mode 100644 content/nic/installation/nic-images/_index.md create mode 100644 content/nic/integrations/_index.md rename content/nic/{installation => }/integrations/app-protect-dos/_index.md (100%) rename content/nic/{installation => }/integrations/app-protect-dos/configuration.md (100%) rename content/nic/{installation => }/integrations/app-protect-dos/dos-protected.md (97%) rename content/nic/{installation => }/integrations/app-protect-dos/installation.md (88%) rename content/nic/{installation => }/integrations/app-protect-dos/troubleshoot-app-protect-dos.md (99%) rename content/nic/{installation => }/integrations/app-protect-waf-v5/_index.md (100%) rename content/nic/{installation => }/integrations/app-protect-waf-v5/compile-waf-policies.md (99%) rename content/nic/{installation => }/integrations/app-protect-waf-v5/configuration.md (96%) rename content/nic/{installation => }/integrations/app-protect-waf-v5/installation.md (91%) rename content/nic/{installation => }/integrations/app-protect-waf-v5/troubleshoot-app-protect-waf.md (100%) rename content/nic/{installation => }/integrations/app-protect-waf/_index.md (78%) rename content/nic/{installation => }/integrations/app-protect-waf/configuration.md (98%) rename content/nic/{installation => }/integrations/app-protect-waf/installation.md (85%) rename content/nic/{installation => }/integrations/f5-ingresslink.md (95%) delete mode 100644 content/nic/releases.md diff --git a/content/includes/nic/installation/create-custom-resources.md b/content/includes/nic/installation/create-custom-resources.md index 950f203f4..6401c06a8 100644 --- a/content/includes/nic/installation/create-custom-resources.md +++ b/content/includes/nic/installation/create-custom-resources.md @@ -32,11 +32,10 @@ kubectl apply -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v{{< {{< call-out "note" >}} -Read the steps outlined in [Upgrade from 3.x to 4.x]({{< ref "/nic/installation/upgrade-version.md#upgrade-from-3x-to-4x" >}}) before running the CRD upgrade and perform the steps if applicable. +Read the steps outlined in [Upgrade from 3.x to 4.x]({{< ref "/nic/install/upgrade.md#upgrade-from-3x-to-4x" >}}) before running the CRD upgrade and perform the steps if applicable. {{< /call-out >}} - ```shell kubectl apply -f config/crd/bases/k8s.nginx.org_virtualservers.yaml kubectl apply -f config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml diff --git a/content/nginx-one/k8s/add-nic.md b/content/nginx-one/k8s/add-nic.md index 55ed44b93..006e9a5ff 100644 --- a/content/nginx-one/k8s/add-nic.md +++ b/content/nginx-one/k8s/add-nic.md @@ -66,7 +66,7 @@ Upgrade or install NGINX Ingress Controller with the following command to config The `dataplaneKeySecretName` is used to authenticate the agent with NGINX One Console. See the [NGINX One Console Docs]({{< ref "/nginx-one/connect-instances/create-manage-data-plane-keys.md" >}}) for instructions on how to generate your dataplane key from the NGINX One Console. -Follow the [Installation with Helm]({{< ref "/nic/installation/installing-nic/installation-with-helm.md" >}}) instructions to deploy NGINX Ingress Controller. +Follow the [Installation with Helm]({{< ref "/nic/install/helm.md" >}}) instructions to deploy NGINX Ingress Controller. {{%/tab%}} {{%tab name="Manifests"%}} @@ -134,7 +134,7 @@ volumes: secretName: "" ``` -Follow the [Installation with Manifests]({{< ref "/nic/installation/installing-nic/installation-with-manifests.md" >}}) instructions to deploy NGINX Ingress Controller. +Follow the [Installation with Manifests]({{< ref "/nic/install/manifests.md" >}}) instructions to deploy NGINX Ingress Controller. {{%/tab%}} {{}} diff --git a/content/nic/_index.md b/content/nic/_index.md index cbde101dc..d0a01958a 100644 --- a/content/nic/_index.md +++ b/content/nic/_index.md @@ -33,7 +33,7 @@ It supports standard [Ingress]({{< ref "/nic/glossary.md#ingress">}}) features s {{}} Replace an Ingress-NGINX cluster with NGINX Ingress Controller {{}} - {{}} + {{}} Review the changes from the latest NGINX Ingress Controller releases {{}} {{}} \ No newline at end of file diff --git a/content/nic/changelog/2019.md b/content/nic/changelog/2019.md new file mode 100644 index 000000000..0b847842e --- /dev/null +++ b/content/nic/changelog/2019.md @@ -0,0 +1,111 @@ +--- +title: "2019 archive" +# Weights are assigned in increments of 100: determines sorting order +weight: 600 +# Creates a table of contents and sidebar, useful for large documents +toc: true +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: reference +nd-product: NIC +--- + +## 1.6.0 + +19 December 2019 + +### Overview + +Release 1.6.0 includes: + +- Improvements to VirtualServer and VirtualServerRoute resources, adding support for richer load balancing behavior, more sophisticated request routing, redirects, direct responses, and blue-green and circuit breaker patterns. The VirtualServer and VirtualServerRoute resources are enabled by default and are ready for production use. +- Support for OpenTracing, helping you to monitor and debug complex transactions. +- An improved security posture, with support to run the Ingress Controller as a non-root user. + +The release announcement blog post includes the overview for each feature. See + +You will find the complete changelog for release 1.6.0, including bug fixes, improvements, and changes below. + +FEATURES FOR VIRTUALSERVER AND VIRTUALSERVERROUTE RESOURCES: + +- [780](https://github.com/nginx/kubernetes-ingress/pull/780): Add support for canned responses to VS/VSR. +- [778](https://github.com/nginx/kubernetes-ingress/pull/778): Add redirect support in VS/VSR. +- [766](https://github.com/nginx/kubernetes-ingress/pull/766): Add exact matches and regex support to location paths in VS/VSR. +- [748](https://github.com/nginx/kubernetes-ingress/pull/748): Add TLS redirect support in Virtualserver. +- [745](https://github.com/nginx/kubernetes-ingress/pull/745): Improve routing rules in VS/VSR +- [728](https://github.com/nginx/kubernetes-ingress/pull/728): Add session persistence in VS/VSR. +- [724](https://github.com/nginx/kubernetes-ingress/pull/724): Add VS/VSR Prometheus metrics. +- [712](https://github.com/nginx/kubernetes-ingress/pull/712): Add service subselector support in vs/vsr. +- [707](https://github.com/nginx/kubernetes-ingress/pull/707): Emit warning events in VS/VSR. +- [701](https://github.com/nginx/kubernetes-ingress/pull/701): Add support queue in upstreams for plus in VS/VSR. +- [693](https://github.com/nginx/kubernetes-ingress/pull/693): Add ServerStatusZones support in vs/vsr. +- [670](https://github.com/nginx/kubernetes-ingress/pull/670): Add buffering support for vs/vsr. +- [660](https://github.com/nginx/kubernetes-ingress/pull/660): Add ClientBodyMaxSize support in vs/vsr. +- [659](https://github.com/nginx/kubernetes-ingress/pull/659): Support configuring upstream zone sizes in VS/VSR. +- [655](https://github.com/nginx/kubernetes-ingress/pull/655): Add slow-start support in vs/vsr. +- [653](https://github.com/nginx/kubernetes-ingress/pull/653): Add websockets support for vs/vsr upstreams. +- [641](https://github.com/nginx/kubernetes-ingress/pull/641): Add support for ExternalName Services for vs/vsr. +- [635](https://github.com/nginx/kubernetes-ingress/pull/635): Add HealthChecks support for vs/vsr. +- [634](https://github.com/nginx/kubernetes-ingress/pull/634): Add Active Connections support to vs/vsr. +- [628](https://github.com/nginx/kubernetes-ingress/pull/628): Add retries support for vs/vsr. +- [621](https://github.com/nginx/kubernetes-ingress/pull/621): Add TLS support for vs/vsr upstreams. +- [617](https://github.com/nginx/kubernetes-ingress/pull/617): Add keepalive support to vs/vsr. +- [612](https://github.com/nginx/kubernetes-ingress/pull/612): Add timeouts support to vs/vsr. +- [607](https://github.com/nginx/kubernetes-ingress/pull/607): Add fail-timeout and max-fails support to vs/vsr. +- [596](https://github.com/nginx/kubernetes-ingress/pull/596): Add lb-method support in vs and vsr. + +### Features + +- [750](https://github.com/nginx/kubernetes-ingress/pull/750): Add support for health status uri customisation. +- [691](https://github.com/nginx/kubernetes-ingress/pull/691): Helper Functions for custom annotations. +- [631](https://github.com/nginx/kubernetes-ingress/pull/631): Add max_conns support for NGINX plus. +- [629](https://github.com/nginx/kubernetes-ingress/pull/629): Added upstream zone directive annotation. Thanks to [Victor Regalado](https://github.com/vrrs). +- [616](https://github.com/nginx/kubernetes-ingress/pull/616): Add proxy-send-timeout to configmap key and annotation. +- [615](https://github.com/nginx/kubernetes-ingress/pull/615): Add support for Opentracing. +- [614](https://github.com/nginx/kubernetes-ingress/pull/614): Add max-conns annotation. Thanks to [Victor Regalado](https://github.com/vrrs). +- [678](https://github.com/nginx/kubernetes-ingress/pull/678): Increase defaults for server-names-hash-max-size and servers-names-hash-bucket-size ConfigMap keys. +- [694](https://github.com/nginx/kubernetes-ingress/pull/694): Reject VS/VSR resources with enabled plus features for OSS. +- [799](https://github.com/nginx/kubernetes-ingress/pull/779): Enable CRDs by default. VirtualServer and VirtualServerRoute resources are now enabled by default. +- [772](https://github.com/nginx/kubernetes-ingress/pull/772): Update VS/VSR version from v1alpha1 to v1. Make sure to update the `apiVersion` of your VirtualServer and VirtualServerRoute resources. +- [748](https://github.com/nginx/kubernetes-ingress/pull/748): Add TLS redirect support in VirtualServer. The `redirect-to-https` and `ssl-redirect` ConfigMap keys no longer have any effect on generated configs for VirtualServer resources. +- [745](https://github.com/nginx/kubernetes-ingress/pull/745): Improve routing rules. Update the spec of VirtualServer and VirtualServerRoute accordingly. See YAML examples of the changes [here](https://github.com/nginx/kubernetes-ingress/pull/745). +- [710](https://github.com/nginx/kubernetes-ingress/pull/710): Run IC as non-root. Make sure to use the updated manifests to install/upgrade the Ingress Controller. +- [603](https://github.com/nginx/kubernetes-ingress/pull/603): Update apiVersion in Deployments and DaemonSets to apps/v1. +- Documentation improvements: [713](https://github.com/nginx/kubernetes-ingress/pull/713) thanks to [Matthew Wahner](https://github.com/mattwahner). + +### Fixes + +- [788](https://github.com/nginx/kubernetes-ingress/pull/788): Fix VSR updates when namespace is set implicitly. +- [736](https://github.com/nginx/kubernetes-ingress/pull/736): Init Ingress labeled metrics on start. +- [686](https://github.com/nginx/kubernetes-ingress/pull/686): Check if config map created for leader-election. +- [664](https://github.com/nginx/kubernetes-ingress/pull/664): Fix reporting events for Ingress minions. +- [632](https://github.com/nginx/kubernetes-ingress/pull/632): Fix hsts support when not using SSL. Thanks to [Martín Fernández](https://github.com/bilby91). + +### Helm Chart + +- Add new parameters to the Chart: `controller.healthCheckURI`, `controller.resources`, `controller.logLevel`, `controller.customPorts`, `controller.service.customPorts`. Added in [750](https://github.com/nginx/kubernetes-ingress/pull/750), [636](https://github.com/nginx/kubernetes-ingress/pull/636) thanks to [Guilherme Oki](https://github.com/guilhermeoki), [600](https://github.com/nginx/kubernetes-ingress/pull/600), [581](https://github.com/nginx/kubernetes-ingress/pull/581) thanks to [Alex Meijer](https://github.com/ameijer-corsha). +- [722](https://github.com/nginx/kubernetes-ingress/pull/722): Fix trailing leader election cm when using helm. This change might lead to a failed upgrade. See the helm upgrade instruction below. +- [573](https://github.com/nginx/kubernetes-ingress/pull/573): Use Controller name value for app selectors. + +### Dependencies + +- Update NGINX versions to 1.17.6. +- Update NGINX Plus version to R20. + +### Upgrade + +- For NGINX, use the 1.6.0 image from our DockerHub: `nginx/nginx-ingress:1.6.0` or `nginx/nginx-ingress:1.6.0-alpine` +- For NGINX Plus, please build your own image using the 1.6.0 source code. +- For Helm, use version 0.4.0 of the chart. + +#### Helm upgrade + +If leader election (the `controller.reportIngressStatus.enableLeaderElection` parameter) is enabled, when upgrading to the new version of the Helm chart: + +1. Make sure to specify a new ConfigMap lock name (`controller.reportIngressStatus.leaderElectionLockName`) different from the one that was created by the current version. To find out the current name, check ConfigMap resources in the namespace where the Ingress Controller is running. +1. After the upgrade, delete the old ConfigMap. + +Otherwise, the helm upgrade will not succeed. + +## Previous Releases + +To see the previous releases, see the [Releases page](https://github.com/nginx/kubernetes-ingress/releases) on the Ingress Controller GitHub repo. diff --git a/content/nic/changelog/2020.md b/content/nic/changelog/2020.md new file mode 100644 index 000000000..7dfd1f85c --- /dev/null +++ b/content/nic/changelog/2020.md @@ -0,0 +1,309 @@ +--- +title: "2020 archive" +# Weights are assigned in increments of 100: determines sorting order +weight: 500 +# Creates a table of contents and sidebar, useful for large documents +toc: true +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: reference +nd-product: NIC +--- + +## 1.9.1 + +23 November 2020 + +### Dependencies + +- Update the base ubi images to 8.3. + +### Features + +- Fix deployment of ingressclass resource via helm on some versions of Kubernetes. +- Renew CA cert for egress-mtls example. +- Add imagePullSecretName support to helm chart. + +### Upgrade + +- For NGINX, use the 1.9.1 image from our DockerHub: `nginx/nginx-ingress:1.9.1`, `nginx/nginx-ingress:1.9.1-alpine` or `nginx/nginx-ingress:1.9.1-ubi` +- For NGINX Plus, please build your own image using the 1.9.1 source code. +- For Helm, use version 0.7.1 of the chart. + +## 1.9.0 + +20 October 2020 + +### Overview + +Release 1.9.0 includes: + +- Support for new Prometheus metrics and enhancements of the existing ones, including configuration reload reason, NGINX worker processes count, upstream latency, and more. +- Support for rate limiting, JWT authentication, ingress(client) and egress(upstream) mutual TLS via the Policy resource. +- Support for the latest Ingress resource features and the IngressClass resource. +- Support for NGINX Service Mesh. + +You will find the complete changelog for release 1.9.0, including bug fixes, improvements, and changes below. + +### Features + +- [1180](https://github.com/nginx/kubernetes-ingress/pull/1180) Add support for EgressMTLS. +- [1166](https://github.com/nginx/kubernetes-ingress/pull/1166) Add IngressMTLS policy support. +- [1154](https://github.com/nginx/kubernetes-ingress/pull/1154) Add JWT policy support. +- [1120](https://github.com/nginx/kubernetes-ingress/pull/1120) Add RateLimit policy support. +- [1058](https://github.com/nginx/kubernetes-ingress/pull/1058) Support policies in VS routes and VSR subroutes. +- [1147](https://github.com/nginx/kubernetes-ingress/pull/1147) Add option to specify other log destinations in AppProtect. +- [1131](https://github.com/nginx/kubernetes-ingress/pull/1131) Update packages and CRDs to AppProtect 2.0. This update includes features such as [JSON Schema Validation]({{< ref "/waf/policies/xml-json-content.md" >}}) and [User-defined URLs and parameters]({{< ref "/waf/policies/user-urls-parameters.md" >}}). See the [release notes]({{< ref "/waf/changelog.md" >}}) for a complete feature list. +- [1100](https://github.com/nginx/kubernetes-ingress/pull/1100) Add external references to AppProtect. +- [1085](https://github.com/nginx/kubernetes-ingress/pull/1085) Add installation of threat campaigns package. +- [1133](https://github.com/nginx/kubernetes-ingress/pull/1133) Add support for IngressClass resources. +- [1130](https://github.com/nginx/kubernetes-ingress/pull/1130) Add prometheus latency collector. +- [1076](https://github.com/nginx/kubernetes-ingress/pull/1076) Add prometheus worker process metrics. +- [1075](https://github.com/nginx/kubernetes-ingress/pull/1075) Add support for NGINX Service Mesh internal routes. +- [1178](https://github.com/nginx/kubernetes-ingress/pull/1178) Resolve host collisions in VirtualServer and Ingresses. +- [1158](https://github.com/nginx/kubernetes-ingress/pull/1158) Support variables in action proxy headers. +- [1137](https://github.com/nginx/kubernetes-ingress/pull/1137) Add pod_owner label to metrics when -spire-agent-address is set. +- [1107](https://github.com/nginx/kubernetes-ingress/pull/1107) Extend Upstream Servers with pod_name label. +- [1099](https://github.com/nginx/kubernetes-ingress/pull/1099) Add reason label to total_reload metrics. +- [1088](https://github.com/nginx/kubernetes-ingress/pull/1088) Extend Upstream Servers and Server Zones metrics, thanks to [Raúl](https://github.com/Rulox). +- [1080](https://github.com/nginx/kubernetes-ingress/pull/1080) Support pathType field in the Ingress resource. +- [1078](https://github.com/nginx/kubernetes-ingress/pull/1078) Remove trailing blank lines in vs/vsr snippets. +- Documentation improvements: [1083](https://github.com/nginx/kubernetes-ingress/pull/1083), [1092](https://github.com/nginx/kubernetes-ingress/pull/1092), [1089](https://github.com/nginx/kubernetes-ingress/pull/1089), [1174](https://github.com/nginx/kubernetes-ingress/pull/1174), [1175](https://github.com/nginx/kubernetes-ingress/pull/1175), [1171](https://github.com/nginx/kubernetes-ingress/pull/1171). + +### Fixes + +- [1179](https://github.com/nginx/kubernetes-ingress/pull/1179) Fix TransportServers in debian AppProtect image. +- [1129](https://github.com/nginx/kubernetes-ingress/pull/1129) Support real-ip in default server. +- [1110](https://github.com/nginx/kubernetes-ingress/pull/1110) Add missing threat campaigns key to AppProtect CRD. + +### Helm Chart + +- [1105](https://github.com/nginx/kubernetes-ingress/pull/1105) Fix GlobalConfiguration support in helm chart. +- Add new parameters to the Chart: `controller.setAsDefaultIngress`, `controller.enableLatencyMetrics`. Added in [1133](https://github.com/nginx/kubernetes-ingress/pull/1133) and [1148](https://github.com/nginx/kubernetes-ingress/pull/1148). + +### Dependencies + +- [1182](https://github.com/nginx/kubernetes-ingress/pull/1182) Update NGINX version to 1.19.3. + +### Upgrade + +- For NGINX, use the 1.9.0 image from our DockerHub: `nginx/nginx-ingress:1.9.0`, `nginx/nginx-ingress:1.9.0-alpine` or `nginx-ingress:1.9.0-ubi` +- For NGINX Plus, please build your own image using the 1.9.0 source code. +- For Helm, use version 0.7.0 of the chart. + +For Kubernetes >= 1.18, when upgrading using [Manifests]({{< ref "/nic/install/manifests.md" >}}), make sure to update the [ClusterRole](https://github.com/nginx/kubernetes-ingress/blob/v1.9.0/deployments/rbac/rbac.yaml) and create the [IngressClass resource](https://github.com/nginx/kubernetes-ingress/blob/v1.9.0/deployments/common/ingress-class.yaml), which is required for Kubernetes >= 1.18. Otherwise, the Ingress Controller will fail to start. If you run multiple NGINX Ingress Controllers in the cluster, each Ingress Controller must have its own IngressClass resource. As the `-use-ingress-class-only` argument is now ignored (see NOTES), make sure your Ingress resources have the `ingressClassName` field or the `kubernetes.io/ingress.class` annotation set to the name of the IngressClass resource. Otherwise, the Ingress Controller will ignore them. + +#### Helm Upgrade + +- If you're using custom resources like VirtualServer and TransportServer (`controller.enableCustomResources` is set to `true`), after you run the `helm upgrade` command, the CRDs will not be upgraded. After running the `helm upgrade` command, run `kubectl apply -f deployments/helm-chart/crds` to upgrade the CRDs. +- For Kubernetes >= 1.18, a dedicated IngressClass resource, which is configured by `controller.ingressClass`, is required per helm release. Ensure `controller.ingressClass` is not set to the name of the IngressClass of other releases or Ingress Controllers. As the `controller.useIngressClassOnly` parameter is now ignored (see NOTES), make sure your Ingress resources have the `ingressClassName` field or the `kubernetes.io/ingress.class` annotation set to the value of `controller.ingressClass`. Otherwise, the Ingress Controller will ignore them. + +### Notes + +- When using Kubernetes >= 1.18, the `-use-ingress-class-only` command-line argument is now ignored, and the Ingress Controller will only process resources that belong to its class. See [IngressClass doc]({{< ref "/nic/install/multiple-controllers.md#ingress-class" >}}) for more details. +- For Kubernetes >= 1.18, a dedicated IngressClass resource, which is configured by `controller.ingressClass`, is required per helm release. When upgrading or installing releases, ensure `controller.ingressClass` is not set to the name of the IngressClass of other releases or Ingress Controllers. + +## 1.8.1 + +14 August 2020 + +### Dependencies + +- Update NGINX version to 1.19.2. + +### Upgrade + +- For NGINX, use the 1.8.1 image from our DockerHub: `nginx/nginx-ingress:1.8.1`, `nginx/nginx-ingress:1.8.1-alpine` or `nginx/nginx-ingress:1.8.1-ubi` +- For NGINX Plus, please build your own image using the 1.8.1 source code. +- For Helm, use version 0.6.1 of the chart. + +## 1.8.0 + +22 July 2020 + +### Overview + +Release 1.8.0 includes: + +- Support for NGINX App Protect Web Application Firewall. +- Support for configuration snippets and custom template for VirtualServer and VirtualServerRoute resources. +- Support for request/response header manipulation and request URI rewriting for VirtualServer/VirtualServerRoute. +- Introducing a new configuration resource - Policy - with the first policy for IP-based access control. + +You will find the complete changelog for release 1.8.0, including bug fixes, improvements, and changes below. + +FEATURES FOR VIRTUALSERVER AND VIRTUALSERVERROUTE RESOURCES: + +- [1036](https://github.com/nginx/kubernetes-ingress/pull/1036): Add VirtualServer custom template support. +- [1028](https://github.com/nginx/kubernetes-ingress/pull/1028): Add access control policy. +- [1019](https://github.com/nginx/kubernetes-ingress/pull/1019): Add VirtualServer/VirtualServerRoute snippets support. +- [1006](https://github.com/nginx/kubernetes-ingress/pull/1006): Add request/response modifiers to VS and VSR. +- [994](https://github.com/nginx/kubernetes-ingress/pull/994): Support Class Field in VS/VSR. +- [973](https://github.com/nginx/kubernetes-ingress/pull/973): Add status to VirtualServer and VirtualServerRoute. + +### Features + +- [1035](https://github.com/nginx/kubernetes-ingress/pull/1035): Support for App Protect module. +- [1029](https://github.com/nginx/kubernetes-ingress/pull/1029): Add readiness endpoint. +- [995](https://github.com/nginx/kubernetes-ingress/pull/995): Emit event for orphaned VirtualServerRoutes. +- [1029](https://github.com/nginx/kubernetes-ingress/pull/1029): Add readiness endpoint. The Ingress Controller now exposes a readiness endpoint on port `8081` and the path `/nginx-ready`. The endpoint returns a `200` response after the Ingress Controller finishes the initial configuration of NGINX at the start. The pod template was updated to use that endpoint in a readiness probe. +- [980](https://github.com/nginx/kubernetes-ingress/pull/980): Enable leader election by default. +- Documentation improvements: [946](https://github.com/nginx/kubernetes-ingress/pull/946) thanks to [谭九鼎](https://github.com/imba-tjd), [948](https://github.com/nginx/kubernetes-ingress/pull/948), [972](https://github.com/nginx/kubernetes-ingress/pull/972), [965](https://github.com/nginx/kubernetes-ingress/pull/965). + +### Fixes + +- [1030](https://github.com/nginx/kubernetes-ingress/pull/1030): Fix port range validation in cli arguments. +- [953](https://github.com/nginx/kubernetes-ingress/pull/953): Fix error logging of master/minion ingresses. + +### Helm Chart + +- Add new parameters to the Chart: `controller.appprotect.enable`, `controller.globalConfiguration.create`, `controller.globalConfiguration.spec`, `controller.readyStatus.enable`, `controller.readyStatus.port`, `controller.config.annotations`, `controller.reportIngressStatus.annotations`. Added in [1035](https://github.com/nginx/kubernetes-ingress/pull/1035), [1034](https://github.com/nginx/kubernetes-ingress/pull/1034), [1029](https://github.com/nginx/kubernetes-ingress/pull/1029), [1003](https://github.com/nginx/kubernetes-ingress/pull/1003) thanks to [RubyLangdon](https://github.com/RubyLangdon). +- [1047](https://github.com/nginx/kubernetes-ingress/pull/1047) and [1009](https://github.com/nginx/kubernetes-ingress/pull/1009): Change how Helm manages the custom resource definitions (CRDs) to support installing multiple Ingress Controller releases. **Note**: If you're using the custom resources (`controller.enableCustomResources` is set to `true`), this is a breaking change. See the HELM UPGRADE section below for the upgrade instructions. + +### Dependencies + +- Update NGINX version to 1.19.1. +- Update NGINX Plus to R22. + +### Upgrade + +- For NGINX, use the 1.8.0 image from our DockerHub: `nginx/nginx-ingress:1.8.0`, `nginx/nginx-ingress:1.8.0-alpine` or `nginx-ingress:1.8.0-ubi` +- For NGINX Plus, please build your own image using the 1.8.0 source code. +- For Helm, use version 0.6.0 of the chart. + +#### Helm Upgrade + +If you're using custom resources like VirtualServer and TransportServer (`controller.enableCustomResources` is set to `true`), after you run the `helm upgrade` command, the CRDs and the corresponding custom resources will be removed from the cluster. Before upgrading, make sure to back up the custom resources. After running the `helm upgrade` command, run `kubectl apply -f deployments/helm-chart/crds` to re-install the CRDs and then restore the custom resources. + +### Notes + +- As part of installing a release, Helm will install the CRDs unless that step is disabled (see the [corresponding doc]({{< ref "/nic/install/helm.md" >}}). The installed CRDs include the CRDs for all Ingress Controller features, including the ones disabled by default (like App Protect with `aplogconfs.appprotect.f5.com` and `appolicies.appprotect.f5.com` CRDs). + +## 1.7.2 + +23 June 2020 + +### Dependencies + +- Update NGINX Plus version to R22. + +### Upgrade + +- For NGINX, use the 1.7.2 image from our DockerHub: `nginx/nginx-ingress:1.7.2`, `nginx/nginx-ingress:1.7.2-alpine` or `nginx/nginx-ingress:1.7.2-ubi` +- For NGINX Plus, please build your own image using the 1.7.2 source code. +- For Helm, use version 0.5.2 of the chart. + +## 1.7.1 + +4 June 2020 + +### Dependencies + +- Update NGINX version to 1.19.0. + +### Upgrade + +- For NGINX, use the 1.7.1 image from our DockerHub: `nginx/nginx-ingress:1.7.1`, `nginx/nginx-ingress:1.7.1-alpine` or `nginx/nginx-ingress:1.7.1-ubi` +- For NGINX Plus, please build your own image using the 1.7.1 source code. +- For Helm, use version 0.5.1 of the chart. + +## 1.7.0 + +30 April 2020 + +### Overview + +Release 1.7.0 includes: + +- Support for TCP, UDP, and TLS Passthrough load balancing with the new configuration resources: TransportServer and GlobalConfiguration. The resources allow users to deliver complex, non-HTTP-based applications from Kubernetes using NGINX Ingress Controller. +- Support for error pages in VirtualServer and VirtualServerRoute resources. A user can now specify custom error responses for errors returned by backend applications or generated by NGINX, such as a 502 response. +- Improved validation of VirtualServer and VirtualServerRoute resources. kubectl and the Kubernetes API server can now detect violations of the structure of VirtualServer/VirtualServerRoute resources and return an error. +- Support for an operator which manages the lifecycle of the Ingress Controller on Kubernetes or OpenShift. See the [NGINX Ingress Operator GitHub repo](https://github.com/nginxinc/nginx-ingress-operator). + +See the [1.7.0 release announcement blog post](https://www.nginx.com/blog/announcing-nginx-ingress-controller-for-kubernetes-release-1-7-0/), which includes an overview of each feature. + +You will find the complete changelog for release 1.7.0, including bug fixes, improvements, and changes below. + +FEATURES FOR VIRTUALSERVER AND VIRTUALSERVERROUTE RESOURCES: + +- [868](https://github.com/nginx/kubernetes-ingress/pull/868): Add OpenAPI CRD schema validation. +- [847](https://github.com/nginx/kubernetes-ingress/pull/847): Add support for error pages for VS/VSR. + +### Features + +- [902](https://github.com/nginx/kubernetes-ingress/pull/902): Add TransportServer and GlobalConfiguration Resources. +- [894](https://github.com/nginx/kubernetes-ingress/pull/894): Add Dockerfile for NGINX Open Source for Openshift. +- [857](https://github.com/nginx/kubernetes-ingress/pull/857): Add Openshift Dockerfile for NGINX Plus. +- [852](https://github.com/nginx/kubernetes-ingress/pull/852): Add default-server-access-log-off to configmap. +- [845](https://github.com/nginx/kubernetes-ingress/pull/845): Add log-format-escaping and stream-log-format-escaping configmap keys. Thanks to [Alexey Maslov](https://github.com/alxmsl). +- [827](https://github.com/nginx/kubernetes-ingress/pull/827): Add ingress class label to all Prometheus metrics. +- [850](https://github.com/nginx/kubernetes-ingress/pull/850): Extend redirect URI validation with protocol check in VS/VSR. +- [832](https://github.com/nginx/kubernetes-ingress/pull/832): Update the examples to run the `nginxdemos/nginx-hello:plain-text` image, that doesn't require root user. +- [825](https://github.com/nginx/kubernetes-ingress/pull/825): Add multi-stage docker builds. +- [852](https://github.com/nginx/kubernetes-ingress/pull/852): Add default-server-access-log-off to configmap. The access logs for the default server are now enabled by default. +- [847](https://github.com/nginx/kubernetes-ingress/pull/847): Add support for error pages for VS/VSR. The PR affects how the Ingress Controller generates configuration for VirtualServer and VirtualServerRoutes. See [this comment](https://github.com/nginx/kubernetes-ingress/pull/847) for more details. +- [827](https://github.com/nginx/kubernetes-ingress/pull/827): Add ingress class label to all Prometheus metrics. Every Prometheus metric exposed by the Ingress Controller now includes the label `class` with the value of the Ingress Controller class (by default `nginx`), +- [825](https://github.com/nginx/kubernetes-ingress/pull/825): Add multi-stage docker builds. When building the Ingress Controller image in Docker, we now use a multi-stage docker build. + +### Fixes + +- [828](https://github.com/nginx/kubernetes-ingress/pull/828): Fix error messages for actions of the type return. + +### Helm Chart + +- Add new parameters to the Chart: `controller.enableTLSPassthrough`, `controller.volumes`, `controller.volumeMounts`, `controller.priorityClassName`. Added in [921](https://github.com/nginx/kubernetes-ingress/pull/921), [878](https://github.com/nginx/kubernetes-ingress/pull/878), [807](https://github.com/nginx/kubernetes-ingress/pull/807) thanks to [Greg Snow](https://github.com/gsnegovskiy). + +### Dependencies + +- Update NGINX version to 1.17.10. +- Update NGINX Plus to R21. +- [854](https://github.com/nginx/kubernetes-ingress/pull/854): Update the Debian base images for NGINX Plus to `debian:buster-slim`. + +### Upgrade + +- For NGINX, use the 1.7.0 image from our DockerHub: `nginx/nginx-ingress:1.7.0`, `nginx/nginx-ingress:1.7.0-alpine` or `nginx-ingress:1.7.0-ubi` +- For NGINX Plus, please build your own image using the 1.7.0 source code. +- For Helm, use version 0.5.0 of the chart. + +When upgrading using the [manifests]({{< ref "/nic/install/manifests.md" >}}), make sure to deploy the new TransportServer CRD (`common/ts-definition.yaml`), as it is required by the Ingress Controller. Otherwise, you will get error messages in the Ingress Controller logs. + +## 1.6.3 + +6 March 2020 + +### Dependencies + +- Update NGINX version to 1.17.9. + +### Upgrade + +- For NGINX, use the 1.6.3 image from our DockerHub: `nginx/nginx-ingress:1.6.3` or `nginx/nginx-ingress:1.6.3-alpine` +- For NGINX Plus, please build your own image using the 1.6.3 source code. +- For Helm, use version 0.4.3 of the chart. + +## 1.6.2 + +6 February 2020 + +### Dependencies + +- Update NGINX version to 1.17.8. + +### Upgrade + +- For NGINX, use the 1.6.2 image from our DockerHub: `nginx/nginx-ingress:1.6.2` or `nginx/nginx-ingress:1.6.2-alpine` +- For NGINX Plus, please build your own image using the 1.6.2 source code. +- For Helm, use version 0.4.2 of the chart. + +## 1.6.1 + +14 January 2020 + +### Dependencies + +- Update NGINX version to 1.17.7. + +### Upgrade + +- For NGINX, use the 1.6.1 image from our DockerHub: `nginx/nginx-ingress:1.6.1` or `nginx/nginx-ingress:1.6.1-alpine` +- For NGINX Plus, please build your own image using the 1.6.1 source code. +- For Helm, use version 0.4.1 of the chart. diff --git a/content/nic/changelog/2021.md b/content/nic/changelog/2021.md new file mode 100644 index 000000000..f2af68315 --- /dev/null +++ b/content/nic/changelog/2021.md @@ -0,0 +1,485 @@ +--- +title: "2021 archive" +# Weights are assigned in increments of 100: determines sorting order +weight: 400 +# Creates a table of contents and sidebar, useful for large documents +toc: true +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: reference +nd-product: NIC +--- + +## 2.0.3 + +28 October 2021 + +### Breaking Changes + +- [2124](https://github.com/nginx/kubernetes-ingress/pull/2124) Apply -enable-snippets cli arg to Ingresses. This PR extends the existing -enable-snippets cli argument to apply to Ingress resources. If snippets are not enabled, the Ingress Controller will reject any Ingress resources with snippets annotations. Previously, the argument only applied to VirtualServer, VirtualServerRoute and TransportServer resources. Please Note: this is a breaking change. See the `UPGRADE` instructions below. + +### Fixes + +- [2132](https://github.com/nginx/kubernetes-ingress/pull/2132) Install libcurl on OpenTracing for NGINX Plus. + +### Upgrade + +- For NGINX, use the 2.0.3 image from our DockerHub: `nginx/nginx-ingress:2.0.3`, `nginx/nginx-ingress:2.0.3-alpine` or `nginx/nginx-ingress:2.0.3-ubi` +- For NGINX Plus, please build your own image using the 2.0.3 source code. +- For Helm, use version 0.11.3 of the chart. +- We changed the behaviour of snippets in Ingress resources by extending the existing -enable-snippets cli argument to apply to Ingress resources as well as VirtualServer, VirtualServerRoute and TransportServer resources. Because the default value of -enable-snippets is false, if you are using snippets in Ingress resources, you must explicitly set the -enable-snippets to true before upgrading the Ingress Controller, so that the new version of the Ingress Controller doesn't reject Ingresses with snippets annotations. + +## 1.12.3 + +28 October 2021 + +### Fixes + +- [2133](https://github.com/nginx/kubernetes-ingress/pull/2133) Use release specific repo for the App Protect packages on Debian. This fixes an error when building Debian-based images with NGINX Plus with App Protect: previously, building an image would fail with the error `nginx-plus-module-appprotect : Depends: app-protect-plugin (= 3.639.0-1~buster) but 3.671.0-1~buster is to be installed`. The bug first appeared when NGINX App Protect version 3.6 was released on 13 October 2021. +- [2134](https://github.com/nginx/kubernetes-ingress/pull/2134) Apply -enable-snippets cli arg to Ingresses. This PR extends the existing -enable-snippets cli argument to apply to Ingress resources. If snippets are not enabled, the Ingress Controller will reject any Ingress resources with snippets annotations. Previously, the argument only applied to VirtualServer, VirtualServerRoute and TransportServer resources. Please Note: this is a breaking change. See the `UPGRADE` instructions below. + +### Upgrade + +- For NGINX, use the 1.12.3 image from our DockerHub: `nginx/nginx-ingress:1.12.3`, `nginx/nginx-ingress:1.12.3-alpine` or `nginx/nginx-ingress:1.12.3-ubi` +- For NGINX Plus, please build your own image using the 1.12.3 source code. +- For Helm, use version 0.10.3 of the chart. +- We changed the behaviour of snippets in Ingress resources by extending the existing -enable-snippets cli argument to apply to Ingress resources as well as VirtualServer, VirtualServerRoute and TransportServer resources. Because the default value of -enable-snippets is false, if you are using snippets in Ingress resources, you must explicitly set the -enable-snippets to true before upgrading the Ingress Controller, so that the new version of the Ingress Controller doesn't reject Ingresses with snippets annotations. + +## 2.0.2 + +13 October 2021 + +### Dependencies + +- Update NGINX App Protect version to 3.6. +- Update NGINX Plus version to R25 in NGINX App Protect enabled images. + +### Features + +- [2074](https://github.com/nginx/kubernetes-ingress/pull/2074) Update JWT library to `golang-jwt/jwt`. Previously, the Ingress Controller used `dgrijalva/jwt-go`, which has a vulnerability [CVE-2020-26160](https://nvd.nist.gov/vuln/detail/CVE-2020-26160). Note that the Ingress Controller wasn’t affected by this vulnerability, and the jwt library was used only in the NGINX Plus images from AWS Marketplace for Containers. + +### Upgrade + +- For NGINX, use the 2.0.2 image from our DockerHub. +- For NGINX Plus, use the 2.0.2 from the F5 Container registry or build your own image using the 2.0.2 source code. +- For Helm, use version 0.11.2 of the chart. + +## 2.0.1 + +07 October 2021 + +### Fixes + +- [2051](https://github.com/nginx/kubernetes-ingress/pull/2051) Use release specific repo for NGINX Plus on Debian. This fixes an error when building the Debian-based image with NGINX Plus and App Protect: previously, building the image would fail with the error `Package 'nginx-plus-r24' has no installation candidate`. + +### Upgrade + +- For NGINX, use the 2.0.1 image from our DockerHub. +- For NGINX Plus, use the 2.0.1 from the F5 Container registry or build your own image using the 2.0.1 source code. +- For Helm, use version 0.11.1 of the chart. + +## 1.12.2 + +7 October 2021 + +### Fixes + +- [2048](https://github.com/nginx/kubernetes-ingress/pull/2048) Use release specific repo for NGINX Plus on Debian. This fixes an error when building Debian-based images with NGINX Plus: previously, building an image would fail with the error `Package 'nginx-plus-r24' has no installation candidate`. The bug first appeared when NGINX Plus R25 was released on 28 September 2021. + +### Upgrade + +- For NGINX, use the 1.12.2 image from our DockerHub: `nginx/nginx-ingress:1.12.2`, `nginx/nginx-ingress:1.12.2-alpine` or `nginx/nginx-ingress:1.12.2-ubi` +- For NGINX Plus, please build your own image using the 1.12.2 source code. +- For Helm, use version 0.10.2 of the chart. + +## 2.0.0 + +28 September 2021 + +### Overview + +Release 2.0.0 includes: + +- *Support for Ingress networking.k8s.io/v1*. Kubernetes 1.22 removes support for networking.k8s.io/v1beta1. To support Kubernetes 1.22, NGINX Ingress Controller 2.0 is also compatible with only the networking.k8s.io/v1 version of the Ingress and IngressClass resources. This has the following implications: + 1. The minimum supported version of Kubernetes is now 1.19. For older Kubernetes versions, use the 1.12.x release of the Ingress Controller. + 2. For Kubernetes versions 1.19-1.21, you can continue using the `networking.k8s.io/v1beta1` of the Ingress and IngressClass resources. + 3. For Kubernetes 1.22, you need to migrate your Ingress and IngressClass resources to `networking.k8s.io/v1`. + 4. If you are using the deprecated `kubernetes.io/ingress.class` annotation in your Ingress resources, it is recommended to switch to the `ingressClassName` field. + + We migrated all our documentation and examples to use `networking.k8s.io/v1` and the `ingressClassName` field of the Ingress resource. +- *Scalability improvements*. We improved the time for an Ingress Controller pod to become ready and start receiving traffic. This is especially noticeable when you have hundreds of Ingress or other configuration resources like VirtualServers: instead of several minutes or more in rare cases, a pod will become ready within a few minutes. +- *Documentation improvements* We changed the look and feel of our documentation as well as the underlying publishing technology, which will allow us to bring even more improvements in the next releases. +- *Upgrade path for k8s.nginx.org/v1alpha1 Policy resource* If you’re running release 1.9.0 and using the k8s.nginx.org/v1alpha1 Policy, the Ingress Controller now supports an upgrade path from v1alpha1 to v1 Policy version without downtime. See UPDATING POLICIES section below. + +You will find the complete changelog for release 2.0.0, including bug fixes, improvements, and changes below. + +### Breaking Changes + +- [1850](https://github.com/nginx/kubernetes-ingress/pull/1850) Support Ingress and IngressClass v1. + +### Features + +- [1908](https://github.com/nginx/kubernetes-ingress/pull/1908) Add NTLM support to VirtualServer and VirtualServerRoute upstreams. +- [1746](https://github.com/nginx/kubernetes-ingress/pull/1746) Add ingressClassName field to Policy. +- [1956](https://github.com/nginx/kubernetes-ingress/pull/1956) Add v1alpha1 version back to policy CRD. +- [1907](https://github.com/nginx/kubernetes-ingress/pull/1907) Remove libs compilation for OpenTracing in Dockerfile; add Zipkin and Datadog in addition to the already supported Jaeger tracer; additionally, for NGINX we now publish a Docker image with the tracers and the OpenTracing module on DockerHub: `nginx-ic/nginx-plus-ingress:1.12.0-ot`. Also thanks to [MatyRi](https://github.com/MatyRi) for upgrading OpenTracing in [1883](https://github.com/nginx/kubernetes-ingress/pull/1883). +- [1788](https://github.com/nginx/kubernetes-ingress/pull/1788) Reload only once during the start. This significantly reduces the time it takes for an Ingress Controller pod to become ready when hundreds of Ingress or other supported resources are created in the cluster. +- [1721](https://github.com/nginx/kubernetes-ingress/pull/1721) Increase default reload timeout to 60s: the Ingress Controller will wait for 60s for NGINX to start or reload. Previously, the default was 4 seconds. +- [2009](https://github.com/nginx/kubernetes-ingress/pull/2009) Increase default upstream zone size for NGINX Plus. See the INCREASED UPSTREAM ZONES section below. + +### Fixes + +- [1926](https://github.com/nginx/kubernetes-ingress/pull/1926) Fix increased IC pod startup time when hundreds of VirtualServerRoutes are used +- [1712](https://github.com/nginx/kubernetes-ingress/pull/1712) Allow `make` to build image when .git directory is missing. + +### Documentation + +- [1932](https://github.com/nginx/kubernetes-ingress/pull/1932) Add IAM instructions for NGINX Plus AWS Marketplace images. +- [1927](https://github.com/nginx/kubernetes-ingress/pull/1927) Fix function name comments typo. Thanks to [Sven Nebel](https://github.com/snebel29). +- [1898](https://github.com/nginx/kubernetes-ingress/pull/1898) Add instructions for configuring MyF5 JWT as a Docker registry secret for the F5 Container registry for NGINX Plus images. +- [1851](https://github.com/nginx/kubernetes-ingress/pull/1851) Update docs and examples to use networking.k8s.io/v1. +- [1765](https://github.com/nginx/kubernetes-ingress/pull/1765) Create documentation for pulling NGINX Plus images from the F5 Container registry. +- [1740](https://github.com/nginx/kubernetes-ingress/pull/1740) Publish docs using Hugo and Netlify. +- [1702](https://github.com/nginx/kubernetes-ingress/pull/1702) Add security recommendations documentation. + +### Helm Chart + +- Add new parameters to the Chart: `controller.pod.extraLabels`. Added in [1884](https://github.com/nginx/kubernetes-ingress/pull/1884). + +### Dependencies + +- [1855](https://github.com/nginx/kubernetes-ingress/pull/1855) Update minimum Kubernetes version to 1.19; remove the `-use-ingress-class-only` command-line argument, which doesn't work with Kubernetes >= 1.19. +- Update NGINX Plus version to R25. **Note**: images with NGINX App Protect will continue to use R24 until App Protect 3.6 is released. +- Update NGINX version to 1.21.3. + +### Upgrade + +- For NGINX, use the 2.0.0 image from our DockerHub. +- For NGINX Plus, use the 2.0.0 from the F5 Container registry or build your own image using the 2.0.0 source code. +- For Helm, use version 0.11.0 of the chart. + +See the complete list of supported images for NGINX and NGINX Plus on the [Technical Specifications]({{< ref "/nic/technical-specifications.md#supported-docker-images" >}}) page. + +INCREASED UPSTREAM ZONES + +We increased the default size of an upstream zone from 256K to 512K to accommodate a change in NGINX Plus R25. The change makes NGINX Plus allocate more memory for storing upstream server (peer) data, which means upstream server zones will use more memory to account for that new data. + +The increase in the zone size is to prevent NGINX Plus configuration reload failures after an upgrade to release 1.13.0. Note that If a zone becomes full, NGINX Plus will fail to reload and fail to add more upstream servers via the API. + +The new 512K default value will be able to hold ~270 upstream servers per upstream, similarly to how the old 256K value was able to hold the same number of upstream servers in the previous Ingress Controller releases. You can understand the utilization of the upstream zones via [NGINX Plus API](http://nginx.org/en/docs/http/ngx_http_api_module.html#slabs) and the [NGINX Plus dashboard]({{< ref "/nic/logging-and-monitoring/status-page.md#accessing-live-activity-monitoring-dashboard" >}}) (the shared zones tab). + +If you have a large number of upstream in the NGINX Plus configuration of the Ingress Controller, expect that after an upgrade NGINX Plus will consume more memory: +256K per upstream. If you don’t have upstreams with huge number of upstream serves and you’d like to reduce the memory usage of NGINX Plus, you can configure the `upstream-zone-size` [ConfigMap key]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#backend-services-upstreams" >}}) with a lower value. Additionally, the Ingress resource supports `nginx.org/upstream-zone-size` [annotation]({{< ref "/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md#backend-services-upstreams" >}}) to configure zone sizes for the upstreams of an Ingress resource rather than globally. + +UPDATING POLICIES + +This section is only relevant if you’re running release 1.9.0 and planning to upgrade to release 2.0.0. + +Release 1.10 removed the `k8s.nginx.org/v1alpha1 version` of the Policy resource and introduced the `k8s.nginx.org/v1` version. This means that to upgrade to release 1.10 users had to re-create v1alpha1 Policies with the v1 version, which caused downtime for their applications. Release 2.0.0 brings back the support for the v1alpha1 Policy, which makes it possible to upgrade from 1.9.0 to 2.0.0 release without causing downtime: + +- If the Policy is marked as a preview feature in the [documentation]({{< ref "/nic/configuration/policy-resource.md" >}}), make sure the -enable-preview-policies command-line argument is set in 2.0.0 Ingress Controller. +- During the upgrade, the existing Policies will not be removed. +- After the upgrade, make sure to update the Policy manifests to k8s.nginx.org/v1 version. + +Please also read the [release 1.10 changelog](#1100) for the instructions on how to update Secret resources, which is also necessary since some of the Policies reference Secrets. + +Note that 2.1.0 will remove support for the v1alpha1 version of the Policy. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and which passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.19-1.22. + +## 1.12.1 + +8 September 2021 + +### Dependencies + +- Update NGINX App Protect version to 3.5. + +### Upgrade + +- For NGINX, use the 1.12.1 image from our DockerHub: `nginx/nginx-ingress:1.12.1`, `nginx/nginx-ingress:1.12.1-alpine` or `nginx/nginx-ingress:1.12.1-ubi` +- For NGINX Plus, use the 1.12.1 image from the F5 Container Registry - see [the documentation here]({{< ref "/nic/install/images/registry-download.md">}}) +- Alternatively, you can also build your own image using the 1.12.1 source code. +- For Helm, use version 0.10.1 of the chart. + +## 1.12.0 + +30 June 2021 + +### Overview + +Release 1.12.0 includes: + +- The introduction of pre-built containers for advanced capabilities with NGINX Plus through the F5 Container Registry. +- TransportServer supports TCP/UDP connections through the NGINX streams module adding support for matching specific health check response patterns for granular availability testing of your application, maximum connections to protect your applications from overload, supporting fine tuning of load balancing behavior, and snippets for advanced capability support as soon as you are ready to implement. +- Availability through the AWS Container marketplace supporting Elastic Kubernetes Service. +- NGINX App Protect capabilities have been extended to support the latest version and its capabilities. + +You will find the complete changelog for release 1.12.0, including bug fixes, improvements, and changes below. + +### Features + +- [1633](https://github.com/nginx/kubernetes-ingress/pull/1633) Support match in TransportServer health checks. +- [1619](https://github.com/nginx/kubernetes-ingress/pull/1619) Add AWS Marketplace Entitlement verification. +- [1480](https://github.com/nginx/kubernetes-ingress/pull/1480) Add max connections to TransportServer. +- [1479](https://github.com/nginx/kubernetes-ingress/pull/1479) Add load balancing method to TransportServer. +- [1466](https://github.com/nginx/kubernetes-ingress/pull/1466) Support snippets in TransportServer. +- [1578](https://github.com/nginx/kubernetes-ingress/pull/1578) Add support for CSRF protection in APPolicy. +- [1513](https://github.com/nginx/kubernetes-ingress/pull/1513) Support multiple log security configs in Ingresses. +- [1481](https://github.com/nginx/kubernetes-ingress/pull/1481) Add support for user defined browsers in APPolicy. +- [1411](https://github.com/nginx/kubernetes-ingress/pull/1411) Add unary gRPC support in APPolicy. +- [1671](https://github.com/nginx/kubernetes-ingress/pull/1671) Simplify Dockerfile stages for Debian. +- [1652](https://github.com/nginx/kubernetes-ingress/pull/1652) Add HTTPS option to Prometheus endpoint. +- [1646](https://github.com/nginx/kubernetes-ingress/pull/1646) Improve Dockerfile. +- [1574](https://github.com/nginx/kubernetes-ingress/pull/1574) Add Docker image for Alpine with NGINX Plus. +- [1512](https://github.com/nginx/kubernetes-ingress/pull/1512) Don't require default server TLS secret. +- [1500](https://github.com/nginx/kubernetes-ingress/pull/1500) Support ssl_reject_handshake in Ingress and VS. +- [1494](https://github.com/nginx/kubernetes-ingress/pull/1494) Add logs around NGINX Plus binary/flag mismatch. +- [1492](https://github.com/nginx/kubernetes-ingress/pull/1492) Update the IC so that GlobalConfiguration is not mandatory when configured. +- [1500](https://github.com/nginx/kubernetes-ingress/pull/1500) Support ssl_reject_handshake in Ingress and VS. Previously, to handle missing or invalid TLS Secrets in Ingress and VirtualServer resources, the Ingress Controller would configure NGINX to break any attempts for clients to establish TLS connections to the affected hosts using `ssl_ciphers NULL;` in the NGINX configuration. The method didn't work for TLS v1.3. Now the Ingress Controller uses `ssl_reject_handshake on;`, which works for TLS v1.3. +- Documentation improvements: [1649](https://github.com/nginx/kubernetes-ingress/pull/1649). + +### Fixes + +- [1658](https://github.com/nginx/kubernetes-ingress/pull/1658) Add missing njs module to the openshift-image-nap-plus image. +- [1654](https://github.com/nginx/kubernetes-ingress/pull/1654) Fix incorrect configuration and unexpected warnings about Secrets at the IC start. +- [1501](https://github.com/nginx/kubernetes-ingress/pull/1501) Fix ungraceful shutdown of NGINX. +- Documentation fixes: [1668](https://github.com/nginx/kubernetes-ingress/pull/1668), [1594](https://github.com/nginx/kubernetes-ingress/pull/1594) thanks to [shaggy245](https://github.com/shaggy245), [1563](https://github.com/nginx/kubernetes-ingress/pull/1563), [1551](https://github.com/nginx/kubernetes-ingress/pull/1551). + +### Helm Chart + +- Add new parameters to the Chart: `prometheus.scheme`, `prometheus.secret`. Added in [1652](https://github.com/nginx/kubernetes-ingress/pull/1652). + +### Dependencies + +- [1604](https://github.com/nginx/kubernetes-ingress/pull/1604) Update NGINX Plus to R24. Previously, the Dockerfile had a fixed NGINX Plus version. Now the Dockerfile has a floating version that corresponds to the latest major NGINX Plus version. In the event of a patch version of NGINX Plus being released, make sure to rebuild your image to get the latest version (previously, we released a new Ingress Controller release in that case). Additionally, the AppProtect related packages are no longer fixed -- the Dockerfile will always install the latest version of the packages that work with the latest NGINX Plus version. +- Update NGINX version to 1.21.0. + +### Upgrade + +- For NGINX, use the 1.12.0 image from our DockerHub: `nginx/nginx-ingress:1.12.0`, `nginx/nginx-ingress:1.12.0-alpine` or `nginx-ingress:1.12.0-ubi` +- For NGINX Plus, please build your own image using the 1.12.0 source code. +- For Helm, use version 0.10.0 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and which passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.16-1.21. + +## 1.11.3 + +25 May 2021 + +### Dependencies + +- Update NGINX version to 1.21.0. + +### Upgrade + +- For NGINX, use the 1.11.3 image from our DockerHub: `nginx/nginx-ingress:1.11.3`, `nginx/nginx-ingress:1.11.3-alpine` or `nginx/nginx-ingress:1.11.3-ubi` +- For NGINX Plus, please build your own image using the 1.11.3 source code. +- For Helm, use version 0.9.3 of the chart. + +## 1.11.2 + +19 May 2021 + +### Dependencies + +- Update NGINX Plus version to R23 P1. + +### Upgrade + +- For NGINX, use the 1.11.2 image from our DockerHub: `nginx/nginx-ingress:1.11.2`, `nginx/nginx-ingress:1.11.2-alpine` or `nginx/nginx-ingress:1.11.2-ubi` +- For NGINX Plus, please build your own image using the 1.11.2 source code. +- For Helm, use version 0.9.2 of the chart. + +## 1.11.1 + +7 April 2021 + +### Dependencies + +- Update NGINX version to 1.19.9. +- Update the OpenSSL libraries used in the UBI images + +### Upgrade + +- For NGINX, use the 1.11.1 image from our DockerHub: `nginx/nginx-ingress:1.11.1`, `nginx/nginx-ingress:1.11.1-alpine` or `nginx/nginx-ingress:1.11.1-ubi` +- For NGINX Plus, please build your own image using the 1.11.1 source code. +- For Helm, use version 0.9.1 of the chart. + +## 1.11.0 + +31 March 2021 + +### Overview + +Release 1.11.0 includes: + +- Native NGINX Ingress Controller App Protect (WAF) policy +- TransportServer improvements in terms of reliability, added features and operational aspects +- Integration of NGINX Ingress Controller with Istio service mesh + +You will find the complete changelog for release 1.11.0, including bug fixes, improvements, and changes below. + +### Features + +- [1317](https://github.com/nginx/kubernetes-ingress/pull/1317) Add status field to Policy resource. +- [1449](https://github.com/nginx/kubernetes-ingress/pull/1449) Add support for ClusterIP in upstreams in VirtualServers/VirtualServerRoutes. +- [1413](https://github.com/nginx/kubernetes-ingress/pull/1413) Add serverSnippets to TransportServer. +- [1425](https://github.com/nginx/kubernetes-ingress/pull/1425) Add status field to TransportServer resource. +- [1384](https://github.com/nginx/kubernetes-ingress/pull/1384) Add active health checks to TransportServer. +- [1382](https://github.com/nginx/kubernetes-ingress/pull/1382) Add passive health checks to TransportServer. +- [1346](https://github.com/nginx/kubernetes-ingress/pull/1346) Add configurable timeouts to TransportServer. +- [1297](https://github.com/nginx/kubernetes-ingress/pull/1297) Support custom return in the default server. Thanks to [030](https://github.com/030). +- [1378](https://github.com/nginx/kubernetes-ingress/pull/1378) Add WAF Policy. +- [1420](https://github.com/nginx/kubernetes-ingress/pull/1420) Support IngressClassName in TransportServer. +- [1415](https://github.com/nginx/kubernetes-ingress/pull/1415) Handle host and listener collisions for TransportServer resource. +- [1322](https://github.com/nginx/kubernetes-ingress/pull/1322) Improve VirtualServer/VirtualServerRoute warnings for Policies. +- [1288](https://github.com/nginx/kubernetes-ingress/pull/1288) Add stricter validation for some ingress annotations. +- [1241](https://github.com/nginx/kubernetes-ingress/pull/1241) Refactor Dockerfile and Makefile. +- Documentation improvements: [1320](https://github.com/nginx/kubernetes-ingress/pull/1320), [1326](https://github.com/nginx/kubernetes-ingress/pull/1326), and [1377](https://github.com/nginx/kubernetes-ingress/pull/1377). + +### Fixes + +- [1457](https://github.com/nginx/kubernetes-ingress/pull/1457) Wait for caches to sync when the Ingress Controller starts. +- [1444](https://github.com/nginx/kubernetes-ingress/pull/1444) Fix setting host header in action proxy in VirtualServer/VirtualServerRoute. +- [1396](https://github.com/nginx/kubernetes-ingress/pull/1396) Fix reload timeout calculation for verifying NGINX reloads. + +### Dependencies + +- [1455](https://github.com/nginx/kubernetes-ingress/pull/1455) Update NGINX version to 1.19.8. +- [1428](https://github.com/nginx/kubernetes-ingress/pull/1428) Update Nginx App Protect version to 3.0. **Note**: [The Advanced gRPC Protection for Unary Traffic](/nginx-app-protect/configuration/#advanced-grpc-protection-for-unary-traffic) is not currently supported. + +### Known Issues + +- [1448](https://github.com/nginx/kubernetes-ingress/issues/1448) When an Ingress Controller pod starts, it can report warnings about missing secrets for Ingress and other resources that reference secrets. Those warnings are intermittent - once the Ingress Controller fully processes the resources of the cluster, it will clear the warnings. Only after that, the Ingress Controller will become ready to accept client traffic - its readiness probe will succeed. + +### Upgrade + +- For NGINX, use the 1.11.0 image from our DockerHub: `nginx/nginx-ingress:1.11.0`, `nginx/nginx-ingress:1.11.0-alpine` or `nginx-ingress:1.11.0-ubi` +- For NGINX Plus, please build your own image using the 1.11.0 source code. +- For Helm, use version 0.9.0 of the chart. +- [1241](https://github.com/nginx/kubernetes-ingress/pull/1241) improved the Makefile. As a result, the commands for building the Ingress Controller image were changed. See the updated commands [here]({{< ref "/nic/install/build.md" >}}). +- [1241](https://github.com/nginx/kubernetes-ingress/pull/1241) also consolidated all Dockerfiles into a single Dockerfile. If you customized any of the Dockerfiles, make sure to port the changes to the new Dockerfile. +- [1288](https://github.com/nginx/kubernetes-ingress/pull/1288) further improved validation of Ingress annotations. See this [document]({{< ref "/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md#validation" >}}) to learn more about which annotations are validated. Note that the Ingress Controller will reject resources with invalid annotations, which means clients will see `404` responses from NGINX. Before upgrading, ensure the Ingress resources don't have annotations with invalid values. Otherwise, after the upgrade, the Ingress Controller will reject such resources. +- [1457](https://github.com/nginx/kubernetes-ingress/pull/1457) fixed the bug when an Ingress Controller pod could become ready before it generated the configuration for all relevant resources in the cluster. The fix also requires that the Ingress Controller can successfully list the relevant resources from the Kubernetes API. For example, if the `-enable-custom-resources` cli argument is `true` (which is the default), the VirtualServer, VirtualServerRoute, TransportServer, and Policy CRDs must be created in the cluster, so that the Ingress Controller can list them. This is similar to other custom resources -- see the list [here]({{< ref "/nic/install/manifests.md#create-custom-resources" >}}). Thus, before upgrading, make sure that the CRDs are created in the cluster. Otherwise, the Ingress Controller pods will not become ready. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and which passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.16-1.20. + +## 1.10.1 + +16 March 2021 + +### Dependencies + +- Update NGINX version to 1.19.8. +- Add Kubernetes 1.20 support. + +### Fixes + +- [1373](https://github.com/nginx/kubernetes-ingress/pull/1373), [1439](https://github.com/nginx/kubernetes-ingress/pull/1439), [1440](https://github.com/nginx/kubernetes-ingress/pull/1440): Fix various issues in the Makefile. In 1.10.0, a bug was introduced that prevented building Ingress Controller images on versions of make < 4.1. + +### Upgrade + +- For NGINX, use the 1.10.1 image from our DockerHub: `nginx/nginx-ingress:1.10.1`, `nginx/nginx-ingress:1.10.1-alpine` or `nginx/nginx-ingress:1.10.1-ubi` +- For NGINX Plus, please build your own image using the 1.10.1 source code. +- For Helm, use version 0.8.1 of the chart. + +## 1.10.0 + +26 January 2021 + +### Overview + +Release 1.10.0 includes: + +- Open ID Connect authentication policy. +- Improved handling of Secret resources with extended validation and error reporting. +- Improved visibility with Prometheus metrics for the configuration workqueue and the ability to annotate NGINX logs with the metadata of Kubernetes resources. +- NGINX App Protect User-Defined signatures support. +- Improved validation of Ingress annotations. + +You will find the complete changelog for release 1.10.0, including bug fixes, improvements, and changes below. + +### Features + +- [1304](https://github.com/nginx/kubernetes-ingress/pull/1304) Add Open ID Connect policy. +- [1281](https://github.com/nginx/kubernetes-ingress/pull/1281) Add support for App Protect User Defined Signatures. +- [1266](https://github.com/nginx/kubernetes-ingress/pull/1266) Add workqueue metrics to Prometheus metrics. +- [1233](https://github.com/nginx/kubernetes-ingress/pull/1233) Annotate tcp metrics with k8s object labels. +- [1231](https://github.com/nginx/kubernetes-ingress/pull/1231) Support k8s objects variables in log format. +- [1270](https://github.com/nginx/kubernetes-ingress/pull/1270) and [1277](https://github.com/nginx/kubernetes-ingress/pull/1277) Improve validation of Ingress annotations. +- [1265](https://github.com/nginx/kubernetes-ingress/pull/1265) Report warnings for misconfigured TLS and JWK secrets. +- [1262](https://github.com/nginx/kubernetes-ingress/pull/1262) Use setcap(8) only once. [1263](https://github.com/nginx/kubernetes-ingress/pull/1263) Use chown(8) only once. [1264](https://github.com/nginx/kubernetes-ingress/pull/1264) Use mkdir(1) only once. Thanks to [Sergey A. Osokin](https://github.com/osokin). +- [1256](https://github.com/nginx/kubernetes-ingress/pull/1256) and [1260](https://github.com/nginx/kubernetes-ingress/pull/1260) Improve handling of secret resources. +- [1240](https://github.com/nginx/kubernetes-ingress/pull/1240) Validate TLS and CA secrets. +- [1235](https://github.com/nginx/kubernetes-ingress/pull/1235) Use buildkit secret flag for NGINX plus images. +- [1290](https://github.com/nginx/kubernetes-ingress/pull/1290) Graduate policy resource and accessControl policy to generally available. +- [1225](https://github.com/nginx/kubernetes-ingress/pull/1225) Require secrets to have types. +- [1237](https://github.com/nginx/kubernetes-ingress/pull/1237) Deprecate support for helm2 clients. +- Documentation improvements: [1282](https://github.com/nginx/kubernetes-ingress/pull/1282), [1293](https://github.com/nginx/kubernetes-ingress/pull/1293), [1303](https://github.com/nginx/kubernetes-ingress/pull/1303), [1315](https://github.com/nginx/kubernetes-ingress/pull/1315). + +### Helm Chart + +- [1290](https://github.com/nginx/kubernetes-ingress/pull/1290) Add new preview policies parameter to chart. `controller.enablePreviewPolicies` was added. +- [1232](https://github.com/nginx/kubernetes-ingress/pull/1232) Replace deprecated imagePullSecrets helm setting. `controller.serviceAccount.imagePullSecrets` was removed. `controller.serviceAccount.imagePullSecretName` was added. +- [1228](https://github.com/nginx/kubernetes-ingress/pull/1228) Fix installation of ingressclass on Kubernetes versions `v1.18.x-*` + +### Dependencies + +- [1299](https://github.com/nginx/kubernetes-ingress/pull/1299) Update NGINX App Protect version to 2.3 and debian distribution to `debian:buster-slim`. +- [1291](https://github.com/nginx/kubernetes-ingress/pull/1291) Update NGINX OSS to `1.19.6`. Update NGINX Plus to `R23`. + +### Upgrade + +- For NGINX, use the 1.10.0 image from our DockerHub: `nginx/nginx-ingress:1.10.0`, `nginx/nginx-ingress:1.10.0-alpine` or `nginx-ingress:1.10.0-ubi` +- For NGINX Plus, please build your own image using the 1.10.0 source code. +- For Helm, use version 0.8.0 of the chart. +- As a result of [1270](https://github.com/nginx/kubernetes-ingress/pull/1270) and [1277](https://github.com/nginx/kubernetes-ingress/pull/1277), the Ingress Controller improved validation of Ingress annotations: more annotations are validated and validation errors are reported via events for Ingress resources. Additionally, the default behavior for invalid annotation values was changed: instead of using the default values, the Ingress Controller will reject a resource with an invalid annotation value, which will make clients see `404` responses from NGINX. See this [document]({{< ref "/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md#validation" >}}) to learn more. Before upgrading, ensure the Ingress resources don't have annotations with invalid values. Otherwise, after the upgrade, the Ingress Controller will reject such resources. +- In [1232](https://github.com/nginx/kubernetes-ingress/pull/1232) `controller.serviceAccount.imagePullSecrets` was removed. Use the new `controller.serviceAccount.imagePullSecretName` instead. +- The Policy resource was promoted to `v1`. If you used the `alpha1` version, the policies are needed to be recreated with the `v1` version. Before upgrading the Ingress Controller, run the following command to remove the `alpha1` policies CRD (that will also remove all existing `alpha1` policies): + + ```shell + kubectl delete crd policies.k8s.nginx.org + ``` + + As part of the upgrade, make sure to create the `v1` policies CRD. See the corresponding instructions for [Manifests]({{< ref "/nic/install/manifests.md#create-custom-resources" >}}) and [Helm]({{< ref "/nic/install/helm.md#upgrading-the-crds" >}}) installations. + + Also note that all policies except for `accessControl` are still in preview. To enable them, run the Ingress Controller with `- -enable-preview-policies` command-line argument (`controller.enablePreviewPolicies` Helm parameter). +- It is necessary to update secret resources. See the section UPDATING SECRETS below. + +UPDATING SECRETS: + +In [1225](https://github.com/nginx/kubernetes-ingress/pull/1225), as part of improving how the Ingress Controller handles secret resources, we added a requirement for secrets to be of one of the following types: + +- `kubernetes.io/tls` for TLS secrets. +- `nginx.org/jwk` for JWK secrets. +- `nginx.org/ca` for CA secrets. + +The Ingress Controller now ignores secrets that are not of a supported type. As a consequence, special upgrade steps are required. + +Before upgrading, ensure that the secrets referenced in Ingress, VirtualServer or Policies resources are of a supported type, which is configured via the `type` field. Because that field is immutable, it is necessary to either: + +- Recreate the secrets. Note that in this case, the client traffic for the affected resources will be rejected for the period during which a secret doesn't exist in the cluster. +- Create copies of the secrets and update the affected resources to reference the copies. The copies need to be of a supported type. In contrast with the previous options, this will not make NGINX reject the client traffic. + +It is also necessary to update the default server secret and the wildcard secret (if it was configured) in case their type is not `kubernetes.io/tls`. The steps depend on how you installed the Ingress Controller: via manifests or Helm. Performing the steps will not lead to a disruption of the client traffic, as the Ingress Controller retains the default and wildcard secrets if they are removed. + +For *manifests installation*: + +1. Recreate the default server secret and the wildcard secret with the type `kubernetes.io/tls`. +1. Upgrade the Ingress Controller. + +For *Helm installation*, there two cases: + +1. If Helm created the secrets (you configured `controller.defaultTLS.cert` and `controller.defaultTLS.key` for the default secret and `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` for the wildcard secret), then no special upgrade steps are required: during the upgrade, the Helm will remove the existing default and wildcard secrets and create new ones with different names with the type `kubernetes.io/tls`. +1. If you created the secrets separately from Helm (you configured `controller.defaultTLS.secret` for the default secret and `controller.wildcardTLS.secret` for the wildcard secret): + 1. Recreate the secrets with the type `kubernetes.io/tls`. + 1. Upgrade to the new Helm release. + +NOTES: + +- Helm 2 clients are no longer supported due to reaching End of Life: \ No newline at end of file diff --git a/content/nic/changelog/2022.md b/content/nic/changelog/2022.md new file mode 100644 index 000000000..4940e7f83 --- /dev/null +++ b/content/nic/changelog/2022.md @@ -0,0 +1,383 @@ +--- +title: "2022 archive" +# Weights are assigned in increments of 100: determines sorting order +weight: 300 +# Creates a table of contents and sidebar, useful for large documents +toc: true +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: reference +nd-product: NIC +--- + +## 2.4.2 + +30 Nov 2022 + +### Dependencies + +- Update NGINX Plus version to R28. +- Update F5 WAF for NGINX version to 4.0. +- Update F5 DoS for NGINX version to 3.1. + +### Upgrade + +- For NGINX, use the 2.4.2 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=2.4.2), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 2.4.2 images from the F5 Container registry or build your own image using the 2.4.2 source code. +- For Helm, use version 0.15.2 of the chart. + +## 2.4.1 + +19 October 2022 + +### Dependencies + +- [3183](https://github.com/nginx/kubernetes-ingress/pull/3183) Update NGINX version to 1.23.2. +- [3175](https://github.com/nginx/kubernetes-ingress/pull/3175) Update Go dependencies. +- Update NGINX Plus version to R27 P1. + +### Fixes + +- [3139](https://github.com/nginx/kubernetes-ingress/pull/3139) Remove all IPV6 listeners in ingress resources with -disable-ipv6 command line. + +### Upgrade + +- For NGINX, use the 2.4.1 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=2.4.1), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 2.4.1 images from the F5 Container registry or the AWS Marketplace or build your own image using the 2.4.1 source code. +- For Helm, use version 0.15.1 of the chart. + +## 1.12.5 + +19 October 2022 + +### Dependencies + +- Update NGINX version to 1.23.2. +- Update NGINX Plus version to R27 P1. +- Update Alpine to 3.16. +- Update Go to 1.19 and Go dependencies. + +### Upgrade + +- For NGINX, use the 1.12.5 image from our DockerHub: `nginx/nginx-ingress:1.12.5`, `nginx/nginx-ingress:1.12.5-alpine` or `nginx/nginx-ingress:1.12.5-ubi` +- For NGINX Plus, please build your own image using the 1.12.5 source code. +- For Helm, use version 0.10.5 of the chart. + +## 2.4.0 + +04 October 2022 + +### Overview + +- Added support for enabling [proxy_protocol](https://github.com/nginx/kubernetes-ingress/tree/v2.4.0/examples/shared-examples/proxy-protocol) when port 443 is being used for both HTTPS traffic and [TLS Passthrough traffic](https://github.com/nginx/kubernetes-ingress/tree/v2.4.0/examples/custom-resources/tls-passthrough). +- Updates to the TransportServer resource to support using [ExternalName services](https://kubernetes.io/docs/concepts/services-networking/service/#externalname). For examples, see [externalname-services](https://github.com/nginx/kubernetes-ingress/tree/v2.4.0/examples/custom-resources/externalname-services). +- VirtualServer resource now supports [wildcard hostname](https://kubernetes.io/docs/concepts/services-networking/ingress/#hostname-wildcards). +- NGINX Ingress Controller images including the combined NGINX AppProtect WAF and NGINX AppProtect DoS solutions are now published to our registry. See [Images with NGINX Plus]({{< ref "/nic/technical-specifications.md#images-with-nginx-plus" >}}) for a detailed list of images in our registry. +- Added support for watching multiple namespaces using the [-watch-namespace]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#-watch-namespace-string" >}}) cli argument. This can configured by passing a comma-separated list of namespaces to the `-watch-namespace` CLI argument (e.g. `-watch-namespace=ns-1,ns-2`). +- A new cli argument has been added: [-include-year]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#-include-year" >}}). This appends the current year to the log output from the Ingress Controller. Example output: `I20220512 09:20:42.345457`. +- Post-startup configuration reloads have been optimized to reduce traffic impacts. When many resources are modified at the same time, changes are combined to reduce the number of data plane reloads. + +### Features + +- [2986](https://github.com/nginx/kubernetes-ingress/pull/2986) Batch reloads at runtime. +- [2914](https://github.com/nginx/kubernetes-ingress/pull/2914) Support watching multiple namespaces. +- [2884](https://github.com/nginx/kubernetes-ingress/pull/2884) Include year in logs. +- [2993](https://github.com/nginx/kubernetes-ingress/pull/2993) Accept proxy protocol when TLS passthrough enabled. +- [3041](https://github.com/nginx/kubernetes-ingress/pull/3041) Support external name service for TransportServer. +- [2939](https://github.com/nginx/kubernetes-ingress/pull/2939) Add support for wildcard hostname in VirtualServer. +- [3040](https://github.com/nginx/kubernetes-ingress/pull/3040) Add command line argument to manually disable IPV6 listeners for unsupported clusters. +- [3088](https://github.com/nginx/kubernetes-ingress/pull/3088) Filter secrets of type helm.sh/release.v1. + +### Fixes + +- [2971](https://github.com/nginx/kubernetes-ingress/pull/2971) fix: Correct error message on missing path in path validation. Thanks to [Zachary Seguin](https://github.com/zachomedia). +- [3095](https://github.com/nginx/kubernetes-ingress/pull/3095) do not create configmap if customConfigMap is used. Thanks to [Bryan Hendryx](https://github.com/coolbry95). + +### Helm Chart + +- [3087](https://github.com/nginx/kubernetes-ingress/pull/3087) Allow omitting the default server secret from Helm installs. +- [2831](https://github.com/nginx/kubernetes-ingress/pull/2831) Add ServiceMonitor to Helm Chart. Thanks to [araineUnity](https://github.com/araineUnity). +- [2855](https://github.com/nginx/kubernetes-ingress/pull/2854) Add initialDelaySeconds to helm charts. Thanks to [Daniel Edgar](https://github.com/aknot242). +- [2979](https://github.com/nginx/kubernetes-ingress/pull/2979) Allow to specify image with digest in helm chart. Thanks to [Hans Feldt](https://github.com/hafe). +- [3031](https://github.com/nginx/kubernetes-ingress/pull/3031) Adding automountServiceAccountToken to helm chart. + +### Upgrade + +- For NGINX, use the 2.4.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=2.4.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress) or [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress). +- For NGINX Plus, use the 2.4.0 images from the F5 Container registry or the AWS Marketplace or build your own image using the 2.4.0 source code. +- For Helm, use version 0.15.0 of the chart. If you're using custom resources like VirtualServer and TransportServer (`controller.enableCustomResources` is set to `true`), after you run the `helm upgrade` command, the CRDs will not be upgraded. After running the `helm upgrade` command, run `kubectl apply -f deployments/helm-chart/crds` to upgrade the CRDs. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.19-1.25. + +## 2.3.1 + +16 September 2022 + +### Dependencies + +- [3048](https://github.com/nginx/kubernetes-ingress/pull/3048) Bump NGINX to 1.23.1 +- [3049](https://github.com/nginx/kubernetes-ingress/pull/3049) Update Go dependencies. + +### Helm Chart + +- [3031](https://github.com/nginx/kubernetes-ingress/pull/3031) Add automountServiceAccountToken to helm chart + +### Upgrade + +- For NGINX, use the 2.3.1 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=2.3.1), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 2.3.1 images from the F5 Container registry or build your own image using the 2.3.1 source code. +- For Helm, use version 0.14.1 of the chart. + +## 2.3.0 + +12 July 2022 + +### Overview + +- Support making VirtualServer resources discoverable via public DNS servers using [external-dns](https://kubernetes-sigs.github.io/external-dns). Examples for configuring external-dns with NGINX Ingress Controller can be found [here](https://github.com/nginx/kubernetes-ingress/tree/v2.3.0/examples/custom-resources/external-dns). +- Resolves [CVE-2022-30535](https://support.f5.com/csp/article/K52125139). This vulnerability impacted the visibility of secrets accessible by NGINX Ingress Controller. In some cases, secrets visible to NGINX Ingress Controller could be exposed to any authenticated user with permission to create and update Ingress objects. This vulnerability affected Ingress objects only - our Custom Resources (VirtualServer and TransportServer) were not affected. Customers unable to upgrade should migrate any Ingress resources to VirtualServer resources where possible, and use RBAC to restrict write access for users for Ingress objects. +- Support using HTTP basic authentication with [VirtualServer](https://github.com/nginx/kubernetes-ingress/tree/v2.3.1/examples/custom-resources/basic-auth) and [Ingress](https://github.com/nginx/kubernetes-ingress/tree/v2.3.0/examples/basic-auth) resources. Special thanks to [Simon Wachter](https://github.com/svvac). +- Support HTTP01 type ACME Issuers for use with VirtualServer resources with [cert-manager](https://cert-manager.io/docs/). + +### Features + +- [2581](https://github.com/nginx/kubernetes-ingress/pull/2581) Add OpenTracing to all Debian and Alpine based images. +- [2328](https://github.com/nginx/kubernetes-ingress/pull/2328) Add handling of multiple log destinations. +- [2691](https://github.com/nginx/kubernetes-ingress/pull/2691) AP: log-conf escaping chars. +- [2759](https://github.com/nginx/kubernetes-ingress/pull/2759) Add support for HTTP01 Challenges on VirtualServer resources. +- [2762](https://github.com/nginx/kubernetes-ingress/pull/2762) Add DNSEndpoint CRD for integration with ExternalDNS. +- [2801](https://github.com/nginx/kubernetes-ingress/pull/2801) Add SBOMs to release. +- [2269](https://github.com/nginx/kubernetes-ingress/pull/2269) HTTP basic auth support. Thanks to [Simon Wachter](https://github.com/svvac). +- [2800](https://github.com/nginx/kubernetes-ingress/pull/2800) Integrate external-dns with VirtualServer resources. +- [2583](https://github.com/nginx/kubernetes-ingress/pull/2583) Add runAsNonRoot in deployments. +- [2484](https://github.com/nginx/kubernetes-ingress/pull/2484) Add container resource requests. +- [2627](https://github.com/nginx/kubernetes-ingress/pull/2627) Update InternalRoute server_name. +- [2742](https://github.com/nginx/kubernetes-ingress/pull/2742) Add additional unit tests to confirm special characters can't be used in the lb-method annotation. +- [2730](https://github.com/nginx/kubernetes-ingress/pull/2730) Add string sanitisation for proxy-pass-headers & proxy-hide-headers. +- [2733](https://github.com/nginx/kubernetes-ingress/pull/2733) Add string validation to server-tokens annotation. +- [2734](https://github.com/nginx/kubernetes-ingress/pull/2734) Validate rewrite annotation. +- [2754](https://github.com/nginx/kubernetes-ingress/pull/2754) Validate JWT key, realm and login url for ingress resources annotations. +- [2751](https://github.com/nginx/kubernetes-ingress/pull/2751) Add string validation to sticky-cookie-services annotation. +- [2775](https://github.com/nginx/kubernetes-ingress/pull/2775) Add validation to Ingress path. +- [2774](https://github.com/nginx/kubernetes-ingress/pull/2774) Sanitize nginx.com/jwt-token. +- [2783](https://github.com/nginx/kubernetes-ingress/pull/2783) Update validation regex for path spec. +- [2781](https://github.com/nginx/kubernetes-ingress/pull/2781) Report Hostname in ExternalEndpoint for VS and VSR resources. + +### Fixes + +- [2617](https://github.com/nginx/kubernetes-ingress/pull/2617) Fix Dockerfile for amd64 microarchitectures. +- [2637](https://github.com/nginx/kubernetes-ingress/pull/2637) Add terminationGracePeriodSeconds to deployment. Thanks to [Maksym Iv](https://github.com/maksym-iv). +- [2654](https://github.com/nginx/kubernetes-ingress/pull/2654) Sync changes from OIDC repo, add field in policy. +- [2673](https://github.com/nginx/kubernetes-ingress/pull/2673) Fix status.loadbalancer.hostname deletion on OOMKill. Thanks to [Heiko Voigt](https://github.com/hvoigt). +- [2718](https://github.com/nginx/kubernetes-ingress/pull/2718) Fix cases where CM enabled but no TLS block specified in VS. + +### Helm Chart + +- [2418](https://github.com/nginx/kubernetes-ingress/pull/2418) Add support for allocateLoadBalancerNodePorts, ipFamilyPolicy and ipFamilies. Thanks to [centromere](https://github.com/centromere). +- [2672](https://github.com/nginx/kubernetes-ingress/pull/2672) Add minReadySeconds & strategy support. Thanks to [Ciaran](https://github.com/cmk-pcs). +- [2625](https://github.com/nginx/kubernetes-ingress/pull/2625) allow configuring topologySpreadConstraints in Helm chart. Thanks to [Kamil Domański](https://github.com/kdomanski). + +### Upgrade + +- For NGINX, use the 2.3.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=2.3.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress) or [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress). +- For NGINX Plus, use the 2.3.0 images from the F5 Container registry or the AWS Marketplace or build your own image using the 2.3.0 source code. +- For Helm, use version 0.14.0 of the chart. If you're using custom resources like VirtualServer and TransportServer (`controller.enableCustomResources` is set to `true`), after you run the `helm upgrade` command, the CRDs will not be upgraded. After running the `helm upgrade` command, run `kubectl apply -f deployments/helm-chart/crds` to upgrade the CRDs. +- When upgrading using [Manifests]({{< ref "/nic/install/manifests.md" >}}), make sure to update the [ClusterRole](https://github.com/nginx/kubernetes-ingress/blob/v2.3.1/deployments/rbac/rbac.yaml). This is required to enable the ExternalDNS for VirtualServer resources integration. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and which passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.19-1.24. + +## 2.2.2 + +23 May 2022 + +### Fixes + +- [2627](https://github.com/nginx/kubernetes-ingress/pull/2627) Update InternalRoute server_name. + +### Upgrade + +- For NGINX, use the 2.2.2 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=2.2.2), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress) or [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress). +- For NGINX Plus, use the 2.2.2 images from the F5 Container registry or build your own image using the 2.2.2 source code. +- For Helm, use version 0.13.2 of the chart. + +## 2.2.1 + +17 May 2022 + +### Dependencies + +- Update Go dependencies. + +### Fixes + +- [2654](https://github.com/nginx/kubernetes-ingress/pull/2654) Sync changes from [nginx-openid-connect](https://github.com/nginxinc/nginx-openid-connect) repo, add zoneSyncLeeway field in policy. For more information on the fixes, see [pull request 52](https://github.com/nginxinc/nginx-openid-connect/pull/52). + +### Upgrade + +- For NGINX, use the 2.2.1 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=2.2.1), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress) or [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress). +- For NGINX Plus, use the 2.2.1 images from the F5 Container registry or build your own image using the 2.2.1 source code. +- For Helm, use version 0.13.1 of the chart. + +## 2.2.0 + +12 April 2022 + +### Overview + +- Support for automatic provisioning and management of Certificate resources for VirtualServer resources using [cert-manager](https://cert-manager.io/docs/). Examples for configuring cert-manager with NGINX Ingress Controller can be found [here](https://github.com/nginx/kubernetes-ingress/tree/v2.2.0/examples/custom-resources/certmanager). Please note that HTTP01 type ACME Issuers are not yet supported for use with VirtualServer resources. + +- Full support for IPv6 using the NGINX Ingress Controller [VirtualServer and VirtualServerRoute]({{< ref "/nic/configuration/virtualserver-and-virtualserverroute-resources.md" >}}) custom resources, and Ingress resources. + +- The [-enable-preview-policies]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#-enable-preview-policies" >}}) cli argument has been deprecated and is no longer required for the usage of any Policy resource type. This argument will be removed completely in v2.6.0. + +- A new [-enable-oidc]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#-enable-oidc" >}}) cli argument has been added to enable OIDC policies. Previously, this behaviour was achieved through the usage of the `-enable-preview-policies` cli argument. + +### Features + +- [2576](https://github.com/nginx/kubernetes-ingress/pull/2576) Add support for IPv6. +- [2572](https://github.com/nginx/kubernetes-ingress/pull/2572) Automate provisioning of Certificate resources for VirtualServer resources using cert-manager. +- [2346](https://github.com/nginx/kubernetes-ingress/pull/2346) Use os.ReadDir for lightweight directory reading. Thanks to [Eng Zer Jun](https://github.com/Juneezee). +- [2360](https://github.com/nginx/kubernetes-ingress/pull/2360) Add NGINX App Protect reconnect period directive. +- [2479](https://github.com/nginx/kubernetes-ingress/pull/2479) Add cli argument to configure NGINX App Protect log level. +- [2455](https://github.com/nginx/kubernetes-ingress/pull/2455) Increase memory available for NGINX App Protect xml parser. +- [2580](https://github.com/nginx/kubernetes-ingress/pull/2580) Create -enable-oidc command line argument for OIDC policy. +- [2566](https://github.com/nginx/kubernetes-ingress/pull/2566) Unbind policy from preview policies. +- [2582](https://github.com/nginx/kubernetes-ingress/pull/2582) Rename Make targets from `openshift` to `ubi`. + +### Fixes + +- [2378](https://github.com/nginx/kubernetes-ingress/pull/2378) Fix healthcheck ports. +- [2404](https://github.com/nginx/kubernetes-ingress/pull/2404) Start nginx with -e stderr parameter. +- [2414](https://github.com/nginx/kubernetes-ingress/pull/2414) Fix in file nginx-plus.virtualserver.tmpl ApDosMonitor->ApDosMonitorURI. + +### Helm Chart + +- [2525](https://github.com/nginx/kubernetes-ingress/pull/2525) Extend helm chart to include NGINX Service Mesh fields. +- [2294](https://github.com/nginx/kubernetes-ingress/pull/2294) Add extra containers to helm chart. Thanks to [Márk Sági-Kazár](https://github.com/sagikazarmark). + +### Upgrade + +- For NGINX, use the 2.2.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=2.2.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress) or [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress). +- For NGINX Plus, use the 2.2.0 images from the F5 Container registry or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or build your own image using the 2.2.0 source code. +- For Helm, use version 0.13.0 of the chart. If you're using custom resources like VirtualServer and TransportServer (`controller.enableCustomResources` is set to `true`), after you run the `helm upgrade` command, the CRDs will not be upgraded. After running the `helm upgrade` command, run `kubectl apply -f deployments/helm-chart/crds` to upgrade the CRDs. +- When upgrading using [Manifests]({{< ref "/nic/install/manifests.md" >}}), make sure to update the [ClusterRole](https://github.com/nginx/kubernetes-ingress/blob/v2.2.0/deployments/rbac/rbac.yaml). This is required to enable the cert-manager for VirtualServer resources integration. +- The -enable-preview-policies cli argument has been deprecated, and is no longer required for any Policy resources. +- Enabling OIDC Policies now requires the use of -enable-oidc cli argument instead of the -enable-preview-policies cli argument. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and which passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.19-1.23. + +## 2.1.2 + +29 March 2022 + +### Dependencies + +- Update UBI based images to 8. + +### Upgrade + +- For NGINX, use the 2.1.2 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=2.1.2), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress) or [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress). +- For NGINX Plus, use the 2.1.2 images from the F5 Container registry or the AWS Marketplace or build your own image using the 2.1.2 source code. +- For Helm, use version 0.12.2 of the chart. + +## 1.12.4 + +23 March 2022 + +### Dependencies + +- Update NGINX version to 1.21.6. +- Update NGINX Plus version to R26. +- Update Debian to Bullseye. +- Update Alpine to 3.15. +- Update UBI to 8. +- Update Go to 1.17 and Go dependencies. + +### Fixes + +- Fix OpenTracing not working with NGINX Plus. + +### Upgrade + +- For NGINX, use the 1.12.4 image from our DockerHub: `nginx/nginx-ingress:1.12.4`, `nginx/nginx-ingress:1.12.4-alpine` or `nginx/nginx-ingress:1.12.4-ubi` +- For NGINX Plus, please build your own image using the 1.12.4 source code. +- For Helm, use version 0.10.4 of the chart. + +## 2.1.1 + +17 February 2022 + +### Dependencies + +- Update NGINX version to 1.21.6. +- Update NGINX Plus version to R26. + +### Upgrade + +- For NGINX, use the 2.1.1 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=2.1.1), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress) or [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress). +- For NGINX Plus, use the 2.1.1 images from the F5 Container registry or build your own image using the 2.1.1 source code. +- For Helm, use version 0.12.1 of the chart. + +## 2.1.0 + +06 January 2022 + +### Overview + +- Support for NGINX App Protect Denial of Service protection with NGINX Ingress Controller. More information about [F5 DoS for NGINX](https://www.nginx.com/products/nginx-app-protect/denial-of-service/). Examples for configuring F5 DoS for NGINX with NGINX Ingress Controller can be found [here](https://github.com/nginx/kubernetes-ingress/tree/v2.1.1/examples/appprotect-dos). + +- Full support for gRPC services using the NGINX Ingress Controller [VirtualServer and VirtualServerRoute]({{< ref "/nic/configuration/virtualserver-and-virtualserverroute-resources.md" >}}) custom resource definitions. This makes configuring and supporting gRPC services much easier, giving a simple YAML configuration and removing the need for snippets. Resource definition examples for gRPC can be found [here](https://github.com/nginx/kubernetes-ingress/tree/v2.1.1/examples/custom-resources/grpc-upstreams). + +- Implementation of NGINX mandatory and persistent health checks in VirtualServer and VirtualServerRoute to further reduce interruptions to your service traffic as configuration changes continuously happen in your dynamic Kubernetes environment(s). Health checks have been extended to include `mandatory` and `persistent` fields. Mandatory health checks ensures that a new upstream server starts receiving traffic only after the health check passes. Mandatory health checks can be marked as persistent, so that the previous state is remembered when the Ingress Controller reloads NGINX Plus configuration. When combined with the slow-start parameter, the mandatory health check give a new upstream server more time to connect to databases and “warm up” before being asked to handle their full share of traffic. See the settings [here]({{< ref "/nic/configuration/virtualserver-and-virtualserverroute-resources.md#upstreamhealthcheck" >}}). More about the [NGINX Plus mandatory and persistent health check features]({{< ref "/nginx/admin-guide/load-balancer/http-health-check.md#mandatory-health-checks" >}}). +Mandatory health checks can be marked as persistent, so that the previous state is remembered when reloading configuration. When combined with the slow-start parameter, it gives a new service pod more time to connect to databases and “warm up” before being asked to handle their full share of traffic. +See the settings [here]({{< ref "/nic/configuration/virtualserver-and-virtualserverroute-resources.md#upstreamhealthcheck" >}}). +More about the [NGINX Plus mandatory and persistent health check features]({{< ref "/nginx/admin-guide/load-balancer/http-health-check.md#mandatory-health-checks" >}}) + +### Features + +- [2251](https://github.com/nginx/kubernetes-ingress/pull/2251) Enable setting mandatory and persistent in upstream healthchecks in VS and VSR. +- [2241](https://github.com/nginx/kubernetes-ingress/pull/2241) Add support for F5 DoS for NGINX. +- [2200](https://github.com/nginx/kubernetes-ingress/pull/2200) Add Alpine image with OpenTracing. +- [2178](https://github.com/nginx/kubernetes-ingress/pull/2178) Support healthchecks in gRPC upstreams. +- [2110](https://github.com/nginx/kubernetes-ingress/pull/2110) Support gRPC in the Upstreams of the virtual server resources. Particular thanks to [Chiyu Zhong](https://github.com/CatTail) for all their work. +- [2149](https://github.com/nginx/kubernetes-ingress/pull/2149) Add metric about total number of TransportServers. +- [2100](https://github.com/nginx/kubernetes-ingress/pull/2100) Add support for initContainers. Thanks to [Gunnar Scherf](https://github.com/g10f). +- [1827](https://github.com/nginx/kubernetes-ingress/pull/1827) Add support for wildcard cert in VirtualServer resources. Thanks to [Simon Wachter](https://github.com/svvac). +- [2107](https://github.com/nginx/kubernetes-ingress/pull/2107) Add option to download the NGINX Ingress Controller binary. Introduced a new `TARGET` `download` in the `Makefile` which can be used when building the NGINX Ingress Controller Docker image. With this option the Ingress Controller binary will be downloaded instead of built from source. +- [2044](https://github.com/nginx/kubernetes-ingress/pull/2044) Upload NGINX Ingress Controller binaries to release. +- [2094](https://github.com/nginx/kubernetes-ingress/pull/2094) AP: update appolicies crd. +- [2216](https://github.com/nginx/kubernetes-ingress/pull/2216) Add grpc_status to the logs. +- [2237](https://github.com/nginx/kubernetes-ingress/pull/2237) Unbind app-protect from -preview-policies. +- [2273](https://github.com/nginx/kubernetes-ingress/pull/2273) Make the resource comparison more informative in case of an error. Thanks to [Andrey Karpov](https://github.com/ndk). +- [2124](https://github.com/nginx/kubernetes-ingress/pull/2124) Apply -enable-snippets cli arg to Ingresses. This PR extends the existing -enable-snippets cli argument to apply to Ingress resources. If snippets are not enabled, the Ingress Controller will reject any Ingress resources with snippets annotations. Previously, the argument only applied to VirtualServer, VirtualServerRoute and TransportServer resources. Please Note: this is a breaking change. See the `UPGRADE` instructions below. + +### Fixes + +- [2267](https://github.com/nginx/kubernetes-ingress/pull/2267) Fix URI rewrite in VirtualServers and VirtualServerRoutes. +- [2260](https://github.com/nginx/kubernetes-ingress/pull/2260) Check if refresh token is `undefined` and do not store it in this case. Thanks to [tippexs](https://github.com/tippexs) for the fix. +- [2215](https://github.com/nginx/kubernetes-ingress/pull/2215) enableSnippets should not depend from enableCustomResources. Thanks to [Alessio Casco](https://github.com/AlessioCasco) for the fix. +- [1934](https://github.com/nginx/kubernetes-ingress/pull/1934) AP: fix watch-namespace for NAP resources. +- [2125](https://github.com/nginx/kubernetes-ingress/pull/2125) Allow empty string in server-tokens annotation for NGINX Plus. +- [2042](https://github.com/nginx/kubernetes-ingress/pull/2042) Use release specific repo for NGINX Plus on Debian. + +### Dependencies + +- [2173](https://github.com/nginx/kubernetes-ingress/pull/2173) Update Debian to Bullseye. +- Update NGINX Plus version to R25. +- Update NGINX version to 1.21.5. + +### Upgrade + +- For NGINX, use the 2.1.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=2.1.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress) or [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress). +- For NGINX Plus, use the 2.1.0 images from the F5 Container registry or build your own image using the 2.1.0 source code. +- For Helm, use version 0.12.0 of the chart. +- We changed the behaviour of snippets in Ingress resources by extending the existing -enable-snippets cli argument to apply to Ingress resources as well as VirtualServer, VirtualServerRoute and TransportServer resources. Because the default value of -enable-snippets is false, if you are using snippets in Ingress resources, you must explicitly set the -enable-snippets to true before upgrading the Ingress Controller, so that the new version of the Ingress Controller doesn't reject Ingresses with snippets annotations. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and which passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.19-1.23. \ No newline at end of file diff --git a/content/nic/changelog/2023.md b/content/nic/changelog/2023.md new file mode 100644 index 000000000..7c80c7eb2 --- /dev/null +++ b/content/nic/changelog/2023.md @@ -0,0 +1,437 @@ +--- +title: "2023 archive" +# Weights are assigned in increments of 100: determines sorting order +weight: 200 +# Creates a table of contents and sidebar, useful for large documents +toc: true +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: reference +nd-product: NIC +--- + +## 3.4.0 + +19 Dec 2023 + +The default_server listeners for ports 80 and 443 can now be fully customized giving you the flexibility to shift the HTTP and HTTPS default listeners to other ports as your needs require. + +Traffic splits now support weights from 0 - 100 giving you the control that you expect when performing canary roll outs of your back end services. + +A new capability of "upstream backup" has been introduced for NGINX Plus customers. This gives you the control to set a backup service for any path. This takes advantage of NGINX health checks and will automatically forward traffic to the backup service when all pods of the primary service stop responding. + +Dynamic reloading of SSL certificates takes advantage of native NGINX functionality to dynamically load updated certificates when they are requested and thus not require a reload when certificates update. + +A number of Helm enhancements have come directly from our community and range from giving greater flexibility for HPA, namespace sharing for custom sidecars, and supporting multiple image pull secrets for greater deployment flexibility. + +To make sure NGINX Ingress Controller follows Helm best practices, we've refactored our helm chart location. You can now find our helm charts under `charts\nginx-ingress`. + +We’ve added the functionality to define F5 WAF for NGINX bundles for VirtualServers by creating policy bundles and putting them on a mounted volume accessible from NGINX Ingress Controller. + +### Features + +- [4574](https://github.com/nginx/kubernetes-ingress/pull/4574) Graduate TransportServer and GlobalConfiguration to v1. +- [4464](https://github.com/nginx/kubernetes-ingress/pull/4464) Allow default_server listeners to be customised. +- [4526](https://github.com/nginx/kubernetes-ingress/pull/4526) Update use of http2 listen directive to align with deprecation. +- [4276](https://github.com/nginx/kubernetes-ingress/pull/4276) Use Lease for leader election. +- [4655](https://github.com/nginx/kubernetes-ingress/pull/4655) Support weights 0 and 100 in traffic splitting. +- [4653](https://github.com/nginx/kubernetes-ingress/pull/4653) Add support for backup directive for VS and TS. +- [4788](https://github.com/nginx/kubernetes-ingress/pull/4788) Dynamic reload of SSL certificates +- [4428](https://github.com/nginx/kubernetes-ingress/pull/4428) Add option for installing CRDs from a single remote yaml. + +### Fixes + +- [4504](https://github.com/nginx/kubernetes-ingress/pull/4504) Delete the DNSEndpoint resource when VS is deleted & Ratelimit requeues on errors. +- [4575](https://github.com/nginx/kubernetes-ingress/pull/4575) update dockerfile for debian NGINX Plus. + +### Helm Chart + +- [4306](https://github.com/nginx/kubernetes-ingress/pull/4306) Refactor Helm Chart location. +- [4391](https://github.com/nginx/kubernetes-ingress/pull/4391) Add HPA Custom Behavior. Thanks to [saedx1](https://github.com/saedx1). +- [4559](https://github.com/nginx/kubernetes-ingress/pull/4559) Add process namespace sharing for ingress controller. Thanks to [panzouh](https://github.com/panzouh). +- [4651](https://github.com/nginx/kubernetes-ingress/pull/4651) Add initContainerResources Helm configuration. +- [4656](https://github.com/nginx/kubernetes-ingress/pull/4656) Allows multiple imagePullSecrets in the helm chart. Thanks to [AlessioCasco](https://github.com/AlessioCasco). + +### Upgrade + +- For NGINX, use the 3.4.0 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.4.0), +[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.4.0 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.4.0 source code. +- For Helm, use version 1.1.0 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.22-1.29. +
+ +## 3.3.2 + +1 Nov 2023 + +### Fixes + +- [4578](https://github.com/nginx/kubernetes-ingress/pull/4578) Update Dockerfile to add user creation for NGINX Plus images. + +### Dependencies + +- [4572](https://github.com/nginx/kubernetes-ingress/pull/4572) Update NGINX version to 1.25.3. +- [4569](https://github.com/nginx/kubernetes-ingress/pull/4569), [4591](https://github.com/nginx/kubernetes-ingress/pull/4591) Bump Go dependencies. + +### Upgrade + +- For NGINX, use the 3.3.2 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.3.2), +[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.3.2 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.3.2 source code. +- For Helm, use version 1.0.2 of the chart. + +## 3.3.1 + +13 Oct 2023 + +### Overview + +This releases updates NGINX Plus to R30 P1 and dependencies to mitigate HTTP/2 Rapid Reset Attack vulnerability [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487). + +### Dependencies + +- [4501](https://github.com/nginx/kubernetes-ingress/pull/4501) Bump Go to 1.21.3 +- [4502](https://github.com/nginx/kubernetes-ingress/pull/4502), [4514](https://github.com/nginx/kubernetes-ingress/pull/4514) Bump Go dependencies. + +### Upgrade + +- For NGINX, use the 3.3.1 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.3.1), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.3.1 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.3.1 source code + +## 3.3.0 + +26 Sep 2023 + +### Overview + +With release 3.3, NGINX Ingress Controller continues to advance capabilities for an ever-demanding set of use cases +that go beyond simple layer 7 routing for services running exclusively in Kubernetes. + +When involved in diagnostic operations and viewing the NGINX Plus console or when viewing the enhanced NGINX Plus +metrics through Prometheus, customers now enjoy the added dimension of the backend service being available to aide in +identification of issues as well as observing performance. + +50% of our users continue to rely heavily on the Ingress resource and its "mergeable Ingress" usage pattern, to enhance +the experience for these customers we have added the path-regex annotation with support for case sensitive, case +insensitive, as well as exact regex match patterns. + +Prometheus continues to be the most popular metrics platform for Kubernetes users. To further enhance ease of setting up +integration with Prometheus we have finalized support for the Prometheus serviceMonitor capability. Providing better +scraping controls for Prometheus admins. + +For our most demanding customers performing a blue / green upgrade of the Ingress Controller itself supports the ability +to provide their business customers an enhanced experience with no loss of session fidelity. Support for this pattern +and others has been added through Helm chart enhancement that allows two deployments to share a single ingressClass +resource and duplicate the same configuration. + +To accommodate these enhancements, several new values have been added to our Helm chart, as well as modifications to +existing values. Due to the potential impacts of these changes we have issued a major release to the Helm chart, +advancing to v1.0.0 + +To better align with the demands of supporting additional protocols such as MQTT and QUIC, NGINX Ingress Controller +is changing how listeners are defined for HTTP traffic. You have always had controls over the ports defined for +TCP/UDP traffic through the GlobalConfiguration and TransportServer objects. That same flexibility has been introduced +for HTTP/S traffic and the VirtualServer. This area will continue to expand to give customers full control over NGINX +listeners so they can tailor to their specific needs and policies. + +### Features + +- [4023](https://github.com/nginx/kubernetes-ingress/pull/4023) Read Prometheus key/cert from memory. +- [4080](https://github.com/nginx/kubernetes-ingress/pull/4080) Expose Location Zones metrics. +- [4127](https://github.com/nginx/kubernetes-ingress/pull/4127), [4200](https://github.com/nginx/kubernetes-ingress/pull/4200), [4223](https://github.com/nginx/kubernetes-ingress/pull/4223) Add path-regex annotation for ingress. +- [4108](https://github.com/nginx/kubernetes-ingress/pull/4108) Add command line argument for custom TLS Passthrough port. +- [4271](https://github.com/nginx/kubernetes-ingress/pull/4271) Add custom listener controls to VirtualServer. + +### Fixes + +- [4160](https://github.com/nginx/kubernetes-ingress/pull/4160) Update JWT/JWKS policy validation. +- [4371](https://github.com/nginx/kubernetes-ingress/pull/4371) Improve runtime batch reloads. + +### Helm Chart + +- [3977](https://github.com/nginx/kubernetes-ingress/pull/3977) Add support for controller.selectorLabels. Thanks to [Youqing Han](https://github.com/hanyouqing). +- [4058](https://github.com/nginx/kubernetes-ingress/pull/4058) Add clusterIP to service if specified in values. Thanks to [EutiziStefano](https://github.com/EutiziStefano). +- [4252](https://github.com/nginx/kubernetes-ingress/pull/4252) Make containerPort and hostPort customizable. +- [4331](https://github.com/nginx/kubernetes-ingress/pull/4331) Expose Prometheus metrics through a headless Service. +- [4351](https://github.com/nginx/kubernetes-ingress/pull/4351) Update helm values file to move controller.serviceMonitor to prometheus.serviceMonitor. +- [4333](https://github.com/nginx/kubernetes-ingress/pull/4333) Allow installing IC without creating a new ingress class. + +### Upgrade + +- For NGINX, use the 3.3.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.3.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.3.0 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.3.0 source code. +- For Helm, use version 1.0.0 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.22-1.28. + +## 3.2.1 + +17 Aug 2023 + +### Dependencies + +- Update NGINX version to 1.25.2. +- Update NGINX Plus version to R30. +- Update Go to 1.21 and Go dependencies. + +### Upgrade + +- For NGINX, use the 3.2.1 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.2.1), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.2.1 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.2.1 source code. +- For Helm, use version 0.18.1 of the chart. + +## 3.2.0 + +27 June 2023 + +### Features + +- [3790](https://github.com/nginx/kubernetes-ingress/pull/3790) Gunzip for VS +- [3863](https://github.com/nginx/kubernetes-ingress/pull/3863) OIDC - relaxed OIDC scope validation +- [3925](https://github.com/nginx/kubernetes-ingress/pull/3925) Specify runAsNonRoot in daemon-set manifests. Thanks to [Valters Jansons](https://github.com/sigv). +- [3951](https://github.com/nginx/kubernetes-ingress/pull/3951) Add NGINX Plus images to Google Marketplace. +- [3954](https://github.com/nginx/kubernetes-ingress/pull/3954) Add utilization tracking for supported (paid) customers. +- [4001](https://github.com/nginx/kubernetes-ingress/pull/4001) Add support for the SameSite sticky cookie attribute. +- [4022](https://github.com/nginx/kubernetes-ingress/pull/4022) Add document to tutorial section for configuring the default OIDC implementation. +- [4031](https://github.com/nginx/kubernetes-ingress/pull/4031) Add NGINX Plus Alpine image with FIPS inside for supported (paid) customers. + +### Fixes + +- [3737](https://github.com/nginx/kubernetes-ingress/pull/3737) Update VirtualServer to ignore CRL for EgressMTLS. +- [3798](https://github.com/nginx/kubernetes-ingress/pull/3798) Update VirtualServer template to generate an internal jwt auth location per policy applied. +- [3844](https://github.com/nginx/kubernetes-ingress/pull/3844) Fix gunzip support for VS and add python tests. +- [3870](https://github.com/nginx/kubernetes-ingress/pull/3870) Add Funcs() method to UpdateVirtualServerTemplate method. Thanks to [Bryan Hendryx](https://github.com/coolbry95). +- [3933](https://github.com/nginx/kubernetes-ingress/pull/3933) fix --external-service flag when using serviceNameOverride. Thanks to [Tim N](https://github.com/timnee). + +### Dependencies + +- Update NGINX version to 1.25.1. +- Update Debian to 12 for NGINX Plus images (except for images containing the NGINX App Protect modules). +- Update Alpine to 3.18 for NGINX Plus images. + +### Helm Chart + +- [3814](https://github.com/nginx/kubernetes-ingress/pull/3814) Remove semverCompare for allocateLoadBalancerNodePorts. Thanks to [Alex Wied](https://github.com/centromere). +- [3905](https://github.com/nginx/kubernetes-ingress/pull/3905) Reverse order of NAPDOS maxDaemons and maxWorkers in Helm chart. + +### Upgrade + +- For NGINX, use the 3.2.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.2.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.2.0 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.2.0 source code. +- For Helm, use version 0.18.0 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.22-1.27. + +## 3.1.1 + +04 May 2023 + +### Overview + +This release reverts the changes made in 3.1.0 to use sysctls to bind to lower level ports without the NET_BIND_SERVICE capability. It also adds support for serviceNameOverride in the Helm chart, that can be used to override the service name for NGINX Ingress Controller. This is useful especially during an upgrade from versions prior to 3.1.0, to avoid downtime due to the service name change. To use this feature, set the `serviceNameOverride` value in the Helm chart to the name of the existing service. + +For example, if the existing service name is `my-release-nginx-ingress`, you can use `--set serviceNameOverride=my-release-nginx-ingress` when running the upgrade command. +Here is an example upgrade command that keeps the existing service name `my-release-nginx-ingress` for a deployment named `my-release`: + +```console +helm upgrade my-release oci://ghcr.io/nginx/charts/nginx-ingress --version 0.17.1 --set serviceNameOverride=my-release-nginx-ingress +``` + +### Fixes + +- [3737](https://github.com/nginx/kubernetes-ingress/pull/3737) Update VirtualServer to ignore CRL for EgressMTLS. +- [3722](https://github.com/nginx/kubernetes-ingress/pull/3722) Inherit NET_BIND_SERVICE from IC to Nginx. Thanks to [Valters Jansons](https://github.com/sigv). +- [3798](https://github.com/nginx/kubernetes-ingress/pull/3798) Update VirtualServer template to generate an internal jwt auth location per policy applied. + +### Features + +- [3491](https://github.com/nginx/kubernetes-ingress/pull/3491) Egress via Ingress VirtualServer Resource. + +### Dependencies + +- Update NGINX version to 1.23.4. +- Update NGINX Plus version to R29. + +### Helm Chart + +- [3602](https://github.com/nginx/kubernetes-ingress/pull/3602) Updated NGINX Service Mesh references in Helm templates. Thanks to [Jared Byers](https://github.com/jbyers19). +- [3773](https://github.com/nginx/kubernetes-ingress/pull/3773) Swap cpu and memory in HPA template. Thanks to [Bryan Hendryx](https://github.com/coolbry95). +- [3802](https://github.com/nginx/kubernetes-ingress/pull/3802) Add serviceNameOverride. Thanks to [Tim N](https://github.com/timnee). +- [3815](https://github.com/nginx/kubernetes-ingress/pull/3815) Fix GlobalConfiguration name in Helm Chart. +- [3862](https://github.com/nginx/kubernetes-ingress/pull/3862) Add correct indentation to controller-leader-election configmap helm template. + +### Upgrade + +- For NGINX, use the 3.1.1 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.1.1), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.1.1 images from the F5 Container registry or build your own image using the 3.1.1 source code. +- For Helm, use version 0.17.1 of the chart. + +## 3.1.0 + +29 Mar 2023 + +### Overview + +- Beginning with release 3.1.0 the NET_BIND_SERVICE capability is no longer used, and instead relies on net.ipv4.ip_unprivileged_port_start sysctl to allow port binding. Kubernetes 1.22 or later is required for this sysctl to be [classified as safe](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#safe-and-unsafe-sysctls). **Ensure that you are using the latest updated `deployment` and `daemonset` example yaml files available in the repo.** +- *The minimum supported version of Kubernetes is now 1.22*. NGINX Ingress Controller now uses `sysctls` to [bind to lower level ports without additional privileges](https://github.com/nginx/kubernetes-ingress/pull/3573/). This removes the need to use `NET_BIND_SERVICE` to bind to these ports. Thanks to [Valters Jansons](https://github.com/sigv) for making this feature possible! +- Added support for loading pre-compiled [AppProtect Policy Bundles](https://github.com/nginx/kubernetes-ingress/pull/3560) when using the `-enable-app-protect` cli argument. This feature removes the need for the Ingress Controller to compile NGINX App Protect Policy when NGINX App Protect Policy is updated. +- IngressMTLS policy now supports configuring a Certificate Revocation Lists(CRL). When using this feature requests made using a revoked certificate will be rejected. See [Using a Certificate Revocation List]({{< ref "/nic/configuration/policy-resource.md#using-a-certificate-revocation-list" >}}) for details on configuring this option. +- NGINX Ingress Controller now supports [running with a Read-only Root Filesystem](https://github.com/nginx/kubernetes-ingress/pull/3548). This improves the security posture of NGINX Ingress Controller by protecting the file system from unknown writes. See [Configure root filesystem as read-only]({{< ref "/nic/configuration/security.md#configure-root-filesystem-as-read-only" >}}) for details on configuring this option with both HELM and Manifest. Thanks to [Valters Jansons](https://github.com/sigv) for making this feature possible! +- HELM deployments can now set [custom environment variables with controller.env](https://github.com/nginx/kubernetes-ingress/pull/3326). Thanks to [Aaron Shiels](https://github.com/AaronShiels) for making this possible! +- HELM deployments can now configure a [pod disruption budget](https://github.com/nginx/kubernetes-ingress/pull/3248) allowing deployments to configure either a minimum number or a maximum unavailable number of pods. Thanks to [Bryan Hendryx](https://github.com/coolbry95) for making this possible! +- NGINX Ingress Controller uses the latest OIDC reference implementation which now supports [forwarding access tokens to upstreams / backends](https://github.com/nginx/kubernetes-ingress/pull/3474). Thanks to [Shawn Kim](https://github.com/shawnhankim) for making this possible! +- The default TLS secret is now optional. This improves the security posture of NGINX Ingress Controller through enabling [ssl_reject_handshake](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake). This has the impact of immediately terminating the SSL handshake and not revealing TLS or cypher settings to calls that do not match a configured hostname. + +### Features + +- [3034](https://github.com/nginx/kubernetes-ingress/pull/3034) Allow extra args to be provided to the OIDC auth endpoint. Thanks to [Alan Wilkie](https://github.com/alanwilkie-finocomp). +- [3474](https://github.com/nginx/kubernetes-ingress/pull/3474) Add access token support in the OIDC. Thanks to [Shawn Kim](https://github.com/shawnhankim). +- [3326](https://github.com/nginx/kubernetes-ingress/pull/3326) Add support for custom environment variables on the Nginx Controller container. Thanks to [Aaron Shiels](https://github.com/AaronShiels). +- [3527](https://github.com/nginx/kubernetes-ingress/pull/3527) Change controller.topologySpreadConstraints schema to array. Thanks to [Marco Londero](https://github.com/marcuz). +- [3248](https://github.com/nginx/kubernetes-ingress/pull/3248) Add Pod disruption budget option to HELM based installations. Thanks to [Bryan Hendryx](https://github.com/coolbry95). +- [3462](https://github.com/nginx/kubernetes-ingress/pull/3462) Add initial support for SSL termination for TransportServer. +- [3451](https://github.com/nginx/kubernetes-ingress/pull/3451) Enable keepalive-time for healthchecks in VS and VSR. +- [3560](https://github.com/nginx/kubernetes-ingress/pull/3560) Add support for load a pre-compiles AppProtect Policy Bundle. +- [3632](https://github.com/nginx/kubernetes-ingress/pull/3632) Update nginx.org/ca secret type & crl field to IngressMTLS to support CRL. +- [3629](https://github.com/nginx/kubernetes-ingress/pull/3629) Use the "runtime default" seccomp profile. Thanks to [Valters Jansons](https://github.com/sigv). +- [3573](https://github.com/nginx/kubernetes-ingress/pull/3573) Rework port binding logic without privileges. Thanks to [Valters Jansons](https://github.com/sigv). +- [3646](https://github.com/nginx/kubernetes-ingress/pull/3646) Remove app protect agent. +- [3507](https://github.com/nginx/kubernetes-ingress/pull/3507) Support empty path for ImplementationSpecific pathType. +- [3482](https://github.com/nginx/kubernetes-ingress/pull/3482) Use new NSM Spiffe and Cert rotation library. +- [3442](https://github.com/nginx/kubernetes-ingress/pull/3442) Add websocket protocol option to monitor directive. +- [3674](https://github.com/nginx/kubernetes-ingress/pull/3674) Move NAP DoS chart to new repo. +- [3302](https://github.com/nginx/kubernetes-ingress/pull/3302) Make default-server-secret optional. +- [3586](https://github.com/nginx/kubernetes-ingress/pull/3586) Add new labels and metadata to add version information to pods. + +### Fixes + +- [3463](https://github.com/nginx/kubernetes-ingress/pull/3463) Support non-vs created Challenge Ingress. +- [3475](https://github.com/nginx/kubernetes-ingress/pull/3475) Ensure leader election is correctly disabled when option is set to `false` in helm template. +- [3481](https://github.com/nginx/kubernetes-ingress/pull/3481) Add missing OSS internal routes for integration with NSM. +- [3541](https://github.com/nginx/kubernetes-ingress/pull/3541) Ensure non-ready endpoints are not added to upstreams. +- [3583](https://github.com/nginx/kubernetes-ingress/pull/3583) Update keyCache path for JWKs to avoid conflict with OIDC. +- [3607](https://github.com/nginx/kubernetes-ingress/pull/3607) Clear Content-Length headers for requests processed by internal JWKS routes. +- [3660](https://github.com/nginx/kubernetes-ingress/pull/3660) Remove unwanted chars from label value. + +### Helm Chart + +- [3581](https://github.com/nginx/kubernetes-ingress/pull/3581) Push edge Helm Chart to OCI registries. +- [3449](https://github.com/nginx/kubernetes-ingress/pull/3449) Correct values.schema.json nodeSelector. +- [3448](https://github.com/nginx/kubernetes-ingress/pull/3448) Fix Helm Chart Schema for priorityClassName. +- [3519](https://github.com/nginx/kubernetes-ingress/pull/3519) Add OnDelete to allowed strategy values. +- [3537](https://github.com/nginx/kubernetes-ingress/pull/3537) Update schema references to k8s v1.26.1. +- [3606](https://github.com/nginx/kubernetes-ingress/pull/3606) Fix Helm Chart labels and templates. Move version update to labels. + +### Upgrade + +- Make sure the Kubernetes version is in the supported platforms listed below. +- For NGINX, use the 3.1.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.1.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.1.0 images from the F5 Container registry or build your own image using the 3.1.0 source code. +- For Helm, use version 0.17.0 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.22-1.26. + +## 3.0.2 + +13 Feb 2023 + +### Fixes + +- [3519](https://github.com/nginx/kubernetes-ingress/pull/3519) Add OnDelete to allowed strategy values +- [3541](https://github.com/nginx/kubernetes-ingress/pull/3541) Ensure non-ready endpoints are not added to upstreams +- [3527](https://github.com/nginx/kubernetes-ingress/pull/3527) Fix controller.topologySpreadConstraints schema, thanks to [Marco Londero](https://github.com/marcuz) + +### Upgrade + +- For NGINX, use the 3.0.2 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.0.2), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.0.2 images from the F5 Container registry or build your own image using the 3.0.2 source code. +- For Helm, use version 0.16.2 of the chart. + +## 3.0.1 + +25 Jan 2023 + +### Fixes + +- [3448](https://github.com/nginx/kubernetes-ingress/pull/3448) Fix Helm Chart Schema for priorityClassName +- [3449](https://github.com/nginx/kubernetes-ingress/pull/3449) Correct nodeSelector in the Helm Chart Schema +- [3463](https://github.com/nginx/kubernetes-ingress/pull/3463) Support non-VS created Challenge Ingress +- [3481](https://github.com/nginx/kubernetes-ingress/pull/3481) Add missing OSS internal routes for NGINX Service Mesh + +### Upgrade + +- For NGINX, use the 3.0.1 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.0.1), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.0.1 images from the F5 Container registry or build your own image using the 3.0.1 source code. +- For Helm, use version 0.16.1 of the chart. + +## 3.0.0 + +12 January 2023 + +### Overview + +- Added support for [Deep Service Insight]({{< ref "/nic/logging-and-monitoring.md#service-insight" >}}) for VirtualServer and TransportServer using the [-enable-service-insight]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#-enable-service-insight" >}}) cli argument. +- *The minimum supported version of Kubernetes is now 1.21*. NGINX Ingress Controller 3.0.0 removes support for `k8s.io/v1/Endpoints` API in favor of `discovery.k8s.io/v1/EndpointSlices`. For older Kubernetes versions, use the 2.4.x release of the Ingress Controller. +- Added support for [EndpointSlices](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/). +- Added support to dynamically reconfigure namespace watchers using labels [-watch-namespace-label]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#-watch-namespace-label-string" >}}) and watching secrets using the [-watch-secret-namespace]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#-watch-secret-namespace-string" >}}) cli arguments. +- Allow configuration of NGINX directives `map-hash-bucket-size` and `map-hash-max-size` using the [ConfigMap resource]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#general-customization" >}}). +- Added support for [fetching JWKs from a remote URL]({{< ref "/nic/configuration/policy-resource.md#jwt-using-jwks-from-remote-location" >}}) to dynamically validate JWT tokens and optimize performance through caching. +- Beginning with NGINX Service Mesh release 1.7 it will include support for the free version of NGINX Ingress Controller as well as the paid version. +- NGINX Ingress Controller + NGINX App Protect Denial of Service is now available through the AWS Marketplace. + +### Breaking Changes + +- [3260](https://github.com/nginx/kubernetes-ingress/pull/3260) Added support for EndpointSlices. + +### Features + +- [3299](https://github.com/nginx/kubernetes-ingress/pull/3299) Support Dynamic namespaces using Labels. +- [3261](https://github.com/nginx/kubernetes-ingress/pull/3261) Deep service insight endpoint for VirtualServer CR. +- [3361](https://github.com/nginx/kubernetes-ingress/pull/3361) Added healthcheck for TransportServer CR. +- [3347](https://github.com/nginx/kubernetes-ingress/pull/3347) Import JWKS from URL on JWT policy. +- [3274](https://github.com/nginx/kubernetes-ingress/pull/3274) Allow configuration of map-hash-bucket-size and map-hash-max-size directives. +- [3376](https://github.com/nginx/kubernetes-ingress/pull/3376) NGINX Service Mesh will support the free version of NGINX Ingress Controller when using NGINX open source. +- [3170](https://github.com/nginx/kubernetes-ingress/pull/3170) Watch subset of namespaces for secrets. Thanks to [Hans Feldt](https://github.com/hafe). +- [3341](https://github.com/nginx/kubernetes-ingress/pull/3341) Set value of `$remote_addr` to client IP when TLSPassthrough and Proxy Protocol are enabled. +- [3131](https://github.com/nginx/kubernetes-ingress/pull/3131) NAP DoS images are now available in the AWS Marketplace. +- [3231](https://github.com/nginx/kubernetes-ingress/pull/3231) Always print build info and flags used at the start to provide better supportability. +- [2735](https://github.com/nginx/kubernetes-ingress/pull/2735) Support default client proxy headers to be overwritten in VirtualServer. Thanks to [Alex Wied](https://github.com/centromere). +- [3133](https://github.com/nginx/kubernetes-ingress/pull/3133) Added caseSensitiveHttpHeaders to APPolicy CRD. Thanks to [Pavel Galitskiy](https://github.com/galitskiy). + +### Fixes + +- [3139](https://github.com/nginx/kubernetes-ingress/pull/3139) Remove all IPV6 listeners in ingress resources with `-disable-ipv6` command line. + +### Helm Chart + +- [3113](https://github.com/nginx/kubernetes-ingress/pull/3113) Added JSON Schema. +- [3143](https://github.com/nginx/kubernetes-ingress/pull/3143) Added annotations for deployment and daemonset. +- [3136](https://github.com/nginx/kubernetes-ingress/pull/3136) Added controller.dnsPolicy. Thanks to [Dong Wang](https://github.com/wd). +- [3065](https://github.com/nginx/kubernetes-ingress/pull/3065) Added annotations to the service account. Thanks to [0m1xa](https://github.com/0m1xa). +- [3276](https://github.com/nginx/kubernetes-ingress/pull/3276) Added horizontalpodautoscaler. Thanks to [Bryan Hendryx](https://github.com/coolbry95). + +### Upgrade + +- Make sure the Kubernetes version is in the supported platforms listed below. +- For NGINX, use the 3.0.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.0.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress) or [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress). +- For NGINX Plus, use the 3.0.0 images from the F5 Container registry or the AWS Marketplace or build your own image using the 3.0.0 source code. +- For Helm, use version 0.16.0 of the chart. Helm does not upgrade the CRDs. If you're using custom resources like VirtualServer and TransportServer (`controller.enableCustomResources` is set to `true`), after running the `helm upgrade` command, run `kubectl apply -f deployments/helm-chart/crds` to upgrade the CRDs. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.21-1.26. \ No newline at end of file diff --git a/content/nic/changelog/2024.md b/content/nic/changelog/2024.md new file mode 100644 index 000000000..559593369 --- /dev/null +++ b/content/nic/changelog/2024.md @@ -0,0 +1,530 @@ +--- +title: "2024 archive" +# Weights are assigned in increments of 100: determines sorting order +weight: 100 +# Creates a table of contents and sidebar, useful for large documents +toc: true +# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this +nd-content-type: reference +nd-product: NIC +--- + +## 4.0.0 + +16 Dec 2024 + +With added support for [NGINX R33]({{< ref "/nginx/releases.md#nginxplusrelease-33-r33" >}}), deployments of F5 NGINX Ingress Controller using NGINX Plus now require a valid JSON Web Token to run. +For full details on setting up your license `Secret`, see [Upgrading to v4]({{< ref "/nic/install/upgrade.md#upgrade-from-3x-to-4x" >}}). + +API Version `v1alpha1` of `GlobalConfiguration`, `Policy` and `TransportServer` resources are now deprecated. +For full details on updating your resources, see [Update custom resource apiVersion]({{< ref "/nic/install/upgrade.md#upgrade-from-3x-to-4x" >}}). + +Updates have been made to our logging library. For a while, F5 NGINX Ingress Controller has been using the [golang/glog](https://github.com/golang/glog). For this release, we have moved to the native golang library [log/slog](https://pkg.go.dev/log/slog). +This change was made for these reasons: + +1. By using a standard library, we ensure that updates are more consistent, and any known vulnerabilities are more likely to be addressed in a timely manner. +1. By moving to `log/slog`, we enable support for a wider range of logging formats, as well as allowing log outputs to be displayed in a Structured format, and for faster log parsing. + +Layer 4 applications got some love this release, with added support for SNI based routing with our TransportServer resource! +In scenarios where you have multiple applications hosted on a single node, this feature enables routing to those applications through the host header. +For more details on what this feature does, and how to configure it yourself, please look to our [examples section in Github](https://github.com/nginx/kubernetes-ingress/tree/v4.0.0/examples/custom-resources/transport-server-sni#transportserver-sni) + +### Breaking Changes + +- [6903](https://github.com/nginx/kubernetes-ingress/pull/6903) & [6921](https://github.com/nginx/kubernetes-ingress/pull/6921) Add support for NGINX Plus R33 +- [6800](https://github.com/nginx/kubernetes-ingress/pull/6800) Deprecate v1alpha1 CRDs for GlobalConfiguration, Policy & TransportServer +- [6520](https://github.com/nginx/kubernetes-ingress/pull/6520) & [6474](https://github.com/nginx/kubernetes-ingress/pull/6474) Add structured logging + +### Features + +- [6605](https://github.com/nginx/kubernetes-ingress/pull/6605) TransportServer SNI +- [6819](https://github.com/nginx/kubernetes-ingress/pull/6819) Add events to configmap +- [6878](https://github.com/nginx/kubernetes-ingress/pull/6878) Add events when special secrets update + +### Fixes + +- [6583](https://github.com/nginx/kubernetes-ingress/pull/6583) Generate valid yaml for ReadOnly FS +- [6635](https://github.com/nginx/kubernetes-ingress/pull/6635) UpstreamServer Fields Logs Displayed as Memory Addresses +- [6661](https://github.com/nginx/kubernetes-ingress/pull/6661) Revert to original main-template without pod downtime +- [6733](https://github.com/nginx/kubernetes-ingress/pull/6733) Add nil check to apikey suppliedIn +- [6780](https://github.com/nginx/kubernetes-ingress/pull/6780) Use default VS and TS templates when CfgMap obj is deleted + +### Helm Chart + +- [6667](https://github.com/nginx/kubernetes-ingress/pull/6667) Helm schema examples +- [6998](https://github.com/nginx/kubernetes-ingress/pull/6998) Update kubernetes version to v1.32.0 in helm schema + +### Dependencies + +- [6485](https://github.com/nginx/kubernetes-ingress/pull/6485), [6497](https://github.com/nginx/kubernetes-ingress/pull/6497), [6512](https://github.com/nginx/kubernetes-ingress/pull/6512), [6533](https://github.com/nginx/kubernetes-ingress/pull/6533), [6543](https://github.com/nginx/kubernetes-ingress/pull/6543), [6557](https://github.com/nginx/kubernetes-ingress/pull/6557), [6580](https://github.com/nginx/kubernetes-ingress/pull/6580), [6607](https://github.com/nginx/kubernetes-ingress/pull/6607), [6638](https://github.com/nginx/kubernetes-ingress/pull/6638), [6654](https://github.com/nginx/kubernetes-ingress/pull/6654), [6657](https://github.com/nginx/kubernetes-ingress/pull/6657), [6676](https://github.com/nginx/kubernetes-ingress/pull/6676), [6685](https://github.com/nginx/kubernetes-ingress/pull/6685), [6699](https://github.com/nginx/kubernetes-ingress/pull/6699), [6697](https://github.com/nginx/kubernetes-ingress/pull/6697), [6719](https://github.com/nginx/kubernetes-ingress/pull/6719), [6717](https://github.com/nginx/kubernetes-ingress/pull/6717), [6747](https://github.com/nginx/kubernetes-ingress/pull/6747), [6743](https://github.com/nginx/kubernetes-ingress/pull/6743), [6775](https://github.com/nginx/kubernetes-ingress/pull/6775), [6789](https://github.com/nginx/kubernetes-ingress/pull/6789), [6762](https://github.com/nginx/kubernetes-ingress/pull/6762), [6786](https://github.com/nginx/kubernetes-ingress/pull/6786), [6845](https://github.com/nginx/kubernetes-ingress/pull/6845), [6864](https://github.com/nginx/kubernetes-ingress/pull/6864), [6880](https://github.com/nginx/kubernetes-ingress/pull/6880), [6862](https://github.com/nginx/kubernetes-ingress/pull/6862), [6897](https://github.com/nginx/kubernetes-ingress/pull/6897), [6890](https://github.com/nginx/kubernetes-ingress/pull/6890), [6905](https://github.com/nginx/kubernetes-ingress/pull/6905), [6906](https://github.com/nginx/kubernetes-ingress/pull/6906), [6909](https://github.com/nginx/kubernetes-ingress/pull/6909), [6919](https://github.com/nginx/kubernetes-ingress/pull/6919), [6936](https://github.com/nginx/kubernetes-ingress/pull/6936), [6945](https://github.com/nginx/kubernetes-ingress/pull/6945), [6971](https://github.com/nginx/kubernetes-ingress/pull/6971) & [6982](https://github.com/nginx/kubernetes-ingress/pull/6982) Bump the Docker dependencies +- [6483](https://github.com/nginx/kubernetes-ingress/pull/6483), [6496](https://github.com/nginx/kubernetes-ingress/pull/6496), [6522](https://github.com/nginx/kubernetes-ingress/pull/6522), [6540](https://github.com/nginx/kubernetes-ingress/pull/6540), [6559](https://github.com/nginx/kubernetes-ingress/pull/6559), [6589](https://github.com/nginx/kubernetes-ingress/pull/6589), [6614](https://github.com/nginx/kubernetes-ingress/pull/6614), [6643](https://github.com/nginx/kubernetes-ingress/pull/6643), [6669](https://github.com/nginx/kubernetes-ingress/pull/6669), [6683](https://github.com/nginx/kubernetes-ingress/pull/6683), [6704](https://github.com/nginx/kubernetes-ingress/pull/6704), [6712](https://github.com/nginx/kubernetes-ingress/pull/6712), [6728](https://github.com/nginx/kubernetes-ingress/pull/6728), [6745](https://github.com/nginx/kubernetes-ingress/pull/6745), [6767](https://github.com/nginx/kubernetes-ingress/pull/6767), [6782](https://github.com/nginx/kubernetes-ingress/pull/6782), [6815](https://github.com/nginx/kubernetes-ingress/pull/6815), [6826](https://github.com/nginx/kubernetes-ingress/pull/6826), [6835](https://github.com/nginx/kubernetes-ingress/pull/6835), [6842](https://github.com/nginx/kubernetes-ingress/pull/6842), [6861](https://github.com/nginx/kubernetes-ingress/pull/6861), [6916](https://github.com/nginx/kubernetes-ingress/pull/6916), [6908](https://github.com/nginx/kubernetes-ingress/pull/6908), [6931](https://github.com/nginx/kubernetes-ingress/pull/6931), [6969](https://github.com/nginx/kubernetes-ingress/pull/6969), [6973](https://github.com/nginx/kubernetes-ingress/pull/6973), [6988](https://github.com/nginx/kubernetes-ingress/pull/6988) & [6994](https://github.com/nginx/kubernetes-ingress/pull/6994) Bump the go dependencies + +### Upgrade + +- For NGINX, use the 4.0.0 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=4.0.0), +[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 4.0.0 images from the F5 Container registry or build your own image using the 4.0.0 source code +- For Helm, use version 2.0.0 of the chart. +- [Upgrading to v4]({{< ref "/nic/install/upgrade.md#upgrade-from-3x-to-4x" >}}) + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.25-1.32. + +## 3.7.2 + +25 Nov 2024 + +{{< call-out "note" >}} +In our next major release, `v4.0.0`, the default log library for NGINX Ingress Controller will be changed from `golang/glog` to `log/slog`. +This will mean that logs generated by NGINX Ingress Controller will be in a structured format with the option to choose a `string` or `json` output. +This will not affect logs generated by NGINX. +To ensure backwards compatibility, we will ensure the existing log format, `glog`, will be maintained through a configuration option for the next 3 releases. +{{< /call-out >}} + +{{< call-out "important" >}} +CRD version removal notice. +In our next major release, `v4.0.0`, support for the following apiVersions for these listed CRDs will be dropped: + +1. `k8s.nginx.org/v1alpha` for `GlobalConfiguration` +1. `k8s.nginx.org/v1alpha` for `Policy` +1. `k8s.nginx.org/v1alpha` for `TransportServer` + +Prior to upgrading, **please ensure** that any of these resources deployed as `apiVersion: k8s.nginx.org/v1alpha1` are upgraded to `apiVersion: k8s.nginx.org/v1` +If a resource of `kind: GlobalConfiguration`, `kind: Policy` or `kind: TransportServer` are deployed as `apiVersion: k8s.nginx.org/v1alpha1`, these resources will be **deleted** when upgrading from, at least, `v3.4.0` to `v4.0.0` + +When `v4.0.0` is released, the release notes will contain the required upgrade steps to go from `v3.X.X` to `v4.X.X` +{{< /call-out >}} + +### Fixes + +- [6838](https://github.com/nginx/kubernetes-ingress/pull/6838) Update oidc_template and conf + +### Dependencies + +- [6779](https://github.com/nginx/kubernetes-ingress/pull/6779), [6790](https://github.com/nginx/kubernetes-ingress/pull/6790) & [6851](https://github.com/nginx/kubernetes-ingress/pull/6851) Bump the Docker dependencies +- [6791](https://github.com/nginx/kubernetes-ingress/pull/6791), [6849](https://github.com/nginx/kubernetes-ingress/pull/6849) & [6839](https://github.com/nginx/kubernetes-ingress/pull/6839) Bump the go dependencies + +### Upgrade + +- For NGINX, use the 3.7.2 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.7.2), +[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.7.2 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.7.2 source code. +- For Helm, use version 1.4.2 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.25-1.31. + +## 3.7.1 + +06 Nov 2024 + +### Fixes + +- [6735](https://github.com/nginx/kubernetes-ingress/pull/6735) Add nil check to apikey suppliedIn +- [6761](https://github.com/nginx/kubernetes-ingress/pull/6761) Add OIDC fix for ID token nonce claim validation + +### Dependencies + +- [6545](https://github.com/nginx/kubernetes-ingress/pull/6545), [6560](https://github.com/nginx/kubernetes-ingress/pull/6560), [6560](https://github.com/nginx/kubernetes-ingress/pull/6560), [6619](https://github.com/nginx/kubernetes-ingress/pull/6619), [6640](https://github.com/nginx/kubernetes-ingress/pull/6640), [6664](https://github.com/nginx/kubernetes-ingress/pull/6664), [6686](https://github.com/nginx/kubernetes-ingress/pull/6686), [6703](https://github.com/nginx/kubernetes-ingress/pull/6703), [6720](https://github.com/nginx/kubernetes-ingress/pull/6720), [6755](https://github.com/nginx/kubernetes-ingress/pull/6755) & [6751](https://github.com/nginx/kubernetes-ingress/pull/6751) Bump the Docker dependencies +- [6553](https://github.com/nginx/kubernetes-ingress/pull/6553), [6591](https://github.com/nginx/kubernetes-ingress/pull/6591), [6618](https://github.com/nginx/kubernetes-ingress/pull/6618), [6648](https://github.com/nginx/kubernetes-ingress/pull/6648), [6688](https://github.com/nginx/kubernetes-ingress/pull/6688), [6674](https://github.com/nginx/kubernetes-ingress/pull/6674), [6707](https://github.com/nginx/kubernetes-ingress/pull/6707), [6730](https://github.com/nginx/kubernetes-ingress/pull/6730) & [6751](https://github.com/nginx/kubernetes-ingress/pull/6751) Bump the go dependencies +- [6570](https://github.com/nginx/kubernetes-ingress/pull/6570) & [6549](https://github.com/nginx/kubernetes-ingress/pull/6549) Bump the go version + +### Upgrade + +- For NGINX, use the 3.7.1 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.7.1), +[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.7.1 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.7.1 source code. +- For Helm, use version 1.4.1 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.25-1.31. + +## 3.7.0 + +30 Sept 2024 + +Added support for VirtualServer & TransportServer to listen on a specific IP when configuring a listener, allowing NGINX to bind to a specific interface. This is also useful in for scenarios where pods need to connect to multiple networks i.e. multi-homed. +Allow an End Session Endpoint to be configured for OIDC providers via Policy. This allows a user to be fully logged out from their idp session. This change also adds support for configuring a post-logout redirect URI, allowing a users to be redirected to a custom logout page. + +The `access_log` directive can now be configured to point to a syslog log server. Previously, access logs defaulted to standard out. This change allows for log parsers aggregators to ingest access logs from NGINX. + +When installing NGINX Ingress Controller via Helm, a uniquely named lease object will be created automatically. This allows for multiple deployments of NGINX Ingress Controller in the same namespace when leader election is enabled, without requiring a unique name to be specified manually for each deployment. + +### Features + +- [5968](https://github.com/nginx/kubernetes-ingress/pull/5968) Add BUILD_OS to Telemetry +- [6014](https://github.com/nginx/kubernetes-ingress/pull/6014) Sync oidc repo +- [6092](https://github.com/nginx/kubernetes-ingress/pull/6092) Support End Session Endpoint for OIDC and allow customizable Post-logout Redirect URI +- [5648](https://github.com/nginx/kubernetes-ingress/pull/5648) Make access_log in http context configurable +- [6180](https://github.com/nginx/kubernetes-ingress/pull/6180) Add ip as an option to listeners for VirtualServer +- [6367](https://github.com/nginx/kubernetes-ingress/pull/6367) Add ip as an option to listeners for TransportServer + +### Fixes + +- [5786](https://github.com/nginx/kubernetes-ingress/pull/5786) Change log level, to Info and above, before calling prometheus exporter functions +- [5838](https://github.com/nginx/kubernetes-ingress/pull/5838) Fix api key policy undefined routes +- [5885](https://github.com/nginx/kubernetes-ingress/pull/5885) Add default telemetry endpoint +- [5899](https://github.com/nginx/kubernetes-ingress/pull/5899) GRPC healthcheck should not have keepalive time +- [6125](https://github.com/nginx/kubernetes-ingress/pull/6125) Don't log errors for not implemented grpc metrics +- [6232](https://github.com/nginx/kubernetes-ingress/pull/6232) Fix panic when creating VirtualServer +- [6372](https://github.com/nginx/kubernetes-ingress/pull/6372) Create unique lease obj for each NIC installed via Helm +- [6406](https://github.com/nginx/kubernetes-ingress/pull/6406) Fix udp/http listener validation logic +- [6446](https://github.com/nginx/kubernetes-ingress/pull/6446) Disable batch reload when batch finishes + +### Helm Chart + +- [5817](https://github.com/nginx/kubernetes-ingress/pull/5817) Remove include-year and includeYear flag +- [5335](https://github.com/nginx/kubernetes-ingress/pull/5335) Choose NodePort values for controller.service.type = LoadBalancer +- [6235](https://github.com/nginx/kubernetes-ingress/pull/6235) Update helm docs by @vepatel + +### Dependencies + +- [5789](https://github.com/nginx/kubernetes-ingress/pull/5789), [5804](https://github.com/nginx/kubernetes-ingress/pull/5804), [5821](https://github.com/nginx/kubernetes-ingress/pull/5821), [5870](https://github.com/nginx/kubernetes-ingress/pull/5870), [5880](https://github.com/nginx/kubernetes-ingress/pull/5880), [5907](https://github.com/nginx/kubernetes-ingress/pull/5907), [5949](https://github.com/nginx/kubernetes-ingress/pull/5949), [5959](https://github.com/nginx/kubernetes-ingress/pull/5959), [5993](https://github.com/nginx/kubernetes-ingress/pull/5993), [6010](https://github.com/nginx/kubernetes-ingress/pull/6010), [6071](https://github.com/nginx/kubernetes-ingress/pull/6071), [6105](https://github.com/nginx/kubernetes-ingress/pull/6105), [6132](https://github.com/nginx/kubernetes-ingress/pull/6132), [6186](https://github.com/nginx/kubernetes-ingress/pull/6186), [6195](https://github.com/nginx/kubernetes-ingress/pull/6195), [6200](https://github.com/nginx/kubernetes-ingress/pull/6200), [6215](https://github.com/nginx/kubernetes-ingress/pull/6215), [6229](https://github.com/nginx/kubernetes-ingress/pull/6229), [6266](https://github.com/nginx/kubernetes-ingress/pull/6266), [6283](https://github.com/nginx/kubernetes-ingress/pull/6283), [6287](https://github.com/nginx/kubernetes-ingress/pull/6287), [6299](https://github.com/nginx/kubernetes-ingress/pull/6299), [6310](https://github.com/nginx/kubernetes-ingress/pull/6310), [6358](https://github.com/nginx/kubernetes-ingress/pull/6358), [6364](https://github.com/nginx/kubernetes-ingress/pull/6364), [6397](https://github.com/nginx/kubernetes-ingress/pull/6397), [6412](https://github.com/nginx/kubernetes-ingress/pull/6412), [6459](https://github.com/nginx/kubernetes-ingress/pull/6459) Bump the go dependencies +- [5929](https://github.com/nginx/kubernetes-ingress/pull/5929), [6337](https://github.com/nginx/kubernetes-ingress/pull/6337), [6350](https://github.com/nginx/kubernetes-ingress/pull/6350) & [6368](https://github.com/nginx/kubernetes-ingress/pull/6368) Bump the go version +- [6052](https://github.com/nginx/kubernetes-ingress/pull/6052) Replace promlog with go-kit +- [6205](https://github.com/nginx/kubernetes-ingress/pull/6205) Update Kubernetes version to v1.31.0 +- [5808](https://github.com/nginx/kubernetes-ingress/pull/5808), [5804](https://github.com/nginx/kubernetes-ingress/pull/5804), [5821](https://github.com/nginx/kubernetes-ingress/pull/5821), [5870](https://github.com/nginx/kubernetes-ingress/pull/5870), [5822](https://github.com/nginx/kubernetes-ingress/pull/5822), [5819](https://github.com/nginx/kubernetes-ingress/pull/5819), [5881](https://github.com/nginx/kubernetes-ingress/pull/5881), [5910](https://github.com/nginx/kubernetes-ingress/pull/5910), [5928](https://github.com/nginx/kubernetes-ingress/pull/5928), [5944](https://github.com/nginx/kubernetes-ingress/pull/5944), [5965](https://github.com/nginx/kubernetes-ingress/pull/5965), [5985](https://github.com/nginx/kubernetes-ingress/pull/5985), [6003](https://github.com/nginx/kubernetes-ingress/pull/6003), [6066](https://github.com/nginx/kubernetes-ingress/pull/6066), [6093](https://github.com/nginx/kubernetes-ingress/pull/6093), [6122](https://github.com/nginx/kubernetes-ingress/pull/6122), [6130](https://github.com/nginx/kubernetes-ingress/pull/6130), [6156](https://github.com/nginx/kubernetes-ingress/pull/6156), [6174](https://github.com/nginx/kubernetes-ingress/pull/6174), [6187](https://github.com/nginx/kubernetes-ingress/pull/6187), [6218](https://github.com/nginx/kubernetes-ingress/pull/6218), [6224](https://github.com/nginx/kubernetes-ingress/pull/6224), [6246](https://github.com/nginx/kubernetes-ingress/pull/6246), [6267](https://github.com/nginx/kubernetes-ingress/pull/6267), [6290](https://github.com/nginx/kubernetes-ingress/pull/6290), [6303](https://github.com/nginx/kubernetes-ingress/pull/6303), [6330](https://github.com/nginx/kubernetes-ingress/pull/6330), [6359](https://github.com/nginx/kubernetes-ingress/pull/6359), [6365](https://github.com/nginx/kubernetes-ingress/pull/6365), [6371](https://github.com/nginx/kubernetes-ingress/pull/6371), [6382](https://github.com/nginx/kubernetes-ingress/pull/6382), [6391](https://github.com/nginx/kubernetes-ingress/pull/6391), [6413](https://github.com/nginx/kubernetes-ingress/pull/6413), [6399](https://github.com/nginx/kubernetes-ingress/pull/6399), [6434](https://github.com/nginx/kubernetes-ingress/pull/6434) Bump the Docker dependencies + +### Upgrade + +- For NGINX, use the 3.7.0 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.7.0), +[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.7.0 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.7.0 source code. +- For Helm, use version 1.4.0 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.25-1.31. + +## 3.6.2 + +19 Aug 2024 + +### Fixes + +- [6125](https://github.com/nginx/kubernetes-ingress/pull/6125) Don't log errors for not implemented grpc metrics +- [6223](https://github.com/nginx/kubernetes-ingress/pull/6223) Re-order mounting debian apt source file + +### Dependencies + +- [5974](https://github.com/nginx/kubernetes-ingress/pull/5974), [6021](https://github.com/nginx/kubernetes-ingress/pull/6021), [5998](https://github.com/nginx/kubernetes-ingress/pull/5998), [6081](https://github.com/nginx/kubernetes-ingress/pull/6081), [6120](https://github.com/nginx/kubernetes-ingress/pull/6120), [6141](https://github.com/nginx/kubernetes-ingress/pull/6141), [6196](https://github.com/nginx/kubernetes-ingress/pull/6196), [6204](https://github.com/nginx/kubernetes-ingress/pull/6204), [6211](https://github.com/nginx/kubernetes-ingress/pull/6211), [6222](https://github.com/nginx/kubernetes-ingress/pull/6204) & [6234](https://github.com/nginx/kubernetes-ingress/pull/6234) Go dependencies +- [5967](https://github.com/nginx/kubernetes-ingress/pull/5967), [6013](https://github.com/nginx/kubernetes-ingress/pull/6013), [6070](https://github.com/nginx/kubernetes-ingress/pull/6070), [6098](https://github.com/nginx/kubernetes-ingress/pull/6098), [6126](https://github.com/nginx/kubernetes-ingress/pull/6126), [6158](https://github.com/nginx/kubernetes-ingress/pull/6158), [6179](https://github.com/nginx/kubernetes-ingress/pull/6179), [6191](https://github.com/nginx/kubernetes-ingress/pull/6191), [6226](https://github.com/nginx/kubernetes-ingress/pull/6226) & [6233](https://github.com/nginx/kubernetes-ingress/pull/6233) Docker base image updates + +### Upgrade + +- For NGINX, use the 3.6.2 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.6.2), +[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.6.2 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace, or build your own image using the 3.6.2 source code. +- For Helm, use version 1.3.2 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.25-1.31. + +## 3.6.1 + +04 Jul 2024 + +### Fixes + +- [5921](https://github.com/nginx/kubernetes-ingress/pull/5921) GRPC healthcheck should not have keepalive time +- [5889](https://github.com/nginx/kubernetes-ingress/pull/5889) Add default telemetry endpoint + +### Dependencies + +- [5930](https://github.com/nginx/kubernetes-ingress/pull/5930) Bump Go version to 1.22.5 +- [5947](https://github.com/nginx/kubernetes-ingress/pull/5947), [5923](https://github.com/nginx/kubernetes-ingress/pull/5923), [5943](https://github.com/nginx/kubernetes-ingress/pull/5943), [5939](https://github.com/nginx/kubernetes-ingress/pull/5939) and [5882](https://github.com/nginx/kubernetes-ingress/pull/5882) Docker image updates +- [5951](https://github.com/nginx/kubernetes-ingress/pull/5951), [5933](https://github.com/nginx/kubernetes-ingress/pull/5933), [5884](https://github.com/nginx/kubernetes-ingress/pull/5884) and [5877](https://github.com/nginx/kubernetes-ingress/pull/5877) Go dependencies update + +### Upgrade + +- For NGINX, use the 3.6.1 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.6.1), +[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.6.1 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace, the Azure Marketplace or build your own image using the 3.6.1 source code. +- For Helm, use version 1.3.1 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.25-1.30. + +## 3.6.0 + +25 Jun 2024 + +Added support for the latest generation of NGINX App Protect Web Application Firewall, v5. NGINX Ingress Controller will continue to support the NGINX App Protect v4 family to allow customers to implement new Policy Bundle workflow at their own pace. +F5 WAF for NGINX v5 does not accept the JSON based policies, instead requiring users to compile a Policy Bundle outside of the NGINX Ingress Controller pod. Policy bundles contain a combination of custom Policy, signatures, and campaigns. Bundles can be compiled using either the F5 WAF for NGINX [compiler]({{< ref "/waf/configure/compiler.md" >}}), or [NGINX Instance Manager]({{< ref "/nim/nginx-app-protect/manage-waf-security-policies.md#list-security-policy-bundles" >}}). Read more in the [F5 WAF for NGINX V5]({{< ref "/nic/integrations/app-protect-waf-v5/" >}}) topic. + +With this release, NGINX Ingress Controller is implementing a new image maintenance policy. Container images for subscribed users will be updated on a regular basis in-between releases to reduce the CVE vulnerabilities. +Customers can observe the 3.6.x tag when listing images in the registry and select the latest image to update to for the current release. + +### Features + +- [5698](https://github.com/nginx/kubernetes-ingress/pull/5698), [5771](https://github.com/nginx/kubernetes-ingress/pull/5771) & [5784](https://github.com/nginx/kubernetes-ingress/pull/5784) Add support for F5 NGINX AppProtect WAF v5 +- [5580](https://github.com/nginx/kubernetes-ingress/pull/5580) & [5752](https://github.com/nginx/kubernetes-ingress/pull/5752) Add APIKey Authentication policy +- [5205](https://github.com/nginx/kubernetes-ingress/pull/5205) Preserve valid listeners when invalid listeners are present in GlobalConfiguration +- [5366](https://github.com/nginx/kubernetes-ingress/pull/5366) Add proxy-set-headers annotation for ingress +- [5406](https://github.com/nginx/kubernetes-ingress/pull/5406), [5408](https://github.com/nginx/kubernetes-ingress/pull/5408), [5418](https://github.com/nginx/kubernetes-ingress/pull/5418), [5404](https://github.com/nginx/kubernetes-ingress/pull/5404) & [5415](https://github.com/nginx/kubernetes-ingress/pull/5415) Add additional telemetry data + +### Fixes + +- [5350](https://github.com/nginx/kubernetes-ingress/pull/5350) Fix ap-waf flag in error message +- [5318](https://github.com/nginx/kubernetes-ingress/pull/5318) Don't reload when `use-cluster-ip` endpoints update, and change the ingress `use-cluster-ip` implementation to use the cluster ip instead of the fqdn +- [5375](https://github.com/nginx/kubernetes-ingress/pull/5375) Fix status for invalid vs and vsr, for weight changes dynamic reload + +### Helm Chart + +- [5313](https://github.com/nginx/kubernetes-ingress/pull/5313) Update helm flag in docs for enableWeightChangesDynamicReload + +### Dependencies + +- [5693](https://github.com/nginx/kubernetes-ingress/pull/5693) Bump Go version to v1.22.4 +- [5368](https://github.com/nginx/kubernetes-ingress/pull/5368), [5331](https://github.com/nginx/kubernetes-ingress/pull/5331) & [5423](https://github.com/nginx/kubernetes-ingress/pull/5423) Bump the go dependencies +- [5298](https://github.com/nginx/kubernetes-ingress/pull/5298), [5344](https://github.com/nginx/kubernetes-ingress/pull/5344), [5345](https://github.com/nginx/kubernetes-ingress/pull/5345),[5371](https://github.com/nginx/kubernetes-ingress/pull/5371), [5378](https://github.com/nginx/kubernetes-ingress/pull/5378), [5379](https://github.com/nginx/kubernetes-ingress/pull/5379), [5398](https://github.com/nginx/kubernetes-ingress/pull/5398), [5397](https://github.com/nginx/kubernetes-ingress/pull/5397), [5399](https://github.com/nginx/kubernetes-ingress/pull/5399) & [5400](https://github.com/nginx/kubernetes-ingress/pull/5400) Bump base Docker images + +### Upgrade + +- For NGINX, use the 3.6.0 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.6.0), +[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.6.0 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace, the Azure Marketplace or build your own image using the 3.6.0 source code. +- For Helm, use version 1.3.0 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.25-1.30. + +## 3.5.2 + +31 May 2024 + +### Important + +- Bundles compiled on NAP WAF versions <= v4.8.x are not compatible with NAP WAF versions >= 4.9.x, this release of NIC includes NAP WAF v4.10 so recompilation of policy bundles is required. JSON based [WAF Policies]({{< ref "/nic/integrations/app-protect-waf/configuration.md#waf-policies" >}}) aren't affected with this change. + +### Dependencies + +- [5654](https://github.com/nginx/kubernetes-ingress/pull/5654) NGINX 1.27.0 and [NGINX Plus R32](https://www.f5.com/company/blog/nginx/nginx-plus-r32-released) +- [5590](https://github.com/nginx/kubernetes-ingress/pull/5590), [5631](https://github.com/nginx/kubernetes-ingress/pull/5631), [5638](https://github.com/nginx/kubernetes-ingress/pull/5638), [5662](https://github.com/nginx/kubernetes-ingress/pull/5662), [5623](https://github.com/nginx/kubernetes-ingress/pull/5623) Go updates +- [5579](https://github.com/nginx/kubernetes-ingress/pull/5579), [5642](https://github.com/nginx/kubernetes-ingress/pull/5642), [5573](https://github.com/nginx/kubernetes-ingress/pull/5573), [5630](https://github.com/nginx/kubernetes-ingress/pull/5630), [5665](https://github.com/nginx/kubernetes-ingress/pull/5665), [5673](https://github.com/nginx/kubernetes-ingress/pull/5673) Container base image updates + +### Upgrade + +- For NGINX, use the 3.5.2 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.5.2), +[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.5.2 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace, the Azure Marketplace, or build your own image using the 3.5.2 source code +- For Helm, use version 1.2.2 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.25-1.30. + +## 3.5.1 + +08 May 2024 + +### Fixes + +- [5463](https://github.com/nginx/kubernetes-ingress/pull/5463) Don't reload when use-cluster-ip endpoints update +- [5464](https://github.com/nginx/kubernetes-ingress/pull/5464) Fix status for invalid vs and vsr, for weight changes dynamic reload +- [5470](https://github.com/nginx/kubernetes-ingress/pull/5470) Add support for named ports in ingresses which use-cluster-ip + +### Helm Chart + +- [5315](https://github.com/nginx/kubernetes-ingress/pull/5315) Update helm flag in docs for enableWeightChangesDynamicReload + +### Dependencies + +- [5511](https://github.com/nginx/kubernetes-ingress/pull/5511) & [5391](https://github.com/nginx/kubernetes-ingress/pull/5391) Go updates +- [5490](https://github.com/nginx/kubernetes-ingress/pull/5490) Pin app-protect module version to 4.8.1 + +### Upgrade + +- For NGINX, use the 3.5.1 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.5.1), +[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.5.1 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.5.1 source code. +- For Helm, use version 1.2.1 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.23-1.29. + +## 3.5.0 + +26 Mar 2024 + +NGINX Ingress Controller and F5 WAF for NGINX users can can now view violations through NGINX Instance Manager Security Monitor. Security Monitor can be used to build Policy bundles, reducing reload time impacts on NGINX Ingress Controller. Read more information in [F5 WAF for NGINX Bundles]({{< ref "/nic/integrations/app-protect-waf/configuration.md#waf-bundles" >}}) and Security Monitoring. + +When using NGINX Plus for two version [split rollouts]({{ ref "/nic/configuration/virtualserver-and-virtualserverroute-resources.md#split" }}), you can now control progressive rollouts of a new backend version without reloading NGINX using the [**-weight-changes-dynamic-reload**]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#-weight-changes-dynamic-reload" >}}) command line argument. + +The [**use-cluster-ip**]({{< ref "/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md#backend-services-upstreams" >}}) annotation is now available for the Ingress resource. +**use-cluster-ip** supports service meshes and specific use cases where the backend service should be the target instead of individual backend service pods, bypassing upstream load balancing. + +### Features + +- [5179](https://github.com/nginx/kubernetes-ingress/pull/5179) & [5051](https://github.com/nginx/kubernetes-ingress/pull/5051) Add NIM Security Dashboard integration for F5 WAF for NGINX security violations +- [5212](https://github.com/nginx/kubernetes-ingress/pull/5212) Weight changes Dynamic Reload +- [4862](https://github.com/nginx/kubernetes-ingress/pull/4862) Add use-cluster-ip annotation for ingress resources +- [4660](https://github.com/nginx/kubernetes-ingress/pull/4660) Add annotations for controlling request rate limiting +- [5083](https://github.com/nginx/kubernetes-ingress/pull/5083) Update default values for keepalive-requests and keepalive-timeout +- [5084](https://github.com/nginx/kubernetes-ingress/pull/5084) Allow securityContext and podSecurityContext to be configurable via helm parameters +- [5199](https://github.com/nginx/kubernetes-ingress/pull/5199) Update zone size for transportserver resource +- [4896](https://github.com/nginx/kubernetes-ingress/pull/4896), [5095](https://github.com/nginx/kubernetes-ingress/pull/5095), [5147](https://github.com/nginx/kubernetes-ingress/pull/5147), [5155](https://github.com/nginx/kubernetes-ingress/pull/5155), [5170](https://github.com/nginx/kubernetes-ingress/pull/5170), [5176](https://github.com/nginx/kubernetes-ingress/pull/5176), [5217](https://github.com/nginx/kubernetes-ingress/pull/5217), [5245](https://github.com/nginx/kubernetes-ingress/pull/5245), [5237](https://github.com/nginx/kubernetes-ingress/pull/5237), [5256](https://github.com/nginx/kubernetes-ingress/pull/5256), [5167](https://github.com/nginx/kubernetes-ingress/pull/5167) & [5261](https://github.com/nginx/kubernetes-ingress/pull/5261) Export Telemetry data to XCDF + +### Fixes + +- [5211](https://github.com/nginx/kubernetes-ingress/pull/5211) Move set above rewrite to fix uninitialized variable +- [5175](https://github.com/nginx/kubernetes-ingress/pull/5175) Initialize `stopCh` channel for ExternalDNS +- [5053](https://github.com/nginx/kubernetes-ingress/pull/5053) Ensure `backup` server is removed from upstreams when the Backup Service is deleted + +### Helm Chart + +- [5159](https://github.com/nginx/kubernetes-ingress/pull/5159) Refactor volumes and volumeMounts to common helpers +- [5179](https://github.com/nginx/kubernetes-ingress/pull/5179) Move common pod label definitions to helpers + +### Dependencies + +- [4803](https://github.com/nginx/kubernetes-ingress/pull/4803), [4846](https://github.com/nginx/kubernetes-ingress/pull/4846), [4873](https://github.com/nginx/kubernetes-ingress/pull/4873), [4905](https://github.com/nginx/kubernetes-ingress/pull/4905), [5098](https://github.com/nginx/kubernetes-ingress/pull/5098), [5108](https://github.com/nginx/kubernetes-ingress/pull/5108), [5125](https://github.com/nginx/kubernetes-ingress/pull/5125), [5132](https://github.com/nginx/kubernetes-ingress/pull/5132), [5207](https://github.com/nginx/kubernetes-ingress/pull/5207), [5234](https://github.com/nginx/kubernetes-ingress/pull/5234), [5267](https://github.com/nginx/kubernetes-ingress/pull/5267), [5272](https://github.com/nginx/kubernetes-ingress/pull/5272) & [5218](https://github.com/nginx/kubernetes-ingress/pull/5218) Go Dependency updates +- [5208](https://github.com/nginx/kubernetes-ingress/pull/5208) Bump Go version to 1.22.1 + +### Upgrade + +- For NGINX, use the 3.5.0 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.5.0), +[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.5.0 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.5.0 source code. +- For Helm, use version 1.2.0 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.23-1.29. + +## 3.4.3 + +19 Feb 2024 + +### Fixes + +- [5008](https://github.com/nginx/kubernetes-ingress/pull/5008) Remove redundant Prometheus variable labels +- [4744](https://github.com/nginx/kubernetes-ingress/pull/4744) Fixed validation for VSR exact & regex subroutes. Thanks to [jo-carter](https://github.com/jo-carter). +- [4832](https://github.com/nginx/kubernetes-ingress/pull/4832) Fix new lines in snippets +- [5020](https://github.com/nginx/kubernetes-ingress/pull/5020) Fix template file spacing for `ssl_protocols` directive +- [5041](https://github.com/nginx/kubernetes-ingress/pull/5041) Allow waf users to build without dos repo access + +### Helm Chart + +- [4953](https://github.com/nginx/kubernetes-ingress/pull/4953) Add docs links to helm NOTES.txt + +### Dependencies + +- [5073](https://github.com/nginx/kubernetes-ingress/pull/5073), [5029](https://github.com/nginx/kubernetes-ingress/pull/5029) Bump redhat/ubi8 base image +- [4992](https://github.com/nginx/kubernetes-ingress/pull/4992) Bump ubi base image +- [4994](https://github.com/nginx/kubernetes-ingress/pull/4994) Bump redhat/ubi9-minimal base image +- [5074](https://github.com/nginx/kubernetes-ingress/pull/5074), [4927](https://github.com/nginx/kubernetes-ingress/pull/4927) Bump opentracing/nginx-opentracing +- [5072](https://github.com/nginx/kubernetes-ingress/pull/5072), [5028](https://github.com/nginx/kubernetes-ingress/pull/5028), [5019](https://github.com/nginx/kubernetes-ingress/pull/5019), [5012](https://github.com/nginx/kubernetes-ingress/pull/5012), [5003](https://github.com/nginx/kubernetes-ingress/pull/5003), [4926](https://github.com/nginx/kubernetes-ingress/pull/4926), [5119](https://github.com/nginx/kubernetes-ingress/pull/5119) Bump nginx image +- [4925](https://github.com/nginx/kubernetes-ingress/pull/4925) Bump the debian base image +- [5004](https://github.com/nginx/kubernetes-ingress/pull/5004), [4984](https://github.com/nginx/kubernetes-ingress/pull/4984), [4928](https://github.com/nginx/kubernetes-ingress/pull/4928) Bump golang build image +- [5033](https://github.com/nginx/kubernetes-ingress/pull/5033) Updates `kindest/node` from v1.29.0 to v1.29.1 +- [4909](https://github.com/nginx/kubernetes-ingress/pull/4909), [4924](https://github.com/nginx/kubernetes-ingress/pull/4924), [4939](https://github.com/nginx/kubernetes-ingress/pull/4939), [4949](https://github.com/nginx/kubernetes-ingress/pull/4949), [4971](https://github.com/nginx/kubernetes-ingress/pull/4971), [5022](https://github.com/nginx/kubernetes-ingress/pull/5022), [5034](https://github.com/nginx/kubernetes-ingress/pull/5034), [5055](https://github.com/nginx/kubernetes-ingress/pull/5055) Bump the go dependencies + +### Upgrade + +- For NGINX, use the 3.4.3 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.4.3), +[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.4.3 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.4.3 source code. +- For Helm, use version 1.1.3 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.23-1.29. + +## 3.4.2 + +16 Jan 2024 + +### Fixes + +[4934](https://github.com/nginx/kubernetes-ingress/pull/4934) GCR & AWS Plus image publishing fix + +### Upgrade + +- For NGINX, use the 3.4.2 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.4.2), +[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.4.2 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.4.2 source code. +- For Helm, use version 1.1.2 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.23-1.29. + +## 3.4.1 + +15 Jan 2024 + +### Dependencies + +[4886](https://github.com/nginx/kubernetes-ingress/pull/4886) Update N+ to R31 +[4886](https://github.com/nginx/kubernetes-ingress/pull/4886) Bump Go dependencies. + +### Upgrade + +- For NGINX, use the 3.4.1 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.4.1), +[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 3.4.1 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.4.1 source code. +- For Helm, use version 1.1.1 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.23-1.29. \ No newline at end of file diff --git a/content/nic/changelog/_index.md b/content/nic/changelog/_index.md new file mode 100644 index 000000000..9d900288a --- /dev/null +++ b/content/nic/changelog/_index.md @@ -0,0 +1,259 @@ +--- +title: Changelog +url: /nginx-ingress-controller/changelog +weight: 10200 +nd-landing-page: true +nd-content-type: reference +nd-product: NIC +nd-docs: DOCS-616 +--- + +This changelog lists all of the information for F5 NGINX Ingress Controller releases in 2025. + +For older releases, check the changelogs for previous years: [2024]({{< ref "/nic/changelog/2024.md" >}}), [2023]({{< ref "/nic/changelog/2023.md" >}}), [2022]({{< ref "/nic/changelog/2022.md" >}}), [2021]({{< ref "/nic/changelog/2021.md" >}}), [2020]({{< ref "/nic/changelog/2020.md" >}}), [2019]({{< ref "/nic/changelog/2019.md" >}}). + +## 5.2.1 + +10 Oct 2025 + +### Fixes + +- [8302](https://github.com/nginx/kubernetes-ingress/pull/8302) Remove type field for objects with schema ref + +### Dependencies + +- [8321](https://github.com/nginx/kubernetes-ingress/pull/8321), [8330](https://github.com/nginx/kubernetes-ingress/pull/8330), [8352](https://github.com/nginx/kubernetes-ingress/pull/8352) & [8358](https://github.com/nginx/kubernetes-ingress/pull/8358) Bump Go dependencies +- [8280](https://github.com/nginx/kubernetes-ingress/pull/8280), [8291](https://github.com/nginx/kubernetes-ingress/pull/8291), [8331](https://github.com/nginx/kubernetes-ingress/pull/8331) & [8320](https://github.com/nginx/kubernetes-ingress/pull/8320) Bump Docker dependencies +- [8348](https://github.com/nginx/kubernetes-ingress/pull/8348) Update F5 WAF for NGINX 5.9.0 +- [8273](https://github.com/nginx/kubernetes-ingress/pull/8273) Update dependencies + +### Upgrade + +- For NGINX, use the 5.2.1 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=5.2.1), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 5.2.1 images from the F5 Container registry or build your own image using the 5.2.1 source code. +- For Helm, use version 2.3.1 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.27-1.34. + +## 5.2.0 + +15 Sept 2025 + +This NGINX Ingress Controller release focuses on enhancing performance, simplifying configurations, and improving security to better support modern application needs. The highlights of this release are as follows: + +- NGINX Content Cache using policies: This new feature introduces policy configurations that enable proxy caching. +- Support for Kubernetes `StatefulSet` Objects: Added support for Kubernetes `StatefulSet` objects, which can also be used to provide persistent storage for cached content. +- Auto-Adjusting incompatible proxy buffer directive values: A new `-enable-directive-autoadjust` parameter has been added. When enabled, this feature automatically resolves common proxy buffer configuration dependencies that could cause issues during NGINX reloads. +- Server Name Indication (SNI) support in JWT Policies: Users can now configure sniName and sniEnabled for scenarios where the remote server requires SNI to present the correct certificate + +### Features + +- [8005](https://github.com/nginx/kubernetes-ingress/pull/8005) Add nginx content cache as NIC cache policy +- [8159](https://github.com/nginx/kubernetes-ingress/pull/8159) Statefulset support +- [8133](https://github.com/nginx/kubernetes-ingress/pull/8133) Add support for automatic adjustment of buffer related directives +- [8011](https://github.com/nginx/kubernetes-ingress/pull/8011) Allow startupprobe to be configured via helm +- [7993](https://github.com/nginx/kubernetes-ingress/pull/7993) Add sni to NIC jwt policy +- [8093](https://github.com/nginx/kubernetes-ingress/pull/8093) Add viol_bot_client and viol_geolocation violations support +- [8229](https://github.com/nginx/kubernetes-ingress/pull/8229) Add N+ license expiry to prometheus metrics +- [8142](https://github.com/nginx/kubernetes-ingress/pull/8142) Add globalconfigurationcustomname parameter +- [8195](https://github.com/nginx/kubernetes-ingress/pull/8195) Add support for fips 140-3 compliance + +### Dependencies + +- [8208](https://github.com/nginx/kubernetes-ingress/pull/8208) Update Nginx agent to 3.3 +- [7959](https://github.com/nginx/kubernetes-ingress/pull/7959), [7983](https://github.com/nginx/kubernetes-ingress/pull/7983), [8037](https://github.com/nginx/kubernetes-ingress/pull/8037), [8057](https://github.com/nginx/kubernetes-ingress/pull/8057), [8083](https://github.com/nginx/kubernetes-ingress/pull/8083), [8096](https://github.com/nginx/kubernetes-ingress/pull/8096), [8126](https://github.com/nginx/kubernetes-ingress/pull/8126), [8143](https://github.com/nginx/kubernetes-ingress/pull/8143), [8183](https://github.com/nginx/kubernetes-ingress/pull/8183), [8186](https://github.com/nginx/kubernetes-ingress/pull/8186), [8200](https://github.com/nginx/kubernetes-ingress/pull/8200), [8231](https://github.com/nginx/kubernetes-ingress/pull/8231) Bump Go dependencies +- [7946](https://github.com/nginx/kubernetes-ingress/pull/7946), [7961](https://github.com/nginx/kubernetes-ingress/pull/7961), [7977](https://github.com/nginx/kubernetes-ingress/pull/7977), [7979](https://github.com/nginx/kubernetes-ingress/pull/7979), [7978](https://github.com/nginx/kubernetes-ingress/pull/7978), [7984](https://github.com/nginx/kubernetes-ingress/pull/7984), [7996](https://github.com/nginx/kubernetes-ingress/pull/7996), [8012](https://github.com/nginx/kubernetes-ingress/pull/8012), [8036](https://github.com/nginx/kubernetes-ingress/pull/8036), [8044](https://github.com/nginx/kubernetes-ingress/pull/8044), [8063](https://github.com/nginx/kubernetes-ingress/pull/8063), [8085](https://github.com/nginx/kubernetes-ingress/pull/8085), [8107](https://github.com/nginx/kubernetes-ingress/pull/8107), [8114](https://github.com/nginx/kubernetes-ingress/pull/8114), [8128](https://github.com/nginx/kubernetes-ingress/pull/8128), [8134](https://github.com/nginx/kubernetes-ingress/pull/8134), [8147](https://github.com/nginx/kubernetes-ingress/pull/8147), [8154](https://github.com/nginx/kubernetes-ingress/pull/8154), [8173](https://github.com/nginx/kubernetes-ingress/pull/8173), [8188](https://github.com/nginx/kubernetes-ingress/pull/8188), [8228](https://github.com/nginx/kubernetes-ingress/pull/8228), [8239](https://github.com/nginx/kubernetes-ingress/pull/8239), [8235](https://github.com/nginx/kubernetes-ingress/pull/8235), [8246](https://github.com/nginx/kubernetes-ingress/pull/8246) Bump Docker dependencies + +### Upgrade + +- For NGINX, use the 5.2.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=5.2.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 5.2.0 images from the F5 Container registry or build your own image using the 5.2.0 source code. +- For Helm, use version 2.3.0 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.26-1.34. + +## 5.1.1 + +15 Aug 2025 + +### Fixes + +- [8046](https://github.com/nginx/kubernetes-ingress/pull/8046) Update interval checks for mgmt directive +- [8079](https://github.com/nginx/kubernetes-ingress/pull/8079) Status updates for vs endpoints +- [8125](https://github.com/nginx/kubernetes-ingress/pull/8125) Don't send request headers & body to jwks uri + +### Dependencies + +- [8115](https://github.com/nginx/kubernetes-ingress/pull/8115) & [8131](https://github.com/nginx/kubernetes-ingress/pull/8131) Bump Go dependencies +- [8030](https://github.com/nginx/kubernetes-ingress/pull/8030), [8080](https://github.com/nginx/kubernetes-ingress/pull/8080) & [8112](https://github.com/nginx/kubernetes-ingress/pull/8112) Bump Docker dependencies +- [8139](https://github.com/nginx/kubernetes-ingress/pull/8139) Update to NGINX OSS 1.29.1, NGINX Plus r35, NGINX Agent v3.2, NGINX App Protect 4.16.0 & 5.8.0, and Alpine Linux 3.22 + +### Upgrade + +- For NGINX, use the 5.1.1 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=5.1.1), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 5.1.1 images from the F5 Container registry or build your own image using the 5.1.1 source code. +- For Helm, use version 2.2.2 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.25-1.33. + +## 5.1.0 + +08 Jul 2025 + +This NGINX Ingress Controller release brings initial connectivity to the NGINX One Console! You can now use NGINX One Console to monitor NGINX instances that are part of your NGINX Ingress Controller cluster. See [here]({{< ref "/nginx-one/k8s/add-nic.md" >}}) to configure NGINX One Console with NGINX Ingress Controller. + +This release also includes the ability to configure Rate Limiting for your APIs based on a specific NGINX variable and its value. This allows you more granular control over how frequently specific users access your resources. + +Lastly, in our previous v5.0.0 release, we removed support for OpenTracing. This release replaces that observability capability with native [NGINX OpenTelemetry]({{< ref "/nic/logging-and-monitoring/opentelemetry.md" >}}) traces, allowing you to monitor the traffic of your applications. + +### Features + +- [7642](https://github.com/nginx/kubernetes-ingress/pull/7642) Add [OpenTelemetry support]({{< ref "/nic/logging-and-monitoring/opentelemetry.md" >}}) +- [7916](https://github.com/nginx/kubernetes-ingress/pull/7916) Add support for NGINX Agent version 3 and NGINX One Console +- [7884](https://github.com/nginx/kubernetes-ingress/pull/7884) Tiered rate limits with variables +- [7765](https://github.com/nginx/kubernetes-ingress/pull/7765) Add OIDC PKCE configuration through Policy +- [7832](https://github.com/nginx/kubernetes-ingress/pull/7832) Add request_method to rate-limit Policy +- [7695](https://github.com/nginx/kubernetes-ingress/pull/7695) Add ConfigMapKeys & MGMTConfigMapKeys to Telemetry +- [7705](https://github.com/nginx/kubernetes-ingress/pull/7705) Add Context to logging for JSON and TEXT formats + +### Fixes + +- [7651](https://github.com/nginx/kubernetes-ingress/pull/7651) Use pod labels as headless selector labels +- [7691](https://github.com/nginx/kubernetes-ingress/pull/7691) Avoid applying updates on Ingress Controller shutdown +- [7748](https://github.com/nginx/kubernetes-ingress/pull/7748) Add ; in oidc files +- [7786](https://github.com/nginx/kubernetes-ingress/pull/7786) Correct namespace for mgmt secrets +- [7853](https://github.com/nginx/kubernetes-ingress/pull/7853) Update template for custom redirect URI +- [7865](https://github.com/nginx/kubernetes-ingress/pull/7865) Maintain HeadlessService on upgrade + +### Dependencies + +- [7647](https://github.com/nginx/kubernetes-ingress/pull/7647), [7666](https://github.com/nginx/kubernetes-ingress/pull/7666), [7711](https://github.com/nginx/kubernetes-ingress/pull/7711), [7767](https://github.com/nginx/kubernetes-ingress/pull/7767), [7798](https://github.com/nginx/kubernetes-ingress/pull/7798), [7824](https://github.com/nginx/kubernetes-ingress/pull/7824), [7854](https://github.com/nginx/kubernetes-ingress/pull/7854), [7900](https://github.com/nginx/kubernetes-ingress/pull/7900), [7918](https://github.com/nginx/kubernetes-ingress/pull/7918), [7926](https://github.com/nginx/kubernetes-ingress/pull/7926) Bump Go dependancies +- [7714](https://github.com/nginx/kubernetes-ingress/pull/7714), [7788](https://github.com/nginx/kubernetes-ingress/pull/7788), [7825](https://github.com/nginx/kubernetes-ingress/pull/7825), [7855](https://github.com/nginx/kubernetes-ingress/pull/7855), [7890](https://github.com/nginx/kubernetes-ingress/pull/7890), [7888](https://github.com/nginx/kubernetes-ingress/pull/7888), [7893](https://github.com/nginx/kubernetes-ingress/pull/7893), [7903](https://github.com/nginx/kubernetes-ingress/pull/7903) Bump Docker dependencies +- [7808](https://github.com/nginx/kubernetes-ingress/pull/7808) Update kubernetes version to v1.33.1 in helm schema +- [7896](https://github.com/nginx/kubernetes-ingress/pull/7896) Update go version to 1.24.4 + +### Upgrade + +- For NGINX, use the 5.1.0 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=5.1.0), +[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 5.1.0 images from the F5 Container registry or build your own image using the 5.1.0 source code +- For Helm, use version 2.2.1 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.25-1.33. + +## 5.0.0 + +16 Apr 2025 + +Added support for [NGINX Plus R34]({{< ref "/nginx/releases.md#nginxplusrelease-34-r34" >}}), users needing to use a forward proxy for license verification are now able to make use of the [`proxy`](https://nginx.org/en/docs/ngx_mgmt_module.html#proxy) directives available in F5 NGINX Plus. + +{{< call-out "warning" >}} + +With the removal of the OpenTracing dynamic module from [NGINX Plus R34]({{< ref "/nginx/releases.md#nginxplusrelease-34-r34" >}}), NGINX Ingress Controller also removes full OpenTracing support. This will affect users making use of OpenTracing with the ConfigMap, `server-snippets` & `location-snippets` parameters. Support for tracing with [OpenTelemetry]({{< ref "/nginx/admin-guide/dynamic-modules/opentelemetry.md" >}}) will come in a future release. + +{{< /call-out >}} + +We have extended the rate-limit Policy to allow tiered rate limit groups with JWT claims. This will also allow users to apply different rate limits to their `VirtualServer` or `VirtualServerRoutes` with the value of a JWT claim. See [here](https://github.com/nginx/kubernetes-ingress/tree/v5.0.0/examples/custom-resources/rate-limit-tiered-jwt-claim/) for a working example. + +We introduced NGINX Plus Zone Sync as a managed service within NGINX Ingress Controller in this release. In previous releases, we had examples using `stream-snippets` for OIDC support, users can now enable `zone-sync` without the need for `snippets`. NGINX Plus Zone Sync is available when utilising two or more replicas, it supports OIDC & rate limiting. + +{{< call-out "note" >}} + +For users who have previously installed OIDC or used the `zone_sync` directive with `stream-snippets`, please see the note in the [Configmap resources]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#zone-sync" >}}) topic to use the new `zone-sync` ConfigMap option. + +{{< /call-out >}} + +Open Source NGINX Ingress Controller architectures `armv7`, `s390x` & `ppc64le` are deprecated and will be removed in the next minor release. + +### Breaking Changes + +- [7633](https://github.com/nginx/kubernetes-ingress/pull/7633) & [7567](https://github.com/nginx/kubernetes-ingress/pull/7567) Remove OpenTracing support + +### Features + +- [7054](https://github.com/nginx/kubernetes-ingress/pull/7054) Increase port number range +- [7175](https://github.com/nginx/kubernetes-ingress/pull/7175) Ratelimit based on JWT claim +- [7205](https://github.com/nginx/kubernetes-ingress/pull/7205), [7238](https://github.com/nginx/kubernetes-ingress/pull/7238), [7390](https://github.com/nginx/kubernetes-ingress/pull/7390) & [7393](https://github.com/nginx/kubernetes-ingress/pull/7393) Tiered Rate limit groups with JWT claim +- [7239](https://github.com/nginx/kubernetes-ingress/pull/7239), [7347](https://github.com/nginx/kubernetes-ingress/pull/7347), [7445](https://github.com/nginx/kubernetes-ingress/pull/7445), [7468](https://github.com/nginx/kubernetes-ingress/pull/7468), [7521](https://github.com/nginx/kubernetes-ingress/pull/7521) & [7654](https://github.com/nginx/kubernetes-ingress/pull/7654) Zone Sync support +- [7560](https://github.com/nginx/kubernetes-ingress/pull/7560) Add forward proxy support for NGINX Plus licensing connectivity +- [7299](https://github.com/nginx/kubernetes-ingress/pull/7299) & [7597](https://github.com/nginx/kubernetes-ingress/pull/7597) Add support for NGINX OSS 1.27.4, NGINX Plus R34 & F5 WAF for NGINX 4.13 & 5.6 + +### Fixes + +- [7121](https://github.com/nginx/kubernetes-ingress/pull/7121) Clean up and fix for NIC Pod failing to bind when NGINX exits unexpectedly +- [7185](https://github.com/nginx/kubernetes-ingress/pull/7185) Correct typo in helm lease annotations template +- [7400](https://github.com/nginx/kubernetes-ingress/pull/7400) Add tracking.info and copy into plus images +- [7519](https://github.com/nginx/kubernetes-ingress/pull/7519) Add NGINX state directory for ReadOnlyRootFilesystem + +### Helm Chart + +- [7318](https://github.com/nginx/kubernetes-ingress/pull/7318) Allow customization of service http and https port names through helm + +### Dependencies + +- [6964](https://github.com/nginx/kubernetes-ingress/pull/6964), [6970](https://github.com/nginx/kubernetes-ingress/pull/6970), [6978](https://github.com/nginx/kubernetes-ingress/pull/6978), [6992](https://github.com/nginx/kubernetes-ingress/pull/6992), [7017](https://github.com/nginx/kubernetes-ingress/pull/7017), [7052](https://github.com/nginx/kubernetes-ingress/pull/7052), [7105](https://github.com/nginx/kubernetes-ingress/pull/7105), [7131](https://github.com/nginx/kubernetes-ingress/pull/7131), [7122](https://github.com/nginx/kubernetes-ingress/pull/7122), [7138](https://github.com/nginx/kubernetes-ingress/pull/7138), [7149](https://github.com/nginx/kubernetes-ingress/pull/7149), [7162](https://github.com/nginx/kubernetes-ingress/pull/7162), [7225](https://github.com/nginx/kubernetes-ingress/pull/7225), [7240](https://github.com/nginx/kubernetes-ingress/pull/7240), [7262](https://github.com/nginx/kubernetes-ingress/pull/7262), [7290](https://github.com/nginx/kubernetes-ingress/pull/7290), [7312](https://github.com/nginx/kubernetes-ingress/pull/7312), [7345](https://github.com/nginx/kubernetes-ingress/pull/7345), [7362](https://github.com/nginx/kubernetes-ingress/pull/7362), [7375](https://github.com/nginx/kubernetes-ingress/pull/7375), [7385](https://github.com/nginx/kubernetes-ingress/pull/7385), [7415](https://github.com/nginx/kubernetes-ingress/pull/7415), [7403](https://github.com/nginx/kubernetes-ingress/pull/7403), [7435](https://github.com/nginx/kubernetes-ingress/pull/7435), [7459](https://github.com/nginx/kubernetes-ingress/pull/7459), [7472](https://github.com/nginx/kubernetes-ingress/pull/7472), [7483](https://github.com/nginx/kubernetes-ingress/pull/7483), [7505](https://github.com/nginx/kubernetes-ingress/pull/7505), [7501](https://github.com/nginx/kubernetes-ingress/pull/7501), [7522](https://github.com/nginx/kubernetes-ingress/pull/7522), [7543](https://github.com/nginx/kubernetes-ingress/pull/7543), [7594](https://github.com/nginx/kubernetes-ingress/pull/7594), [7619](https://github.com/nginx/kubernetes-ingress/pull/7619), [7635](https://github.com/nginx/kubernetes-ingress/pull/7635) & [7650](https://github.com/nginx/kubernetes-ingress/pull/7650) Bump Go dependencies +- [7607](https://github.com/nginx/kubernetes-ingress/pull/7607) Bump Go version to 1.24.2 +- [7006](https://github.com/nginx/kubernetes-ingress/pull/7006), [7016](https://github.com/nginx/kubernetes-ingress/pull/7016), [7020](https://github.com/nginx/kubernetes-ingress/pull/7020), [7045](https://github.com/nginx/kubernetes-ingress/pull/7045), [7069](https://github.com/nginx/kubernetes-ingress/pull/7069), [7080](https://github.com/nginx/kubernetes-ingress/pull/7080), [7099](https://github.com/nginx/kubernetes-ingress/pull/7099), [7115](https://github.com/nginx/kubernetes-ingress/pull/7115), [7132](https://github.com/nginx/kubernetes-ingress/pull/7132), [7140](https://github.com/nginx/kubernetes-ingress/pull/7140), [7150](https://github.com/nginx/kubernetes-ingress/pull/7150), [7173](https://github.com/nginx/kubernetes-ingress/pull/7173), [7243](https://github.com/nginx/kubernetes-ingress/pull/7243), [7256](https://github.com/nginx/kubernetes-ingress/pull/7256), [7288](https://github.com/nginx/kubernetes-ingress/pull/7288), [7293](https://github.com/nginx/kubernetes-ingress/pull/7293), [7306](https://github.com/nginx/kubernetes-ingress/pull/7306), [7309](https://github.com/nginx/kubernetes-ingress/pull/7309), [7319](https://github.com/nginx/kubernetes-ingress/pull/7319), [7376](https://github.com/nginx/kubernetes-ingress/pull/7376), [7409](https://github.com/nginx/kubernetes-ingress/pull/7409), [7404](https://github.com/nginx/kubernetes-ingress/pull/7404), [7452](https://github.com/nginx/kubernetes-ingress/pull/7452), [7454](https://github.com/nginx/kubernetes-ingress/pull/7454), [7461](https://github.com/nginx/kubernetes-ingress/pull/7461), [7474](https://github.com/nginx/kubernetes-ingress/pull/7474), [7490](https://github.com/nginx/kubernetes-ingress/pull/7490), [7511](https://github.com/nginx/kubernetes-ingress/pull/7511), [7523](https://github.com/nginx/kubernetes-ingress/pull/7523), [7527](https://github.com/nginx/kubernetes-ingress/pull/7527), [7534](https://github.com/nginx/kubernetes-ingress/pull/7534), [7539](https://github.com/nginx/kubernetes-ingress/pull/7539), [7551](https://github.com/nginx/kubernetes-ingress/pull/7551), [7564](https://github.com/nginx/kubernetes-ingress/pull/7564), [7590](https://github.com/nginx/kubernetes-ingress/pull/7590), [7631](https://github.com/nginx/kubernetes-ingress/pull/7631) & [7467](https://github.com/nginx/kubernetes-ingress/pull/7467) Bump Docker dependencies + +### Upgrade + +- For NGINX Open Source, use the 5.0.0 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=5.0.0), +[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 5.0.0 images from the F5 Container registry or build your own image using the 5.0.0 source code +- For Helm, use version 2.1.0 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.25-1.32. + +## 4.0.1 + +07 Feb 2025 + +### Fixes + +- [7295](https://github.com/nginx/kubernetes-ingress/pull/7295) Clean up and fix for NIC Pod failing to bind when NGINX exits unexpectedly + +### Helm Chart + +{{< call-out "warning" >}} From this release onwards, the Helm chart location has changed from `oci://ghcr.io/nginxinc/charts/nginx-ingress` to `oci://ghcr.io/nginx/charts/nginx-ingress`. {{< /call-out >}} + +- [7188](https://github.com/nginx/kubernetes-ingress/pull/7188) Correct typo in helm lease annotations template + +### Dependencies + +- [7301](https://github.com/nginx/kubernetes-ingress/pull/7301), [7307](https://github.com/nginx/kubernetes-ingress/pull/7307) & [7310](https://github.com/nginx/kubernetes-ingress/pull/7310) Update to nginx 1.27.4 +- [7163](https://github.com/nginx/kubernetes-ingress/pull/7163) Bump Go version to 1.23.5 +- [7024](https://github.com/nginx/kubernetes-ingress/pull/7024), [7061](https://github.com/nginx/kubernetes-ingress/pull/7061), [7113](https://github.com/nginx/kubernetes-ingress/pull/7113), [7145](https://github.com/nginx/kubernetes-ingress/pull/7145), [7148](https://github.com/nginx/kubernetes-ingress/pull/7148), [7154](https://github.com/nginx/kubernetes-ingress/pull/7154), [7164](https://github.com/nginx/kubernetes-ingress/pull/7164), [7229](https://github.com/nginx/kubernetes-ingress/pull/7229), [7265](https://github.com/nginx/kubernetes-ingress/pull/7265), [7250](https://github.com/nginx/kubernetes-ingress/pull/7250), [7296](https://github.com/nginx/kubernetes-ingress/pull/7296) & [7321](https://github.com/nginx/kubernetes-ingress/pull/7321) Bump Go dependencies +- [7012](https://github.com/nginx/kubernetes-ingress/pull/7012), [7022](https://github.com/nginx/kubernetes-ingress/pull/7022), [7028](https://github.com/nginx/kubernetes-ingress/pull/7028), [7144](https://github.com/nginx/kubernetes-ingress/pull/7144), [7152](https://github.com/nginx/kubernetes-ingress/pull/7152), [7155](https://github.com/nginx/kubernetes-ingress/pull/7155), [7181](https://github.com/nginx/kubernetes-ingress/pull/7181), [7267](https://github.com/nginx/kubernetes-ingress/pull/7267), [7302](https://github.com/nginx/kubernetes-ingress/pull/7302), [7304](https://github.com/nginx/kubernetes-ingress/pull/7304) & [7320](https://github.com/nginx/kubernetes-ingress/pull/7320) Bump Docker dependencies + +### Upgrade + +- For NGINX, use the 4.0.1 images from our +[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=4.0.1), +[GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), +[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 4.0.1 images from the F5 Container registry or build your own image using the 4.0.1 source code +- For Helm, use version 2.0.1 of the chart. + +### Supported Platforms + +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by +its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes +versions: 1.25-1.32. \ No newline at end of file diff --git a/content/nic/community.md b/content/nic/community.md index 4a10a6083..0c291dabe 100644 --- a/content/nic/community.md +++ b/content/nic/community.md @@ -1,6 +1,6 @@ --- title: Community and contributing -weight: 2200 +weight: 10000 nd-content-type: reference nd-product: NIC nd-docs: DOCS-1447 diff --git a/content/nic/configuration/_index.md b/content/nic/configuration/_index.md index 2d146c07f..ff059832e 100644 --- a/content/nic/configuration/_index.md +++ b/content/nic/configuration/_index.md @@ -1,5 +1,5 @@ --- title: Configuration -weight: 1400 +weight: 500 url: /nginx-ingress-controller/configuration --- diff --git a/content/nic/configuration/access-control.md b/content/nic/configuration/access-control.md index 4af2ecb27..232949b1d 100644 --- a/content/nic/configuration/access-control.md +++ b/content/nic/configuration/access-control.md @@ -2,6 +2,8 @@ title: Deploy a Policy for access control weight: 900 toc: true +nd-content-type: how-to +nd-product: NIC nd-docs: DOCS-1858 --- @@ -11,7 +13,7 @@ This topic describes how to use F5 NGINX Ingress Controller to apply and update ## Before you begin -You should have a [working NGINX Ingress Controller]({{< ref "/nic/installation/installing-nic/installation-with-helm.md" >}}) instance. +You should have a [working NGINX Ingress Controller]({{< ref "/nic/install/helm.md" >}}) instance. For ease of use in shell commands, set two shell variables: @@ -78,6 +80,7 @@ Use `curl` to attempt to access the application: ```shell curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT ``` + ```text 403 Forbidden @@ -112,6 +115,7 @@ Attempt to access the application again: ```shell curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT ``` + ```text Server address: 10.64.0.13:8080 Server name: webapp-5cbbc7bd78-wf85w diff --git a/content/nic/configuration/global-configuration/command-line-arguments.md b/content/nic/configuration/global-configuration/command-line-arguments.md index 4d61e44b7..398761b18 100644 --- a/content/nic/configuration/global-configuration/command-line-arguments.md +++ b/content/nic/configuration/global-configuration/command-line-arguments.md @@ -1,16 +1,16 @@ --- -nd-docs: DOCS-585 -doctypes: -- '' title: Command-line arguments toc: true weight: 100 +nd-content-type: reference +nd-product: NIC +nd-docs: DOCS-585 --- F5 NGINX Ingress Controller supports several command-line arguments, which are set based on installation method: -- If you're using *Kubernetes Manifests* to install NGINX Ingress Controller, modify the Manifests to set the command-line arguments. View the [Installation with Manifests]({{}}) topic for more information. -- If you're using *Helm* to install NGINX Ingress Controller, modify the parameters of the Helm chart to set the command-line arguments. View the [Installation with Helm]({{}}) topic for more information. +- If you're using *Kubernetes Manifests* to install NGINX Ingress Controller, modify the Manifests to set the command-line arguments. View the [Installation with Manifests]({{< ref "/nic/install/manifests.md" >}}) topic for more information. +- If you're using *Helm* to install NGINX Ingress Controller, modify the parameters of the Helm chart to set the command-line arguments. View the [Installation with Helm]({{< ref "/nic/install/helm.md" >}}) topic for more information. @@ -22,8 +22,6 @@ Default `false`. ---- - ### -default-server-tls-secret `` Secret with a TLS certificate and key for TLS termination of the default server. @@ -36,8 +34,6 @@ Format: `/` ---- - ### -wildcard-tls-secret `` A Secret with a TLS certificate and key for TLS termination of every Ingress/VirtualServer host for which TLS termination is enabled but the Secret is not specified. @@ -49,19 +45,14 @@ Format: `/` ---- - ### -enable-custom-resources Enables custom resources. Default `true`. - ---- - ### -enable-oidc Enables OIDC policies. @@ -70,8 +61,6 @@ Default `false`. ---- - ### -enable-leader-election Enables Leader election to avoid multiple replicas of the controller reporting the status of Ingress, VirtualServer and VirtualServerRoute resources -- only one replica will report status. @@ -81,8 +70,6 @@ See [-report-ingress-status](#cmdoption-report-ingress-status) flag. ---- - ### -enable-tls-passthrough Enable TLS Passthrough on port 443. @@ -91,8 +78,6 @@ Requires [-enable-custom-resources](#cmdoption-enable-custom-resources). ---- - ### -tls-passthrough-port `` Set the port for TLS Passthrough. @@ -102,8 +87,6 @@ Requires [-enable-custom-resources](#cmdoption-enable-custom-resources). ---- - ### -enable-cert-manager Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). @@ -112,8 +95,6 @@ Requires [-enable-custom-resources](#cmdoption-enable-custom-resources). ---- - ### -enable-external-dns Enable integration with ExternalDNS for configuring public DNS entries for VirtualServer resources using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). @@ -121,8 +102,6 @@ Enable integration with ExternalDNS for configuring public DNS entries for Virtu Requires [-enable-custom-resources](#cmdoption-enable-custom-resources). ---- - ### -external-service `` Specifies the name of the service with the type LoadBalancer through which the NGINX Ingress Controller pods are exposed externally. The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. @@ -131,8 +110,6 @@ For Ingress resources only: Requires [-report-ingress-status](#cmdoption-report- ---- - ### -ingresslink `` Specifies the name of the IngressLink resource, which exposes the NGINX Ingress Controller pods via a BIG-IP system. The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. @@ -141,8 +118,6 @@ For Ingress resources only: Requires [-report-ingress-status](#cmdoption-report- ---- - ### -global-configuration `` A GlobalConfiguration resource for global configuration of NGINX Ingress Controller. @@ -153,8 +128,6 @@ Requires [-enable-custom-resources](#cmdoption-enable-custom-resources). ---- - ### -health-status Adds a location "/nginx-health" to the default server. The location responds with the 200 status code for any request. @@ -163,16 +136,12 @@ Useful for external health-checking of NGINX Ingress Controller. ---- - ### -health-status-uri `` Sets the URI of health status location in the default server. Requires [-health-status](#cmdoption-health-status). (default `/nginx-health`) ---- - ### -ingress-class `` The `-ingress-class` argument refers to the name of the resource `kind: IngressClass`. An IngressClass resource with a name equal to the class must be deployed. Otherwise, NGINX Ingress Controller will fail to start. @@ -182,16 +151,12 @@ Default `nginx`. ---- - ### -ingress-template-path `` Path to the ingress NGINX configuration template for an ingress resource. Default for NGINX is `nginx.ingress.tmpl`; default for NGINX Plus is `nginx-plus.ingress.tmpl`. ---- - ### -leader-election-lock-name `` Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election. @@ -200,16 +165,12 @@ Requires [-enable-leader-election](#cmdoption-enable-leader-election). ---- - ### -log_backtrace_at `` When logging hits line `file:N`, emit a stack trace. ---- - ### -main-template-path `` Path to the main NGINX configuration template. @@ -219,8 +180,6 @@ Path to the main NGINX configuration template. ---- - ### -nginx-configmaps `` A ConfigMap resource for customizing NGINX configuration. If a ConfigMap is set, but NGINX Ingress Controller is not able to fetch it from Kubernetes API, NGINX Ingress Controller will fail to start. @@ -229,8 +188,6 @@ Format: `/` ---- - ### -mgmt-configmap `` The Management ConfigMap resource is used for customizing the NGINX mgmt block. If using NGINX Plus, a Management ConfigMap must be set. If NGINX Ingress Controller is not able to fetch it from Kubernetes API, NGINX Ingress Controller will fail to start. @@ -239,24 +196,18 @@ Format: `/` ---- - ### -nginx-debug Enable debugging for NGINX. Uses the nginx-debug binary. Requires 'error-log-level: debug' in the ConfigMap. ---- - ### -nginx-plus Enable support for NGINX Plus. ---- - ### -nginx-reload-timeout `` Timeout in milliseconds which NGINX Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. @@ -265,8 +216,6 @@ Default is 60000. ---- - ### -nginx-status Enable the NGINX stub_status, or the NGINX Plus API. @@ -275,8 +224,6 @@ Default `true`. ---- - ### -nginx-status-allow-cidrs `` Add IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API. @@ -285,8 +232,6 @@ Separate multiple IP/CIDR by commas. (default `127.0.0.1,::1`) ---- - ### -nginx-status-port `` Set the port where the NGINX stub_status or the NGINX Plus API is exposed. @@ -295,8 +240,6 @@ Format: `[1024 - 65535]` (default `8080`) ---- - ### -proxy `` {{< call-out "warning" >}} This argument is intended for testing purposes only. {{< /call-out >}} @@ -307,8 +250,6 @@ NGINX Ingress Controller does not start NGINX and does not write any generated N ---- - ### -report-ingress-status Updates the address field in the status of Ingress resources. @@ -317,8 +258,6 @@ Requires the [-external-service](#cmdoption-external-service) or [-ingresslink]( ---- - ### -transportserver-template-path `` Path to the TransportServer NGINX configuration template for a TransportServer resource. @@ -328,8 +267,6 @@ Path to the TransportServer NGINX configuration template for a TransportServer r ---- - ### -log-level `` Log level for Ingress Controller logs. Allowed values: fatal, error, warn, info, debug, trace. @@ -338,8 +275,6 @@ Log level for Ingress Controller logs. Allowed values: fatal, error, warn, info, ---- - ### -log-format `` Log format for Ingress Controller logs. Allowed values: glog, json, text. @@ -348,16 +283,12 @@ Log format for Ingress Controller logs. Allowed values: glog, json, text. ---- - ### -version Print the version, git-commit hash and build date and exit. ---- - ### -virtualserver-template-path `` Path to the VirtualServer NGINX configuration template for a VirtualServer resource. @@ -365,51 +296,38 @@ Path to the VirtualServer NGINX configuration template for a VirtualServer resou - Default for NGINX is `nginx.virtualserver.tmpl`. - Default for NGINX Plus is `nginx-plus.virtualserver.tmpl`. - ---- - ### -vmodule `` A comma-separated list of pattern=N settings for file-filtered logging. ---- - ### -watch-namespace `` Comma separated list of namespaces NGINX Ingress Controller should watch for resources. By default NGINX Ingress Controller watches all namespaces. Mutually exclusive with "watch-namespace-label". ---- - ### -watch-namespace-label `` Configures NGINX Ingress Controller to watch only those namespaces with label foo=bar. By default NGINX Ingress Controller watches all namespaces. Mutually exclusive with "watch-namespace". ---- - ### -watch-secret-namespace `` Comma separated list of namespaces NGINX Ingress Controller should watch for secrets. If this arg is not configured, NGINX Ingress Controller watches the same namespaces for all resources, see "watch-namespace" and "watch-namespace-label". All namespaces included with this argument must be part of either `-watch-namespace` or `-watch-namespace-label`. ---- - ### -enable-prometheus-metrics Enables exposing NGINX or NGINX Plus metrics in the Prometheus format. ---- - ### -prometheus-metrics-listen-port `` Sets the port where the Prometheus metrics are exposed. @@ -418,8 +336,6 @@ Format: `[1024 - 65535]` (default `9113`) ---- - ### -prometheus-tls-secret `` A Secret with a TLS certificate and key for TLS termination of the Prometheus metrics endpoint. @@ -429,16 +345,12 @@ A Secret with a TLS certificate and key for TLS termination of the Prometheus me ---- - ### -enable-service-insight Exposes the Service Insight endpoint for Ingress Controller. ---- - ### -service-insight-listen-port `` Sets the port where the Service Insight is exposed. @@ -447,8 +359,6 @@ Format: `[1024 - 65535]` (default `9114`) ---- - ### -service-insight-tls-secret `` A Secret with a TLS certificate and key for TLS termination of the Service Insight endpoint. @@ -460,19 +370,14 @@ Format: `/` ---- - ### -spire-agent-address `` Specifies the address of a running Spire agent. **For use with NGINX Service Mesh only**. - If the argument is set, but NGINX Ingress Controller is unable to connect to the Spire Agent, NGINX Ingress Controller will fail to start. - ---- - ### -enable-internal-routes Enable support for internal routes with NGINX Service Mesh. **For use with NGINX Service Mesh only**. @@ -483,8 +388,6 @@ Requires [-spire-agent-address](#cmdoption-spire-agent-address). ---- - ### -enable-latency-metrics Enable collection of latency metrics for upstreams. @@ -492,8 +395,6 @@ Requires [-enable-prometheus-metrics](#cmdoption-enable-prometheus-metrics). ---- - ### -enable-app-protect Enables support for App Protect. @@ -504,8 +405,6 @@ Requires [-nginx-plus](#cmdoption-nginx-plus). ---- - ### -app-protect-log-level `` Sets log level for App Protect. Allowed values: fatal, error, warn, info, debug, trace. @@ -516,8 +415,6 @@ Requires [-nginx-plus](#cmdoption-nginx-plus) and [-enable-app-protect](#cmdopti ---- - ### -enable-app-protect-dos Enables support for App Protect DoS. @@ -528,8 +425,6 @@ Requires [-nginx-plus](#cmdoption-nginx-plus). ---- - ### -app-protect-dos-debug Enable debugging for App Protect DoS. @@ -540,8 +435,6 @@ Requires [-nginx-plus](#cmdoption-nginx-plus) and [-enable-app-protect-dos](#cmd ---- - ### -app-protect-dos-max-daemons Max number of ADMD instances. @@ -554,8 +447,6 @@ Requires [-nginx-plus](#cmdoption-nginx-plus) and [-enable-app-protect-dos](#cmd ---- - ### -app-protect-dos-max-workers Max number of nginx processes to support. @@ -568,8 +459,6 @@ Requires [-nginx-plus](#cmdoption-nginx-plus) and [-enable-app-protect-dos](#cmd ---- - ### -app-protect-dos-memory RAM memory size to consume in MB @@ -582,8 +471,6 @@ Requires [-nginx-plus](#cmdoption-nginx-plus) and [-enable-app-protect-dos](#cmd ---- - ### -ready-status Enables the readiness endpoint `/nginx-ready`. The endpoint returns a success code when NGINX has loaded all the config after the startup. @@ -592,16 +479,12 @@ Default `true`. ---- - ### -ready-status-port The HTTP port for the readiness endpoint. Format: `[1024 - 65535]` (default `8081`) ---- - ### -disable-ipv6 Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. @@ -610,8 +493,6 @@ Default `false`. ---- - ### -default-http-listener-port Sets the port for the HTTP `default_server` listener. @@ -620,8 +501,6 @@ Default `80`. ---- - ### -default-https-listener-port Sets the port for the HTTPS `default_server` listener. @@ -630,8 +509,6 @@ Default `443`. ---- - ### -ssl-dynamic-reload Used to activate or deactivate lazy loading for SSL Certificates. @@ -640,8 +517,6 @@ The default value is `true`. ---- - ### -weight-changes-dynamic-reload Enables the ability to change the weight distribution of two-way split clients without reloading NGINX. @@ -656,8 +531,6 @@ The default value is `false`. ---- - ### -enable-directive-autoadjust Automatically adjusts NGINX buffer directives to prevent configuration errors. @@ -670,8 +543,6 @@ More explanation about this feature can be found in the guide [here]({{< ref "/n ---- - ### -enable-telemetry-reporting Enable gathering and reporting of software telemetry. @@ -680,8 +551,6 @@ The default value is `true`. ---- - ### -agent Enable NGINX Agent which can used with `-enable-app-protect` to send events to Security Monitoring. @@ -690,10 +559,8 @@ The default value is `false`. ---- - ### -agent-instance-group Specify the instance group name to use for the NGINX Ingress Controller deployment when using `-agent`. - + \ No newline at end of file diff --git a/content/nic/configuration/global-configuration/configmap-resource.md b/content/nic/configuration/global-configuration/configmap-resource.md index 4910a66d2..65f025611 100644 --- a/content/nic/configuration/global-configuration/configmap-resource.md +++ b/content/nic/configuration/global-configuration/configmap-resource.md @@ -11,7 +11,7 @@ When using F5 NGINX Ingress Controller, you can customize or fine tune NGINX beh ## Using ConfigMap -1. The [Installation with Manifests]({{< ref "/nic/installation/installing-nic/installation-with-manifests.md" >}}) documentation deploy an empty ConfigMap while the default installation manifests specify it in the command-line arguments of the Ingress Controller. However, if you customized the manifests, to use ConfigMap, make sure to specify the ConfigMap resource to use the [command-line arguments]({{< ref "/nic/configuration/global-configuration/command-line-arguments" >}}) of NGINX Ingress Controller. +1. The [Installation with Manifests]({{< ref "/nic/install/manifests.md" >}}) documentation deploy an empty ConfigMap while the default installation manifests specify it in the command-line arguments of the Ingress Controller. However, if you customized the manifests, to use ConfigMap, make sure to specify the ConfigMap resource to use the [command-line arguments]({{< ref "/nic/configuration/global-configuration/command-line-arguments" >}}) of NGINX Ingress Controller. 1. Create a ConfigMap file with the name *nginx-config.yaml* and set the values that make sense for your setup: @@ -46,16 +46,12 @@ ConfigMap applies globally, meaning that it affects every Ingress resource. In c For more information, view the [Advanced configuration with annotations]({{< ref "/nic/configuration/ingress-resources/advanced-configuration-with-annotations" >}}) topic. ---- - ## ConfigMap and VirtualServer/VirtualServerRoute resources The ConfigMap affects every VirtualServer and VirtualServerRoute resources. However, the fields of those resources allow overriding some ConfigMap keys. For example, the `connect-timeout` field of the `upstream` overrides the `proxy-connect-timeout` ConfigMap key. For more information, view the [VirtualServer and VirtualServerRoute resources]({{< ref "/nic/configuration/virtualserver-and-virtualserverroute-resources" >}}) topic. ---- - ## ConfigMap keys ### Ingress Controller (Unrelated to NGINX Configuration) @@ -100,7 +96,6 @@ For more information, view the [VirtualServer and VirtualServerRoute resources]( |*variables-hash-bucket-size* | Sets the value of the [variables_hash_bucket_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#variables_hash_bucket_size) directive. | *256* | | |*variables-hash-max-size* | Sets the value of the [variables-hash-max-size](https://nginx.org/en/docs/http/ngx_http_core_module.html#variables_hash_max_size) directive. | *1024* | | - ### Logging |ConfigMap Key | Description | Default | Example | @@ -122,7 +117,6 @@ For more information, view the [VirtualServer and VirtualServerRoute resources]( |*proxy-hide-headers* | Sets the value of one or more [proxy_hide_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) directives. Example: *"nginx.org/proxy-hide-headers": "header-a,header-b"* | N/A | |*proxy-pass-headers* | Sets the value of one or more [proxy_pass_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header) directives. Example: *"nginx.org/proxy-pass-headers": "header-a,header-b"* | N/A | - ### Auth and SSL/TLS |ConfigMap Key | Description | Default | @@ -169,7 +163,6 @@ If you previously installed OIDC or used the `zone_sync` directive with `stream- If you encounter the error `error [emerg] 13#13: "zone_sync" directive is duplicate in /etc/nginx/nginx.conf:164` it is likely due to `zone_sync` being enabled in both `stream-snippets` and the ConfigMap. Once upgraded, remove the [old headless service](https://github.com/nginx/kubernetes-ingress/blob/v4.0.1/examples/custom-resources/oidc/nginx-ingress-headless.yaml) deployed for OIDC. {{< /call-out >}} - |ConfigMap Key | Description | Default | | ---| ---| ---| |*zone-sync* | Enables zone synchronization between NGINX Ingress Controller Pods. This autogenerates a [zone_sync_server](https://nginx.org/en/docs/stream/ngx_stream_zone_sync_module.html#zone_sync_server) and a headless service using the `ReplicaSet`, `DaemonSet` or `StatefulSet` name. Please note that this headless service will be automatically cleaned up when uninstalling via Helm or by removing the value from the ConfigMap. The headless service will need to be manually removed if the `controller.customConfigMap` value is set via Helm or the deployment is uninstalled via Manifests. Each Ingress Controller manages its own headless service. NGINX Plus Required. | *False* | @@ -178,7 +171,6 @@ If you encounter the error `error [emerg] 13#13: "zone_sync" directive is duplic |*zone-sync-resolver-ipv6* | Configures whether the optional [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) directive for zone-sync will look up IPv6 addresses. NGINX Plus & `zone-sync` Required | `true` | |*zone-sync-resolver-valid* | Configures an [NGINX time](https://nginx.org/en/docs/syntax.html) that the optional [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) directive for zone-sync will override the TTL value of responses from nameservers with. NGINX Plus & `zone-sync` Required | `5s` | - ### Snippets and custom templates |ConfigMap Key | Description | Default | Example | @@ -196,6 +188,7 @@ If you encounter the error `error [emerg] 13#13: "zone_sync" directive is duplic ### Modules {{< table >}} + |ConfigMap Key | Description | Default | Example | | ---| ---| ---| --- | |*otel-exporter-endpoint* | OTLP/gRPC endpoint that will accept [OpenTelemetry](https://opentelemetry.io) data. Set `otel-trace-in-http` to *"true"* to enable OpenTelemetry at the global level. | N/A | *"https://otel-collector:4317"* | @@ -215,4 +208,5 @@ If you encounter the error `error [emerg] 13#13: "zone_sync" directive is duplic |*app-protect-dos-log-format* | Sets the custom [log format](https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format) for Dos Access log traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by *\n*). In that case, the Ingress Controller will replace every *\n* character with a space character. All *'* characters must be escaped. | `, vs_name_al=$app_protect_dos_vs_name, ip=$remote_addr, tls_fp=$app_protect_dos_tls_fp, outcome=$app_protect_dos_outcome, reason=$app_protect_dos_outcome_reason, policy_name=$app_protect_dos_policy_name, dos_version=$app_protect_dos_version, ip_tls=$remote_addr:$app_protect_dos_tls_fp,` | | |*app-protect-dos-log-format-escaping* | Sets the characters escaping for the variables of the stream log format. Supported values: *json* (JSON escaping), *default* (the default escaping) *none* (disables escaping). | *default* | | |*app-protect-dos-arb-fqdn* | Sets the *app-protect-dos-arb-fqdn* [directive](/nginx-app-protect-dos/directives-and-policy/learn-about-directives-and-policy/#arbitrator-fqdn-directive-app_protect_dos_arb_fqdn). | *svc-appprotect-dos-arb* | | + {{< /table >}} diff --git a/content/nic/configuration/global-configuration/globalconfiguration-resource.md b/content/nic/configuration/global-configuration/globalconfiguration-resource.md index e7ba17b59..3fa4ae583 100644 --- a/content/nic/configuration/global-configuration/globalconfiguration-resource.md +++ b/content/nic/configuration/global-configuration/globalconfiguration-resource.md @@ -1,10 +1,10 @@ --- -nd-docs: DOCS-588 -doctypes: -- '' title: GlobalConfiguration resource toc: true weight: 200 +nd-content-type: reference +nd-product: NIC +nd-docs: DOCS-588 --- This page explains how to use the GlobalConfiguration resource to define the global configuration parameters of F5 NGINX Ingress Controller. @@ -15,7 +15,7 @@ Listeners are required by [TransportServer resources]({{< ref "/nic/configuratio ## Prerequisites -When [installing NGINX Ingress Controller using Manifests]({{< ref "/nic/installation/installing-nic/installation-with-manifests.md" >}}), you need to reference a GlobalConfiguration resource in the [`-global-configuration`]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#cmdoption-global-configuration" >}}) command-line argument. NGINX Ingress Controller only needs one GlobalConfiguration resource. +When [installing NGINX Ingress Controller using Manifests]({{< ref "/nic/install/manifests.md" >}}), you need to reference a GlobalConfiguration resource in the [`-global-configuration`]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#cmdoption-global-configuration" >}}) command-line argument. NGINX Ingress Controller only needs one GlobalConfiguration resource. ## GlobalConfiguration specification @@ -79,6 +79,7 @@ For example, the following command creates a GlobalConfiguration resource define ```shell kubectl apply -f global-configuration.yaml ``` + ```shell globalconfiguration.k8s.nginx.org/nginx-configuration created ``` @@ -88,6 +89,7 @@ Assuming the namespace of the resource is `nginx-ingress`, you can get the resou ```shell kubectl get globalconfiguration nginx-configuration -n nginx-ingress ``` + ```shell NAME AGE nginx-configuration 13s @@ -104,7 +106,6 @@ Two types of validation are available for the GlobalConfiguration resource: - *Structural validation* by `kubectl` and Kubernetes API server. - *Comprehensive validation* by NGINX Ingress Controller. - #### Structural validation The custom resource definition for the GlobalConfiguration includes structural OpenAPI schema which describes the type of every field of the resource. @@ -116,6 +117,7 @@ If you try to create (or update) a resource that violates the structural schema ```shell kubectl apply -f global-configuration.yaml ``` + ```text error: error validating "global-configuration.yaml": error validating data: ValidationError(GlobalConfiguration.spec.listeners[0].port): invalid type for org.nginx.k8s.v1.GlobalConfiguration.spec.listeners.port: got "string", expected "integer"; if you choose to ignore these errors, turn validation off with --validate=false ``` @@ -125,6 +127,7 @@ If you try to create (or update) a resource that violates the structural schema ```shell kubectl apply -f global-configuration.yaml --validate=false ``` + ```text The GlobalConfiguration "nginx-configuration" is invalid: []: Invalid value: map[string]interface {}{ ... }: validation failure list: spec.listeners.port in body must be of type integer: "string" @@ -141,6 +144,7 @@ You can check if the Ingress Controller successfully applied the configuration f ```shell kubectl describe gc nginx-configuration -n nginx-ingress ``` + ```text ... Events: @@ -156,6 +160,7 @@ If you create a GlobalConfiguration `nginx-configuration` with two or more liste ```shell kubectl describe gc nginx-configuration -n nginx-ingress ``` + ```text Events: Type Reason Age From Message @@ -166,7 +171,6 @@ Events: The events section includes a Warning event with the AddedOrUpdatedWithError reason. - ## Using IPV4 and IPV6 Addresses with GlobalConfiguration You can customize the IPv4 and IPv6 Address listeners in the global configuration and apply them to your VirtualServer resources. See the corresponding example [here](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/custom-resources/custom-ip-listeners/virtualserver/) diff --git a/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md b/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md index 8fb2b4d3c..d85e547ad 100644 --- a/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md +++ b/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md @@ -62,6 +62,7 @@ You can check if NGINX Ingress Controller successfully applied the configuration ```shell kubectl describe ing cafe-ingress-with-annotations ``` + ```text ... Events: @@ -77,6 +78,7 @@ If you create an invalid Ingress, NGINX Ingress Controller will reject it and em ```shell kubectl describe ing cafe-ingress-with-annotations ``` + ```text Events: Type Reason Age From Message @@ -99,6 +101,7 @@ The table below summarizes the available annotations. ### General customization {{< table >}} + |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | | *nginx.org/proxy-connect-timeout* | *proxy-connect-timeout* | Sets the value of the [proxy_connect_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout) and [grpc_connect_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_connect_timeout) directive. | *60s* | | @@ -112,23 +115,26 @@ The table below summarizes the available annotations. | *nginx.org/proxy-max-temp-file-size* | *proxy-max-temp-file-size* | Sets the value of the [proxy_max_temp_file_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_max_temp_file_size) directive. | *1024m* | | | *nginx.org/server-tokens* | *server-tokens* | Enables or disables the [server_tokens](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens) directive. Additionally, with the NGINX Plus, you can specify a custom string value, including the empty string value, which disables the emission of the “Server” field. | *True* | | | *nginx.org/path-regex* | N/A | Enables regular expression modifiers for Ingress path parameter. This translates to the NGINX [location](https://nginx.org/en/docs/http/ngx_http_core_module.html#location) directive. You can specify one of these values: "case_sensitive", "case_insensitive", or "exact". The annotation is applied to the entire Ingress resource and its paths. While using Master and Minion Ingresses i.e. Mergeable Ingresses, this annotation can be specified on Minion types. The `path-regex` annotation specified on Master is ignored, and has no effect on paths defined on Minions. | N/A | [path-regex](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/path-regex) | -{{< /table >}} +{{< /table >}} ### Request URI/Header Manipulation {{< table >}} + |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | | *nginx.org/proxy-hide-headers* | *proxy-hide-headers* | Sets the value of one or more [proxy_hide_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) directives. Example: `"nginx.org/proxy-hide-headers": "header-a,header-b"` | N/A | | | *nginx.org/proxy-pass-headers* | *proxy-pass-headers* | Sets the value of one or more [proxy_pass_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header) directives. Example: `"nginx.org/proxy-pass-headers": "header-a,header-b"` | N/A | | | *nginx.org/rewrites* | N/A | Configures URI rewriting using [proxy_pass](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass) directive. | N/A | [rewrites](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/rewrites) | |*nginx.org/proxy-set-headers* | N/A | Enables customization of proxy headers and values using the [proxy_set_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header) directive. Example: `"nginx.org/proxy-set-headers": "header-a: valueA,header-b: valueB,header-c: valueC"` | N/A | [Proxy Set Headers](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/proxy-set-headers). | + {{< /table >}} ### Auth and SSL/TLS {{< table >}} + |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | | *nginx.org/redirect-to-https* | *redirect-to-https* | Sets the 301 redirect rule based on the value of the `http_x_forwarded_proto` header on the server block to force incoming traffic to be over HTTPS. Useful when terminating SSL in a load balancer in front of NGINX Ingress Controller — see [115](https://github.com/nginx/kubernetes-ingress/issues/115) | *False* | | @@ -143,11 +149,12 @@ The table below summarizes the available annotations. | *nginx.com/jwt-realm* | N/A | Specifies a realm. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | | *nginx.com/jwt-token* | N/A | Specifies a variable that contains a JSON Web Token. | By default, a JWT is expected in the `Authorization` header as a Bearer Token. | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | | *nginx.com/jwt-login-url* | N/A | Specifies a URL to which a client is redirected in case of an invalid or missing JWT. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | + {{< /table >}} ### Listeners -|Annotation | ConfigMap Key | Description | Default | +| Annotation | ConfigMap Key | Description | Default | | ---| ---| ---| ---| | *nginx.org/listen-ports* | N/A | Configures HTTP ports that NGINX will listen on. | *[80]* | | *nginx.org/listen-ports-ssl* | N/A | Configures HTTPS ports that NGINX will listen on. | *[443]* | @@ -155,6 +162,7 @@ The table below summarizes the available annotations. ### Backend services (Upstreams) {{< table >}} + |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | | *nginx.org/lb-method* | *lb-method* | Sets the [load balancing method]({{< ref "/nginx/admin-guide/load-balancer/http-load-balancer.md#choosing-a-load-balancing-method" >}}). To use the round-robin method, specify `"round_robin"`. | `"random two least_conn"` | | @@ -172,11 +180,13 @@ The table below summarizes the available annotations. | *nginx.com/health-checks-mandatory-queue* | N/A | When active health checks are mandatory, creates a queue where incoming requests are temporarily stored while NGINX Plus is checking the health of the endpoints after a configuration reload. | *0* | [health-checks](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/health-checks) | | *nginx.com/slow-start* | N/A | Sets the upstream server [slow-start period]({{< ref "/nginx/admin-guide/load-balancer/http-load-balancer.md#server-slow-start" >}}). By default, slow-start is activated after a server becomes [available]({{< ref "/nginx/admin-guide/load-balancer/http-health-check.md#passive-health-checks" >}}) or [healthy]({{< ref "/nginx/admin-guide/load-balancer/http-health-check.md#active-health-checks" >}}). To enable slow-start for newly-added servers, configure [mandatory active health checks](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/health-checks). | *"0s"* | | | *nginx.org/use-cluster-ip* | N/A | Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like `lb-method` and `next-upstream`) will have no effect, as NGINX Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. | *False* | | + {{< /table >}} ### Rate limiting {{< table >}} + |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | | *nginx.org/limit-req-rate* | N/A | Enables request-rate-limiting for this ingress by creating a [limit_req_zone](https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone) and matching [limit_req](https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req) for each location. All servers/locations of one ingress share the same zone. Must have unit r/s or r/m. | N/A | 200r/s | @@ -189,20 +199,22 @@ The table below summarizes the available annotations. | *nginx.org/limit-req-log-level* | N/A | Sets the desired logging level for cases when the server refuses to process requests due to rate exceeding, or delays request processing. Allowed values are info, notice, warn or error. | error | info | | *nginx.org/limit-req-reject-code* | N/A | Sets the status code to return in response to rejected requests. Must fall into the range 400..599. | 429 | 503 | | *nginx.org/limit-req-scale* | N/A | Enables a constant rate-limit by dividing the configured rate by the number of nginx-ingress pods currently serving traffic. This adjustment ensures that the rate-limit remains consistent, even as the number of nginx-pods fluctuates due to autoscaling. Note: This will not work properly if requests from a client are not evenly distributed accross all ingress pods (sticky sessions, long lived TCP-Connections with many requests etc.). In such cases using [zone-sync]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#zone-sync" >}}) instead would give better results. Enabling `zone-sync` will suppress this setting. | false | true | + {{< /table >}} ### Snippets and custom templates -|Annotation | ConfigMap Key | Description | Default | +| Annotation | ConfigMap Key | Description | Default | | ---| ---| ---| ---| | *nginx.org/location-snippets* | *location-snippets* | Sets a custom snippet in location context. | N/A | | *nginx.org/server-snippets* | *server-snippets* | Sets a custom snippet in server context. | N/A | ### F5 WAF for NGINX {#app-protect} -{{< call-out "note" >}} The App Protect annotations only work if the F5 WAF for NGINX module is [installed]({{< ref "/nic/installation/integrations/app-protect-waf/installation.md" >}}). {{< /call-out >}} +{{< call-out "note" >}} The App Protect annotations only work if the F5 WAF for NGINX module is [installed]({{< ref "/nic/integrations/app-protect-waf/installation.md" >}}). {{< /call-out >}} {{< table >}} + |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | | *appprotect.f5.com/app-protect-policy* | N/A | The name of the App Protect Policy for the Ingress Resource. Format is `namespace/name`. If no namespace is specified, the same namespace of the Ingress Resource is used. If not specified but `appprotect.f5.com/app-protect-enable` is true, a default policy id applied. If the referenced policy resource does not exist, or policy is invalid, this annotation will be ignored, and the default policy will be applied. | N/A | [app-protect-waf](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-waf) | @@ -210,12 +222,13 @@ The table below summarizes the available annotations. | *appprotect.f5.com/app-protect-security-log-enable* | N/A | Enable the [security log](/nginx-app-protect/troubleshooting/#app-protect-logging-overview) for App Protect. | *False* | [app-protect-waf](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-waf) | | *appprotect.f5.com/app-protect-security-log* | N/A | The App Protect log configuration for the Ingress Resource. Format is `namespace/name`. If no namespace is specified, the same namespace as the Ingress Resource is used. If not specified the default is used which is: filter: `illegal`, format: `default`. Multiple configurations can be specified in a comma separated list. Both log configurations and destinations list (see below) must be of equal length. Configs and destinations are paired by the list indices. | N/A | [app-protect-waf](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-waf) | | *appprotect.f5.com/app-protect-security-log-destination* | N/A | The destination of the security log. For more information check the [DESTINATION argument](/nginx-app-protect/troubleshooting/#app-protect-logging-overview). Multiple destinations can be specified in a comma-separated list. Both log configurations and destinations list (see above) must be of equal length. Configs and destinations are paired by the list indices. | *syslog:server=localhost:514* | [app-protect-waf](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-waf) | + {{< /table >}} ### App Protect DoS -{{< call-out "note" >}} The App Protect DoS annotations only work if the App Protect DoS module is [installed]({{< ref "/nic/installation/integrations/app-protect-dos/installation.md" >}}). {{< /call-out >}} +{{< call-out "note" >}} The App Protect DoS annotations only work if the App Protect DoS module is [installed]({{< ref "/nic/integrations/app-protect-dos/installation.md" >}}). {{< /call-out >}} |Annotation | ConfigMap Key | Description | Default | Example | | ---| ---| ---| ---| --- | -| *appprotectdos.f5.com/app-protect-dos-resource* | N/A | Enable App Protect DoS for the Ingress Resource by specifying a [DosProtectedResource]({{< ref "/nic/installation/integrations/app-protect-dos/dos-protected.md" >}}). | N/A | [app-protect-dos](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-dos) | +| *appprotectdos.f5.com/app-protect-dos-resource* | N/A | Enable App Protect DoS for the Ingress Resource by specifying a [DosProtectedResource]({{< ref "/nic/integrations/app-protect-dos/dos-protected.md" >}}). | N/A | [app-protect-dos](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-dos) | diff --git a/content/nic/configuration/ingress-resources/basic-configuration.md b/content/nic/configuration/ingress-resources/basic-configuration.md index 5e71a73a9..75d371ae5 100644 --- a/content/nic/configuration/ingress-resources/basic-configuration.md +++ b/content/nic/configuration/ingress-resources/basic-configuration.md @@ -2,8 +2,8 @@ title: Basic configuration weight: 100 toc: true -type: reference -product: NIC +nd-content-type: reference +nd-product: NIC nd-docs: DOCS-593 --- @@ -27,8 +27,6 @@ To learn more about the Ingress resource, view [the official Kubernetes document {{< call-out "note" >}} For complete instructions on deploying Ingress and Secret resources in the cluster, see the [complete example](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/complete-example) in the GitHub repository. {{< /call-out >}} ---- - ## New features available in Kubernetes 1.18 Starting from Kubernetes 1.18, you can use the following new features: @@ -76,9 +74,7 @@ Starting from Kubernetes 1.18, you can use the following new features: . . . ``` - When using this field you need to create the `IngressClass` resource with the corresponding `name`. View the [Create common resources]({{< ref "/nic/installation/installing-nic/installation-with-manifests.md#create-common-resources" >}}) section of the Installation with Manifests topic for more information. - ---- + When using this field you need to create the `IngressClass` resource with the corresponding `name`. View the [Create common resources]({{< ref "/nic/install/manifests.md#create-common-resources" >}}) section of the Installation with Manifests topic for more information. ## Restrictions @@ -89,8 +85,6 @@ NGINX Ingress Controller imposes the following restrictions on Ingress resources - The `path` field in `spec.rules[].http.paths[]` is required for `Exact` and `Prefix` `pathTypes`. - The ImplementationSpecific `pathType` is treated as equivalent to `Prefix` `pathType`, with the exception that when this `pathType` is configured, the `path` field in `spec.rules[].http.paths[]` is not mandatory. `path` defaults to `/` if not set but the `pathType` is set to ImplementationSpecific. ---- - ## Advanced configuration NGINX Ingress Controller generates NGINX configuration by executing a template file that contains the configuration options. diff --git a/content/nic/configuration/policy-resource.md b/content/nic/configuration/policy-resource.md index b3c5d9865..2f46c94a7 100644 --- a/content/nic/configuration/policy-resource.md +++ b/content/nic/configuration/policy-resource.md @@ -13,7 +13,7 @@ The resource is implemented as a [Custom Resource](https://kubernetes.io/docs/co This document is the reference documentation for the Policy resource. An example of a Policy for access control is available in our [GitHub repository](https://github.com/nginx/kubernetes-ingress/blob/v{{< nic-version >}}/examples/custom-resources/access-control). -## Prerequisites +## Before you begin Policies work together with [VirtualServer and VirtualServerRoute resources]({{< ref "/nic/configuration/virtualserver-and-virtualserverroute-resources.md" >}}), which you need to create separately. @@ -44,7 +44,7 @@ spec: |``jwt`` | The JWT policy configures NGINX Plus to authenticate client requests using JSON Web Tokens. | [jwt](#jwt) | No | |``ingressMTLS`` | The IngressMTLS policy configures client certificate verification. | [ingressMTLS](#ingressmtls) | No | |``egressMTLS`` | The EgressMTLS policy configures upstreams authentication and certificate verification. | [egressMTLS](#egressmtls) | No | -|``waf`` | The WAF policy configures WAF and log configuration policies for [NGINX AppProtect]({{< ref "/nic/installation/integrations/app-protect-waf/configuration.md" >}}) | [WAF](#waf) | No | +|``waf`` | The WAF policy configures WAF and log configuration policies for [NGINX AppProtect]({{< ref "/nic/integrations/app-protect-waf/configuration.md" >}}) | [WAF](#waf) | No | |``cache`` | The cache policy configures proxy caching for serving cached content. | [cache](#cache) | No | {{% /table %}} @@ -854,11 +854,11 @@ waf: |Field | Description | Type | Required | | ---| ---| ---| --- | |``enable`` | Enables F5 WAF for NGINX. | ``bool`` | Yes | -|``apPolicy`` | The [F5 WAF for NGINX policy]({{< ref "/nic/installation/integrations/app-protect-waf/configuration.md#waf-policies" >}}) of the WAF. Accepts an optional namespace. Mutually exclusive with ``apBundle``. | ``string`` | No | -|``apBundle`` | The [F5 WAF for NGINX policy bundle]({{< ref "/nic/installation/integrations/app-protect-waf/configuration.md#waf-bundles" >}}). Mutually exclusive with ``apPolicy``. | ``string`` | No | +|``apPolicy`` | The [F5 WAF for NGINX policy]({{< ref "/nic/integrations/app-protect-waf/configuration.md#waf-policies" >}}) of the WAF. Accepts an optional namespace. Mutually exclusive with ``apBundle``. | ``string`` | No | +|``apBundle`` | The [F5 WAF for NGINX policy bundle]({{< ref "/nic/integrations/app-protect-waf/configuration.md#waf-bundles" >}}). Mutually exclusive with ``apPolicy``. | ``string`` | No | |``securityLog.enable`` | **Deprecated:** Enables security log. | ``bool`` | No | -|``securityLog.apLogConf`` | **Deprecated:** The [F5 WAF for NGINX log conf]({{< ref "/nic/installation/integrations/app-protect-waf/configuration.md#waf-logs" >}}) resource. Accepts an optional namespace. Only works with ``apPolicy``. | ``string`` | No | -|``securityLog.apLogBundle`` | **Deprecated:** The [F5 WAF for NGINX log bundle]({{< ref "/nic/installation/integrations/app-protect-waf/configuration.md#waf-bundles" >}}) resource. Only works with ``apBundle``. | ``string`` | No | +|``securityLog.apLogConf`` | **Deprecated:** The [F5 WAF for NGINX log conf]({{< ref "/nic/integrations/app-protect-waf/configuration.md#waf-logs" >}}) resource. Accepts an optional namespace. Only works with ``apPolicy``. | ``string`` | No | +|``securityLog.apLogBundle`` | **Deprecated:** The [F5 WAF for NGINX log bundle]({{< ref "/nic/integrations/app-protect-waf/configuration.md#waf-bundles" >}}) resource. Only works with ``apBundle``. | ``string`` | No | |``securityLog.logDest`` | **Deprecated:** The log destination for the security log. Only accepted variables are ``syslog:server=; localhost; :``, ``stderr``, ````. | ``string`` | No | |``securityLogs`` | Config for security log destinations. | [waf.securityLogs](#wafsecurityLogs) | No | @@ -871,8 +871,8 @@ waf: |Field | Description | Type | Required | | ---| ---| ---| --- | |``enable`` | Enables security log. | ``bool`` | No | -|``apLogConf`` | The [App Protect WAF log conf]({{< ref "/nic/installation/integrations/app-protect-waf/configuration.md#waf-logs" >}}) resource. Accepts an optional namespace. Only works with ``apPolicy``. | ``string`` | No | -|``apLogBundle`` | The [App Protect WAF log bundle]({{< ref "/nic/installation/integrations/app-protect-waf/configuration.md#waf-bundles" >}}) resource. Only works with ``apBundle``. | ``string`` | No | +|``apLogConf`` | The [App Protect WAF log conf]({{< ref "/nic/integrations/app-protect-waf/configuration.md#waf-logs" >}}) resource. Accepts an optional namespace. Only works with ``apPolicy``. | ``string`` | No | +|``apLogBundle`` | The [App Protect WAF log bundle]({{< ref "/nic/integrations/app-protect-waf/configuration.md#waf-bundles" >}}) resource. Only works with ``apBundle``. | ``string`` | No | |``logDest`` | The log destination for the security log. Only accepted variables are ``syslog:server=; localhost; :``, ``stderr``, ````. | ``string`` | No | {{% /table %}} diff --git a/content/nic/configuration/security.md b/content/nic/configuration/security.md index a09f091be..aadc7e800 100644 --- a/content/nic/configuration/security.md +++ b/content/nic/configuration/security.md @@ -42,7 +42,7 @@ It is compatible with a Kubernetes deployment: it **is not** compatible with [F5 NGINX Ingress Controller is designed to be resilient against attacks in various ways, such as running the service as non-root to avoid changes to files. We recommend setting filesystems on all containers to read-only, this includes `nginx-ingress-controller`, though also includes `waf-enforcer` and `waf-config-mgr` when F5 WAF for NGINXv5 is in use. This is so that the attack surface is further reduced by limiting changes to binaries and libraries. -This is not enabled by default, but can be enabled with **Helm** using the [**readOnlyRootFilesystem**]({{< ref "/nic/installation/installing-nic/installation-with-helm.md#configuration" >}}) argument in security contexts on all containers: `nginx-ingress-controller`, `waf_enforcer` and `waf_config_mgr`. +This is not enabled by default, but can be enabled with **Helm** using the [**readOnlyRootFilesystem**]({{< ref "/nic/install/helm.md#configuration" >}}) argument in security contexts on all containers: `nginx-ingress-controller`, `waf_enforcer` and `waf_config_mgr`. For **Manifests**, uncomment the following sections of the deployment and add sections for `waf-enforcer` and `waf-config-mgr` containers: diff --git a/content/nic/glossary.md b/content/nic/glossary.md index 3985d7857..80cb997f3 100644 --- a/content/nic/glossary.md +++ b/content/nic/glossary.md @@ -2,7 +2,7 @@ description: null nd-docs: DOCS-1446 title: Glossary -weight: 10000 +weight: 10100 --- This is a glossary of terms related to F5 NGINX Ingress Controller and Kubernetes as a whole. diff --git a/content/nic/installation/_index.md b/content/nic/install/_index.md similarity index 70% rename from content/nic/installation/_index.md rename to content/nic/install/_index.md index ce047dd5a..a82b8f0d7 100644 --- a/content/nic/installation/_index.md +++ b/content/nic/install/_index.md @@ -2,7 +2,7 @@ title: Installation description: weight: 400 -url: /nginx-ingress-controller/installation +url: /nginx-ingress-controller/install menu: docs: parent: NGINX Ingress Controller diff --git a/content/nic/installation/build-nginx-ingress-controller.md b/content/nic/install/build.md similarity index 96% rename from content/nic/installation/build-nginx-ingress-controller.md rename to content/nic/install/build.md index c043f58a2..aec43077f 100644 --- a/content/nic/installation/build-nginx-ingress-controller.md +++ b/content/nic/install/build.md @@ -1,9 +1,9 @@ --- title: Build NGINX Ingress Controller toc: true -weight: 400 -type: how-to -product: NIC +weight: 700 +nd-content-type: how-to +nd-product: NIC nd-docs: DOCS-1453 --- @@ -11,7 +11,7 @@ This document describes how to build an F5 NGINX Ingress Controller image from s It also includes information on the Makefile targets and variables. -{{}} If you do not need to build a custom image, see the [pre-built image options](#pre-built-images) at the end of this guide. {{}} +{{< call-out "tip" "Pre-built image alternatives" >}} If you do not need to build a custom image, see the [pre-built image options](#pre-built-images) at the end of this guide. {{< /call-out >}} ## Before you begin @@ -27,8 +27,6 @@ Although NGINX Ingress Controller is written in Golang, you don't need to have G You can download the precompiled binary file or build NGINX Ingress Controller in a Docker container. ---- - ## Prepare the environment {#prepare-environment} Get your system ready for building and pushing the NGINX Ingress Controller image. @@ -53,8 +51,6 @@ Get your system ready for building and pushing the NGINX Ingress Controller imag cd kubernetes-ingress ``` ---- - ## Build the NGINX Ingress Controller image {#build-image} After setting up your environment, follow these steps to build the NGINX Ingress Controller image. @@ -99,14 +95,10 @@ Build the image. Replace `` with your private registry's pat make debian-image-plus PREFIX=/nginx-plus-ingress TARGET=download ``` -
- **What to expect**: The image is built and tagged with a version number, which is derived from the `VERSION` variable in the [_Makefile_](#makefile-details). This version number is used for tracking and deployment purposes. {{< call-out "note" >}} If a patch for NGINX Plus is released, make sure to rebuild your image to get the latest version. If your system is caching the Docker layers and not updating the packages, add `DOCKER_BUILD_OPTIONS="--pull --no-cache"` to the make command. {{< /call-out >}} ---- - ## Push the image to your private registry {#push-image} Once you've successfully built the NGINX or NGINX Plus Ingress Controller image, the next step is to upload it to your private Docker registry. This makes the image available for deployment to your Kubernetes cluster. @@ -127,8 +119,6 @@ Upload the NGINX Plus image. Like with the NGINX image, if you're using a custom make push PREFIX=/nginx-plus-ingress ``` ---- - ## Makefile details {#makefile-details} This section provides comprehensive information on the targets and variables available in the _Makefile_. These targets and variables allow you to customize how you build, tag, and push your NGINX or NGINX Plus images. @@ -198,5 +188,5 @@ If you prefer not to build your own NGINX Ingress Controller image, you can use **NGINX Plus Ingress Controller**: You have two options for this: -- Download the image using your NGINX Ingress Controller subscription certificate and key. View the [Download NGINX Ingress Controller from the F5 Registry]({{< ref "/nic/installation/nic-images/registry-download.md" >}}) topic. -- Use your NGINX Ingress Controller subscription JWT token to get the image. View the [Add an NGINX Ingress Controller image to your cluster]({{< ref "/nic/installation/nic-images/add-image-to-cluster.md" >}}) topic. +- Download the image using your NGINX Ingress Controller subscription certificate and key. View the [Download NGINX Ingress Controller from the F5 Registry]({{< ref "/nic/install/images/registry-download.md" >}}) topic. +- Use your NGINX Ingress Controller subscription JWT token to get the image. View the [Add an NGINX Ingress Controller image to your cluster]({{< ref "/nic/install/images/add-image-to-cluster.md" >}}) topic. diff --git a/content/nic/installation/installing-nic/installation-with-helm.md b/content/nic/install/helm.md similarity index 97% rename from content/nic/installation/installing-nic/installation-with-helm.md rename to content/nic/install/helm.md index a8a4c4eec..e094258ae 100644 --- a/content/nic/installation/installing-nic/installation-with-helm.md +++ b/content/nic/install/helm.md @@ -1,5 +1,5 @@ --- -title: Installation with Helm +title: Install NGINX Ingress Controller with Helm toc: true weight: 100 nd-content-type: how-to @@ -15,7 +15,7 @@ The [Helm chart parameters](#helm-chart-parameters) lists the parameters that ca ## Before you begin -{{< call-out "note" >}} All documentation should only be used with the latest stable release, indicated on [the releases page]({{< ref "/nic/releases.md" >}}) of the GitHub repository. {{< /call-out >}} +{{< call-out "note" >}} We recommend the most recent stable version of NGINX Ingress Controller, available on the GitHub repository's [releases page](https://github.com/nginx/kubernetes-ingress/releases). {{< /call-out >}} - A [Kubernetes Version Supported by NGINX Ingress Controller]({{< ref "/nic/technical-specifications.md#supported-kubernetes-versions" >}}) - Helm 3.0+. @@ -24,8 +24,8 @@ The [Helm chart parameters](#helm-chart-parameters) lists the parameters that ca If you would like to use NGINX Plus, there are few options: you will need to update the `controller.image.repository` field of `values-plus.yaml` accordingly. -- [Download NGINX Ingress Controller from the F5 Registry]({{< ref "/nic/installation/nic-images/registry-download.md" >}}) -- [Add an NGINX Ingress Controller image to your cluster]({{< ref "/nic/installation/nic-images/add-image-to-cluster.md" >}}) +- [Download NGINX Ingress Controller from the F5 Registry]({{< ref "/nic/install/images/registry-download.md" >}}) +- [Add an NGINX Ingress Controller image to your cluster]({{< ref "/nic/install/images/add-image-to-cluster.md" >}}) ## Install the Helm chart using the OCI Registry @@ -53,7 +53,6 @@ helm install my-release oci://ghcr.io/nginx/charts/nginx-ingress --version {{< n {{< /tabs >}} - If you'd like to test the latest changes in NGINX Ingress Controller before a new release, you can install the `edge` version, which is built from the `main` branch of the [NGINX Ingress Controller repository](https://github.com/nginx/kubernetes-ingress). You can install the `edge` version by specifying the `--version` flag with the value `0.0.0-edge`: @@ -118,15 +117,24 @@ If you are running multiple NGINX Ingress Controller releases in your cluster wi Ensure the NGINX Ingress Controller versions match the version of the CRDs. When uninstalling a release, ensure that you don’t remove the CRDs until there are no other NGINX Ingress Controller releases running in the cluster. -The [Run multiple NGINX Ingress Controllers]({{< ref "/nic/installation/run-multiple-ingress-controllers.md" >}}) topic has more details. +The [Run multiple NGINX Ingress Controllers]({{< ref "/nic/install/multiple-controllers.md" >}}) topic has more details. {{< /call-out >}} ## Helm chart parameters -The following tables lists the configurable parameters of the NGINX Ingress Controller chart and their default values. +The following table lists the configurable parameters of the NGINX Ingress Controller chart and their default values. + +{{< call-out "note" >}} + +The [values.yaml](https://github.com/nginx/kubernetes-ingress/blob/main/charts/nginx-ingress/values.yaml) file of the Helm chart is a single source of truth and includes parameter descriptions: the table may become outdated. + +The [values.schema.json](https://github.com/nginx/kubernetes-ingress/blob/main/charts/nginx-ingress/values.schema.json) file can be used to inspect the formatting of values. + +{{< /call-out >}} {{< table >}} + |Parameter | Description | Default | | --- | --- | --- | | **controller.name** | The name of the Ingress Controller deployment, daemonset, or statefulset. | Autogenerated | @@ -252,6 +260,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont | **controller.appprotect.configManager.image.digest** | The digest of the F5 WAF for NGINX v5 Configuration Manager. Takes precedence over tag if set. | "" | | **controller.appprotect.configManager.image.pullPolicy** | The pull policy for the F5 WAF for NGINX v5 Configuration Manager image. | IfNotPresent | | **controller.appprotect.configManager.securityContext** | The security context for F5 WAF for NGINX v5 Configuration Manager container. | {"allowPrivilegeEscalation":false,"runAsUser":101,"runAsNonRoot":true,"capabilities":{"drop":["all"]}} | +| **controller.appprotect.logLevel** | Sets the log level for F5 WAF for NGINX | N/A | | **controller.appprotectdos.enable** | Enables the App Protect DoS module in the NGINX Ingress Controller. | false | | **controller.appprotectdos.enable** | Enables the App Protect DoS module in the NGINX Ingress Controller. | false | | **controller.appprotectdos.debug** | Enable debugging for App Protect DoS. | false | @@ -296,25 +305,6 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont | **controller.enableSSLDynamicReload** | Enable lazy loading for SSL Certificates. | true | | **controller.telemetryReporting.enable** | Enable telemetry reporting. | true | | **controller.enableWeightChangesDynamicReload** | Enable weight changes without reloading the NGINX configuration. May require increasing `map_hash_bucket_size`, `map_hash_max_size`, `variable_hash_bucket_size`, and `variable_hash_max_size` in the [ConfigMap]({{< ref "/nic/configuration/global-configuration/configmap-resource.md" >}}) if there are many two-way splits. Requires `controller.nginxplus` | false | -| **rbac.create** | Configures RBAC. | true | -| **rbac.clusterrole.create** | Configures creation of ClusterRole. Creation can be disabled when more fine-grained control over RBAC is required. For example when controller.watchNamespace is used. | true | -| **prometheus.create** | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true | -| **prometheus.port** | Configures the port to scrape the metrics. | 9113 | -| **prometheus.scheme** | Configures the HTTP scheme to use for connections to the Prometheus endpoint. | http | -| **prometheus.secret** | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections. | "" | -| **prometheus.service.create** | Create a Headless service to expose prometheus metrics. Requires `prometheus.create`. | false | -| **prometheus.service.labels** | Kubernetes object labels to attach to the service object. | {service: "nginx-ingress-prometheus-service"} | -| **prometheus.serviceMonitor.create** | Create a ServiceMonitor custom resource. Requires ServiceMonitor CRD to be installed. For the latest CRD, check the latest release on the [prometheus-operator](https://github.com/prometheus-operator/prometheus-operator) GitHub repo under `example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml` | false | -| **prometheus.serviceMonitor.labels** | Kubernetes object labels to attach to the serviceMonitor object. | {} | -| **prometheus.serviceMonitor.selectorMatchLabels** | A set of labels to allow the selection of endpoints for the ServiceMonitor. | {service: "nginx-ingress-prometheus-service"} | -| **prometheus.serviceMonitor.endpoints** | A list of endpoints allowed as part of this ServiceMonitor. | [port: prometheus] | -| **serviceInsight.create** | Expose NGINX Plus Service Insight endpoint. | false | -| **serviceInsight.port** | Configures the port to expose endpoints. | 9114 | -| **serviceInsight.scheme** | Configures the HTTP scheme to use for connections to the Service Insight endpoint. | http | -| **serviceInsight.secret** | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Service Insight endpoint with TLS connections. | "" | -| **serviceNameOverride** | Used to prevent cloud load balancers from being replaced due to service name change during helm upgrades. | "" | -| **nginxServiceMesh.enable** | Enable integration with NGINX Service Mesh. See the NGINX Service Mesh docs for more details. Requires `controller.nginxplus`. | false | -| **nginxServiceMesh.enableEgress** | Enable NGINX Service Mesh workloads to route egress traffic through the NGINX Ingress Controller. See the NGINX Service Mesh docs for more details. Requires `nginxServiceMesh.enable`. | false | |**nginxAgent.enable** | Enable NGINX Agent 3.x to allow [connecting to NGINX One Console]({{< ref "/nginx-one/k8s/add-nic.md" >}}) or to integrate NGINX Agent 2.x for [Security Monitoring]({{< ref "/nic/tutorials/security-monitoring.md" >}}) . | false | |**nginxAgent.logLevel** | Log level for NGINX Agent. | "error" | |**nginxAgent.dataplaneKeySecretName** | Name of the Kubernetes Secret containing the Data Plane key used to authenticate to NGINX One Console. Learn more [here]({{< ref "/nginx-one/k8s/add-nic.md" >}}). Required when `nginxAgent.enable` is set to `true`. Requires NGINX Agent 3.x. | "" | @@ -334,6 +324,26 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |**nginxAgent.napMonitoring.collectorBufferSize** | Buffer size for collector. Will contain log lines and parsed log lines. Requires NGINX Agent 2.x. | 50000 | |**nginxAgent.napMonitoring.processorBufferSize** | Buffer size for processor. Will contain log lines and parsed log lines. Requires NGINX Agent 2.x. | 50000 | |**nginxAgent.customConfigMap** | The name of a custom ConfigMap to use instead of the one provided by default. Requires NGINX Agent 2.x.| "" | +| **nginxServiceMesh.enable** | Enable integration with NGINX Service Mesh. See the NGINX Service Mesh docs for more details. Requires `controller.nginxplus`. | false | +| **nginxServiceMesh.enableEgress** | Enable NGINX Service Mesh workloads to route egress traffic through the NGINX Ingress Controller. See the NGINX Service Mesh docs for more details. Requires `nginxServiceMesh.enable`. | false | +| **prometheus.create** | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true | +| **prometheus.port** | Configures the port to scrape the metrics. | 9113 | +| **prometheus.scheme** | Configures the HTTP scheme to use for connections to the Prometheus endpoint. | http | +| **prometheus.secret** | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections. | "" | +| **prometheus.service.create** | Create a Headless service to expose prometheus metrics. Requires `prometheus.create`. | false | +| **prometheus.service.labels** | Kubernetes object labels to attach to the service object. | {service: "nginx-ingress-prometheus-service"} | +| **prometheus.serviceMonitor.create** | Create a ServiceMonitor custom resource. Requires ServiceMonitor CRD to be installed. For the latest CRD, check the latest release on the [prometheus-operator](https://github.com/prometheus-operator/prometheus-operator) GitHub repo under `example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml` | false | +| **prometheus.serviceMonitor.labels** | Kubernetes object labels to attach to the serviceMonitor object. | {} | +| **prometheus.serviceMonitor.selectorMatchLabels** | A set of labels to allow the selection of endpoints for the ServiceMonitor. | {service: "nginx-ingress-prometheus-service"} | +| **prometheus.serviceMonitor.endpoints** | A list of endpoints allowed as part of this ServiceMonitor. | [port: prometheus] | +| **rbac.create** | Configures RBAC. | true | +| **rbac.clusterrole.create** | Configures creation of ClusterRole. Creation can be disabled when more fine-grained control over RBAC is required. For example when controller.watchNamespace is used. | true | +| **serviceInsight.create** | Expose NGINX Plus Service Insight endpoint. | false | +| **serviceInsight.port** | Configures the port to expose endpoints. | 9114 | +| **serviceInsight.scheme** | Configures the HTTP scheme to use for connections to the Service Insight endpoint. | http | +| **serviceInsight.secret** | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Service Insight endpoint with TLS connections. | "" | +| **serviceNameOverride** | Used to prevent cloud load balancers from being replaced due to service name change during helm upgrades. | "" | + {{< /table >}} ## Uninstall NGINX Ingress Controller diff --git a/content/nic/install/images/_index.md b/content/nic/install/images/_index.md new file mode 100644 index 000000000..0f515a8b8 --- /dev/null +++ b/content/nic/install/images/_index.md @@ -0,0 +1,5 @@ +--- +title: Container images +weight: 600 +url: /nginx-ingress-controller/install/images +--- diff --git a/content/nic/installation/nic-images/add-image-to-cluster.md b/content/nic/install/images/add-image-to-cluster.md similarity index 88% rename from content/nic/installation/nic-images/add-image-to-cluster.md rename to content/nic/install/images/add-image-to-cluster.md index f07d77ff4..3aa61f0bf 100644 --- a/content/nic/installation/nic-images/add-image-to-cluster.md +++ b/content/nic/install/images/add-image-to-cluster.md @@ -13,12 +13,12 @@ This document describes how to add an F5 NGINX Plus Ingress Controller image fro To follow these steps, you will need the following pre-requisite: -- [Create a license Secret]({{< ref "/nic/installation/create-license-secret.md" >}}) +- [Create a license Secret]({{< ref "/nic/install/license-secret.md" >}}) You can also get the NGINX Ingress Controller image using the following alternate methods: -- [Download NGINX Ingress Controller from the F5 Registry]({{< ref "/nic/installation/nic-images/registry-download.md" >}}) -- [Build NGINX Ingress Controller]({{< ref "/nic/installation/build-nginx-ingress-controller.md" >}}) +- [Download NGINX Ingress Controller from the F5 Registry]({{< ref "/nic/install/images/registry-download.md" >}}) +- [Build NGINX Ingress Controller]({{< ref "/nic/install/build.md" >}}) - For NGINX Open Source, you can pull the [nginx/nginx-ingress image](https://hub.docker.com/r/nginx/nginx-ingress/) from DockerHub ## Helm deployments @@ -38,6 +38,7 @@ You can also use the certificate and key from the MyF5 portal and the Docker reg ```shell curl https://private-registry.nginx.com/v2/nginx-ic/nginx-plus-ingress/tags/list --key --cert ``` + ```json { "name": "nginx-ic/nginx-plus-ingress", @@ -53,6 +54,7 @@ curl https://private-registry.nginx.com/v2/nginx-ic/nginx-plus-ingress/tags/list ```shell curl https://private-registry.nginx.com/v2/nginx-ic-nap/nginx-plus-ingress/tags/list --key --cert ``` + ```json { "name": "nginx-ic-nap/nginx-plus-ingress", @@ -67,6 +69,7 @@ curl https://private-registry.nginx.com/v2/nginx-ic-nap/nginx-plus-ingress/tags/ ```shell curl https://private-registry.nginx.com/v2/nginx-ic-dos/nginx-plus-ingress/tags/list --key --cert ``` + ```json { "name": "nginx-ic-dos/nginx-plus-ingress", @@ -81,7 +84,7 @@ The `jq` command was used in these examples to make the JSON output easier to re ### Add the image from source -The [Installation with Helm]({{< ref "/nic/installation/installing-nic/installation-with-helm.md#install-the-helm-chart-from-source" >}}) documentation has a section describing how to use sources: these are the unique steps for Docker secrets using JWT tokens. +The [Installation with Helm]({{< ref "/nic/install/helm.md#install-the-helm-chart-from-source" >}}) documentation has a section describing how to use sources: these are the unique steps for Docker secrets using JWT tokens. 1. Clone the NGINX [`kubernetes-ingress` repository](https://github.com/nginx/kubernetes-ingress). 1. Navigate to the `charts/nginx-ingress` folder of your local clone. @@ -134,7 +137,7 @@ If the namespace does not exist, `--create-namespace` will create it. Using `-f ## Manifest deployment -The page ["Installation with Manifests"]({{< ref "/nic/installation/installing-nic/installation-with-manifests.md" >}}) explains how to install NGINX Ingress Controller using manifests. The following snippet is an example of a deployment: +The page ["Installation with Manifests"]({{< ref "/nic/install/manifests.md" >}}) explains how to install NGINX Ingress Controller using manifests. The following snippet is an example of a deployment: ```yaml spec: diff --git a/content/nic/installation/nic-images/registry-download.md b/content/nic/install/images/registry-download.md similarity index 97% rename from content/nic/installation/nic-images/registry-download.md rename to content/nic/install/images/registry-download.md index 6c63e8d1d..aa11fc887 100644 --- a/content/nic/installation/nic-images/registry-download.md +++ b/content/nic/install/images/registry-download.md @@ -19,8 +19,8 @@ To follow these steps, you will need the following pre-requisites: You can also get the NGINX Ingress Controller image using the following alternate methods: -- [Add an NGINX Ingress Controller image to your cluster]({{< ref "/nic/installation/nic-images/add-image-to-cluster.md" >}}) -- [Build NGINX Ingress Controller]({{< ref "/nic/installation/build-nginx-ingress-controller.md" >}}) +- [Add an NGINX Ingress Controller image to your cluster]({{< ref "/nic/install/images/add-image-to-cluster.md" >}}) +- [Build NGINX Ingress Controller]({{< ref "/nic/install/build.md" >}}) - For NGINX Open Source, you can pull [an image from DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/) ### Download your subscription credential files @@ -84,6 +84,7 @@ The `jq` command was used in these examples to make the JSON output easier to re ```shell curl https://private-registry.nginx.com/v2/nginx-ic/nginx-plus-ingress/tags/list --key --cert ``` + ```json { "name": "nginx-ic/nginx-plus-ingress", @@ -99,6 +100,7 @@ curl https://private-registry.nginx.com/v2/nginx-ic/nginx-plus-ingress/tags/list ```shell curl https://private-registry.nginx.com/v2/nginx-ic-nap/nginx-plus-ingress/tags/list --key --cert ``` + ```json { "name": "nginx-ic-nap/nginx-plus-ingress", @@ -113,6 +115,7 @@ curl https://private-registry.nginx.com/v2/nginx-ic-nap/nginx-plus-ingress/tags/ ```shell curl https://private-registry.nginx.com/v2/nginx-ic-dos/nginx-plus-ingress/tags/list --key --cert ``` + ```json { "name": "nginx-ic-dos/nginx-plus-ingress", diff --git a/content/nic/installation/nic-images/use-aws-image.md b/content/nic/install/images/use-aws-image.md similarity index 99% rename from content/nic/installation/nic-images/use-aws-image.md rename to content/nic/install/images/use-aws-image.md index 291a988ba..4cf516be7 100644 --- a/content/nic/installation/nic-images/use-aws-image.md +++ b/content/nic/install/images/use-aws-image.md @@ -29,6 +29,7 @@ Follow this guide to set up NGINX Ingress Controller using AWS Marketplace. This {{< call-out "important" >}}Associating your AWS EKS cluster with an OIDC provider is a prerequisite for creating your IAM service account.{{< /call-out >}} ## Use eksctl + {{< call-out "note" >}}Make sure you have an operational EKS cluster and that the namespace for your NGINX Ingress Controller is set up. If you don't have an EKS cluster yet, you'll need to create one.{{< /call-out >}} {{}} @@ -105,10 +106,9 @@ Follow this guide to set up NGINX Ingress Controller using AWS Marketplace. This This step creates the IAM role with the required policy, which we will later refer to in the helm values. For additional details, consult the [AWS documentation](https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html). -
- Ensure the service account name matches the one in your _values.yaml_ file for helm deployment. Ensure the EKS `role-arn` matches the service account annotation in your _values.yaml_ file for helm deployment. You can use this command to retrieve the `role-arn` + ``` shell aws iam list-roles | jq -r --arg role "my-cluster-sa" '.Roles[] | select(.RoleName==$role) | .Arn' ``` diff --git a/content/nic/installation/nic-images/use-gcp-image.md b/content/nic/install/images/use-gcp-image.md similarity index 100% rename from content/nic/installation/nic-images/use-gcp-image.md rename to content/nic/install/images/use-gcp-image.md diff --git a/content/nic/installation/create-license-secret.md b/content/nic/install/license-secret.md similarity index 95% rename from content/nic/installation/create-license-secret.md rename to content/nic/install/license-secret.md index abb72c50b..85bb5c5ee 100644 --- a/content/nic/installation/create-license-secret.md +++ b/content/nic/install/license-secret.md @@ -1,7 +1,7 @@ --- title: Create a license Secret toc: true -weight: 300 +weight: 200 nd-content-type: how-to nd-product: NIC nd-docs: DOCS-1860 @@ -51,7 +51,7 @@ If using a name other than the default `license-token`, provide the name of this Specify the Secret name using the `controller.mgmt.licenseTokenSecretName` Helm value. -For detailed guidance on creating the Management block with Helm, refer to the [Helm configuration documentation]({{< ref "/nic/installation/installing-nic/installation-with-helm/#configuration" >}}). +For detailed guidance on creating the Management block with Helm, refer to the [Helm configuration documentation]({{< ref "/nic/install/helm.md#configuration" >}}). {{% /tab %}} @@ -65,7 +65,7 @@ For detailed guidance on creating the Management ConfigMap, refer to the [Manage {{}} -If you are reporting to the default licensing endpoint, then you can now proceed with [installing NGINX Ingress Controller]({{< ref "nic/installation/installing-nic/" >}}). Otherwise, follow the steps below to configure reporting to NGINX Instance Manager +If you are reporting to the default licensing endpoint, then you can now proceed with [installing NGINX Ingress Controller]({{< ref "/nic/install/" >}}). Otherwise, follow the steps below to configure reporting to NGINX Instance Manager ### Create report for NGINX Instance Manager {#nim} @@ -130,7 +130,7 @@ Specify the SSL trusted certificate Secret name in the `ssl-trusted-certificate- {{}} -Once these Secrets are created and configured, you can now [install NGINX Ingress Controller ]({{< ref "/nic/installation/installing-nic/" >}}). +Once these Secrets are created and configured, you can now [install NGINX Ingress Controller ]({{< ref "/nic/install/" >}}). ## What’s reported and how it’s protected {#telemetry} diff --git a/content/nic/installation/installing-nic/installation-with-manifests.md b/content/nic/install/manifests.md similarity index 85% rename from content/nic/installation/installing-nic/installation-with-manifests.md rename to content/nic/install/manifests.md index a7c24c4f7..a0773cba3 100644 --- a/content/nic/installation/installing-nic/installation-with-manifests.md +++ b/content/nic/install/manifests.md @@ -1,5 +1,5 @@ --- -title: Installation with Manifests +title: Install NGINX Ingress Controller with Manifests toc: true weight: 200 nd-content-type: how-to @@ -11,19 +11,19 @@ This guide explains how to use Manifests to install F5 NGINX Ingress Controller, ## Before you begin -If you are using NGINX Plus, get the NGINX Ingress Controller JWT and [create a license secret]({{< ref "/nic/installation/create-license-secret.md" >}}). +If you are using NGINX Plus, get the NGINX Ingress Controller JWT and [create a license secret]({{< ref "/nic/install/license-secret.md" >}}). ### Get the NGINX Controller Image -{{< call-out "note" >}} Always use the latest stable release listed on the [releases page]({{< ref "/nic/releases.md" >}}). {{< /call-out >}} +{{< call-out "note" >}} We recommend the most recent stable version of NGINX Ingress Controller, available on the GitHub repository's [releases page](https://github.com/nginx/kubernetes-ingress/releases). {{< /call-out >}} Choose one of the following methods to get the NGINX Ingress Controller image: - **NGINX Ingress Controller**: Download the image `nginx/nginx-ingress` from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress). - **NGINX Plus Ingress Controller**: You have two options for this, both requiring an NGINX Ingress Controller subscription. -- - [Download NGINX Ingress Controller from the F5 Registry]({{< ref "/nic/installation/nic-images/registry-download.md" >}}) topic. -- - [Add an NGINX Ingress Controller image to your cluster]({{< ref "/nic/installation/nic-images/add-image-to-cluster.md" >}}) -- **Build your own image**: To build your own image, follow the [Build NGINX Ingress Controller]({{< ref "/nic/installation/build-nginx-ingress-controller.md" >}}) topic. +- - [Download NGINX Ingress Controller from the F5 Registry]({{< ref "/nic/install/images/registry-download.md" >}}) topic. +- - [Add an NGINX Ingress Controller image to your cluster]({{< ref "/nic/install/images/add-image-to-cluster.md" >}}) +- **Build your own image**: To build your own image, follow the [Build NGINX Ingress Controller]({{< ref "/nic/install/build.md" >}}) topic. ### Clone the repository @@ -51,20 +51,14 @@ cd kubernetes-ingress To use App Protect DoS, install the App Protect DoS Arbitrator using the provided manifests in the same namespace as the NGINX Ingress Controller. If you install multiple NGINX Ingress Controllers in the same namespace, they will need to share the same Arbitrator because there can only be one Arbitrator in a single namespace. ---- - ## Set up role-based access control (RBAC) {#configure-rbac} {{< include "/nic/rbac/set-up-rbac.md" >}} ---- - ## Create common resources {#create-common-resources} {{< include "/nic/installation/create-common-resources.md" >}} ---- - ## Create core custom resources {#create-custom-resources} {{< include "/nic/installation/create-custom-resources.md" >}} @@ -73,12 +67,14 @@ To use App Protect DoS, install the App Protect DoS Arbitrator using the provide There are optional CRDs that are necessary if you want to use F5 WAF for NGINX or F5 DoS for NGINX. -**F5 WAF for NGINX**: +_F5 WAF for NGINX_: + - `APPolicy` - `APLogConf` - `APUserSig` -**F5 DoS for NGINX**: +_F5 DoS for NGINX_: + - `APDosPolicy` - `APDosLogConf` - `DosProtectedResource` @@ -87,8 +83,7 @@ There are optional CRDs that are necessary if you want to use F5 WAF for NGINX o {{%tab name="Install CRDs from single YAML"%}} - -**F5 WAF for NGINX** +_F5 WAF for NGINX_: {{< call-out "note" >}} This step can be skipped if you are using F5 WAF for NGINX module with policy bundles. {{< /call-out >}} @@ -96,7 +91,7 @@ There are optional CRDs that are necessary if you want to use F5 WAF for NGINX o kubectl apply -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v{{< nic-version >}}/deploy/crds-nap-waf.yaml ``` -**F5 DoS for NGINX**: +_F5 DoS for NGINX_: ```shell kubectl apply -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v{{< nic-version >}}/deploy/crds-nap-dos.yaml @@ -106,7 +101,7 @@ kubectl apply -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v{{< {{%tab name="Install CRDs after cloning the repo"%}} -**F5 WAF for NGINX** +_F5 WAF for NGINX_: {{< call-out "note" >}} This step can be skipped if you are using F5 WAF for NGINX module with policy bundles. {{< /call-out >}} @@ -116,7 +111,7 @@ kubectl apply -f config/crd/bases/appprotect.f5.com_appolicies.yaml kubectl apply -f config/crd/bases/appprotect.f5.com_apusersigs.yaml ``` -**F5 DoS for NGINX**: +_F5 DoS for NGINX_: ```shell kubectl apply -f config/crd/bases/appprotectdos.f5.com_apdoslogconfs.yaml @@ -128,8 +123,6 @@ kubectl apply -f config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yam {{}} ---- - ## Deploy NGINX Ingress Controller {#deploy-ingress-controller} You have three options for deploying NGINX Ingress Controller: @@ -152,14 +145,10 @@ Before you start, update the [command-line arguments]({{< ref "/nic/configuratio {{< include "/nic/installation/manifests/statefulset.md" >}} ---- - ## Confirm NGINX Ingress Controller is running {{< include "/nic/installation/manifests/verify-pods-are-running.md" >}} ---- - ## How to access NGINX Ingress Controller ### Using a Deployment or StatefulSet @@ -242,8 +231,6 @@ For more information about the _LoadBalancer_ service, refer to the [Kubernetes Connect to ports 80 and 443 using the IP address of any node in the cluster where NGINX Ingress Controller is running. ---- - ## Uninstall NGINX Ingress Controller {{< call-out "warning" >}}Proceed with caution when performing these steps, as they will remove NGINX Ingress Controller and all related resources, potentially affecting your running services.{{< /call-out >}} @@ -265,37 +252,44 @@ Connect to ports 80 and 443 using the IP address of any node in the cluster wher {{}} -{{%tab name="Deleting CRDs from single YAML"%}} +{{% tab name="Deleting CRDs from single YAML" %}} - 1. Delete core custom resource definitions: - ```shell - kubectl delete -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v{{< nic-version >}}/deploy/crds.yaml - ``` - 2. Delete custom resource definitions for the F5 WAF for NGINX module: +Delete core custom resource definitions: - ```shell - kubectl apply -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v{{< nic-version >}}/deploy/crds-nap-waf.yaml - ``` +```shell +kubectl delete -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v{{< nic-version >}}/deploy/crds.yaml +``` - 3. Delete custom resource definitions for the F5 DoS for NGINX module: - ```shell - kubectl apply -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v{{< nic-version >}}/deploy/crds-nap-dos.yaml - ``` - {{%/tab%}} +Delete custom resource definitions for the F5 WAF for NGINX module: + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v{{< nic-version >}}/deploy/crds-nap-waf.yaml +``` + +Delete custom resource definitions for the F5 DoS for NGINX module: + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v{{< nic-version >}}/deploy/crds-nap-dos.yaml +``` + +{{% /tab %}} {{%tab name="Deleting CRDs after cloning the repo"%}} -1. Delete core custom resource definitions: +Delete core custom resource definitions: + ```shell kubectl delete -f config/crd/bases/crds.yaml ``` -2. Delete custom resource definitions for the F5 WAF for NGINX module: + +Delete custom resource definitions for the F5 WAF for NGINX module: ```shell kubectl apply -f config/crd/bases/crds-nap-waf.yaml ``` -3. Delete custom resource definitions for the F5 DoS for NGINX module: +Delete custom resource definitions for the F5 DoS for NGINX module: + ```shell kubectl apply -f config/crd/bases/crds-nap-dos.yaml ``` diff --git a/content/nic/installation/ingress-nginx.md b/content/nic/install/migrate-ingress-nginx.md similarity index 90% rename from content/nic/installation/ingress-nginx.md rename to content/nic/install/migrate-ingress-nginx.md index eef53a97d..f939c7244 100644 --- a/content/nic/installation/ingress-nginx.md +++ b/content/nic/install/migrate-ingress-nginx.md @@ -1,7 +1,7 @@ --- title: Migrate from Ingress-NGINX Controller to NGINX Ingress Controller toc: true -weight: 700 +weight: 1000 nd-content-type: how-to nd-product: NIC nd-docs: DOCS-1469 @@ -11,7 +11,7 @@ This document describes how to migrate from the community-maintained Ingress-NGI ## Overview -This page explains two different ways to migrate from the community-maintained [Ingress-NGINX Controller](https://github.com/kubernetes/ingress-nginx) project to NGINX Ingress Controller: using NGINX's Ingress Resources or with Kubernetes's built-in Ingress Resources. This is typically because of implementation differences, and to take advantage of features such as [NGINX Plus integration]({{}}). +This page explains two different ways to migrate from the community-maintained [Ingress-NGINX Controller](https://github.com/kubernetes/ingress-nginx) project to NGINX Ingress Controller: using NGINX's Ingress Resources or with Kubernetes's built-in Ingress Resources. This is typically because of implementation differences, and to take advantage of features such as [NGINX Plus integration]({{< ref "/nic/overview/nginx-plus" >}}). The information in this guide is extracted from a free eBook called "_Kubernetes Ingress Controller Deployment and Security with NGINX_", which can be downloaded from the [NGINX Library](https://www.nginx.com/resources/library/kubernetes-ingress-controller-deployment-security-nginx/). @@ -19,8 +19,8 @@ The information in this guide is extracted from a free eBook called "_Kubernetes To complete the instructions in this guide, you need the following: -- A working knowledge of [Ingress Controllers]({{}}). -- An [NGINX Ingress Controller installation]({{}}) on the same host as an existing Ingress-NGINX Controller. +- A working knowledge of [Ingress Controllers]({{< ref "/nic/glossary.md#ingress-controller-ingress-controller" >}}). +- An [NGINX Ingress Controller installation]({{< ref "/nic/install/" >}}) on the same host as an existing Ingress-NGINX Controller. There are two primary paths for migrating between the community Ingress-NGINX Controller to NGINX Ingress Controller: @@ -28,17 +28,20 @@ There are two primary paths for migrating between the community Ingress-NGINX Co - Using Kubernetes Ingress Resources. ## Migration with NGINX Ingress resources + This path uses Kubernetes Ingress Resources to set root permissions, then NGINX Ingress Resources for configuration using custom resource definitions (CRDs): -* [VirtualServer and VirtualServerRoute]({{}}) -* [TransportServer]({{}}) -* [GlobalConfiguration]({{}}) -* [Policy]({{}}) +* [VirtualServer and VirtualServerRoute]({{< ref "/nic/configuration/virtualserver-and-virtualserverroute-resources" >}}) +* [TransportServer]({{< ref "/nic/configuration/transportserver-resource" >}}) +* [GlobalConfiguration]({{< ref "/nic/configuration/global-configuration/globalconfiguration-resource" >}}) +* [Policy]({{< ref "/nic/configuration/policy-resource" >}}) ### Configuring SSL termination and HTTP path-based routing -The following two code examples correspond to a Kubernetes Ingress Resource and an [NGINX VirtualServer Resource]({{}}). Although the syntax and indentation is different, they accomplish the same basic Ingress functions, used for SSL termination and Layer 7 path-based routing. -**Kubernetes Ingress Resource** +The following two code examples correspond to a Kubernetes Ingress Resource and an [NGINX VirtualServer Resource]({{< ref "/nic/configuration/virtualserver-and-virtualserverroute-resources" >}}). Although the syntax and indentation is different, they accomplish the same basic Ingress functions, used for SSL termination and Layer 7 path-based routing. + +Kubernetes Ingress Resource: + ```yaml apiVersion: networking.k8s.io/v1 kind: Ingress @@ -62,7 +65,8 @@ spec: servicePort: 80 ``` -**NGINX VirtualServer Resource** +NGINX VirtualServer Resource: + ```yaml apiVersion: networking.k8s.io/v1 kind: VirtualServer @@ -89,18 +93,17 @@ spec: ``` ### Configuring TCP/UDP load balancing and TLS passthrough -NGINX Ingress Controller exposes TCP and UDP services using [TransportServer]({{}}) and [GlobalConfiguration]({{}}) resources. These resources provide a broad range of options for TCP/UDP and TLS Passthrough load balancing. By contrast, the community Ingress-NGINX Controller exposes TCP/UDP services by using a Kubernetes ConfigMap object. ---- +NGINX Ingress Controller exposes TCP and UDP services using [TransportServer]({{< ref "/nic/configuration/transportserver-resource" >}}) and [GlobalConfiguration]({{< ref "/nic/configuration/global-configuration/globalconfiguration-resource" >}}) resources. These resources provide a broad range of options for TCP/UDP and TLS Passthrough load balancing. By contrast, the community Ingress-NGINX Controller exposes TCP/UDP services by using a Kubernetes ConfigMap object. ### Convert Ingress-NGINX Controller annotations to NGINX Ingress resources + Kubernetes deployments often need to extend basic Ingress rules for advanced use cases such as canary and blue-green deployments, traffic throttling, and ingress-egress traffic manipulation. The community Ingress-NGINX Controller implements many of these using Kubernetes annotations with custom Lua extensions. These custom Lua extensions are intended for specific NGINX Ingress resource definitions and may not be as granular as required for advanced use cases. The following examples show how to convert these annotations into NGINX Ingress Controller Resources. ---- - #### Canary deployments + Canary and blue-green deployments allow you to push code changes to production environments without disrupting existing users. NGINX Ingress Controller runs them on the data plane: to migrate from the community Ingress-NGINX Controller, you must map the latter's annotations to [VirtualServer and VirtualServerRoute resources]({{}}). The Ingress-NGINX Controller evaluates canary annotations in the following order: @@ -111,13 +114,15 @@ The Ingress-NGINX Controller evaluates canary annotations in the following order For NGINX Ingress Controller to evalute them the same way, they must appear in the same order in the VirtualServer or VirtualServerRoute Manifest. -**Ingress-NGINX Controller** +Ingress-NGINX Controller: + ```yaml nginx.ingress.kubernetes.io/canary: "true" nginx.ingress.kubernetes.io/canary-by-header: "httpHeader" ``` -**NGINX Ingress Controller** +NGINX Ingress Controller: + ```yaml matches: - conditions: @@ -133,16 +138,16 @@ action: pass: echo ``` ---- +Ingress-NGINX Controller: -**Ingress-NGINX Controller** ```yaml nginx.ingress.kubernetes.io/canary: "true" nginx.ingress.kubernetes.io/canary-by-header: "httpHeader" nginx.ingress.kubernetes.io/canary-by-header-value: "my-value" ``` -**NGINX Ingress Controller** +NGINX Ingress Controller: + ```yaml matches: - conditions: @@ -154,15 +159,15 @@ action: pass: echo ``` ---- +Ingress-NGINX Controller: -**Ingress-NGINX Controller** ```yaml nginx.ingress.kubernetes.io/canary: "true" nginx.ingress.kubernetes.io/canary-by-cookie: "cookieName" ``` -**NGINX Ingress Controller** +NGINX Ingress Controller: + ```yaml matches: - conditions: @@ -178,21 +183,22 @@ action: pass: echo ``` ---- - #### Traffic control + Environments using microservices tend to use extensive traffic-control policies to manage ephemeral applications using circuit breaking and rate and connection limiting to prevent error conditions due to unhealthy states or abnormal behavior. The following examples map Ingress-NGINX Controller annotations to NGINX [VirtualServer and VirtualServerRoute resources]({{}}) for rate limiting, custom HTTP errors, custom default backend and URI rewriting. -**Ingress-NGINX Controller** +Ingress-NGINX Controller: + ```yaml nginx.ingress.kubernetes.io/custom-http-errors: "code" nginx.ingress.kubernetes.io/default-backend: "default-svc" ``` -**NGINX Ingress Controller** +NGINX Ingress Controller: + ```yaml errorPages: - codes: [code] @@ -201,14 +207,14 @@ errorPages: url: default-svc ``` ---- +Ingress-NGINX Controller: -**Ingress-NGINX Controller** ```yaml nginx.ingress.kubernetes.io/limit-connections: "number" ``` -**NGINX Ingress Controller** +NGINX Ingress Controller: + ```yaml http-snippets: | limit_conn_zone $binary_remote_addr zone=zone_name:size; @@ -218,15 +224,15 @@ routes: limit_conn zone_name number; ``` ---- +Ingress-NGINX Controller: -**Ingress-NGINX Controller** ```yaml nginx.ingress.kubernetes.io/limit-rate: "number" nginx.ingress.kubernetes.io/limit-rate-after: "number" ``` -**NGINX Ingress Controller** +NGINX Ingress Controller: + ```yaml location-snippets: | limit_rate number; @@ -234,15 +240,15 @@ location-snippets: | limit_rate_after number; ``` ---- +Ingress-NGINX Controller: -**Ingress-NGINX Controller** ```yaml nginx.ingress.kubernetes.io/limit-rpm: "number" nginx.ingress.kubernetes.io/limit-burst-multiplier: "multiplier" ``` -**NGINX Ingress Controller** +NGINX Ingress Controller: + ```yaml rateLimit: rate: number/m @@ -252,15 +258,15 @@ rateLimit: zoneSize: size ``` ---- +Ingress-NGINX Controller: -**Ingress-NGINX Controller** ```yaml nginx.ingress.kubernetes.io/limit-rps: "number" nginx.ingress.kubernetes.io/limit-burst-multiplier: "multiplier" ``` -**NGINX Ingress Controller** +NGINX Ingress Controller: + ```yaml rateLimit: rate: number/s @@ -270,27 +276,27 @@ rateLimit: zoneSize: size ``` ---- +Ingress-NGINX Controller: -**Ingress-NGINX Controller** ```yaml nginx.ingress.kubernetes.io/limit-whitelist: "CIDR" ``` -**NGINX Ingress Controller** +NGINX Ingress Controller: + ```yaml http-snippets: | server-snippets: | ``` ---- +Ingress-NGINX Controller: -**Ingress-NGINX Controller** ```yaml nginx.ingress.kubernetes.io/rewrite-target: "URI" ``` -**NGINX Ingress Controller** +NGINX Ingress Controller: + ```yaml rewritePath: "URI" ``` @@ -302,14 +308,14 @@ There are four Ingress-NGINX Controller annotations without NGINX Ingress resour - _nginx.ingress.kubernetes.io/limit-rate-after_ - _nginx.ingress.kubernetes.io/limit-whitelist_ ---- - #### Header manipulation + Manipulating HTTP headers is useful in many cases, as they contain information that is important and relevant to systems involved in HTTP transactions. The community Ingress-NGINX Controller supports enabling and configuring cross-origin resource sharing (CORS) headings used by AJAX applications, where front-end Javascript code interacts with backend applications or web servers. These code blocks show how the Ingress-NGINX annotations correspond to NGINX Ingress Controller [VirtualServer and VirtualServerRoute resources]({{}}). -**Ingress-NGINX Controller** +Ingress-NGINX Controller: + ```yaml nginx.ingress.kubernetes.io/enable-cors: "true" nginx.ingress.kubernetes.io/cors-allow-credentials: "true" @@ -323,7 +329,8 @@ nginx.ingress.kubernetes.io/cors-allow-origin: "*" nginx.ingress.kubernetes.io/cors-max-age: "seconds" ``` -**NGINX Ingress Controller** +NGINX Ingress Controller: + ```yaml responseHeaders: add: @@ -339,9 +346,8 @@ responseHeaders: value: "seconds" ``` ---- - #### Proxying and load balancing + NGINX Ingress Controller has multiple proxy and load balancing functionalities you may want to configure based on the use case, such as configuring the load balancing algorithm and the timeout and buffering settings for proxied connections. This table shows how Ingress-NGINX Controller annotations map to statements in the upstream field for [VirtualServer and VirtualServerRoute resources]({{}}), covering load balancing, proxy timeout, proxy buffering and connection routing for a services' ClusterIP address and port. @@ -363,16 +369,18 @@ This table shows how Ingress-NGINX Controller annotations map to statements in t mTLS authentication is a way of enforcing mutual authentication on traffic entering and exiting a cluster (north-sourth traffic). This secure form of communication is common within a service mesh, commonly used in strict zero-trust environments. -NGINX Ingress Controller layer can handle mTLS authentication for end systems through the presentation of valid certificates for external connections. It accomplishes this through [Policy]({{}}) resources, which correspond to Ingress-NGINX Controller annotations for [client certificate authentication](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#client-certificate-authentication) and [backend certificate authentication](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#backend-certificate-authentication). +NGINX Ingress Controller layer can handle mTLS authentication for end systems through the presentation of valid certificates for external connections. It accomplishes this through [Policy]({{< ref "/nic/configuration/policy-resource" >}}) resources, which correspond to Ingress-NGINX Controller annotations for [client certificate authentication](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#client-certificate-authentication) and [backend certificate authentication](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#backend-certificate-authentication). + +Ingress-NGINX Controller: -**Ingress-NGINX Controller** ```yaml nginx.ingress.kubernetes.io/auth-tls-secret: secretName nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1" ``` -**NGINX Ingress Controller** +NGINX Ingress Controller: + ```yaml ingressMTLS: clientCertSecret: secretName @@ -381,9 +389,8 @@ ingressMTLS: verifyDepth: 1 ``` ---- +Ingress-NGINX Controller: -**Ingress-NGINX Controller** ```yaml nginx.ingress.kubernetes.io/proxy-ssl-secret: "secretName" nginx.ingress.kubernetes.io/proxy-ssl-verify: "on|off" @@ -394,7 +401,8 @@ nginx.ingress.kubernetes.io/proxy-ssl-name: "server-name" nginx.ingress.kubernetes.io/proxy-ssl-server-name: "on|off" ``` -**NGINX Ingress Controller** +NGINX Ingress Controller: + ```yaml egressMTLS: tlsSecret: secretName @@ -412,12 +420,12 @@ egressMTLS: serverName: true|false ``` ---- - #### Session persistence with NGINX Plus -With [NGINX Plus]({{}}), you can use [Policy]({{}}) resources for session persistence, which have corresponding annotations for the community Ingress-NGINX Controller. -**Ingress-NGINX Controller** +With [NGINX Plus]({{< ref "/nic/overview/nginx-plus" >}}), you can use [Policy]({{< ref "/nic/configuration/policy-resource" >}}) resources for session persistence, which have corresponding annotations for the community Ingress-NGINX Controller. + +Ingress-NGINX Controller: + ```yaml nginx.ingress.kubernetes.io/affinity: "cookie" nginx.ingress.kubernetes.io/session-cookie-name: "cookieName" @@ -426,7 +434,8 @@ nginx.ingress.kubernetes.io/session-cookie-path: "/route" nginx.ingress.kubernetes.io/session-cookie-secure: "true" ``` -**NGINX Ingress Controller** +NGINX Ingress Controller: + ```yaml sessionCookie: enable: true @@ -441,6 +450,7 @@ sessionCookie: ``` ## Migration with Kubernetes Ingress resources + The other option for migrating from the community Ingress-NGINX Controller to NGINX Ingress Controller is using only [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) and [ConfigMaps](https://kubernetes.io/docs/concepts/configuration/configmap/) from standard Kubernetes resources, potentially relying on [mergeable Ingress types](https://github.com/nginx/kubernetes-ingress/tree/main/examples/ingress-resources/mergeable-ingress-types). This ensures that all configuration is kept in the Ingress object. @@ -450,6 +460,7 @@ You should avoid altering the `spec` field of the Ingress resource when taking t {{< /call-out >}} ### Advanced configuration with annotations + This table maps the Ingress-NGINX Controller annotations to NGINX Ingress Controller's equivalent annotations, and the respective NGINX Directive. | Ingress-NGINX Controller | NGINX Ingress Controller | NGINX Directive | @@ -472,7 +483,8 @@ This table maps the Ingress-NGINX Controller annotations to NGINX Ingress Contro The following two snippets outline Ingress-NGINX Controller annotations that correspond to annotations for NGINX Ingress Controller with NGINX Plus. -**Ingress-NGINX Controller** +Ingress-NGINX Controller: + ```yaml nginx.ingress.kubernetes.io/affinity: "cookie" nginx.ingress.kubernetes.io/session-cookie-name: "cookie_name" @@ -480,7 +492,8 @@ nginx.ingress.kubernetes.io/session-cookie-expires: "seconds" nginx.ingress.kubernetes.io/session-cookie-path: "/route" ``` -**NGINX Ingress Controller (with NGINX Plus)** +NGINX Ingress Controller (with NGINX Plus): + ```yaml nginx.com/sticky-cookie-services: "serviceName=example-svc cookie_name expires=time path=/route" ``` diff --git a/content/nic/installation/run-multiple-ingress-controllers.md b/content/nic/install/multiple-controllers.md similarity index 85% rename from content/nic/installation/run-multiple-ingress-controllers.md rename to content/nic/install/multiple-controllers.md index 676332fb4..568916d55 100644 --- a/content/nic/installation/run-multiple-ingress-controllers.md +++ b/content/nic/install/multiple-controllers.md @@ -1,7 +1,7 @@ --- title: Run multiple NGINX Ingress Controllers toc: true -weight: 600 +weight: 800 nd-content-type: how-to nd-product: NIC nd-docs: DOCS-606 @@ -30,8 +30,13 @@ The IngressClass has the following characteristics: The default Ingress class of NGINX Ingress Controller is `nginx`, which means that it only handles configuration resources with the Ingress class set to `nginx`. You can customize the class through the `-ingress-class` command-line argument. -{{< call-out "note" >}}- If the class of an Ingress resource is not set, Kubernetes will set it to the class of the default Ingress Controller. To make the Ingress Controller the default one, the `ingressclass.kubernetes.io/is-default-class` property must be set on the IngressClass resource. To learn more, see Step 3 *Create an IngressClass resource* of the [Create Common Resources]({{< ref "/nic/installation/installing-nic/installation-with-manifests.md#create-common-resources" >}}) section. -- For VirtualServer, VirtualServerRoute, Policy and TransportServer resources, NGINX Ingress Controller will always handle resources with an empty class.{{< /call-out >}} +{{< call-out "note" >}} + +If the class of an Ingress resource is not set, Kubernetes will set it to the class of the default Ingress Controller. To make the Ingress Controller the default one, the `ingressclass.kubernetes.io/is-default-class` property must be set on the IngressClass resource. To learn more, see Step 3 *Create an IngressClass resource* of the [Create Common Resources]({{< ref "/nic/install/manifests.md#create-common-resources" >}}) section. + +For VirtualServer, VirtualServerRoute, Policy and TransportServer resources, NGINX Ingress Controller will always handle resources with an empty class. + +{{< /call-out >}} ## Run NGINX Ingress Controller and another Ingress Controller @@ -51,4 +56,4 @@ These options allow you to run multiple NGINX Ingress Controllers, each handling {{< call-out "note" >}}[Command-line arguments]({{< ref "/nic/configuration/global-configuration/command-line-arguments" >}}){{< /call-out>}} -{{< call-out "note" >}}All the mentioned command-line arguments are also available as parameters in the [Helm chart]({{< ref "/nic/installation/installing-nic/installation-with-helm" >}}).{{< /call-out >}} +{{< call-out "note" >}}All the mentioned command-line arguments are also available as parameters in the [Helm chart]({{< ref "/nic/install/helm" >}}).{{< /call-out >}} diff --git a/content/nic/installation/installing-nic/installation-with-operator.md b/content/nic/install/operator.md similarity index 64% rename from content/nic/installation/installing-nic/installation-with-operator.md rename to content/nic/install/operator.md index e6100ab33..95e5ed1f7 100644 --- a/content/nic/installation/installing-nic/installation-with-operator.md +++ b/content/nic/install/operator.md @@ -1,9 +1,9 @@ --- -title: Installation with NGINX Ingress Operator +title: Install NGINX Ingress Controller with NGINX Ingress Operator toc: true -weight: 300 -type: how-to -product: NIC +weight: 500 +nd-content-type: how-to +nd-product: NIC nd-docs: DOCS-604 --- @@ -11,17 +11,20 @@ This document explains how to install F5 NGINX Ingress Controller using NGINX In ## Before you begin -If you're using NGINX Plus, get the NGINX Ingress Controller JWT and [create a license secret]({{< ref "/nic/installation/create-license-secret.md" >}}). +If you're using NGINX Plus, get the NGINX Ingress Controller JWT and [create a license secret]({{< ref "/nic/install/license-secret.md" >}}). -{{< call-out "note" >}} We recommend the most recent stable version of NGINX Ingress Controller, available on the GitHub repository's [releases page]({{< ref "/nic/releases.md" >}}). {{< /call-out >}} +{{< call-out "note" >}} We recommend the most recent stable version of NGINX Ingress Controller, available on the GitHub repository's [releases page](https://github.com/nginx/kubernetes-ingress/releases). {{< /call-out >}} -1. Make sure you have access to the NGINX Ingress Controller image: -- - For NGINX Ingress Controller, use the image `nginx/nginx-ingress` from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress). -- - For NGINX Plus Ingress Controller, view the [Download NGINX Ingress Controller from the F5 Registry]({{< ref "/nic/installation/nic-images/registry-download" >}}) topic for details on how to pull the image from the F5 Docker registry. -- - The [Add an NGINX Ingress Controller image to your cluster]({{< ref "/nic/installation/nic-images/add-image-to-cluster.md" >}}) topic describes how to use your subscription JWT token to get the image. -- - The [Build NGINX Ingress Controller]({{< ref "/nic/installation/build-nginx-ingress-controller.md" >}}) topic explains how to push an image to a private Docker registry. -1. Install the NGINX Ingress Operator following the [instructions](https://github.com/nginx/nginx-ingress-helm-operator/blob/main/docs/installation.md). -1. Create the SecurityContextConstraint as outlined in the ["Getting Started" instructions](https://github.com/nginx/nginx-ingress-helm-operator/blob/main/README.md#getting-started). + Make sure you have access to the NGINX Ingress Controller image: + +- For NGINX Ingress Controller, use the image `nginx/nginx-ingress` from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress). +- For NGINX Plus Ingress Controller, view the [Download NGINX Ingress Controller from the F5 Registry]({{< ref "/nic/install/images/registry-download" >}}) topic for details on how to pull the image from the F5 Docker registry. +- The [Add an NGINX Ingress Controller image to your cluster]({{< ref "/nic/install/images/add-image-to-cluster.md" >}}) topic describes how to use your subscription JWT token to get the image. + - The [Build NGINX Ingress Controller]({{< ref "/nic/install/build.md" >}}) topic explains how to push an image to a private Docker registry. + +Install the NGINX Ingress Operator following the [instructions](https://github.com/nginx/nginx-ingress-helm-operator/blob/main/docs/installation.md). + +Create the SecurityContextConstraint as outlined in the ["Getting Started" instructions](https://github.com/nginx/nginx-ingress-helm-operator/blob/main/README.md#getting-started). {{< call-out "note" >}} If you're upgrading your operator installation to a later release, navigate [here](https://github.com/nginx/nginx-ingress-helm-operator/blob/main/helm-charts/nginx-ingress) and run `kubectl apply -f crds/` or `oc apply -f crds/` as a prerequisite {{< /call-out >}} diff --git a/content/nic/installation/upgrade-version.md b/content/nic/install/upgrade.md similarity index 95% rename from content/nic/installation/upgrade-version.md rename to content/nic/install/upgrade.md index bacb9fe72..3cfde6acd 100644 --- a/content/nic/installation/upgrade-version.md +++ b/content/nic/install/upgrade.md @@ -2,7 +2,7 @@ # We use sentence case and present imperative tone title: "Upgrade NGINX Ingress Controller" # Weights are assigned in increments of 100: determines sorting order -weight: 500 +weight: 900 # Creates a table of contents and sidebar, useful for large documents toc: true # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this @@ -22,7 +22,7 @@ Many of the nuances in upgrade paths relate to how custom resource definitions ( ### Upgrade NGINX Ingress Controller CRDs -{{< call-out "note" >}} If you are running NGINX Ingress Controller v3.x, you should read [Upgrade from NGINX Ingress Controller v3.x to v4.0.0]({{< ref "/nic/installation/upgrade-version.md#upgrade-from-3x-to-4x" >}}) before continuing. {{< /call-out >}} +{{< call-out "note" >}} If you are running NGINX Ingress Controller v3.x, you should read [Upgrade from NGINX Ingress Controller v3.x to v4.0.0]({{< ref "/nic/install/upgrade.md#upgrade-from-3x-to-4x" >}}) before continuing. {{< /call-out >}} To upgrade the CRDs, pull the Helm chart source, then use _kubectl apply_: @@ -87,7 +87,7 @@ There are two necessary steps required - Update the `apiVersion` value of custom resources - Configure structured logging. -If you want to use NGINX Plus, you will also need to follow the [Create a license Secret]({{< ref "/nic/installation/create-license-secret.md" >}}) topic. +If you want to use NGINX Plus, you will also need to follow the [Create a license Secret]({{< ref "/nic/install/license-secret.md" >}}) topic. ### Update custom resource apiVersion @@ -177,6 +177,7 @@ controller: logLevel: info logFormat: json ``` + {{% /tab %}} {{% tab name="Manifests" %}} @@ -190,15 +191,16 @@ args: - -log-level=info - -log-format=json ``` + {{% /tab %}} {{< /tabs >}} ### Create License secret -If you're using [NGINX Plus]({{< ref "/nic/overview/nginx-plus.md" >}}) with NGINX Ingress Controller, you should read the [Create a license Secret]({{< ref "/nic/installation/create-license-secret.md" >}}) topic to set up your NGINX Plus license. +If you're using [NGINX Plus]({{< ref "/nic/overview/nginx-plus.md" >}}) with NGINX Ingress Controller, you should read the [Create a license Secret]({{< ref "/nic/install/license-secret.md" >}}) topic to set up your NGINX Plus license. -The topic also contains guidance for [sending reports to NGINX Instance Manager]({{< ref "/nic/installation/create-license-secret.md#nim">}}), which is necessary for air-gapped environments. +The topic also contains guidance for [sending reports to NGINX Instance Manager]({{< ref "/nic/install/license-secret.md#nim">}}), which is necessary for air-gapped environments. Earlier versions required usage reporting through the cluster connector. This is no longer needed because it's now built into NGINX Plus. diff --git a/content/nic/installation/installing-nic/deploy-with-nap-using-helm.md b/content/nic/install/waf-helm.md similarity index 99% rename from content/nic/installation/installing-nic/deploy-with-nap-using-helm.md rename to content/nic/install/waf-helm.md index 231bc2e2c..09101075d 100644 --- a/content/nic/installation/installing-nic/deploy-with-nap-using-helm.md +++ b/content/nic/install/waf-helm.md @@ -1,7 +1,7 @@ --- title: Install NGINX Ingress Controller and F5 WAF for NGINX with Docker and Helm toc: true -weight: 500 +weight: 400 nd-content-type: how-to nd-product: NIC nd-docs: DOCS-1861 @@ -18,8 +18,6 @@ This is accomplished with the following steps: - Deploy NGINX Plus Ingress Controller with NGINX App Protect - Test example services to validate that the WAF policies work ---- - ## Prepare Secrets and credentials 1. Download your NGINX Ingress Controller subscription's JSON Web Token, SSL Certificate, and Private Key from MyF5. @@ -29,12 +27,11 @@ This is accomplished with the following steps: - `nginx-repo.key` - `nginx-repo.jwt` 1. Log in to the Docker registry using the contents of the JSON Web Token file: + ```shell docker login private-registry.nginx.com --username=$(cat nginx-repo.jwt) --password=none ``` ---- - ## Check compatibility between NGINX Ingress Controller and F5 WAF for NGINX versions {{< include "nic/compatibility-tables/nic-nap.md" >}} @@ -145,6 +142,7 @@ helm repo update ``` Create Kubernetes Docker and licensing secrets: + ```shell kubectl create secret \ docker-registry regcred \ @@ -287,6 +285,7 @@ spec: ``` Create the services with + ```shell kubectl apply -f webapp.yaml ``` diff --git a/content/nic/installation/installing-nic/_index.md b/content/nic/installation/installing-nic/_index.md deleted file mode 100644 index 52e4300bf..000000000 --- a/content/nic/installation/installing-nic/_index.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -title: Install NGINX Ingress Controller -description: -weight: 100 -url: /nginx-ingress-controller/installation/installing-nic ---- diff --git a/content/nic/installation/integrations/_index.md b/content/nic/installation/integrations/_index.md deleted file mode 100644 index 1690f4888..000000000 --- a/content/nic/installation/integrations/_index.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -title: Integrations -description: -weight: 800 -url: /nginx-ingress-controller/installation/integrations ---- diff --git a/content/nic/installation/nic-images/_index.md b/content/nic/installation/nic-images/_index.md deleted file mode 100644 index 526b52588..000000000 --- a/content/nic/installation/nic-images/_index.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: NGINX Ingress Controller images -weight: 200 -url: /nginx-ingress-controller/installation/nic-images ---- diff --git a/content/nic/integrations/_index.md b/content/nic/integrations/_index.md new file mode 100644 index 000000000..98142b589 --- /dev/null +++ b/content/nic/integrations/_index.md @@ -0,0 +1,6 @@ +--- +title: Integrations +description: +weight: 400 +url: /nginx-ingress-controller/integrations +--- diff --git a/content/nic/installation/integrations/app-protect-dos/_index.md b/content/nic/integrations/app-protect-dos/_index.md similarity index 100% rename from content/nic/installation/integrations/app-protect-dos/_index.md rename to content/nic/integrations/app-protect-dos/_index.md diff --git a/content/nic/installation/integrations/app-protect-dos/configuration.md b/content/nic/integrations/app-protect-dos/configuration.md similarity index 100% rename from content/nic/installation/integrations/app-protect-dos/configuration.md rename to content/nic/integrations/app-protect-dos/configuration.md diff --git a/content/nic/installation/integrations/app-protect-dos/dos-protected.md b/content/nic/integrations/app-protect-dos/dos-protected.md similarity index 97% rename from content/nic/installation/integrations/app-protect-dos/dos-protected.md rename to content/nic/integrations/app-protect-dos/dos-protected.md index 771b84533..24cdb78af 100644 --- a/content/nic/installation/integrations/app-protect-dos/dos-protected.md +++ b/content/nic/integrations/app-protect-dos/dos-protected.md @@ -28,6 +28,7 @@ spec: ``` {{% table %}} + |Field | Description | Type | Required | | ---| ---| ---| --- | |``enable`` | Enables F5 DoS for NGINX, Default value: false. | ``bool`` | No | @@ -38,9 +39,10 @@ spec: |``apDosMonitor.timeout`` | Determines how long (in seconds) should F5 DoS for NGINX wait for a response. [App Protect DoS monitor](#dosprotectedresourceapdosmonitor) Default value: 10 seconds for http1/http2 and 5 seconds for grpc. | ``int64`` | No | |``apDosPolicy`` | The [App Protect DoS policy](#dosprotectedresourceapdospolicy) of the dos. Accepts an optional namespace. | ``string`` | No | |``dosSecurityLog.enable`` | Enables security log. | ``bool`` | No | -|``dosSecurityLog.apDosLogConf`` | The [App Protect DoS log conf]({{< ref "/nic/installation/integrations/app-protect-dos/configuration.md#app-protect-dos-logs" >}}) resource. Accepts an optional namespace. | ``string`` | No | +|``dosSecurityLog.apDosLogConf`` | The [App Protect DoS log conf]({{< ref "/nic/integrations/app-protect-dos/configuration.md#app-protect-dos-logs" >}}) resource. Accepts an optional namespace. | ``string`` | No | |``dosSecurityLog.dosLogDest`` | The log destination for the security log. Accepted variables are ``:`` or ``stderr``. Default is ``127.0.0.1:514``. | ``string`` | No | |``allowList`` | List of allowed IP addresses and subnet masks. Each entry is represented by an `IPWithMask` string. | ``[]AllowListEntry`` | No | + {{% /table %}} ### DosProtectedResource.apDosPolicy @@ -76,6 +78,7 @@ If you try to create (or update) a resource that violates the structural schema ```shell kubectl apply -f apdos-protected.yaml ``` + ```shell error: error validating "examples/app-protect-dos/apdos-protected.yaml": error validating data: ValidationError(DosProtectedResource.spec.enable): invalid type for com.f5.appprotectdos.v1beta1.DosProtectedResource.spec.enable: got "string", expected "boolean"; if you choose to ignore these errors, turn validation off with --validate=false ``` @@ -85,6 +88,7 @@ If you try to create (or update) a resource that violates the structural schema ```shell kubectl apply -f access-control-policy-allow.yaml --validate=false ``` + ```shell The DosProtectedResource "dos-protected" is invalid: spec.enable: Invalid value: "string": spec.enable in body must be of type boolean: "string" ``` @@ -100,6 +104,7 @@ You can use `kubectl` to check if NGINX Ingress Controller successfully applied ```shell kubectl describe dosprotectedresource dos-protected ``` + ```shell Events: Type Reason Age From Message @@ -114,6 +119,7 @@ If you create an invalid resource, NGINX Ingress Controller will reject it and e ```shell kubectl describe policy webapp-policy ``` + ```shell Events: Type Reason Age From Message diff --git a/content/nic/installation/integrations/app-protect-dos/installation.md b/content/nic/integrations/app-protect-dos/installation.md similarity index 88% rename from content/nic/installation/integrations/app-protect-dos/installation.md rename to content/nic/integrations/app-protect-dos/installation.md index 5d5be72d8..0d6a90e11 100644 --- a/content/nic/installation/integrations/app-protect-dos/installation.md +++ b/content/nic/integrations/app-protect-dos/installation.md @@ -2,8 +2,8 @@ title: Build NGINX Ingress Controller with F5 DoS for NGINX weight: 100 toc: true -type: how-to -product: NIC +nd-content-type: how-to +nd-product: NIC nd-docs: DOCS-583 --- @@ -15,8 +15,6 @@ This document explains how to build an image for F5 NGINX Ingress Controller wit - To use F5 DoS for NGINX with NGINX Ingress Controller, you must have NGINX Plus. ---- - ## Prepare the environment {#prepare-environment} Get your system ready for building and pushing the NGINX Ingress Controller image with F5 DoS for NGINX. @@ -41,8 +39,6 @@ Get your system ready for building and pushing the NGINX Ingress Controller imag cd kubernetes-ingress/deployments ``` ---- - ## Build the image {#build-docker-image} Follow these steps to build the NGINX Controller Image with F5 DoS for NGINX. @@ -71,7 +67,7 @@ Follow these steps to build the NGINX Controller Image with F5 DoS for NGINX. make debian-image-dos-plus PREFIX=/nginx-plus-ingress TARGET=download ``` - **What to expect**: The image is built and tagged with a version number, which is derived from the `VERSION` variable in the [_Makefile_]({{< ref "/nic/installation/build-nginx-ingress-controller.md#makefile-details" >}}). This version number is used for tracking and deployment purposes. + **What to expect**: The image is built and tagged with a version number, which is derived from the `VERSION` variable in the [_Makefile_]({{< ref "/nic/install/build.md#makefile-details" >}}). This version number is used for tracking and deployment purposes. {{< call-out "note" >}}In the event a patch version of NGINX Plus is released, make sure to rebuild your image to get the latest version. If your system is caching the Docker layers and not updating the packages, add `DOCKER_BUILD_OPTIONS="--pull --no-cache"` to the make command.{{< /call-out >}} @@ -84,8 +80,7 @@ Follow these steps to build the NGINX Controller Image with F5 DoS for NGINX. | **ubi-image-dos-plus** | Builds a UBI-based image with NGINX Plus and the [F5 DoS for NGINX](/nginx-app-protect-dos/) module. | OpenShift | | **ubi-image-nap-dos-plus** | Builds a UBI-based image with NGINX Plus, [F5 DoS for NGINX](/nginx-app-protect-dos/), and [F5 WAF for NGINX](/nginx-app-protect/). | OpenShift | - -{{< call-out "note" >}} For the complete list of _Makefile_ targets and customizable variables, see the [Build NGINX Ingress Controller]({{< ref "/nic/installation/build-nginx-ingress-controller.md#makefile-details" >}}) topic. {{< /call-out>}} +{{< call-out "note" >}} For the complete list of _Makefile_ targets and customizable variables, see the [Build NGINX Ingress Controller]({{< ref "/nic/install/build.md#makefile-details" >}}) topic. {{< /call-out>}} ## Push the image to your private registry @@ -97,26 +92,18 @@ To upload the image, run the following command. If you're using a custom tag, ad make push PREFIX=/nginx-plus-ingress ``` ---- - ## Set up role-based access control (RBAC) {#set-up-rbac} {{< include "/nic/rbac/set-up-rbac.md" >}} ---- - ## Create common resources {#create-common-resources} {{< include "/nic/installation/create-common-resources.md" >}} ---- - ## Create custom resources {#create-custom-resources} {{< include "/nic/installation/create-custom-resources.md" >}} ---- - ## Create App Protect DoS custom resources {{}} @@ -153,8 +140,6 @@ kubectl apply -f config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yam {{}} ---- - ## Deploy NGINX Ingress Controller {#deploy-ingress-controller} {{< include "/nic/installation/deploy-controller.md" >}} @@ -171,8 +156,6 @@ kubectl apply -f config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yam {{< include "/nic/installation/manifests/statefulset.md" >}} ---- - ## Install the App Protect DoS Arbitrator {{< call-out "note" >}} If you install multiple NGINX Ingress Controllers in the same namespace, they will need to share the same Arbitrator because there can only be one Arbitrator in a single namespace. {{< /call-out >}} @@ -203,27 +186,21 @@ Alternatively, you can install the App Protect DoS Arbitrator using the YAML man kubectl apply -f service/appprotect-dos-arb-svc.yaml ``` ---- - ## Enable F5 DoS for NGINX module To enable the F5 DoS for NGINX Module: - Add the `enable-app-protect-dos` [command-line argument]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#cmdoption-enable-app-protect-dos" >}}) to your Deployment, DaemonSet, or StatefulSet file. ---- - ## Confirm NGINX Ingress Controller is running {{< include "/nic/installation/manifests/verify-pods-are-running.md" >}} -For more information, see the [Configuration guide]({{< ref "/nic/installation/integrations/app-protect-dos/configuration.md" >}}),the [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-dos). - ---- +For more information, see the [Configuration guide]({{< ref "/nic/integrations/app-protect-dos/configuration.md" >}}),the [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-dos). ## Alternatives to building your own image {#pre-built-images} If you prefer not to build your own NGINX Ingress Controller image, you can use pre-built images. Here are your options: -- Download the image using your NGINX Ingress Controller subscription certificate and key. View the [Download NGINX Ingress Controller from the F5 Registry]({{< ref "/nic/installation/nic-images/registry-download.md" >}}) topic. - - The [Add an NGINX Ingress Controller image to your cluster]({{< ref "/nic/installation/nic-images/add-image-to-cluster.md" >}}) topic describes how to use your subscription JWT token to get the image. +- Download the image using your NGINX Ingress Controller subscription certificate and key. View the [Download NGINX Ingress Controller from the F5 Registry]({{< ref "/nic/install/images/registry-download.md" >}}) topic. + - The [Add an NGINX Ingress Controller image to your cluster]({{< ref "/nic/install/images/add-image-to-cluster.md" >}}) topic describes how to use your subscription JWT token to get the image. diff --git a/content/nic/installation/integrations/app-protect-dos/troubleshoot-app-protect-dos.md b/content/nic/integrations/app-protect-dos/troubleshoot-app-protect-dos.md similarity index 99% rename from content/nic/installation/integrations/app-protect-dos/troubleshoot-app-protect-dos.md rename to content/nic/integrations/app-protect-dos/troubleshoot-app-protect-dos.md index 4d23b1a44..1a7af9625 100644 --- a/content/nic/installation/integrations/app-protect-dos/troubleshoot-app-protect-dos.md +++ b/content/nic/integrations/app-protect-dos/troubleshoot-app-protect-dos.md @@ -16,10 +16,12 @@ To troubleshoot other parts of NGINX Ingress Controller, check the [troubleshoot The table below outlines potential problems with NGINX Ingress Controller when the App Protect DoS module is enabled. It suggests how to troubleshoot those problems with methods explained in the next section. {{% table %}} + |Problem area | Symptom | Troubleshooting method | Common cause | | ---| ---| ---| --- | |Start | NGINX Ingress Controller fails to start. | Check the NGINX Ingress Controller logs. | Misconfigured DosProtectedResource, APDosLogConf or APDosPolicy. | |DosProtectedResource, APDosLogConf, APDosPolicy or Ingress Resource. | The configuration is not applied. | Check the events of the DosProtectedResource, APDosLogConf, APDosPolicy and Ingress Resource, check the Ingress Controller logs. | DosProtectedResource, APDosLogConf or APDosPolicy is invalid. | + {{% /table %}} ## Troubleshooting ethods diff --git a/content/nic/installation/integrations/app-protect-waf-v5/_index.md b/content/nic/integrations/app-protect-waf-v5/_index.md similarity index 100% rename from content/nic/installation/integrations/app-protect-waf-v5/_index.md rename to content/nic/integrations/app-protect-waf-v5/_index.md diff --git a/content/nic/installation/integrations/app-protect-waf-v5/compile-waf-policies.md b/content/nic/integrations/app-protect-waf-v5/compile-waf-policies.md similarity index 99% rename from content/nic/installation/integrations/app-protect-waf-v5/compile-waf-policies.md rename to content/nic/integrations/app-protect-waf-v5/compile-waf-policies.md index fdb8b7233..1ba91a429 100644 --- a/content/nic/installation/integrations/app-protect-waf-v5/compile-waf-policies.md +++ b/content/nic/integrations/app-protect-waf-v5/compile-waf-policies.md @@ -17,16 +17,11 @@ By using NGINX Instance Manager to compile WAF policies, the policy bundle can a The following steps describe how to use the NGINX Instance Manager API to create a new security policy, compile a bundle, then add it to NGINX Ingress Controller. ---- - -## Before you start +## Before you begin -### Requirements - A working [NGINX Instance Manager]({{< ref "/nim/deploy/" >}}) instance. - An [NGINX Instance Manager user]({{< ref "/nim/admin-guide/rbac/overview-rbac.md" >}}) for API requests. -- A NGINX Ingress Controller [deployment with F5 WAF for NGINX]({{< ref "/nic/installation/integrations/app-protect-waf/installation.md" >}}). - ---- +- A NGINX Ingress Controller [deployment with F5 WAF for NGINX]({{< ref "/nic/integrations/app-protect-waf/installation.md" >}}). ## Create a new security policy @@ -159,6 +154,7 @@ You can use the API to list the security bundles, verifying the new addition: curl --location 'https://127.0.0.1/api/platform/v1/security/policies/bundles' \ -H "Authorization: Bearer " ``` + ```json { "items": [ diff --git a/content/nic/installation/integrations/app-protect-waf-v5/configuration.md b/content/nic/integrations/app-protect-waf-v5/configuration.md similarity index 96% rename from content/nic/installation/integrations/app-protect-waf-v5/configuration.md rename to content/nic/integrations/app-protect-waf-v5/configuration.md index 84880f565..a489ebcc4 100644 --- a/content/nic/installation/integrations/app-protect-waf-v5/configuration.md +++ b/content/nic/integrations/app-protect-waf-v5/configuration.md @@ -71,7 +71,7 @@ This example shows how to deploy NGINX Ingress Controller with NGINX Plus and F5 ### Prerequisites -1. Follow the installation [instructions]({{< ref "/nic/installation/integrations/app-protect-waf-v5/installation.md" >}}) to deploy NGINX Ingress Controller with NGINX Plus and F5 WAF for NGINX version 5. +1. Follow the installation [instructions]({{< ref "/nic/integrations/app-protect-waf-v5/installation.md" >}}) to deploy NGINX Ingress Controller with NGINX Plus and F5 WAF for NGINX version 5. 2. Save the public IP address of NGINX Ingress Controller into a shell variable: diff --git a/content/nic/installation/integrations/app-protect-waf-v5/installation.md b/content/nic/integrations/app-protect-waf-v5/installation.md similarity index 91% rename from content/nic/installation/integrations/app-protect-waf-v5/installation.md rename to content/nic/integrations/app-protect-waf-v5/installation.md index 959c9dc91..bfb08ca54 100644 --- a/content/nic/installation/integrations/app-protect-waf-v5/installation.md +++ b/content/nic/integrations/app-protect-waf-v5/installation.md @@ -2,8 +2,8 @@ title: Build NGINX Ingress Controller with F5 WAF for NGINX weight: 100 toc: true -type: how-to -product: NIC +nd-content-type: how-to +nd-product: NIC nd-docs: DOCS-1865 --- @@ -17,8 +17,6 @@ This document explains how to build a F5 NGINX Ingress Controller image with F5 {{< include "/nic/compatibility-tables/nic-nap.md" >}} ---- - ## Prepare the environment Get your system ready for building and pushing the NGINX Ingress Controller image with F5 WAF for NGINX v5. @@ -48,8 +46,6 @@ Get your system ready for building and pushing the NGINX Ingress Controller imag cd kubernetes-ingress ``` ---- - ## Build the image Follow these steps to build the NGINX Controller Image with F5 WAF for NGINX v5. @@ -78,7 +74,7 @@ Follow these steps to build the NGINX Controller Image with F5 WAF for NGINX v5. make debian-image-nap-v5-plus PREFIX=/nginx-plus-ingress TARGET=download ``` - **What to expect**: The image is built and tagged with a version number, which is derived from the `VERSION` variable in the [_Makefile_]({{< ref "/nic/installation/build-nginx-ingress-controller.md#makefile-details" >}}). This version number is used for tracking and deployment purposes. + **What to expect**: The image is built and tagged with a version number, which is derived from the `VERSION` variable in the [_Makefile_]({{< ref "/nic/install/build.md#makefile-details" >}}). This version number is used for tracking and deployment purposes. {{< call-out "note" >}} In the event a patch of NGINX Plus is released, make sure to rebuild your image to get the latest version. If your system is caching the Docker layers and not updating the packages, add `DOCKER_BUILD_OPTIONS="--pull --no-cache"` to the make command. {{< /call-out >}} @@ -93,8 +89,7 @@ Create Docker image for NGINX Ingress Controller (Alpine with NGINX Plus, F5 WAF | **ubi-image-nap-v5-plus** | Builds a UBI-based image with NGINX Plus and the [F5 WAF for NGINX v5](/nginx-app-protect-waf/v5/) module. | OpenShift | | **ubi-image-nap-dos-v5-plus** | Builds a UBI-based image with NGINX Plus, [F5 WAF for NGINX v5](/nginx-app-protect-waf/v5/), and [F5 DoS for NGINX](/nginx-app-protect-dos/). | OpenShift | - -{{< call-out "note" >}} For the complete list of _Makefile_ targets and customizable variables, see the [Build NGINX Ingress Controller]({{< ref "/nic/installation/build-nginx-ingress-controller.md#makefile-details" >}}) guide. {{< /call-out>}} +{{< call-out "note" >}} For the complete list of _Makefile_ targets and customizable variables, see the [Build NGINX Ingress Controller]({{< ref "/nic/install/build.md#makefile-details" >}}) guide. {{< /call-out>}} If you intend to use [external references](/nginx-app-protect-waf/v5/configuration-guide/configuration/#external-references) in F5 WAF for NGINX policies, you may want to provide a custom CA certificate to authenticate with the hosting server. @@ -103,8 +98,6 @@ To do so, place the `*.crt` file in the build folder and uncomment the lines fol {{< call-out "warning" >}} External references are deprecated in NGINX Ingress Controller and will not be supported in future releases. {{< /call-out >}} ---- - ## Push the images to your private registry Once you've successfully pulled the WAF v5 manager and enforcer images and built the NGINX Ingress Controller image with F5 WAF for NGINX v5, the next step is to upload them to your private Docker registry. This makes the image available for deployment to your Kubernetes cluster. @@ -125,11 +118,8 @@ docker push /waf-config-mgr: docker push /waf-enforcer: ``` ---- - {{< include "/nic/installation/create-custom-resources.md" >}} - ## Deploy NGINX Ingress Controller {#deploy-ingress-controller} {{< important >}} NGINX Ingress Controller with the AppProtect WAF v5 module works only with policy bundles. You need to modify the Deployment, DaemonSet, or StatefulSet file to include volumes, volume mounts and two WAF 5 docker images: `waf-config-mgr` and `waf-enforcer`. @@ -181,7 +171,6 @@ controller: v5: true ``` - ### Configuring volumes Whether you have created a new `PersistentVolume` and `PersistentVolumeClaim`, or you are referencing an existing `PersistentVolumeClaim`, update the `app-protect-bundles` volume to reference your `PersistentVolumeClaim`. @@ -206,6 +195,7 @@ By default, `emptyDir` mounts are used. Bundles that are added to these kind of volume mounts will **NOT** persist across pod restarts. Example default volumes: + ```yaml ... controller: @@ -217,6 +207,7 @@ controller: emptyDir: {} ... ``` + {{< /call-out >}} ### Configuring `readOnlyRootFilesystem` @@ -293,11 +284,9 @@ You have two options for deploying NGINX Ingress Controller: - **DaemonSet**. Choose this method if you want NGINX Ingress Controller to run on all nodes or a subset of nodes. - **StatefulSet**. Choose this method when you need stable, persistent storage and ordered deployment/scaling for your NGINX Ingress Controller pods. ---- - ### Set up role-based access control (RBAC) {#set-up-rbac} -{{}}To complete these steps you need admin access to your cluster. Refer to to your Kubernetes platform's documentation to set up admin access. For Google Kubernetes Engine (GKE), you can refer to their [Role-Based Access Control guide](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control).{{}} +{{< call-out "important" "Admin access required" >}}To complete these steps you need admin access to your cluster. Refer to to your Kubernetes platform's documentation to set up admin access. For Google Kubernetes Engine (GKE), you can refer to their [Role-Based Access Control guide](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control).{{}} 1. Create a namespace and a service account: @@ -311,8 +300,6 @@ You have two options for deploying NGINX Ingress Controller: kubectl apply -f deployments/rbac/rbac.yaml ``` ---- - ### Volumes and VolumeMounts Add a `volumes` section to deployment template spec: @@ -481,8 +468,6 @@ Add `readOnlyRootFilesystem` to the `waf-enforcer` container and set value to `t {{< include "/nic/installation/manifests/statefulset.md" >}} ---- - ### Enable F5 WAF for NGINX module To enable the F5 DoS for NGINX Module: @@ -493,19 +478,15 @@ To enable the F5 DoS for NGINX Module: {{}} ---- - ## Confirm NGINX Ingress Controller is running {{< include "/nic/installation/manifests/verify-pods-are-running.md" >}} -For more information, see the [Configuration guide]({{< ref "/nic/installation/integrations/app-protect-waf-v5/configuration.md" >}}) and the NGINX Ingress Controller with App Protect version 5 example resources on GitHub [for VirtualServer resources](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/custom-resources/app-protect-waf-v5). - ---- +For more information, see the [Configuration guide]({{< ref "/nic/integrations/app-protect-waf-v5/configuration.md" >}}) and the NGINX Ingress Controller with App Protect version 5 example resources on GitHub [for VirtualServer resources](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/custom-resources/app-protect-waf-v5). ## Alternatives to building your own image {#pre-built-images} If you prefer not to build your own NGINX Ingress Controller image, you can use pre-built images. Here are your options: -- Download the image using your NGINX Ingress Controller subscription certificate and key. View the [Download NGINX Ingress Controller from the F5 Registry]({{< ref "/nic/installation/nic-images/registry-download.md" >}}) topic. -- The [Add an NGINX Ingress Controller image to your cluster]({{< ref "/nic/installation/nic-images/add-image-to-cluster.md" >}}) topic describes how to use your subscription JWT token to get the image. +- Download the image using your NGINX Ingress Controller subscription certificate and key. View the [Download NGINX Ingress Controller from the F5 Registry]({{< ref "/nic/install/images/registry-download.md" >}}) topic. +- The [Add an NGINX Ingress Controller image to your cluster]({{< ref "/nic/install/images/add-image-to-cluster.md" >}}) topic describes how to use your subscription JWT token to get the image. diff --git a/content/nic/installation/integrations/app-protect-waf-v5/troubleshoot-app-protect-waf.md b/content/nic/integrations/app-protect-waf-v5/troubleshoot-app-protect-waf.md similarity index 100% rename from content/nic/installation/integrations/app-protect-waf-v5/troubleshoot-app-protect-waf.md rename to content/nic/integrations/app-protect-waf-v5/troubleshoot-app-protect-waf.md diff --git a/content/nic/installation/integrations/app-protect-waf/_index.md b/content/nic/integrations/app-protect-waf/_index.md similarity index 78% rename from content/nic/installation/integrations/app-protect-waf/_index.md rename to content/nic/integrations/app-protect-waf/_index.md index b7e20d618..999fcc9a2 100644 --- a/content/nic/installation/integrations/app-protect-waf/_index.md +++ b/content/nic/integrations/app-protect-waf/_index.md @@ -2,7 +2,6 @@ title: F5 WAF for NGINX description: Learn how to use NGINX Ingress Controller for Kubernetes with NGINX App Protect. weight: 100 -aliases: ["/nginx-ingress-controller/app-protect/"] menu: docs: parent: NGINX Ingress Controller diff --git a/content/nic/installation/integrations/app-protect-waf/configuration.md b/content/nic/integrations/app-protect-waf/configuration.md similarity index 98% rename from content/nic/installation/integrations/app-protect-waf/configuration.md rename to content/nic/integrations/app-protect-waf/configuration.md index f35bffbc2..6d10930ff 100644 --- a/content/nic/installation/integrations/app-protect-waf/configuration.md +++ b/content/nic/integrations/app-protect-waf/configuration.md @@ -11,7 +11,6 @@ This document explains how to use F5 NGINX Ingress Controller to configure F5 WA {{< call-out "note" >}} Check out the complete NGINX Ingress Controller with F5 WAF for NGINX example resources on GitHub [for VirtualServer resources](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-waf).{{< /call-out >}} - ## Global Configuration NGINX Ingress Controller has global configuration parameters that match those in F5 WAF for NGINX. They are found in the [ConfigMap resource]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#modules" >}}): the F5 WAF for NGINX parameters are prefixed with `app-protect*`. @@ -23,7 +22,6 @@ F5 WAF for NGINX can be enabled and configured for custom resources (VirtualServ - For custom resources, you need to create a Policy Custom Resource referencing the `APPolicy` custom resource or bundle, then add it to the VirtualServer definition. Additional detail can be found in the [Policy Resource documentation]({{< ref "/nic/configuration/policy-resource.md#waf" >}}). - For Ingress resources, apply the [`app-protect` annotations]({{< ref "/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md#app-protect" >}}) to each desired resource. - ## F5 WAF for NGINX Policies {#waf-policies} F5 WAF for NGINX Policies can be created for VirtualServer, VirtualServerRoute, or Ingress resources by creating an `APPolicy` [custom resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). There are some caveats: @@ -158,7 +156,7 @@ You can define F5 WAF for NGINX [User-Defined Signatures](/nginx-app-protect-waf The field `revisionDatetime` is not currently supported. -`APUserSig` resources increase the reload time of NGINX Plus compared with `APPolicy` and `APLogConf` resources. Read [NGINX fails to start or reload]({{< ref "/nic/installation/integrations/app-protect-waf-v5/troubleshoot-app-protect-waf.md#nginx-fails-to-start-or-reload" >}}) for more information. +`APUserSig` resources increase the reload time of NGINX Plus compared with `APPolicy` and `APLogConf` resources. Read [NGINX fails to start or reload]({{< ref "/nic/integrations/app-protect-waf-v5/troubleshoot-app-protect-waf.md#nginx-fails-to-start-or-reload" >}}) for more information. {{< /call-out >}} @@ -234,7 +232,6 @@ Before applying a policy, a WAF policy bundle must be created, then copied to a This example shows how a policy is configured by referencing a generated WAF Policy Bundle: - ```yaml apiVersion: k8s.nginx.org/v1 kind: Policy @@ -248,7 +245,6 @@ spec: This example shows the same policy as above but with a log bundle used for security log configuration: - ```yaml apiVersion: k8s.nginx.org/v1 kind: Policy @@ -442,7 +438,7 @@ In this example we deploy NGINX Ingress Controller with NGINX Plus and F5 WAF fo ## Prerequisites -1. Follow the installation [instructions]({{< ref "/nic/installation/integrations/app-protect-waf/installation.md" >}}) to deploy NGINX Ingress Controller with NGINX Plus and F5 WAF for NGINX. +1. Follow the installation [instructions]({{< ref "/nic/integrations/app-protect-waf/installation.md" >}}) to deploy NGINX Ingress Controller with NGINX Plus and F5 WAF for NGINX. 2. Save the public IP address of NGINX Ingress Controller into a shell variable: ```shell @@ -508,6 +504,7 @@ To access the application, curl the coffee and the tea services. We'll use the - ```shell curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT/ ``` + ```shell Server address: 10.12.0.18:80 Server name: webapp-7586895968-r26zn @@ -518,6 +515,7 @@ To access the application, curl the coffee and the tea services. We'll use the - ```shell curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP "http://webapp.example.com:$IC_HTTP_PORT/