From d014b72eea967159e07298b4b8aaf871673aa390 Mon Sep 17 00:00:00 2001 From: Venktesh Shivam Patel Date: Tue, 30 Sep 2025 16:38:00 +0100 Subject: [PATCH 01/23] nic: add docs for sslVerify in JWT policy (#1198) --- content/nic/configuration/policy-resource.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/content/nic/configuration/policy-resource.md b/content/nic/configuration/policy-resource.md index 8efcc0064..d803f4207 100644 --- a/content/nic/configuration/policy-resource.md +++ b/content/nic/configuration/policy-resource.md @@ -456,6 +456,9 @@ This feature is implemented using the NGINX Plus directive [auth_jwt_key_request |``token`` | The token specifies a variable that contains the JSON Web Token. By default the JWT is passed in the ``Authorization`` header as a Bearer Token. JWT may be also passed as a cookie or a part of a query string, for example: ``$cookie_auth_token``. Accepted variables are ``$http_``, ``$arg_``, ``$cookie_``. | ``string`` | No | -- | |``sniEnabled`` | Enables SNI (Server Name Indication) for the JWT policy. This is useful when the remote server requires SNI to serve the correct certificate. | ``bool`` | No | `false` | |``sniName`` | The SNI name to use when connecting to the remote server. If not set, the hostname from the ``jwksURI`` will be used. | ``string`` | No | -- | +|``sslVerify`` | Enables verification of the JWKS server SSL certificate. | ``bool`` | No | `false` | +|``sslVerifyDepth`` | Sets the verification depth in the JWKS server certificates chain. | ``int`` | No | `1` | +|``trustedCertSecret`` | The name of the Kubernetes secret that stores the CA certificate for JWKS server verification. It must be in the same namespace as the Policy resource. The secret must be of the type ``nginx.org/ca``, and the certificate must be stored in the secret under the key ``ca.crt``. | ``string`` | No | -- | {{% /table %}} {{< call-out "note" >}} From d718d30e8c02af227d3779f534d125263bd07e8a Mon Sep 17 00:00:00 2001 
From: Venktesh Shivam Patel Date: Thu, 23 Oct 2025 09:57:02 +0100 Subject: [PATCH 02/23] nic: add ssl cipher annotations (#1353) --- .../advanced-configuration-with-annotations.md | 2 ++ .../advanced-configuration-with-annotations.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md b/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md index 0cda88373..a7a130da6 100644 --- a/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md +++ b/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md 
@@ -138,6 +138,8 @@ The table below summarizes the available annotations. | *nginx.org/hsts-behind-proxy* | *hsts-behind-proxy* | Enables HSTS based on the value of the ``http_x_forwarded_proto* request header. Should only be used when TLS termination is configured in a load balancer (proxy) in front of NGINX Ingress Controller. Note: to control redirection from HTTP to HTTPS configure the ``nginx.org/redirect-to-https* annotation. | *False* | | | *nginx.org/basic-auth-secret* | N/A | Specifies a Secret resource with a user list for HTTP Basic authentication. | N/A | | | *nginx.org/basic-auth-realm* | N/A | Specifies a realm. | N/A | | +| *nginx.org/ssl-ciphers* | *ssl-ciphers* | Sets the value of the [ssl_ciphers](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) directive. | N/A | *HIGH:!aNULL:!MD5* | +| *nginx.org/ssl-prefer-server-ciphers* | *ssl-prefer-server-ciphers* | Enables or disables the [ssl_prefer_server_ciphers](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers) directive. | *False* | | | *nginx.com/jwt-key* | N/A | Specifies a Secret resource with keys for validating JSON Web Tokens (JWTs). | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | | *nginx.com/jwt-realm* | N/A | Specifies a realm. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | | *nginx.com/jwt-token* | N/A | Specifies a variable that contains a JSON Web Token. | By default, a JWT is expected in the ``Authorization* header as a Bearer Token. | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | 
diff --git a/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md b/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md index 8fb2b4d3c..380f21581 100644 --- a/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md +++ b/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md 
@@ -139,6 +139,8 @@ The table below summarizes the available annotations. | *nginx.org/hsts-behind-proxy* | *hsts-behind-proxy* | Enables HSTS based on the value of the `http_x_forwarded_proto` request header. Should only be used when TLS termination is configured in a load balancer (proxy) in front of NGINX Ingress Controller. Note: to control redirection from HTTP to HTTPS configure the `nginx.org/redirect-to-https` annotation. | *False* | | | *nginx.org/basic-auth-secret* | N/A | Specifies a Secret resource with a user list for HTTP Basic authentication. | N/A | | | *nginx.org/basic-auth-realm* | N/A | Specifies a realm. | N/A | | +| *nginx.org/ssl-ciphers* | *ssl-ciphers* | Sets the value of the [ssl_ciphers](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) directive. | N/A | *HIGH:!aNULL:!MD5* | +| *nginx.org/ssl-prefer-server-ciphers* | *ssl-prefer-server-ciphers* | Enables or disables the [ssl_prefer_server_ciphers](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers) directive. | *False* | | | *nginx.com/jwt-key* | N/A | Specifies a Secret resource with keys for validating JSON Web Tokens (JWTs). | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | | *nginx.com/jwt-realm* | N/A | Specifies a realm. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | | *nginx.com/jwt-token* | N/A | Specifies a variable that contains a JSON Web Token. | By default, a JWT is expected in the `Authorization` header as a Bearer Token. | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | From 30991bc9867d30b2cca9c563eea406c278074441 Mon Sep 17 00:00:00 2001 
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Mon, 3 Nov 2025 11:18:21 +0000 Subject: [PATCH 03/23] feat: helm HorizontalPodAutoscaler creation flag (#1355) --- .../nic/installation/installing-nic/installation-with-helm.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/nic/installation/installing-nic/installation-with-helm.md b/content/nic/installation/installing-nic/installation-with-helm.md index a8a4c4eec..2f131c15c 100644 --- a/content/nic/installation/installing-nic/installation-with-helm.md +++ b/content/nic/installation/installing-nic/installation-with-helm.md @@ -272,6 +272,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont | **controller.enableLatencyMetrics** | Enable collection of latency metrics for upstreams. Requires `prometheus.create`. | false | | **controller.minReadySeconds** | Specifies the minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. [docs](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds) | 0 | | **controller.autoscaling.enabled** | Enables HorizontalPodAutoscaling. | false | +| **controller.autoscaling.create** | Create the HorizontalPodAutoscaler resource. This can be set to false to manage the HPA externally. | true | | **controller.autoscaling.annotations** | The annotations of the NGINX Ingress Controller HorizontalPodAutoscaler. | {} | | **controller.autoscaling.behavior** | Behavior configuration for the HPA. | {} | | **controller.autoscaling.minReplicas** | Minimum number of replicas for the HPA. | 1 | From 3735ffb70dc8617b38e4c133348f20016433cad8 Mon Sep 17 00:00:00 2001 
From: AlexFenlon Date: Fri, 7 Nov 2025 11:55:29 +0000 Subject: [PATCH 04/23] feat: add OIDC timeout config options to NIC ConfigMap (#1413) feat: Add OIDC Timeout to NIC ConfigMap --- .../global-configuration/configmap-resource.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/content/nic/configuration/global-configuration/configmap-resource.md b/content/nic/configuration/global-configuration/configmap-resource.md index 4910a66d2..0e56b828b 100644 --- a/content/nic/configuration/global-configuration/configmap-resource.md +++ b/content/nic/configuration/global-configuration/configmap-resource.md @@ -178,6 +178,17 @@ If you encounter the error `error [emerg] 13#13: "zone_sync" directive is duplic |*zone-sync-resolver-ipv6* | Configures whether the optional [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) directive for zone-sync will look up IPv6 addresses. NGINX Plus & `zone-sync` Required | `true` | |*zone-sync-resolver-valid* | Configures an [NGINX time](https://nginx.org/en/docs/syntax.html) that the optional [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) directive for zone-sync will override the TTL value of responses from nameservers with. NGINX Plus & `zone-sync` Required | `5s` | +### OIDC (OpenID Connect) Timeouts + +For more information on timeouts, see [here](https://github.com/nginxinc/nginx-openid-connect?tab=readme-ov-file#configuring-the-key-value-store) + +|ConfigMap Key | Description | Default | +| ---| ---| ---| +| *oidc-pkce-timeout* | Sets the timeout for PKCE (Proof Key for Code Exchange) in OIDC. | `90s` | +| *oidc-id-tokens-timeout* | Sets the timeout for ID tokens in OIDC. | `1h` | +| *oidc-access-tokens-timeout* | Sets the timeout for access tokens in OIDC. | `1h` | +| *oidc-refresh-tokens-timeout* | Sets the timeout for refresh tokens in OIDC. | `24h` | +| *oidc-sids-timeout* | Sets the timeout for session IDs in OIDC. | `24h` | ### Snippets and custom templates 
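Review bot: in [PATCH 01/23], the ``sslVerify`` row added to content/nic/configuration/policy-resource.md gives a default of `false` without saying what that means for the JWKS fetch: with verification off, the keys used to validate JWTs are accepted from a server whose certificate is not checked. Suggest saying so in the description and recommending that ``sslVerify`` be enabled together with ``trustedCertSecret`` for a remote ``jwksURI``. The ``trustedCertSecret`` row should also state which CA certificates are used when ``sslVerify`` is on and no secret is named. The depth field is ``sslVerifyDepth`` here but ``verifyDepth`` in the OIDC table added by [PATCH 08/23]; if the names really differ, a cross-reference between the two tables would help.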
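Review bot: in [PATCH 02/23], the `nginx.org/ssl-ciphers` row (both copies of advanced-configuration-with-annotations.md) has `N/A` in the fourth cell and `HIGH:!aNULL:!MD5` in the last cell, which the neighbouring `nginx.com/jwt-*` rows use for an examples link. Say explicitly whether that string is the value in effect when the annotation is absent or only a sample value, because a reader auditing TLS settings needs the effective default. The `nginx.org/ssl-prefer-server-ciphers` row says "Enables or disables" but not which values the annotation accepts.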
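Review bot: in [PATCH 03/23], the `controller.autoscaling.create` row defaults to `true` while `controller.autoscaling.enabled` directly above it defaults to `false`, and the description does not say how the two combine. Suggest adding whether `create` is only consulted when `enabled` is true, and what `enabled: true` with `create: false` still configures for an externally managed HPA.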
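Review bot: in [PATCH 04/23], the five `oidc-*-timeout` rows say only "Sets the timeout for ...", which does not tell the reader what expires. The linked section is about configuring the key-value store, so the descriptions should say that each value bounds how long the corresponding entry is kept there, and what a client sees once an entry lapses. The zone-sync rows just above carry "NGINX Plus & `zone-sync` Required"; if an NGINX Plus requirement applies to these keys too, the new rows should state it. The link text "here" should name its target, and that sentence is missing its full stop.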
From 8853b37736fab3191dad6218ff48e1beb9a01f76 Mon Sep 17 00:00:00 2001 From: Venktesh Shivam Patel Date: Fri, 7 Nov 2025 15:20:43 +0000 Subject: [PATCH 05/23] feat: add documentation for new ingress annotation(#1415) --- .../ingress-resources/advanced-configuration-with-annotations.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md b/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md index 380f21581..8746ff11b 100644 --- a/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md +++ b/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md 
@@ -123,6 +123,7 @@ The table below summarizes the available annotations. | *nginx.org/proxy-hide-headers* | *proxy-hide-headers* | Sets the value of one or more [proxy_hide_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) directives. Example: `"nginx.org/proxy-hide-headers": "header-a,header-b"` | N/A | | | *nginx.org/proxy-pass-headers* | *proxy-pass-headers* | Sets the value of one or more [proxy_pass_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header) directives. Example: `"nginx.org/proxy-pass-headers": "header-a,header-b"` | N/A | | | *nginx.org/rewrites* | N/A | Configures URI rewriting using [proxy_pass](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass) directive. | N/A | [rewrites](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/rewrites) | +| *nginx.org/rewrite-target* | N/A | Configures URI rewriting using the [rewrite](https://nginx.org/en/docs/http/ngx_http_rewrite_module.html#rewrite) directive. The annotation value specifies the target path that requests should be rewritten to. Supports regex capture groups (`$1`, `$2`, etc.) when used with `nginx.org/path-regex`. Mutually exclusive with `nginx.org/rewrites`. | N/A | [rewrite-target](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/rewrite-target) | |*nginx.org/proxy-set-headers* | N/A | Enables customization of proxy headers and values using the [proxy_set_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header) directive. Example: `"nginx.org/proxy-set-headers": "header-a: valueA,header-b: valueB,header-c: valueC"` | N/A | [Proxy Set Headers](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/proxy-set-headers). | {{< /table >}} From ec13f849b694834ed61e018d1a67f527a74c46d6 Mon Sep 17 00:00:00 2001 
From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> Date: Mon, 17 Nov 2025 13:51:06 +0000 Subject: [PATCH 06/23] update docs for upstream service in foreign namespace (#1419) --- .../virtualserver-and-virtualserverroute-resources.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md b/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md index 761929b9e..d6ad63edc 100644 --- a/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md +++ b/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md 
@@ -333,7 +333,7 @@ tls: |Field | Description | Type | Required | | ---| ---| ---| --- | |``name`` | The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, ``hello`` and ``upstream-123`` are valid. The name must be unique among all upstreams of the resource. | ``string`` | Yes | -|``service`` | The name of a [service](https://kubernetes.io/docs/concepts/services-networking/service/). The service must belong to the same namespace as the resource. If the service doesn't exist, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. For NGINX Plus only, services of type [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#externalname) are also supported (check the [prerequisites](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/externalname-services#prerequisites) ). | ``string`` | Yes | +|``service`` | The name of a [service](https://kubernetes.io/docs/concepts/services-networking/service/). If the Service belongs to a different namespace than the VirtualServer or VirtualServerRoute, you need to include the namespace. For example, ``tea-namespace/tea``. If the service doesn't exist, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. For NGINX Plus only, services of type [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#externalname) are also supported in the same namespace (check the [prerequisites](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/externalname-services#prerequisites) ). | ``string`` | Yes | |``subselector`` | Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. 
If the pod labels are updated, NGINX Ingress Controller will not see that change until the number of the pods is changed. | ``map[string]string`` | No | |``use-cluster-ip`` | Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like ``lb-method`` and ``next-upstream``) will have no effect, as NGINX Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. | ``boolean`` | No | |``port`` | The port of the service. If the service doesn't define that port, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. The port must fall into the range ``1..65535``. | ``uint16`` | Yes | From 5348a6e3ad3973e7bfb2626aef9dd7c8674ded1c Mon Sep 17 00:00:00 2001 From: AlexFenlon Date: Tue, 25 Nov 2025 13:17:50 +0000 Subject: [PATCH 07/23] feat: Add client-body-buffer-size directive to NIC Ingress Annotations, Configmap, VirtualServer (#1468) * feat: Add client-body-buffer-size directive to NIC Ingress Annotations, Configmap, VirtualServer * update descriptions based off pr changes --- .../nic/configuration/global-configuration/configmap-resource.md | 1 + .../ingress-resources/advanced-configuration-with-annotations.md | 1 + .../virtualserver-and-virtualserverroute-resources.md | 1 + .../nic/configuration/global-configuration/configmap-resource.md | 1 + .../ingress-resources/advanced-configuration-with-annotations.md | 1 + .../virtualserver-and-virtualserverroute-resources.md | 1 + content/nic/install/migrate-ingress-nginx.md | 1 + 7 files changed, 7 insertions(+) diff --git a/content/includes/nic/configuration/global-configuration/configmap-resource.md b/content/includes/nic/configuration/global-configuration/configmap-resource.md index b4c8ad7e3..0f2cde069 100644 
--- a/content/includes/nic/configuration/global-configuration/configmap-resource.md +++ b/content/includes/nic/configuration/global-configuration/configmap-resource.md @@ -77,6 +77,7 @@ For more information, view the [VirtualServer and VirtualServerRoute resources]( |*proxy-read-timeout* | Sets the value of the [proxy_read_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout) and [grpc_read_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_read_timeout) directive. | *60s* | | |*proxy-send-timeout* | Sets the value of the [proxy_send_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout) and [grpc_send_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_send_timeout) directive. | *60s* | | |*client-max-body-size* | Sets the value of the [client_max_body_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) directive. | *1m* | | +|*client-body-buffer-size* | Sets the value of the [client_body_buffer_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) directive. | N/A | | |*proxy-buffering* | Enables or disables [buffering of responses](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering) from the proxied server. | *True* | | |*proxy-buffers* | Sets the value of the [proxy_buffers](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers) directive. | Depends on the platform. | | |*proxy-buffer-size* | Sets the value of the [proxy_buffer_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) and [grpc_buffer_size](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size) directives. | Depends on the platform. | | 
diff --git a/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md b/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md index a7a130da6..57ddffa7c 100644 --- a/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md +++ b/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md 
@@ -105,6 +105,7 @@ The table below summarizes the available annotations. | *nginx.org/proxy-read-timeout* | *proxy-read-timeout* | Sets the value of the [proxy_read_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout) and [grpc_read_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_read_timeout) directive. | *60s* | | | *nginx.org/proxy-send-timeout* | *proxy-send-timeout* | Sets the value of the [proxy_send_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout) and [grpc_send_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_send_timeout) directive. | *60s* | | | *nginx.org/client-max-body-size* | *client-max-body-size* | Sets the value of the [client_max_body_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) directive. | *1m* | | +| *nginx.org/client-body-buffer-size* | *client-body-buffer-size* | Sets the value of the [client_body_buffer_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) directive. | N/A | | | *nginx.org/proxy-buffering* | *proxy-buffering* | Enables or disables [buffering of responses](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering) from the proxied server. | *True* | | | *nginx.org/proxy-buffers* | *proxy-buffers* | Sets the value of the [proxy_buffers](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers) directive. | Depends on the platform. | | | *nginx.org/proxy-buffer-size* | *proxy-buffer-size* | Sets the value of the [proxy_buffer_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) and [grpc_buffer_size](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size) directives. | Depends on the platform. | | 
diff --git a/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md b/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md index 0bfc1f97e..437a2b13d 100644 --- a/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md +++ b/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md 
@@ -364,6 +364,7 @@ tls: |``next-upstream-timeout`` | The time during which a request can be passed to the next upstream server. See the [proxy_next_upstream_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream_timeout) directive. The ``0`` value turns off the time limit. The default is ``0``. | ``string`` | No | |``next-upstream-tries`` | The number of possible tries for passing a request to the next upstream server. See the [proxy_next_upstream_tries](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream_tries) directive. The ``0`` value turns off this limit. The default is ``0``. | ``int`` | No | |``client-max-body-size`` | Sets the maximum allowed size of the client request body. See the [client_max_body_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) directive. The default is set in the ``client-max-body-size`` ConfigMap key. | ``string`` | No | +|``client-body-buffer-size`` | Sets the value of the [client_body_buffer_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) directive. | ``string`` | No | |``tls`` | The TLS configuration for the Upstream. | [tls](#upstreamtls) | No | |``healthCheck`` | The health check configuration for the Upstream. See the [health_check](https://nginx.org/en/docs/http/ngx_http_upstream_hc_module.html#health_check) directive. Note: this feature is supported only in NGINX Plus. | [healthcheck](#upstreamhealthcheck) | No | |``slow-start`` | The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. See the [slow_start](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#slow_start) parameter of the server directive. 
Note: The parameter cannot be used along with the ``random`` , ``hash`` or ``ip_hash`` load balancing methods and will be ignored. | ``string`` | No | diff --git a/content/nic/configuration/global-configuration/configmap-resource.md b/content/nic/configuration/global-configuration/configmap-resource.md index 255d6e873..c611da85d 100644 --- a/content/nic/configuration/global-configuration/configmap-resource.md +++ b/content/nic/configuration/global-configuration/configmap-resource.md 
@@ -68,6 +68,7 @@ For more information, view the [VirtualServer and VirtualServerRoute resources]( |*proxy-read-timeout* | Sets the value of the [proxy_read_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout) and [grpc_read_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_read_timeout) directive. | *60s* | | |*proxy-send-timeout* | Sets the value of the [proxy_send_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout) and [grpc_send_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_send_timeout) directive. | *60s* | | |*client-max-body-size* | Sets the value of the [client_max_body_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) directive. | *1m* | | +|*client-body-buffer-size* | Sets the value of the [client_body_buffer_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) directive. | N/A | | |*proxy-buffering* | Enables or disables [buffering of responses](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering) from the proxied server. | *True* | | |*proxy-buffers* | Sets the value of the [proxy_buffers](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers) directive. | Depends on the platform. | | |*proxy-buffer-size* | Sets the value of the [proxy_buffer_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) and [grpc_buffer_size](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size) directives. | Depends on the platform. | | diff --git a/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md b/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md index c69ffed40..c83d5eda1 100644 --- a/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md 
+++ b/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md @@ -108,6 +108,7 @@ The table below summarizes the available annotations. | *nginx.org/proxy-read-timeout* | *proxy-read-timeout* | Sets the value of the [proxy_read_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout) and [grpc_read_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_read_timeout) directive. | *60s* | | | *nginx.org/proxy-send-timeout* | *proxy-send-timeout* | Sets the value of the [proxy_send_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout) and [grpc_send_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_send_timeout) directive. | *60s* | | | *nginx.org/client-max-body-size* | *client-max-body-size* | Sets the value of the [client_max_body_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) directive. | *1m* | | +| *nginx.org/client-body-buffer-size* | *client-body-buffer-size* | Sets the value of the [client_body_buffer_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) directive. | N/A | | | *nginx.org/proxy-buffering* | *proxy-buffering* | Enables or disables [buffering of responses](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering) from the proxied server. | *True* | | | *nginx.org/proxy-buffers* | *proxy-buffers* | Sets the value of the [proxy_buffers](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers) directive. | Depends on the platform. | | | *nginx.org/proxy-buffer-size* | *proxy-buffer-size* | Sets the value of the [proxy_buffer_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) and [grpc_buffer_size](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size) directives. | Depends on the platform. | | 
diff --git a/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md b/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md index d6ad63edc..8b861dd46 100644 --- a/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md +++ b/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md 
@@ -349,6 +349,7 @@ tls: |``next-upstream-timeout`` | The time during which a request can be passed to the next upstream server. See the [proxy_next_upstream_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream_timeout) directive. The ``0`` value turns off the time limit. The default is ``0``. | ``string`` | No | |``next-upstream-tries`` | The number of possible tries for passing a request to the next upstream server. See the [proxy_next_upstream_tries](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream_tries) directive. The ``0`` value turns off this limit. The default is ``0``. | ``int`` | No | |``client-max-body-size`` | Sets the maximum allowed size of the client request body. See the [client_max_body_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) directive. The default is set in the ``client-max-body-size`` ConfigMap key. | ``string`` | No | +|``client-body-buffer-size`` | Sets the value of the [client_body_buffer_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) directive. The default is set in the ``client-body-buffer-size`` ConfigMap key. | ``string`` | No | |``tls`` | The TLS configuration for the Upstream. | [tls](#upstreamtls) | No | |``healthCheck`` | The health check configuration for the Upstream. See the [health_check](https://nginx.org/en/docs/http/ngx_http_upstream_hc_module.html#health_check) directive. Note: this feature is supported only in NGINX Plus. | [healthcheck](#upstreamhealthcheck) | No | |``slow-start`` | The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. 
See the [slow_start](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#slow_start) parameter of the server directive. Note: The parameter cannot be used along with the ``random`` , ``hash`` or ``ip_hash`` load balancing methods and will be ignored. | ``string`` | No | diff --git a/content/nic/install/migrate-ingress-nginx.md b/content/nic/install/migrate-ingress-nginx.md index 58bf97cbe..671657cb4 100644 --- a/content/nic/install/migrate-ingress-nginx.md +++ b/content/nic/install/migrate-ingress-nginx.md 
@@ -542,6 +542,7 @@ Some of the key names are identical, and each Ingress Controller has ConfigMap k | [_max-worker-connections_](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#max-worker-connections) | [_worker-connections_]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#general-customization" >}}) | | [_max-worker-open-files_](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#max-worker-open-files) | [_worker-rlimit-nofile_]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#general-customization" >}}) | | [_proxy-body-size_](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#proxy-body-size) | [_client-max-body-size_]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#general-customization" >}}) | +| [_client-body-buffer-size_](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#client-body-buffer-size) | [_client-body-buffer-size_]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#general-customization" >}}) | | [_proxy-buffering_](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#proxy-buffering) | [_proxy-buffering_]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#general-customization" >}}) | | [_proxy-buffers-number_](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#proxy-buffers-number) | [_proxy-buffers: number size_]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#general-customization" >}}) | | [_proxy-buffer-size_](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#proxy-buffer-size) | [_proxy-buffers: number size_]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#general-customization" >}}) | 
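Review bot: in [PATCH 05/23], the `nginx.org/rewrite-target` row says the annotation is mutually exclusive with `nginx.org/rewrites` but not what happens when an Ingress carries both. Suggest documenting whether the resource is rejected or which annotation takes effect. Because the value can reference `$1`, `$2` captures from `nginx.org/path-regex`, the row should also say what validation the value goes through before it is written into the `rewrite` directive.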
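Review bot: in [PATCH 06/23], the reworded ``service`` row drops "The service must belong to the same namespace as the resource" and allows a reference such as ``tea-namespace/tea`` without saying what governs it. A cross-namespace upstream changes the isolation a namespace owner can assume, so the row should state whether any opt-in or permission is required on the target namespace, or say plainly that none is. The phrase "are also supported in the same namespace" is ambiguous; if ExternalName services are limited to the resource's own namespace, "only in the same namespace" says that directly.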
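Review bot: in [PATCH 07/23], the ``client-body-buffer-size`` row added to content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md ends at "directive.", while the copy added to content/nic/configuration/virtualserver-and-virtualserverroute-resources.md continues with "The default is set in the ``client-body-buffer-size`` ConfigMap key."; the two copies should carry the same text. The commit message mentions a description update after review, so the includes copy may simply have been missed.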
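Review bot: in [PATCH 07/23], the `client-body-buffer-size` rows in both configmap-resource.md copies and both annotation tables give the default as `N/A`, whereas the neighbouring `proxy-buffers` and `proxy-buffer-size` rows say "Depends on the platform." Suggest stating what applies when the key is unset (for instance that the directive is omitted and the NGINX built-in default is used, if that is the case), since the VirtualServer row defers to this ConfigMap key for its own default.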
From 6f0ad963ea09f67abb9c7bdc994af2113936a252 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Wed, 26 Nov 2025 18:20:54 +0000 Subject: [PATCH 08/23] feat: Add OIDC Policy sslVerify parameters (#1479) --- content/nic/configuration/policy-resource.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/content/nic/configuration/policy-resource.md b/content/nic/configuration/policy-resource.md index 94c0e3522..d9facf2cb 100644 --- a/content/nic/configuration/policy-resource.md +++ b/content/nic/configuration/policy-resource.md @@ -755,6 +755,9 @@ The OIDC policy defines a few internal locations that can't be customized: `/_jw |``zoneSyncLeeway`` | Specifies the maximum timeout in milliseconds for synchronizing ID/access tokens and shared values between Ingress Controller pods. The default is ``200``. | ``int`` | No | |``accessTokenEnable`` | Option of whether Bearer token is used to authorize NGINX to access protected backend. | ``boolean`` | No | |``pkceEnable`` | Switches Proof Key for Code Exchange on. The OpenID client needs to be in public mode. `clientSecret` is not used in this mode. | ``boolean`` | No | +|``sslVerify`` | Use this option to enable TLS verification when calls are made to the IDP endpoints. | ``boolean`` | No | +|``verifyDepth`` | Sets the verification depth in the proxied HTTPS server certificates chain. The default is ``1``. | ``int`` | No | +|``trustedCertSecret`` | The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The secret must be of the type ``nginx.org/ca``, and the certificate must be stored in the secret under the key ``ca.crt``, otherwise the secret will be rejected as invalid. | ``string`` | No | {{% /table %}} From 94d397c3cc9c2e21f009ecf50a8b4e1cab6acdf2 Mon Sep 17 00:00:00 2001 
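Review bot: the new `sslVerify` row in the OIDC table does not say what happens when the field is omitted, while the `verifyDepth` row directly below it states its default. Please state the default explicitly, and if verification is off unless the field is set, say so in plain words, because calls to the IDP endpoints would then be made without validating the server certificate. The `trustedCertSecret` row should also say whether it is required when `sslVerify` is enabled and which CA certificates are used when it is left out.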
From: Venktesh Shivam Patel Date: Fri, 28 Nov 2025 09:53:13 +0000 Subject: [PATCH 09/23] nic: update policy resource with new fields (#1495) --- ...server-and-virtualserverroute-resources.md | 6 +-- content/nic/configuration/policy-resource.md | 42 ++++++++++++++++++- 2 files changed, 44 insertions(+), 4 deletions(-) diff --git a/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md b/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md index a15b7ce9b..c5720335f 100644 --- a/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md +++ b/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md @@ -421,7 +421,7 @@ timeout: 60s See [`queue`](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#queue) directive for additional information. -{{< call-out "note" >}} This feature is only supported with NGINX Plus. {{ /call-out }} +{{< call-out "note" >}} This feature is only supported with NGINX Plus. {{< /call-out >}} {{< table >}} @@ -463,7 +463,7 @@ healthCheck: keepalive-time: 60s ``` -{{< call-out "note" >}} This feature is only supported with NGINX Plus. {{ /call-out }} +{{< call-out "note" >}} This feature is only supported with NGINX Plus. {{< /call-out >}} {{< table >}} @@ -513,7 +513,7 @@ sessionCookie: See the [`sticky`](https://nginx.org/en/docs/http/ngx_http_upstream_module.html?#sticky) directive for additional information. The session cookie corresponds to the `sticky cookie` method. -{{< call-out "note" >}} This feature is only supported with NGINX Plus. {{ /call-out }} +{{< call-out "note" >}} This feature is only supported with NGINX Plus. {{< /call-out >}} |Field | Description | Type | Required | | ---| ---| ---| --- | diff --git a/content/nic/configuration/policy-resource.md b/content/nic/configuration/policy-resource.md index d9facf2cb..9a6f1f11d 100644 --- a/content/nic/configuration/policy-resource.md 
+++ b/content/nic/configuration/policy-resource.md @@ -805,6 +805,26 @@ cache: time: "5m" levels: "1:2" overrideUpstreamCache: true + inactive: "60m" + useTempPath: false + maxSize: "10g" + minFree: "1g" + manager: + files: 100 + sleep: "50ms" + threshold: "200ms" + cacheKey: "$scheme$host$request_uri" + cacheUseStale: [ "error", "timeout", "updating", "http_500" ] + cacheRevalidate: true + cacheBackgroundUpdate: true + cacheMinUses: 1 + lock: + enable: true + timeout: "5s" + age: "30s" + conditions: + noCache: [ "$cookie_nocache", "$arg_nocache" ] + bypass: [ "$http_authorization" ] ``` {{< call-out "note" >}} 
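Review bot: in the extended `cache:` example, `conditions.bypass` lists `$http_authorization` but `conditions.noCache` does not. As the field table in this patch describes it, bypass only stops a response being taken from the cache, so the response to a request carrying an `Authorization` header is still stored under `cacheKey: "$scheme$host$request_uri"`, which has no per-user component, and can be served to a later request without that header. With `overrideUpstreamCache: true` in the same example, upstream `Cache-Control` headers will not prevent that either. Please add `$http_authorization` to `noCache` as well, or explain next to the example why storing those responses is intended. It would also help to mark values such as `files: 100`, `sleep: "50ms"` and `threshold: "200ms"` as restating the documented defaults.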
@@ -817,7 +837,7 @@ The feature is implemented using the NGINX [ngx_http_proxy_module](https://nginx |Field | Description | Type | Required | | --- | ---| ---| --- | -| ``cacheZoneName`` | CacheZoneName defines the name of the cache zone. Must start with a lowercase letter,followed by alphanumeric characters or underscores, and end with an alphanumeric character. Single lowercase letters are also allowed. Examples: "cache", "my_cache", "cache1". | ``string`` | Yes | +|``cacheZoneName`` | CacheZoneName defines the name of the cache zone. Must start with a lowercase letter,followed by alphanumeric characters or underscores, and end with an alphanumeric character. Single lowercase letters are also allowed. Examples: "cache", "my_cache", "cache1". | ``string`` | Yes | |``cacheZoneSize`` | CacheZoneSize defines the size of the cache zone. Must be a number followed by a size unit: 'k' for kilobytes, 'm' for megabytes, or 'g' for gigabytes. Examples: "10m", "1g", "512k". | ``string`` | Yes | |``allowedCodes`` | AllowedCodes defines which HTTP response codes should be cached. Accepts either: - The string "any" to cache all response codes (must be the only element) - A list of HTTP status codes as integers (100-599) Examples: ["any"], [200, 301, 404], [200]. Invalid: ["any", 200] (cannot mix "any" with specific codes). | ``[]IntOrString`` | No | |``time`` | The default cache time for responses. Required when allowedCodes is specified. Must be a number followed by a time unit: 's' for seconds, 'm' for minutes, 'h' for hours, 'd' for days. Examples: "30s", "5m", "1h", "2d". | ``string`` | No | 
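Review bot: since the `cacheZoneName` row is being touched for the leading-space fix, please also fix the missing space in "lowercase letter,followed by" on the same line. The description requires a lowercase first letter but only says "alphanumeric" for the remaining characters. If uppercase letters are rejected throughout, the row should say so.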
@@ -825,6 +845,26 @@ The feature is implemented using the NGINX [ngx_http_proxy_module](https://nginx |``levels`` | Levels defines the cache directory hierarchy levels for storing cached files. Must be in format "X:Y" or "X:Y:Z" where X, Y, Z are either 1 or 2. This controls the number of subdirectory levels and their name lengths. Examples: "1:2", "2:2", "1:2:2". Invalid: "3:1", "1:3", "1:2:3". | ``string`` | No | |``overrideUpstreamCache`` | OverrideUpstreamCache controls whether to override upstream cache headers (using proxy_ignore_headers directive). When true, NGINX will ignore cache-related headers from upstream servers like Cache-Control, Expires etc, Default: false. | ``bool`` | No | |``cachePurgeAllow`` | CachePurgeAllow defines IP addresses or CIDR blocks allowed to purge cache. This feature is only available in NGINX Plus. Examples: ["192.168.1.100", "10.0.0.0/8", "::1"]. | ``[]string`` | No | +|``cacheKey`` | CacheKey defines a key for caching (proxy_cache_key). By default, "$scheme$proxy_host$uri". Must not contain command execution patterns: $(, `, ;, &&, || | ``string`` | No | +|``cacheUseStale`` | CacheUseStale determines in which cases a stale cached response can be used (proxy_cache_use_stale). Valid parameters: error, timeout, invalid_header, updating, http_500, http_502, http_503, http_504, http_403, http_404, http_429, off. | ``[]string`` | No | +|``cacheRevalidate`` | CacheRevalidate enables revalidation of expired cache items using conditional requests (proxy_cache_revalidate). Uses "If-Modified-Since" and "If-None-Match" header fields. | ``bool`` | No | +|``cacheBackgroundUpdate`` | CacheBackgroundUpdate allows starting a background subrequest to update an expired cache item (proxy_cache_background_update). A stale cached response is returned to the client while the cache is being updated. | ``bool`` | No | +|``cacheMinUses`` | CacheMinUses sets the number of requests after which the response will be cached (proxy_cache_min_uses). 
| ``integer`` | No | +|``inactive`` | Inactive sets the time after which cached data that are not accessed get removed from the cache (inactive parameter). By default, inactive is set to 10 minutes. | ``string`` | No | +|``maxSize`` | MaxSize sets the maximum cache size (max_size parameter). When the size is exceeded, the cache manager removes the least recently used data. | ``string`` | No | +|``minFree`` | MinFree sets the minimum amount of free space required on the file system with cache (min_free parameter). When there is not enough free space, the cache manager removes the least recently used data. | ``string`` | No | +|``useTempPath`` | UseTempPath controls whether temporary files and the cache are put on different file systems (use_temp_path parameter). If set to false, temporary files will be put directly in the cache directory (use_temp_path=off). Default: false (use_temp_path=off, which puts temp files directly in cache directory for better performance). | ``bool`` | No | +|``manager`` | Manager configures the cache manager process parameters (manager_files, manager_sleep, manager_threshold). | ``object`` | No | +|``manager.files`` | Files sets the maximum number of files that will be deleted in one iteration by the cache manager. During one iteration no more than manager_files items are deleted (by default, 100). | ``integer`` | No | +|``manager.sleep`` | Sleep sets the pause between cache manager iterations. Between iterations, a pause configured by manager_sleep (by default, 50 milliseconds) is made. | ``string`` | No | +|``manager.threshold`` | Threshold sets the maximum duration of one cache manager iteration. The duration of one iteration is limited by manager_threshold (by default, 200 milliseconds). | ``string`` | No | +|``lock`` | Lock configures cache locking to prevent multiple identical requests from populating the same cache element simultaneously. 
| ``object`` | No | +|``lock.enable`` | Enable sets whether cache locking is enabled (proxy_cache_lock). When enabled, only one request at a time will be allowed to populate a new cache element according to the proxy_cache_key. | ``bool`` | No | +|``lock.timeout`` | Timeout sets a timeout for proxy_cache_lock. When the time expires, the request will be passed to the proxied server, however, the response will not be cached. | ``string`` | No | +|``lock.age`` | Age sets the maximum time a cache lock can be held (proxy_cache_lock_age). If the last request passed to the proxied server for populating a new cache element has not completed for the specified time, one more request may be passed. | ``string`` | No | +|``conditions`` | Conditions defines when responses should not be cached or taken from cache. | ``object`` | No | +|``conditions.noCache`` | NoCache defines conditions under which the response will not be saved to a cache (proxy_no_cache). If at least one value of the string parameters is not empty and is not equal to "0" then the response will not be saved. | ``[]string`` | No | +|``conditions.bypass`` | Bypass defines conditions under which the response will not be taken from a cache (proxy_cache_bypass). If at least one value of the string parameters is not empty and is not equal to "0" then the response will not be taken from the cache. | ``[]string`` | No | {{% /table %}} From 47c7076a2fd466bfe67c17d1d4dc7470e669ca80 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Thu, 4 Dec 2025 14:23:23 +0000 Subject: [PATCH 10/23] Update release notes for 5.3.0 --- content/nic/changelog/_index.md | 109 +++++++++++++++++++ layouts/shortcodes/nic-helm-version.html | 2 +- layouts/shortcodes/nic-operator-version.html | 2 +- layouts/shortcodes/nic-version.html | 2 +- 4 files changed, 112 insertions(+), 3 deletions(-) diff --git a/content/nic/changelog/_index.md b/content/nic/changelog/_index.md index e92c197cf..16c8a8ede 100644 --- a/content/nic/changelog/_index.md 
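Review bot: in the `@@ -825,6 +845,26 @@` hunk of policy-resource.md, the `cacheKey` row lists the forbidden patterns as raw text inside a table cell, including a lone backtick and an unescaped `||`. The pipes will be read as cell separators and the backtick opens an inline code span, so the row is likely to render with extra columns and lose its type column. Please wrap each pattern in a double-backtick code span and escape the pipes as `\|\|`. Several of the new rows (`cacheUseStale`, `cacheMinUses`, `maxSize`, `minFree`, the `lock.*` fields) also give no default, while `inactive` and the `manager.*` rows do. Stating the defaults consistently would let readers tell what changes when a field is omitted.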
+++ b/content/nic/changelog/_index.md 
@@ -24,6 +24,115 @@ For older releases, check the changelogs for previous years: [2024]({{< ref "/ni {{< /details >}} + +## 5.3.0 + +08 Dec 2025 + +### {{% icon rocket %}} Features +- [8292](https://github.com/nginx/kubernetes-ingress/pull/8292) Add sslverify for jwksuri +- [8447](https://github.com/nginx/kubernetes-ingress/pull/8447) Add support for ssl ciphers related annotations +- [8340](https://github.com/nginx/kubernetes-ingress/pull/8340) Implement oidc front channel logout nginx directives +- [8495](https://github.com/nginx/kubernetes-ingress/pull/8495) Add oidc timeout customization to configmap +- [8453](https://github.com/nginx/kubernetes-ingress/pull/8453) Support namespaced upstream service reference in virtualserver +- [8508](https://github.com/nginx/kubernetes-ingress/pull/8508) Add rewrite-target annotation +- [8548](https://github.com/nginx/kubernetes-ingress/pull/8548) Add `client-body-buffer-size` directive to ingress annotations & configmap +- [8557](https://github.com/nginx/kubernetes-ingress/pull/8557) Add client-body-buffer-size directive to virtualserver +- [8556](https://github.com/nginx/kubernetes-ingress/pull/8556) Add oidc policy idp tls validation +- [8533](https://github.com/nginx/kubernetes-ingress/pull/8533) Extend cache policy for more configurable parameters + +### {{% icon bug %}} Fixes +- [8299](https://github.com/nginx/kubernetes-ingress/pull/8299) Remove type field for objects with schema ref +- [8455](https://github.com/nginx/kubernetes-ingress/pull/8455) Cleanup stale socket files on startup +- [8460](https://github.com/nginx/kubernetes-ingress/pull/8460) Wrap oidc fclo initiated test in a while loop + +### {{% icon arrow-up %}} Dependencies +- [8553](https://github.com/nginx/kubernetes-ingress/pull/8553) Bump Go dependencies +- [8244](https://github.com/nginx/kubernetes-ingress/pull/8244), [8279](https://github.com/nginx/kubernetes-ingress/pull/8279), [8284](https://github.com/nginx/kubernetes-ingress/pull/8284), 
[8315](https://github.com/nginx/kubernetes-ingress/pull/8315), [8324](https://github.com/nginx/kubernetes-ingress/pull/8324), [8334](https://github.com/nginx/kubernetes-ingress/pull/8334) & [8384](https://github.com/nginx/kubernetes-ingress/pull/8384) Bump Docker dependencies +- [8581](https://github.com/nginx/kubernetes-ingress/pull/8581) Update python:3.14-trixie docker digest to d88b120 (main) +- [8577](https://github.com/nginx/kubernetes-ingress/pull/8577) Update module golang.org/x/tools to v0.39.0 (main) +- [8578](https://github.com/nginx/kubernetes-ingress/pull/8578) Update module mvdan.cc/gofumpt to v0.9.2 (main) +- [8569](https://github.com/nginx/kubernetes-ingress/pull/8569) Update aws-sdk-go-v2 monorepo (main) +- [8560](https://github.com/nginx/kubernetes-ingress/pull/8560) Update pre-commit hook rhysd/actionlint to v1.7.9 (main) +- [8552](https://github.com/nginx/kubernetes-ingress/pull/8552) Update kubernetes packages to v0.34.2 (main) +- [8544](https://github.com/nginx/kubernetes-ingress/pull/8544) Update aws-sdk-go-v2 monorepo (main) +- [8524](https://github.com/nginx/kubernetes-ingress/pull/8524) Update module github.com/aws/aws-sdk-go-v2/config to v1.31.18 (main) +- [8526](https://github.com/nginx/kubernetes-ingress/pull/8526) Update pre-commit hook psf/black-pre-commit-mirror to v25.11.0 (main) +- [8511](https://github.com/nginx/kubernetes-ingress/pull/8511) Update docker-registry.nginx.com/nap-dos/app_protect_dos_arb docker tag to v1.2.0 (main) +- [8514](https://github.com/nginx/kubernetes-ingress/pull/8514) Update test containers to v0.2.6 +- [8596](https://github.com/nginx/kubernetes-ingress/pull/8513, https://github.com/nginx/kubernetes-ingress/pull/8596) Update registry.k8s.io/external-dns/external-dns docker tag to v0.20.0 (main) +- [8492](https://github.com/nginx/kubernetes-ingress/pull/8492) Update dependency clusterrole to rbac.authorization.k8s.io/v1 (main) +- [8499](https://github.com/nginx/kubernetes-ingress/pull/8499) Update 
quay.io/jetstack/cert-manager-webhook docker tag to v1.19.1 (main) +- [8498](https://github.com/nginx/kubernetes-ingress/pull/8498) Update quay.io/jetstack/cert-manager-controller docker tag to v1.19.1 (main) +- [8497](https://github.com/nginx/kubernetes-ingress/pull/8497) Update quay.io/jetstack/cert-manager-cainjector docker tag to v1.19.1 (main) +- [8503](https://github.com/nginx/kubernetes-ingress/pull/8493, https://github.com/nginx/kubernetes-ingress/pull/8503) Update dependency go to v1.25.4 (main) +- [8475](https://github.com/nginx/kubernetes-ingress/pull/8475) Update kindest/node docker tag to v1.34.0 (main) +- [8484](https://github.com/nginx/kubernetes-ingress/pull/8484) Update coredns/coredns docker tag to v1.13.1 (main) +- [8483](https://github.com/nginx/kubernetes-ingress/pull/8483) Update aws-sdk-go-v2 monorepo (main) +- [8486](https://github.com/nginx/kubernetes-ingress/pull/8486) Update renovate to bump minor go versions +- [8465](https://github.com/nginx/kubernetes-ingress/pull/8465) Update module github.com/nginx/nginx-prometheus-exporter to v1.5.1 (main) +- [8551](https://github.com/nginx/kubernetes-ingress/pull/8474, https://github.com/nginx/kubernetes-ingress/pull/8551) Update golangci/golangci-lint docker tag to v2.6.2 (main) +- [8464](https://github.com/nginx/kubernetes-ingress/pull/8464) Update aws-sdk-go-v2 monorepo (main) +- [8599](https://github.com/nginx/kubernetes-ingress/pull/8436, https://github.com/nginx/kubernetes-ingress/pull/8490, https://github.com/nginx/kubernetes-ingress/pull/8549, https://github.com/nginx/kubernetes-ingress/pull/8562, https://github.com/nginx/kubernetes-ingress/pull/8579, https://github.com/nginx/kubernetes-ingress/pull/8587, https://github.com/nginx/kubernetes-ingress/pull/8599) Update ghcr.io/nginx/dependencies/nginx-ubi:ubi8 docker digest to fa931e9 (main) +- [8445](https://github.com/nginx/kubernetes-ingress/pull/8445) Use renovate to monitor test data yaml files +- 
[8543](https://github.com/nginx/kubernetes-ingress/pull/8450, https://github.com/nginx/kubernetes-ingress/pull/8462, https://github.com/nginx/kubernetes-ingress/pull/8482, https://github.com/nginx/kubernetes-ingress/pull/8543) Update python:3.14-bookworm docker digest to 407cd1c (main) +- [8542](https://github.com/nginx/kubernetes-ingress/pull/8448, https://github.com/nginx/kubernetes-ingress/pull/8471, https://github.com/nginx/kubernetes-ingress/pull/8542) Update debian:12-slim docker digest to 936abff (main) +- [8428](https://github.com/nginx/kubernetes-ingress/pull/8428) Update module github.com/cert-manager/cert-manager to v1.19.1 (main) +- [8575](https://github.com/nginx/kubernetes-ingress/pull/8439, https://github.com/nginx/kubernetes-ingress/pull/8451, https://github.com/nginx/kubernetes-ingress/pull/8558, https://github.com/nginx/kubernetes-ingress/pull/8575) Update redhat/ubi8 docker digest to a444712 (main) +- [8440](https://github.com/nginx/kubernetes-ingress/pull/8440) Update aws-sdk-go-v2 monorepo (main) +- [8401](https://github.com/nginx/kubernetes-ingress/pull/8401) Upgrade github.com/nginx/nginx-plus-go-client/v3 to v3.0.1 +- [8598](https://github.com/nginx/kubernetes-ingress/pull/8437, https://github.com/nginx/kubernetes-ingress/pull/8449, https://github.com/nginx/kubernetes-ingress/pull/8461, https://github.com/nginx/kubernetes-ingress/pull/8491, https://github.com/nginx/kubernetes-ingress/pull/8501, https://github.com/nginx/kubernetes-ingress/pull/8550, https://github.com/nginx/kubernetes-ingress/pull/8563, https://github.com/nginx/kubernetes-ingress/pull/8580, https://github.com/nginx/kubernetes-ingress/pull/8598) Update ghcr.io/nginx/dependencies/nginx-ubi:ubi9 docker digest to aa99558 (main) +- [8589](https://github.com/nginx/kubernetes-ingress/pull/8432, https://github.com/nginx/kubernetes-ingress/pull/8589) Update redhat/ubi9-minimal docker tag to v9.7-1764578379 (main) +- [8572](https://github.com/nginx/kubernetes-ingress/pull/8396, 
https://github.com/nginx/kubernetes-ingress/pull/8476, https://github.com/nginx/kubernetes-ingress/pull/8572) Update module github.com/gruntwork-io/terratest to v0.54.0 (main) +- [8588](https://github.com/nginx/kubernetes-ingress/pull/8431, https://github.com/nginx/kubernetes-ingress/pull/8588) Update redhat/ubi9 docker tag to v9.7-1764578509 (main) +- [8429](https://github.com/nginx/kubernetes-ingress/pull/8429) Update module github.com/cert-manager/cert-manager to v1.19.0 (main) +- [8427](https://github.com/nginx/kubernetes-ingress/pull/8427) Update renovate pr's in github workflow +- [8424](https://github.com/nginx/kubernetes-ingress/pull/8424) Allow renovate to run postupgradetasks +- [8397](https://github.com/nginx/kubernetes-ingress/pull/8397) Correct space in github actions, update renovate syntax +- [8406](https://github.com/nginx/kubernetes-ingress/pull/8406) Update python docker tag to v3.14 (main) +- [8559](https://github.com/nginx/kubernetes-ingress/pull/8405, https://github.com/nginx/kubernetes-ingress/pull/8525, https://github.com/nginx/kubernetes-ingress/pull/8559) Update pre-commit hook asottile/pyupgrade to v3.21.2 (main) +- [8502](https://github.com/nginx/kubernetes-ingress/pull/8389, https://github.com/nginx/kubernetes-ingress/pull/8438, https://github.com/nginx/kubernetes-ingress/pull/8502) Update golang:1.25-alpine docker digest to 182059d (main) +- [8387](https://github.com/nginx/kubernetes-ingress/pull/8387) Update dependency pyyaml to v6.0.3 (main) +- [8388](https://github.com/nginx/kubernetes-ingress/pull/8388) Update dependency wrapt to v1.17.3 (main) +- [8381](https://github.com/nginx/kubernetes-ingress/pull/8381) Update renovate configuration +- [8375](https://github.com/nginx/kubernetes-ingress/pull/8375) Update docker/login-action action to v3.6.0 +- [8466](https://github.com/nginx/kubernetes-ingress/pull/8366, https://github.com/nginx/kubernetes-ingress/pull/8443, https://github.com/nginx/kubernetes-ingress/pull/8466) Update 
balabit/syslog-ng docker tag to v4.10.2 (main) +- [8362](https://github.com/nginx/kubernetes-ingress/pull/8362) Update examples with keycloak 26.x +- [8350](https://github.com/nginx/kubernetes-ingress/pull/8350) Update dependency cffi to v2 +- [8356](https://github.com/nginx/kubernetes-ingress/pull/8356) Update peter-evans/dockerhub-description action to v5 +- [8355](https://github.com/nginx/kubernetes-ingress/pull/8355) Update dependency grpcio to v1.75.1 +- [8349](https://github.com/nginx/kubernetes-ingress/pull/8349) Update k8s.io/utils digest to bc988d5 +- [8337](https://github.com/nginx/kubernetes-ingress/pull/8337) Update module github.com/golang-jwt/jwt/v4 to v5 +- [8343](https://github.com/nginx/kubernetes-ingress/pull/8343) Update actions/cache action to v4.3.0 +- [8344](https://github.com/nginx/kubernetes-ingress/pull/8344) Update dependency certifi to v2025.8.3 +- [8332](https://github.com/nginx/kubernetes-ingress/pull/8332) Update ossf/scorecard-action action to v2.4.3 +- [8333](https://github.com/nginx/kubernetes-ingress/pull/8333) Update dependency pycparser to v2.23 +- [8582](https://github.com/nginx/kubernetes-ingress/pull/8326, https://github.com/nginx/kubernetes-ingress/pull/8564, https://github.com/nginx/kubernetes-ingress/pull/8582) Update module github.com/gkampitakis/go-snaps to v0.5.17 (main) +- [8323](https://github.com/nginx/kubernetes-ingress/pull/8323) Update dependency cryptography to v46.0.2 +- [8309](https://github.com/nginx/kubernetes-ingress/pull/8309) Update aws-sdk-go-v2 monorepo +- [8312](https://github.com/nginx/kubernetes-ingress/pull/8312) Update dependency requests to v2.32.5 +- [8584](https://github.com/nginx/kubernetes-ingress/pull/8307, https://github.com/nginx/kubernetes-ingress/pull/8374, https://github.com/nginx/kubernetes-ingress/pull/8570, https://github.com/nginx/kubernetes-ingress/pull/8584) Update docker/dockerfile docker tag to v1.20 (main) +- [8595](https://github.com/nginx/kubernetes-ingress/pull/8308, 
https://github.com/nginx/kubernetes-ingress/pull/8459, https://github.com/nginx/kubernetes-ingress/pull/8510, https://github.com/nginx/kubernetes-ingress/pull/8565, https://github.com/nginx/kubernetes-ingress/pull/8576, https://github.com/nginx/kubernetes-ingress/pull/8595) Update quay.io/keycloak/keycloak docker tag to v26.4.7 (main) +- [8300](https://github.com/nginx/kubernetes-ingress/pull/8300) Chore(deps): bump the actions group across 1 directory with 5 updates +- [8298](https://github.com/nginx/kubernetes-ingress/pull/8298) Chore: configure renovate +- [8566](https://github.com/nginx/kubernetes-ingress/pull/8286, https://github.com/nginx/kubernetes-ingress/pull/8369, https://github.com/nginx/kubernetes-ingress/pull/8423, https://github.com/nginx/kubernetes-ingress/pull/8539, https://github.com/nginx/kubernetes-ingress/pull/8566) [pre-commit.ci] pre-commit autoupdate +- [8287](https://github.com/nginx/kubernetes-ingress/pull/8287) Chore(deps): bump the python group with 5 updates +- [8275](https://github.com/nginx/kubernetes-ingress/pull/8275) Chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 in the actions group +- [8270](https://github.com/nginx/kubernetes-ingress/pull/8270) Chore(deps): bump the python group with 5 updates +- [8269](https://github.com/nginx/kubernetes-ingress/pull/8269) Chore(deps): bump the actions group with 2 updates +- [8252](https://github.com/nginx/kubernetes-ingress/pull/8252) Bump preflight version to v1.14.1 +- [8254](https://github.com/nginx/kubernetes-ingress/pull/8248, https://github.com/nginx/kubernetes-ingress/pull/8254) Chore(deps): bump python from `d99178e` to `a805109` in /tests +- [8263](https://github.com/nginx/kubernetes-ingress/pull/8249, https://github.com/nginx/kubernetes-ingress/pull/8263) Chore(deps): bump github/codeql-action from 3.30.1 to 3.30.3 in the actions group +- [8243](https://github.com/nginx/kubernetes-ingress/pull/8243) Chore(deps): bump the python group with 2 updates + +### {{% icon 
download %}} Upgrade +- For NGINX, use the 5.3.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=5.3.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 5.3.0 images from the F5 Container registry or build your own image using the 5.3.0 source code. +- For Helm, use version 2.4.0 of the chart. + +### {{% icon life-buoy %}} Supported Platforms +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.27-1.34. + ## 5.2.1 10 Oct 2025 diff --git a/layouts/shortcodes/nic-helm-version.html b/layouts/shortcodes/nic-helm-version.html index a6254504e..9183195ac 100644 --- a/layouts/shortcodes/nic-helm-version.html +++ b/layouts/shortcodes/nic-helm-version.html @@ -1 +1 @@ -2.3.1 \ No newline at end of file +2.4.0 \ No newline at end of file diff --git a/layouts/shortcodes/nic-operator-version.html b/layouts/shortcodes/nic-operator-version.html index 712bd5a68..fbcbf7380 100644 --- a/layouts/shortcodes/nic-operator-version.html +++ b/layouts/shortcodes/nic-operator-version.html @@ -1 +1 @@ -3.3.1 \ No newline at end of file +3.4.0 \ No newline at end of file diff --git a/layouts/shortcodes/nic-version.html b/layouts/shortcodes/nic-version.html index 804440660..e230c8396 100644 --- a/layouts/shortcodes/nic-version.html +++ b/layouts/shortcodes/nic-version.html @@ -1 +1 @@ -5.2.1 \ No newline at end of file +5.3.0 \ No newline at end of file From 7a466d378909993bdd1e7530b6701f42024e449a Mon Sep 17 00:00:00 2001 
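Review bot: in the 5.3.0 changelog hunk, many Dependencies entries put several comma-separated URLs inside one Markdown link target, for example `[8596](https://github.com/nginx/kubernetes-ingress/pull/8513, https://github.com/nginx/kubernetes-ingress/pull/8596)`. A link target takes a single URL, so these entries will not resolve to either pull request. Please give each pull request its own `[number](url)` link, as the "Bump Docker dependencies" entry in the same list already does.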
From: AlexFenlon Date: Fri, 5 Dec 2025 09:55:10 +0000 Subject: [PATCH 11/23] Delete content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md --- ...server-and-virtualserverroute-resources.md | 1083 ----------------- 1 file changed, 1083 deletions(-) delete mode 100644 content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md diff --git a/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md b/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md deleted file mode 100644 index c5720335f..000000000 --- a/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md +++ /dev/null 
@@ -1,1083 +0,0 @@ ---- -title: VirtualServer and VirtualServerRoute resources -toc: true -weight: 700 -nd-content-type: reference -nd-product: INGRESS -nd-docs: DOCS-599 ---- - -This document is reference material for the VirtualServer and VirtualServerRoute resources used by F5 NGINX Ingress Controller. - -VirtualServer and VirtualServerRoute resources are load balancing configurations recommended as an alternative to the Ingress resource. - -They enable use cases not supported with the Ingress resource, such as traffic splitting and advanced content-based routing. The resources are implemented as [Custom Resources](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). - -The GitHub repository has [examples of the resources](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/custom-resources) for specific use cases. - ---- - -## VirtualServer specification - -The VirtualServer resource defines load balancing configuration for a domain name, such as `example.com`. Below is an example of such configuration: - -```yaml -apiVersion: k8s.nginx.org/v1 -kind: VirtualServer -metadata: - name: cafe -spec: - host: cafe.example.com - listener: - http: http-8083 - https: https-8443 - tls: - secret: cafe-secret - gunzip: on - upstreams: - - name: tea - service: tea-svc - port: 80 - - name: coffee - service: coffee-svc - port: 80 - routes: - - path: /tea - action: - pass: tea - - path: /coffee - action: - pass: coffee - - path: ~ ^/decaf/.*\\.jpg$ - action: - pass: coffee - - path: = /green/tea - action: - pass: tea -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``host`` | The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as ``my-app`` or ``hello.example.com``. When using a wildcard domain like ``*.example.com`` the domain must be contained in double quotes. The ``host`` value needs to be unique among all Ingress and VirtualServer resources. 
See also [Handling Host and Listener Collisions](/nginx-ingress-controller/configuration/host-and-listener-collisions). | ``string`` | Yes | -|``listener`` | Sets a custom HTTP and/or HTTPS listener. Valid fields are `listener.http` and `listener.https`. Each field must reference the name of a valid listener defined in a GlobalConfiguration resource | [listener](#virtualserverlistener) | No | -|``tls`` | The TLS termination configuration. | [tls](#virtualservertls) | No | -|``gunzip`` | Enables or disables [decompression](https://docs.nginx.com/nginx/admin-guide/web-server/compression/) of gzipped responses for clients. Allowed values “on”/“off”, “true”/“false” or “yes”/“no”. If the ``gunzip`` value is not set, it defaults to ``off``. | ``boolean`` | No | -|``externalDNS`` | The externalDNS configuration for a VirtualServer. | [externalDNS](#virtualserverexternaldns) | No | -|``dos`` | A reference to a DosProtectedResource, setting this enables DOS protection of the VirtualServer. | ``string`` | No | -|``policies`` | A list of policies. | [[]policy](#virtualserverpolicy) | No | -|``upstreams`` | A list of upstreams. | [[]upstream](#upstream) | No | -|``routes`` | A list of routes. | [[]route](#virtualserverroute) | No | -|``ingressClassName`` | Specifies which Ingress Controller must handle the VirtualServer resource. | ``string`` | No | -|``internalRoute`` | Specifies if the VirtualServer resource is an internal route or not. | ``boolean`` | No | -|``http-snippets`` | Sets a custom snippet in the http context. | ``string`` | No | -|``server-snippets`` | Sets a custom snippet in server context. Overrides the ``server-snippets`` ConfigMap key. | ``string`` | No | - -### VirtualServer.TLS - -The tls field defines TLS configuration for a VirtualServer. For example: - -```yaml -secret: cafe-secret -redirect: - enable: true -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``secret`` | The name of a secret with a TLS certificate and key. 
The secret must belong to the same namespace as the VirtualServer. The secret must be of the type ``kubernetes.io/tls`` and contain keys named ``tls.crt`` and ``tls.key`` that contain the certificate and private key as described [here](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls). If the secret doesn't exist or is invalid, NGINX will break any attempt to establish a TLS connection to the host of the VirtualServer. If the secret is not specified but [wildcard TLS secret](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments#cmdoption-wildcard-tls-secret) is configured, NGINX will use the wildcard secret for TLS termination. | ``string`` | No | -|``redirect`` | The redirect configuration of the TLS for a VirtualServer. | [tls.redirect](#virtualservertlsredirect) | No | ### VirtualServer.TLS.Redirect | -|``cert-manager`` | The cert-manager configuration of the TLS for a VirtualServer. | [tls.cert-manager](#virtualservertlscertmanager) | No | ### VirtualServer.TLS.CertManager | - -### VirtualServer.TLS.Redirect - -The redirect field configures a TLS redirect for a VirtualServer: - -```yaml -enable: true -code: 301 -basedOn: scheme -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``enable`` | Enables a TLS redirect for a VirtualServer. The default is ``False``. | ``boolean`` | No | -|``code`` | The status code of a redirect. The allowed values are: ``301`` , ``302`` , ``307`` , ``308``. The default is ``301``. | ``int`` | No | -|``basedOn`` | The attribute of a request that NGINX will evaluate to send a redirect. The allowed values are ``scheme`` (the scheme of the request) or ``x-forwarded-proto`` (the ``X-Forwarded-Proto`` header of the request). The default is ``scheme``. 
| ``string`` | No | ### VirtualServer.Policy | - -### VirtualServer.TLS.CertManager - -The cert-manager field configures x509 automated Certificate management for VirtualServer resources using cert-manager (cert-manager.io). Please see the [cert-manager configuration documentation](https://cert-manager.io/docs/configuration/) for more information on deploying and configuring Issuers. Example: - -```yaml -cert-manager: - cluster-issuer: "my-issuer-name" -``` - -{{< table >}} - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``issuer`` | the name of an Issuer. An Issuer is a cert-manager resource which describes the certificate authority capable of signing certificates. The Issuer must be in the same namespace as the VirtualServer resource. Please note that one of `issuer` and `cluster-issuer` are required, but they are mutually exclusive - one and only one must be defined. | ``string`` | No | -|``cluster-issuer`` | the name of a ClusterIssuer. A ClusterIssuer is a cert-manager resource which describes the certificate authority capable of signing certificates. It does not matter which namespace your VirtualServer resides, as ClusterIssuers are non-namespaced resources. Please note that one of `issuer` and `cluster-issuer` are required, but they are mutually exclusive - one and only one must be defined. | ``string`` | No | -|``issuer-kind`` | The kind of the external issuer resource, for example AWSPCAIssuer. This is only necessary for out-of-tree issuers. This cannot be defined if `cluster-issuer` is also defined. | ``string`` | No | -|``issuer-group`` | The API group of the external issuer controller, for example awspca.cert-manager.io. This is only necessary for out-of-tree issuers. This cannot be defined if `cluster-issuer` is also defined. | ``string`` | No | -|``common-name`` | This field allows you to configure spec.commonName for the Certificate to be generated. This configuration adds a CN to the x509 certificate. 
| ``string`` | No | -|``duration`` | This field allows you to configure spec.duration field for the Certificate to be generated. Must be specified using a [Go time.Duration](https://pkg.go.dev/time#ParseDuration) string format, which does not allow the d (days) suffix. You must specify these values using s, m, and h suffixes instead. | ``string`` | No | -|``renew-before`` | this annotation allows you to configure spec.renewBefore field for the Certificate to be generated. Must be specified using a [Go time.Duration](https://pkg.go.dev/time#ParseDuration) string format, which does not allow the d (days) suffix. You must specify these values using s, m, and h suffixes instead. | ``string`` | No | -|``usages`` | This field allows you to configure spec.usages field for the Certificate to be generated. Pass a string with comma-separated values i.e. ``key agreement,digital signature, server auth``. An exhaustive list of supported key usages can be found in the [the cert-manager api documentation](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.KeyUsage). | ``string`` | No | -|``issue-temp-cert`` | When ``true``, ask cert-manager for a [temporary self-signed certificate](https://cert-manager.io/docs/usage/certificate/#temporary-certificates-while-issuing) pending the issuance of the Certificate. This allows HTTPS-only servers to use ACME HTTP01 challenges when the TLS secret does not exist yet. | ``boolean`` | No | - -{{< /table >}} - -### VirtualServer.Listener - -The listener field defines a custom HTTP and/or HTTPS listener. -The respective listeners used must reference the name of a listener defined using a [GlobalConfiguration](/nginx-ingress-controller/configuration/global-configuration/globalconfiguration-resource/) resource. 
- -For example: - -```yaml -http: http-8083 -https: https-8443 -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``http`` | The name of am HTTP listener defined in a [GlobalConfiguration](/nginx-ingress-controller/configuration/global-configuration/globalconfiguration-resource/) resource. | ``string`` | No | -|``https`` | The name of an HTTPS listener defined in a [GlobalConfiguration](/nginx-ingress-controller/configuration/global-configuration/globalconfiguration-resource/) resource. | ``string`` | No | - -### VirtualServer.ExternalDNS - -The externalDNS field configures controlling DNS records dynamically for VirtualServer resources using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). Please see the [ExternalDNS configuration documentation](https://kubernetes-sigs.github.io/external-dns/) for more information on deploying and configuring ExternalDNS and Providers. Example: - -```yaml -enable: true -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``enable`` | Enables ExternalDNS integration for a VirtualServer resource. The default is ``false``. | ``string`` | No | -|``labels`` | Configure labels to be applied to the Endpoint resources that will be consumed by ExternalDNS. | ``map[string]string`` | No | -|``providerSpecific`` | Configure provider specific properties which holds the name and value of a configuration which is specific to individual DNS providers. | [[]ProviderSpecific](#virtualserverexternaldnsproviderspecific) | No | -|``recordTTL`` | TTL for the DNS record. This defaults to 0 if not defined. See [the ExternalDNS TTL documentation for provider-specific defaults](https://kubernetes-sigs.github.io/external-dns/v0.14.2/ttl/#providers) | ``int64`` | No | -|``recordType`` | The record Type that should be created, e.g. "A", "AAAA", "CNAME". This is automatically computed based on the external endpoints if not defined. 
| ``string`` | No | - -### VirtualServer.ExternalDNS.ProviderSpecific - -The providerSpecific field of the externalDNS block allows the specification of provider specific properties which is a list of key value pairs of configurations which are specific to individual DNS providers. Example: - -```yaml -- name: my-name - value: my-value -- name: my-name2 - value: my-value2 -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``name`` | The name of the key value pair. | ``string`` | Yes | -|``value`` | The value of the key value pair. | ``string`` | Yes | - -### VirtualServer.Policy - -The policy field references a [Policy resource](/nginx-ingress-controller/configuration/policy-resource/) by its name and optional namespace. For example: - -```yaml -name: access-control -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``name`` | The name of a policy. If the policy doesn't exist or invalid, NGINX will respond with an error response with the `500` status code. | ``string`` | Yes | -|``namespace`` | The namespace of a policy. If not specified, the namespace of the VirtualServer resource is used. | ``string`` | No | - -### VirtualServer.Route - -The route defines rules for matching client requests to actions like passing a request to an upstream. For example: - -```yaml - path: /tea - action: - pass: tea -``` - -{{< table >}} - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``path`` | The path of the route. NGINX will match it against the URI of a request. Possible values are: a prefix ( ``/`` , ``/path`` ), an exact match ( ``=/exact/match`` ), a case insensitive regular expression ( ``~*^/Bar.*\.jpg`` ) or a case sensitive regular expression ( ``~^/foo.*\.jpg`` ). In the case of a prefix (must start with ``/`` ) or an exact match (must start with ``=`` ), the path must not include any whitespace characters, ``{`` , ``}`` or ``;``. 
In the case of the regex matches, all double quotes ``"`` must be escaped and the match can't end in an unescaped backslash ``\``. The path must be unique among the paths of all routes of the VirtualServer. Check the [location](https://nginx.org/en/docs/http/ngx_http_core_module.html#location) directive for more information. | ``string`` | Yes | -|``policies`` | A list of policies. The policies override the policies of the same type defined in the ``spec`` of the VirtualServer. See [Applying Policies](/nginx-ingress-controller/configuration/policy-resource/#applying-policies) for more details. | [[]policy](#virtualserverpolicy) | No | -|``action`` | The default action to perform for a request. | [action](#action) | No | -|``dos`` | A reference to a DosProtectedResource, setting this enables DOS protection of the VirtualServer route. | ``string`` | No | -|``splits`` | The default splits configuration for traffic splitting. Must include at least 2 splits. | [[]split](#split) | No | -|``matches`` | The matching rules for advanced content-based routing. Requires the default ``action`` or ``splits``. Unmatched requests will be handled by the default ``action`` or ``splits``. | [matches](#match) | No | -|``route`` | The name of a VirtualServerRoute resource that defines this route. If the VirtualServerRoute belongs to a different namespace than the VirtualServer, you need to include the namespace. For example, ``tea-namespace/tea``. | ``string`` | No | -|``errorPages`` | The custom responses for error codes. NGINX will use those responses instead of returning the error responses from the upstream servers or the default responses generated by NGINX. A custom response can be a redirect or a canned response. For example, a redirect to another URL if an upstream server responded with a 404 status code. | [[]errorPage](#errorpage) | No | -|``location-snippets`` | Sets a custom snippet in the location context. Overrides the ``location-snippets`` ConfigMap key. 
| ``string`` | No | - -{{< /table >}} - -\* -- a route must include exactly one of the following: `action`, `splits`, or `route`. - -## VirtualServerRoute specification - -The VirtualServerRoute resource defines a route for a VirtualServer. It can consist of one or multiple subroutes. The VirtualServerRoute is an alternative to [Mergeable Ingress types](/nginx-ingress-controller/configuration/ingress-resources/cross-namespace-configuration). - -In the example below, the VirtualServer `cafe` from the namespace `cafe-ns` defines a route with the path `/coffee`, which is further defined in the VirtualServerRoute `coffee` from the namespace `coffee-ns`. - -VirtualServer: - -```yaml -apiVersion: k8s.nginx.org/v1 -kind: VirtualServer -metadata: - name: cafe - namespace: cafe-ns -spec: - host: cafe.example.com - upstreams: - - name: tea - service: tea-svc - port: 80 - routes: - - path: /tea - action: - pass: tea - - path: /coffee - route: coffee-ns/coffee -``` - -VirtualServerRoute: - -```yaml -apiVersion: k8s.nginx.org/v1 -kind: VirtualServerRoute -metadata: - name: coffee - namespace: coffee-ns -spec: - host: cafe.example.com - upstreams: - - name: latte - service: latte-svc - port: 80 - - name: espresso - service: espresso-svc - port: 80 - subroutes: - - path: /coffee/latte - action: - pass: latte - - path: /coffee/espresso - action: - pass: espresso -``` - -Note that each subroute must have a `path` that starts with the same prefix (here `/coffee`), which is defined in the route of the VirtualServer. Additionally, the `host` in the VirtualServerRoute must be the same as the `host` of the VirtualServer. - -{{< table >}} - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``host`` | The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as ``my-app`` or ``hello.example.com``. When using a wildcard domain like ``*.example.com`` the domain must be contained in double quotes. 
Must be the same as the ``host`` of the VirtualServer that references this resource. | ``string`` | Yes | -|``upstreams`` | A list of upstreams. | [[]upstream](#upstream) | No | -|``subroutes`` | A list of subroutes. | [[]subroute](#virtualserverroutesubroute) | No | -|``ingressClassName`` | Specifies which Ingress Controller must handle the VirtualServerRoute resource. Must be the same as the ``ingressClassName`` of the VirtualServer that references this resource. | ``string`` | No | - -{{< /table >}} - -### VirtualServerRoute.Subroute - -The subroute defines rules for matching client requests to actions like passing a request to an upstream. For example: - -```yaml -path: /coffee -action: - pass: coffee -``` - -{{< table >}} - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``path`` | The path of the subroute. NGINX will match it against the URI of a request. Possible values are: a prefix ( ``/`` , ``/path`` ), an exact match ( ``=/exact/match`` ), a case insensitive regular expression ( ``~*^/Bar.*\.jpg`` ) or a case sensitive regular expression ( ``~^/foo.*\.jpg`` ). In the case of a prefix, the path must start with the same path as the path of the route of the VirtualServer that references this resource. In the case of an exact or regex match, the path must be the same as the path of the route of the VirtualServer that references this resource. A matching path of the route of the VirtualServer but in different type is not accepted, e.g. a regex path (`~/match`) cannot be used with a prefix path in VirtualServer (`/match`) In the case of a prefix or an exact match, the path must not include any whitespace characters, ``{`` , ``}`` or ``;``. In the case of the regex matches, all double quotes ``"`` must be escaped and the match can't end in an unescaped backslash ``\``. The path must be unique among the paths of all subroutes of the VirtualServerRoute. | ``string`` | Yes | -|``policies`` | A list of policies. 
The policies override *all* policies defined in the route of the VirtualServer that references this resource. The policies also override the policies of the same type defined in the ``spec`` of the VirtualServer. See [Applying Policies](/nginx-ingress-controller/configuration/policy-resource/#applying-policies) for more details. | [[]policy](#virtualserverpolicy) | No | -|``action`` | The default action to perform for a request. | [action](#action) | No | -|``dos`` | A reference to a DosProtectedResource, setting this enables DOS protection of the VirtualServerRoute subroute. | ``string`` | No | -|``splits`` | The default splits configuration for traffic splitting. Must include at least 2 splits. | [[]split](#split) | No | -|``matches`` | The matching rules for advanced content-based routing. Requires the default ``action`` or ``splits``. Unmatched requests will be handled by the default ``action`` or ``splits``. | [matches](#match) | No | -|``errorPages`` | The custom responses for error codes. NGINX will use those responses instead of returning the error responses from the upstream servers or the default responses generated by NGINX. A custom response can be a redirect or a canned response. For example, a redirect to another URL if an upstream server responded with a 404 status code. | [[]errorPage](#errorpage) | No | -|``location-snippets`` | Sets a custom snippet in the location context. Overrides the ``location-snippets`` of the VirtualServer (if set) or the ``location-snippets`` ConfigMap key. | ``string`` | No | - -{{< /table >}} - -\* -- a subroute must include exactly one of the following: `action` or `splits`. - -## Common VirtualServer and VirtualServerRoute specifications - -### Upstream - -The upstream defines a destination for the routing configuration. 
For example: - -```yaml -name: tea -service: tea-svc -subselector: - version: canary -port: 80 -lb-method: round_robin -fail-timeout: 10s -max-fails: 1 -max-conns: 32 -keepalive: 32 -connect-timeout: 30s -read-timeout: 30s -send-timeout: 30s -next-upstream: "error timeout non_idempotent" -next-upstream-timeout: 5s -next-upstream-tries: 10 -client-max-body-size: 2m -tls: - enable: true -``` - -{{< call-out "note" >}} The WebSocket protocol is supported without any additional configuration. {{< /call-out >}} - -{{< table >}} - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``name`` | The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, ``hello`` and ``upstream-123`` are valid. The name must be unique among all upstreams of the resource. | ``string`` | Yes | -|``service`` | The name of a [service](https://kubernetes.io/docs/concepts/services-networking/service/). The service must belong to the same namespace as the resource. If the service doesn't exist, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. For NGINX Plus only, services of type [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#externalname) are also supported (check the [prerequisites](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/externalname-services#prerequisites) ). | ``string`` | Yes | -|``subselector`` | Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. If the pod labels are updated, NGINX Ingress Controller will not see that change until the number of the pods is changed. | ``map[string]string`` | No | -|``use-cluster-ip`` | Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. 
When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like ``lb-method`` and ``next-upstream``) will have no effect, as NGINX Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. | ``boolean`` | No | -|``port`` | The port of the service. If the service doesn't define that port, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. The port must fall into the range ``1..65535``. | ``uint16`` | Yes | -|``lb-method`` | The load [balancing method](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#choosing-a-load-balancing-method). To use the round-robin method, specify ``round_robin``. The default is specified in the ``lb-method`` ConfigMap key. | ``string`` | No | -|``fail-timeout`` | The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen to consider the server unavailable. See the [fail_timeout](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#fail_timeout) parameter of the server directive. The default is set in the ``fail-timeout`` ConfigMap key. | ``string`` | No | -|``max-fails`` | The number of unsuccessful attempts to communicate with an upstream server that should happen in the duration set by the ``fail-timeout`` to consider the server unavailable. See the [max_fails](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_fails) parameter of the server directive. The default is set in the ``max-fails`` ConfigMap key. | ``int`` | No | -|``max-conns`` | The maximum number of simultaneous active connections to an upstream server. See the [max_conns](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_conns) parameter of the server directive. By default there is no limit. 
Note: if keepalive connections are enabled, the total number of active and idle keepalive connections to an upstream server may exceed the ``max_conns`` value. | ``int`` | No | -|``keepalive`` | Configures the cache for connections to upstream servers. The value ``0`` disables the cache. See the [keepalive](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive) directive. The default is set in the ``keepalive`` ConfigMap key. | ``int`` | No | -|``connect-timeout`` | The timeout for establishing a connection with an upstream server. See the [proxy_connect_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout) directive. The default is specified in the ``proxy-connect-timeout`` ConfigMap key. | ``string`` | No | -|``read-timeout`` | The timeout for reading a response from an upstream server. See the [proxy_read_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout) directive. The default is specified in the ``proxy-read-timeout`` ConfigMap key. | ``string`` | No | -|``send-timeout`` | The timeout for transmitting a request to an upstream server. See the [proxy_send_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout) directive. The default is specified in the ``proxy-send-timeout`` ConfigMap key. | ``string`` | No | -|``next-upstream`` | Specifies in which cases a request should be passed to the next upstream server. See the [proxy_next_upstream](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream) directive. The default is ``error timeout``. | ``string`` | No | -|``next-upstream-timeout`` | The time during which a request can be passed to the next upstream server. See the [proxy_next_upstream_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream_timeout) directive. The ``0`` value turns off the time limit. The default is ``0``. 
| ``string`` | No | -|``next-upstream-tries`` | The number of possible tries for passing a request to the next upstream server. See the [proxy_next_upstream_tries](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream_tries) directive. The ``0`` value turns off this limit. The default is ``0``. | ``int`` | No | -|``client-max-body-size`` | Sets the maximum allowed size of the client request body. See the [client_max_body_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) directive. The default is set in the ``client-max-body-size`` ConfigMap key. | ``string`` | No | -|``client-body-buffer-size`` | Sets the value of the [client_body_buffer_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) directive. | ``string`` | No | -|``tls`` | The TLS configuration for the Upstream. | [tls](#upstreamtls) | No | -|``healthCheck`` | The health check configuration for the Upstream. See the [health_check](https://nginx.org/en/docs/http/ngx_http_upstream_hc_module.html#health_check) directive. Note: this feature is supported only in NGINX Plus. | [healthcheck](#upstreamhealthcheck) | No | -|``slow-start`` | The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. See the [slow_start](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#slow_start) parameter of the server directive. Note: The parameter cannot be used along with the ``random`` , ``hash`` or ``ip_hash`` load balancing methods and will be ignored. | ``string`` | No | -|``queue`` | Configures a queue for an upstream. A client request will be placed into the queue if an upstream server cannot be selected immediately while processing the request. By default, no queue is configured. 
Note: this feature is supported only in NGINX Plus. | [queue](#upstreamqueue) | No | -|``buffering`` | Enables buffering of responses from the upstream server. See the [proxy_buffering](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering) directive. The default is set in the ``proxy-buffering`` ConfigMap key. | ``boolean`` | No | -|``buffers`` | Configures the buffers used for reading a response from the upstream server for a single connection. | [buffers](#upstreambuffers) | No | -|``buffer-size`` | Sets the size of the buffer used for reading the first part of a response received from the upstream server. See the [proxy_buffer_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) directive. The default is set in the ``proxy-buffer-size`` ConfigMap key. | ``string`` | No | -|``busy-buffer-size`` | Sets the size of the buffer used for reading a response from the upstream server when the response is larger than the ``buffer-size``. See the [proxy_busy_buffers_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_busy_buffers_size) directive. The default is set in the ``proxy-busy-buffers-size`` ConfigMap key. | ``string`` | No | -|``ntlm`` | Allows proxying requests with NTLM Authentication. See the [ntlm](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#ntlm) directive. In order for NTLM authentication to work, it is necessary to enable keepalive connections to upstream servers using the ``keepalive`` field. Note: this feature is supported only in NGINX Plus.| ``boolean`` | No | -|``type`` |The type of the upstream. Supported values are ``http`` and ``grpc``. The default is ``http``. For gRPC, it is necessary to enable HTTP/2 in the [ConfigMap](/nginx-ingress-controller/configuration/global-configuration/configmap-resource/#listeners) and configure TLS termination in the VirtualServer. 
| ``string`` | No | -|``backup`` | The name of the backup service of type [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#externalname). This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the ``random`` , ``hash`` or ``ip_hash`` load balancing methods. | ``string`` | No | -|``backupPort`` | The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range ``1..65535``. | ``uint16`` | No | - -{{< /table >}} - -### Upstream.Buffers - -The buffers field configures the buffers used for reading a response from the upstream server for a single connection: - -```yaml -number: 4 -size: 8K -``` - -See the [proxy_buffers](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers) directive for additional information. - -{{< table >}} - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``number`` | Configures the number of buffers. The default is set in the ``proxy-buffers`` ConfigMap key. | ``int`` | Yes | -|``size`` | Configures the size of a buffer. The default is set in the ``proxy-buffers`` ConfigMap key. | ``string`` | Yes | - -{{< /table >}} - -### Upstream.TLS - -{{< table >}} - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``enable`` | Enables HTTPS for requests to upstream servers. The default is ``False`` , meaning that HTTP will be used. Note: by default, NGINX will not verify the upstream server certificate. To enable the verification, configure an [EgressMTLS Policy](/nginx-ingress-controller/configuration/policy-resource/#egressmtls). | ``boolean`` | No | - -{{< /table >}} - -### Upstream.Queue - -The queue field configures a queue. 
A client request will be placed into the queue if an upstream server cannot be selected immediately while processing the request: - -```yaml -size: 10 -timeout: 60s -``` - -See [`queue`](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#queue) directive for additional information. - -{{< call-out "note" >}} This feature is only supported with NGINX Plus. {{< /call-out >}} - -{{< table >}} - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``size`` | The size of the queue. | ``int`` | Yes | -|``timeout`` | The timeout of the queue. A request cannot be queued for a period longer than the timeout. The default is ``60s``. | ``string`` | No | - -{{< /table >}} - -### Upstream.Healthcheck - -The Healthcheck defines an [active health check](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/). In the example below we enable a health check for an upstream and configure all the available parameters, including the `slow-start` parameter combined with [`mandatory` and `persistent`](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#mandatory-health-checks): - -```yaml -name: tea -service: tea-svc -port: 80 -slow-start: 30s -healthCheck: - enable: true - path: /healthz - interval: 20s - jitter: 3s - fails: 5 - passes: 5 - port: 8080 - tls: - enable: true - connect-timeout: 10s - read-timeout: 10s - send-timeout: 10s - headers: - - name: Host - value: my.service - statusMatch: "! 500" - mandatory: true - persistent: true - keepalive-time: 60s -``` - -{{< call-out "note" >}} This feature is only supported with NGINX Plus. {{< /call-out >}} - -{{< table >}} - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``enable`` | Enables a health check for an upstream server. The default is ``false``. | ``boolean`` | No | -|``path`` | The path used for health check requests. The default is ``/``. This not configurable for gRPC type upstreams. 
| ``string`` | No | -|``interval`` | The interval between two consecutive health checks. The default is ``5s``. | ``string`` | No | -|``jitter`` | The time within which each health check will be randomly delayed. By default, there is no delay. | ``string`` | No | -|``fails`` | The number of consecutive failed health checks of a particular upstream server after which this server will be considered unhealthy. The default is ``1``. | ``integer`` | No | -|``passes`` | The number of consecutive passed health checks of a particular upstream server after which the server will be considered healthy. The default is ``1``. | ``integer`` | No | -|``port`` | The port used for health check requests. By default, the [server port is used](https://nginx.org/en/docs/http/ngx_http_upstream_hc_module.html#health_check_port). Note: in contrast with the port of the upstream, this port is not a service port, but a port of a pod. | ``integer`` | No | -|``tls`` | The TLS configuration used for health check requests. By default, the ``tls`` field of the upstream is used. | [upstream.tls](#upstreamtls) | No | -|``connect-timeout`` | The timeout for establishing a connection with an upstream server. By default, the ``connect-timeout`` of the upstream is used. | ``string`` | No | -|``read-timeout`` | The timeout for reading a response from an upstream server. By default, the ``read-timeout`` of the upstream is used. | ``string`` | No | -|``send-timeout`` | The timeout for transmitting a request to an upstream server. By default, the ``send-timeout`` of the upstream is used. | ``string`` | No | -|``headers`` | The request headers used for health check requests. NGINX Plus always sets the ``Host`` , ``User-Agent`` and ``Connection`` headers for health check requests. | [[]header](#header) | No | -|``statusMatch`` | The expected response status codes of a health check. By default, the response should have status code 2xx or 3xx. Examples: ``"200"`` , ``"! 500"`` , ``"301-303 307"``. 
See the documentation of the [match](https://nginx.org/en/docs/http/ngx_http_upstream_hc_module.html?#match) directive. This not supported for gRPC type upstreams. | ``string`` | No | -|``grpcStatus`` | The expected [gRPC status code](https://github.com/grpc/grpc/blob/master/doc/statuscodes.md#status-codes-and-their-use-in-grpc) of the upstream server response to the [Check method](https://github.com/grpc/grpc/blob/master/doc/health-checking.md). Configure this field only if your gRPC services do not implement the gRPC health checking protocol. For example, configure ``12`` if the upstream server responds with `12 (UNIMPLEMENTED)` status code. Only valid on gRPC type upstreams. | ``int`` | No | -|``grpcService`` | The gRPC service to be monitored on the upstream server. Only valid on gRPC type upstreams. | ``string`` | No | -|``mandatory`` | Require every newly added server to pass all configured health checks before NGINX Plus sends traffic to it. If this is not specified, or is set to false, the server will be initially considered healthy. When combined with [slow-start](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#slow_start), it gives a new server more time to connect to databases and “warm up” before being asked to handle their full share of traffic. | ``bool`` | No | -|``persistent`` | Set the initial “up” state for a server after reload if the server was considered healthy before reload. Enabling persistent requires that the mandatory parameter is also set to `true`. | ``bool`` | No | -|``keepalive-time`` | Enables [keepalive](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive) connections for health checks and specifies the time during which requests can be processed through one keepalive connection. The default is ``60s``. 
| ``string`` | No | - -{{< /table >}} - -### Upstream.SessionCookie - -The SessionCookie field configures session persistence which allows requests from the same client to be passed to the same upstream server. The information about the designated upstream server is passed in a session cookie generated by NGINX Plus. - -In the example below, we configure session persistence with a session cookie for an upstream and configure all the available parameters: - -```yaml -name: tea -service: tea-svc -port: 80 -sessionCookie: - enable: true - name: srv_id - path: / - expires: 1h - domain: .example.com - httpOnly: false - secure: true - samesite: strict -``` - -See the [`sticky`](https://nginx.org/en/docs/http/ngx_http_upstream_module.html?#sticky) directive for additional information. The session cookie corresponds to the `sticky cookie` method. - -{{< call-out "note" >}} This feature is only supported with NGINX Plus. {{< /call-out >}} - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``enable`` | Enables session persistence with a session cookie for an upstream server. The default is ``false``. | ``boolean`` | No | -|``name`` | The name of the cookie. | ``string`` | Yes | -|``path`` | The path for which the cookie is set. | ``string`` | No | -|``expires`` | The time for which a browser should keep the cookie. Can be set to the special value ``max`` , which will cause the cookie to expire on ``31 Dec 2037 23:55:55 GMT``. | ``string`` | No | -|``domain`` | The domain for which the cookie is set. | ``string`` | No | -|``httpOnly`` | Adds the ``HttpOnly`` attribute to the cookie. | ``boolean`` | No | -|``secure`` | Adds the ``Secure`` attribute to the cookie. | ``boolean`` | No | -|``samesite`` | Adds the ``SameSite`` attribute to the cookie. 
The allowed values are: ``strict``, ``lax``, ``none`` | ``string`` | No | - -### Header - -The header defines an HTTP Header: - -```yaml -name: Host -value: example.com -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``name`` | The name of the header. | ``string`` | Yes | -|``value`` | The value of the header. | ``string`` | No | - -### Action - -The action defines an action to perform for a request. - -In the example below, client requests are passed to an upstream `coffee`: - -```yaml - path: /coffee - action: - pass: coffee -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``pass`` | Passes requests to an upstream. The upstream with that name must be defined in the resource. | ``string`` | No | -|``redirect`` | Redirects requests to a provided URL. | [action.redirect](#actionredirect) | No | -|``return`` | Returns a preconfigured response. | [action.return](#actionreturn) | No | -|``proxy`` | Passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). | [action.proxy](#actionproxy) | No | - -\* -- an action must include exactly one of the following: `pass`, `redirect`, `return` or `proxy`. - -### Action.Redirect - -The redirect action defines a redirect to return for a request. - -In the example below, client requests are passed to a url `http://www.nginx.com`: - -```yaml -redirect: - url: http://www.nginx.com - code: 301 -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``url`` | The URL to redirect the request to. Supported NGINX variables: ``$scheme`` , ``$http_x_forwarded_proto`` , ``$request_uri`` , ``$host``. Variables must be enclosed in curly braces. For example: ``${host}${request_uri}``. | ``string`` | Yes | -|``code`` | The status code of a redirect. The allowed values are: ``301`` , ``302`` , ``307`` , ``308``. The default is ``301``. 
| ``int`` | No | - -### Action.Return - -The return action defines a preconfigured response for a request. - -In the example below, NGINX will respond with the preconfigured response for every request: - -```yaml -return: - code: 200 - type: text/plain - body: "Hello World\n" - headers: - - name: x-coffee - value: espresso -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``code`` | The status code of the response. The allowed values are: ``2XX``, ``4XX`` or ``5XX``. The default is ``200``. | ``int`` | No | -|``type`` | The MIME type of the response. The default is ``text/plain``. | ``string`` | No | -|``body`` | The body of the response. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: ``Request is ${request_uri}\n``. | ``string`` | Yes | -|``headers`` | The custom headers of the response. | [[]Action.Return.Header](#actionreturnheader) | No | - -\* -- Supported NGINX variables: `$request_uri`, `$request_method`, `$request_body`, `$scheme`, `$http_`, `$args`, `$arg_`, `$cookie_`, `$host`, `$request_time`, `$request_length`, `$nginx_version`, `$pid`, `$connection`, `$remote_addr`, `$remote_port`, `$time_iso8601`, `$time_local`, `$server_addr`, `$server_port`, `$server_name`, `$server_protocol`, `$connections_active`, `$connections_reading`, `$connections_writing` and `$connections_waiting`. - -### Action.Return.Header - -The header defines an HTTP Header for a canned response in an actionReturn: - -```yaml -name: x-coffee -value: espresso -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``name`` | The name of the header. | ``string`` | Yes | -|``value`` | The value of the header. | ``string`` | Yes | - -### Action.Proxy - -The proxy action passes requests to an upstream with the ability to modify the request/response (for example, rewrite the URI or modify the headers). 
- -In the example below, the request URI is rewritten to `/`, and the request and the response headers are modified: - -```yaml -proxy: - upstream: coffee - requestHeaders: - pass: true - set: - - name: My-Header - value: Value - - name: Client-Cert - value: ${ssl_client_escaped_cert} - responseHeaders: - add: - - name: My-Header - value: Value - - name: IC-Nginx-Version - value: ${nginx_version} - always: true - hide: - - x-internal-version - ignore: - - Expires - - Set-Cookie - pass: - - Server - rewritePath: / -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``upstream`` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | ``string`` | Yes | -|``requestHeaders`` | The request headers modifications. | [action.Proxy.RequestHeaders](#actionproxyrequestheaders) | No | -|``responseHeaders`` | The response headers modifications. | [action.Proxy.ResponseHeaders](#actionproxyresponseheaders) | No | -|``rewritePath`` | The rewritten URI. If the route path is a regular expression -- starts with `~` -- the `rewritePath` can include capture groups with ``$1-9``. For example `$1` for the first group, and so on. For more information, check the [rewrite](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/custom-resources/rewrites) example. | ``string`` | No | - -### Action.Proxy.RequestHeaders - -The RequestHeaders field modifies the headers of the request to the proxied upstream server. - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``pass`` | Passes the original request headers to the proxied upstream server. See the [proxy_pass_request_header](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_request_headers) directive for more information. Default is true. | ``bool`` | No | -|``set`` | Allows redefining or appending fields to present request headers passed to the proxied upstream servers. 
See the [proxy_set_header](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header) directive for more information. | [[]header](#actionproxyrequestheaderssetheader) | No | - -### Action.Proxy.RequestHeaders.Set.Header - -The header defines an HTTP Header: - -```yaml -name: My-Header -value: My-Value -``` - -It is possible to override the default value of the `Host` header, which NGINX Ingress Controller sets to [`$host`](https://nginx.org/en/docs/http/ngx_http_core_module.html#var_host): - -```yaml -name: Host -value: example.com -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``name`` | The name of the header. | ``string`` | Yes | -|``value`` | The value of the header. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: ``${scheme}``. | ``string`` | No | - -\* -- Supported NGINX variables: `$request_uri`, `$request_method`, `$request_body`, `$scheme`, `$http_`, `$args`, `$arg_`, `$cookie_`, `$host`, `$request_time`, `$request_length`, `$nginx_version`, `$pid`, `$connection`, `$remote_addr`, `$remote_port`, `$time_iso8601`, `$time_local`, `$server_addr`, `$server_port`, `$server_name`, `$server_protocol`, `$connections_active`, `$connections_reading`, `$connections_writing`, `$connections_waiting`, `$ssl_cipher`, `$ssl_ciphers`, `$ssl_client_cert`, `$ssl_client_escaped_cert`, `$ssl_client_fingerprint`, `$ssl_client_i_dn`, `$ssl_client_i_dn_legacy`, `$ssl_client_raw_cert`, `$ssl_client_s_dn`, `$ssl_client_s_dn_legacy`, `$ssl_client_serial`, `$ssl_client_v_end`, `$ssl_client_v_remain`, `$ssl_client_v_start`, `$ssl_client_verify`, `$ssl_curves`, `$ssl_early_data`, `$ssl_protocol`, `$ssl_server_name`, `$ssl_session_id`, `$ssl_session_reused`, `$jwt_claim_` (NGINX Plus only) and `$jwt_header_` (NGINX Plus only). - -### Action.Proxy.ResponseHeaders - -The ResponseHeaders field modifies the headers of the response to the client. 
- -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``hide`` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the [proxy_hide_header](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) directive for more information. | ``[]string`` | No | -|``pass`` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the [proxy_pass_header](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header) directive for more information. | ``[]string`` | No | -|``ignore`` | Disables processing of certain headers** to the client from a proxied upstream server. See the [proxy_ignore_headers](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ignore_headers) directive for more information. | ``[]string`` | No | -|``add`` | Adds headers to the response to the client. | [[]addHeader](#addheader) | No | - -\* -- Default hidden headers are: `Date`, `Server`, `X-Pad` and `X-Accel-...`. - -\** -- The following fields can be ignored: `X-Accel-Redirect`, `X-Accel-Expires`, `X-Accel-Limit-Rate`, `X-Accel-Buffering`, `X-Accel-Charset`, `Expires`, `Cache-Control`, `Set-Cookie` and `Vary`. - -### AddHeader - -The addHeader defines an HTTP Header with an optional `always` field: - -```yaml -name: My-Header -value: My-Value -always: true -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``name`` | The name of the header. | ``string`` | Yes | -|``value`` | The value of the header. Supports NGINX variables*. Variables must be enclosed in curly brackets. For example: ``${scheme}``. | ``string`` | No | -|``always`` | If set to true, add the header regardless of the response status code**. Default is false. See the [add_header](http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header) directive for more information. 
| ``bool`` | No | - -\* -- Supported NGINX variables: `$request_uri`, `$request_method`, `$request_body`, `$scheme`, `$http_`, `$args`, `$arg_`, `$cookie_`, `$host`, `$request_time`, `$request_length`, `$nginx_version`, `$pid`, `$connection`, `$remote_addr`, `$remote_port`, `$time_iso8601`, `$time_local`, `$server_addr`, `$server_port`, `$server_name`, `$server_protocol`, `$connections_active`, `$connections_reading`, `$connections_writing`, `$connections_waiting`, `$ssl_cipher`, `$ssl_ciphers`, `$ssl_client_cert`, `$ssl_client_escaped_cert`, `$ssl_client_fingerprint`, `$ssl_client_i_dn`, `$ssl_client_i_dn_legacy`, `$ssl_client_raw_cert`, `$ssl_client_s_dn`, `$ssl_client_s_dn_legacy`, `$ssl_client_serial`, `$ssl_client_v_end`, `$ssl_client_v_remain`, `$ssl_client_v_start`, `$ssl_client_verify`, `$ssl_curves`, `$ssl_early_data`, `$ssl_protocol`, `$ssl_server_name`, `$ssl_session_id`, `$ssl_session_reused`, `$jwt_claim_` (NGINX Plus only) and `$jwt_header_` (NGINX Plus only). - -{{< call-out "note" >}} If `always` is false, the response header is added only if the response status code is any of `200`, `201`, `204`, `206`, `301`, `302`, `303`, `304`, `307` or `308`. {{< /call-out >}} - -### Split - -The split defines a weight for an action as part of the splits configuration. - -In the example below NGINX passes 80% of requests to the upstream `coffee-v1` and the remaining 20% to `coffee-v2`: - -```yaml -splits: -- weight: 80 - action: - pass: coffee-v1 -- weight: 20 - action: - pass: coffee-v2 -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``weight`` | The weight of an action. Must fall into the range ``0..100``. The sum of the weights of all splits must be equal to ``100``. | ``int`` | Yes | -|``action`` | The action to perform for a request. | [action](#action) | Yes | - -### Match - -The match defines a match between conditions and an action or splits. 
- -In the example below, NGINX routes requests with the path `/coffee` to different upstreams based on the value of the cookie `user`: - -- `user=john` -> `coffee-future` -- `user=bob` -> `coffee-deprecated` -- If the cookie is not set or not equal to either `john` or `bob`, NGINX routes to `coffee-stable` - -```yaml -path: /coffee -matches: -- conditions: - - cookie: user - value: john - action: - pass: coffee-future -- conditions: - - cookie: user - value: bob - action: - pass: coffee-deprecated -action: - pass: coffee-stable -``` - -In the next example, NGINX routes requests based on the value of the built-in [`$request_method` variable](https://nginx.org/en/docs/http/ngx_http_core_module.html#var_request_method), which represents the HTTP method of a request: - -- all POST requests -> `coffee-post` -- all non-POST requests -> `coffee` - -```yaml -path: /coffee -matches: -- conditions: - - variable: $request_method - value: POST - action: - pass: coffee-post -action: - pass: coffee -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``conditions`` | A list of conditions. Must include at least 1 condition. | [[]condition](#condition) | Yes | -|``action`` | The action to perform for a request. | [action](#action) | No | -|``splits`` | The splits configuration for traffic splitting. Must include at least 2 splits. | [[]split](#split) | No | - -{{< call-out "note" >}} A match must include exactly one of the following: `action` or `splits`. {{< /call-out >}} - -### Condition - -The condition defines a condition in a match. - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``header`` | The name of a header. Must consist of alphanumeric characters or ``-``. | ``string`` | No | -|``cookie`` | The name of a cookie. Must consist of alphanumeric characters or ``_``. | ``string`` | No | -|``argument`` | The name of an argument. Must consist of alphanumeric characters or ``_``. 
| ``string`` | No | -|``variable`` | The name of an NGINX variable. Must start with ``$``. See the list of the supported variables below the table. | ``string`` | No | -|``value`` | The value to match the condition against. How to define a value is shown below the table. | ``string`` | Yes | - -{{< call-out "note" >}} a condition must include exactly one of the following: `header`, `cookie`, `argument` or `variable`. {{< /call-out >}} - -Supported NGINX variables: `$args`, `$http2`, `$https`, `$remote_addr`, `$remote_port`, `$query_string`, `$request`, `$request_body`, `$request_uri`, `$request_method`, `$scheme`. Find the documentation for each variable [here](https://nginx.org/en/docs/varindex.html). - -The value supports two kinds of matching: - -- *Case-insensitive string comparison*. For example: - - `john` -- case-insensitive matching that succeeds for strings, such as `john`, `John`, `JOHN`. - - `!john` -- negation of the case-insensitive matching for john that succeeds for strings, such as `bob`, `anything`, `''` (empty string). -- *Matching with a regular expression*. Note that NGINX supports regular expressions compatible with those used by the Perl programming language (PCRE). For example: - - `~^yes` -- a case-sensitive regular expression that matches any string that starts with `yes`. For example: `yes`, `yes123`. - - `!~^yes` -- negation of the previous regular expression that succeeds for strings like `YES`, `Yes123`, `noyes`. (The negation mechanism is not part of the PCRE syntax). - - `~*no$` -- a case-insensitive regular expression that matches any string that ends with `no`. For example: `no`, `123no`, `123NO`. - -{{< call-out "note" >}} A value must not include any unescaped double quotes (`"`) and must not end with an unescaped backslash (`\`). For example, the following are invalid values: `some"value`, `somevalue\`. 
{{< /call-out >}} - -### ErrorPage - -The errorPage defines a custom response for a route for the case when either an upstream server responds with (or NGINX generates) an error status code. The custom response can be a redirect or a canned response. See the [error_page](https://nginx.org/en/docs/http/ngx_http_core_module.html#error_page) directive for more information. - -```yaml -path: /coffee -errorPages: -- codes: [502, 503] - redirect: - code: 301 - url: https://nginx.org -- codes: [404] - return: - code: 200 - body: "Original resource not found, but success!" -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``codes`` | A list of error status codes. | ``[]int`` | Yes | -|``redirect`` | The redirect action for the given status codes. | [errorPage.Redirect](#errorpageredirect) | No | -|``return`` | The canned response action for the given status codes. | [errorPage.Return](#errorpagereturn) | No | - -{{< call-out "note" >}} An errorPage must include exactly one of the following: `return` or `redirect`. {{< /call-out >}} - -### ErrorPage.Redirect - -The redirect defines a redirect for an errorPage. - -In the example below, NGINX responds with a redirect when a response from an upstream server has a 404 status code. - -```yaml -codes: [404] -redirect: - code: 301 - url: ${scheme}://cafe.example.com/error.html -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``code`` | The status code of a redirect. The allowed values are: ``301`` , ``302`` , ``307`` , ``308``. The default is ``301``. | ``int`` | No | -|``url`` | The URL to redirect the request to. Supported NGINX variables: ``$scheme`` and ``$http_x_forwarded_proto``. Variables must be enclosed in curly braces. For example: ``${scheme}``. | ``string`` | Yes | - -### ErrorPage.Return - -The return defines a canned response for an errorPage. 
- -In the example below, NGINX responds with a canned response when a response from an upstream server has either 401 or 403 status code. - -```yaml -codes: [401, 403] -return: - code: 200 - type: application/json - body: | - {\"msg\": \"You don't have permission to do this\"} - headers: - - name: x-debug-original-statuses - value: ${upstream_status} -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``code`` | The status code of the response. The default is the status code of the original response. | ``int`` | No | -|``type`` | The MIME type of the response. The default is ``text/html``. | ``string`` | No | -|``body`` | The body of the response. Supported NGINX variable: ``$upstream_status`` . Variables must be enclosed in curly braces. For example: ``${upstream_status}``. | ``string`` | Yes | -|``headers`` | The custom headers of the response. | [[]errorPage.Return.Header](#errorpagereturnheader) | No | - -### ErrorPage.Return.Header - -The header defines an HTTP Header for a canned response in an errorPage: - -```yaml -name: x-debug-original-statuses -value: ${upstream_status} -``` - -|Field | Description | Type | Required | -| ---| ---| ---| --- | -|``name`` | The name of the header. | ``string`` | Yes | -|``value`` | The value of the header. Supported NGINX variable: ``$upstream_status`` . Variables must be enclosed in curly braces. For example: ``${upstream_status}``. | ``string`` | No | - -## Using VirtualServer and VirtualServerRoute - -You can use the usual `kubectl` commands to work with VirtualServer and VirtualServerRoute resources, similar to Ingress resources. 
- -For example, the following command creates a VirtualServer resource defined in `cafe-virtual-server.yaml` with the name `cafe`: - -```shell -kubectl apply -f cafe-virtual-server.yaml -``` - -```text -virtualserver.k8s.nginx.org "cafe" created -``` - -You can get the resource by running: - -```shell -kubectl get virtualserver cafe -``` - -```text -NAME STATE HOST IP PORTS AGE -cafe Valid cafe.example.com 12.13.23.123 [80,443] 3m -``` - -In `kubectl get` and similar commands, you can use the short name `vs` instead of `virtualserver`. - -Similarly, for VirtualServerRoute you can use `virtualserverroute` or the short name `vsr`. - -### Using Snippets - -Snippets allow you to insert raw NGINX config into different contexts of NGINX configuration. In the example below, we use snippets to configure several NGINX features in a VirtualServer: - -```yaml -apiVersion: k8s.nginx.org/v1 -kind: VirtualServer -metadata: - name: cafe - namespace: cafe -spec: - http-snippets: | - limit_req_zone $binary_remote_addr zone=mylimit:10m rate=1r/s; - proxy_cache_path /tmp keys_zone=one:10m; - host: cafe.example.com - tls: - secret: cafe-secret - server-snippets: | - limit_req zone=mylimit burst=20; - upstreams: - - name: tea - service: tea-svc - port: 80 - - name: coffee - service: coffee-svc - port: 80 - routes: - - path: /tea - location-snippets: | - proxy_cache one; - proxy_cache_valid 200 10m; - action: - pass: tea - - path: /coffee - action: - pass: coffee -``` - -For additional information, view the [Advanced configuration with Snippets]({{< ref "/nic/configuration/ingress-resources/advanced-configuration-with-snippets.md" >}}) topic. - -### Validation - -Two types of validation are available for VirtualServer and VirtualServerRoute resources: - -- *Structural validation* by the `kubectl` and Kubernetes API server. -- *Comprehensive validation* by NGINX Ingress Controller. 
- -#### Structural Validation - -The custom resource definitions for VirtualServer and VirtualServerRoute include structural OpenAPI schema which describes the type of every field of those resources. - -If you try to create (or update) a resource that violates the structural schema (for example, you use a string value for the port field of an upstream), `kubectl` and Kubernetes API server will reject such a resource: - -- Example of `kubectl` validation: - - ```shell - kubectl apply -f cafe-virtual-server.yaml - ``` - - ```text - error: error validating "cafe-virtual-server.yaml": error validating data: ValidationError(VirtualServer.spec.upstreams[0].port): invalid type for org.nginx.k8s.v1.VirtualServer.spec.upstreams.port: got "string", expected "integer"; if you choose to ignore these errors, turn validation off with --validate=false - ``` - -- Example of Kubernetes API server validation: - - ```shell - kubectl apply -f cafe-virtual-server.yaml --validate=false - ``` - - ```text - The VirtualServer "cafe" is invalid: []: Invalid value: map[string]interface {}{ ... }: validation failure list: - spec.upstreams.port in body must be of type integer: "string" - ``` - -If a resource is not rejected (it doesn't violate the structural schema), NGINX Ingress Controller will validate it further. - -#### Comprehensive Validation - -NGINX Ingress Controller validates the fields of the VirtualServer and VirtualServerRoute resources. If a resource is invalid, NGINX Ingress Controller will reject it: the resource will continue to exist in the cluster, but NGINX Ingress Controller will ignore it. - -You can check if NGINX Ingress Controller successfully applied the configuration for a VirtualServer. For our example `cafe` VirtualServer, we can run: - -```shell -kubectl describe vs cafe -``` - -```text -... 
-Events: - Type Reason Age From Message - ---- ------ ---- ---- ------- - Normal AddedOrUpdated 16s nginx-ingress-controller Configuration for default/cafe was added or updated -``` - -Note how the events section includes a Normal event with the AddedOrUpdated reason that informs us that the configuration was successfully applied. - -If you create an invalid resource, NGINX Ingress Controller will reject it and emit a Rejected event. For example, if you create a VirtualServer `cafe` with two upstream with the same name `tea`, you will get: - -```shell -kubectl describe vs cafe -``` - -```text -... -Events: - Type Reason Age From Message - ---- ------ ---- ---- ------- - Warning Rejected 12s nginx-ingress-controller VirtualServer default/cafe is invalid and was rejected: spec.upstreams[1].name: Duplicate value: "tea" -``` - -Note how the events section includes a Warning event with the Rejected reason. - -Additionally, this information is also available in the `status` field of the VirtualServer resource. Note the Status section of the VirtualServer: - -```shell -kubectl describe vs cafe -``` - -```text -... -Status: - External Endpoints: - Ip: 12.13.23.123 - Ports: [80,443] - Message: VirtualServer default/cafe is invalid and was rejected: spec.upstreams[1].name: Duplicate value: "tea" - Reason: Rejected - State: Invalid -``` - -NGINX Ingress Controller validates VirtualServerRoute resources in a similar way. - -**Note**: If you make an existing resource invalid, NGINX Ingress Controller will reject it and remove the corresponding configuration from NGINX. - -## Customization using ConfigMap - -You can customize the NGINX configuration for VirtualServer and VirtualServerRoutes resources using the [ConfigMap](/nginx-ingress-controller/configuration/global-configuration/configmap-resource). 
Most of the ConfigMap keys are supported, with the following exceptions: - -- `proxy-hide-headers` -- `proxy-pass-headers` -- `hsts` -- `hsts-max-age` -- `hsts-include-subdomains` -- `hsts-behind-proxy` -- `redirect-to-https` -- `ssl-redirect` From 51c9fda98c894dc9a5d2b7b4b0b3fec3bf1696e3 Mon Sep 17 00:00:00 2001 From: AlexFenlon Date: Fri, 5 Dec 2025 09:55:27 +0000 Subject: [PATCH 12/23] Delete content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md --- ...advanced-configuration-with-annotations.md | 249 ------------------ 1 file changed, 249 deletions(-) delete mode 100644 content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md diff --git a/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md b/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md deleted file mode 100644 index 99caae078..000000000 --- a/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md +++ /dev/null 
@@ -1,249 +0,0 @@ ---- -title: Advanced configuration with Annotations -toc: true -weight: 200 -nd-content-type: how-to -nd-product: INGRESS -nd-docs: DOCS-591 ---- - -This topic explains how to enable advanced features in F5 NGINX Ingress Controller with Annotations. - -The Ingress resource can use basic NGINX features such as host or path-based routing and TLS termination. Advanced features like rewriting the request URI or inserting additional response headers can be enabled with Annotations. - -Outside of advanced features, Annotations are necessary for customizing NGINX behavior such as setting the value of connection timeouts. - -Customization is also available through the [ConfigMap]({{< relref "/configuration/global-configuration/configmap-resource.md" >}}) resources: Annotations take priority. - -## Using Annotations - -This example uses Annotations to customize the configuration for an Ingress resource: - -```yaml -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: cafe-ingress-with-annotations - annotations: - nginx.org/proxy-connect-timeout: "30s" - nginx.org/proxy-read-timeout: "20s" - nginx.org/client-max-body-size: "4m" - nginx.org/server-snippets: | - location / { - return 302 /coffee; - } -spec: - rules: - - host: cafe.example.com - http: - paths: - - path: /tea - pathType: Prefix - backend: - service: - name: tea-svc - port: - number: 80 - - path: /coffee - pathType: Prefix - backend: - service: - name: coffee-svc - port: - number: 80 -``` - -## Validation - -NGINX Ingress Controller validates the annotations of Ingress resources. If an Ingress is invalid, NGINX Ingress Controller will reject it: the Ingress will continue to exist in the cluster, but NGINX Ingress Controller will ignore it. - -You can check if NGINX Ingress Controller successfully applied the configuration for an Ingress resource. 
For the example `cafe-ingress-with-annotations` Ingress, you can run: - -```shell -kubectl describe ing cafe-ingress-with-annotations -``` - -```text -... -Events: - Type Reason Age From Message - ---- ------ ---- ---- ------- - Normal AddedOrUpdated 3s nginx-ingress-controller Configuration for default/cafe-ingress-with-annotations was added or updated -``` - -The events section includes a Normal event with the AddedOrUpdated reason that informs us that the configuration was successfully applied. - -If you create an invalid Ingress, NGINX Ingress Controller will reject it and emit a Rejected event. For example, if you create an Ingress `cafe-ingress-with-annotations`, with an annotation `nginx.org/redirect-to-https` set to `yes please` instead of `true`, you will get: - -```shell -kubectl describe ing cafe-ingress-with-annotations -``` - -```text -Events: - Type Reason Age From Message - ---- ------ ---- ---- ------- - Warning Rejected 13s nginx-ingress-controller annotations.nginx.org/redirect-to-https: Invalid value: "yes please": must be a boolean -``` - -Note how the events section includes a Warning event with the Rejected reason. - -{{< call-out "note" >}} If you make an existing Ingress invalid, NGINX Ingress Controller will reject it and remove the corresponding configuration from NGINX. {{< /call-out >}} - -The `nginx.com/jwt-token` Ingress annotation has limited validation. - -## Summary of Annotations - -The table below summarizes the available annotations. - -{{< call-out "note" >}} Annotations that start with `nginx.com` are only supported with NGINX Plus. 
{{< /call-out >}} - -### General customization - -{{< table >}} - -|Annotation | ConfigMap Key | Description | Default | Example | -| ---| ---| ---| ---| --- | -| *nginx.org/proxy-connect-timeout* | *proxy-connect-timeout* | Sets the value of the [proxy_connect_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout) and [grpc_connect_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_connect_timeout) directive. | *60s* | | -| *nginx.org/proxy-read-timeout* | *proxy-read-timeout* | Sets the value of the [proxy_read_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout) and [grpc_read_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_read_timeout) directive. | *60s* | | -| *nginx.org/proxy-send-timeout* | *proxy-send-timeout* | Sets the value of the [proxy_send_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout) and [grpc_send_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_send_timeout) directive. | *60s* | | -| *nginx.org/client-max-body-size* | *client-max-body-size* | Sets the value of the [client_max_body_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) directive. | *1m* | | -| *nginx.org/client-body-buffer-size* | *client-body-buffer-size* | Sets the value of the [client_body_buffer_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) directive. | N/A | | -| *nginx.org/proxy-buffering* | *proxy-buffering* | Enables or disables [buffering of responses](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering) from the proxied server. | *True* | | -| *nginx.org/proxy-buffers* | *proxy-buffers* | Sets the value of the [proxy_buffers](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers) directive. | Depends on the platform. 
| | -| *nginx.org/proxy-buffer-size* | *proxy-buffer-size* | Sets the value of the [proxy_buffer_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) and [grpc_buffer_size](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size) directives. | Depends on the platform. | | -| *nginx.org/proxy-busy-buffers-size* | *proxy-busy-buffers-size* | Sets the value of the [proxy_busy_buffers_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_busy_buffers_size) directive. | Depends on the platform. | | -| *nginx.org/proxy-max-temp-file-size* | *proxy-max-temp-file-size* | Sets the value of the [proxy_max_temp_file_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_max_temp_file_size) directive. | *1024m* | | -| *nginx.org/server-tokens* | *server-tokens* | Enables or disables the [server_tokens](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens) directive. Additionally, with the NGINX Plus, you can specify a custom string value, including the empty string value, which disables the emission of the “Server” field. | *True* | | -| *nginx.org/path-regex* | N/A | Enables regular expression modifiers for Ingress path parameter. This translates to the NGINX [location](https://nginx.org/en/docs/http/ngx_http_core_module.html#location) directive. You can specify one of these values: "case_sensitive", "case_insensitive", or "exact". The annotation is applied to the entire Ingress resource and its paths. While using Master and Minion Ingresses i.e. Mergeable Ingresses, this annotation can be specified on Minion types. The `path-regex` annotation specified on Master is ignored, and has no effect on paths defined on Minions. 
| N/A | [path-regex](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/path-regex) | - -{{< /table >}} - -### Request URI/Header Manipulation - -{{< table >}} - -|Annotation | ConfigMap Key | Description | Default | Example | -| ---| ---| ---| ---| --- | -| *nginx.org/proxy-hide-headers* | *proxy-hide-headers* | Sets the value of one or more [proxy_hide_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) directives. Example: ``"nginx.org/proxy-hide-headers": "header-a,header-b"* | N/A | | -| *nginx.org/proxy-pass-headers* | *proxy-pass-headers* | Sets the value of one or more [proxy_pass_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header) directives. Example: ``"nginx.org/proxy-pass-headers": "header-a,header-b"* | N/A | | -| *nginx.org/rewrites* | N/A | Configures URI rewriting using [proxy_pass](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass) directive. | N/A | [rewrites](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/rewrites) | -|*nginx.org/proxy-set-headers* | N/A | Enables customization of proxy headers and values using the [proxy_set_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header) directive. Example: ``"nginx.org/proxy-set-headers": "header-a: valueA,header-b: valueB,header-c: valueC"`` | N/A | [Proxy Set Headers](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/proxy-set-headers). | - -{{< /table >}} - -### Auth and SSL/TLS - -{{< table >}} - -|Annotation | ConfigMap Key | Description | Default | Example | -| ---| ---| ---| ---| --- | -| *nginx.org/redirect-to-https* | *redirect-to-https* | Sets the 301 redirect rule based on the value of the ``http_x_forwarded_proto* header on the server block to force incoming traffic to be over HTTPS. 
Useful when terminating SSL in a load balancer in front of NGINX Ingress Controller — see [115](https://github.com/nginx/kubernetes-ingress/issues/115) | *False* | | -| *ingress.kubernetes.io/ssl-redirect* | *ssl-redirect* | Sets an unconditional 301 redirect rule for all incoming HTTP traffic to force incoming traffic over HTTPS. | *True* | | -| *nginx.org/hsts* | *hsts* | Enables [HTTP Strict Transport Security (HSTS)](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/)\ : the HSTS header is added to the responses from backends. The ``preload* directive is included in the header. | *False* | | -| *nginx.org/hsts-max-age* | *hsts-max-age* | Sets the value of the ``max-age* directive of the HSTS header. | *2592000* (1 month) | | -| *nginx.org/hsts-include-subdomains* | *hsts-include-subdomains* | Adds the ``includeSubDomains* directive to the HSTS header. | *False* | | -| *nginx.org/hsts-behind-proxy* | *hsts-behind-proxy* | Enables HSTS based on the value of the ``http_x_forwarded_proto* request header. Should only be used when TLS termination is configured in a load balancer (proxy) in front of NGINX Ingress Controller. Note: to control redirection from HTTP to HTTPS configure the ``nginx.org/redirect-to-https* annotation. | *False* | | -| *nginx.org/basic-auth-secret* | N/A | Specifies a Secret resource with a user list for HTTP Basic authentication. | N/A | | -| *nginx.org/basic-auth-realm* | N/A | Specifies a realm. | N/A | | -| *nginx.org/ssl-ciphers* | *ssl-ciphers* | Sets the value of the [ssl_ciphers](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) directive. | N/A | *HIGH:!aNULL:!MD5* | -| *nginx.org/ssl-prefer-server-ciphers* | *ssl-prefer-server-ciphers* | Enables or disables the [ssl_prefer_server_ciphers](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers) directive. 
| *False* | | -| *nginx.com/jwt-key* | N/A | Specifies a Secret resource with keys for validating JSON Web Tokens (JWTs). | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | -| *nginx.com/jwt-realm* | N/A | Specifies a realm. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | -| *nginx.com/jwt-token* | N/A | Specifies a variable that contains a JSON Web Token. | By default, a JWT is expected in the ``Authorization* header as a Bearer Token. | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | -| *nginx.com/jwt-login-url* | N/A | Specifies a URL to which a client is redirected in case of an invalid or missing JWT. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | - -{{< /table >}} - -### Listeners - -{{< table >}} - -|Annotation | ConfigMap Key | Description | Default | Example | -| ---| ---| ---| ---| --- | -| *nginx.org/listen-ports* | N/A | Configures HTTP ports that NGINX will listen on. | *[80]* | | -| *nginx.org/listen-ports-ssl* | N/A | Configures HTTPS ports that NGINX will listen on. | *[443]* | | - -{{< /table >}} - -### Backend services (Upstreams) - -{{< table >}} - -|Annotation | ConfigMap Key | Description | Default | Example | -| ---| ---| ---| ---| --- | -| *nginx.org/lb-method* | *lb-method* | Sets the [load balancing method](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#choosing-a-load-balancing-method). To use the round-robin method, specify ``"round_robin"``. | *"random two least_conn"* | | -| *nginx.org/ssl-services* | N/A | Enables HTTPS or gRPC over SSL when connecting to the endpoints of services. 
| N/A | [ssl-services](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/ssl-services) | -| *nginx.org/grpc-services* | N/A | Enables gRPC for services. Note: requires HTTP/2 (see ``http2* ConfigMap key); only works for Ingresses with TLS termination enabled. | N/A | [grpc-services](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/grpc-services) | -| *nginx.org/websocket-services* | N/A | Enables WebSocket for services. | N/A | [websocket](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/websocket) | -| *nginx.org/max-fails* | *max-fails* | Sets the value of the [max_fails](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_fails) parameter of the ``server* directive. | *1* | | -| *nginx.org/max-conns* | N\A | Sets the value of the [max_conns](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_conns) parameter of the ``server* directive. | *0* | | -| *nginx.org/upstream-zone-size* | *upstream-zone-size* | Sets the size of the shared memory [zone](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#zone) for upstreams. For NGINX, the special value 0 disables the shared memory zones. For NGINX Plus, shared memory zones are required and cannot be disabled. The special value 0 will be ignored. | *256K* | | -| *nginx.org/fail-timeout* | *fail-timeout* | Sets the value of the [fail_timeout](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#fail_timeout) parameter of the ``server* directive. | *10s* | | -| *nginx.com/sticky-cookie-services* | N/A | Configures session persistence. | N/A | [session-persistence](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/session-persistence) | -| *nginx.org/keepalive* | *keepalive* | Sets the value of the [keepalive](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive) directive. 
Note that ``proxy_set_header Connection "";* is added to the generated configuration when the value > 0. | *0* | | -| *nginx.com/health-checks* | N/A | Enables active health checks. | *False* | [health-checks](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/health-checks) | -| *nginx.com/health-checks-mandatory* | N/A | Configures active health checks as mandatory. | *False* | [health-checks](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/health-checks) | -| *nginx.com/health-checks-mandatory-queue* | N/A | When active health checks are mandatory, creates a queue where incoming requests are temporarily stored while NGINX Plus is checking the health of the endpoints after a configuration reload. | *0* | [health-checks](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/health-checks) | -| *nginx.com/slow-start* | N/A | Sets the upstream server [slow-start period](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#server-slow-start). By default, slow-start is activated after a server becomes [available](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks) or [healthy](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#active-health-checks). To enable slow-start for newly-added servers, configure [mandatory active health checks](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/health-checks). | *"0s"* | | -| *nginx.org/use-cluster-ip* | N/A | Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. 
When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like ``lb-method* and ``next-upstream``) will have no effect, as NGINX Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. | *False* | | - -{{< /table >}} - -### Rate limiting - -{{< table >}} - -|Annotation | ConfigMap Key | Description | Default | Example | -| ---| ---| ---| ---| --- | -| *nginx.org/limit-req-rate* | N/A | Enables request-rate-limiting for this ingress by creating a [limit_req_zone](https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone) and matching [limit_req](https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req) for each location. All servers/locations of one ingress share the same zone. Must have unit r/s or r/m. | N/A | 200r/s | -| *nginx.org/limit-req-key* | N/A | The key to which the rate limit is applied. Can contain text, variables, or a combination of them. Variables must be surrounded by ${}. | ${binary_remote_addr} | ${binary_remote_addr} | -| *nginx.org/limit-req-zone-size* | N/A | Configures the size of the created [limit_req_zone](https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone). | 10m | 20m | -| *nginx.org/limit-req-delay* | N/A | Configures the delay-parameter of the [limit_req](https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req) directive. | 0 | 100 | -| *nginx.org/limit-req-no-delay* | N/A | Configures the nodelay-parameter of the [limit_req](https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req) directive. | false | true | -| *nginx.org/limit-req-burst* | N/A | Configures the burst-parameter of the [limit_req](https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req) directive. | N/A | 100 | -| *nginx.org/limit-req-dry-run* | N/A | Enables the dry run mode. 
In this mode, the rate limit is not actually applied, but the number of excessive requests is accounted as usual in the shared memory zone. | false | true | -| *nginx.org/limit-req-log-level* | N/A | Sets the desired logging level for cases when the server refuses to process requests due to rate exceeding, or delays request processing. Allowed values are info, notice, warn or error. | error | info | -| *nginx.org/limit-req-reject-code* | N/A | Sets the status code to return in response to rejected requests. Must fall into the range 400..599. | 429 | 503 | -| *nginx.org/limit-req-scale* | N/A | Enables a constant rate-limit by dividing the configured rate by the number of nginx-ingress pods currently serving traffic. This adjustment ensures that the rate-limit remains consistent, even as the number of nginx-pods fluctuates due to autoscaling. Note: This will not work properly if requests from a client are not evenly distributed accross all ingress pods (sticky sessions, long lived TCP-Connections with many requests etc.). In such cases using [zone-sync]({{< ref "/configuration/global-configuration/configmap-resource.md#zone-sync" >}}) instead would give better results. Enabling `zone-sync` will suppress this setting. | false | true | - -{{< /table >}} - -### Snippets and custom templates - -{{< table >}} - -|Annotation | ConfigMap Key | Description | Default | Example | -| ---| ---| ---| ---| --- | -| *nginx.org/location-snippets* | *location-snippets* | Sets a custom snippet in location context. | N/A | | -| *nginx.org/server-snippets* | *server-snippets* | Sets a custom snippet in server context. | N/A | | - -{{< /table >}} - -### F5 WAF for NGINX - -{{< call-out "note" >}} The App Protect annotations only work if the F5 WAF for NGINX module is [installed]({{< relref "installation/integrations/app-protect-waf/installation.md" >}}). 
{{< /call-out >}} - -{{< table >}} - -|Annotation | ConfigMap Key | Description | Default | Example | -| ---| ---| ---| ---| --- | -| *appprotect.f5.com/app-protect-policy* | N/A | The name of the App Protect Policy for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace of the Ingress Resource is used. If not specified but ``appprotect.f5.com/app-protect-enable* is true, a default policy id applied. If the referenced policy resource does not exist, or policy is invalid, this annotation will be ignored, and the default policy will be applied. | N/A | [app-protect-waf](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-waf) | -| *appprotect.f5.com/app-protect-enable* | N/A | Enable App Protect for the Ingress Resource. | *False* | [app-protect-waf](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-waf) | -| *appprotect.f5.com/app-protect-security-log-enable* | N/A | Enable the [security log](/nginx-app-protect/troubleshooting/#app-protect-logging-overview) for App Protect. | *False* | [app-protect-waf](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-waf) | -| *appprotect.f5.com/app-protect-security-log* | N/A | The App Protect log configuration for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace as the Ingress Resource is used. If not specified the default is used which is: filter: ``illegal``, format: ``default``. Multiple configurations can be specified in a comma separated list. Both log configurations and destinations list (see below) must be of equal length. Configs and destinations are paired by the list indices. 
| N/A | [app-protect-waf](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-waf) | -| *appprotect.f5.com/app-protect-security-log-destination* | N/A | The destination of the security log. For more information check the [DESTINATION argument](/nginx-app-protect/troubleshooting/#app-protect-logging-overview). Multiple destinations can be specified in a comma-separated list. Both log configurations and destinations list (see above) must be of equal length. Configs and destinations are paired by the list indices. | *syslog:server=localhost:514* | [app-protect-waf](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-waf) | - -{{< /table >}} - -### F5 DoS for NGINX - -{{< call-out "note" >}} F5 DoS for NGINX annotations only work if the F5 DoS for NGINX module is [installed]({{< relref "installation/integrations/app-protect-dos/installation.md" >}}). {{< /call-out >}} - -{{< table >}} - -|Annotation | ConfigMap Key | Description | Default | Example | -| ---| ---| ---| ---| --- | -| *appprotectdos.f5.com/app-protect-dos-resource* | N/A | Enable F5 DoS for NGINX for the Ingress Resource by specifying a [DosProtectedResource]({{< relref "installation/integrations/app-protect-dos/dos-protected.md" >}}). | N/A | [app-protect-dos](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/app-protect-dos) | - -{{< /table >}} \ No newline at end of file From b1fe0afd5a92796644b0c1b9eaa83e786ae0f934 Mon Sep 17 00:00:00 2001 From: AlexFenlon Date: Fri, 5 Dec 2025 09:56:04 +0000 Subject: [PATCH 13/23] fix: remove includes/ files that were previously removed. --- .../configmap-resource.md | 247 ------------------ 1 file changed, 247 deletions(-) delete mode 100644 content/includes/nic/configuration/global-configuration/configmap-resource.md 
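Review bot: The whole-file deletion above (`@@ -1,249 +0,0 @@`, the "Advanced configuration with Annotations" page) also drops the `nginx.org/ssl-ciphers` and `nginx.org/ssl-prefer-server-ciphers` rows in its "Auth and SSL/TLS" table, which PATCH 02/23 of this series added to two files of the same name. Before this lands, please confirm that the copy that stays still carries both rows, and that no page still includes or links to the deleted path, since a dangling include or `ref` would break the site build. It would also help if the commit message named the page that now holds this content, so a reader of the log can tell the removal is a de-duplication and not a loss of the annotation reference.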
diff --git a/content/includes/nic/configuration/global-configuration/configmap-resource.md b/content/includes/nic/configuration/global-configuration/configmap-resource.md deleted file mode 100644 index daf9b6710..000000000 --- a/content/includes/nic/configuration/global-configuration/configmap-resource.md +++ /dev/null 
@@ -1,247 +0,0 @@ ---- -title: ConfigMap resources -weight: 300 -toc: true -type: how-to -product: NIC -nd-docs: DOCS-586 ---- - -When using F5 NGINX Ingress Controller, you can customize or fine tune NGINX behavior using ConfigMap resources. Examples include setting the number of worker processes or customizing the access log format. - -## Using ConfigMap - -1. The [Installation with Manifests]({{< relref "installation/installing-nic/installation-with-manifests.md" >}}) documentation deploy an empty ConfigMap while the default installation manifests specify it in the command-line arguments of the Ingress Controller. However, if you customized the manifests, to use ConfigMap, make sure to specify the ConfigMap resource to use the [command-line arguments]({{< ref "/nic/configuration/global-configuration/command-line-arguments" >}}) of NGINX Ingress Controller. - -1. Create a ConfigMap file with the name *nginx-config.yaml* and set the values -that make sense for your setup: - - ```yaml - kind: ConfigMap - apiVersion: v1 - metadata: - name: nginx-config - namespace: nginx-ingress - data: - proxy-connect-timeout: "10s" - proxy-read-timeout: "10s" - client-max-body-size: "2m" - ``` - - See the section [Summary of ConfigMap Keys](#summary-of-configmap-keys) for the explanation of the available ConfigMap keys (such as `proxy-connect-timeout` in this example). - -1. Create a new (or update the existing) ConfigMap resource: - - ```shell - kubectl apply -f nginx-config.yaml - ``` - - The NGINX configuration will be updated. - -## ConfigMap and Ingress annotations - -ConfigMap applies globally, meaning that it affects every Ingress resource. In contrast, annotations always apply to their Ingress resource. Annotations can override some ConfigMap keys: an example is that the `nginx.org/proxy-connect-timeout` annotations overrides the `proxy-connect-timeout` ConfigMap key. 
- -For more information, view the [Advanced configuration with annotations]({{< ref "/nic/configuration/ingress-resources/advanced-configuration-with-annotations" >}}) topic. - -## ConfigMap and VirtualServer/VirtualServerRoute resources - -The ConfigMap affects every VirtualServer and VirtualServerRoute resources. However, the fields of those resources allow overriding some ConfigMap keys. For example, the `connect-timeout` field of the `upstream` overrides the `proxy-connect-timeout` ConfigMap key. - -For more information, view the [VirtualServer and VirtualServerRoute resources]({{< ref "/nic/configuration/virtualserver-and-virtualserverroute-resources" >}}) topic. - -## ConfigMap keys - -### Ingress Controller (Unrelated to NGINX Configuration) - -{{< table >}} - -|ConfigMap Key | Description | Default | Example | -| ---| ---| ---| --- | -|*external-status-address* | Sets the address to be reported in the status of Ingress resources. Requires the *-report-status* command-line argument. Overrides the *-external-service* argument. | N/A | [Reporting resource status]({{< ref "/nic/configuration/global-configuration/reporting-resources-status" >}}) | - -{{< /table >}} - -### General customization - -{{< table >}} - -|ConfigMap Key | Description | Default | Example | -| ---| ---| ---| --- | -|*proxy-connect-timeout* | Sets the value of the [proxy_connect_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout) and [grpc_connect_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_connect_timeout) directive. | *60s* | | -|*proxy-read-timeout* | Sets the value of the [proxy_read_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout) and [grpc_read_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_read_timeout) directive. 
| *60s* | | -|*proxy-send-timeout* | Sets the value of the [proxy_send_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout) and [grpc_send_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_send_timeout) directive. | *60s* | | -|*client-max-body-size* | Sets the value of the [client_max_body_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) directive. | *1m* | | -|*client-body-buffer-size* | Sets the value of the [client_body_buffer_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) directive. | N/A | | -|*proxy-buffering* | Enables or disables [buffering of responses](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering) from the proxied server. | *True* | | -|*proxy-buffers* | Sets the value of the [proxy_buffers](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers) directive. | Depends on the platform. | | -|*proxy-buffer-size* | Sets the value of the [proxy_buffer_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) and [grpc_buffer_size](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size) directives. | Depends on the platform. | | -|*proxy-busy-buffers-size* | Sets the value of the [proxy_busy_buffers_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_busy_buffers_size) directive. | Depends on the platform. | | -|*proxy-max-temp-file-size* | Sets the value of the [proxy_max_temp_file_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_max_temp_file_size) directive. | *1024m* | | -|*set-real-ip-from* | Sets the value of the [set_real_ip_from](https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from) directive. | N/A | | -|*real-ip-header* | Sets the value of the [real_ip_header](https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header) directive. 
| *X-Real-IP* | | -|*real-ip-recursive* | Enables or disables the [real_ip_recursive](https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive) directive. | *False* | | -|*default-server-return* | Configures the [return](https://nginx.org/en/docs/http/ngx_http_rewrite_module.html#return) directive in the default server, which handles a client request if none of the hosts of Ingress or VirtualServer resources match. The default value configures NGINX to return a 404 error page. You can configure a fixed response or a redirect. For example, *default-server-return: 302 https://nginx.org* will redirect a client to *https://nginx.org*. | *404* | | -|*server-tokens* | Enables or disables the [server_tokens](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens) directive. Additionally, with the NGINX Plus, you can specify a custom string value, including the empty string value, which disables the emission of the “Server” field. | *True* | | -|*worker-processes* | Sets the value of the [worker_processes](https://nginx.org/en/docs/ngx_core_module.html#worker_processes) directive. | *auto* | | -|*worker-rlimit-nofile* | Sets the value of the [worker_rlimit_nofile](https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile) directive. | N/A | | -|*worker-connections* | Sets the value of the [worker_connections](https://nginx.org/en/docs/ngx_core_module.html#worker_connections) directive. | *1024* | | -|*worker-cpu-affinity* | Sets the value of the [worker_cpu_affinity](https://nginx.org/en/docs/ngx_core_module.html#worker_cpu_affinity) directive. | N/A | | -|*worker-shutdown-timeout* | Sets the value of the [worker_shutdown_timeout](https://nginx.org/en/docs/ngx_core_module.html#worker_shutdown_timeout) directive. | N/A | | -|*server-names-hash-bucket-size* | Sets the value of the [server_names_hash_bucket_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size) directive. 
| *256* | | -|*server-names-hash-max-size* | Sets the value of the [server_names_hash_max_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size) directive. | *1024* | | -|*map-hash-bucket-size* | Sets the value of the [map_hash_bucket_size](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size) directive.| *256* | | -|*map-hash-max-size* | Sets the value of the [map_hash_max_size](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_max_size) directive. | *2048* | | -|*resolver-addresses* | Sets the value of the [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) addresses. Note: If you use a DNS name (for example, *kube-dns.kube-system.svc.cluster.local* ) as a resolver address, NGINX Plus will resolve it using the system resolver during the start and on every configuration reload. If the name cannot be resolved or the DNS server doesn't respond, NGINX Plus will fail to start or reload. To avoid this, we recommend using IP addresses as resolver addresses instead of DNS names. Supported in NGINX Plus only. | N/A | [Support for Type ExternalName Services](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/externalname-services). | -|*resolver-ipv6* | Enables IPv6 resolution in the resolver. Supported in NGINX Plus only. | *True* | [Support for Type ExternalName Services](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/externalname-services). | -|*resolver-valid* | Sets the time NGINX caches the resolved DNS records. Supported in NGINX Plus only. | TTL value of a DNS record | [Support for Type ExternalName Services](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/externalname-services). | -|*resolver-timeout* | Sets the [resolver_timeout](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver_timeout) for name resolution. 
Supported in NGINX Plus only. | *30s* | [Support for Type ExternalName Services](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/externalname-services). | -|*keepalive-timeout* | Sets the value of the [keepalive_timeout](https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) directive. | *75s* | | -|*keepalive-requests* | Sets the value of the [keepalive_requests](https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests) directive. | *1000* | | -|*variables-hash-bucket-size* | Sets the value of the [variables_hash_bucket_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#variables_hash_bucket_size) directive. | *256* | | -|*variables-hash-max-size* | Sets the value of the [variables-hash-max-size](https://nginx.org/en/docs/http/ngx_http_core_module.html#variables_hash_max_size) directive. | *1024* | | - -{{< /table >}} - -### Logging - -{{< table >}} - -|ConfigMap Key | Description | Default | Example | -| ---| ---| ---| --- | -|*error-log-level* | Sets the global [error log level](https://nginx.org/en/docs/ngx_core_module.html#error_log) for NGINX. | *notice* | | -|*access-log* | Sets the directive [access log](https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log). A syslog destination is the only valid value. The value will be set to its default in-case user tries to configure it with location other than a syslog. -| ``/dev/stdout main`` | ``syslog:server=localhost:514`` | -|*access-log-off* | Disables the [access log](https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log). | *False* | | -|*default-server-access-log-off* | Disables the [access log](https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log) for the default server. If access log is disabled globally (*access-log-off: "True"*), then the default server access log is always disabled. 
| *False* | | -|*log-format* | Sets the custom [log format](https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format) for HTTP and HTTPS traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by *\n*). In that case, the Ingress Controller will replace every *\n* character with a space character. All *'* characters must be escaped. | See the [template file](https://github.com/nginx/kubernetes-ingress/blob/v{{< nic-version >}}/internal/configs/version1/nginx.tmpl) for the access log. | [Custom Log Format](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/shared-examples/custom-log-format). | -|*log-format-escaping* | Sets the characters escaping for the variables of the log format. Supported values: *json* (JSON escaping), *default* (the default escaping) *none* (disables escaping). | *default* | | -|*stream-log-format* | Sets the custom [log format](https://nginx.org/en/docs/stream/ngx_stream_log_module.html#log_format) for TCP, UDP, and TLS Passthrough traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by *\n*). In that case, the Ingress Controller will replace every *\n* character with a space character. All *'* characters must be escaped. | See the [template file](https://github.com/nginx/kubernetes-ingress/blob/v{{< nic-version >}}/internal/configs/version1/nginx.tmpl). | | -|*stream-log-format-escaping* | Sets the characters escaping for the variables of the stream log format. Supported values: *json* (JSON escaping), *default* (the default escaping) *none* (disables escaping). | *default* | | - -{{< /table >}} - -### Request URI/Header manipulation - -{{< table >}} - -|ConfigMap Key | Description | Default | Example | -| ---| ---| ---| --- | -|*proxy-hide-headers* | Sets the value of one or more [proxy_hide_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) directives. 
Example: *"nginx.org/proxy-hide-headers": "header-a,header-b"* | N/A | | -|*proxy-pass-headers* | Sets the value of one or more [proxy_pass_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header) directives. Example: *"nginx.org/proxy-pass-headers": "header-a,header-b"* | N/A | | - -{{< /table >}} - -### Auth and SSL/TLS - -{{< table >}} - -|ConfigMap Key | Description | Default | Example | -| ---| ---| ---| --- | -|*redirect-to-https* | Sets the 301 redirect rule based on the value of the *http_x_forwarded_proto* header on the server block to force incoming traffic to be over HTTPS. Useful when terminating SSL in a load balancer in front of the Ingress Controller — see [115](https://github.com/nginx/kubernetes-ingress/issues/115) | *False* | | -|*ssl-redirect* | Sets an unconditional 301 redirect rule for all incoming HTTP traffic to force incoming traffic over HTTPS. | *True* | | -|*hsts* | Enables [HTTP Strict Transport Security (HSTS)](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/) : the HSTS header is added to the responses from backends. The *preload* directive is included in the header. | *False* | | -|*hsts-max-age* | Sets the value of the *max-age* directive of the HSTS header. | *2592000* (1 month) | | -|*hsts-include-subdomains* | Adds the *includeSubDomains* directive to the HSTS header. | *False* | | -|*hsts-behind-proxy* | Enables HSTS based on the value of the *http_x_forwarded_proto* request header. Should only be used when TLS termination is configured in a load balancer (proxy) in front of the Ingress Controller. Note: to control redirection from HTTP to HTTPS configure the *nginx.org/redirect-to-https* annotation. | *False* | | -|*ssl-protocols* | Sets the value of the [ssl_protocols](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols) directive. 
| *TLSv1 TLSv1.1 TLSv1.2* | | -|*ssl-prefer-server-ciphers* | Enables or disables the [ssl_prefer_server_ciphers](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers) directive. | *False* | | -|*ssl-ciphers* | Sets the value of the [ssl_ciphers](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) directive. | *HIGH:!aNULL:!MD5* | | -|*ssl-dhparam-file* | Sets the content of the dhparam file. The controller will create the file and set the value of the [ssl_dhparam](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam) directive with the path of the file. | N/A | | - -{{< /table >}} - -### Listeners - -{{< table >}} - -|ConfigMap Key | Description | Default | Example | -| ---| ---| ---| --- | -|*http2* | Enables HTTP/2 in servers with SSL enabled. | *False* | | -|*proxy-protocol* | Enables PROXY Protocol for incoming connections. | *False* | [Proxy Protocol](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/shared-examples/proxy-protocol). | - -{{< /table >}} - -### Backend services (Upstreams) - -{{< table >}} - -|ConfigMap Key | Description | Default | Example | -| ---| ---| ---| --- | -|*lb-method* | Sets the [load balancing method](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#choosing-a-load-balancing-method). To use the round-robin method, specify *"round_robin"*. | *"random two least_conn"* | | -|*max-fails* | Sets the value of the [max_fails](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_fails) parameter of the *server* directive. | *1* | | -|*upstream-zone-size* | Sets the size of the shared memory [zone](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#zone) for upstreams. For NGINX, the special value 0 disables the shared memory zones. For NGINX Plus, shared memory zones are required and cannot be disabled. The special value 0 will be ignored. 
| *256k* for NGINX, *512k* for NGINX Plus | | -|*fail-timeout* | Sets the value of the [fail_timeout](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#fail_timeout) parameter of the *server* directive. | *10s* | | -|*keepalive* | Sets the value of the [keepalive](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive) directive. Note that *proxy_set_header Connection "";* is added to the generated configuration when the value > 0. | *0* | | - -{{< /table >}} - -### Zone Sync - -Zone Sync enables the [ngx_stream_zone_sync_module](https://nginx.org/en/docs/stream/ngx_stream_zone_sync_module.html) in NGINX Ingress Controller when NGINX Plus is used. Multiple replicas are required to effectively utililise this functionality. More information is available in the [How NGINX Plus Performs Zone Synchronization](https://docs.nginx.com/nginx/admin-guide/high-availability/zone_sync_details/) topic. - -Zone synchronization with TLS for NGINX Ingress Controller is not yet available with ConfigMap. If you would like to enable Zone Sync with TLS, please remove `zone-sync` from ConfigMap and add Zone Sync parameters via [`stream-snippets`]({{< ref "/configuration/ingress-resources/advanced-configuration-with-snippets.md" >}}) similar to [this example](https://github.com/nginx/kubernetes-ingress/blob/v4.0.1/examples/custom-resources/oidc/nginx-config.yaml) and adding the [zone_sync_ssl directive](https://nginx.org/en/docs/stream/ngx_stream_zone_sync_module.html#zone_sync_ssl) along with any other TLS parameters to the `stream-snippets`. - -You will also need to manually add the headless service, such as in [this example](https://github.com/nginx/kubernetes-ingress/blob/v4.0.1/examples/custom-resources/oidc/nginx-ingress-headless.yaml). 
- -{{< call-out "caution" >}} -If you previously installed OIDC or used the `zone_sync` directive with `stream-snippets` in [v4.0.1](https://github.com/nginx/kubernetes-ingress/tree/v4.0.1) or earlier, and you plan to enable the `zone-sync` ConfigMap key, the `zone_sync` directive should be removed from `stream-snippets`. - -If you encounter the error `error [emerg] 13#13: "zone_sync" directive is duplicate in /etc/nginx/nginx.conf:164` it is likely due to `zone_sync` being enabled in both `stream-snippets` and the ConfigMap. Once upgraded, remove the [old headless service](https://github.com/nginx/kubernetes-ingress/blob/v4.0.1/examples/custom-resources/oidc/nginx-ingress-headless.yaml) deployed for OIDC. -{{< /call-out >}} - -{{< table >}} - -|ConfigMap Key | Description | Default | Example | -| ---| ---| ---| --- | -|*zone-sync* | Enables zone synchronization between NGINX Ingress Controller Pods. This autogenerates a [zone_sync_server](https://nginx.org/en/docs/stream/ngx_stream_zone_sync_module.html#zone_sync_server) and a headless service using the `ReplicaSet`, `DaemonSet` or `StatefulSet` name. Please note that this headless service will be automatically cleaned up when uninstalling via Helm or by removing the value from the ConfigMap. The headless service will need to be manually removed if the `controller.customConfigMap` value is set via Helm or the deployment is uninstalled via Manifests. Each Ingress Controller manages its own headless service. NGINX Plus Required. | *False* | | -|*zone-sync-port* | Specifies the optional port on which NGINX Ingress Controller listens for zone sync traffic. NGINX Plus & `zone-sync` Required. | *12345* | | -|*zone-sync-resolver-addresses* | Configures optional addresses used in the [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) directive for zone-sync. This field takes a comma separated list of addresses. 
NGINX Plus & `zone-sync` Required | `kube-dns.kube-system.svc.cluster.local` | | -|*zone-sync-resolver-ipv6* | Configures whether the optional [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) directive for zone-sync will look up IPv6 addresses. NGINX Plus & `zone-sync` Required | `true` | | -|*zone-sync-resolver-valid* | Configures an [NGINX time](https://nginx.org/en/docs/syntax.html) that the optional [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) directive for zone-sync will override the TTL value of responses from nameservers with. NGINX Plus & `zone-sync` Required | `5s` | | - -{{< /table >}} - -### Snippets and custom templates - -{{< table >}} - -|ConfigMap Key | Description | Default | Example | -| ---| ---| ---| --- | -|*main-snippets* | Sets a custom snippet in main context. | N/A | | -|*http-snippets* | Sets a custom snippet in http context. | N/A | | -|*location-snippets* | Sets a custom snippet in location context. | N/A | | -|*server-snippets* | Sets a custom snippet in server context. | N/A | | -|*stream-snippets* | Sets a custom snippet in stream context. | N/A | [Support for TCP/UDP Load Balancing](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/tcp-udp). | -|*main-template* | Sets the main NGINX configuration template. | By default the template is read from the file in the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). | -|*ingress-template* | Sets the NGINX configuration template for an Ingress resource. | By default the template is read from the file on the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). | -|*virtualserver-template* | Sets the NGINX configuration template for an VirtualServer resource. | By default the template is read from the file on the container. 
| [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). | -|*transportserver-template* | Sets the NGINX configuration template for a TransportServer resource. | By default the template is read from the file on the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). | - -{{< /table >}} - -### Modules - -{{< table >}} - -|ConfigMap Key | Description | Default | Example | -| ---| ---| ---| --- | -|*otel-exporter-endpoint* | OTLP/gRPC endpoint that will accept [OpenTelemetry](https://opentelemetry.io) data. Set `otel-trace-in-http` to *"true"* to enable OpenTelemetry at the global level. | N/A | *"https://otel-collector:4317"* | -|*otel-exporter-header-name* | The name of a custom HTTP header to add to telemetry export request. `otel-exporter-endpoint` and `otel-exporter-header-value` required. | N/A | *"X-custom-header"* | -|*otel-exporter-header-value* | The value of a custom HTTP header to add to telemetry export request. `otel-exporter-endpoint` and `otel-exporter-header-name` required. | N/A | *"custom-value"* | -|*otel-service-name* | Sets the `service.name` attribute of the OTel resource. `otel-exporter-endpoint` required. | N/A | *"nginx-ingress-controller:nginx"* | -| *otel-trace-in-http* | Enables [OpenTelemetry](https://opentelemetry.io) globally (for all Ingress, VirtualServer and VirtualServerRoute resources). Set this to *"false"* to enable OpenTelemetry for individual routes with snippets. `otel-exporter-endpoint` required. | *"false"* | *"true"* | -|*opentracing* | Removed in v5.0.0. Enables [OpenTracing](https://opentracing.io) globally (for all Ingress, VirtualServer and VirtualServerRoute resources). Note: requires the Ingress Controller image with OpenTracing module and a tracer. See the [docs]({{< relref "/installation/integrations/opentracing.md" >}}) for more information. | *False* | | -|*opentracing-tracer* | Removed in v5.0.0. 
Sets the path to the vendor tracer binary plugin. | N/A | | -|*opentracing-tracer-config* | Removed in v5.0.0. Sets the tracer configuration in JSON format. | N/A | | -|*app-protect-compressed-requests-action* | Sets the *app_protect_compressed_requests_action* [global directive](/nginx-app-protect/configuration/#global-directives). | *drop* | | -|*app-protect-cookie-seed* | Sets the *app_protect_cookie_seed* [global directive](/nginx-app-protect/configuration/#global-directives). | Random automatically generated string | | -|*app-protect-failure-mode-action* | Sets the *app_protect_failure_mode_action* [global directive](/nginx-app-protect/configuration/#global-directives). | *pass* | | -|*app-protect-cpu-thresholds* | Sets the *app_protect_cpu_thresholds* [global directive](/nginx-app-protect/configuration/#global-directives). | *high=100 low=100* | | -|*app-protect-physical-memory-util-thresholds* | Sets the *app_protect_physical_memory_util_thresholds* [global directive](/nginx-app-protect/configuration/#global-directives). | *high=100 low=100* | | -|`app-protect-reconnect-period-seconds` | Sets the `app_protect_reconnect_period_seconds` [global directive](/nginx-app-protect/configuration/#global-directives). | `5` | | -|*app-protect-dos-log-format* | Sets the custom [log format](https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format) for Dos Access log traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by *\n*). In that case, the Ingress Controller will replace every *\n* character with a space character. All *'* characters must be escaped. 
| `, vs_name_al=$app_protect_dos_vs_name, ip=$remote_addr, tls_fp=$app_protect_dos_tls_fp, outcome=$app_protect_dos_outcome, reason=$app_protect_dos_outcome_reason, policy_name=$app_protect_dos_policy_name, dos_version=$app_protect_dos_version, ip_tls=$remote_addr:$app_protect_dos_tls_fp,` | | -|*app-protect-dos-log-format-escaping* | Sets the characters escaping for the variables of the stream log format. Supported values: *json* (JSON escaping), *default* (the default escaping) *none* (disables escaping). | *default* | | -|*app-protect-dos-arb-fqdn* | Sets the *app-protect-dos-arb-fqdn* [directive](/nginx-app-protect-dos/directives-and-policy/learn-about-directives-and-policy/#arbitrator-fqdn-directive-app_protect_dos_arb_fqdn). | *svc-appprotect-dos-arb* | | - -{{< /table >}} \ No newline at end of file From 399725c1339713280c04653564fed91a243a4046 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 5 Dec 2025 11:30:04 +0000 Subject: [PATCH 14/23] Update release notes for 5.3.0 --- content/nic/changelog/_index.md | 109 ++++++++++++++++++++++++++++++++ 1 file changed, 109 insertions(+) diff --git a/content/nic/changelog/_index.md b/content/nic/changelog/_index.md index 16c8a8ede..29eb718a0 100644 --- a/content/nic/changelog/_index.md +++ b/content/nic/changelog/_index.md 
@@ -25,6 +25,115 @@ For older releases, check the changelogs for previous years: [2024]({{< ref "/ni {{< /details >}} + +## 5.3.0 + +08 Dec 2025 + +### {{% icon rocket %}} Features +- [8292](https://github.com/nginx/kubernetes-ingress/pull/8292) Add sslverify for jwksuri +- [8447](https://github.com/nginx/kubernetes-ingress/pull/8447) Add support for ssl ciphers related annotations +- [8340](https://github.com/nginx/kubernetes-ingress/pull/8340) Implement oidc front channel logout nginx directives +- [8495](https://github.com/nginx/kubernetes-ingress/pull/8495) Add oidc timeout customization to configmap +- [8453](https://github.com/nginx/kubernetes-ingress/pull/8453) Support namespaced upstream service reference in virtualserver +- [8508](https://github.com/nginx/kubernetes-ingress/pull/8508) Add rewrite-target annotation +- [8548](https://github.com/nginx/kubernetes-ingress/pull/8548) Add `client-body-buffer-size` directive to ingress annotations & configmap +- [8557](https://github.com/nginx/kubernetes-ingress/pull/8557) Add client-body-buffer-size directive to virtualserver +- [8556](https://github.com/nginx/kubernetes-ingress/pull/8556) Add oidc policy idp tls validation +- [8533](https://github.com/nginx/kubernetes-ingress/pull/8533) Extend cache policy for more configurable parameters + +### {{% icon bug %}} Fixes +- [8299](https://github.com/nginx/kubernetes-ingress/pull/8299) Remove type field for objects with schema ref +- [8455](https://github.com/nginx/kubernetes-ingress/pull/8455) Cleanup stale socket files on startup +- [8460](https://github.com/nginx/kubernetes-ingress/pull/8460) Wrap oidc fclo initiated test in a while loop + +### {{% icon arrow-up %}} Dependencies +- [8553](https://github.com/nginx/kubernetes-ingress/pull/8553) Bump Go dependencies +- [8244](https://github.com/nginx/kubernetes-ingress/pull/8244), [8279](https://github.com/nginx/kubernetes-ingress/pull/8279), [8284](https://github.com/nginx/kubernetes-ingress/pull/8284), 
[8315](https://github.com/nginx/kubernetes-ingress/pull/8315), [8324](https://github.com/nginx/kubernetes-ingress/pull/8324), [8334](https://github.com/nginx/kubernetes-ingress/pull/8334) & [8384](https://github.com/nginx/kubernetes-ingress/pull/8384) Bump Docker dependencies +- [8581](https://github.com/nginx/kubernetes-ingress/pull/8581) Update python:3.14-trixie docker digest to d88b120 (main) +- [8577](https://github.com/nginx/kubernetes-ingress/pull/8577) Update module golang.org/x/tools to v0.39.0 (main) +- [8578](https://github.com/nginx/kubernetes-ingress/pull/8578) Update module mvdan.cc/gofumpt to v0.9.2 (main) +- [8569](https://github.com/nginx/kubernetes-ingress/pull/8569) Update aws-sdk-go-v2 monorepo (main) +- [8560](https://github.com/nginx/kubernetes-ingress/pull/8560) Update pre-commit hook rhysd/actionlint to v1.7.9 (main) +- [8552](https://github.com/nginx/kubernetes-ingress/pull/8552) Update kubernetes packages to v0.34.2 (main) +- [8544](https://github.com/nginx/kubernetes-ingress/pull/8544) Update aws-sdk-go-v2 monorepo (main) +- [8524](https://github.com/nginx/kubernetes-ingress/pull/8524) Update module github.com/aws/aws-sdk-go-v2/config to v1.31.18 (main) +- [8526](https://github.com/nginx/kubernetes-ingress/pull/8526) Update pre-commit hook psf/black-pre-commit-mirror to v25.11.0 (main) +- [8511](https://github.com/nginx/kubernetes-ingress/pull/8511) Update docker-registry.nginx.com/nap-dos/app_protect_dos_arb docker tag to v1.2.0 (main) +- [8514](https://github.com/nginx/kubernetes-ingress/pull/8514) Update test containers to v0.2.6 +- [8596](https://github.com/nginx/kubernetes-ingress/pull/8513, https://github.com/nginx/kubernetes-ingress/pull/8596) Update registry.k8s.io/external-dns/external-dns docker tag to v0.20.0 (main) +- [8492](https://github.com/nginx/kubernetes-ingress/pull/8492) Update dependency clusterrole to rbac.authorization.k8s.io/v1 (main) +- [8499](https://github.com/nginx/kubernetes-ingress/pull/8499) Update 
quay.io/jetstack/cert-manager-webhook docker tag to v1.19.1 (main) +- [8498](https://github.com/nginx/kubernetes-ingress/pull/8498) Update quay.io/jetstack/cert-manager-controller docker tag to v1.19.1 (main) +- [8497](https://github.com/nginx/kubernetes-ingress/pull/8497) Update quay.io/jetstack/cert-manager-cainjector docker tag to v1.19.1 (main) +- [8503](https://github.com/nginx/kubernetes-ingress/pull/8493, https://github.com/nginx/kubernetes-ingress/pull/8503) Update dependency go to v1.25.4 (main) +- [8475](https://github.com/nginx/kubernetes-ingress/pull/8475) Update kindest/node docker tag to v1.34.0 (main) +- [8484](https://github.com/nginx/kubernetes-ingress/pull/8484) Update coredns/coredns docker tag to v1.13.1 (main) +- [8483](https://github.com/nginx/kubernetes-ingress/pull/8483) Update aws-sdk-go-v2 monorepo (main) +- [8486](https://github.com/nginx/kubernetes-ingress/pull/8486) Update renovate to bump minor go versions +- [8465](https://github.com/nginx/kubernetes-ingress/pull/8465) Update module github.com/nginx/nginx-prometheus-exporter to v1.5.1 (main) +- [8551](https://github.com/nginx/kubernetes-ingress/pull/8474, https://github.com/nginx/kubernetes-ingress/pull/8551) Update golangci/golangci-lint docker tag to v2.6.2 (main) +- [8464](https://github.com/nginx/kubernetes-ingress/pull/8464) Update aws-sdk-go-v2 monorepo (main) +- [8599](https://github.com/nginx/kubernetes-ingress/pull/8436, https://github.com/nginx/kubernetes-ingress/pull/8490, https://github.com/nginx/kubernetes-ingress/pull/8549, https://github.com/nginx/kubernetes-ingress/pull/8562, https://github.com/nginx/kubernetes-ingress/pull/8579, https://github.com/nginx/kubernetes-ingress/pull/8587, https://github.com/nginx/kubernetes-ingress/pull/8599) Update ghcr.io/nginx/dependencies/nginx-ubi:ubi8 docker digest to fa931e9 (main) +- [8445](https://github.com/nginx/kubernetes-ingress/pull/8445) Use renovate to monitor test data yaml files +- 
[8543](https://github.com/nginx/kubernetes-ingress/pull/8450, https://github.com/nginx/kubernetes-ingress/pull/8462, https://github.com/nginx/kubernetes-ingress/pull/8482, https://github.com/nginx/kubernetes-ingress/pull/8543) Update python:3.14-bookworm docker digest to 407cd1c (main) +- [8542](https://github.com/nginx/kubernetes-ingress/pull/8448, https://github.com/nginx/kubernetes-ingress/pull/8471, https://github.com/nginx/kubernetes-ingress/pull/8542) Update debian:12-slim docker digest to 936abff (main) +- [8428](https://github.com/nginx/kubernetes-ingress/pull/8428) Update module github.com/cert-manager/cert-manager to v1.19.1 (main) +- [8575](https://github.com/nginx/kubernetes-ingress/pull/8439, https://github.com/nginx/kubernetes-ingress/pull/8451, https://github.com/nginx/kubernetes-ingress/pull/8558, https://github.com/nginx/kubernetes-ingress/pull/8575) Update redhat/ubi8 docker digest to a444712 (main) +- [8440](https://github.com/nginx/kubernetes-ingress/pull/8440) Update aws-sdk-go-v2 monorepo (main) +- [8401](https://github.com/nginx/kubernetes-ingress/pull/8401) Upgrade github.com/nginx/nginx-plus-go-client/v3 to v3.0.1 +- [8598](https://github.com/nginx/kubernetes-ingress/pull/8437, https://github.com/nginx/kubernetes-ingress/pull/8449, https://github.com/nginx/kubernetes-ingress/pull/8461, https://github.com/nginx/kubernetes-ingress/pull/8491, https://github.com/nginx/kubernetes-ingress/pull/8501, https://github.com/nginx/kubernetes-ingress/pull/8550, https://github.com/nginx/kubernetes-ingress/pull/8563, https://github.com/nginx/kubernetes-ingress/pull/8580, https://github.com/nginx/kubernetes-ingress/pull/8598) Update ghcr.io/nginx/dependencies/nginx-ubi:ubi9 docker digest to aa99558 (main) +- [8589](https://github.com/nginx/kubernetes-ingress/pull/8432, https://github.com/nginx/kubernetes-ingress/pull/8589) Update redhat/ubi9-minimal docker tag to v9.7-1764578379 (main) +- [8572](https://github.com/nginx/kubernetes-ingress/pull/8396, 
https://github.com/nginx/kubernetes-ingress/pull/8476, https://github.com/nginx/kubernetes-ingress/pull/8572) Update module github.com/gruntwork-io/terratest to v0.54.0 (main) +- [8588](https://github.com/nginx/kubernetes-ingress/pull/8431, https://github.com/nginx/kubernetes-ingress/pull/8588) Update redhat/ubi9 docker tag to v9.7-1764578509 (main) +- [8429](https://github.com/nginx/kubernetes-ingress/pull/8429) Update module github.com/cert-manager/cert-manager to v1.19.0 (main) +- [8427](https://github.com/nginx/kubernetes-ingress/pull/8427) Update renovate pr's in github workflow +- [8424](https://github.com/nginx/kubernetes-ingress/pull/8424) Allow renovate to run postupgradetasks +- [8397](https://github.com/nginx/kubernetes-ingress/pull/8397) Correct space in github actions, update renovate syntax +- [8406](https://github.com/nginx/kubernetes-ingress/pull/8406) Update python docker tag to v3.14 (main) +- [8559](https://github.com/nginx/kubernetes-ingress/pull/8405, https://github.com/nginx/kubernetes-ingress/pull/8525, https://github.com/nginx/kubernetes-ingress/pull/8559) Update pre-commit hook asottile/pyupgrade to v3.21.2 (main) +- [8502](https://github.com/nginx/kubernetes-ingress/pull/8389, https://github.com/nginx/kubernetes-ingress/pull/8438, https://github.com/nginx/kubernetes-ingress/pull/8502) Update golang:1.25-alpine docker digest to 182059d (main) +- [8387](https://github.com/nginx/kubernetes-ingress/pull/8387) Update dependency pyyaml to v6.0.3 (main) +- [8388](https://github.com/nginx/kubernetes-ingress/pull/8388) Update dependency wrapt to v1.17.3 (main) +- [8381](https://github.com/nginx/kubernetes-ingress/pull/8381) Update renovate configuration +- [8375](https://github.com/nginx/kubernetes-ingress/pull/8375) Update docker/login-action action to v3.6.0 +- [8466](https://github.com/nginx/kubernetes-ingress/pull/8366, https://github.com/nginx/kubernetes-ingress/pull/8443, https://github.com/nginx/kubernetes-ingress/pull/8466) Update 
balabit/syslog-ng docker tag to v4.10.2 (main) +- [8362](https://github.com/nginx/kubernetes-ingress/pull/8362) Update examples with keycloak 26.x +- [8350](https://github.com/nginx/kubernetes-ingress/pull/8350) Update dependency cffi to v2 +- [8356](https://github.com/nginx/kubernetes-ingress/pull/8356) Update peter-evans/dockerhub-description action to v5 +- [8355](https://github.com/nginx/kubernetes-ingress/pull/8355) Update dependency grpcio to v1.75.1 +- [8349](https://github.com/nginx/kubernetes-ingress/pull/8349) Update k8s.io/utils digest to bc988d5 +- [8337](https://github.com/nginx/kubernetes-ingress/pull/8337) Update module github.com/golang-jwt/jwt/v4 to v5 +- [8343](https://github.com/nginx/kubernetes-ingress/pull/8343) Update actions/cache action to v4.3.0 +- [8344](https://github.com/nginx/kubernetes-ingress/pull/8344) Update dependency certifi to v2025.8.3 +- [8332](https://github.com/nginx/kubernetes-ingress/pull/8332) Update ossf/scorecard-action action to v2.4.3 +- [8333](https://github.com/nginx/kubernetes-ingress/pull/8333) Update dependency pycparser to v2.23 +- [8582](https://github.com/nginx/kubernetes-ingress/pull/8326, https://github.com/nginx/kubernetes-ingress/pull/8564, https://github.com/nginx/kubernetes-ingress/pull/8582) Update module github.com/gkampitakis/go-snaps to v0.5.17 (main) +- [8323](https://github.com/nginx/kubernetes-ingress/pull/8323) Update dependency cryptography to v46.0.2 +- [8309](https://github.com/nginx/kubernetes-ingress/pull/8309) Update aws-sdk-go-v2 monorepo +- [8312](https://github.com/nginx/kubernetes-ingress/pull/8312) Update dependency requests to v2.32.5 +- [8584](https://github.com/nginx/kubernetes-ingress/pull/8307, https://github.com/nginx/kubernetes-ingress/pull/8374, https://github.com/nginx/kubernetes-ingress/pull/8570, https://github.com/nginx/kubernetes-ingress/pull/8584) Update docker/dockerfile docker tag to v1.20 (main) +- [8595](https://github.com/nginx/kubernetes-ingress/pull/8308, 
https://github.com/nginx/kubernetes-ingress/pull/8459, https://github.com/nginx/kubernetes-ingress/pull/8510, https://github.com/nginx/kubernetes-ingress/pull/8565, https://github.com/nginx/kubernetes-ingress/pull/8576, https://github.com/nginx/kubernetes-ingress/pull/8595) Update quay.io/keycloak/keycloak docker tag to v26.4.7 (main) +- [8300](https://github.com/nginx/kubernetes-ingress/pull/8300) Chore(deps): bump the actions group across 1 directory with 5 updates +- [8298](https://github.com/nginx/kubernetes-ingress/pull/8298) Chore: configure renovate +- [8566](https://github.com/nginx/kubernetes-ingress/pull/8286, https://github.com/nginx/kubernetes-ingress/pull/8369, https://github.com/nginx/kubernetes-ingress/pull/8423, https://github.com/nginx/kubernetes-ingress/pull/8539, https://github.com/nginx/kubernetes-ingress/pull/8566) [pre-commit.ci] pre-commit autoupdate +- [8287](https://github.com/nginx/kubernetes-ingress/pull/8287) Chore(deps): bump the python group with 5 updates +- [8275](https://github.com/nginx/kubernetes-ingress/pull/8275) Chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 in the actions group +- [8270](https://github.com/nginx/kubernetes-ingress/pull/8270) Chore(deps): bump the python group with 5 updates +- [8269](https://github.com/nginx/kubernetes-ingress/pull/8269) Chore(deps): bump the actions group with 2 updates +- [8252](https://github.com/nginx/kubernetes-ingress/pull/8252) Bump preflight version to v1.14.1 +- [8254](https://github.com/nginx/kubernetes-ingress/pull/8248, https://github.com/nginx/kubernetes-ingress/pull/8254) Chore(deps): bump python from `d99178e` to `a805109` in /tests +- [8263](https://github.com/nginx/kubernetes-ingress/pull/8249, https://github.com/nginx/kubernetes-ingress/pull/8263) Chore(deps): bump github/codeql-action from 3.30.1 to 3.30.3 in the actions group +- [8243](https://github.com/nginx/kubernetes-ingress/pull/8243) Chore(deps): bump the python group with 2 updates + +### {{% icon 
download %}} Upgrade +- For NGINX, use the 5.3.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=5.3.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 5.3.0 images from the F5 Container registry or build your own image using the 5.3.0 source code. +- For Helm, use version 2.4.0 of the chart. + +### {{% icon life-buoy %}} Supported Platforms +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.27-1.34. + ## 5.3.0 08 Dec 2025 From 2bf24ec5efc8cad5179063f34e94033773f65d53 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 5 Dec 2025 11:36:07 +0000 Subject: [PATCH 15/23] Update release notes for 5.3.0 --- content/nic/changelog/_index.md | 109 ++++++++++++++++++++++++++++++++ 1 file changed, 109 insertions(+) diff --git a/content/nic/changelog/_index.md b/content/nic/changelog/_index.md index 29eb718a0..5ea5af459 100644 --- a/content/nic/changelog/_index.md +++ b/content/nic/changelog/_index.md 
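Review bot: The trailing context of this hunk already contains `## 5.3.0` followed by `08 Dec 2025`, so inserting the new block above it leaves the changelog with two 5.3.0 headings carrying the same date. Either remove the existing heading and date in the same change, or add only the section body beneath the heading that is already there. Separately, in the Dependencies list, entries such as `[8596](https://github.com/nginx/kubernetes-ingress/pull/8513, https://github.com/nginx/kubernetes-ingress/pull/8596)` put several comma-separated URLs inside one link destination, which is not a valid inline link in Markdown and will show as literal text. Give each pull request its own `[number](url)` pair, as the "Bump Docker dependencies" entry in the same list does.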
@@ -26,6 +26,115 @@ For older releases, check the changelogs for previous years: [2024]({{< ref "/ni + +## 5.3.0 + +08 Dec 2025 + +### {{% icon rocket %}} Features +- [8292](https://github.com/nginx/kubernetes-ingress/pull/8292) Add sslverify for jwksuri +- [8447](https://github.com/nginx/kubernetes-ingress/pull/8447) Add support for ssl ciphers related annotations +- [8340](https://github.com/nginx/kubernetes-ingress/pull/8340) Implement oidc front channel logout nginx directives +- [8495](https://github.com/nginx/kubernetes-ingress/pull/8495) Add oidc timeout customization to configmap +- [8453](https://github.com/nginx/kubernetes-ingress/pull/8453) Support namespaced upstream service reference in virtualserver +- [8508](https://github.com/nginx/kubernetes-ingress/pull/8508) Add rewrite-target annotation +- [8548](https://github.com/nginx/kubernetes-ingress/pull/8548) Add `client-body-buffer-size` directive to ingress annotations & configmap +- [8557](https://github.com/nginx/kubernetes-ingress/pull/8557) Add client-body-buffer-size directive to virtualserver +- [8556](https://github.com/nginx/kubernetes-ingress/pull/8556) Add oidc policy idp tls validation +- [8533](https://github.com/nginx/kubernetes-ingress/pull/8533) Extend cache policy for more configurable parameters + +### {{% icon bug %}} Fixes +- [8299](https://github.com/nginx/kubernetes-ingress/pull/8299) Remove type field for objects with schema ref +- [8455](https://github.com/nginx/kubernetes-ingress/pull/8455) Cleanup stale socket files on startup +- [8460](https://github.com/nginx/kubernetes-ingress/pull/8460) Wrap oidc fclo initiated test in a while loop + +### {{% icon arrow-up %}} Dependencies +- [8553](https://github.com/nginx/kubernetes-ingress/pull/8553) Bump Go dependencies +- [8244](https://github.com/nginx/kubernetes-ingress/pull/8244), [8279](https://github.com/nginx/kubernetes-ingress/pull/8279), [8284](https://github.com/nginx/kubernetes-ingress/pull/8284), 
[8315](https://github.com/nginx/kubernetes-ingress/pull/8315), [8324](https://github.com/nginx/kubernetes-ingress/pull/8324), [8334](https://github.com/nginx/kubernetes-ingress/pull/8334) & [8384](https://github.com/nginx/kubernetes-ingress/pull/8384) Bump Docker dependencies +- [8581](https://github.com/nginx/kubernetes-ingress/pull/8581) Update python:3.14-trixie docker digest to d88b120 (main) +- [8577](https://github.com/nginx/kubernetes-ingress/pull/8577) Update module golang.org/x/tools to v0.39.0 (main) +- [8578](https://github.com/nginx/kubernetes-ingress/pull/8578) Update module mvdan.cc/gofumpt to v0.9.2 (main) +- [8569](https://github.com/nginx/kubernetes-ingress/pull/8569) Update aws-sdk-go-v2 monorepo (main) +- [8560](https://github.com/nginx/kubernetes-ingress/pull/8560) Update pre-commit hook rhysd/actionlint to v1.7.9 (main) +- [8552](https://github.com/nginx/kubernetes-ingress/pull/8552) Update kubernetes packages to v0.34.2 (main) +- [8544](https://github.com/nginx/kubernetes-ingress/pull/8544) Update aws-sdk-go-v2 monorepo (main) +- [8524](https://github.com/nginx/kubernetes-ingress/pull/8524) Update module github.com/aws/aws-sdk-go-v2/config to v1.31.18 (main) +- [8526](https://github.com/nginx/kubernetes-ingress/pull/8526) Update pre-commit hook psf/black-pre-commit-mirror to v25.11.0 (main) +- [8511](https://github.com/nginx/kubernetes-ingress/pull/8511) Update docker-registry.nginx.com/nap-dos/app_protect_dos_arb docker tag to v1.2.0 (main) +- [8514](https://github.com/nginx/kubernetes-ingress/pull/8514) Update test containers to v0.2.6 +- [8596](https://github.com/nginx/kubernetes-ingress/pull/8513, https://github.com/nginx/kubernetes-ingress/pull/8596) Update registry.k8s.io/external-dns/external-dns docker tag to v0.20.0 (main) +- [8492](https://github.com/nginx/kubernetes-ingress/pull/8492) Update dependency clusterrole to rbac.authorization.k8s.io/v1 (main) +- [8499](https://github.com/nginx/kubernetes-ingress/pull/8499) Update 
quay.io/jetstack/cert-manager-webhook docker tag to v1.19.1 (main) +- [8498](https://github.com/nginx/kubernetes-ingress/pull/8498) Update quay.io/jetstack/cert-manager-controller docker tag to v1.19.1 (main) +- [8497](https://github.com/nginx/kubernetes-ingress/pull/8497) Update quay.io/jetstack/cert-manager-cainjector docker tag to v1.19.1 (main) +- [8503](https://github.com/nginx/kubernetes-ingress/pull/8493, https://github.com/nginx/kubernetes-ingress/pull/8503) Update dependency go to v1.25.4 (main) +- [8475](https://github.com/nginx/kubernetes-ingress/pull/8475) Update kindest/node docker tag to v1.34.0 (main) +- [8484](https://github.com/nginx/kubernetes-ingress/pull/8484) Update coredns/coredns docker tag to v1.13.1 (main) +- [8483](https://github.com/nginx/kubernetes-ingress/pull/8483) Update aws-sdk-go-v2 monorepo (main) +- [8486](https://github.com/nginx/kubernetes-ingress/pull/8486) Update renovate to bump minor go versions +- [8465](https://github.com/nginx/kubernetes-ingress/pull/8465) Update module github.com/nginx/nginx-prometheus-exporter to v1.5.1 (main) +- [8551](https://github.com/nginx/kubernetes-ingress/pull/8474, https://github.com/nginx/kubernetes-ingress/pull/8551) Update golangci/golangci-lint docker tag to v2.6.2 (main) +- [8464](https://github.com/nginx/kubernetes-ingress/pull/8464) Update aws-sdk-go-v2 monorepo (main) +- [8599](https://github.com/nginx/kubernetes-ingress/pull/8436, https://github.com/nginx/kubernetes-ingress/pull/8490, https://github.com/nginx/kubernetes-ingress/pull/8549, https://github.com/nginx/kubernetes-ingress/pull/8562, https://github.com/nginx/kubernetes-ingress/pull/8579, https://github.com/nginx/kubernetes-ingress/pull/8587, https://github.com/nginx/kubernetes-ingress/pull/8599) Update ghcr.io/nginx/dependencies/nginx-ubi:ubi8 docker digest to fa931e9 (main) +- [8445](https://github.com/nginx/kubernetes-ingress/pull/8445) Use renovate to monitor test data yaml files +- 
[8543](https://github.com/nginx/kubernetes-ingress/pull/8450, https://github.com/nginx/kubernetes-ingress/pull/8462, https://github.com/nginx/kubernetes-ingress/pull/8482, https://github.com/nginx/kubernetes-ingress/pull/8543) Update python:3.14-bookworm docker digest to 407cd1c (main) +- [8542](https://github.com/nginx/kubernetes-ingress/pull/8448, https://github.com/nginx/kubernetes-ingress/pull/8471, https://github.com/nginx/kubernetes-ingress/pull/8542) Update debian:12-slim docker digest to 936abff (main) +- [8428](https://github.com/nginx/kubernetes-ingress/pull/8428) Update module github.com/cert-manager/cert-manager to v1.19.1 (main) +- [8575](https://github.com/nginx/kubernetes-ingress/pull/8439, https://github.com/nginx/kubernetes-ingress/pull/8451, https://github.com/nginx/kubernetes-ingress/pull/8558, https://github.com/nginx/kubernetes-ingress/pull/8575) Update redhat/ubi8 docker digest to a444712 (main) +- [8440](https://github.com/nginx/kubernetes-ingress/pull/8440) Update aws-sdk-go-v2 monorepo (main) +- [8401](https://github.com/nginx/kubernetes-ingress/pull/8401) Upgrade github.com/nginx/nginx-plus-go-client/v3 to v3.0.1 +- [8598](https://github.com/nginx/kubernetes-ingress/pull/8437, https://github.com/nginx/kubernetes-ingress/pull/8449, https://github.com/nginx/kubernetes-ingress/pull/8461, https://github.com/nginx/kubernetes-ingress/pull/8491, https://github.com/nginx/kubernetes-ingress/pull/8501, https://github.com/nginx/kubernetes-ingress/pull/8550, https://github.com/nginx/kubernetes-ingress/pull/8563, https://github.com/nginx/kubernetes-ingress/pull/8580, https://github.com/nginx/kubernetes-ingress/pull/8598) Update ghcr.io/nginx/dependencies/nginx-ubi:ubi9 docker digest to aa99558 (main) +- [8589](https://github.com/nginx/kubernetes-ingress/pull/8432, https://github.com/nginx/kubernetes-ingress/pull/8589) Update redhat/ubi9-minimal docker tag to v9.7-1764578379 (main) +- [8572](https://github.com/nginx/kubernetes-ingress/pull/8396, 
https://github.com/nginx/kubernetes-ingress/pull/8476, https://github.com/nginx/kubernetes-ingress/pull/8572) Update module github.com/gruntwork-io/terratest to v0.54.0 (main) +- [8588](https://github.com/nginx/kubernetes-ingress/pull/8431, https://github.com/nginx/kubernetes-ingress/pull/8588) Update redhat/ubi9 docker tag to v9.7-1764578509 (main) +- [8429](https://github.com/nginx/kubernetes-ingress/pull/8429) Update module github.com/cert-manager/cert-manager to v1.19.0 (main) +- [8427](https://github.com/nginx/kubernetes-ingress/pull/8427) Update renovate pr's in github workflow +- [8424](https://github.com/nginx/kubernetes-ingress/pull/8424) Allow renovate to run postupgradetasks +- [8397](https://github.com/nginx/kubernetes-ingress/pull/8397) Correct space in github actions, update renovate syntax +- [8406](https://github.com/nginx/kubernetes-ingress/pull/8406) Update python docker tag to v3.14 (main) +- [8559](https://github.com/nginx/kubernetes-ingress/pull/8405, https://github.com/nginx/kubernetes-ingress/pull/8525, https://github.com/nginx/kubernetes-ingress/pull/8559) Update pre-commit hook asottile/pyupgrade to v3.21.2 (main) +- [8502](https://github.com/nginx/kubernetes-ingress/pull/8389, https://github.com/nginx/kubernetes-ingress/pull/8438, https://github.com/nginx/kubernetes-ingress/pull/8502) Update golang:1.25-alpine docker digest to 182059d (main) +- [8387](https://github.com/nginx/kubernetes-ingress/pull/8387) Update dependency pyyaml to v6.0.3 (main) +- [8388](https://github.com/nginx/kubernetes-ingress/pull/8388) Update dependency wrapt to v1.17.3 (main) +- [8381](https://github.com/nginx/kubernetes-ingress/pull/8381) Update renovate configuration +- [8375](https://github.com/nginx/kubernetes-ingress/pull/8375) Update docker/login-action action to v3.6.0 +- [8466](https://github.com/nginx/kubernetes-ingress/pull/8366, https://github.com/nginx/kubernetes-ingress/pull/8443, https://github.com/nginx/kubernetes-ingress/pull/8466) Update 
balabit/syslog-ng docker tag to v4.10.2 (main) +- [8362](https://github.com/nginx/kubernetes-ingress/pull/8362) Update examples with keycloak 26.x +- [8350](https://github.com/nginx/kubernetes-ingress/pull/8350) Update dependency cffi to v2 +- [8356](https://github.com/nginx/kubernetes-ingress/pull/8356) Update peter-evans/dockerhub-description action to v5 +- [8355](https://github.com/nginx/kubernetes-ingress/pull/8355) Update dependency grpcio to v1.75.1 +- [8349](https://github.com/nginx/kubernetes-ingress/pull/8349) Update k8s.io/utils digest to bc988d5 +- [8337](https://github.com/nginx/kubernetes-ingress/pull/8337) Update module github.com/golang-jwt/jwt/v4 to v5 +- [8343](https://github.com/nginx/kubernetes-ingress/pull/8343) Update actions/cache action to v4.3.0 +- [8344](https://github.com/nginx/kubernetes-ingress/pull/8344) Update dependency certifi to v2025.8.3 +- [8332](https://github.com/nginx/kubernetes-ingress/pull/8332) Update ossf/scorecard-action action to v2.4.3 +- [8333](https://github.com/nginx/kubernetes-ingress/pull/8333) Update dependency pycparser to v2.23 +- [8582](https://github.com/nginx/kubernetes-ingress/pull/8326, https://github.com/nginx/kubernetes-ingress/pull/8564, https://github.com/nginx/kubernetes-ingress/pull/8582) Update module github.com/gkampitakis/go-snaps to v0.5.17 (main) +- [8323](https://github.com/nginx/kubernetes-ingress/pull/8323) Update dependency cryptography to v46.0.2 +- [8309](https://github.com/nginx/kubernetes-ingress/pull/8309) Update aws-sdk-go-v2 monorepo +- [8312](https://github.com/nginx/kubernetes-ingress/pull/8312) Update dependency requests to v2.32.5 +- [8584](https://github.com/nginx/kubernetes-ingress/pull/8307, https://github.com/nginx/kubernetes-ingress/pull/8374, https://github.com/nginx/kubernetes-ingress/pull/8570, https://github.com/nginx/kubernetes-ingress/pull/8584) Update docker/dockerfile docker tag to v1.20 (main) +- [8595](https://github.com/nginx/kubernetes-ingress/pull/8308, 
https://github.com/nginx/kubernetes-ingress/pull/8459, https://github.com/nginx/kubernetes-ingress/pull/8510, https://github.com/nginx/kubernetes-ingress/pull/8565, https://github.com/nginx/kubernetes-ingress/pull/8576, https://github.com/nginx/kubernetes-ingress/pull/8595) Update quay.io/keycloak/keycloak docker tag to v26.4.7 (main) +- [8300](https://github.com/nginx/kubernetes-ingress/pull/8300) Chore(deps): bump the actions group across 1 directory with 5 updates +- [8298](https://github.com/nginx/kubernetes-ingress/pull/8298) Chore: configure renovate +- [8566](https://github.com/nginx/kubernetes-ingress/pull/8286, https://github.com/nginx/kubernetes-ingress/pull/8369, https://github.com/nginx/kubernetes-ingress/pull/8423, https://github.com/nginx/kubernetes-ingress/pull/8539, https://github.com/nginx/kubernetes-ingress/pull/8566) [pre-commit.ci] pre-commit autoupdate +- [8287](https://github.com/nginx/kubernetes-ingress/pull/8287) Chore(deps): bump the python group with 5 updates +- [8275](https://github.com/nginx/kubernetes-ingress/pull/8275) Chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 in the actions group +- [8270](https://github.com/nginx/kubernetes-ingress/pull/8270) Chore(deps): bump the python group with 5 updates +- [8269](https://github.com/nginx/kubernetes-ingress/pull/8269) Chore(deps): bump the actions group with 2 updates +- [8252](https://github.com/nginx/kubernetes-ingress/pull/8252) Bump preflight version to v1.14.1 +- [8254](https://github.com/nginx/kubernetes-ingress/pull/8248, https://github.com/nginx/kubernetes-ingress/pull/8254) Chore(deps): bump python from `d99178e` to `a805109` in /tests +- [8263](https://github.com/nginx/kubernetes-ingress/pull/8249, https://github.com/nginx/kubernetes-ingress/pull/8263) Chore(deps): bump github/codeql-action from 3.30.1 to 3.30.3 in the actions group +- [8243](https://github.com/nginx/kubernetes-ingress/pull/8243) Chore(deps): bump the python group with 2 updates + +### {{% icon 
download %}} Upgrade +- For NGINX, use the 5.3.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=5.3.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 5.3.0 images from the F5 Container registry or build your own image using the 5.3.0 source code. +- For Helm, use version 2.4.0 of the chart. + +### {{% icon life-buoy %}} Supported Platforms +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.27-1.34. + ## 5.3.0 08 Dec 2025 From 1e2d75156ab073f62d3d47e975123df14a19dc96 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 5 Dec 2025 12:10:03 +0000 Subject: [PATCH 16/23] Update release notes for 5.3.0 --- content/nic/changelog/_index.md | 88 +++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) diff --git a/content/nic/changelog/_index.md b/content/nic/changelog/_index.md index 5ea5af459..d5ab12b02 100644 --- a/content/nic/changelog/_index.md +++ b/content/nic/changelog/_index.md 
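Review bot: The new `## 5.3.0` block in content/nic/changelog/_index.md is inserted directly above an existing `## 5.3.0` / `08 Dec 2025` heading, which shows up as the unchanged context at the end of the hunk, so the page ends up with two headings for the same release. Replace the existing section instead of prepending another copy, or remove the older one in this same commit so the changelog never renders the release twice.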
@@ -27,6 +27,94 @@ For older releases, check the changelogs for previous years: [2024]({{< ref "/ni + +## 5.3.0 + +08 Dec 2025 + +### {{% icon rocket %}} Features +- [8292](https://github.com/nginx/kubernetes-ingress/pull/8292) Add sslverify for jwksuri +- [8447](https://github.com/nginx/kubernetes-ingress/pull/8447) Add support for ssl ciphers related annotations +- [8340](https://github.com/nginx/kubernetes-ingress/pull/8340) Implement oidc front channel logout nginx directives +- [8495](https://github.com/nginx/kubernetes-ingress/pull/8495) Add oidc timeout customization to configmap +- [8453](https://github.com/nginx/kubernetes-ingress/pull/8453) Support namespaced upstream service reference in virtualserver +- [8508](https://github.com/nginx/kubernetes-ingress/pull/8508) Add rewrite-target annotation +- [8548](https://github.com/nginx/kubernetes-ingress/pull/8548) Add `client-body-buffer-size` directive to ingress annotations & configmap +- [8557](https://github.com/nginx/kubernetes-ingress/pull/8557) Add client-body-buffer-size directive to virtualserver +- [8556](https://github.com/nginx/kubernetes-ingress/pull/8556) Add oidc policy idp tls validation +- [8533](https://github.com/nginx/kubernetes-ingress/pull/8533) Extend cache policy for more configurable parameters + +### {{% icon bug %}} Fixes +- [8299](https://github.com/nginx/kubernetes-ingress/pull/8299) Remove type field for objects with schema ref +- [8455](https://github.com/nginx/kubernetes-ingress/pull/8455) Cleanup stale socket files on startup +- [8460](https://github.com/nginx/kubernetes-ingress/pull/8460) Wrap oidc fclo initiated test in a while loop + +### {{% icon arrow-up %}} Dependencies +- [8553](https://github.com/nginx/kubernetes-ingress/pull/8553) Bump Go dependencies +- [8244](https://github.com/nginx/kubernetes-ingress/pull/8244), [8279](https://github.com/nginx/kubernetes-ingress/pull/8279), [8284](https://github.com/nginx/kubernetes-ingress/pull/8284), 
[8595](https://github.com/nginx/kubernetes-ingress/pull/8308, https://github.com/nginx/kubernetes-ingress/pull/8459, https://github.com/nginx/kubernetes-ingress/pull/8510, https://github.com/nginx/kubernetes-ingress/pull/8565, https://github.com/nginx/kubernetes-ingress/pull/8576, https://github.com/nginx/kubernetes-ingress/pull/8595), [8584](https://github.com/nginx/kubernetes-ingress/pull/8307, https://github.com/nginx/kubernetes-ingress/pull/8374, https://github.com/nginx/kubernetes-ingress/pull/8570, https://github.com/nginx/kubernetes-ingress/pull/8584), [8315](https://github.com/nginx/kubernetes-ingress/pull/8315), [8324](https://github.com/nginx/kubernetes-ingress/pull/8324), [8334](https://github.com/nginx/kubernetes-ingress/pull/8334), [8466](https://github.com/nginx/kubernetes-ingress/pull/8366, https://github.com/nginx/kubernetes-ingress/pull/8443, https://github.com/nginx/kubernetes-ingress/pull/8466), [8384](https://github.com/nginx/kubernetes-ingress/pull/8384), [8502](https://github.com/nginx/kubernetes-ingress/pull/8389, https://github.com/nginx/kubernetes-ingress/pull/8438, https://github.com/nginx/kubernetes-ingress/pull/8502), [8406](https://github.com/nginx/kubernetes-ingress/pull/8406), [8588](https://github.com/nginx/kubernetes-ingress/pull/8431, https://github.com/nginx/kubernetes-ingress/pull/8588), [8589](https://github.com/nginx/kubernetes-ingress/pull/8432, https://github.com/nginx/kubernetes-ingress/pull/8589), [8598](https://github.com/nginx/kubernetes-ingress/pull/8437, https://github.com/nginx/kubernetes-ingress/pull/8449, https://github.com/nginx/kubernetes-ingress/pull/8461, https://github.com/nginx/kubernetes-ingress/pull/8491, https://github.com/nginx/kubernetes-ingress/pull/8501, https://github.com/nginx/kubernetes-ingress/pull/8550, https://github.com/nginx/kubernetes-ingress/pull/8563, https://github.com/nginx/kubernetes-ingress/pull/8580, https://github.com/nginx/kubernetes-ingress/pull/8598), 
[8575](https://github.com/nginx/kubernetes-ingress/pull/8439, https://github.com/nginx/kubernetes-ingress/pull/8451, https://github.com/nginx/kubernetes-ingress/pull/8558, https://github.com/nginx/kubernetes-ingress/pull/8575), [8542](https://github.com/nginx/kubernetes-ingress/pull/8448, https://github.com/nginx/kubernetes-ingress/pull/8471, https://github.com/nginx/kubernetes-ingress/pull/8542), [8543](https://github.com/nginx/kubernetes-ingress/pull/8450, https://github.com/nginx/kubernetes-ingress/pull/8462, https://github.com/nginx/kubernetes-ingress/pull/8482, https://github.com/nginx/kubernetes-ingress/pull/8543), [8599](https://github.com/nginx/kubernetes-ingress/pull/8436, https://github.com/nginx/kubernetes-ingress/pull/8490, https://github.com/nginx/kubernetes-ingress/pull/8549, https://github.com/nginx/kubernetes-ingress/pull/8562, https://github.com/nginx/kubernetes-ingress/pull/8579, https://github.com/nginx/kubernetes-ingress/pull/8587, https://github.com/nginx/kubernetes-ingress/pull/8599), [8551](https://github.com/nginx/kubernetes-ingress/pull/8474, https://github.com/nginx/kubernetes-ingress/pull/8551), [8484](https://github.com/nginx/kubernetes-ingress/pull/8484), [8475](https://github.com/nginx/kubernetes-ingress/pull/8475), [8497](https://github.com/nginx/kubernetes-ingress/pull/8497), [8498](https://github.com/nginx/kubernetes-ingress/pull/8498), [8499](https://github.com/nginx/kubernetes-ingress/pull/8499), [8596](https://github.com/nginx/kubernetes-ingress/pull/8513, https://github.com/nginx/kubernetes-ingress/pull/8596), [8511](https://github.com/nginx/kubernetes-ingress/pull/8511) & [8581](https://github.com/nginx/kubernetes-ingress/pull/8581) Bump Docker dependencies +- [8577](https://github.com/nginx/kubernetes-ingress/pull/8577) Update module golang.org/x/tools to v0.39.0 (main) +- [8578](https://github.com/nginx/kubernetes-ingress/pull/8578) Update module mvdan.cc/gofumpt to v0.9.2 (main) +- 
[8569](https://github.com/nginx/kubernetes-ingress/pull/8569) Update aws-sdk-go-v2 monorepo (main) +- [8560](https://github.com/nginx/kubernetes-ingress/pull/8560) Update pre-commit hook rhysd/actionlint to v1.7.9 (main) +- [8552](https://github.com/nginx/kubernetes-ingress/pull/8552) Update kubernetes packages to v0.34.2 (main) +- [8544](https://github.com/nginx/kubernetes-ingress/pull/8544) Update aws-sdk-go-v2 monorepo (main) +- [8524](https://github.com/nginx/kubernetes-ingress/pull/8524) Update module github.com/aws/aws-sdk-go-v2/config to v1.31.18 (main) +- [8526](https://github.com/nginx/kubernetes-ingress/pull/8526) Update pre-commit hook psf/black-pre-commit-mirror to v25.11.0 (main) +- [8514](https://github.com/nginx/kubernetes-ingress/pull/8514) Update test containers to v0.2.6 +- [8492](https://github.com/nginx/kubernetes-ingress/pull/8492) Update dependency clusterrole to rbac.authorization.k8s.io/v1 (main) +- [8503](https://github.com/nginx/kubernetes-ingress/pull/8493, https://github.com/nginx/kubernetes-ingress/pull/8503) Update dependency go to v1.25.4 (main) +- [8483](https://github.com/nginx/kubernetes-ingress/pull/8483) Update aws-sdk-go-v2 monorepo (main) +- [8486](https://github.com/nginx/kubernetes-ingress/pull/8486) Update renovate to bump minor go versions +- [8465](https://github.com/nginx/kubernetes-ingress/pull/8465) Update module github.com/nginx/nginx-prometheus-exporter to v1.5.1 (main) +- [8464](https://github.com/nginx/kubernetes-ingress/pull/8464) Update aws-sdk-go-v2 monorepo (main) +- [8445](https://github.com/nginx/kubernetes-ingress/pull/8445) Use renovate to monitor test data yaml files +- [8428](https://github.com/nginx/kubernetes-ingress/pull/8428) Update module github.com/cert-manager/cert-manager to v1.19.1 (main) +- [8440](https://github.com/nginx/kubernetes-ingress/pull/8440) Update aws-sdk-go-v2 monorepo (main) +- [8401](https://github.com/nginx/kubernetes-ingress/pull/8401) Upgrade 
github.com/nginx/nginx-plus-go-client/v3 to v3.0.1 +- [8572](https://github.com/nginx/kubernetes-ingress/pull/8396, https://github.com/nginx/kubernetes-ingress/pull/8476, https://github.com/nginx/kubernetes-ingress/pull/8572) Update module github.com/gruntwork-io/terratest to v0.54.0 (main) +- [8429](https://github.com/nginx/kubernetes-ingress/pull/8429) Update module github.com/cert-manager/cert-manager to v1.19.0 (main) +- [8427](https://github.com/nginx/kubernetes-ingress/pull/8427) Update renovate pr's in github workflow +- [8424](https://github.com/nginx/kubernetes-ingress/pull/8424) Allow renovate to run postupgradetasks +- [8397](https://github.com/nginx/kubernetes-ingress/pull/8397) Correct space in github actions, update renovate syntax +- [8559](https://github.com/nginx/kubernetes-ingress/pull/8405, https://github.com/nginx/kubernetes-ingress/pull/8525, https://github.com/nginx/kubernetes-ingress/pull/8559) Update pre-commit hook asottile/pyupgrade to v3.21.2 (main) +- [8387](https://github.com/nginx/kubernetes-ingress/pull/8387) Update dependency pyyaml to v6.0.3 (main) +- [8388](https://github.com/nginx/kubernetes-ingress/pull/8388) Update dependency wrapt to v1.17.3 (main) +- [8381](https://github.com/nginx/kubernetes-ingress/pull/8381) Update renovate configuration +- [8375](https://github.com/nginx/kubernetes-ingress/pull/8375) Update docker/login-action action to v3.6.0 +- [8362](https://github.com/nginx/kubernetes-ingress/pull/8362) Update examples with keycloak 26.x +- [8350](https://github.com/nginx/kubernetes-ingress/pull/8350) Update dependency cffi to v2 +- [8356](https://github.com/nginx/kubernetes-ingress/pull/8356) Update peter-evans/dockerhub-description action to v5 +- [8355](https://github.com/nginx/kubernetes-ingress/pull/8355) Update dependency grpcio to v1.75.1 +- [8349](https://github.com/nginx/kubernetes-ingress/pull/8349) Update k8s.io/utils digest to bc988d5 +- [8337](https://github.com/nginx/kubernetes-ingress/pull/8337) Update 
module github.com/golang-jwt/jwt/v4 to v5 +- [8343](https://github.com/nginx/kubernetes-ingress/pull/8343) Update actions/cache action to v4.3.0 +- [8344](https://github.com/nginx/kubernetes-ingress/pull/8344) Update dependency certifi to v2025.8.3 +- [8332](https://github.com/nginx/kubernetes-ingress/pull/8332) Update ossf/scorecard-action action to v2.4.3 +- [8333](https://github.com/nginx/kubernetes-ingress/pull/8333) Update dependency pycparser to v2.23 +- [8582](https://github.com/nginx/kubernetes-ingress/pull/8326, https://github.com/nginx/kubernetes-ingress/pull/8564, https://github.com/nginx/kubernetes-ingress/pull/8582) Update module github.com/gkampitakis/go-snaps to v0.5.17 (main) +- [8323](https://github.com/nginx/kubernetes-ingress/pull/8323) Update dependency cryptography to v46.0.2 +- [8309](https://github.com/nginx/kubernetes-ingress/pull/8309) Update aws-sdk-go-v2 monorepo +- [8312](https://github.com/nginx/kubernetes-ingress/pull/8312) Update dependency requests to v2.32.5 +- [8300](https://github.com/nginx/kubernetes-ingress/pull/8300) Chore(deps): bump the actions group across 1 directory with 5 updates +- [8298](https://github.com/nginx/kubernetes-ingress/pull/8298) Chore: configure renovate +- [8566](https://github.com/nginx/kubernetes-ingress/pull/8286, https://github.com/nginx/kubernetes-ingress/pull/8369, https://github.com/nginx/kubernetes-ingress/pull/8423, https://github.com/nginx/kubernetes-ingress/pull/8539, https://github.com/nginx/kubernetes-ingress/pull/8566) [pre-commit.ci] pre-commit autoupdate +- [8287](https://github.com/nginx/kubernetes-ingress/pull/8287) Chore(deps): bump the python group with 5 updates +- [8275](https://github.com/nginx/kubernetes-ingress/pull/8275) Chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 in the actions group +- [8270](https://github.com/nginx/kubernetes-ingress/pull/8270) Chore(deps): bump the python group with 5 updates +- [8269](https://github.com/nginx/kubernetes-ingress/pull/8269) 
Chore(deps): bump the actions group with 2 updates +- [8252](https://github.com/nginx/kubernetes-ingress/pull/8252) Bump preflight version to v1.14.1 +- [8254](https://github.com/nginx/kubernetes-ingress/pull/8248, https://github.com/nginx/kubernetes-ingress/pull/8254) Chore(deps): bump python from `d99178e` to `a805109` in /tests +- [8263](https://github.com/nginx/kubernetes-ingress/pull/8249, https://github.com/nginx/kubernetes-ingress/pull/8263) Chore(deps): bump github/codeql-action from 3.30.1 to 3.30.3 in the actions group +- [8243](https://github.com/nginx/kubernetes-ingress/pull/8243) Chore(deps): bump the python group with 2 updates + +### {{% icon download %}} Upgrade +- For NGINX, use the 5.3.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=5.3.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 5.3.0 images from the F5 Container registry or build your own image using the 5.3.0 source code. +- For Helm, use version 2.4.0 of the chart. + +### {{% icon life-buoy %}} Supported Platforms +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.27-1.34. + ## 5.3.0 08 Dec 2025 From 550ebda5fe40a32b4866a3e85f016304f5894ba6 Mon Sep 17 00:00:00 2001 
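Review bot: In the Dependencies list, several entries put more than one URL inside a single link destination, for example the `[8595](...)` group in the consolidated "Bump Docker dependencies" line and the `[8503](...)`, `[8572](...)` and `[8566](...)` entries. A Markdown link destination cannot hold comma-separated URLs, so these will render as literal text, and the label names only the last pull request of each group. Emit one `[number](url)` link per pull request, separated by commas, as the first three links on the "Bump Docker dependencies" line already do.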
From: Gabor Javorszky Date: Fri, 5 Dec 2025 12:26:57 +0000 Subject: [PATCH 17/23] Manually fix up nic release 5.3 docs --- .../nic/compatibility-tables/nic-k8s.md | 23 +- .../nic/compatibility-tables/nic-nap.md | 17 +- content/nic/changelog/_index.md | 344 +----------------- content/nic/technical-specifications.md | 50 ++- 4 files changed, 52 insertions(+), 382 deletions(-) diff --git a/content/includes/nic/compatibility-tables/nic-k8s.md b/content/includes/nic/compatibility-tables/nic-k8s.md index 0f33f373e..25f28c0f4 100644 --- a/content/includes/nic/compatibility-tables/nic-k8s.md +++ b/content/includes/nic/compatibility-tables/nic-k8s.md 
@@ -8,16 +8,17 @@ NGINX Ingress Controller supports the following versions of [NGINX Plus]({{< ref {{< table >}} -| NIC version | Kubernetes versions tested | NIC Helm Chart version | NIC Operator version | NGINX / NGINX Plus version | End of Technical Support | -| --- | --- | --- | --- | --- | --- | -| {{< nic-version >}} | 1.27 - 1.34 | {{< nic-helm-version >}} | {{< nic-operator-version >}} | 1.29.1 / R35 | - | -| 5.1.1 | 1.25 - 1.33 | 2.2.2 | 3.2.3 | 1.29.1 / R35 | Aug 15, 2027 | -| 5.0.0 | 1.25 - 1.32 | 2.1.0 | 3.1.0 | 1.27.4 / R34 | Apr 16, 2027 | -| 4.0.1 | 1.25 - 1.32 | 2.0.1 | 3.0.1 | 1.27.4 / R33 P2 | Feb 7, 2027 | -| 3.7.2 | 1.25 - 1.31 | 1.4.2 | 2.4.2 | 1.27.2 / R32 P1 | Nov 25, 2026 | -| 3.6.2 | 1.25 - 1.31 | 1.3.2 | 2.3.2 | 1.27.1 / R32 P1 | Aug 19, 2026 | -| 3.5.2 | 1.23 - 1.30 | 1.2.2 | 2.2.2 | 1.27.0 / R32 | May 31, 2026 | -| 3.4.3 | 1.23 - 1.29 | 1.1.3 | 2.1.2 | 1.25.4 / R31 P1 | Feb 19, 2026 | -| 3.3.2 | 1.22 - 1.28 | 1.0.2 | 2.0.2 | 1.25.3 / R30 | Nov 1, 2025 | +| NIC version | Kubernetes versions tested | NIC Helm Chart version | NIC Operator version | NGINX / NGINX Plus version | End of Technical Support | +|---------------------|----------------------------|--------------------------|------------------------------|----------------------------|--------------------------| +| {{< nic-version >}} | 1.27 - 1.34 | {{< nic-helm-version >}} | {{< nic-operator-version >}} | 1.29.3 / R36 | - | +| 5.2.1 | 1.27 - 1.34 | 2.3.1 | 3.3.1 | 1.29.1 / R35 | Oct 10, 2027 | +| 5.1.1 | 1.25 - 1.33 | 2.2.2 | 3.2.3 | 1.29.1 / R35 | Aug 15, 2027 | +| 5.0.0 | 1.25 - 1.32 | 2.1.0 | 3.1.0 | 1.27.4 / R34 | Apr 16, 2027 | +| 4.0.1 | 1.25 - 1.32 | 2.0.1 | 3.0.1 | 1.27.4 / R33 P2 | Feb 7, 2027 | +| 3.7.2 | 1.25 - 1.31 | 1.4.2 | 2.4.2 | 1.27.2 / R32 P1 | Nov 25, 2026 | +| 3.6.2 | 1.25 - 1.31 | 1.3.2 | 2.3.2 | 1.27.1 / R32 P1 | Aug 19, 2026 | +| 3.5.2 | 1.23 - 1.30 | 1.2.2 | 2.2.2 | 1.27.0 / R32 | May 31, 2026 | +| 3.4.3 | 1.23 - 1.29 | 1.1.3 | 2.1.2 | 1.25.4 / R31 P1 | Feb 
19, 2026 | +| 3.3.2 | 1.22 - 1.28 | 1.0.2 | 2.0.2 | 1.25.3 / R30 | Nov 1, 2025 | {{< /table >}} \ No newline at end of file diff --git a/content/includes/nic/compatibility-tables/nic-nap.md b/content/includes/nic/compatibility-tables/nic-nap.md index 99309a8a5..1714526b1 100644 --- a/content/includes/nic/compatibility-tables/nic-nap.md +++ b/content/includes/nic/compatibility-tables/nic-nap.md @@ -10,13 +10,14 @@ NGINX Ingress Controller supports the following versions of [F5 WAF for NGINX](h {{< table >}} -| NIC Version | NAP-WAF Version | Config Manager | Enforcer | -| ------------------- | --------------- | -------------- | -------- | -| {{< nic-version >}} | 35+{{< appprotect-compiler-version>}} | {{< nic-waf-release-version >}} | {{< nic-waf-release-version >}} | -| 5.1.1 | 35+5.498 | 5.8.0 | 5.8.0 | -| 5.0.0 | 34+5.342 | 5.6.0 | 5.6.0 | -| 4.0.1 | 33+5.264 | 5.5.0 | 5.5.0 | -| 3.7.2 | 32+5.1 | 5.3.0 | 5.3.0 | -| 3.6.2 | 32+5.48 | 5.2.0 | 5.2.0 | +| NIC Version | NAP-WAF Version | Config Manager | Enforcer | +|---------------------|---------------------------------------|---------------------------------|---------------------------------| +| {{< nic-version >}} | 36+{{< appprotect-compiler-version>}} | {{< nic-waf-release-version >}} | {{< nic-waf-release-version >}} | +| 5.2.1 | 35+5.527.0 | 5.9.0 | 5.9.0 | +| 5.1.1 | 35+5.498 | 5.8.0 | 5.8.0 | +| 5.0.0 | 34+5.342 | 5.6.0 | 5.6.0 | +| 4.0.1 | 33+5.264 | 5.5.0 | 5.5.0 | +| 3.7.2 | 32+5.1 | 5.3.0 | 5.3.0 | +| 3.6.2 | 32+5.48 | 5.2.0 | 5.2.0 | {{< /table >}} diff --git a/content/nic/changelog/_index.md b/content/nic/changelog/_index.md index d5ab12b02..e22d657b4 100644 --- a/content/nic/changelog/_index.md +++ b/content/nic/changelog/_index.md 
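Review bot: In content/includes/nic/compatibility-tables/nic-k8s.md the hunk re-pads every row of the table, which hides the two substantive changes: the `{{< nic-version >}}` row moving from `1.29.1 / R35` to `1.29.3 / R36`, and the new `5.2.1` row with its Oct 10, 2027 end of support. Consider putting the column realignment in its own commit so the data change can be checked on its own. The file also still ends with `\ No newline at end of file`; adding the trailing newline here would stop that marker from reappearing in later diffs.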
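Review bot: In content/includes/nic/compatibility-tables/nic-nap.md the new `5.2.1` row gives the NAP-WAF version as `35+5.527.0`, while the neighbouring rows use a two-part compiler version (`35+5.498`, `34+5.342`, `33+5.264`). Please confirm that the trailing `.0` is intended, or drop it so the column stays consistent. As in nic-k8s.md, the whitespace realignment of all rows makes the one added row and the `35+` to `36+` change on the `{{< nic-version >}}` row harder to review.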
@@ -24,313 +24,6 @@ For older releases, check the changelogs for previous years: [2024]({{< ref "/ni {{< /details >}} - - - - -## 5.3.0 - -08 Dec 2025 - -### {{% icon rocket %}} Features -- [8292](https://github.com/nginx/kubernetes-ingress/pull/8292) Add sslverify for jwksuri -- [8447](https://github.com/nginx/kubernetes-ingress/pull/8447) Add support for ssl ciphers related annotations -- [8340](https://github.com/nginx/kubernetes-ingress/pull/8340) Implement oidc front channel logout nginx directives -- [8495](https://github.com/nginx/kubernetes-ingress/pull/8495) Add oidc timeout customization to configmap -- [8453](https://github.com/nginx/kubernetes-ingress/pull/8453) Support namespaced upstream service reference in virtualserver -- [8508](https://github.com/nginx/kubernetes-ingress/pull/8508) Add rewrite-target annotation -- [8548](https://github.com/nginx/kubernetes-ingress/pull/8548) Add `client-body-buffer-size` directive to ingress annotations & configmap -- [8557](https://github.com/nginx/kubernetes-ingress/pull/8557) Add client-body-buffer-size directive to virtualserver -- [8556](https://github.com/nginx/kubernetes-ingress/pull/8556) Add oidc policy idp tls validation -- [8533](https://github.com/nginx/kubernetes-ingress/pull/8533) Extend cache policy for more configurable parameters - -### {{% icon bug %}} Fixes -- [8299](https://github.com/nginx/kubernetes-ingress/pull/8299) Remove type field for objects with schema ref -- [8455](https://github.com/nginx/kubernetes-ingress/pull/8455) Cleanup stale socket files on startup -- [8460](https://github.com/nginx/kubernetes-ingress/pull/8460) Wrap oidc fclo initiated test in a while loop - -### {{% icon arrow-up %}} Dependencies -- [8553](https://github.com/nginx/kubernetes-ingress/pull/8553) Bump Go dependencies -- [8244](https://github.com/nginx/kubernetes-ingress/pull/8244), [8279](https://github.com/nginx/kubernetes-ingress/pull/8279), [8284](https://github.com/nginx/kubernetes-ingress/pull/8284), 
[8595](https://github.com/nginx/kubernetes-ingress/pull/8308, https://github.com/nginx/kubernetes-ingress/pull/8459, https://github.com/nginx/kubernetes-ingress/pull/8510, https://github.com/nginx/kubernetes-ingress/pull/8565, https://github.com/nginx/kubernetes-ingress/pull/8576, https://github.com/nginx/kubernetes-ingress/pull/8595), [8584](https://github.com/nginx/kubernetes-ingress/pull/8307, https://github.com/nginx/kubernetes-ingress/pull/8374, https://github.com/nginx/kubernetes-ingress/pull/8570, https://github.com/nginx/kubernetes-ingress/pull/8584), [8315](https://github.com/nginx/kubernetes-ingress/pull/8315), [8324](https://github.com/nginx/kubernetes-ingress/pull/8324), [8334](https://github.com/nginx/kubernetes-ingress/pull/8334), [8466](https://github.com/nginx/kubernetes-ingress/pull/8366, https://github.com/nginx/kubernetes-ingress/pull/8443, https://github.com/nginx/kubernetes-ingress/pull/8466), [8384](https://github.com/nginx/kubernetes-ingress/pull/8384), [8502](https://github.com/nginx/kubernetes-ingress/pull/8389, https://github.com/nginx/kubernetes-ingress/pull/8438, https://github.com/nginx/kubernetes-ingress/pull/8502), [8406](https://github.com/nginx/kubernetes-ingress/pull/8406), [8588](https://github.com/nginx/kubernetes-ingress/pull/8431, https://github.com/nginx/kubernetes-ingress/pull/8588), [8589](https://github.com/nginx/kubernetes-ingress/pull/8432, https://github.com/nginx/kubernetes-ingress/pull/8589), [8598](https://github.com/nginx/kubernetes-ingress/pull/8437, https://github.com/nginx/kubernetes-ingress/pull/8449, https://github.com/nginx/kubernetes-ingress/pull/8461, https://github.com/nginx/kubernetes-ingress/pull/8491, https://github.com/nginx/kubernetes-ingress/pull/8501, https://github.com/nginx/kubernetes-ingress/pull/8550, https://github.com/nginx/kubernetes-ingress/pull/8563, https://github.com/nginx/kubernetes-ingress/pull/8580, https://github.com/nginx/kubernetes-ingress/pull/8598), 
[8575](https://github.com/nginx/kubernetes-ingress/pull/8439, https://github.com/nginx/kubernetes-ingress/pull/8451, https://github.com/nginx/kubernetes-ingress/pull/8558, https://github.com/nginx/kubernetes-ingress/pull/8575), [8542](https://github.com/nginx/kubernetes-ingress/pull/8448, https://github.com/nginx/kubernetes-ingress/pull/8471, https://github.com/nginx/kubernetes-ingress/pull/8542), [8543](https://github.com/nginx/kubernetes-ingress/pull/8450, https://github.com/nginx/kubernetes-ingress/pull/8462, https://github.com/nginx/kubernetes-ingress/pull/8482, https://github.com/nginx/kubernetes-ingress/pull/8543), [8599](https://github.com/nginx/kubernetes-ingress/pull/8436, https://github.com/nginx/kubernetes-ingress/pull/8490, https://github.com/nginx/kubernetes-ingress/pull/8549, https://github.com/nginx/kubernetes-ingress/pull/8562, https://github.com/nginx/kubernetes-ingress/pull/8579, https://github.com/nginx/kubernetes-ingress/pull/8587, https://github.com/nginx/kubernetes-ingress/pull/8599), [8551](https://github.com/nginx/kubernetes-ingress/pull/8474, https://github.com/nginx/kubernetes-ingress/pull/8551), [8484](https://github.com/nginx/kubernetes-ingress/pull/8484), [8475](https://github.com/nginx/kubernetes-ingress/pull/8475), [8497](https://github.com/nginx/kubernetes-ingress/pull/8497), [8498](https://github.com/nginx/kubernetes-ingress/pull/8498), [8499](https://github.com/nginx/kubernetes-ingress/pull/8499), [8596](https://github.com/nginx/kubernetes-ingress/pull/8513, https://github.com/nginx/kubernetes-ingress/pull/8596), [8511](https://github.com/nginx/kubernetes-ingress/pull/8511) & [8581](https://github.com/nginx/kubernetes-ingress/pull/8581) Bump Docker dependencies -- [8577](https://github.com/nginx/kubernetes-ingress/pull/8577) Update module golang.org/x/tools to v0.39.0 (main) -- [8578](https://github.com/nginx/kubernetes-ingress/pull/8578) Update module mvdan.cc/gofumpt to v0.9.2 (main) -- 
[8569](https://github.com/nginx/kubernetes-ingress/pull/8569) Update aws-sdk-go-v2 monorepo (main) -- [8560](https://github.com/nginx/kubernetes-ingress/pull/8560) Update pre-commit hook rhysd/actionlint to v1.7.9 (main) -- [8552](https://github.com/nginx/kubernetes-ingress/pull/8552) Update kubernetes packages to v0.34.2 (main) -- [8544](https://github.com/nginx/kubernetes-ingress/pull/8544) Update aws-sdk-go-v2 monorepo (main) -- [8524](https://github.com/nginx/kubernetes-ingress/pull/8524) Update module github.com/aws/aws-sdk-go-v2/config to v1.31.18 (main) -- [8526](https://github.com/nginx/kubernetes-ingress/pull/8526) Update pre-commit hook psf/black-pre-commit-mirror to v25.11.0 (main) -- [8514](https://github.com/nginx/kubernetes-ingress/pull/8514) Update test containers to v0.2.6 -- [8492](https://github.com/nginx/kubernetes-ingress/pull/8492) Update dependency clusterrole to rbac.authorization.k8s.io/v1 (main) -- [8503](https://github.com/nginx/kubernetes-ingress/pull/8493, https://github.com/nginx/kubernetes-ingress/pull/8503) Update dependency go to v1.25.4 (main) -- [8483](https://github.com/nginx/kubernetes-ingress/pull/8483) Update aws-sdk-go-v2 monorepo (main) -- [8486](https://github.com/nginx/kubernetes-ingress/pull/8486) Update renovate to bump minor go versions -- [8465](https://github.com/nginx/kubernetes-ingress/pull/8465) Update module github.com/nginx/nginx-prometheus-exporter to v1.5.1 (main) -- [8464](https://github.com/nginx/kubernetes-ingress/pull/8464) Update aws-sdk-go-v2 monorepo (main) -- [8445](https://github.com/nginx/kubernetes-ingress/pull/8445) Use renovate to monitor test data yaml files -- [8428](https://github.com/nginx/kubernetes-ingress/pull/8428) Update module github.com/cert-manager/cert-manager to v1.19.1 (main) -- [8440](https://github.com/nginx/kubernetes-ingress/pull/8440) Update aws-sdk-go-v2 monorepo (main) -- [8401](https://github.com/nginx/kubernetes-ingress/pull/8401) Upgrade 
github.com/nginx/nginx-plus-go-client/v3 to v3.0.1 -- [8572](https://github.com/nginx/kubernetes-ingress/pull/8396, https://github.com/nginx/kubernetes-ingress/pull/8476, https://github.com/nginx/kubernetes-ingress/pull/8572) Update module github.com/gruntwork-io/terratest to v0.54.0 (main) -- [8429](https://github.com/nginx/kubernetes-ingress/pull/8429) Update module github.com/cert-manager/cert-manager to v1.19.0 (main) -- [8427](https://github.com/nginx/kubernetes-ingress/pull/8427) Update renovate pr's in github workflow -- [8424](https://github.com/nginx/kubernetes-ingress/pull/8424) Allow renovate to run postupgradetasks -- [8397](https://github.com/nginx/kubernetes-ingress/pull/8397) Correct space in github actions, update renovate syntax -- [8559](https://github.com/nginx/kubernetes-ingress/pull/8405, https://github.com/nginx/kubernetes-ingress/pull/8525, https://github.com/nginx/kubernetes-ingress/pull/8559) Update pre-commit hook asottile/pyupgrade to v3.21.2 (main) -- [8387](https://github.com/nginx/kubernetes-ingress/pull/8387) Update dependency pyyaml to v6.0.3 (main) -- [8388](https://github.com/nginx/kubernetes-ingress/pull/8388) Update dependency wrapt to v1.17.3 (main) -- [8381](https://github.com/nginx/kubernetes-ingress/pull/8381) Update renovate configuration -- [8375](https://github.com/nginx/kubernetes-ingress/pull/8375) Update docker/login-action action to v3.6.0 -- [8362](https://github.com/nginx/kubernetes-ingress/pull/8362) Update examples with keycloak 26.x -- [8350](https://github.com/nginx/kubernetes-ingress/pull/8350) Update dependency cffi to v2 -- [8356](https://github.com/nginx/kubernetes-ingress/pull/8356) Update peter-evans/dockerhub-description action to v5 -- [8355](https://github.com/nginx/kubernetes-ingress/pull/8355) Update dependency grpcio to v1.75.1 -- [8349](https://github.com/nginx/kubernetes-ingress/pull/8349) Update k8s.io/utils digest to bc988d5 -- [8337](https://github.com/nginx/kubernetes-ingress/pull/8337) Update 
module github.com/golang-jwt/jwt/v4 to v5 -- [8343](https://github.com/nginx/kubernetes-ingress/pull/8343) Update actions/cache action to v4.3.0 -- [8344](https://github.com/nginx/kubernetes-ingress/pull/8344) Update dependency certifi to v2025.8.3 -- [8332](https://github.com/nginx/kubernetes-ingress/pull/8332) Update ossf/scorecard-action action to v2.4.3 -- [8333](https://github.com/nginx/kubernetes-ingress/pull/8333) Update dependency pycparser to v2.23 -- [8582](https://github.com/nginx/kubernetes-ingress/pull/8326, https://github.com/nginx/kubernetes-ingress/pull/8564, https://github.com/nginx/kubernetes-ingress/pull/8582) Update module github.com/gkampitakis/go-snaps to v0.5.17 (main) -- [8323](https://github.com/nginx/kubernetes-ingress/pull/8323) Update dependency cryptography to v46.0.2 -- [8309](https://github.com/nginx/kubernetes-ingress/pull/8309) Update aws-sdk-go-v2 monorepo -- [8312](https://github.com/nginx/kubernetes-ingress/pull/8312) Update dependency requests to v2.32.5 -- [8300](https://github.com/nginx/kubernetes-ingress/pull/8300) Chore(deps): bump the actions group across 1 directory with 5 updates -- [8298](https://github.com/nginx/kubernetes-ingress/pull/8298) Chore: configure renovate -- [8566](https://github.com/nginx/kubernetes-ingress/pull/8286, https://github.com/nginx/kubernetes-ingress/pull/8369, https://github.com/nginx/kubernetes-ingress/pull/8423, https://github.com/nginx/kubernetes-ingress/pull/8539, https://github.com/nginx/kubernetes-ingress/pull/8566) [pre-commit.ci] pre-commit autoupdate -- [8287](https://github.com/nginx/kubernetes-ingress/pull/8287) Chore(deps): bump the python group with 5 updates -- [8275](https://github.com/nginx/kubernetes-ingress/pull/8275) Chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 in the actions group -- [8270](https://github.com/nginx/kubernetes-ingress/pull/8270) Chore(deps): bump the python group with 5 updates -- [8269](https://github.com/nginx/kubernetes-ingress/pull/8269) 
Chore(deps): bump the actions group with 2 updates -- [8252](https://github.com/nginx/kubernetes-ingress/pull/8252) Bump preflight version to v1.14.1 -- [8254](https://github.com/nginx/kubernetes-ingress/pull/8248, https://github.com/nginx/kubernetes-ingress/pull/8254) Chore(deps): bump python from `d99178e` to `a805109` in /tests -- [8263](https://github.com/nginx/kubernetes-ingress/pull/8249, https://github.com/nginx/kubernetes-ingress/pull/8263) Chore(deps): bump github/codeql-action from 3.30.1 to 3.30.3 in the actions group -- [8243](https://github.com/nginx/kubernetes-ingress/pull/8243) Chore(deps): bump the python group with 2 updates - -### {{% icon download %}} Upgrade -- For NGINX, use the 5.3.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=5.3.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). -- For NGINX Plus, use the 5.3.0 images from the F5 Container registry or build your own image using the 5.3.0 source code. -- For Helm, use version 2.4.0 of the chart. - -### {{% icon life-buoy %}} Supported Platforms -We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.27-1.34. 
- -## 5.3.0 - -08 Dec 2025 - -### {{% icon rocket %}} Features -- [8292](https://github.com/nginx/kubernetes-ingress/pull/8292) Add sslverify for jwksuri -- [8447](https://github.com/nginx/kubernetes-ingress/pull/8447) Add support for ssl ciphers related annotations -- [8340](https://github.com/nginx/kubernetes-ingress/pull/8340) Implement oidc front channel logout nginx directives -- [8495](https://github.com/nginx/kubernetes-ingress/pull/8495) Add oidc timeout customization to configmap -- [8453](https://github.com/nginx/kubernetes-ingress/pull/8453) Support namespaced upstream service reference in virtualserver -- [8508](https://github.com/nginx/kubernetes-ingress/pull/8508) Add rewrite-target annotation -- [8548](https://github.com/nginx/kubernetes-ingress/pull/8548) Add `client-body-buffer-size` directive to ingress annotations & configmap -- [8557](https://github.com/nginx/kubernetes-ingress/pull/8557) Add client-body-buffer-size directive to virtualserver -- [8556](https://github.com/nginx/kubernetes-ingress/pull/8556) Add oidc policy idp tls validation -- [8533](https://github.com/nginx/kubernetes-ingress/pull/8533) Extend cache policy for more configurable parameters - -### {{% icon bug %}} Fixes -- [8299](https://github.com/nginx/kubernetes-ingress/pull/8299) Remove type field for objects with schema ref -- [8455](https://github.com/nginx/kubernetes-ingress/pull/8455) Cleanup stale socket files on startup -- [8460](https://github.com/nginx/kubernetes-ingress/pull/8460) Wrap oidc fclo initiated test in a while loop - -### {{% icon arrow-up %}} Dependencies -- [8553](https://github.com/nginx/kubernetes-ingress/pull/8553) Bump Go dependencies -- [8244](https://github.com/nginx/kubernetes-ingress/pull/8244), [8279](https://github.com/nginx/kubernetes-ingress/pull/8279), [8284](https://github.com/nginx/kubernetes-ingress/pull/8284), [8315](https://github.com/nginx/kubernetes-ingress/pull/8315), [8324](https://github.com/nginx/kubernetes-ingress/pull/8324), 
[8334](https://github.com/nginx/kubernetes-ingress/pull/8334) & [8384](https://github.com/nginx/kubernetes-ingress/pull/8384) Bump Docker dependencies -- [8581](https://github.com/nginx/kubernetes-ingress/pull/8581) Update python:3.14-trixie docker digest to d88b120 (main) -- [8577](https://github.com/nginx/kubernetes-ingress/pull/8577) Update module golang.org/x/tools to v0.39.0 (main) -- [8578](https://github.com/nginx/kubernetes-ingress/pull/8578) Update module mvdan.cc/gofumpt to v0.9.2 (main) -- [8569](https://github.com/nginx/kubernetes-ingress/pull/8569) Update aws-sdk-go-v2 monorepo (main) -- [8560](https://github.com/nginx/kubernetes-ingress/pull/8560) Update pre-commit hook rhysd/actionlint to v1.7.9 (main) -- [8552](https://github.com/nginx/kubernetes-ingress/pull/8552) Update kubernetes packages to v0.34.2 (main) -- [8544](https://github.com/nginx/kubernetes-ingress/pull/8544) Update aws-sdk-go-v2 monorepo (main) -- [8524](https://github.com/nginx/kubernetes-ingress/pull/8524) Update module github.com/aws/aws-sdk-go-v2/config to v1.31.18 (main) -- [8526](https://github.com/nginx/kubernetes-ingress/pull/8526) Update pre-commit hook psf/black-pre-commit-mirror to v25.11.0 (main) -- [8511](https://github.com/nginx/kubernetes-ingress/pull/8511) Update docker-registry.nginx.com/nap-dos/app_protect_dos_arb docker tag to v1.2.0 (main) -- [8514](https://github.com/nginx/kubernetes-ingress/pull/8514) Update test containers to v0.2.6 -- [8596](https://github.com/nginx/kubernetes-ingress/pull/8513, https://github.com/nginx/kubernetes-ingress/pull/8596) Update registry.k8s.io/external-dns/external-dns docker tag to v0.20.0 (main) -- [8492](https://github.com/nginx/kubernetes-ingress/pull/8492) Update dependency clusterrole to rbac.authorization.k8s.io/v1 (main) -- [8499](https://github.com/nginx/kubernetes-ingress/pull/8499) Update quay.io/jetstack/cert-manager-webhook docker tag to v1.19.1 (main) -- [8498](https://github.com/nginx/kubernetes-ingress/pull/8498) 
Update quay.io/jetstack/cert-manager-controller docker tag to v1.19.1 (main) -- [8497](https://github.com/nginx/kubernetes-ingress/pull/8497) Update quay.io/jetstack/cert-manager-cainjector docker tag to v1.19.1 (main) -- [8503](https://github.com/nginx/kubernetes-ingress/pull/8493, https://github.com/nginx/kubernetes-ingress/pull/8503) Update dependency go to v1.25.4 (main) -- [8475](https://github.com/nginx/kubernetes-ingress/pull/8475) Update kindest/node docker tag to v1.34.0 (main) -- [8484](https://github.com/nginx/kubernetes-ingress/pull/8484) Update coredns/coredns docker tag to v1.13.1 (main) -- [8483](https://github.com/nginx/kubernetes-ingress/pull/8483) Update aws-sdk-go-v2 monorepo (main) -- [8486](https://github.com/nginx/kubernetes-ingress/pull/8486) Update renovate to bump minor go versions -- [8465](https://github.com/nginx/kubernetes-ingress/pull/8465) Update module github.com/nginx/nginx-prometheus-exporter to v1.5.1 (main) -- [8551](https://github.com/nginx/kubernetes-ingress/pull/8474, https://github.com/nginx/kubernetes-ingress/pull/8551) Update golangci/golangci-lint docker tag to v2.6.2 (main) -- [8464](https://github.com/nginx/kubernetes-ingress/pull/8464) Update aws-sdk-go-v2 monorepo (main) -- [8599](https://github.com/nginx/kubernetes-ingress/pull/8436, https://github.com/nginx/kubernetes-ingress/pull/8490, https://github.com/nginx/kubernetes-ingress/pull/8549, https://github.com/nginx/kubernetes-ingress/pull/8562, https://github.com/nginx/kubernetes-ingress/pull/8579, https://github.com/nginx/kubernetes-ingress/pull/8587, https://github.com/nginx/kubernetes-ingress/pull/8599) Update ghcr.io/nginx/dependencies/nginx-ubi:ubi8 docker digest to fa931e9 (main) -- [8445](https://github.com/nginx/kubernetes-ingress/pull/8445) Use renovate to monitor test data yaml files -- [8543](https://github.com/nginx/kubernetes-ingress/pull/8450, https://github.com/nginx/kubernetes-ingress/pull/8462, https://github.com/nginx/kubernetes-ingress/pull/8482, 
https://github.com/nginx/kubernetes-ingress/pull/8543) Update python:3.14-bookworm docker digest to 407cd1c (main) -- [8542](https://github.com/nginx/kubernetes-ingress/pull/8448, https://github.com/nginx/kubernetes-ingress/pull/8471, https://github.com/nginx/kubernetes-ingress/pull/8542) Update debian:12-slim docker digest to 936abff (main) -- [8428](https://github.com/nginx/kubernetes-ingress/pull/8428) Update module github.com/cert-manager/cert-manager to v1.19.1 (main) -- [8575](https://github.com/nginx/kubernetes-ingress/pull/8439, https://github.com/nginx/kubernetes-ingress/pull/8451, https://github.com/nginx/kubernetes-ingress/pull/8558, https://github.com/nginx/kubernetes-ingress/pull/8575) Update redhat/ubi8 docker digest to a444712 (main) -- [8440](https://github.com/nginx/kubernetes-ingress/pull/8440) Update aws-sdk-go-v2 monorepo (main) -- [8401](https://github.com/nginx/kubernetes-ingress/pull/8401) Upgrade github.com/nginx/nginx-plus-go-client/v3 to v3.0.1 -- [8598](https://github.com/nginx/kubernetes-ingress/pull/8437, https://github.com/nginx/kubernetes-ingress/pull/8449, https://github.com/nginx/kubernetes-ingress/pull/8461, https://github.com/nginx/kubernetes-ingress/pull/8491, https://github.com/nginx/kubernetes-ingress/pull/8501, https://github.com/nginx/kubernetes-ingress/pull/8550, https://github.com/nginx/kubernetes-ingress/pull/8563, https://github.com/nginx/kubernetes-ingress/pull/8580, https://github.com/nginx/kubernetes-ingress/pull/8598) Update ghcr.io/nginx/dependencies/nginx-ubi:ubi9 docker digest to aa99558 (main) -- [8589](https://github.com/nginx/kubernetes-ingress/pull/8432, https://github.com/nginx/kubernetes-ingress/pull/8589) Update redhat/ubi9-minimal docker tag to v9.7-1764578379 (main) -- [8572](https://github.com/nginx/kubernetes-ingress/pull/8396, https://github.com/nginx/kubernetes-ingress/pull/8476, https://github.com/nginx/kubernetes-ingress/pull/8572) Update module github.com/gruntwork-io/terratest to v0.54.0 (main) -- 
[8588](https://github.com/nginx/kubernetes-ingress/pull/8431, https://github.com/nginx/kubernetes-ingress/pull/8588) Update redhat/ubi9 docker tag to v9.7-1764578509 (main) -- [8429](https://github.com/nginx/kubernetes-ingress/pull/8429) Update module github.com/cert-manager/cert-manager to v1.19.0 (main) -- [8427](https://github.com/nginx/kubernetes-ingress/pull/8427) Update renovate pr's in github workflow -- [8424](https://github.com/nginx/kubernetes-ingress/pull/8424) Allow renovate to run postupgradetasks -- [8397](https://github.com/nginx/kubernetes-ingress/pull/8397) Correct space in github actions, update renovate syntax -- [8406](https://github.com/nginx/kubernetes-ingress/pull/8406) Update python docker tag to v3.14 (main) -- [8559](https://github.com/nginx/kubernetes-ingress/pull/8405, https://github.com/nginx/kubernetes-ingress/pull/8525, https://github.com/nginx/kubernetes-ingress/pull/8559) Update pre-commit hook asottile/pyupgrade to v3.21.2 (main) -- [8502](https://github.com/nginx/kubernetes-ingress/pull/8389, https://github.com/nginx/kubernetes-ingress/pull/8438, https://github.com/nginx/kubernetes-ingress/pull/8502) Update golang:1.25-alpine docker digest to 182059d (main) -- [8387](https://github.com/nginx/kubernetes-ingress/pull/8387) Update dependency pyyaml to v6.0.3 (main) -- [8388](https://github.com/nginx/kubernetes-ingress/pull/8388) Update dependency wrapt to v1.17.3 (main) -- [8381](https://github.com/nginx/kubernetes-ingress/pull/8381) Update renovate configuration -- [8375](https://github.com/nginx/kubernetes-ingress/pull/8375) Update docker/login-action action to v3.6.0 -- [8466](https://github.com/nginx/kubernetes-ingress/pull/8366, https://github.com/nginx/kubernetes-ingress/pull/8443, https://github.com/nginx/kubernetes-ingress/pull/8466) Update balabit/syslog-ng docker tag to v4.10.2 (main) -- [8362](https://github.com/nginx/kubernetes-ingress/pull/8362) Update examples with keycloak 26.x -- 
[8350](https://github.com/nginx/kubernetes-ingress/pull/8350) Update dependency cffi to v2 -- [8356](https://github.com/nginx/kubernetes-ingress/pull/8356) Update peter-evans/dockerhub-description action to v5 -- [8355](https://github.com/nginx/kubernetes-ingress/pull/8355) Update dependency grpcio to v1.75.1 -- [8349](https://github.com/nginx/kubernetes-ingress/pull/8349) Update k8s.io/utils digest to bc988d5 -- [8337](https://github.com/nginx/kubernetes-ingress/pull/8337) Update module github.com/golang-jwt/jwt/v4 to v5 -- [8343](https://github.com/nginx/kubernetes-ingress/pull/8343) Update actions/cache action to v4.3.0 -- [8344](https://github.com/nginx/kubernetes-ingress/pull/8344) Update dependency certifi to v2025.8.3 -- [8332](https://github.com/nginx/kubernetes-ingress/pull/8332) Update ossf/scorecard-action action to v2.4.3 -- [8333](https://github.com/nginx/kubernetes-ingress/pull/8333) Update dependency pycparser to v2.23 -- [8582](https://github.com/nginx/kubernetes-ingress/pull/8326, https://github.com/nginx/kubernetes-ingress/pull/8564, https://github.com/nginx/kubernetes-ingress/pull/8582) Update module github.com/gkampitakis/go-snaps to v0.5.17 (main) -- [8323](https://github.com/nginx/kubernetes-ingress/pull/8323) Update dependency cryptography to v46.0.2 -- [8309](https://github.com/nginx/kubernetes-ingress/pull/8309) Update aws-sdk-go-v2 monorepo -- [8312](https://github.com/nginx/kubernetes-ingress/pull/8312) Update dependency requests to v2.32.5 -- [8584](https://github.com/nginx/kubernetes-ingress/pull/8307, https://github.com/nginx/kubernetes-ingress/pull/8374, https://github.com/nginx/kubernetes-ingress/pull/8570, https://github.com/nginx/kubernetes-ingress/pull/8584) Update docker/dockerfile docker tag to v1.20 (main) -- [8595](https://github.com/nginx/kubernetes-ingress/pull/8308, https://github.com/nginx/kubernetes-ingress/pull/8459, https://github.com/nginx/kubernetes-ingress/pull/8510, 
https://github.com/nginx/kubernetes-ingress/pull/8565, https://github.com/nginx/kubernetes-ingress/pull/8576, https://github.com/nginx/kubernetes-ingress/pull/8595) Update quay.io/keycloak/keycloak docker tag to v26.4.7 (main) -- [8300](https://github.com/nginx/kubernetes-ingress/pull/8300) Chore(deps): bump the actions group across 1 directory with 5 updates -- [8298](https://github.com/nginx/kubernetes-ingress/pull/8298) Chore: configure renovate -- [8566](https://github.com/nginx/kubernetes-ingress/pull/8286, https://github.com/nginx/kubernetes-ingress/pull/8369, https://github.com/nginx/kubernetes-ingress/pull/8423, https://github.com/nginx/kubernetes-ingress/pull/8539, https://github.com/nginx/kubernetes-ingress/pull/8566) [pre-commit.ci] pre-commit autoupdate -- [8287](https://github.com/nginx/kubernetes-ingress/pull/8287) Chore(deps): bump the python group with 5 updates -- [8275](https://github.com/nginx/kubernetes-ingress/pull/8275) Chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 in the actions group -- [8270](https://github.com/nginx/kubernetes-ingress/pull/8270) Chore(deps): bump the python group with 5 updates -- [8269](https://github.com/nginx/kubernetes-ingress/pull/8269) Chore(deps): bump the actions group with 2 updates -- [8252](https://github.com/nginx/kubernetes-ingress/pull/8252) Bump preflight version to v1.14.1 -- [8254](https://github.com/nginx/kubernetes-ingress/pull/8248, https://github.com/nginx/kubernetes-ingress/pull/8254) Chore(deps): bump python from `d99178e` to `a805109` in /tests -- [8263](https://github.com/nginx/kubernetes-ingress/pull/8249, https://github.com/nginx/kubernetes-ingress/pull/8263) Chore(deps): bump github/codeql-action from 3.30.1 to 3.30.3 in the actions group -- [8243](https://github.com/nginx/kubernetes-ingress/pull/8243) Chore(deps): bump the python group with 2 updates - -### {{% icon download %}} Upgrade -- For NGINX, use the 5.3.0 images from our 
[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=5.3.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). -- For NGINX Plus, use the 5.3.0 images from the F5 Container registry or build your own image using the 5.3.0 source code. -- For Helm, use version 2.4.0 of the chart. - -### {{% icon life-buoy %}} Supported Platforms -We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.27-1.34. - -## 5.3.0 - -08 Dec 2025 - -### {{% icon rocket %}} Features -- [8292](https://github.com/nginx/kubernetes-ingress/pull/8292) Add sslverify for jwksuri -- [8447](https://github.com/nginx/kubernetes-ingress/pull/8447) Add support for ssl ciphers related annotations -- [8340](https://github.com/nginx/kubernetes-ingress/pull/8340) Implement oidc front channel logout nginx directives -- [8495](https://github.com/nginx/kubernetes-ingress/pull/8495) Add oidc timeout customization to configmap -- [8453](https://github.com/nginx/kubernetes-ingress/pull/8453) Support namespaced upstream service reference in virtualserver -- [8508](https://github.com/nginx/kubernetes-ingress/pull/8508) Add rewrite-target annotation -- [8548](https://github.com/nginx/kubernetes-ingress/pull/8548) Add `client-body-buffer-size` directive to ingress annotations & configmap -- [8557](https://github.com/nginx/kubernetes-ingress/pull/8557) Add client-body-buffer-size directive to virtualserver -- [8556](https://github.com/nginx/kubernetes-ingress/pull/8556) Add oidc policy idp tls validation -- [8533](https://github.com/nginx/kubernetes-ingress/pull/8533) Extend cache policy for more 
configurable parameters - -### {{% icon bug %}} Fixes -- [8299](https://github.com/nginx/kubernetes-ingress/pull/8299) Remove type field for objects with schema ref -- [8455](https://github.com/nginx/kubernetes-ingress/pull/8455) Cleanup stale socket files on startup -- [8460](https://github.com/nginx/kubernetes-ingress/pull/8460) Wrap oidc fclo initiated test in a while loop - -### {{% icon arrow-up %}} Dependencies -- [8553](https://github.com/nginx/kubernetes-ingress/pull/8553) Bump Go dependencies -- [8244](https://github.com/nginx/kubernetes-ingress/pull/8244), [8279](https://github.com/nginx/kubernetes-ingress/pull/8279), [8284](https://github.com/nginx/kubernetes-ingress/pull/8284), [8315](https://github.com/nginx/kubernetes-ingress/pull/8315), [8324](https://github.com/nginx/kubernetes-ingress/pull/8324), [8334](https://github.com/nginx/kubernetes-ingress/pull/8334) & [8384](https://github.com/nginx/kubernetes-ingress/pull/8384) Bump Docker dependencies -- [8581](https://github.com/nginx/kubernetes-ingress/pull/8581) Update python:3.14-trixie docker digest to d88b120 (main) -- [8577](https://github.com/nginx/kubernetes-ingress/pull/8577) Update module golang.org/x/tools to v0.39.0 (main) -- [8578](https://github.com/nginx/kubernetes-ingress/pull/8578) Update module mvdan.cc/gofumpt to v0.9.2 (main) -- [8569](https://github.com/nginx/kubernetes-ingress/pull/8569) Update aws-sdk-go-v2 monorepo (main) -- [8560](https://github.com/nginx/kubernetes-ingress/pull/8560) Update pre-commit hook rhysd/actionlint to v1.7.9 (main) -- [8552](https://github.com/nginx/kubernetes-ingress/pull/8552) Update kubernetes packages to v0.34.2 (main) -- [8544](https://github.com/nginx/kubernetes-ingress/pull/8544) Update aws-sdk-go-v2 monorepo (main) -- [8524](https://github.com/nginx/kubernetes-ingress/pull/8524) Update module github.com/aws/aws-sdk-go-v2/config to v1.31.18 (main) -- [8526](https://github.com/nginx/kubernetes-ingress/pull/8526) Update pre-commit hook 
psf/black-pre-commit-mirror to v25.11.0 (main) -- [8511](https://github.com/nginx/kubernetes-ingress/pull/8511) Update docker-registry.nginx.com/nap-dos/app_protect_dos_arb docker tag to v1.2.0 (main) -- [8514](https://github.com/nginx/kubernetes-ingress/pull/8514) Update test containers to v0.2.6 -- [8596](https://github.com/nginx/kubernetes-ingress/pull/8513, https://github.com/nginx/kubernetes-ingress/pull/8596) Update registry.k8s.io/external-dns/external-dns docker tag to v0.20.0 (main) -- [8492](https://github.com/nginx/kubernetes-ingress/pull/8492) Update dependency clusterrole to rbac.authorization.k8s.io/v1 (main) -- [8499](https://github.com/nginx/kubernetes-ingress/pull/8499) Update quay.io/jetstack/cert-manager-webhook docker tag to v1.19.1 (main) -- [8498](https://github.com/nginx/kubernetes-ingress/pull/8498) Update quay.io/jetstack/cert-manager-controller docker tag to v1.19.1 (main) -- [8497](https://github.com/nginx/kubernetes-ingress/pull/8497) Update quay.io/jetstack/cert-manager-cainjector docker tag to v1.19.1 (main) -- [8503](https://github.com/nginx/kubernetes-ingress/pull/8493, https://github.com/nginx/kubernetes-ingress/pull/8503) Update dependency go to v1.25.4 (main) -- [8475](https://github.com/nginx/kubernetes-ingress/pull/8475) Update kindest/node docker tag to v1.34.0 (main) -- [8484](https://github.com/nginx/kubernetes-ingress/pull/8484) Update coredns/coredns docker tag to v1.13.1 (main) -- [8483](https://github.com/nginx/kubernetes-ingress/pull/8483) Update aws-sdk-go-v2 monorepo (main) -- [8486](https://github.com/nginx/kubernetes-ingress/pull/8486) Update renovate to bump minor go versions -- [8465](https://github.com/nginx/kubernetes-ingress/pull/8465) Update module github.com/nginx/nginx-prometheus-exporter to v1.5.1 (main) -- [8551](https://github.com/nginx/kubernetes-ingress/pull/8474, https://github.com/nginx/kubernetes-ingress/pull/8551) Update golangci/golangci-lint docker tag to v2.6.2 (main) -- 
[8464](https://github.com/nginx/kubernetes-ingress/pull/8464) Update aws-sdk-go-v2 monorepo (main) -- [8599](https://github.com/nginx/kubernetes-ingress/pull/8436, https://github.com/nginx/kubernetes-ingress/pull/8490, https://github.com/nginx/kubernetes-ingress/pull/8549, https://github.com/nginx/kubernetes-ingress/pull/8562, https://github.com/nginx/kubernetes-ingress/pull/8579, https://github.com/nginx/kubernetes-ingress/pull/8587, https://github.com/nginx/kubernetes-ingress/pull/8599) Update ghcr.io/nginx/dependencies/nginx-ubi:ubi8 docker digest to fa931e9 (main) -- [8445](https://github.com/nginx/kubernetes-ingress/pull/8445) Use renovate to monitor test data yaml files -- [8543](https://github.com/nginx/kubernetes-ingress/pull/8450, https://github.com/nginx/kubernetes-ingress/pull/8462, https://github.com/nginx/kubernetes-ingress/pull/8482, https://github.com/nginx/kubernetes-ingress/pull/8543) Update python:3.14-bookworm docker digest to 407cd1c (main) -- [8542](https://github.com/nginx/kubernetes-ingress/pull/8448, https://github.com/nginx/kubernetes-ingress/pull/8471, https://github.com/nginx/kubernetes-ingress/pull/8542) Update debian:12-slim docker digest to 936abff (main) -- [8428](https://github.com/nginx/kubernetes-ingress/pull/8428) Update module github.com/cert-manager/cert-manager to v1.19.1 (main) -- [8575](https://github.com/nginx/kubernetes-ingress/pull/8439, https://github.com/nginx/kubernetes-ingress/pull/8451, https://github.com/nginx/kubernetes-ingress/pull/8558, https://github.com/nginx/kubernetes-ingress/pull/8575) Update redhat/ubi8 docker digest to a444712 (main) -- [8440](https://github.com/nginx/kubernetes-ingress/pull/8440) Update aws-sdk-go-v2 monorepo (main) -- [8401](https://github.com/nginx/kubernetes-ingress/pull/8401) Upgrade github.com/nginx/nginx-plus-go-client/v3 to v3.0.1 -- [8598](https://github.com/nginx/kubernetes-ingress/pull/8437, https://github.com/nginx/kubernetes-ingress/pull/8449, 
https://github.com/nginx/kubernetes-ingress/pull/8461, https://github.com/nginx/kubernetes-ingress/pull/8491, https://github.com/nginx/kubernetes-ingress/pull/8501, https://github.com/nginx/kubernetes-ingress/pull/8550, https://github.com/nginx/kubernetes-ingress/pull/8563, https://github.com/nginx/kubernetes-ingress/pull/8580, https://github.com/nginx/kubernetes-ingress/pull/8598) Update ghcr.io/nginx/dependencies/nginx-ubi:ubi9 docker digest to aa99558 (main) -- [8589](https://github.com/nginx/kubernetes-ingress/pull/8432, https://github.com/nginx/kubernetes-ingress/pull/8589) Update redhat/ubi9-minimal docker tag to v9.7-1764578379 (main) -- [8572](https://github.com/nginx/kubernetes-ingress/pull/8396, https://github.com/nginx/kubernetes-ingress/pull/8476, https://github.com/nginx/kubernetes-ingress/pull/8572) Update module github.com/gruntwork-io/terratest to v0.54.0 (main) -- [8588](https://github.com/nginx/kubernetes-ingress/pull/8431, https://github.com/nginx/kubernetes-ingress/pull/8588) Update redhat/ubi9 docker tag to v9.7-1764578509 (main) -- [8429](https://github.com/nginx/kubernetes-ingress/pull/8429) Update module github.com/cert-manager/cert-manager to v1.19.0 (main) -- [8427](https://github.com/nginx/kubernetes-ingress/pull/8427) Update renovate pr's in github workflow -- [8424](https://github.com/nginx/kubernetes-ingress/pull/8424) Allow renovate to run postupgradetasks -- [8397](https://github.com/nginx/kubernetes-ingress/pull/8397) Correct space in github actions, update renovate syntax -- [8406](https://github.com/nginx/kubernetes-ingress/pull/8406) Update python docker tag to v3.14 (main) -- [8559](https://github.com/nginx/kubernetes-ingress/pull/8405, https://github.com/nginx/kubernetes-ingress/pull/8525, https://github.com/nginx/kubernetes-ingress/pull/8559) Update pre-commit hook asottile/pyupgrade to v3.21.2 (main) -- [8502](https://github.com/nginx/kubernetes-ingress/pull/8389, https://github.com/nginx/kubernetes-ingress/pull/8438, 
https://github.com/nginx/kubernetes-ingress/pull/8502) Update golang:1.25-alpine docker digest to 182059d (main) -- [8387](https://github.com/nginx/kubernetes-ingress/pull/8387) Update dependency pyyaml to v6.0.3 (main) -- [8388](https://github.com/nginx/kubernetes-ingress/pull/8388) Update dependency wrapt to v1.17.3 (main) -- [8381](https://github.com/nginx/kubernetes-ingress/pull/8381) Update renovate configuration -- [8375](https://github.com/nginx/kubernetes-ingress/pull/8375) Update docker/login-action action to v3.6.0 -- [8466](https://github.com/nginx/kubernetes-ingress/pull/8366, https://github.com/nginx/kubernetes-ingress/pull/8443, https://github.com/nginx/kubernetes-ingress/pull/8466) Update balabit/syslog-ng docker tag to v4.10.2 (main) -- [8362](https://github.com/nginx/kubernetes-ingress/pull/8362) Update examples with keycloak 26.x -- [8350](https://github.com/nginx/kubernetes-ingress/pull/8350) Update dependency cffi to v2 -- [8356](https://github.com/nginx/kubernetes-ingress/pull/8356) Update peter-evans/dockerhub-description action to v5 -- [8355](https://github.com/nginx/kubernetes-ingress/pull/8355) Update dependency grpcio to v1.75.1 -- [8349](https://github.com/nginx/kubernetes-ingress/pull/8349) Update k8s.io/utils digest to bc988d5 -- [8337](https://github.com/nginx/kubernetes-ingress/pull/8337) Update module github.com/golang-jwt/jwt/v4 to v5 -- [8343](https://github.com/nginx/kubernetes-ingress/pull/8343) Update actions/cache action to v4.3.0 -- [8344](https://github.com/nginx/kubernetes-ingress/pull/8344) Update dependency certifi to v2025.8.3 -- [8332](https://github.com/nginx/kubernetes-ingress/pull/8332) Update ossf/scorecard-action action to v2.4.3 -- [8333](https://github.com/nginx/kubernetes-ingress/pull/8333) Update dependency pycparser to v2.23 -- [8582](https://github.com/nginx/kubernetes-ingress/pull/8326, https://github.com/nginx/kubernetes-ingress/pull/8564, https://github.com/nginx/kubernetes-ingress/pull/8582) Update module 
github.com/gkampitakis/go-snaps to v0.5.17 (main) -- [8323](https://github.com/nginx/kubernetes-ingress/pull/8323) Update dependency cryptography to v46.0.2 -- [8309](https://github.com/nginx/kubernetes-ingress/pull/8309) Update aws-sdk-go-v2 monorepo -- [8312](https://github.com/nginx/kubernetes-ingress/pull/8312) Update dependency requests to v2.32.5 -- [8584](https://github.com/nginx/kubernetes-ingress/pull/8307, https://github.com/nginx/kubernetes-ingress/pull/8374, https://github.com/nginx/kubernetes-ingress/pull/8570, https://github.com/nginx/kubernetes-ingress/pull/8584) Update docker/dockerfile docker tag to v1.20 (main) -- [8595](https://github.com/nginx/kubernetes-ingress/pull/8308, https://github.com/nginx/kubernetes-ingress/pull/8459, https://github.com/nginx/kubernetes-ingress/pull/8510, https://github.com/nginx/kubernetes-ingress/pull/8565, https://github.com/nginx/kubernetes-ingress/pull/8576, https://github.com/nginx/kubernetes-ingress/pull/8595) Update quay.io/keycloak/keycloak docker tag to v26.4.7 (main) -- [8300](https://github.com/nginx/kubernetes-ingress/pull/8300) Chore(deps): bump the actions group across 1 directory with 5 updates -- [8298](https://github.com/nginx/kubernetes-ingress/pull/8298) Chore: configure renovate -- [8566](https://github.com/nginx/kubernetes-ingress/pull/8286, https://github.com/nginx/kubernetes-ingress/pull/8369, https://github.com/nginx/kubernetes-ingress/pull/8423, https://github.com/nginx/kubernetes-ingress/pull/8539, https://github.com/nginx/kubernetes-ingress/pull/8566) [pre-commit.ci] pre-commit autoupdate -- [8287](https://github.com/nginx/kubernetes-ingress/pull/8287) Chore(deps): bump the python group with 5 updates -- [8275](https://github.com/nginx/kubernetes-ingress/pull/8275) Chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 in the actions group -- [8270](https://github.com/nginx/kubernetes-ingress/pull/8270) Chore(deps): bump the python group with 5 updates -- 
[8269](https://github.com/nginx/kubernetes-ingress/pull/8269) Chore(deps): bump the actions group with 2 updates -- [8252](https://github.com/nginx/kubernetes-ingress/pull/8252) Bump preflight version to v1.14.1 -- [8254](https://github.com/nginx/kubernetes-ingress/pull/8248, https://github.com/nginx/kubernetes-ingress/pull/8254) Chore(deps): bump python from `d99178e` to `a805109` in /tests -- [8263](https://github.com/nginx/kubernetes-ingress/pull/8249, https://github.com/nginx/kubernetes-ingress/pull/8263) Chore(deps): bump github/codeql-action from 3.30.1 to 3.30.3 in the actions group -- [8243](https://github.com/nginx/kubernetes-ingress/pull/8243) Chore(deps): bump the python group with 2 updates - -### {{% icon download %}} Upgrade -- For NGINX, use the 5.3.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=5.3.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). -- For NGINX Plus, use the 5.3.0 images from the F5 Container registry or build your own image using the 5.3.0 source code. -- For Helm, use version 2.4.0 of the chart. - -### {{% icon life-buoy %}} Supported Platforms -We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.27-1.34. - ## 5.3.0 08 Dec 2025 
@@ -354,8 +47,7 @@ We will provide technical support for NGINX Ingress Controller on any Kubernetes ### {{% icon arrow-up %}} Dependencies - [8553](https://github.com/nginx/kubernetes-ingress/pull/8553) Bump Go dependencies -- [8244](https://github.com/nginx/kubernetes-ingress/pull/8244), [8279](https://github.com/nginx/kubernetes-ingress/pull/8279), [8284](https://github.com/nginx/kubernetes-ingress/pull/8284), [8315](https://github.com/nginx/kubernetes-ingress/pull/8315), [8324](https://github.com/nginx/kubernetes-ingress/pull/8324), [8334](https://github.com/nginx/kubernetes-ingress/pull/8334) & [8384](https://github.com/nginx/kubernetes-ingress/pull/8384) Bump Docker dependencies -- [8581](https://github.com/nginx/kubernetes-ingress/pull/8581) Update python:3.14-trixie docker digest to d88b120 (main) +- [8244](https://github.com/nginx/kubernetes-ingress/pull/8244), [8279](https://github.com/nginx/kubernetes-ingress/pull/8279), [8284](https://github.com/nginx/kubernetes-ingress/pull/8284), [8595](https://github.com/nginx/kubernetes-ingress/pull/8595), [8584](https://github.com/nginx/kubernetes-ingress/pull/8584), [8315](https://github.com/nginx/kubernetes-ingress/pull/8315), [8324](https://github.com/nginx/kubernetes-ingress/pull/8324), [8334](https://github.com/nginx/kubernetes-ingress/pull/8334), [8466](https://github.com/nginx/kubernetes-ingress/pull/8466), [8384](https://github.com/nginx/kubernetes-ingress/pull/8384), [8502](https://github.com/nginx/kubernetes-ingress/pull/8502), [8406](https://github.com/nginx/kubernetes-ingress/pull/8406), [8588](https://github.com/nginx/kubernetes-ingress/pull/8588), [8589](https://github.com/nginx/kubernetes-ingress/pull/8589), [8598](https://github.com/nginx/kubernetes-ingress/pull/8598), [8575](https://github.com/nginx/kubernetes-ingress/pull/8575), [8542](https://github.com/nginx/kubernetes-ingress/pull/8542), [8543](https://github.com/nginx/kubernetes-ingress/pull/8543), 
[8599](https://github.com/nginx/kubernetes-ingress/pull/8599), [8551](https://github.com/nginx/kubernetes-ingress/pull/8551), [8484](https://github.com/nginx/kubernetes-ingress/pull/8484), [8475](https://github.com/nginx/kubernetes-ingress/pull/8475), [8497](https://github.com/nginx/kubernetes-ingress/pull/8497), [8498](https://github.com/nginx/kubernetes-ingress/pull/8498), [8499](https://github.com/nginx/kubernetes-ingress/pull/8499), [8596](https://github.com/nginx/kubernetes-ingress/pull/8596), [8511](https://github.com/nginx/kubernetes-ingress/pull/8511) & [8581](https://github.com/nginx/kubernetes-ingress/pull/8581) Bump Docker dependencies - [8577](https://github.com/nginx/kubernetes-ingress/pull/8577) Update module golang.org/x/tools to v0.39.0 (main) - [8578](https://github.com/nginx/kubernetes-ingress/pull/8578) Update module mvdan.cc/gofumpt to v0.9.2 (main) - [8569](https://github.com/nginx/kubernetes-ingress/pull/8569) Update aws-sdk-go-v2 monorepo (main) 
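Review bot: The consolidated "Bump Docker dependencies" entry added in this hunk lists its PR links in no discernible order (8284 is followed by 8595, 8584, then 8315) and no longer says which image each PR touched. The per-image line it absorbs here recorded a digest (python:3.14-trixie to d88b120, from 8581), so consider sorting the links numerically and keeping separate lines for base-image tag and digest bumps. That way a reader checking which base images went into 5.3.0 can still trace them from the changelog instead of opening each PR.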
@@ -364,45 +56,27 @@ We will provide technical support for NGINX Ingress Controller on any Kubernetes - [8544](https://github.com/nginx/kubernetes-ingress/pull/8544) Update aws-sdk-go-v2 monorepo (main) - [8524](https://github.com/nginx/kubernetes-ingress/pull/8524) Update module github.com/aws/aws-sdk-go-v2/config to v1.31.18 (main) - [8526](https://github.com/nginx/kubernetes-ingress/pull/8526) Update pre-commit hook psf/black-pre-commit-mirror to v25.11.0 (main) -- [8511](https://github.com/nginx/kubernetes-ingress/pull/8511) Update docker-registry.nginx.com/nap-dos/app_protect_dos_arb docker tag to v1.2.0 (main) - [8514](https://github.com/nginx/kubernetes-ingress/pull/8514) Update test containers to v0.2.6 -- [8596](https://github.com/nginx/kubernetes-ingress/pull/8513, https://github.com/nginx/kubernetes-ingress/pull/8596) Update registry.k8s.io/external-dns/external-dns docker tag to v0.20.0 (main) - [8492](https://github.com/nginx/kubernetes-ingress/pull/8492) Update dependency clusterrole to rbac.authorization.k8s.io/v1 (main) -- [8499](https://github.com/nginx/kubernetes-ingress/pull/8499) Update quay.io/jetstack/cert-manager-webhook docker tag to v1.19.1 (main) -- [8498](https://github.com/nginx/kubernetes-ingress/pull/8498) Update quay.io/jetstack/cert-manager-controller docker tag to v1.19.1 (main) -- [8497](https://github.com/nginx/kubernetes-ingress/pull/8497) Update quay.io/jetstack/cert-manager-cainjector docker tag to v1.19.1 (main) -- [8503](https://github.com/nginx/kubernetes-ingress/pull/8493, https://github.com/nginx/kubernetes-ingress/pull/8503) Update dependency go to v1.25.4 (main) -- [8475](https://github.com/nginx/kubernetes-ingress/pull/8475) Update kindest/node docker tag to v1.34.0 (main) -- [8484](https://github.com/nginx/kubernetes-ingress/pull/8484) Update coredns/coredns docker tag to v1.13.1 (main) +- [8503](https://github.com/nginx/kubernetes-ingress/pull/8503) Update dependency go to v1.25.4 (main) - 
[8483](https://github.com/nginx/kubernetes-ingress/pull/8483) Update aws-sdk-go-v2 monorepo (main) - [8486](https://github.com/nginx/kubernetes-ingress/pull/8486) Update renovate to bump minor go versions - [8465](https://github.com/nginx/kubernetes-ingress/pull/8465) Update module github.com/nginx/nginx-prometheus-exporter to v1.5.1 (main) -- [8551](https://github.com/nginx/kubernetes-ingress/pull/8474, https://github.com/nginx/kubernetes-ingress/pull/8551) Update golangci/golangci-lint docker tag to v2.6.2 (main) - [8464](https://github.com/nginx/kubernetes-ingress/pull/8464) Update aws-sdk-go-v2 monorepo (main) -- [8599](https://github.com/nginx/kubernetes-ingress/pull/8436, https://github.com/nginx/kubernetes-ingress/pull/8490, https://github.com/nginx/kubernetes-ingress/pull/8549, https://github.com/nginx/kubernetes-ingress/pull/8562, https://github.com/nginx/kubernetes-ingress/pull/8579, https://github.com/nginx/kubernetes-ingress/pull/8587, https://github.com/nginx/kubernetes-ingress/pull/8599) Update ghcr.io/nginx/dependencies/nginx-ubi:ubi8 docker digest to fa931e9 (main) - [8445](https://github.com/nginx/kubernetes-ingress/pull/8445) Use renovate to monitor test data yaml files -- [8543](https://github.com/nginx/kubernetes-ingress/pull/8450, https://github.com/nginx/kubernetes-ingress/pull/8462, https://github.com/nginx/kubernetes-ingress/pull/8482, https://github.com/nginx/kubernetes-ingress/pull/8543) Update python:3.14-bookworm docker digest to 407cd1c (main) -- [8542](https://github.com/nginx/kubernetes-ingress/pull/8448, https://github.com/nginx/kubernetes-ingress/pull/8471, https://github.com/nginx/kubernetes-ingress/pull/8542) Update debian:12-slim docker digest to 936abff (main) - [8428](https://github.com/nginx/kubernetes-ingress/pull/8428) Update module github.com/cert-manager/cert-manager to v1.19.1 (main) -- [8575](https://github.com/nginx/kubernetes-ingress/pull/8439, https://github.com/nginx/kubernetes-ingress/pull/8451, 
https://github.com/nginx/kubernetes-ingress/pull/8558, https://github.com/nginx/kubernetes-ingress/pull/8575) Update redhat/ubi8 docker digest to a444712 (main) - [8440](https://github.com/nginx/kubernetes-ingress/pull/8440) Update aws-sdk-go-v2 monorepo (main) - [8401](https://github.com/nginx/kubernetes-ingress/pull/8401) Upgrade github.com/nginx/nginx-plus-go-client/v3 to v3.0.1 -- [8598](https://github.com/nginx/kubernetes-ingress/pull/8437, https://github.com/nginx/kubernetes-ingress/pull/8449, https://github.com/nginx/kubernetes-ingress/pull/8461, https://github.com/nginx/kubernetes-ingress/pull/8491, https://github.com/nginx/kubernetes-ingress/pull/8501, https://github.com/nginx/kubernetes-ingress/pull/8550, https://github.com/nginx/kubernetes-ingress/pull/8563, https://github.com/nginx/kubernetes-ingress/pull/8580, https://github.com/nginx/kubernetes-ingress/pull/8598) Update ghcr.io/nginx/dependencies/nginx-ubi:ubi9 docker digest to aa99558 (main) -- [8589](https://github.com/nginx/kubernetes-ingress/pull/8432, https://github.com/nginx/kubernetes-ingress/pull/8589) Update redhat/ubi9-minimal docker tag to v9.7-1764578379 (main) -- [8572](https://github.com/nginx/kubernetes-ingress/pull/8396, https://github.com/nginx/kubernetes-ingress/pull/8476, https://github.com/nginx/kubernetes-ingress/pull/8572) Update module github.com/gruntwork-io/terratest to v0.54.0 (main) -- [8588](https://github.com/nginx/kubernetes-ingress/pull/8431, https://github.com/nginx/kubernetes-ingress/pull/8588) Update redhat/ubi9 docker tag to v9.7-1764578509 (main) +- [8572](https://github.com/nginx/kubernetes-ingress/pull/8572) Update module github.com/gruntwork-io/terratest to v0.54.0 (main) - [8429](https://github.com/nginx/kubernetes-ingress/pull/8429) Update module github.com/cert-manager/cert-manager to v1.19.0 (main) - [8427](https://github.com/nginx/kubernetes-ingress/pull/8427) Update renovate pr's in github workflow - 
[8424](https://github.com/nginx/kubernetes-ingress/pull/8424) Allow renovate to run postupgradetasks - [8397](https://github.com/nginx/kubernetes-ingress/pull/8397) Correct space in github actions, update renovate syntax -- [8406](https://github.com/nginx/kubernetes-ingress/pull/8406) Update python docker tag to v3.14 (main) -- [8559](https://github.com/nginx/kubernetes-ingress/pull/8405, https://github.com/nginx/kubernetes-ingress/pull/8525, https://github.com/nginx/kubernetes-ingress/pull/8559) Update pre-commit hook asottile/pyupgrade to v3.21.2 (main) -- [8502](https://github.com/nginx/kubernetes-ingress/pull/8389, https://github.com/nginx/kubernetes-ingress/pull/8438, https://github.com/nginx/kubernetes-ingress/pull/8502) Update golang:1.25-alpine docker digest to 182059d (main) +- [8559](https://github.com/nginx/kubernetes-ingress/pull/8559) Update pre-commit hook asottile/pyupgrade to v3.21.2 (main) - [8387](https://github.com/nginx/kubernetes-ingress/pull/8387) Update dependency pyyaml to v6.0.3 (main) - [8388](https://github.com/nginx/kubernetes-ingress/pull/8388) Update dependency wrapt to v1.17.3 (main) - [8381](https://github.com/nginx/kubernetes-ingress/pull/8381) Update renovate configuration - [8375](https://github.com/nginx/kubernetes-ingress/pull/8375) Update docker/login-action action to v3.6.0 -- [8466](https://github.com/nginx/kubernetes-ingress/pull/8366, https://github.com/nginx/kubernetes-ingress/pull/8443, https://github.com/nginx/kubernetes-ingress/pull/8466) Update balabit/syslog-ng docker tag to v4.10.2 (main) - [8362](https://github.com/nginx/kubernetes-ingress/pull/8362) Update examples with keycloak 26.x - [8350](https://github.com/nginx/kubernetes-ingress/pull/8350) Update dependency cffi to v2 - [8356](https://github.com/nginx/kubernetes-ingress/pull/8356) Update peter-evans/dockerhub-description action to v5 
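Review bot: This hunk still leaves three identical "Update aws-sdk-go-v2 monorepo (main)" entries (8483, 8464, 8440, with 8544 as leading context), while the Docker tag and digest bumps removed here were folded into a single entry. For consistency, consider merging the repeated aws-sdk-go-v2 lines the same way and dropping the Renovate "(main)" branch suffix, which carries no information for changelog readers. The single-URL targets on the rewritten 8503, 8572 and 8559 lines are a good fix: the earlier comma-separated targets such as (…/pull/8493, …/pull/8503) are not valid Markdown link destinations.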
@@ -413,22 +87,20 @@ We will provide technical support for NGINX Ingress Controller on any Kubernetes - [8344](https://github.com/nginx/kubernetes-ingress/pull/8344) Update dependency certifi to v2025.8.3 - [8332](https://github.com/nginx/kubernetes-ingress/pull/8332) Update ossf/scorecard-action action to v2.4.3 - [8333](https://github.com/nginx/kubernetes-ingress/pull/8333) Update dependency pycparser to v2.23 -- [8582](https://github.com/nginx/kubernetes-ingress/pull/8326, https://github.com/nginx/kubernetes-ingress/pull/8564, https://github.com/nginx/kubernetes-ingress/pull/8582) Update module github.com/gkampitakis/go-snaps to v0.5.17 (main) +- [8582](https://github.com/nginx/kubernetes-ingress/pull/8582) Update module github.com/gkampitakis/go-snaps to v0.5.17 (main) - [8323](https://github.com/nginx/kubernetes-ingress/pull/8323) Update dependency cryptography to v46.0.2 - [8309](https://github.com/nginx/kubernetes-ingress/pull/8309) Update aws-sdk-go-v2 monorepo - [8312](https://github.com/nginx/kubernetes-ingress/pull/8312) Update dependency requests to v2.32.5 -- [8584](https://github.com/nginx/kubernetes-ingress/pull/8307, https://github.com/nginx/kubernetes-ingress/pull/8374, https://github.com/nginx/kubernetes-ingress/pull/8570, https://github.com/nginx/kubernetes-ingress/pull/8584) Update docker/dockerfile docker tag to v1.20 (main) -- [8595](https://github.com/nginx/kubernetes-ingress/pull/8308, https://github.com/nginx/kubernetes-ingress/pull/8459, https://github.com/nginx/kubernetes-ingress/pull/8510, https://github.com/nginx/kubernetes-ingress/pull/8565, https://github.com/nginx/kubernetes-ingress/pull/8576, https://github.com/nginx/kubernetes-ingress/pull/8595) Update quay.io/keycloak/keycloak docker tag to v26.4.7 (main) - [8300](https://github.com/nginx/kubernetes-ingress/pull/8300) Chore(deps): bump the actions group across 1 directory with 5 updates - [8298](https://github.com/nginx/kubernetes-ingress/pull/8298) Chore: configure renovate -- 
[8566](https://github.com/nginx/kubernetes-ingress/pull/8286, https://github.com/nginx/kubernetes-ingress/pull/8369, https://github.com/nginx/kubernetes-ingress/pull/8423, https://github.com/nginx/kubernetes-ingress/pull/8539, https://github.com/nginx/kubernetes-ingress/pull/8566) [pre-commit.ci] pre-commit autoupdate +- [8566](https://github.com/nginx/kubernetes-ingress/pull/8566) [pre-commit.ci] pre-commit autoupdate - [8287](https://github.com/nginx/kubernetes-ingress/pull/8287) Chore(deps): bump the python group with 5 updates - [8275](https://github.com/nginx/kubernetes-ingress/pull/8275) Chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 in the actions group - [8270](https://github.com/nginx/kubernetes-ingress/pull/8270) Chore(deps): bump the python group with 5 updates - [8269](https://github.com/nginx/kubernetes-ingress/pull/8269) Chore(deps): bump the actions group with 2 updates - [8252](https://github.com/nginx/kubernetes-ingress/pull/8252) Bump preflight version to v1.14.1 -- [8254](https://github.com/nginx/kubernetes-ingress/pull/8248, https://github.com/nginx/kubernetes-ingress/pull/8254) Chore(deps): bump python from `d99178e` to `a805109` in /tests -- [8263](https://github.com/nginx/kubernetes-ingress/pull/8249, https://github.com/nginx/kubernetes-ingress/pull/8263) Chore(deps): bump github/codeql-action from 3.30.1 to 3.30.3 in the actions group +- [8254](https://github.com/nginx/kubernetes-ingress/pull/8254) Chore(deps): bump python from `d99178e` to `a805109` in /tests +- [8263](https://github.com/nginx/kubernetes-ingress/pull/8263) Chore(deps): bump github/codeql-action from 3.30.1 to 3.30.3 in the actions group - [8243](https://github.com/nginx/kubernetes-ingress/pull/8243) Chore(deps): bump the python group with 2 updates ### {{% icon download %}} Upgrade diff --git a/content/nic/technical-specifications.md b/content/nic/technical-specifications.md index cf2890a04..7b4d6d8c9 100644 --- a/content/nic/technical-specifications.md 
+++ b/content/nic/technical-specifications.md @@ -27,21 +27,17 @@ We provide the following Docker images, which include NGINX or NGINX Plus bundle ### Images with NGINX -{{< call-out "important" >}} -From release `v5.1.0` onwards, NGINX Ingress Controller will no longer provide binaries for the `armv7`, `s390x` & `ppc64le` architectures. -{{< /call-out >}} +_All images include NGINX 1.29.3._ -_All images include NGINX 1.29.1._ - -|
Name
|
Base image
| DockerHub image | Architectures | -| ---| --- | --- | --- | -|Alpine-based image | ``nginx:1.29.1-alpine``,
based on on ``alpine:3.22`` | ``nginx/nginx-ingress:{{< nic-version >}}-alpine`` | arm64
amd64 | -|Debian-based image | ``nginx:1.29.1``,
based on on ``debian:12-slim`` | ``nginx/nginx-ingress:{{< nic-version >}}`` | arm64
amd64 | -|Ubi-based image | ``redhat/ubi9-minimal`` | ``nginx/nginx-ingress:{{< nic-version >}}-ubi`` | arm64
amd64 | +|
Name
|
Base image
| DockerHub image | Architectures | +|-------------------------------------|---------------------------------------------------------|----------------------------------------------------|----------------| +| Alpine-based image | ``nginx:1.29.3-alpine``,
based on on ``alpine:3.22`` | ``nginx/nginx-ingress:{{< nic-version >}}-alpine`` | arm64
amd64 | +| Debian-based image | ``nginx:1.29.3``,
based on on ``debian:13-slim`` | ``nginx/nginx-ingress:{{< nic-version >}}`` | arm64
amd64 | +| Ubi-based image | ``redhat/ubi9-minimal`` | ``nginx/nginx-ingress:{{< nic-version >}}-ubi`` | arm64
amd64 | ### Images with NGINX Plus -NGINX Plus images include NGINX Plus R35. +NGINX Plus images include NGINX Plus R36. #### F5 Container registry @@ -49,22 +45,22 @@ NGINX Plus images are available through the F5 Container registry `private-regis {{< table >}} -| Name | Base image |
Additional modules
| F5 Container Registry Image | Architectures | -| ---| ---| --- | --- | --- | -|Alpine-based image | ``alpine:3.22`` | NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-alpine` | arm64
amd64 | -|Alpine-based image with FIPS inside | ``alpine:3.22`` | NJS (NGINX JavaScript)
OpenTelemetry
FIPS module and OpenSSL configuration | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | arm64
amd64 | -|Alpine-based image with F5 WAF for NGINX & FIPS inside | ``alpine:3.19`` | F5 WAF for NGINX
NJS (NGINX JavaScript)
OpenTelemetry
FIPS module and OpenSSL configuration | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | amd64 | -|Alpine-based image with F5 WAF for NGINX v5 & FIPS inside | ``alpine:3.19`` | F5 WAF for NGINX v5
NJS (NGINX JavaScript)
OpenTelemetry
FIPS module and OpenSSL configuration | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | amd64 | -|Debian-based image | ``debian:12-slim`` | NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}` | arm64
amd64 | -|Debian-based image with F5 WAF for NGINX | ``debian:12-slim`` | F5 WAF for NGINX
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}` | amd64 | -|Debian-based image with F5 WAF for NGINX v5 | ``debian:12-slim`` | F5 WAF for NGINX v5
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}` | amd64 | -|Debian-based image with F5 DoS for NGINX | ``debian:12-slim`` | F5 DoS for NGINX
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-dos/nginx-plus-ingress:{{< nic-version >}}` | amd64 | -|Debian-based image with F5 WAF for NGINX and DoS | ``debian:12-slim`` | F5 WAF for NGINX and DoS
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-dos/nginx-plus-ingress:{{< nic-version >}}` | amd64 | -|Ubi-based image | ``redhat/ubi9-minimal`` | NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-ubi` | arm64
amd64 | -|Ubi-based image with F5 WAF for NGINX | ``redhat/ubi9`` | F5 WAF for NGINX
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | -|Ubi-based image with F5 WAF for NGINX v5 | ``redhat/ubi9`` | F5 WAF for NGINX v5
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | -|Ubi-based image with F5 DoS for NGINX | ``redhat/ubi8`` | F5 DoS for NGINX
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-dos/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | -|Ubi-based image with F5 WAF for NGINX and DoS | ``redhat/ubi8`` | F5 WAF for NGINX and DoS
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-dos/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | +| Name | Base image |
Additional modules
| F5 Container Registry Image | Architectures | +|-----------------------------------------------------------|-------------------------|---------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------|----------------| +| Alpine-based image | ``alpine:3.22`` | NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-alpine` | arm64
amd64 | +| Alpine-based image with FIPS inside | ``alpine:3.22`` | NJS (NGINX JavaScript)
OpenTelemetry
FIPS module and OpenSSL configuration | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | arm64
amd64 | +| Alpine-based image with F5 WAF for NGINX & FIPS inside | ``alpine:3.22`` | F5 WAF for NGINX
NJS (NGINX JavaScript)
OpenTelemetry
FIPS module and OpenSSL configuration | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | amd64 | +| Alpine-based image with F5 WAF for NGINX v5 & FIPS inside | ``alpine:3.22`` | F5 WAF for NGINX v5
NJS (NGINX JavaScript)
OpenTelemetry
FIPS module and OpenSSL configuration | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | amd64 | +| Debian-based image | ``debian:12-slim`` | NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}` | arm64
amd64 | +| Debian-based image with F5 WAF for NGINX | ``debian:12-slim`` | F5 WAF for NGINX
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}` | amd64 | +| Debian-based image with F5 WAF for NGINX v5 | ``debian:12-slim`` | F5 WAF for NGINX v5
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}` | amd64 | +| Debian-based image with F5 DoS for NGINX | ``debian:12-slim`` | F5 DoS for NGINX
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-dos/nginx-plus-ingress:{{< nic-version >}}` | amd64 | +| Debian-based image with F5 WAF for NGINX and DoS | ``debian:12-slim`` | F5 WAF for NGINX and DoS
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-dos/nginx-plus-ingress:{{< nic-version >}}` | amd64 | +| Ubi-based image | ``redhat/ubi9-minimal`` | NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-ubi` | arm64
amd64 | +| Ubi-based image with F5 WAF for NGINX | ``redhat/ubi9`` | F5 WAF for NGINX
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | +| Ubi-based image with F5 WAF for NGINX v5 | ``redhat/ubi9`` | F5 WAF for NGINX v5
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | +| Ubi-based image with F5 DoS for NGINX | ``redhat/ubi8`` | F5 DoS for NGINX
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-dos/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | +| Ubi-based image with F5 WAF for NGINX and DoS | ``redhat/ubi8`` | F5 WAF for NGINX and DoS
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-dos/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | {{< /table >}} From 6ad0aebfc0e728f3db561bf5982729b08f51e9da Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 5 Dec 2025 12:32:55 +0000 Subject: [PATCH 18/23] Undo table formatting --- .../nic/compatibility-tables/nic-k8s.md | 24 +++++------ .../nic/compatibility-tables/nic-nap.md | 16 +++---- content/nic/technical-specifications.md | 42 +++++++++---------- 3 files changed, 41 insertions(+), 41 deletions(-) diff --git a/content/includes/nic/compatibility-tables/nic-k8s.md b/content/includes/nic/compatibility-tables/nic-k8s.md index 25f28c0f4..414a52ffd 100644 --- a/content/includes/nic/compatibility-tables/nic-k8s.md +++ b/content/includes/nic/compatibility-tables/nic-k8s.md 
@@ -8,17 +8,17 @@ NGINX Ingress Controller supports the following versions of [NGINX Plus]({{< ref {{< table >}} -| NIC version | Kubernetes versions tested | NIC Helm Chart version | NIC Operator version | NGINX / NGINX Plus version | End of Technical Support | -|---------------------|----------------------------|--------------------------|------------------------------|----------------------------|--------------------------| -| {{< nic-version >}} | 1.27 - 1.34 | {{< nic-helm-version >}} | {{< nic-operator-version >}} | 1.29.3 / R36 | - | -| 5.2.1 | 1.27 - 1.34 | 2.3.1 | 3.3.1 | 1.29.1 / R35 | Oct 10, 2027 | -| 5.1.1 | 1.25 - 1.33 | 2.2.2 | 3.2.3 | 1.29.1 / R35 | Aug 15, 2027 | -| 5.0.0 | 1.25 - 1.32 | 2.1.0 | 3.1.0 | 1.27.4 / R34 | Apr 16, 2027 | -| 4.0.1 | 1.25 - 1.32 | 2.0.1 | 3.0.1 | 1.27.4 / R33 P2 | Feb 7, 2027 | -| 3.7.2 | 1.25 - 1.31 | 1.4.2 | 2.4.2 | 1.27.2 / R32 P1 | Nov 25, 2026 | -| 3.6.2 | 1.25 - 1.31 | 1.3.2 | 2.3.2 | 1.27.1 / R32 P1 | Aug 19, 2026 | -| 3.5.2 | 1.23 - 1.30 | 1.2.2 | 2.2.2 | 1.27.0 / R32 | May 31, 2026 | -| 3.4.3 | 1.23 - 1.29 | 1.1.3 | 2.1.2 | 1.25.4 / R31 P1 | Feb 19, 2026 | -| 3.3.2 | 1.22 - 1.28 | 1.0.2 | 2.0.2 | 1.25.3 / R30 | Nov 1, 2025 | +| NIC version | Kubernetes versions tested | NIC Helm Chart version | NIC Operator version | NGINX / NGINX Plus version | End of Technical Support | +| --- | --- | --- | --- | --- | --- | +| {{< nic-version >}} | 1.27 - 1.34 | {{< nic-helm-version >}} | {{< nic-operator-version >}} | 1.29.3 / R36 | - | +| 5.2.1 | 1.27 - 1.34 | 2.3.1 | 3.3.1 | 1.29.1 / R35 | Oct 10, 2027 | +| 5.1.1 | 1.25 - 1.33 | 2.2.2 | 3.2.3 | 1.29.1 / R35 | Aug 15, 2027 | +| 5.0.0 | 1.25 - 1.32 | 2.1.0 | 3.1.0 | 1.27.4 / R34 | Apr 16, 2027 | +| 4.0.1 | 1.25 - 1.32 | 2.0.1 | 3.0.1 | 1.27.4 / R33 P2 | Feb 7, 2027 | +| 3.7.2 | 1.25 - 1.31 | 1.4.2 | 2.4.2 | 1.27.2 / R32 P1 | Nov 25, 2026 | +| 3.6.2 | 1.25 - 1.31 | 1.3.2 | 2.3.2 | 1.27.1 / R32 P1 | Aug 19, 2026 | +| 3.5.2 | 1.23 - 1.30 | 1.2.2 | 2.2.2 | 1.27.0 / R32 | May 31, 
2026 | +| 3.4.3 | 1.23 - 1.29 | 1.1.3 | 2.1.2 | 1.25.4 / R31 P1 | Feb 19, 2026 | +| 3.3.2 | 1.22 - 1.28 | 1.0.2 | 2.0.2 | 1.25.3 / R30 | Nov 1, 2025 | {{< /table >}} \ No newline at end of file diff --git a/content/includes/nic/compatibility-tables/nic-nap.md b/content/includes/nic/compatibility-tables/nic-nap.md index 1714526b1..fa7744a0e 100644 --- a/content/includes/nic/compatibility-tables/nic-nap.md +++ b/content/includes/nic/compatibility-tables/nic-nap.md @@ -10,14 +10,14 @@ NGINX Ingress Controller supports the following versions of [F5 WAF for NGINX](h {{< table >}} -| NIC Version | NAP-WAF Version | Config Manager | Enforcer | -|---------------------|---------------------------------------|---------------------------------|---------------------------------| +| NIC Version | NAP-WAF Version | Config Manager | Enforcer | +| ------------------- | --------------- | -------------- | -------- | | {{< nic-version >}} | 36+{{< appprotect-compiler-version>}} | {{< nic-waf-release-version >}} | {{< nic-waf-release-version >}} | -| 5.2.1 | 35+5.527.0 | 5.9.0 | 5.9.0 | -| 5.1.1 | 35+5.498 | 5.8.0 | 5.8.0 | -| 5.0.0 | 34+5.342 | 5.6.0 | 5.6.0 | -| 4.0.1 | 33+5.264 | 5.5.0 | 5.5.0 | -| 3.7.2 | 32+5.1 | 5.3.0 | 5.3.0 | -| 3.6.2 | 32+5.48 | 5.2.0 | 5.2.0 | +| 5.2.1 | 35+5.527.0 | 5.9.0 | 5.9.0 | +| 5.1.1 | 35+5.498 | 5.8.0 | 5.8.0 | +| 5.0.0 | 34+5.342 | 5.6.0 | 5.6.0 | +| 4.0.1 | 33+5.264 | 5.5.0 | 5.5.0 | +| 3.7.2 | 32+5.1 | 5.3.0 | 5.3.0 | +| 3.6.2 | 32+5.48 | 5.2.0 | 5.2.0 | {{< /table >}} diff --git a/content/nic/technical-specifications.md b/content/nic/technical-specifications.md index 7b4d6d8c9..b6a27510f 100644 --- a/content/nic/technical-specifications.md +++ b/content/nic/technical-specifications.md @@ -29,11 +29,11 @@ We provide the following Docker images, which include NGINX or NGINX Plus bundle _All images include NGINX 1.29.3._ -|
Name
|
Base image
| DockerHub image | Architectures | -|-------------------------------------|---------------------------------------------------------|----------------------------------------------------|----------------| -| Alpine-based image | ``nginx:1.29.3-alpine``,
based on on ``alpine:3.22`` | ``nginx/nginx-ingress:{{< nic-version >}}-alpine`` | arm64
amd64 | -| Debian-based image | ``nginx:1.29.3``,
based on on ``debian:13-slim`` | ``nginx/nginx-ingress:{{< nic-version >}}`` | arm64
amd64 | -| Ubi-based image | ``redhat/ubi9-minimal`` | ``nginx/nginx-ingress:{{< nic-version >}}-ubi`` | arm64
amd64 | +|
Name
|
Base image
| DockerHub image | Architectures | +| ---| --- | --- | --- | +|Alpine-based image | ``nginx:1.29.3-alpine``,
based on on ``alpine:3.22`` | ``nginx/nginx-ingress:{{< nic-version >}}-alpine`` | arm64
amd64 | +|Debian-based image | ``nginx:1.29.3``,
based on on ``debian:12-slim`` | ``nginx/nginx-ingress:{{< nic-version >}}`` | arm64
amd64 | +|Ubi-based image | ``redhat/ubi9-minimal`` | ``nginx/nginx-ingress:{{< nic-version >}}-ubi`` | arm64
amd64 | ### Images with NGINX Plus @@ -45,22 +45,22 @@ NGINX Plus images are available through the F5 Container registry `private-regis {{< table >}} -| Name | Base image |
Additional modules
| F5 Container Registry Image | Architectures | -|-----------------------------------------------------------|-------------------------|---------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------|----------------| -| Alpine-based image | ``alpine:3.22`` | NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-alpine` | arm64
amd64 | -| Alpine-based image with FIPS inside | ``alpine:3.22`` | NJS (NGINX JavaScript)
OpenTelemetry
FIPS module and OpenSSL configuration | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | arm64
amd64 | -| Alpine-based image with F5 WAF for NGINX & FIPS inside | ``alpine:3.22`` | F5 WAF for NGINX
NJS (NGINX JavaScript)
OpenTelemetry
FIPS module and OpenSSL configuration | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | amd64 | -| Alpine-based image with F5 WAF for NGINX v5 & FIPS inside | ``alpine:3.22`` | F5 WAF for NGINX v5
NJS (NGINX JavaScript)
OpenTelemetry
FIPS module and OpenSSL configuration | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | amd64 | -| Debian-based image | ``debian:12-slim`` | NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}` | arm64
amd64 | -| Debian-based image with F5 WAF for NGINX | ``debian:12-slim`` | F5 WAF for NGINX
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}` | amd64 | -| Debian-based image with F5 WAF for NGINX v5 | ``debian:12-slim`` | F5 WAF for NGINX v5
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}` | amd64 | -| Debian-based image with F5 DoS for NGINX | ``debian:12-slim`` | F5 DoS for NGINX
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-dos/nginx-plus-ingress:{{< nic-version >}}` | amd64 | -| Debian-based image with F5 WAF for NGINX and DoS | ``debian:12-slim`` | F5 WAF for NGINX and DoS
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-dos/nginx-plus-ingress:{{< nic-version >}}` | amd64 | -| Ubi-based image | ``redhat/ubi9-minimal`` | NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-ubi` | arm64
amd64 | -| Ubi-based image with F5 WAF for NGINX | ``redhat/ubi9`` | F5 WAF for NGINX
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | -| Ubi-based image with F5 WAF for NGINX v5 | ``redhat/ubi9`` | F5 WAF for NGINX v5
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | -| Ubi-based image with F5 DoS for NGINX | ``redhat/ubi8`` | F5 DoS for NGINX
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-dos/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | -| Ubi-based image with F5 WAF for NGINX and DoS | ``redhat/ubi8`` | F5 WAF for NGINX and DoS
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-dos/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | +| Name | Base image |
Additional modules
| F5 Container Registry Image | Architectures | +| ---| ---| --- | --- | --- | +|Alpine-based image | ``alpine:3.22`` | NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-alpine` | arm64
amd64 | +|Alpine-based image with FIPS inside | ``alpine:3.22`` | NJS (NGINX JavaScript)
OpenTelemetry
FIPS module and OpenSSL configuration | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | arm64
amd64 | +|Alpine-based image with F5 WAF for NGINX & FIPS inside | ``alpine:3.22`` | F5 WAF for NGINX
NJS (NGINX JavaScript)
OpenTelemetry
FIPS module and OpenSSL configuration | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | amd64 | +|Alpine-based image with F5 WAF for NGINX v5 & FIPS inside | ``alpine:3.22`` | F5 WAF for NGINX v5
NJS (NGINX JavaScript)
OpenTelemetry
FIPS module and OpenSSL configuration | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}-alpine-fips` | amd64 | +|Debian-based image | ``debian:12-slim`` | NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}` | arm64
amd64 | +|Debian-based image with F5 WAF for NGINX | ``debian:12-slim`` | F5 WAF for NGINX
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}` | amd64 | +|Debian-based image with F5 WAF for NGINX v5 | ``debian:12-slim`` | F5 WAF for NGINX v5
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}` | amd64 | +|Debian-based image with F5 DoS for NGINX | ``debian:12-slim`` | F5 DoS for NGINX
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-dos/nginx-plus-ingress:{{< nic-version >}}` | amd64 | +|Debian-based image with F5 WAF for NGINX and DoS | ``debian:12-slim`` | F5 WAF for NGINX and DoS
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-dos/nginx-plus-ingress:{{< nic-version >}}` | amd64 | +|Ubi-based image | ``redhat/ubi9-minimal`` | NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic/nginx-plus-ingress:{{< nic-version >}}-ubi` | arm64
amd64 | +|Ubi-based image with F5 WAF for NGINX | ``redhat/ubi9`` | F5 WAF for NGINX
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | +|Ubi-based image with F5 WAF for NGINX v5 | ``redhat/ubi9`` | F5 WAF for NGINX v5
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-v5/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | +|Ubi-based image with F5 DoS for NGINX | ``redhat/ubi8`` | F5 DoS for NGINX
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-dos/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | +|Ubi-based image with F5 WAF for NGINX and DoS | ``redhat/ubi8`` | F5 WAF for NGINX and DoS
NJS (NGINX JavaScript)
OpenTelemetry | `nginx-ic-nap-dos/nginx-plus-ingress:{{< nic-version >}}-ubi` | amd64 | {{< /table >}} From 13af17f7adbe7c86696b26eaf9f67df1c4962af2 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 5 Dec 2025 12:37:29 +0000 Subject: [PATCH 19/23] Undo empty line fixes --- .../includes/nic/compatibility-tables/nic-nap.md | 2 +- ...rtualserver-and-virtualserverroute-resources.md | 14 -------------- content/nic/install/migrate-ingress-nginx.md | 3 --- 3 files changed, 1 insertion(+), 18 deletions(-) diff --git a/content/includes/nic/compatibility-tables/nic-nap.md b/content/includes/nic/compatibility-tables/nic-nap.md index fa7744a0e..b1ec4979b 100644 --- a/content/includes/nic/compatibility-tables/nic-nap.md +++ b/content/includes/nic/compatibility-tables/nic-nap.md @@ -12,7 +12,7 @@ NGINX Ingress Controller supports the following versions of [F5 WAF for NGINX](h | NIC Version | NAP-WAF Version | Config Manager | Enforcer | | ------------------- | --------------- | -------------- | -------- | -| {{< nic-version >}} | 36+{{< appprotect-compiler-version>}} | {{< nic-waf-release-version >}} | {{< nic-waf-release-version >}} | +| {{< nic-version >}} | 36+{{< appprotect-compiler-version>}} | {{< nic-waf-release-version >}} | {{< nic-waf-release-version >}} | | 5.2.1 | 35+5.527.0 | 5.9.0 | 5.9.0 | | 5.1.1 | 35+5.498 | 5.8.0 | 5.8.0 | | 5.0.0 | 34+5.342 | 5.6.0 | 5.6.0 | diff --git a/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md b/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md index d7dc3088b..f5009bc7f 100644 --- a/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md +++ b/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md 
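Review bot: the `content/nic/technical-specifications.md` hunk at `@@ -29,11 +29,11 @@` is otherwise a whitespace-only table reformat, but its Debian-based image row also changes the base image from ``debian:13-slim`` to ``debian:12-slim``. If the change is intended, move it to its own commit with the reason in the message; if it slipped in with the reformat, restore the previous value. The Alpine and Debian rows both still read "based on on", which could be fixed while these lines are being rewritten.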
@@ -126,7 +126,6 @@ cert-manager: |``issue-temp-cert`` | When ``true``, ask cert-manager for a [temporary self-signed certificate](https://cert-manager.io/docs/usage/certificate/#temporary-certificates-while-issuing) pending the issuance of the Certificate. This allows HTTPS-only servers to use ACME HTTP01 challenges when the TLS secret does not exist yet. | ``boolean`` | No | ### VirtualServer.Listener - The listener field defines a custom HTTP and/or HTTPS listener. The respective listeners used must reference the name of a listener defined using a [GlobalConfiguration]({{< ref "/nic/configuration/global-configuration/globalconfiguration-resource.md" >}}) resource. For example: @@ -197,7 +196,6 @@ The route defines rules for matching client requests to actions like passing a r ``` {{< table >}} - |Field | Description | Type | Required | | ---| ---| ---| --- | |``path`` | The path of the route. NGINX will match it against the URI of a request. Possible values are: a prefix ( ``/`` , ``/path`` ), an exact match ( ``=/exact/match`` ), a case insensitive regular expression ( ``~*^/Bar.*\.jpg`` ) or a case sensitive regular expression ( ``~^/foo.*\.jpg`` ). In the case of a prefix (must start with ``/`` ) or an exact match (must start with ``=`` ), the path must not include any whitespace characters, ``{`` , ``}`` or ``;``. In the case of the regex matches, all double quotes ``"`` must be escaped and the match can't end in an unescaped backslash ``\``. The path must be unique among the paths of all routes of the VirtualServer. Check the [location](https://nginx.org/en/docs/http/ngx_http_core_module.html#location) directive for more information. | ``string`` | Yes | 
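Review bot: dropping the blank line after `### VirtualServer.Listener` leaves the heading directly followed by its paragraph, which markdownlint reports as MD022 (headings should be surrounded by blank lines). The commit message only says "Undo empty line fixes", so either keep the blank line here or state in the message why it has to be removed.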
@@ -209,7 +207,6 @@ The route defines rules for matching client requests to actions like passing a r |``route`` | The name of a VirtualServerRoute resource that defines this route. If the VirtualServerRoute belongs to a different namespace than the VirtualServer, you need to include the namespace. For example, ``tea-namespace/tea``. | ``string`` | No | |``errorPages`` | The custom responses for error codes. NGINX will use those responses instead of returning the error responses from the upstream servers or the default responses generated by NGINX. A custom response can be a redirect or a canned response. For example, a redirect to another URL if an upstream server responded with a 404 status code. | [[]errorPage](#errorpage) | No | |``location-snippets`` | Sets a custom snippet in the location context. Overrides the ``location-snippets`` ConfigMap key. | ``string`` | No | - {{< /table >}} \* -- a route must include exactly one of the following: `action`, `splits`, or `route`. 
@@ -288,7 +285,6 @@ action: ``` {{< table >}} - |Field | Description | Type | Required | | ---| ---| ---| --- | |``path`` | The path of the subroute. NGINX will match it against the URI of a request. Possible values are: a prefix ( ``/`` , ``/path`` ), an exact match ( ``=/exact/match`` ), a case insensitive regular expression ( ``~*^/Bar.*\.jpg`` ) or a case sensitive regular expression ( ``~^/foo.*\.jpg`` ). In the case of a prefix, the path must start with the same path as the path of the route of the VirtualServer that references this resource. In the case of an exact or regex match, the path must be the same as the path of the route of the VirtualServer that references this resource. A matching path of the route of the VirtualServer but in different type is not accepted, e.g. a regex path (`~/match`) cannot be used with a prefix path in VirtualServer (`/match`) In the case of a prefix or an exact match, the path must not include any whitespace characters, ``{`` , ``}`` or ``;``. In the case of the regex matches, all double quotes ``"`` must be escaped and the match can't end in an unescaped backslash ``\``. The path must be unique among the paths of all subroutes of the VirtualServerRoute. | ``string`` | Yes | 
@@ -299,7 +295,6 @@ action: |``matches`` | The matching rules for advanced content-based routing. Requires the default ``action`` or ``splits``. Unmatched requests will be handled by the default ``action`` or ``splits``. | [matches](#match) | No | |``errorPages`` | The custom responses for error codes. NGINX will use those responses instead of returning the error responses from the upstream servers or the default responses generated by NGINX. A custom response can be a redirect or a canned response. For example, a redirect to another URL if an upstream server responded with a 404 status code. | [[]errorPage](#errorpage) | No | |``location-snippets`` | Sets a custom snippet in the location context. Overrides the ``location-snippets`` of the VirtualServer (if set) or the ``location-snippets`` ConfigMap key. | ``string`` | No | - {{< /table >}} \* -- a subroute must include exactly one of the following: `action` or `splits`. @@ -335,7 +330,6 @@ tls: **Note**: The WebSocket protocol is supported without any additional configuration. {{< table >}} - |Field | Description | Type | Required | | ---| ---| ---| --- | |``name`` | The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, ``hello`` and ``upstream-123`` are valid. The name must be unique among all upstreams of the resource. | ``string`` | Yes | 
@@ -368,7 +362,6 @@ tls: |``type`` |The type of the upstream. Supported values are ``http`` and ``grpc``. The default is ``http``. For gRPC, it is necessary to enable HTTP/2 in the [ConfigMap]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#listeners" >}}) and configure TLS termination in the VirtualServer. | ``string`` | No | |``backup`` | The name of the backup service of type [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#externalname). This will be used when the primary servers are unavailable. Note: The parameter cannot be used along with the ``random`` , ``hash`` or ``ip_hash`` load balancing methods. | ``string`` | No | |``backupPort`` | The port of the backup service. The backup port is required if the backup service name is provided. The port must fall into the range ``1..65535``. | ``uint16`` | No | - {{< /table >}} ### Upstream.Buffers @@ -877,7 +870,6 @@ For example, the following command creates a VirtualServer resource defined in ` ```shell kubectl apply -f cafe-virtual-server.yaml ``` - ```text virtualserver.k8s.nginx.org "cafe" created ``` @@ -887,7 +879,6 @@ You can get the resource by running: ```shell kubectl get virtualserver cafe ``` - ```text NAME STATE HOST IP PORTS AGE cafe Valid cafe.example.com 12.13.23.123 [80,443] 3m @@ -955,7 +946,6 @@ If you try to create (or update) a resource that violates the structural schema ```shell kubectl apply -f cafe-virtual-server.yaml ``` - ```text error: error validating "cafe-virtual-server.yaml": error validating data: ValidationError(VirtualServer.spec.upstreams[0].port): invalid type for org.nginx.k8s.v1.VirtualServer.spec.upstreams.port: got "string", expected "integer"; if you choose to ignore these errors, turn validation off with --validate=false ``` 
@@ -965,7 +955,6 @@ If you try to create (or update) a resource that violates the structural schema ```shell kubectl apply -f cafe-virtual-server.yaml --validate=false ``` - ```text The VirtualServer "cafe" is invalid: []: Invalid value: map[string]interface {}{ ... }: validation failure list: spec.upstreams.port in body must be of type integer: "string" @@ -982,7 +971,6 @@ You can check if NGINX Ingress Controller successfully applied the configuration ```shell kubectl describe vs cafe ``` - ```text ... Events: @@ -998,7 +986,6 @@ If you create an invalid resource, NGINX Ingress Controller will reject it and e ```shell kubectl describe vs cafe ``` - ```text ... Events: @@ -1014,7 +1001,6 @@ Additionally, this information is also available in the `status` field of the Vi ```shell kubectl describe vs cafe ``` - ```text ... Status: diff --git a/content/nic/install/migrate-ingress-nginx.md b/content/nic/install/migrate-ingress-nginx.md index ab3eaccba..5c6143b75 100644 --- a/content/nic/install/migrate-ingress-nginx.md +++ b/content/nic/install/migrate-ingress-nginx.md 
@@ -505,15 +505,12 @@ NGINX Ingress Controller has additional annotations for features using NGINX Plu The following table outlines annotation conversions for enabling TLS and gRPC protocols to backend (upstream) services. {{< table >}} - | Ingress-NGINX Controller | NGINX Ingress Controller | | ------------------------ | ------------------------ | | [_nginx.ingress.kubernetes.io/backend-protocol_](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#backend-protocol): "HTTPS" | [_nginx.org/ssl-services_]({{< ref "/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md#backend-services-upstreams" >}}): "ssl_service_name" | | [_nginx.ingress.kubernetes.io/backend-protocol_](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#backend-protocol): "GRPC" | [_nginx.org/grpc-services_]({{< ref "/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md#backend-services-upstreams" >}}): "grpc_service_name" | | [_nginx.ingress.kubernetes.io/backend-protocol_](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#backend-protocol): "GRPCS" | [_nginx.org/ssl-services_]({{< ref "/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md#backend-services-upstreams" >}}): "grpc_service_name"
[_nginx.org/grpc-services_]({{< ref "/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md#backend-services-upstreams" >}}): "grpc_service_name" | - {{< /table >}} - {{< call-out "important" >}} GRPC services require Ingresses with TLS termination and HTTP/2 enabled (see [_http2 ConfigMap key_]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#listeners" >}})). {{< /call-out >}} From e4e742531ae73d6e68eb9564ae0aa8a17dee1580 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 5 Dec 2025 14:14:01 +0000 Subject: [PATCH 20/23] Update release notes for 5.3.0 --- content/nic/changelog/_index.md | 91 +++++++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) diff --git a/content/nic/changelog/_index.md b/content/nic/changelog/_index.md index e22d657b4..0647d78be 100644 --- a/content/nic/changelog/_index.md +++ b/content/nic/changelog/_index.md 
@@ -24,6 +24,97 @@ For older releases, check the changelogs for previous years: [2024]({{< ref "/ni {{< /details >}} + +## 5.3.0 + +08 Dec 2025 + +### {{% icon rocket %}} Features +- [8292](https://github.com/nginx/kubernetes-ingress/pull/8292) Add sslverify for jwksuri +- [8447](https://github.com/nginx/kubernetes-ingress/pull/8447) Add support for ssl ciphers related annotations +- [8340](https://github.com/nginx/kubernetes-ingress/pull/8340) Implement oidc front channel logout nginx directives +- [8495](https://github.com/nginx/kubernetes-ingress/pull/8495) Add oidc timeout customization to configmap +- [8453](https://github.com/nginx/kubernetes-ingress/pull/8453) Support namespaced upstream service reference in virtualserver +- [8508](https://github.com/nginx/kubernetes-ingress/pull/8508) Add rewrite-target annotation +- [8548](https://github.com/nginx/kubernetes-ingress/pull/8548) Add `client-body-buffer-size` directive to ingress annotations & configmap +- [8557](https://github.com/nginx/kubernetes-ingress/pull/8557) Add client-body-buffer-size directive to virtualserver +- [8556](https://github.com/nginx/kubernetes-ingress/pull/8556) Add oidc policy idp tls validation +- [8533](https://github.com/nginx/kubernetes-ingress/pull/8533) Extend cache policy for more configurable parameters + +### {{% icon bug %}} Fixes +- [8299](https://github.com/nginx/kubernetes-ingress/pull/8299) Remove type field for objects with schema ref +- [8455](https://github.com/nginx/kubernetes-ingress/pull/8455) Cleanup stale socket files on startup + +### {{% icon arrow-up %}} Dependencies +- [8553](https://github.com/nginx/kubernetes-ingress/pull/8553) Bump Go dependencies +- [8244](https://github.com/nginx/kubernetes-ingress/pull/8244), [8279](https://github.com/nginx/kubernetes-ingress/pull/8279), [8284](https://github.com/nginx/kubernetes-ingress/pull/8284), [8595](https://github.com/nginx/kubernetes-ingress/pull/8308, https://github.com/nginx/kubernetes-ingress/pull/8459, 
https://github.com/nginx/kubernetes-ingress/pull/8510, https://github.com/nginx/kubernetes-ingress/pull/8565, https://github.com/nginx/kubernetes-ingress/pull/8576, https://github.com/nginx/kubernetes-ingress/pull/8595), [8584](https://github.com/nginx/kubernetes-ingress/pull/8307, https://github.com/nginx/kubernetes-ingress/pull/8374, https://github.com/nginx/kubernetes-ingress/pull/8570, https://github.com/nginx/kubernetes-ingress/pull/8584), [8315](https://github.com/nginx/kubernetes-ingress/pull/8315), [8324](https://github.com/nginx/kubernetes-ingress/pull/8324), [8334](https://github.com/nginx/kubernetes-ingress/pull/8334), [8466](https://github.com/nginx/kubernetes-ingress/pull/8366, https://github.com/nginx/kubernetes-ingress/pull/8443, https://github.com/nginx/kubernetes-ingress/pull/8466), [8384](https://github.com/nginx/kubernetes-ingress/pull/8384), [8502](https://github.com/nginx/kubernetes-ingress/pull/8389, https://github.com/nginx/kubernetes-ingress/pull/8438, https://github.com/nginx/kubernetes-ingress/pull/8502), [8406](https://github.com/nginx/kubernetes-ingress/pull/8406), [8588](https://github.com/nginx/kubernetes-ingress/pull/8431, https://github.com/nginx/kubernetes-ingress/pull/8588), [8589](https://github.com/nginx/kubernetes-ingress/pull/8432, https://github.com/nginx/kubernetes-ingress/pull/8589), [8598](https://github.com/nginx/kubernetes-ingress/pull/8437, https://github.com/nginx/kubernetes-ingress/pull/8449, https://github.com/nginx/kubernetes-ingress/pull/8461, https://github.com/nginx/kubernetes-ingress/pull/8491, https://github.com/nginx/kubernetes-ingress/pull/8501, https://github.com/nginx/kubernetes-ingress/pull/8550, https://github.com/nginx/kubernetes-ingress/pull/8563, https://github.com/nginx/kubernetes-ingress/pull/8580, https://github.com/nginx/kubernetes-ingress/pull/8598), [8575](https://github.com/nginx/kubernetes-ingress/pull/8439, https://github.com/nginx/kubernetes-ingress/pull/8451, 
https://github.com/nginx/kubernetes-ingress/pull/8558, https://github.com/nginx/kubernetes-ingress/pull/8575), [8542](https://github.com/nginx/kubernetes-ingress/pull/8448, https://github.com/nginx/kubernetes-ingress/pull/8471, https://github.com/nginx/kubernetes-ingress/pull/8542), [8543](https://github.com/nginx/kubernetes-ingress/pull/8450, https://github.com/nginx/kubernetes-ingress/pull/8462, https://github.com/nginx/kubernetes-ingress/pull/8482, https://github.com/nginx/kubernetes-ingress/pull/8543), [8599](https://github.com/nginx/kubernetes-ingress/pull/8436, https://github.com/nginx/kubernetes-ingress/pull/8490, https://github.com/nginx/kubernetes-ingress/pull/8549, https://github.com/nginx/kubernetes-ingress/pull/8562, https://github.com/nginx/kubernetes-ingress/pull/8579, https://github.com/nginx/kubernetes-ingress/pull/8587, https://github.com/nginx/kubernetes-ingress/pull/8599), [8551](https://github.com/nginx/kubernetes-ingress/pull/8474, https://github.com/nginx/kubernetes-ingress/pull/8551), [8484](https://github.com/nginx/kubernetes-ingress/pull/8484), [8475](https://github.com/nginx/kubernetes-ingress/pull/8475), [8497](https://github.com/nginx/kubernetes-ingress/pull/8497), [8498](https://github.com/nginx/kubernetes-ingress/pull/8498), [8499](https://github.com/nginx/kubernetes-ingress/pull/8499), [8596](https://github.com/nginx/kubernetes-ingress/pull/8513, https://github.com/nginx/kubernetes-ingress/pull/8596), [8511](https://github.com/nginx/kubernetes-ingress/pull/8511), [8581](https://github.com/nginx/kubernetes-ingress/pull/8581) & [8615](https://github.com/nginx/kubernetes-ingress/pull/8615) Bump Docker dependencies +- [8616](https://github.com/nginx/kubernetes-ingress/pull/8616) Update dependency go to v1.25.5 (main) +- [8611](https://github.com/nginx/kubernetes-ingress/pull/8611) Bump waf version to 5.10.0 +- [8494](https://github.com/nginx/kubernetes-ingress/pull/8494) Update nginx to 1.29.3, nginx agent to 3.5 +- 
[8577](https://github.com/nginx/kubernetes-ingress/pull/8577) Update module golang.org/x/tools to v0.39.0 (main) +- [8578](https://github.com/nginx/kubernetes-ingress/pull/8578) Update module mvdan.cc/gofumpt to v0.9.2 (main) +- [8569](https://github.com/nginx/kubernetes-ingress/pull/8569) Update aws-sdk-go-v2 monorepo (main) +- [8560](https://github.com/nginx/kubernetes-ingress/pull/8560) Update pre-commit hook rhysd/actionlint to v1.7.9 (main) +- [8552](https://github.com/nginx/kubernetes-ingress/pull/8552) Update kubernetes packages to v0.34.2 (main) +- [8544](https://github.com/nginx/kubernetes-ingress/pull/8544) Update aws-sdk-go-v2 monorepo (main) +- [8524](https://github.com/nginx/kubernetes-ingress/pull/8524) Update module github.com/aws/aws-sdk-go-v2/config to v1.31.18 (main) +- [8526](https://github.com/nginx/kubernetes-ingress/pull/8526) Update pre-commit hook psf/black-pre-commit-mirror to v25.11.0 (main) +- [8514](https://github.com/nginx/kubernetes-ingress/pull/8514) Update test containers to v0.2.6 +- [8492](https://github.com/nginx/kubernetes-ingress/pull/8492) Update dependency clusterrole to rbac.authorization.k8s.io/v1 (main) +- [8503](https://github.com/nginx/kubernetes-ingress/pull/8493, https://github.com/nginx/kubernetes-ingress/pull/8503) Update dependency go to v1.25.4 (main) +- [8483](https://github.com/nginx/kubernetes-ingress/pull/8483) Update aws-sdk-go-v2 monorepo (main) +- [8486](https://github.com/nginx/kubernetes-ingress/pull/8486) Update renovate to bump minor go versions +- [8465](https://github.com/nginx/kubernetes-ingress/pull/8465) Update module github.com/nginx/nginx-prometheus-exporter to v1.5.1 (main) +- [8464](https://github.com/nginx/kubernetes-ingress/pull/8464) Update aws-sdk-go-v2 monorepo (main) +- [8445](https://github.com/nginx/kubernetes-ingress/pull/8445) Use renovate to monitor test data yaml files +- [8428](https://github.com/nginx/kubernetes-ingress/pull/8428) Update module github.com/cert-manager/cert-manager 
to v1.19.1 (main) +- [8440](https://github.com/nginx/kubernetes-ingress/pull/8440) Update aws-sdk-go-v2 monorepo (main) +- [8401](https://github.com/nginx/kubernetes-ingress/pull/8401) Upgrade github.com/nginx/nginx-plus-go-client/v3 to v3.0.1 +- [8572](https://github.com/nginx/kubernetes-ingress/pull/8396, https://github.com/nginx/kubernetes-ingress/pull/8476, https://github.com/nginx/kubernetes-ingress/pull/8572) Update module github.com/gruntwork-io/terratest to v0.54.0 (main) +- [8429](https://github.com/nginx/kubernetes-ingress/pull/8429) Update module github.com/cert-manager/cert-manager to v1.19.0 (main) +- [8427](https://github.com/nginx/kubernetes-ingress/pull/8427) Update renovate pr's in github workflow +- [8424](https://github.com/nginx/kubernetes-ingress/pull/8424) Allow renovate to run postupgradetasks +- [8397](https://github.com/nginx/kubernetes-ingress/pull/8397) Correct space in github actions, update renovate syntax +- [8559](https://github.com/nginx/kubernetes-ingress/pull/8405, https://github.com/nginx/kubernetes-ingress/pull/8525, https://github.com/nginx/kubernetes-ingress/pull/8559) Update pre-commit hook asottile/pyupgrade to v3.21.2 (main) +- [8387](https://github.com/nginx/kubernetes-ingress/pull/8387) Update dependency pyyaml to v6.0.3 (main) +- [8388](https://github.com/nginx/kubernetes-ingress/pull/8388) Update dependency wrapt to v1.17.3 (main) +- [8381](https://github.com/nginx/kubernetes-ingress/pull/8381) Update renovate configuration +- [8375](https://github.com/nginx/kubernetes-ingress/pull/8375) Update docker/login-action action to v3.6.0 +- [8362](https://github.com/nginx/kubernetes-ingress/pull/8362) Update examples with keycloak 26.x +- [8350](https://github.com/nginx/kubernetes-ingress/pull/8350) Update dependency cffi to v2 +- [8356](https://github.com/nginx/kubernetes-ingress/pull/8356) Update peter-evans/dockerhub-description action to v5 +- [8355](https://github.com/nginx/kubernetes-ingress/pull/8355) Update dependency 
grpcio to v1.75.1 +- [8349](https://github.com/nginx/kubernetes-ingress/pull/8349) Update k8s.io/utils digest to bc988d5 +- [8337](https://github.com/nginx/kubernetes-ingress/pull/8337) Update module github.com/golang-jwt/jwt/v4 to v5 +- [8339](https://github.com/nginx/kubernetes-ingress/pull/8339) Update waf to 5.9.0 +- [8343](https://github.com/nginx/kubernetes-ingress/pull/8343) Update actions/cache action to v4.3.0 +- [8344](https://github.com/nginx/kubernetes-ingress/pull/8344) Update dependency certifi to v2025.8.3 +- [8332](https://github.com/nginx/kubernetes-ingress/pull/8332) Update ossf/scorecard-action action to v2.4.3 +- [8333](https://github.com/nginx/kubernetes-ingress/pull/8333) Update dependency pycparser to v2.23 +- [8582](https://github.com/nginx/kubernetes-ingress/pull/8326, https://github.com/nginx/kubernetes-ingress/pull/8564, https://github.com/nginx/kubernetes-ingress/pull/8582) Update module github.com/gkampitakis/go-snaps to v0.5.17 (main) +- [8323](https://github.com/nginx/kubernetes-ingress/pull/8323) Update dependency cryptography to v46.0.2 +- [8309](https://github.com/nginx/kubernetes-ingress/pull/8309) Update aws-sdk-go-v2 monorepo +- [8312](https://github.com/nginx/kubernetes-ingress/pull/8312) Update dependency requests to v2.32.5 +- [8300](https://github.com/nginx/kubernetes-ingress/pull/8300) Chore(deps): bump the actions group across 1 directory with 5 updates +- [8298](https://github.com/nginx/kubernetes-ingress/pull/8298) Chore: configure renovate +- [8566](https://github.com/nginx/kubernetes-ingress/pull/8286, https://github.com/nginx/kubernetes-ingress/pull/8369, https://github.com/nginx/kubernetes-ingress/pull/8423, https://github.com/nginx/kubernetes-ingress/pull/8539, https://github.com/nginx/kubernetes-ingress/pull/8566) [pre-commit.ci] pre-commit autoupdate +- [8287](https://github.com/nginx/kubernetes-ingress/pull/8287) Chore(deps): bump the python group with 5 updates +- 
[8275](https://github.com/nginx/kubernetes-ingress/pull/8275) Chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 in the actions group +- [8270](https://github.com/nginx/kubernetes-ingress/pull/8270) Chore(deps): bump the python group with 5 updates +- [8269](https://github.com/nginx/kubernetes-ingress/pull/8269) Chore(deps): bump the actions group with 2 updates +- [8252](https://github.com/nginx/kubernetes-ingress/pull/8252) Bump preflight version to v1.14.1 +- [8254](https://github.com/nginx/kubernetes-ingress/pull/8248, https://github.com/nginx/kubernetes-ingress/pull/8254) Chore(deps): bump python from `d99178e` to `a805109` in /tests +- [8263](https://github.com/nginx/kubernetes-ingress/pull/8249, https://github.com/nginx/kubernetes-ingress/pull/8263) Chore(deps): bump github/codeql-action from 3.30.1 to 3.30.3 in the actions group +- [8243](https://github.com/nginx/kubernetes-ingress/pull/8243) Chore(deps): bump the python group with 2 updates + +### {{% icon download %}} Upgrade +- For NGINX, use the 5.3.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=5.3.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). +- For NGINX Plus, use the 5.3.0 images from the F5 Container registry or build your own image using the 5.3.0 source code. +- For Helm, use version 2.4.0 of the chart. + +### {{% icon life-buoy %}} Supported Platforms +We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.27-1.34. + ## 5.3.0 08 Dec 2025 From a4d101c68f835fbd520022c264dc753856f51eb0 Mon Sep 17 00:00:00 2001 
From: Gabor Javorszky Date: Fri, 5 Dec 2025 14:32:27 +0000 Subject: [PATCH 21/23] Tweak changelog for 5.3.0 --- content/nic/changelog/_index.md | 143 +------------------------------- 1 file changed, 2 insertions(+), 141 deletions(-) diff --git a/content/nic/changelog/_index.md b/content/nic/changelog/_index.md index 0647d78be..9b7970e9a 100644 --- a/content/nic/changelog/_index.md +++ b/content/nic/changelog/_index.md 
@@ -47,152 +47,13 @@ For older releases, check the changelogs for previous years: [2024]({{< ref "/ni ### {{% icon arrow-up %}} Dependencies - [8553](https://github.com/nginx/kubernetes-ingress/pull/8553) Bump Go dependencies -- [8244](https://github.com/nginx/kubernetes-ingress/pull/8244), [8279](https://github.com/nginx/kubernetes-ingress/pull/8279), [8284](https://github.com/nginx/kubernetes-ingress/pull/8284), [8595](https://github.com/nginx/kubernetes-ingress/pull/8308, https://github.com/nginx/kubernetes-ingress/pull/8459, https://github.com/nginx/kubernetes-ingress/pull/8510, https://github.com/nginx/kubernetes-ingress/pull/8565, https://github.com/nginx/kubernetes-ingress/pull/8576, https://github.com/nginx/kubernetes-ingress/pull/8595), [8584](https://github.com/nginx/kubernetes-ingress/pull/8307, https://github.com/nginx/kubernetes-ingress/pull/8374, https://github.com/nginx/kubernetes-ingress/pull/8570, https://github.com/nginx/kubernetes-ingress/pull/8584), [8315](https://github.com/nginx/kubernetes-ingress/pull/8315), [8324](https://github.com/nginx/kubernetes-ingress/pull/8324), [8334](https://github.com/nginx/kubernetes-ingress/pull/8334), [8466](https://github.com/nginx/kubernetes-ingress/pull/8366, https://github.com/nginx/kubernetes-ingress/pull/8443, https://github.com/nginx/kubernetes-ingress/pull/8466), [8384](https://github.com/nginx/kubernetes-ingress/pull/8384), [8502](https://github.com/nginx/kubernetes-ingress/pull/8389, https://github.com/nginx/kubernetes-ingress/pull/8438, https://github.com/nginx/kubernetes-ingress/pull/8502), [8406](https://github.com/nginx/kubernetes-ingress/pull/8406), [8588](https://github.com/nginx/kubernetes-ingress/pull/8431, https://github.com/nginx/kubernetes-ingress/pull/8588), [8589](https://github.com/nginx/kubernetes-ingress/pull/8432, https://github.com/nginx/kubernetes-ingress/pull/8589), [8598](https://github.com/nginx/kubernetes-ingress/pull/8437, https://github.com/nginx/kubernetes-ingress/pull/8449, 
https://github.com/nginx/kubernetes-ingress/pull/8461, https://github.com/nginx/kubernetes-ingress/pull/8491, https://github.com/nginx/kubernetes-ingress/pull/8501, https://github.com/nginx/kubernetes-ingress/pull/8550, https://github.com/nginx/kubernetes-ingress/pull/8563, https://github.com/nginx/kubernetes-ingress/pull/8580, https://github.com/nginx/kubernetes-ingress/pull/8598), [8575](https://github.com/nginx/kubernetes-ingress/pull/8439, https://github.com/nginx/kubernetes-ingress/pull/8451, https://github.com/nginx/kubernetes-ingress/pull/8558, https://github.com/nginx/kubernetes-ingress/pull/8575), [8542](https://github.com/nginx/kubernetes-ingress/pull/8448, https://github.com/nginx/kubernetes-ingress/pull/8471, https://github.com/nginx/kubernetes-ingress/pull/8542), [8543](https://github.com/nginx/kubernetes-ingress/pull/8450, https://github.com/nginx/kubernetes-ingress/pull/8462, https://github.com/nginx/kubernetes-ingress/pull/8482, https://github.com/nginx/kubernetes-ingress/pull/8543), [8599](https://github.com/nginx/kubernetes-ingress/pull/8436, https://github.com/nginx/kubernetes-ingress/pull/8490, https://github.com/nginx/kubernetes-ingress/pull/8549, https://github.com/nginx/kubernetes-ingress/pull/8562, https://github.com/nginx/kubernetes-ingress/pull/8579, https://github.com/nginx/kubernetes-ingress/pull/8587, https://github.com/nginx/kubernetes-ingress/pull/8599), [8551](https://github.com/nginx/kubernetes-ingress/pull/8474, https://github.com/nginx/kubernetes-ingress/pull/8551), [8484](https://github.com/nginx/kubernetes-ingress/pull/8484), [8475](https://github.com/nginx/kubernetes-ingress/pull/8475), [8497](https://github.com/nginx/kubernetes-ingress/pull/8497), [8498](https://github.com/nginx/kubernetes-ingress/pull/8498), [8499](https://github.com/nginx/kubernetes-ingress/pull/8499), [8596](https://github.com/nginx/kubernetes-ingress/pull/8513, https://github.com/nginx/kubernetes-ingress/pull/8596), 
[8511](https://github.com/nginx/kubernetes-ingress/pull/8511), [8581](https://github.com/nginx/kubernetes-ingress/pull/8581) & [8615](https://github.com/nginx/kubernetes-ingress/pull/8615) Bump Docker dependencies +- [8244](https://github.com/nginx/kubernetes-ingress/pull/8244), [8279](https://github.com/nginx/kubernetes-ingress/pull/8279), [8284](https://github.com/nginx/kubernetes-ingress/pull/8284), [8595](https://github.com/nginx/kubernetes-ingress/pull/8595), [8584](https://github.com/nginx/kubernetes-ingress/pull/8584), [8315](https://github.com/nginx/kubernetes-ingress/pull/8315), [8324](https://github.com/nginx/kubernetes-ingress/pull/8324), [8334](https://github.com/nginx/kubernetes-ingress/pull/8334), [8466](https://github.com/nginx/kubernetes-ingress/pull/8466), [8384](https://github.com/nginx/kubernetes-ingress/pull/8384), [8502](https://github.com/nginx/kubernetes-ingress/pull/8502), [8406](https://github.com/nginx/kubernetes-ingress/pull/8406), [8588](https://github.com/nginx/kubernetes-ingress/pull/8588), [8589](https://github.com/nginx/kubernetes-ingress/pull/8589), [8598](https://github.com/nginx/kubernetes-ingress/pull/8598), [8575](https://github.com/nginx/kubernetes-ingress/pull/8575), [8542](https://github.com/nginx/kubernetes-ingress/pull/8542), [8543](https://github.com/nginx/kubernetes-ingress/pull/8543), [8599](https://github.com/nginx/kubernetes-ingress/pull/8599), [8551](https://github.com/nginx/kubernetes-ingress/pull/8551), [8484](https://github.com/nginx/kubernetes-ingress/pull/8484), [8475](https://github.com/nginx/kubernetes-ingress/pull/8475), [8497](https://github.com/nginx/kubernetes-ingress/pull/8497), [8498](https://github.com/nginx/kubernetes-ingress/pull/8498), [8499](https://github.com/nginx/kubernetes-ingress/pull/8499), [8596](https://github.com/nginx/kubernetes-ingress/pull/8596), [8511](https://github.com/nginx/kubernetes-ingress/pull/8511) & [8581](https://github.com/nginx/kubernetes-ingress/pull/8581), 
[8581](https://github.com/nginx/kubernetes-ingress/pull/8581) Bump Docker dependencies - [8616](https://github.com/nginx/kubernetes-ingress/pull/8616) Update dependency go to v1.25.5 (main) - [8611](https://github.com/nginx/kubernetes-ingress/pull/8611) Bump waf version to 5.10.0 - [8494](https://github.com/nginx/kubernetes-ingress/pull/8494) Update nginx to 1.29.3, nginx agent to 3.5 -- [8577](https://github.com/nginx/kubernetes-ingress/pull/8577) Update module golang.org/x/tools to v0.39.0 (main) -- [8578](https://github.com/nginx/kubernetes-ingress/pull/8578) Update module mvdan.cc/gofumpt to v0.9.2 (main) -- [8569](https://github.com/nginx/kubernetes-ingress/pull/8569) Update aws-sdk-go-v2 monorepo (main) -- [8560](https://github.com/nginx/kubernetes-ingress/pull/8560) Update pre-commit hook rhysd/actionlint to v1.7.9 (main) -- [8552](https://github.com/nginx/kubernetes-ingress/pull/8552) Update kubernetes packages to v0.34.2 (main) -- [8544](https://github.com/nginx/kubernetes-ingress/pull/8544) Update aws-sdk-go-v2 monorepo (main) -- [8524](https://github.com/nginx/kubernetes-ingress/pull/8524) Update module github.com/aws/aws-sdk-go-v2/config to v1.31.18 (main) -- [8526](https://github.com/nginx/kubernetes-ingress/pull/8526) Update pre-commit hook psf/black-pre-commit-mirror to v25.11.0 (main) -- [8514](https://github.com/nginx/kubernetes-ingress/pull/8514) Update test containers to v0.2.6 -- [8492](https://github.com/nginx/kubernetes-ingress/pull/8492) Update dependency clusterrole to rbac.authorization.k8s.io/v1 (main) -- [8503](https://github.com/nginx/kubernetes-ingress/pull/8493, https://github.com/nginx/kubernetes-ingress/pull/8503) Update dependency go to v1.25.4 (main) -- [8483](https://github.com/nginx/kubernetes-ingress/pull/8483) Update aws-sdk-go-v2 monorepo (main) -- [8486](https://github.com/nginx/kubernetes-ingress/pull/8486) Update renovate to bump minor go versions -- [8465](https://github.com/nginx/kubernetes-ingress/pull/8465) Update 
module github.com/nginx/nginx-prometheus-exporter to v1.5.1 (main) -- [8464](https://github.com/nginx/kubernetes-ingress/pull/8464) Update aws-sdk-go-v2 monorepo (main) -- [8445](https://github.com/nginx/kubernetes-ingress/pull/8445) Use renovate to monitor test data yaml files -- [8428](https://github.com/nginx/kubernetes-ingress/pull/8428) Update module github.com/cert-manager/cert-manager to v1.19.1 (main) -- [8440](https://github.com/nginx/kubernetes-ingress/pull/8440) Update aws-sdk-go-v2 monorepo (main) -- [8401](https://github.com/nginx/kubernetes-ingress/pull/8401) Upgrade github.com/nginx/nginx-plus-go-client/v3 to v3.0.1 -- [8572](https://github.com/nginx/kubernetes-ingress/pull/8396, https://github.com/nginx/kubernetes-ingress/pull/8476, https://github.com/nginx/kubernetes-ingress/pull/8572) Update module github.com/gruntwork-io/terratest to v0.54.0 (main) -- [8429](https://github.com/nginx/kubernetes-ingress/pull/8429) Update module github.com/cert-manager/cert-manager to v1.19.0 (main) -- [8427](https://github.com/nginx/kubernetes-ingress/pull/8427) Update renovate pr's in github workflow -- [8424](https://github.com/nginx/kubernetes-ingress/pull/8424) Allow renovate to run postupgradetasks -- [8397](https://github.com/nginx/kubernetes-ingress/pull/8397) Correct space in github actions, update renovate syntax -- [8559](https://github.com/nginx/kubernetes-ingress/pull/8405, https://github.com/nginx/kubernetes-ingress/pull/8525, https://github.com/nginx/kubernetes-ingress/pull/8559) Update pre-commit hook asottile/pyupgrade to v3.21.2 (main) -- [8387](https://github.com/nginx/kubernetes-ingress/pull/8387) Update dependency pyyaml to v6.0.3 (main) -- [8388](https://github.com/nginx/kubernetes-ingress/pull/8388) Update dependency wrapt to v1.17.3 (main) -- [8381](https://github.com/nginx/kubernetes-ingress/pull/8381) Update renovate configuration -- [8375](https://github.com/nginx/kubernetes-ingress/pull/8375) Update docker/login-action action to v3.6.0 -- 
[8362](https://github.com/nginx/kubernetes-ingress/pull/8362) Update examples with keycloak 26.x -- [8350](https://github.com/nginx/kubernetes-ingress/pull/8350) Update dependency cffi to v2 -- [8356](https://github.com/nginx/kubernetes-ingress/pull/8356) Update peter-evans/dockerhub-description action to v5 -- [8355](https://github.com/nginx/kubernetes-ingress/pull/8355) Update dependency grpcio to v1.75.1 -- [8349](https://github.com/nginx/kubernetes-ingress/pull/8349) Update k8s.io/utils digest to bc988d5 -- [8337](https://github.com/nginx/kubernetes-ingress/pull/8337) Update module github.com/golang-jwt/jwt/v4 to v5 -- [8339](https://github.com/nginx/kubernetes-ingress/pull/8339) Update waf to 5.9.0 -- [8343](https://github.com/nginx/kubernetes-ingress/pull/8343) Update actions/cache action to v4.3.0 -- [8344](https://github.com/nginx/kubernetes-ingress/pull/8344) Update dependency certifi to v2025.8.3 -- [8332](https://github.com/nginx/kubernetes-ingress/pull/8332) Update ossf/scorecard-action action to v2.4.3 -- [8333](https://github.com/nginx/kubernetes-ingress/pull/8333) Update dependency pycparser to v2.23 -- [8582](https://github.com/nginx/kubernetes-ingress/pull/8326, https://github.com/nginx/kubernetes-ingress/pull/8564, https://github.com/nginx/kubernetes-ingress/pull/8582) Update module github.com/gkampitakis/go-snaps to v0.5.17 (main) -- [8323](https://github.com/nginx/kubernetes-ingress/pull/8323) Update dependency cryptography to v46.0.2 -- [8309](https://github.com/nginx/kubernetes-ingress/pull/8309) Update aws-sdk-go-v2 monorepo -- [8312](https://github.com/nginx/kubernetes-ingress/pull/8312) Update dependency requests to v2.32.5 -- [8300](https://github.com/nginx/kubernetes-ingress/pull/8300) Chore(deps): bump the actions group across 1 directory with 5 updates -- [8298](https://github.com/nginx/kubernetes-ingress/pull/8298) Chore: configure renovate -- [8566](https://github.com/nginx/kubernetes-ingress/pull/8286, 
https://github.com/nginx/kubernetes-ingress/pull/8369, https://github.com/nginx/kubernetes-ingress/pull/8423, https://github.com/nginx/kubernetes-ingress/pull/8539, https://github.com/nginx/kubernetes-ingress/pull/8566) [pre-commit.ci] pre-commit autoupdate -- [8287](https://github.com/nginx/kubernetes-ingress/pull/8287) Chore(deps): bump the python group with 5 updates -- [8275](https://github.com/nginx/kubernetes-ingress/pull/8275) Chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 in the actions group -- [8270](https://github.com/nginx/kubernetes-ingress/pull/8270) Chore(deps): bump the python group with 5 updates -- [8269](https://github.com/nginx/kubernetes-ingress/pull/8269) Chore(deps): bump the actions group with 2 updates -- [8252](https://github.com/nginx/kubernetes-ingress/pull/8252) Bump preflight version to v1.14.1 -- [8254](https://github.com/nginx/kubernetes-ingress/pull/8248, https://github.com/nginx/kubernetes-ingress/pull/8254) Chore(deps): bump python from `d99178e` to `a805109` in /tests -- [8263](https://github.com/nginx/kubernetes-ingress/pull/8249, https://github.com/nginx/kubernetes-ingress/pull/8263) Chore(deps): bump github/codeql-action from 3.30.1 to 3.30.3 in the actions group -- [8243](https://github.com/nginx/kubernetes-ingress/pull/8243) Chore(deps): bump the python group with 2 updates +- [8600](https://github.com/nginx/kubernetes-ingress/pull/8600) Update nginx plus waf pkg and alpine base version -### {{% icon download %}} Upgrade -- For NGINX, use the 5.3.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=5.3.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). 
-- For NGINX Plus, use the 5.3.0 images from the F5 Container registry or build your own image using the 5.3.0 source code. -- For Helm, use version 2.4.0 of the chart. -### {{% icon life-buoy %}} Supported Platforms -We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.27-1.34. - -## 5.3.0 - -08 Dec 2025 - -### {{% icon rocket %}} Features -- [8292](https://github.com/nginx/kubernetes-ingress/pull/8292) Add sslverify for jwksuri -- [8447](https://github.com/nginx/kubernetes-ingress/pull/8447) Add support for ssl ciphers related annotations -- [8340](https://github.com/nginx/kubernetes-ingress/pull/8340) Implement oidc front channel logout nginx directives -- [8495](https://github.com/nginx/kubernetes-ingress/pull/8495) Add oidc timeout customization to configmap -- [8453](https://github.com/nginx/kubernetes-ingress/pull/8453) Support namespaced upstream service reference in virtualserver -- [8508](https://github.com/nginx/kubernetes-ingress/pull/8508) Add rewrite-target annotation -- [8548](https://github.com/nginx/kubernetes-ingress/pull/8548) Add `client-body-buffer-size` directive to ingress annotations & configmap -- [8557](https://github.com/nginx/kubernetes-ingress/pull/8557) Add client-body-buffer-size directive to virtualserver -- [8556](https://github.com/nginx/kubernetes-ingress/pull/8556) Add oidc policy idp tls validation -- [8533](https://github.com/nginx/kubernetes-ingress/pull/8533) Extend cache policy for more configurable parameters - -### {{% icon bug %}} Fixes -- [8299](https://github.com/nginx/kubernetes-ingress/pull/8299) Remove type field for objects with schema ref -- [8455](https://github.com/nginx/kubernetes-ingress/pull/8455) Cleanup stale socket files on startup -- [8460](https://github.com/nginx/kubernetes-ingress/pull/8460) Wrap oidc fclo 
initiated test in a while loop - -### {{% icon arrow-up %}} Dependencies -- [8553](https://github.com/nginx/kubernetes-ingress/pull/8553) Bump Go dependencies -- [8244](https://github.com/nginx/kubernetes-ingress/pull/8244), [8279](https://github.com/nginx/kubernetes-ingress/pull/8279), [8284](https://github.com/nginx/kubernetes-ingress/pull/8284), [8595](https://github.com/nginx/kubernetes-ingress/pull/8595), [8584](https://github.com/nginx/kubernetes-ingress/pull/8584), [8315](https://github.com/nginx/kubernetes-ingress/pull/8315), [8324](https://github.com/nginx/kubernetes-ingress/pull/8324), [8334](https://github.com/nginx/kubernetes-ingress/pull/8334), [8466](https://github.com/nginx/kubernetes-ingress/pull/8466), [8384](https://github.com/nginx/kubernetes-ingress/pull/8384), [8502](https://github.com/nginx/kubernetes-ingress/pull/8502), [8406](https://github.com/nginx/kubernetes-ingress/pull/8406), [8588](https://github.com/nginx/kubernetes-ingress/pull/8588), [8589](https://github.com/nginx/kubernetes-ingress/pull/8589), [8598](https://github.com/nginx/kubernetes-ingress/pull/8598), [8575](https://github.com/nginx/kubernetes-ingress/pull/8575), [8542](https://github.com/nginx/kubernetes-ingress/pull/8542), [8543](https://github.com/nginx/kubernetes-ingress/pull/8543), [8599](https://github.com/nginx/kubernetes-ingress/pull/8599), [8551](https://github.com/nginx/kubernetes-ingress/pull/8551), [8484](https://github.com/nginx/kubernetes-ingress/pull/8484), [8475](https://github.com/nginx/kubernetes-ingress/pull/8475), [8497](https://github.com/nginx/kubernetes-ingress/pull/8497), [8498](https://github.com/nginx/kubernetes-ingress/pull/8498), [8499](https://github.com/nginx/kubernetes-ingress/pull/8499), [8596](https://github.com/nginx/kubernetes-ingress/pull/8596), [8511](https://github.com/nginx/kubernetes-ingress/pull/8511) & [8581](https://github.com/nginx/kubernetes-ingress/pull/8581) Bump Docker dependencies -- 
[8577](https://github.com/nginx/kubernetes-ingress/pull/8577) Update module golang.org/x/tools to v0.39.0 (main) -- [8578](https://github.com/nginx/kubernetes-ingress/pull/8578) Update module mvdan.cc/gofumpt to v0.9.2 (main) -- [8569](https://github.com/nginx/kubernetes-ingress/pull/8569) Update aws-sdk-go-v2 monorepo (main) -- [8560](https://github.com/nginx/kubernetes-ingress/pull/8560) Update pre-commit hook rhysd/actionlint to v1.7.9 (main) -- [8552](https://github.com/nginx/kubernetes-ingress/pull/8552) Update kubernetes packages to v0.34.2 (main) -- [8544](https://github.com/nginx/kubernetes-ingress/pull/8544) Update aws-sdk-go-v2 monorepo (main) -- [8524](https://github.com/nginx/kubernetes-ingress/pull/8524) Update module github.com/aws/aws-sdk-go-v2/config to v1.31.18 (main) -- [8526](https://github.com/nginx/kubernetes-ingress/pull/8526) Update pre-commit hook psf/black-pre-commit-mirror to v25.11.0 (main) -- [8514](https://github.com/nginx/kubernetes-ingress/pull/8514) Update test containers to v0.2.6 -- [8492](https://github.com/nginx/kubernetes-ingress/pull/8492) Update dependency clusterrole to rbac.authorization.k8s.io/v1 (main) -- [8503](https://github.com/nginx/kubernetes-ingress/pull/8503) Update dependency go to v1.25.4 (main) -- [8483](https://github.com/nginx/kubernetes-ingress/pull/8483) Update aws-sdk-go-v2 monorepo (main) -- [8486](https://github.com/nginx/kubernetes-ingress/pull/8486) Update renovate to bump minor go versions -- [8465](https://github.com/nginx/kubernetes-ingress/pull/8465) Update module github.com/nginx/nginx-prometheus-exporter to v1.5.1 (main) -- [8464](https://github.com/nginx/kubernetes-ingress/pull/8464) Update aws-sdk-go-v2 monorepo (main) -- [8445](https://github.com/nginx/kubernetes-ingress/pull/8445) Use renovate to monitor test data yaml files -- [8428](https://github.com/nginx/kubernetes-ingress/pull/8428) Update module github.com/cert-manager/cert-manager to v1.19.1 (main) -- 
[8440](https://github.com/nginx/kubernetes-ingress/pull/8440) Update aws-sdk-go-v2 monorepo (main) -- [8401](https://github.com/nginx/kubernetes-ingress/pull/8401) Upgrade github.com/nginx/nginx-plus-go-client/v3 to v3.0.1 -- [8572](https://github.com/nginx/kubernetes-ingress/pull/8572) Update module github.com/gruntwork-io/terratest to v0.54.0 (main) -- [8429](https://github.com/nginx/kubernetes-ingress/pull/8429) Update module github.com/cert-manager/cert-manager to v1.19.0 (main) -- [8427](https://github.com/nginx/kubernetes-ingress/pull/8427) Update renovate pr's in github workflow -- [8424](https://github.com/nginx/kubernetes-ingress/pull/8424) Allow renovate to run postupgradetasks -- [8397](https://github.com/nginx/kubernetes-ingress/pull/8397) Correct space in github actions, update renovate syntax -- [8559](https://github.com/nginx/kubernetes-ingress/pull/8559) Update pre-commit hook asottile/pyupgrade to v3.21.2 (main) -- [8387](https://github.com/nginx/kubernetes-ingress/pull/8387) Update dependency pyyaml to v6.0.3 (main) -- [8388](https://github.com/nginx/kubernetes-ingress/pull/8388) Update dependency wrapt to v1.17.3 (main) -- [8381](https://github.com/nginx/kubernetes-ingress/pull/8381) Update renovate configuration -- [8375](https://github.com/nginx/kubernetes-ingress/pull/8375) Update docker/login-action action to v3.6.0 -- [8362](https://github.com/nginx/kubernetes-ingress/pull/8362) Update examples with keycloak 26.x -- [8350](https://github.com/nginx/kubernetes-ingress/pull/8350) Update dependency cffi to v2 -- [8356](https://github.com/nginx/kubernetes-ingress/pull/8356) Update peter-evans/dockerhub-description action to v5 -- [8355](https://github.com/nginx/kubernetes-ingress/pull/8355) Update dependency grpcio to v1.75.1 -- [8349](https://github.com/nginx/kubernetes-ingress/pull/8349) Update k8s.io/utils digest to bc988d5 -- [8337](https://github.com/nginx/kubernetes-ingress/pull/8337) Update module github.com/golang-jwt/jwt/v4 to v5 -- 
[8343](https://github.com/nginx/kubernetes-ingress/pull/8343) Update actions/cache action to v4.3.0 -- [8344](https://github.com/nginx/kubernetes-ingress/pull/8344) Update dependency certifi to v2025.8.3 -- [8332](https://github.com/nginx/kubernetes-ingress/pull/8332) Update ossf/scorecard-action action to v2.4.3 -- [8333](https://github.com/nginx/kubernetes-ingress/pull/8333) Update dependency pycparser to v2.23 -- [8582](https://github.com/nginx/kubernetes-ingress/pull/8582) Update module github.com/gkampitakis/go-snaps to v0.5.17 (main) -- [8323](https://github.com/nginx/kubernetes-ingress/pull/8323) Update dependency cryptography to v46.0.2 -- [8309](https://github.com/nginx/kubernetes-ingress/pull/8309) Update aws-sdk-go-v2 monorepo -- [8312](https://github.com/nginx/kubernetes-ingress/pull/8312) Update dependency requests to v2.32.5 -- [8300](https://github.com/nginx/kubernetes-ingress/pull/8300) Chore(deps): bump the actions group across 1 directory with 5 updates -- [8298](https://github.com/nginx/kubernetes-ingress/pull/8298) Chore: configure renovate -- [8566](https://github.com/nginx/kubernetes-ingress/pull/8566) [pre-commit.ci] pre-commit autoupdate -- [8287](https://github.com/nginx/kubernetes-ingress/pull/8287) Chore(deps): bump the python group with 5 updates -- [8275](https://github.com/nginx/kubernetes-ingress/pull/8275) Chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 in the actions group -- [8270](https://github.com/nginx/kubernetes-ingress/pull/8270) Chore(deps): bump the python group with 5 updates -- [8269](https://github.com/nginx/kubernetes-ingress/pull/8269) Chore(deps): bump the actions group with 2 updates -- [8252](https://github.com/nginx/kubernetes-ingress/pull/8252) Bump preflight version to v1.14.1 -- [8254](https://github.com/nginx/kubernetes-ingress/pull/8254) Chore(deps): bump python from `d99178e` to `a805109` in /tests -- [8263](https://github.com/nginx/kubernetes-ingress/pull/8263) Chore(deps): bump 
github/codeql-action from 3.30.1 to 3.30.3 in the actions group -- [8243](https://github.com/nginx/kubernetes-ingress/pull/8243) Chore(deps): bump the python group with 2 updates ### {{% icon download %}} Upgrade - For NGINX, use the 5.3.0 images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=5.3.0), [GitHub Container](https://github.com/nginx/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress). From 8a23cde235fff93c400071d0e3350bbe1f5ba97e Mon Sep 17 00:00:00 2001 From: Venktesh Shivam Patel Date: Mon, 8 Dec 2025 16:02:28 +0000 Subject: [PATCH 22/23] remove duplicate PR Co-authored-by: AlexFenlon --- content/nic/changelog/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nic/changelog/_index.md b/content/nic/changelog/_index.md index 9b7970e9a..1d14dda5c 100644 --- a/content/nic/changelog/_index.md +++ b/content/nic/changelog/_index.md 
@@ -47,7 +47,7 @@ For older releases, check the changelogs for previous years: [2024]({{< ref "/ni ### {{% icon arrow-up %}} Dependencies - [8553](https://github.com/nginx/kubernetes-ingress/pull/8553) Bump Go dependencies -- [8244](https://github.com/nginx/kubernetes-ingress/pull/8244), [8279](https://github.com/nginx/kubernetes-ingress/pull/8279), [8284](https://github.com/nginx/kubernetes-ingress/pull/8284), [8595](https://github.com/nginx/kubernetes-ingress/pull/8595), [8584](https://github.com/nginx/kubernetes-ingress/pull/8584), [8315](https://github.com/nginx/kubernetes-ingress/pull/8315), [8324](https://github.com/nginx/kubernetes-ingress/pull/8324), [8334](https://github.com/nginx/kubernetes-ingress/pull/8334), [8466](https://github.com/nginx/kubernetes-ingress/pull/8466), [8384](https://github.com/nginx/kubernetes-ingress/pull/8384), [8502](https://github.com/nginx/kubernetes-ingress/pull/8502), [8406](https://github.com/nginx/kubernetes-ingress/pull/8406), [8588](https://github.com/nginx/kubernetes-ingress/pull/8588), [8589](https://github.com/nginx/kubernetes-ingress/pull/8589), [8598](https://github.com/nginx/kubernetes-ingress/pull/8598), [8575](https://github.com/nginx/kubernetes-ingress/pull/8575), [8542](https://github.com/nginx/kubernetes-ingress/pull/8542), [8543](https://github.com/nginx/kubernetes-ingress/pull/8543), [8599](https://github.com/nginx/kubernetes-ingress/pull/8599), [8551](https://github.com/nginx/kubernetes-ingress/pull/8551), [8484](https://github.com/nginx/kubernetes-ingress/pull/8484), [8475](https://github.com/nginx/kubernetes-ingress/pull/8475), [8497](https://github.com/nginx/kubernetes-ingress/pull/8497), [8498](https://github.com/nginx/kubernetes-ingress/pull/8498), [8499](https://github.com/nginx/kubernetes-ingress/pull/8499), [8596](https://github.com/nginx/kubernetes-ingress/pull/8596), [8511](https://github.com/nginx/kubernetes-ingress/pull/8511) & [8581](https://github.com/nginx/kubernetes-ingress/pull/8581), 
[8581](https://github.com/nginx/kubernetes-ingress/pull/8581) Bump Docker dependencies +- [8244](https://github.com/nginx/kubernetes-ingress/pull/8244), [8279](https://github.com/nginx/kubernetes-ingress/pull/8279), [8284](https://github.com/nginx/kubernetes-ingress/pull/8284), [8595](https://github.com/nginx/kubernetes-ingress/pull/8595), [8584](https://github.com/nginx/kubernetes-ingress/pull/8584), [8315](https://github.com/nginx/kubernetes-ingress/pull/8315), [8324](https://github.com/nginx/kubernetes-ingress/pull/8324), [8334](https://github.com/nginx/kubernetes-ingress/pull/8334), [8466](https://github.com/nginx/kubernetes-ingress/pull/8466), [8384](https://github.com/nginx/kubernetes-ingress/pull/8384), [8502](https://github.com/nginx/kubernetes-ingress/pull/8502), [8406](https://github.com/nginx/kubernetes-ingress/pull/8406), [8588](https://github.com/nginx/kubernetes-ingress/pull/8588), [8589](https://github.com/nginx/kubernetes-ingress/pull/8589), [8598](https://github.com/nginx/kubernetes-ingress/pull/8598), [8575](https://github.com/nginx/kubernetes-ingress/pull/8575), [8542](https://github.com/nginx/kubernetes-ingress/pull/8542), [8543](https://github.com/nginx/kubernetes-ingress/pull/8543), [8599](https://github.com/nginx/kubernetes-ingress/pull/8599), [8551](https://github.com/nginx/kubernetes-ingress/pull/8551), [8484](https://github.com/nginx/kubernetes-ingress/pull/8484), [8475](https://github.com/nginx/kubernetes-ingress/pull/8475), [8497](https://github.com/nginx/kubernetes-ingress/pull/8497), [8498](https://github.com/nginx/kubernetes-ingress/pull/8498), [8499](https://github.com/nginx/kubernetes-ingress/pull/8499), [8596](https://github.com/nginx/kubernetes-ingress/pull/8596), [8511](https://github.com/nginx/kubernetes-ingress/pull/8511) & [8581](https://github.com/nginx/kubernetes-ingress/pull/8581) Bump Docker dependencies - [8616](https://github.com/nginx/kubernetes-ingress/pull/8616) Update dependency go to v1.25.5 (main) - 
[8611](https://github.com/nginx/kubernetes-ingress/pull/8611) Bump waf version to 5.10.0 - [8494](https://github.com/nginx/kubernetes-ingress/pull/8494) Update nginx to 1.29.3, nginx agent to 3.5 From 3eb3b642e789b8d0698f82218a77e69ecb5551f2 Mon Sep 17 00:00:00 2001 From: AlexFenlon Date: Tue, 9 Dec 2025 09:41:58 +0000 Subject: [PATCH 23/23] Update Release Date --- content/nic/changelog/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nic/changelog/_index.md b/content/nic/changelog/_index.md index 1d14dda5c..73c1592e1 100644 --- a/content/nic/changelog/_index.md +++ b/content/nic/changelog/_index.md @@ -27,7 +27,7 @@ For older releases, check the changelogs for previous years: [2024]({{< ref "/ni ## 5.3.0 -08 Dec 2025 +09 Dec 2025 ### {{% icon rocket %}} Features - [8292](https://github.com/nginx/kubernetes-ingress/pull/8292) Add sslverify for jwksuri
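Review bot: Several dependency entries added in the changelog lines ahead of PATCH 21/23 put more than one URL inside a single markdown link target. The 8572 terratest entry, for example, lists pull/8396, pull/8476 and pull/8572 separated by commas, and the 8559, 8582, 8566, 8254 and 8263 entries follow the same pattern. A comma-separated list is not a single valid link destination, so these will not resolve as written; give each PR its own `[number](url)` link or keep only the final PR.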
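Review bot: The replacement "Bump Docker dependencies" line in PATCH 21/23 ends with `[8511] & [8581], [8581]`, so 8581 is listed twice and the `&` no longer precedes the last item, whereas the line it replaces ended with `[8581] & [8615]`. PATCH 22/23 exists only to remove that repeated entry, so consider folding it into this patch so the series does not carry an intermediate state that is known to be wrong.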
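Review bot: After the one-line change in PATCH 22/23 the Docker dependencies list ends at `& [8581]`, but the version of this line removed in PATCH 21/23 ended with `& [8615]`, and 8615 appears nowhere in the visible context of either hunk. If dropping 8615 was not intended, restore it in this change; if it was, note it in the commit message, which currently mentions only the duplicate.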