2022 archive

2.4.2

30 Nov 2022

Dependencies

Update NGINX Plus version to R28.
Update F5 WAF for NGINX version to 4.0.
Update F5 DoS for NGINX version to 3.1.

Upgrade

For NGINX, use the 2.4.2 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
For NGINX Plus, use the 2.4.2 images from the F5 Container registry or build your own image using the 2.4.2 source code.
For Helm, use version 0.15.2 of the chart.

2.4.1

19 October 2022

Dependencies

3183 Update NGINX version to 1.23.2.
3175 Update Go dependencies.
Update NGINX Plus version to R27 P1.

Fixes

3139 Remove all IPV6 listeners in ingress resources with -disable-ipv6 command line.

Upgrade

For NGINX, use the 2.4.1 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
For NGINX Plus, use the 2.4.1 images from the F5 Container registry or the AWS Marketplace or build your own image using the 2.4.1 source code.
For Helm, use version 0.15.1 of the chart.

1.12.5

19 October 2022

Dependencies

Update NGINX version to 1.23.2.
Update NGINX Plus version to R27 P1.
Update Alpine to 3.16.
Update Go to 1.19 and Go dependencies.

Upgrade

For NGINX, use the 1.12.5 image from our DockerHub: nginx/nginx-ingress:1.12.5, nginx/nginx-ingress:1.12.5-alpine or nginx/nginx-ingress:1.12.5-ubi
For NGINX Plus, please build your own image using the 1.12.5 source code.
For Helm, use version 0.10.5 of the chart.

2.4.0

04 October 2022

Overview

Added support for enabling proxy_protocol when port 443 is being used for both HTTPS traffic and TLS Passthrough traffic.
Updates to the TransportServer resource to support using ExternalName services. For examples, see externalname-services.
VirtualServer resource now supports wildcard hostname.
NGINX Ingress Controller images including the combined NGINX AppProtect WAF and NGINX AppProtect DoS solutions are now published to our registry. See Images with NGINX Plus for a detailed list of images in our registry.
Added support for watching multiple namespaces using the -watch-namespace cli argument. This can configured by passing a comma-separated list of namespaces to the -watch-namespace CLI argument (e.g. -watch-namespace=ns-1,ns-2).
A new cli argument has been added: -include-year. This appends the current year to the log output from the Ingress Controller. Example output: I20220512 09:20:42.345457.
Post-startup configuration reloads have been optimized to reduce traffic impacts. When many resources are modified at the same time, changes are combined to reduce the number of data plane reloads.

Features

2986 Batch reloads at runtime.
2914 Support watching multiple namespaces.
2884 Include year in logs.
2993 Accept proxy protocol when TLS passthrough enabled.
3041 Support external name service for TransportServer.
2939 Add support for wildcard hostname in VirtualServer.
3040 Add command line argument to manually disable IPV6 listeners for unsupported clusters.
3088 Filter secrets of type helm.sh/release.v1.

Fixes

2971 fix: Correct error message on missing path in path validation. Thanks to Zachary Seguin.
3095 do not create configmap if customConfigMap is used. Thanks to Bryan Hendryx.

Helm Chart

3087 Allow omitting the default server secret from Helm installs.
2831 Add ServiceMonitor to Helm Chart. Thanks to araineUnity.
2855 Add initialDelaySeconds to helm charts. Thanks to Daniel Edgar.
2979 Allow to specify image with digest in helm chart. Thanks to Hans Feldt.
3031 Adding automountServiceAccountToken to helm chart.

Upgrade

For NGINX, use the 2.4.0 images from our DockerHub, GitHub Container or Amazon ECR Public Gallery.
For NGINX Plus, use the 2.4.0 images from the F5 Container registry or the AWS Marketplace or build your own image using the 2.4.0 source code.
For Helm, use version 0.15.0 of the chart. If you’re using custom resources like VirtualServer and TransportServer (controller.enableCustomResources is set to true), after you run the helm upgrade command, the CRDs will not be upgraded. After running the helm upgrade command, run kubectl apply -f deployments/helm-chart/crds to upgrade the CRDs.

We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.19-1.25.

2.3.1

16 September 2022

Dependencies

3048 Bump NGINX to 1.23.1
3049 Update Go dependencies.

Helm Chart

3031 Add automountServiceAccountToken to helm chart

Upgrade

For NGINX, use the 2.3.1 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
For NGINX Plus, use the 2.3.1 images from the F5 Container registry or build your own image using the 2.3.1 source code.
For Helm, use version 0.14.1 of the chart.

2.3.0

12 July 2022

Overview

Support making VirtualServer resources discoverable via public DNS servers using external-dns. Examples for configuring external-dns with NGINX Ingress Controller can be found here.
Resolves CVE-2022-30535. This vulnerability impacted the visibility of secrets accessible by NGINX Ingress Controller. In some cases, secrets visible to NGINX Ingress Controller could be exposed to any authenticated user with permission to create and update Ingress objects. This vulnerability affected Ingress objects only - our Custom Resources (VirtualServer and TransportServer) were not affected. Customers unable to upgrade should migrate any Ingress resources to VirtualServer resources where possible, and use RBAC to restrict write access for users for Ingress objects.
Support using HTTP basic authentication with VirtualServer and Ingress resources. Special thanks to Simon Wachter.
Support HTTP01 type ACME Issuers for use with VirtualServer resources with cert-manager.

Features

2581 Add OpenTracing to all Debian and Alpine based images.
2328 Add handling of multiple log destinations.
2691 AP: log-conf escaping chars.
2759 Add support for HTTP01 Challenges on VirtualServer resources.
2762 Add DNSEndpoint CRD for integration with ExternalDNS.
2801 Add SBOMs to release.
2269 HTTP basic auth support. Thanks to Simon Wachter.
2800 Integrate external-dns with VirtualServer resources.
2583 Add runAsNonRoot in deployments.
2484 Add container resource requests.
2627 Update InternalRoute server_name.
2742 Add additional unit tests to confirm special characters can’t be used in the lb-method annotation.
2730 Add string sanitisation for proxy-pass-headers & proxy-hide-headers.
2733 Add string validation to server-tokens annotation.
2734 Validate rewrite annotation.
2754 Validate JWT key, realm and login url for ingress resources annotations.
2751 Add string validation to sticky-cookie-services annotation.
2775 Add validation to Ingress path.
2774 Sanitize nginx.com/jwt-token.
2783 Update validation regex for path spec.
2781 Report Hostname in ExternalEndpoint for VS and VSR resources.

Fixes

2617 Fix Dockerfile for amd64 microarchitectures.
2637 Add terminationGracePeriodSeconds to deployment. Thanks to Maksym Iv.
2654 Sync changes from OIDC repo, add field in policy.
2673 Fix status.loadbalancer.hostname deletion on OOMKill. Thanks to Heiko Voigt.
2718 Fix cases where CM enabled but no TLS block specified in VS.

Helm Chart

2418 Add support for allocateLoadBalancerNodePorts, ipFamilyPolicy and ipFamilies. Thanks to centromere.
2672 Add minReadySeconds & strategy support. Thanks to Ciaran.
2625 allow configuring topologySpreadConstraints in Helm chart. Thanks to Kamil Domański.

Upgrade

For NGINX, use the 2.3.0 images from our DockerHub, GitHub Container or Amazon ECR Public Gallery.
For NGINX Plus, use the 2.3.0 images from the F5 Container registry or the AWS Marketplace or build your own image using the 2.3.0 source code.
For Helm, use version 0.14.0 of the chart. If you’re using custom resources like VirtualServer and TransportServer (controller.enableCustomResources is set to true), after you run the helm upgrade command, the CRDs will not be upgraded. After running the helm upgrade command, run kubectl apply -f deployments/helm-chart/crds to upgrade the CRDs.
When upgrading using Manifests, make sure to update the ClusterRole. This is required to enable the ExternalDNS for VirtualServer resources integration.

Supported Platforms

We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and which passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.19-1.24.

2.2.2

23 May 2022

Fixes

2627 Update InternalRoute server_name.

Upgrade

For NGINX, use the 2.2.2 images from our DockerHub, GitHub Container or Amazon ECR Public Gallery.
For NGINX Plus, use the 2.2.2 images from the F5 Container registry or build your own image using the 2.2.2 source code.
For Helm, use version 0.13.2 of the chart.

2.2.1

17 May 2022

Dependencies

Update Go dependencies.

Fixes

2654 Sync changes from nginx-openid-connect repo, add zoneSyncLeeway field in policy. For more information on the fixes, see pull request 52.

Upgrade

For NGINX, use the 2.2.1 images from our DockerHub, GitHub Container or Amazon ECR Public Gallery.
For NGINX Plus, use the 2.2.1 images from the F5 Container registry or build your own image using the 2.2.1 source code.
For Helm, use version 0.13.1 of the chart.

2.2.0

12 April 2022

Overview

Support for automatic provisioning and management of Certificate resources for VirtualServer resources using cert-manager. Examples for configuring cert-manager with NGINX Ingress Controller can be found here. Please note that HTTP01 type ACME Issuers are not yet supported for use with VirtualServer resources.
Full support for IPv6 using the NGINX Ingress Controller VirtualServer and VirtualServerRoute custom resources, and Ingress resources.
The -enable-preview-policies cli argument has been deprecated and is no longer required for the usage of any Policy resource type. This argument will be removed completely in v2.6.0.
A new -enable-oidc cli argument has been added to enable OIDC policies. Previously, this behaviour was achieved through the usage of the -enable-preview-policies cli argument.

Features

2576 Add support for IPv6.
2572 Automate provisioning of Certificate resources for VirtualServer resources using cert-manager.
2346 Use os.ReadDir for lightweight directory reading. Thanks to Eng Zer Jun.
2360 Add NGINX App Protect reconnect period directive.
2479 Add cli argument to configure NGINX App Protect log level.
2455 Increase memory available for NGINX App Protect xml parser.
2580 Create -enable-oidc command line argument for OIDC policy.
2566 Unbind policy from preview policies.
2582 Rename Make targets from openshift to ubi.

Fixes

2378 Fix healthcheck ports.
2404 Start nginx with -e stderr parameter.
2414 Fix in file nginx-plus.virtualserver.tmpl ApDosMonitor->ApDosMonitorURI.

Helm Chart

2525 Extend helm chart to include NGINX Service Mesh fields.
2294 Add extra containers to helm chart. Thanks to Márk Sági-Kazár.

Upgrade

For NGINX, use the 2.2.0 images from our DockerHub, GitHub Container or Amazon ECR Public Gallery.
For NGINX Plus, use the 2.2.0 images from the F5 Container registry or the AWS Marketplace or build your own image using the 2.2.0 source code.
For Helm, use version 0.13.0 of the chart. If you’re using custom resources like VirtualServer and TransportServer (controller.enableCustomResources is set to true), after you run the helm upgrade command, the CRDs will not be upgraded. After running the helm upgrade command, run kubectl apply -f deployments/helm-chart/crds to upgrade the CRDs.
When upgrading using Manifests, make sure to update the ClusterRole. This is required to enable the cert-manager for VirtualServer resources integration.
The -enable-preview-policies cli argument has been deprecated, and is no longer required for any Policy resources.
Enabling OIDC Policies now requires the use of -enable-oidc cli argument instead of the -enable-preview-policies cli argument.

Update UBI based images to 8.

Upgrade

For NGINX, use the 2.1.2 images from our DockerHub, GitHub Container or Amazon ECR Public Gallery.
For NGINX Plus, use the 2.1.2 images from the F5 Container registry or the AWS Marketplace or build your own image using the 2.1.2 source code.
For Helm, use version 0.12.2 of the chart.

1.12.4

23 March 2022

Dependencies

Update NGINX version to 1.21.6.
Update NGINX Plus version to R26.
Update Debian to Bullseye.
Update Alpine to 3.15.
Update UBI to 8.
Update Go to 1.17 and Go dependencies.

Fixes

Fix OpenTracing not working with NGINX Plus.

Upgrade

For NGINX, use the 1.12.4 image from our DockerHub: nginx/nginx-ingress:1.12.4, nginx/nginx-ingress:1.12.4-alpine or nginx/nginx-ingress:1.12.4-ubi
For NGINX Plus, please build your own image using the 1.12.4 source code.
For Helm, use version 0.10.4 of the chart.

2.1.1

17 February 2022

Dependencies

Update NGINX version to 1.21.6.
Update NGINX Plus version to R26.

Upgrade

For NGINX, use the 2.1.1 images from our DockerHub, GitHub Container or Amazon ECR Public Gallery.
For NGINX Plus, use the 2.1.1 images from the F5 Container registry or build your own image using the 2.1.1 source code.
For Helm, use version 0.12.1 of the chart.

2.1.0

06 January 2022

Overview

Support for NGINX App Protect Denial of Service protection with NGINX Ingress Controller. More information about F5 DoS for NGINX. Examples for configuring F5 DoS for NGINX with NGINX Ingress Controller can be found here.
Full support for gRPC services using the NGINX Ingress Controller VirtualServer and VirtualServerRoute custom resource definitions. This makes configuring and supporting gRPC services much easier, giving a simple YAML configuration and removing the need for snippets. Resource definition examples for gRPC can be found here.
Implementation of NGINX mandatory and persistent health checks in VirtualServer and VirtualServerRoute to further reduce interruptions to your service traffic as configuration changes continuously happen in your dynamic Kubernetes environment(s). Health checks have been extended to include mandatory and persistent fields. Mandatory health checks ensures that a new upstream server starts receiving traffic only after the health check passes. Mandatory health checks can be marked as persistent, so that the previous state is remembered when the Ingress Controller reloads NGINX Plus configuration. When combined with the slow-start parameter, the mandatory health check give a new upstream server more time to connect to databases and “warm up” before being asked to handle their full share of traffic. See the settings here. More about the NGINX Plus mandatory and persistent health check features. Mandatory health checks can be marked as persistent, so that the previous state is remembered when reloading configuration. When combined with the slow-start parameter, it gives a new service pod more time to connect to databases and “warm up” before being asked to handle their full share of traffic. See the settings here. More about the NGINX Plus mandatory and persistent health check features

Features

2251 Enable setting mandatory and persistent in upstream healthchecks in VS and VSR.
2241 Add support for F5 DoS for NGINX.
2200 Add Alpine image with OpenTracing.
2178 Support healthchecks in gRPC upstreams.
2110 Support gRPC in the Upstreams of the virtual server resources. Particular thanks to Chiyu Zhong for all their work.
2149 Add metric about total number of TransportServers.
2100 Add support for initContainers. Thanks to Gunnar Scherf.
1827 Add support for wildcard cert in VirtualServer resources. Thanks to Simon Wachter.
2107 Add option to download the NGINX Ingress Controller binary. Introduced a new TARGET download in the Makefile which can be used when building the NGINX Ingress Controller Docker image. With this option the Ingress Controller binary will be downloaded instead of built from source.
2044 Upload NGINX Ingress Controller binaries to release.
2094 AP: update appolicies crd.
2216 Add grpc_status to the logs.
2237 Unbind app-protect from -preview-policies.
2273 Make the resource comparison more informative in case of an error. Thanks to Andrey Karpov.
2124 Apply -enable-snippets cli arg to Ingresses. This PR extends the existing -enable-snippets cli argument to apply to Ingress resources. If snippets are not enabled, the Ingress Controller will reject any Ingress resources with snippets annotations. Previously, the argument only applied to VirtualServer, VirtualServerRoute and TransportServer resources. Please Note: this is a breaking change. See the UPGRADE instructions below.

Fixes

2267 Fix URI rewrite in VirtualServers and VirtualServerRoutes.
2260 Check if refresh token is undefined and do not store it in this case. Thanks to tippexs for the fix.
2215 enableSnippets should not depend from enableCustomResources. Thanks to Alessio Casco for the fix.
1934 AP: fix watch-namespace for NAP resources.
2125 Allow empty string in server-tokens annotation for NGINX Plus.
2042 Use release specific repo for NGINX Plus on Debian.

Dependencies

2173 Update Debian to Bullseye.
Update NGINX Plus version to R25.
Update NGINX version to 1.21.5.

Upgrade

For NGINX, use the 2.1.0 images from our DockerHub, GitHub Container or Amazon ECR Public Gallery.
For NGINX Plus, use the 2.1.0 images from the F5 Container registry or build your own image using the 2.1.0 source code.
For Helm, use version 0.12.0 of the chart.
We changed the behaviour of snippets in Ingress resources by extending the existing -enable-snippets cli argument to apply to Ingress resources as well as VirtualServer, VirtualServerRoute and TransportServer resources. Because the default value of -enable-snippets is false, if you are using snippets in Ingress resources, you must explicitly set the -enable-snippets to true before upgrading the Ingress Controller, so that the new version of the Ingress Controller doesn’t reject Ingresses with snippets annotations.

Supported Platforms

View source

Edit this page

Create a new issue