2023 archive
19 Dec 2023
The default_server listeners for ports 80 and 443 can now be fully customized, giving you the flexibility to shift the HTTP and HTTPS default listeners to other ports as your needs require.
Traffic splits now support weights from 0 - 100, giving you the control that you expect when performing canary rollouts of your backend services.
A new capability of "upstream backup" has been introduced for NGINX Plus customers. This gives you the control to set a backup service for any path. This takes advantage of NGINX health checks and will automatically forward traffic to the backup service when all pods of the primary service stop responding.
Dynamic reloading of SSL certificates takes advantage of native NGINX functionality to load updated certificates when they are requested, so no reload is required when certificates are updated.
A number of Helm enhancements have come directly from our community. They include greater flexibility for HPA, namespace sharing for custom sidecars, and support for multiple image pull secrets for greater deployment flexibility.
To make sure NGINX Ingress Controller follows Helm best practices, we’ve refactored our helm chart location. You can now find our helm charts under charts\nginx-ingress.
We’ve added the functionality to define F5 WAF for NGINX bundles for VirtualServers by creating policy bundles and putting them on a mounted volume accessible from NGINX Ingress Controller.
- 4574 Graduate TransportServer and GlobalConfiguration to v1.
- 4464 Allow default_server listeners to be customised.
- 4526 Update use of http2 listen directive to align with deprecation.
- 4276 Use Lease for leader election.
- 4655 Support weights 0 and 100 in traffic splitting.
- 4653 Add support for backup directive for VS and TS.
- 4788 Dynamic reload of SSL certificates
- 4428 Add option for installing CRDs from a single remote yaml.
- 4504 Delete the DNSEndpoint resource when VS is deleted & Ratelimit requeues on errors.
- 4575 update dockerfile for debian NGINX Plus.
- 4306 Refactor Helm Chart location.
- 4391 Add HPA Custom Behavior. Thanks to saedx1.
- 4559 Add process namespace sharing for ingress controller. Thanks to panzouh.
- 4651 Add initContainerResources Helm configuration.
- 4656 Allows multiple imagePullSecrets in the helm chart. Thanks to AlessioCasco.
- For NGINX, use the 3.4.0 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.4.0 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.4.0 source code.
- For Helm, use version 1.1.0 of the chart.
We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.22-1.29.
1 Nov 2023
- 4578 Update Dockerfile to add user creation for NGINX Plus images.
- For NGINX, use the 3.3.2 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.3.2 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.3.2 source code.
- For Helm, use version 1.0.2 of the chart.
13 Oct 2023
This release updates NGINX Plus to R30 P1 and dependencies to mitigate the HTTP/2 Rapid Reset Attack vulnerability CVE-2023-44487.
- For NGINX, use the 3.3.1 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.3.1 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.3.1 source code.
26 Sep 2023
With release 3.3, NGINX Ingress Controller continues to advance capabilities for an ever-demanding set of use cases that go beyond simple layer 7 routing for services running exclusively in Kubernetes.
When running diagnostics in the NGINX Plus console or viewing the enhanced NGINX Plus metrics through Prometheus, customers now have the backend service available as an added dimension, to aid in identifying issues as well as observing performance.
50% of our users continue to rely heavily on the Ingress resource and its "mergeable Ingress" usage pattern. To enhance the experience for these customers, we have added the path-regex annotation with support for case sensitive, case insensitive, as well as exact regex match patterns.
Prometheus continues to be the most popular metrics platform for Kubernetes users. To further enhance ease of setting up integration with Prometheus, we have finalized support for the Prometheus serviceMonitor capability, providing better scraping controls for Prometheus admins.
Our most demanding customers need to perform a blue / green upgrade of the Ingress Controller itself while giving their business customers an enhanced experience with no loss of session fidelity. Support for this pattern and others has been added through Helm chart enhancements that allow two deployments to share a single ingressClass resource and duplicate the same configuration.
To accommodate these enhancements, several new values have been added to our Helm chart, as well as modifications to existing values. Due to the potential impacts of these changes, we have issued a major release to the Helm chart, advancing to v1.0.0.
To better align with the demands of supporting additional protocols such as MQTT and QUIC, NGINX Ingress Controller is changing how listeners are defined for HTTP traffic. You have always had controls over the ports defined for TCP/UDP traffic through the GlobalConfiguration and TransportServer objects. That same flexibility has been introduced for HTTP/S traffic and the VirtualServer. This area will continue to expand to give customers full control over NGINX listeners so they can tailor to their specific needs and policies.
- 4023 Read Prometheus key/cert from memory.
- 4080 Expose Location Zones metrics.
- 4127, 4200, 4223 Add path-regex annotation for ingress.
- 4108 Add command line argument for custom TLS Passthrough port.
- 4271 Add custom listener controls to VirtualServer.
- 3977 Add support for controller.selectorLabels. Thanks to Youqing Han.
- 4058 Add clusterIP to service if specified in values. Thanks to EutiziStefano.
- 4252 Make containerPort and hostPort customizable.
- 4331 Expose Prometheus metrics through a headless Service.
- 4351 Update helm values file to move controller.serviceMonitor to prometheus.serviceMonitor.
- 4333 Allow installing IC without creating a new ingress class.
- For NGINX, use the 3.3.0 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.3.0 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.3.0 source code.
- For Helm, use version 1.0.0 of the chart.
We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.22-1.28.
17 Aug 2023
- Update NGINX version to 1.25.2.
- Update NGINX Plus version to R30.
- Update Go to 1.21 and Go dependencies.
- For NGINX, use the 3.2.1 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.2.1 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.2.1 source code.
- For Helm, use version 0.18.1 of the chart.
27 June 2023
- 3790 Gunzip for VS
- 3863 OIDC - relaxed OIDC scope validation
- 3925 Specify runAsNonRoot in daemon-set manifests. Thanks to Valters Jansons.
- 3951 Add NGINX Plus images to Google Marketplace.
- 3954 Add utilization tracking for supported (paid) customers.
- 4001 Add support for the SameSite sticky cookie attribute.
- 4022 Add document to tutorial section for configuring the default OIDC implementation.
- 4031 Add NGINX Plus Alpine image with FIPS inside for supported (paid) customers.
- 3737 Update VirtualServer to ignore CRL for EgressMTLS.
- 3798 Update VirtualServer template to generate an internal jwt auth location per policy applied.
- 3844 Fix gunzip support for VS and add python tests.
- 3870 Add Funcs() method to UpdateVirtualServerTemplate method. Thanks to Bryan Hendryx.
- 3933 Fix --external-service flag when using serviceNameOverride. Thanks to Tim N.
- Update NGINX version to 1.25.1.
- Update Debian to 12 for NGINX Plus images (except for images containing the NGINX App Protect modules).
- Update Alpine to 3.18 for NGINX Plus images.
- 3814 Remove semverCompare for allocateLoadBalancerNodePorts. Thanks to Alex Wied.
- 3905 Reverse order of NAPDOS maxDaemons and maxWorkers in Helm chart.
- For NGINX, use the 3.2.0 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.2.0 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.2.0 source code.
- For Helm, use version 0.18.0 of the chart.
We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.22-1.27.
04 May 2023
This release reverts the changes made in 3.1.0 to use sysctls to bind to lower level ports without the NET_BIND_SERVICE capability. It also adds support for serviceNameOverride in the Helm chart, which can be used to override the service name for NGINX Ingress Controller. This is especially useful during an upgrade from versions prior to 3.1.0, to avoid downtime due to the service name change. To use this feature, set the serviceNameOverride value in the Helm chart to the name of the existing service.
For example, if the existing service name is my-release-nginx-ingress, you can use --set serviceNameOverride=my-release-nginx-ingress when running the upgrade command.
Here is an example upgrade command that keeps the existing service name my-release-nginx-ingress for a deployment named my-release:
helm upgrade my-release oci://ghcr.io/nginx/charts/nginx-ingress --version 0.17.1 --set serviceNameOverride=my-release-nginx-ingress
- 3737 Update VirtualServer to ignore CRL for EgressMTLS.
- 3722 Inherit NET_BIND_SERVICE from IC to Nginx. Thanks to Valters Jansons.
- 3798 Update VirtualServer template to generate an internal jwt auth location per policy applied.
- 3491 Egress via Ingress VirtualServer Resource.
- Update NGINX version to 1.23.4.
- Update NGINX Plus version to R29.
- 3602 Updated NGINX Service Mesh references in Helm templates. Thanks to Jared Byers.
- 3773 Swap cpu and memory in HPA template. Thanks to Bryan Hendryx.
- 3802 Add serviceNameOverride. Thanks to Tim N.
- 3815 Fix GlobalConfiguration name in Helm Chart.
- 3862 Add correct indentation to controller-leader-election configmap helm template.
- For NGINX, use the 3.1.1 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.1.1 images from the F5 Container registry or build your own image using the 3.1.1 source code.
- For Helm, use version 0.17.1 of the chart.
29 Mar 2023
- Beginning with release 3.1.0 the NET_BIND_SERVICE capability is no longer used, and NGINX Ingress Controller instead relies on the net.ipv4.ip_unprivileged_port_start sysctl to allow port binding. Kubernetes 1.22 or later is required for this sysctl to be classified as safe. Ensure that you are using the latest updated deployment and daemonset example yaml files available in the repo.
- The minimum supported version of Kubernetes is now 1.22. NGINX Ingress Controller now uses sysctls to bind to lower level ports without additional privileges. This removes the need to use NET_BIND_SERVICE to bind to these ports. Thanks to Valters Jansons for making this feature possible!
- Added support for loading pre-compiled AppProtect Policy Bundles when using the -enable-app-protect cli argument. This feature removes the need for the Ingress Controller to compile NGINX App Protect Policy when NGINX App Protect Policy is updated.
- IngressMTLS policy now supports configuring a Certificate Revocation List (CRL). When using this feature, requests made using a revoked certificate will be rejected. See Using a Certificate Revocation List for details on configuring this option.
- NGINX Ingress Controller now supports running with a Read-only Root Filesystem. This improves the security posture of NGINX Ingress Controller by protecting the file system from unknown writes. See Configure root filesystem as read-only for details on configuring this option with both HELM and Manifest. Thanks to Valters Jansons for making this feature possible!
- HELM deployments can now set custom environment variables with controller.env. Thanks to Aaron Shiels for making this possible!
- HELM deployments can now configure a pod disruption budget allowing deployments to configure either a minimum number or a maximum unavailable number of pods. Thanks to Bryan Hendryx for making this possible!
- NGINX Ingress Controller uses the latest OIDC reference implementation which now supports forwarding access tokens to upstreams / backends. Thanks to Shawn Kim for making this possible!
- The default TLS secret is now optional. This improves the security posture of NGINX Ingress Controller by enabling ssl_reject_handshake, which immediately terminates the SSL handshake and does not reveal TLS or cipher settings to calls that do not match a configured hostname.
- 3034 Allow extra args to be provided to the OIDC auth endpoint. Thanks to Alan Wilkie.
- 3474 Add access token support in the OIDC. Thanks to Shawn Kim.
- 3326 Add support for custom environment variables on the Nginx Controller container. Thanks to Aaron Shiels.
- 3527 Change controller.topologySpreadConstraints schema to array. Thanks to Marco Londero.
- 3248 Add Pod disruption budget option to HELM based installations. Thanks to Bryan Hendryx.
- 3462 Add initial support for SSL termination for TransportServer.
- 3451 Enable keepalive-time for healthchecks in VS and VSR.
- 3560 Add support for loading a pre-compiled AppProtect Policy Bundle.
- 3632 Update nginx.org/ca secret type & crl field to IngressMTLS to support CRL.
- 3629 Use the "runtime default" seccomp profile. Thanks to Valters Jansons.
- 3573 Rework port binding logic without privileges. Thanks to Valters Jansons.
- 3646 Remove app protect agent.
- 3507 Support empty path for ImplementationSpecific pathType.
- 3482 Use new NSM Spiffe and Cert rotation library.
- 3442 Add websocket protocol option to monitor directive.
- 3674 Move NAP DoS chart to new repo.
- 3302 Make default-server-secret optional.
- 3586 Add new labels and metadata to add version information to pods.
- 3463 Support non-vs created Challenge Ingress.
- 3475 Ensure leader election is correctly disabled when option is set to false in helm template.
- 3481 Add missing OSS internal routes for integration with NSM.
- 3541 Ensure non-ready endpoints are not added to upstreams.
- 3583 Update keyCache path for JWKs to avoid conflict with OIDC.
- 3607 Clear Content-Length headers for requests processed by internal JWKS routes.
- 3660 Remove unwanted chars from label value.
- 3581 Push edge Helm Chart to OCI registries.
- 3449 Correct values.schema.json nodeSelector.
- 3448 Fix Helm Chart Schema for priorityClassName.
- 3519 Add OnDelete to allowed strategy values.
- 3537 Update schema references to k8s v1.26.1.
- 3606 Fix Helm Chart labels and templates. Move version update to labels.
- Make sure the Kubernetes version is in the supported platforms listed below.
- For NGINX, use the 3.1.0 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.1.0 images from the F5 Container registry or build your own image using the 3.1.0 source code.
- For Helm, use version 0.17.0 of the chart.
We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.22-1.26.
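An added example (not code from the NGINX Ingress Controller project) that audits a pod spec for the hardening settings these notes name: NET_BIND_SERVICE versus the net.ipv4.ip_unprivileged_port_start sysctl, read-only root filesystem, runAsNonRoot and the RuntimeDefault seccomp profile. The two pod specs are constructed samples and the function names are hypothetical; the field names are standard Kubernetes securityContext fields.

```python
SYSCTL = "net.ipv4.ip_unprivileged_port_start"


def _effective(pod_spec, container, key):
    """Container-level securityContext overrides the pod-level one."""
    pod_sc = pod_spec.get("securityContext", {})
    return container.get("securityContext", {}).get(key, pod_sc.get(key))


def port_bind_mechanism(pod_spec, container):
    """Return how the container may bind ports below 1024."""
    caps = container.get("securityContext", {}).get("capabilities", {})
    if "NET_BIND_SERVICE" in caps.get("add", []):
        return "capability"
    for entry in pod_spec.get("securityContext", {}).get("sysctls", []):
        # The value is the lowest port an unprivileged process may bind.
        if entry.get("name") == SYSCTL and int(entry.get("value", "1024")) <= 80:
            return "sysctl"
    return "none"


def audit(pod_spec, kube_minor):
    """Return {container name: (bind mechanism, [findings])}."""
    report = {}
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        findings = []
        mechanism = port_bind_mechanism(pod_spec, c)
        if mechanism == "sysctl" and kube_minor < 22:
            findings.append(SYSCTL + " is not a safe sysctl before Kubernetes 1.22")
        added = set(sc.get("capabilities", {}).get("add", []))
        extra = sorted(added - {"NET_BIND_SERVICE"})
        if extra:
            findings.append("unexpected added capabilities: " + ", ".join(extra))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append("root filesystem is writable")
        if _effective(pod_spec, c, "runAsNonRoot") is not True:
            findings.append("runAsNonRoot is not set")
        seccomp = _effective(pod_spec, c, "seccompProfile") or {}
        if seccomp.get("type") != "RuntimeDefault":
            findings.append("seccomp profile is not RuntimeDefault")
        report[c["name"]] = (mechanism, findings)
    return report


# Constructed pod specs (assumptions for illustration, not the project's manifests).
SYSCTL_STYLE = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"},
                        "sysctls": [{"name": SYSCTL, "value": "0"}]},
    "containers": [{"name": "nginx-ingress", "securityContext": {
        "runAsNonRoot": True, "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"]}}}],
}
CAPABILITY_STYLE = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "nginx-ingress", "securityContext": {
        "runAsNonRoot": True,
        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}],
}

if __name__ == "__main__":
    print(audit(SYSCTL_STYLE, 22))
    print(audit(CAPABILITY_STYLE, 26))
```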
13 Feb 2023
- 3519 Add OnDelete to allowed strategy values
- 3541 Ensure non-ready endpoints are not added to upstreams
- 3527 Fix controller.topologySpreadConstraints schema, thanks to Marco Londero
- For NGINX, use the 3.0.2 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.0.2 images from the F5 Container registry or build your own image using the 3.0.2 source code.
- For Helm, use version 0.16.2 of the chart.
25 Jan 2023
- 3448 Fix Helm Chart Schema for priorityClassName
- 3449 Correct nodeSelector in the Helm Chart Schema
- 3463 Support non-VS created Challenge Ingress
- 3481 Add missing OSS internal routes for NGINX Service Mesh
- For NGINX, use the 3.0.1 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.0.1 images from the F5 Container registry or build your own image using the 3.0.1 source code.
- For Helm, use version 0.16.1 of the chart.
12 January 2023
- Added support for Deep Service Insight for VirtualServer and TransportServer using the -enable-service-insight cli argument.
- The minimum supported version of Kubernetes is now 1.21. NGINX Ingress Controller 3.0.0 removes support for k8s.io/v1/Endpoints API in favor of discovery.k8s.io/v1/EndpointSlices. For older Kubernetes versions, use the 2.4.x release of the Ingress Controller.
- Added support for EndpointSlices.
- Added support to dynamically reconfigure namespace watchers using labels -watch-namespace-label and watching secrets using the -watch-secret-namespace cli arguments.
- Allow configuration of NGINX directives map-hash-bucket-size and map-hash-max-size using the ConfigMap resource.
- Added support for fetching JWKs from a remote URL to dynamically validate JWT tokens and optimize performance through caching.
- Beginning with NGINX Service Mesh release 1.7 it will include support for the free version of NGINX Ingress Controller as well as the paid version.
- NGINX Ingress Controller + NGINX App Protect Denial of Service is now available through the AWS Marketplace.
- 3260 Added support for EndpointSlices.
- 3299 Support Dynamic namespaces using Labels.
- 3261 Deep service insight endpoint for VirtualServer CR.
- 3361 Added healthcheck for TransportServer CR.
- 3347 Import JWKS from URL on JWT policy.
- 3274 Allow configuration of map-hash-bucket-size and map-hash-max-size directives.
- 3376 NGINX Service Mesh will support the free version of NGINX Ingress Controller when using NGINX open source.
- 3170 Watch subset of namespaces for secrets. Thanks to Hans Feldt.
- 3341 Set value of $remote_addr to client IP when TLSPassthrough and Proxy Protocol are enabled.
- 3131 NAP DoS images are now available in the AWS Marketplace.
- 3231 Always print build info and flags used at the start to provide better supportability.
- 2735 Support default client proxy headers to be overwritten in VirtualServer. Thanks to Alex Wied.
- 3133 Added caseSensitiveHttpHeaders to APPolicy CRD. Thanks to Pavel Galitskiy.
- 3139 Remove all IPV6 listeners in ingress resources with -disable-ipv6 command line.
- 3113 Added JSON Schema.
- 3143 Added annotations for deployment and daemonset.
- 3136 Added controller.dnsPolicy. Thanks to Dong Wang.
- 3065 Added annotations to the service account. Thanks to 0m1xa.
- 3276 Added horizontalpodautoscaler. Thanks to Bryan Hendryx.
- Make sure the Kubernetes version is in the supported platforms listed below.
- For NGINX, use the 3.0.0 images from our DockerHub, GitHub Container or Amazon ECR Public Gallery.
- For NGINX Plus, use the 3.0.0 images from the F5 Container registry or the AWS Marketplace or build your own image using the 3.0.0 source code.
- For Helm, use version 0.16.0 of the chart. Helm does not upgrade the CRDs. If you’re using custom resources like VirtualServer and TransportServer (controller.enableCustomResources is set to true), after running the helm upgrade command, run kubectl apply -f deployments/helm-chart/crds to upgrade the CRDs.
We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.21-1.26.