2024 archive
16 Dec 2024
With added support for NGINX R33, deployments of F5 NGINX Ingress Controller using NGINX Plus now require a valid JSON Web Token to run.
For full details on setting up your license Secret, see Upgrading to v4.
API Version v1alpha1 of GlobalConfiguration, Policy and TransportServer resources are now deprecated.
For full details on updating your resources, see Update custom resource apiVersion.
Updates have been made to our logging library. For a while, F5 NGINX Ingress Controller has been using the golang/glog. For this release, we have moved to the native golang library log/slog. This change was made for these reasons:
- By using a standard library, we ensure that updates are more consistent, and any known vulnerabilities are more likely to be addressed in a timely manner.
- By moving to
log/slog, we enable support for a wider range of logging formats, as well as allowing log outputs to be displayed in a Structured format, and for faster log parsing.
Layer 4 applications got some love this release, with added support for SNI based routing with our TransportServer resource! In scenarios where you have multiple applications hosted on a single node, this feature enables routing to those applications through the host header. For more details on what this feature does, and how to configure it yourself, please look to our examples section in Github
- 6903 & 6921 Add support for NGINX Plus R33
- 6800 Deprecate v1alpha1 CRDs for GlobalConfiguration, Policy & TransportServer
- 6520 & 6474 Add structured logging
- 6583 Generate valid yaml for ReadOnly FS
- 6635 UpstreamServer Fields Logs Displayed as Memory Addresses
- 6661 Revert to original main-template without pod downtime
- 6733 Add nil check to apikey suppliedIn
- 6780 Use default VS and TS templates when CfgMap obj is deleted
- 6485, 6497, 6512, 6533, 6543, 6557, 6580, 6607, 6638, 6654, 6657, 6676, 6685, 6699, 6697, 6719, 6717, 6747, 6743, 6775, 6789, 6762, 6786, 6845, 6864, 6880, 6862, 6897, 6890, 6905, 6906, 6909, 6919, 6936, 6945, 6971 & 6982 Bump the Docker dependencies
- 6483, 6496, 6522, 6540, 6559, 6589, 6614, 6643, 6669, 6683, 6704, 6712, 6728, 6745, 6767, 6782, 6815, 6826, 6835, 6842, 6861, 6916, 6908, 6931, 6969, 6973, 6988 & 6994 Bump the go dependencies
- For NGINX, use the 4.0.0 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 4.0.0 images from the F5 Container registry or build your own image using the 4.0.0 source code
- For Helm, use version 2.0.0 of the chart.
- Upgrading to v4
We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.25-1.32.
25 Nov 2024
In our next major release,v4.0.0, the default log library for NGINX Ingress Controller will be changed fromgolang/glogtolog/slog. This will mean that logs generated by NGINX Ingress Controller will be in a structured format with the option to choose astringorjsonoutput. This will not affect logs generated by NGINX. To ensure backwards compatibility, we will ensure the existing log format,glog, will be maintained through a configuration option for the next 3 releases.
ImportantCRD version removal notice. In our next major release,
v4.0.0, support for the following apiVersions for these listed CRDs will be dropped:
k8s.nginx.org/v1alphaforGlobalConfigurationk8s.nginx.org/v1alphaforPolicyk8s.nginx.org/v1alphaforTransportServerPrior to upgrading, please ensure that any of these resources deployed as
apiVersion: k8s.nginx.org/v1alpha1are upgraded toapiVersion: k8s.nginx.org/v1If a resource ofkind: GlobalConfiguration,kind: Policyorkind: TransportServerare deployed asapiVersion: k8s.nginx.org/v1alpha1, these resources will be deleted when upgrading from, at least,v3.4.0tov4.0.0When
v4.0.0is released, the release notes will contain the required upgrade steps to go fromv3.X.Xtov4.X.X
- 6838 Update oidc_template and conf
- For NGINX, use the 3.7.2 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.7.2 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.7.2 source code.
- For Helm, use version 1.4.2 of the chart.
We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.25-1.31.
06 Nov 2024
- 6545, 6560, 6560, 6619, 6640, 6664, 6686, 6703, 6720, 6755 & 6751 Bump the Docker dependencies
- 6553, 6591, 6618, 6648, 6688, 6674, 6707, 6730 & 6751 Bump the go dependencies
- 6570 & 6549 Bump the go version
- For NGINX, use the 3.7.1 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.7.1 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.7.1 source code.
- For Helm, use version 1.4.1 of the chart.
We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.25-1.31.
30 Sept 2024
Added support for VirtualServer & TransportServer to listen on a specific IP when configuring a listener, allowing NGINX to bind to a specific interface. This is also useful in for scenarios where pods need to connect to multiple networks i.e. multi-homed. Allow an End Session Endpoint to be configured for OIDC providers via Policy. This allows a user to be fully logged out from their idp session. This change also adds support for configuring a post-logout redirect URI, allowing a users to be redirected to a custom logout page.
The access_log directive can now be configured to point to a syslog log server. Previously, access logs defaulted to standard out. This change allows for log parsers aggregators to ingest access logs from NGINX.
When installing NGINX Ingress Controller via Helm, a uniquely named lease object will be created automatically. This allows for multiple deployments of NGINX Ingress Controller in the same namespace when leader election is enabled, without requiring a unique name to be specified manually for each deployment.
- 5968 Add BUILD_OS to Telemetry
- 6014 Sync oidc repo
- 6092 Support End Session Endpoint for OIDC and allow customizable Post-logout Redirect URI
- 5648 Make access_log in http context configurable
- 6180 Add ip as an option to listeners for VirtualServer
- 6367 Add ip as an option to listeners for TransportServer
- 5786 Change log level, to Info and above, before calling prometheus exporter functions
- 5838 Fix api key policy undefined routes
- 5885 Add default telemetry endpoint
- 5899 GRPC healthcheck should not have keepalive time
- 6125 Don’t log errors for not implemented grpc metrics
- 6232 Fix panic when creating VirtualServer
- 6372 Create unique lease obj for each NIC installed via Helm
- 6406 Fix udp/http listener validation logic
- 6446 Disable batch reload when batch finishes
- 5817 Remove include-year and includeYear flag
- 5335 Choose NodePort values for controller.service.type = LoadBalancer
- 6235 Update helm docs by @vepatel
- 5789, 5804, 5821, 5870, 5880, 5907, 5949, 5959, 5993, 6010, 6071, 6105, 6132, 6186, 6195, 6200, 6215, 6229, 6266, 6283, 6287, 6299, 6310, 6358, 6364, 6397, 6412, 6459 Bump the go dependencies
- 5929, 6337, 6350 & 6368 Bump the go version
- 6052 Replace promlog with go-kit
- 6205 Update Kubernetes version to v1.31.0
- 5808, 5804, 5821, 5870, 5822, 5819, 5881, 5910, 5928, 5944, 5965, 5985, 6003, 6066, 6093, 6122, 6130, 6156, 6174, 6187, 6218, 6224, 6246, 6267, 6290, 6303, 6330, 6359, 6365, 6371, 6382, 6391, 6413, 6399, 6434 Bump the Docker dependencies
- For NGINX, use the 3.7.0 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.7.0 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.7.0 source code.
- For Helm, use version 1.4.0 of the chart.
We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.25-1.31.
19 Aug 2024
- 6125 Don’t log errors for not implemented grpc metrics
- 6223 Re-order mounting debian apt source file
- 5974, 6021, 5998, 6081, 6120, 6141, 6196, 6204, 6211, 6222 & 6234 Go dependencies
- 5967, 6013, 6070, 6098, 6126, 6158, 6179, 6191, 6226 & 6233 Docker base image updates
- For NGINX, use the 3.6.2 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.6.2 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace, or build your own image using the 3.6.2 source code.
- For Helm, use version 1.3.2 of the chart.
We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.25-1.31.
04 Jul 2024
- 5930 Bump Go version to 1.22.5
- 5947, 5923, 5943, 5939 and 5882 Docker image updates
- 5951, 5933, 5884 and 5877 Go dependencies update
- For NGINX, use the 3.6.1 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.6.1 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace, the Azure Marketplace or build your own image using the 3.6.1 source code.
- For Helm, use version 1.3.1 of the chart.
We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.25-1.30.
25 Jun 2024
Added support for the latest generation of NGINX App Protect Web Application Firewall, v5. NGINX Ingress Controller will continue to support the NGINX App Protect v4 family to allow customers to implement new Policy Bundle workflow at their own pace. F5 WAF for NGINX v5 does not accept the JSON based policies, instead requiring users to compile a Policy Bundle outside of the NGINX Ingress Controller pod. Policy bundles contain a combination of custom Policy, signatures, and campaigns. Bundles can be compiled using either the F5 WAF for NGINX compiler, or NGINX Instance Manager. Read more in the F5 WAF for NGINX V5 topic.
With this release, NGINX Ingress Controller is implementing a new image maintenance policy. Container images for subscribed users will be updated on a regular basis in-between releases to reduce the CVE vulnerabilities. Customers can observe the 3.6.x tag when listing images in the registry and select the latest image to update to for the current release.
- 5698, 5771 & 5784 Add support for F5 NGINX AppProtect WAF v5
- 5580 & 5752 Add APIKey Authentication policy
- 5205 Preserve valid listeners when invalid listeners are present in GlobalConfiguration
- 5366 Add proxy-set-headers annotation for ingress
- 5406, 5408, 5418, 5404 & 5415 Add additional telemetry data
- 5350 Fix ap-waf flag in error message
- 5318 Don’t reload when
use-cluster-ipendpoints update, and change the ingressuse-cluster-ipimplementation to use the cluster ip instead of the fqdn - 5375 Fix status for invalid vs and vsr, for weight changes dynamic reload
- 5313 Update helm flag in docs for enableWeightChangesDynamicReload
- 5693 Bump Go version to v1.22.4
- 5368, 5331 & 5423 Bump the go dependencies
- 5298, 5344, 5345,5371, 5378, 5379, 5398, 5397, 5399 & 5400 Bump base Docker images
- For NGINX, use the 3.6.0 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.6.0 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace, the Azure Marketplace or build your own image using the 3.6.0 source code.
- For Helm, use version 1.3.0 of the chart.
We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.25-1.30.
31 May 2024
- Bundles compiled on NAP WAF versions <= v4.8.x are not compatible with NAP WAF versions >= 4.9.x, this release of NIC includes NAP WAF v4.10 so recompilation of policy bundles is required. JSON based WAF Policies aren’t affected with this change.
- 5654 NGINX 1.27.0 and NGINX Plus R32
- 5590, 5631, 5638, 5662, 5623 Go updates
- 5579, 5642, 5573, 5630, 5665, 5673 Container base image updates
- For NGINX, use the 3.5.2 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.5.2 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace, the Azure Marketplace, or build your own image using the 3.5.2 source code
- For Helm, use version 1.2.2 of the chart.
We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.25-1.30.
08 May 2024
- 5463 Don’t reload when use-cluster-ip endpoints update
- 5464 Fix status for invalid vs and vsr, for weight changes dynamic reload
- 5470 Add support for named ports in ingresses which use-cluster-ip
- 5315 Update helm flag in docs for enableWeightChangesDynamicReload
- For NGINX, use the 3.5.1 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.5.1 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.5.1 source code.
- For Helm, use version 1.2.1 of the chart.
We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.23-1.29.
26 Mar 2024
NGINX Ingress Controller and F5 WAF for NGINX users can can now view violations through NGINX Instance Manager Security Monitor. Security Monitor can be used to build Policy bundles, reducing reload time impacts on NGINX Ingress Controller. Read more information in F5 WAF for NGINX Bundles and Security Monitoring.
When using NGINX Plus for two version [split rollouts]({{ ref "/nic/configuration/virtualserver-and-virtualserverroute-resources.md#split" }}), you can now control progressive rollouts of a new backend version without reloading NGINX using the -weight-changes-dynamic-reload command line argument.
The use-cluster-ip annotation is now available for the Ingress resource. use-cluster-ip supports service meshes and specific use cases where the backend service should be the target instead of individual backend service pods, bypassing upstream load balancing.
- 5179 & 5051 Add NIM Security Dashboard integration for F5 WAF for NGINX security violations
- 5212 Weight changes Dynamic Reload
- 4862 Add use-cluster-ip annotation for ingress resources
- 4660 Add annotations for controlling request rate limiting
- 5083 Update default values for keepalive-requests and keepalive-timeout
- 5084 Allow securityContext and podSecurityContext to be configurable via helm parameters
- 5199 Update zone size for transportserver resource
- 4896, 5095, 5147, 5155, 5170, 5176, 5217, 5245, 5237, 5256, 5167 & 5261 Export Telemetry data to XCDF
- 5211 Move set above rewrite to fix uninitialized variable
- 5175 Initialize
stopChchannel for ExternalDNS - 5053 Ensure
backupserver is removed from upstreams when the Backup Service is deleted
- 5159 Refactor volumes and volumeMounts to common helpers
- 5179 Move common pod label definitions to helpers
- 4803, 4846, 4873, 4905, 5098, 5108, 5125, 5132, 5207, 5234, 5267, 5272 & 5218 Go Dependency updates
- 5208 Bump Go version to 1.22.1
- For NGINX, use the 3.5.0 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.5.0 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.5.0 source code.
- For Helm, use version 1.2.0 of the chart.
We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.23-1.29.
19 Feb 2024
- 5008 Remove redundant Prometheus variable labels
- 4744 Fixed validation for VSR exact & regex subroutes. Thanks to jo-carter.
- 4832 Fix new lines in snippets
- 5020 Fix template file spacing for
ssl_protocolsdirective - 5041 Allow waf users to build without dos repo access
- 4953 Add docs links to helm NOTES.txt
- 5073, 5029 Bump redhat/ubi8 base image
- 4992 Bump ubi base image
- 4994 Bump redhat/ubi9-minimal base image
- 5074, 4927 Bump opentracing/nginx-opentracing
- 5072, 5028, 5019, 5012, 5003, 4926, 5119 Bump nginx image
- 4925 Bump the debian base image
- 5004, 4984, 4928 Bump golang build image
- 5033 Updates
kindest/nodefrom v1.29.0 to v1.29.1 - 4909, 4924, 4939, 4949, 4971, 5022, 5034, 5055 Bump the go dependencies
- For NGINX, use the 3.4.3 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.4.3 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.4.3 source code.
- For Helm, use version 1.1.3 of the chart.
We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.23-1.29.
16 Jan 2024
4934 GCR & AWS Plus image publishing fix
- For NGINX, use the 3.4.2 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.4.2 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.4.2 source code.
- For Helm, use version 1.1.2 of the chart.
We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.23-1.29.
15 Jan 2024
4886 Update N+ to R31 4886 Bump Go dependencies.
- For NGINX, use the 3.4.1 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the 3.4.1 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the 3.4.1 source code.
- For Helm, use version 1.1.1 of the chart.
We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes versions: 1.23-1.29.