Releases: nginxinc/kubernetes-ingress
NGINX Ingress Controller 1.10.0
🚀 Help make the NGINX Ingress Controller better by participating in our survey! 🚀
OVERVIEW:
Release 1.10.0 includes:
- Open ID Connect authentication policy.
- Improved handling of Secret resources with extended validation and error reporting.
- Improved visibility with Prometheus metrics for the configuration workqueue and the ability to annotate NGINX logs with the metadata of Kubernetes resources.
- NGINX App Protect User-Defined signatures support.
- Improved validation of Ingress annotations.
You will find the complete changelog for release 1.10.0, including bug fixes, improvements, and changes below.
FEATURES FOR POLICY RESOURCE:
- 1304 Add Open ID Connect policy.
FEATURES FOR NGINX APP PROTECT:
- 1281 Add support for App Protect User Defined Signatures.
FEATURES:
- 1266 Add workqueue metrics to Prometheus metrics.
- 1233 Annotate tcp metrics with k8s object labels.
- 1231 Support k8s objects variables in log format.
IMPROVEMENTS:
- 1270 and 1277 Improve validation of Ingress annotations.
- 1265 Report warnings for misconfigured TLS and JWK secrets.
- 1262 Use setcap(8) only once. 1263 Use chown(8) only once. 1264 Use mkdir(1) only once. Thanks to Sergey A. Osokin.
- 1256 and 1260 Improve handling of secret resources.
- 1240 Validate TLS and CA secrets.
- 1235 Use buildkit secret flag for NGINX plus images.
- Documentation improvements: 1282, 1293, 1303, 1315.
HELM CHART:
- The version of the helm chart is now 0.8.0.
- 1290 Add new preview policies parameter to chart. controller.enablePreviewPolicies was added.
- 1232 Replace deprecated imagePullSecrets helm setting. controller.serviceAccount.imagePullSecrets was removed. controller.serviceAccount.imagePullSecretName was added.
- 1228 Fix installation of ingressclass on Kubernetes versions v1.18.x-*
CHANGES:
- 1299 Update NGINX App Protect version to 2.3 and debian distribution to debian:buster-slim.
- 1291 Update NGINX OSS to 1.19.6. Update NGINX Plus to R23.
- 1290 Graduate policy resource and accessControl policy to generally available.
- 1225 Require secrets to have types.
- 1237 Deprecate support for helm2 clients.
UPGRADE:
- For NGINX, use the 1.10.0 image from our DockerHub: nginx/nginx-ingress:1.10.0, nginx/nginx-ingress:1.10.0-alpine or nginx-ingress:1.10.0-ubi
- For NGINX Plus, please build your own image using the 1.10.0 source code.
- For Helm, use version 0.8.0 of the chart.
- As a result of 1270 and 1277, the Ingress Controller improved validation of Ingress annotations: more annotations are validated and validation errors are reported via events for Ingress resources. Additionally, the default behavior for invalid annotation values was changed: instead of using the default values, the Ingress Controller will reject a resource with an invalid annotation value, which will make clients see 404 responses from NGINX. See this document to learn more. Before upgrading, ensure the Ingress resources don't have annotations with invalid values. Otherwise, after the upgrade, the Ingress Controller will reject such resources.
- In 1232 controller.serviceAccount.imagePullSecrets was removed. Use the new controller.serviceAccount.imagePullSecretName instead.
- The Policy resource was promoted to v1. If you used the alpha1 version, the policies need to be recreated with the v1 version. Before upgrading the Ingress Controller, run the following command to remove the alpha1 policies CRD (that will also remove all existing alpha1 policies): kubectl delete crd policies.k8s.nginx.org
  As part of the upgrade, make sure to create the v1 policies CRD. See the corresponding instructions for the manifests and Helm installations. Also note that all policies except for accessControl are still in preview. To enable them, run the Ingress Controller with the -enable-preview-policies command-line argument (controller.enablePreviewPolicies Helm parameter).
- It is necessary to update secret resources. See the section UPDATING SECRETS below.
UPDATING SECRETS:
In 1225, as part of improving how the Ingress Controller handles secret resources, we added a requirement for secrets to be of one of the following types:
- kubernetes.io/tls for TLS secrets.
- nginx.org/jwk for JWK secrets.
- nginx.org/ca for CA secrets.
The Ingress Controller now ignores secrets that are not of a supported type. As a consequence, special upgrade steps are required.
Before upgrading, ensure that the secrets referenced in Ingress, VirtualServer or Policies resources are of a supported type, which is configured via the type field. Because that field is immutable, it is necessary to either:
- Recreate the secrets. Note that in this case, the client traffic for the affected resources will be rejected for the period during which a secret doesn't exist in the cluster.
- Create copies of the secrets and update the affected resources to reference the copies. The copies need to be of a supported type. In contrast with the previous option, this will not make NGINX reject the client traffic.
It is also necessary to update the default server secret and the wildcard secret (if it was configured) in case their type is not kubernetes.io/tls. The steps depend on how you installed the Ingress Controller: via manifests or Helm. Performing the steps will not lead to a disruption of the client traffic, as the Ingress Controller retains the default and wildcard secrets if they are removed.
For manifests installation:
- Recreate the default server secret and the wildcard secret with the type kubernetes.io/tls.
- Upgrade the Ingress Controller.
For Helm installation, there are two cases:
- If Helm created the secrets (you configured controller.defaultTLS.cert and controller.defaultTLS.key for the default secret and controller.wildcardTLS.cert and controller.wildcardTLS.key for the wildcard secret), then no special upgrade steps are required: during the upgrade, Helm will remove the existing default and wildcard secrets and create new ones with different names with the type kubernetes.io/tls.
- If you created the secrets separately from Helm (you configured controller.defaultTLS.secret for the default secret and controller.wildcardTLS.secret for the wildcard secret):
  - Recreate the secrets with the type kubernetes.io/tls.
  - Upgrade to the new Helm release.
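The pre-upgrade check described in UPDATING SECRETS, as an added example that is not part of the release notes or the project's code. It assumes secret references are read from Ingress spec.tls[].secretName, the nginx.com/jwt-key annotation and VirtualServer spec.tls.secret (Policy references are not covered); the function names and the "-typed" suffix are hypothetical.

```python
# Added example; secret types are the ones the 1.10.0 notes list as supported.
TLS, JWK, CA = "kubernetes.io/tls", "nginx.org/jwk", "nginx.org/ca"
SUPPORTED = {TLS, JWK, CA}


def references(items):
    """Yield (namespace, secret, expected_type, referrer) for each secret reference."""
    for obj in items:
        meta, spec = obj.get("metadata", {}), obj.get("spec") or {}
        ns = meta.get("namespace", "default")
        who = f"{obj.get('kind')}/{meta.get('name')}"
        if obj.get("kind") == "Ingress":
            for tls in spec.get("tls") or []:
                if tls.get("secretName"):
                    yield ns, tls["secretName"], TLS, who
            jwk = (meta.get("annotations") or {}).get("nginx.com/jwt-key")
            if jwk:
                yield ns, jwk, JWK, who
        elif obj.get("kind") == "VirtualServer":
            secret = (spec.get("tls") or {}).get("secret")
            if secret:
                yield ns, secret, TLS, who


def audit(items):
    """Return (namespace, secret, actual_type, expected_type, referrer) per problem."""
    actual = {}
    for obj in items:
        if obj.get("kind") == "Secret":
            meta = obj["metadata"]
            # Kubernetes treats a Secret with no explicit type as Opaque.
            actual[(meta.get("namespace", "default"), meta["name"])] = obj.get("type") or "Opaque"
    findings = []
    for ns, name, expected, who in references(items):
        found = actual.get((ns, name), "missing")
        if found != expected:
            findings.append((ns, name, found, expected, who))
    return findings


def typed_copy(secret, new_type, suffix="-typed"):
    """Build a copy with a supported type; the type field of the original is immutable."""
    if new_type not in SUPPORTED:
        raise ValueError(f"unsupported secret type: {new_type}")
    data = dict(secret.get("data") or {})
    # The API server rejects kubernetes.io/tls secrets without both of these keys.
    if new_type == TLS and not {"tls.crt", "tls.key"} <= data.keys():
        raise ValueError("kubernetes.io/tls requires tls.crt and tls.key")
    meta = secret["metadata"]
    return {"apiVersion": "v1", "kind": "Secret", "type": new_type, "data": data,
            "metadata": {"name": meta["name"] + suffix,
                         "namespace": meta.get("namespace", "default")}}


# Constructed sample, shaped like the "items" of `kubectl get ... -o json` output.
SAMPLE = [
    {"kind": "Secret", "metadata": {"name": "cafe-secret", "namespace": "default"},
     "type": "Opaque", "data": {"tls.crt": "Y29uc3RydWN0ZWQ=", "tls.key": "Y29uc3RydWN0ZWQ="}},
    {"kind": "Secret", "metadata": {"name": "shop-secret", "namespace": "default"},
     "type": TLS, "data": {"tls.crt": "Y29uc3RydWN0ZWQ=", "tls.key": "Y29uc3RydWN0ZWQ="}},
    {"kind": "Ingress",
     "metadata": {"name": "cafe-ingress", "namespace": "default",
                  "annotations": {"nginx.com/jwt-key": "jwk-secret"}},
     "spec": {"tls": [{"hosts": ["cafe.example.com"], "secretName": "cafe-secret"}]}},
    {"kind": "VirtualServer", "metadata": {"name": "shop", "namespace": "default"},
     "spec": {"host": "shop.example.com", "tls": {"secret": "shop-secret"}}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print(typed_copy(SAMPLE[0], TLS)["metadata"]["name"])
```

Each finding is a secret that needs one of the two options above before the upgrade; typed_copy produces the manifest for the second option, after which the referencing resource is pointed at the new name.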
NOTES:
- Helm 2 clients are no longer supported due to reaching End of Life: https://helm.sh/blog/helm-2-becomes-unsupported/
RESOURCES:
- Documentation -- https://docs.nginx.com/nginx-ingress-controller/
- Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/v1.10.0/examples and https://github.com/nginxinc/kubernetes-ingress/tree/v1.10.0/examples-of-custom-resources
- Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/v1.10.0/deployments/helm-chart
- Operator -- a compatible Operator version for this release will be published shortly.
NGINX Ingress Controller 1.9.1
CHANGES:
- Fix deployment of ingressclass resource via helm on some versions of Kubernetes.
- Update the base ubi images to 8.3.
- Renew CA cert for egress-mtls example.
- Add controller.serviceAccount.imagePullSecretName parameter to the helm chart. Note: controller.serviceAccount.imagePullSecrets is deprecated and will be removed in the future 1.10.0 release.
HELM CHART:
- The version of the Helm chart is now 0.7.1.
UPGRADE:
- For NGINX, use the 1.9.1 image from our DockerHub: nginx/nginx-ingress:1.9.1, nginx/nginx-ingress:1.9.1-alpine or nginx/nginx-ingress:1.9.1-ubi
- For NGINX Plus, please build your own image using the 1.9.1 source code.
- For Helm, use version 0.7.1 of the chart.
RESOURCES:
- Documentation -- https://docs.nginx.com/nginx-ingress-controller/
- Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/v1.9.1/examples and https://github.com/nginxinc/kubernetes-ingress/tree/v1.9.1/examples-of-custom-resources
- Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/v1.9.1/deployments/helm-chart
- Operator -- https://github.com/nginxinc/nginx-ingress-operator/
NGINX Ingress Controller 1.9.0
OVERVIEW:
Release 1.9.0 includes:
- Support for new Prometheus metrics and enhancements of the existing ones, including configuration reload reason, NGINX worker processes count, upstream latency, and more.
- Support for rate limiting, JWT authentication, ingress(client) and egress(upstream) mutual TLS via the Policy resource.
- Support for the latest Ingress resource features and the IngressClass resource.
- Support for NGINX Service Mesh.
You will find the complete changelog for release 1.9.0, including bug fixes, improvements, and changes below.
FEATURES FOR POLICY RESOURCE:
- 1180 Add support for EgressMTLS.
- 1166 Add IngressMTLS policy support.
- 1154 Add JWT policy support.
- 1120 Add RateLimit policy support.
- 1058 Support policies in VS routes and VSR subroutes.
FEATURES FOR NGINX APP PROTECT:
- 1147 Add option to specify other log destinations in AppProtect.
- 1131 Update packages and CRDs to AppProtect 2.0. This update includes features such as: JSON Schema Validation, User-Defined URLs and User-Defined Parameters. See the release notes for a complete feature list.
- 1100 Add external references to AppProtect.
- 1085 Add installation of threat campaigns package.
FEATURES:
- 1133 Add support for IngressClass resources.
- 1130 Add prometheus latency collector.
- 1076 Add prometheus worker process metrics.
- 1075 Add support for NGINX Service Mesh internal routes.
IMPROVEMENTS:
- 1178 Resolve host collisions in VirtualServer and Ingresses.
- 1158 Support variables in action proxy headers.
- 1137 Add pod_owner label to metrics when -spire-agent-address is set.
- 1107 Extend Upstream Servers with pod_name label.
- 1099 Add reason label to total_reload metrics.
- 1088 Extend Upstream Servers and Server Zones metrics, thanks to Raúl.
- 1080 Support pathType field in the Ingress resource.
- 1078 Remove trailing blank lines in vs/vsr snippets.
- Documentation improvements: 1083, 1092, 1089, 1174, 1175, 1171.
BUGFIXES:
- 1179 Fix TransportServers in debian AppProtect image.
- 1129 Support real-ip in default server.
- 1110 Add missing threat campaigns key to AppProtect CRD.
HELM CHART:
- The version of the helm chart is now 0.7.0
- 1105 Fix GlobalConfiguration support in helm chart.
- Add new parameters to the Chart: controller.setAsDefaultIngress, controller.enableLatencyMetrics. Added in 1133 and 1148.
CHANGES:
- 1182 Update NGINX version to 1.19.3.
UPGRADE:
- For NGINX, use the 1.9.0 image from our DockerHub: nginx/nginx-ingress:1.9.0, nginx/nginx-ingress:1.9.0-alpine or nginx-ingress:1.9.0-ubi
- For NGINX Plus, please build your own image using the 1.9.0 source code.
- For Helm, use version 0.7.0 of the chart.
For Kubernetes >= 1.18, when upgrading using the manifests, make sure to update the ClusterRole and create the IngressClass resource, which is required for Kubernetes >= 1.18. Otherwise, the Ingress Controller will fail to start. If you run multiple NGINX Ingress Controllers in the cluster, each Ingress Controller has to have its own IngressClass resource. As the -use-ingress-class-only argument is now ignored (see NOTES), make sure your Ingress resources have the ingressClassName field or the kubernetes.io/ingress.class annotation set to the name of the IngressClass resource. Otherwise, the Ingress Controller will ignore them.
HELM UPGRADE:
- If you're using custom resources like VirtualServer and TransportServer (controller.enableCustomResources is set to true), after you run the helm upgrade command, the CRDs will not be upgraded. After running the helm upgrade command, run kubectl apply -f deployments/helm-chart/crds to upgrade the CRDs.
- For Kubernetes >= 1.18, a dedicated IngressClass resource, which is configured by controller.ingressClass, is required per helm release. Ensure controller.ingressClass is not set to the name of the IngressClass of other releases or Ingress Controllers. As the controller.useIngressClassOnly parameter is now ignored (see NOTES), make sure your Ingress resources have the ingressClassName field or the kubernetes.io/ingress.class annotation set to the value of controller.ingressClass. Otherwise, the Ingress Controller will ignore them.
NOTES:
- When using Kubernetes >= 1.18, the -use-ingress-class-only command-line argument is now ignored, and the Ingress Controller will only process resources that belong to its class. See IngressClass doc to learn more.
- For Kubernetes >= 1.18, a dedicated IngressClass resource, which is configured by controller.ingressClass, is required per helm release. When upgrading or installing releases, ensure controller.ingressClass is not set to the name of the IngressClass of other releases or Ingress Controllers.
RESOURCES:
- Documentation -- https://docs.nginx.com/nginx-ingress-controller/
- Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/v1.9.0/examples and https://github.com/nginxinc/kubernetes-ingress/tree/v1.9.0/examples-of-custom-resources
- Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/v1.9.0/deployments/helm-chart
- Operator -- https://github.com/nginxinc/nginx-ingress-operator/
NGINX Ingress Controller 1.8.1
CHANGES:
- Update NGINX version to 1.19.2.
HELM CHART:
- The version of the Helm chart is now 0.6.1.
UPGRADE:
- For NGINX, use the 1.8.1 image from our DockerHub: nginx/nginx-ingress:1.8.1, nginx/nginx-ingress:1.8.1-alpine or nginx/nginx-ingress:1.8.1-ubi
- For NGINX Plus, please build your own image using the 1.8.1 source code.
- For Helm, use version 0.6.1 of the chart.
KNOWN ISSUES:
- Ingress Controller pods fail to start when deployed using Helm with controller.globalConfiguration.create set to true. A workaround is described here.
RESOURCES:
- Documentation -- https://docs.nginx.com/nginx-ingress-controller/
- Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/v1.8.1/examples and https://github.com/nginxinc/kubernetes-ingress/tree/v1.8.1/examples-of-custom-resources
- Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/v1.8.1/deployments/helm-chart
- Operator -- https://github.com/nginxinc/nginx-ingress-operator/
NGINX Ingress Controller 1.8.0
OVERVIEW:
Release 1.8.0 includes:
- Support for NGINX App Protect Web Application Firewall.
- Support for configuration snippets and custom template for VirtualServer and VirtualServerRoute resources.
- Support for request/response header manipulation and request URI rewriting for VirtualServer/VirtualServerRoute.
- Introducing a new configuration resource - Policy - with the first policy for IP-based access control.
You will find the complete changelog for release 1.8.0, including bug fixes, improvements, and changes below.
FEATURES FOR VIRTUALSERVER AND VIRTUALSERVERROUTE RESOURCES:
- 1036: Add VirtualServer custom template support.
- 1028: Add access control policy.
- 1019: Add VirtualServer/VirtualServerRoute snippets support.
- 1006: Add request/response modifiers to VS and VSR.
- 994: Support Class Field in VS/VSR.
- 973: Add status to VirtualServer and VirtualServerRoute.
FEATURES:
IMPROVEMENTS:
- 995: Emit event for orphaned VirtualServerRoutes.
- Documentation improvements: 946 thanks to 谭九鼎, 948, 972, 965.
BUGFIXES:
- 1030: Fix port range validation in cli arguments.
- 953: Fix error logging of master/minion ingresses.
HELM CHART:
- The version of the helm chart is now 0.6.0.
- Add new parameters to the Chart: controller.appprotect.enable, controller.globalConfiguration.create, controller.globalConfiguration.spec, controller.readyStatus.enable, controller.readyStatus.port, controller.config.annotations, controller.reportIngressStatus.annotations. Added in 1035, 1034, 1029, 1003 thanks to RubyLangdon.
- 1047 and 1009: Change how Helm manages the custom resource definitions (CRDs) to support installing multiple Ingress Controller releases. Note: If you're using the custom resources (controller.enableCustomResources is set to true), this is a breaking change. See the HELM UPGRADE section below for the upgrade instructions.
CHANGES:
- Update NGINX version to 1.19.1.
- Update NGINX Plus to R22.
- 1029: Add readiness endpoint. The Ingress Controller now exposes a readiness endpoint on port 8081 and the path /nginx-ready. The endpoint returns a 200 response after the Ingress Controller finishes the initial configuration of NGINX at the start. The pod template was updated to use that endpoint in a readiness probe.
- 980: Enable leader election by default.
UPGRADE:
- For NGINX, use the 1.8.0 image from our DockerHub: nginx/nginx-ingress:1.8.0, nginx/nginx-ingress:1.8.0-alpine or nginx-ingress:1.8.0-ubi
- For NGINX Plus, please build your own image using the 1.8.0 source code.
- For Helm, use version 0.6.0 of the chart.
HELM UPGRADE:
If you're using custom resources like VirtualServer and TransportServer (controller.enableCustomResources is set to true), after you run the helm upgrade command, the CRDs and the corresponding custom resources will be removed from the cluster. Before upgrading, make sure to back up the custom resources. After running the helm upgrade command, run kubectl apply -f deployments/helm-chart/crds to re-install the CRDs and then restore the custom resources.
NOTES:
- As part of installing a release, Helm will install the CRDs unless that step is disabled (see the corresponding doc). The installed CRDs include the CRDs for all Ingress Controller features, including the ones disabled by default (like App Protect with aplogconfs.appprotect.f5.com and appolicies.appprotect.f5.com CRDs).
RESOURCES:
- Documentation -- https://docs.nginx.com/nginx-ingress-controller/
- Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/v1.8.0/examples and https://github.com/nginxinc/kubernetes-ingress/tree/v1.8.0/examples-of-custom-resources
- Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/v1.8.0/deployments/helm-chart
- Operator -- https://github.com/nginxinc/nginx-ingress-operator/
NGINX Ingress Controller 1.7.2
CHANGES:
- Update NGINX Plus version to R22.
HELM CHART:
- The version of the Helm chart is now 0.5.2.
UPGRADE:
- For NGINX, use the 1.7.2 image from our DockerHub: nginx/nginx-ingress:1.7.2, nginx/nginx-ingress:1.7.2-alpine or nginx/nginx-ingress:1.7.2-ubi
- For NGINX Plus, please build your own image using the 1.7.2 source code.
- For Helm, use version 0.5.2 of the chart.
RESOURCES:
- Documentation -- https://docs.nginx.com/nginx-ingress-controller/
- Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/v1.7.2/examples and https://github.com/nginxinc/kubernetes-ingress/tree/v1.7.2/examples-of-custom-resources
- Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/v1.7.2/deployments/helm-chart
- Operator -- https://github.com/nginxinc/nginx-ingress-operator/
NOTES:
After the release, the tag v1.7.2 was updated to point to a new commit. This was done to fix a problem with the release - the version of NGINX Plus wasn't updated to R22 in the Dockerfiles. If you checked out the source code with the old version of the v1.7.2 tag, make sure to run the following command to update v1.7.2 on your machine:
$ git tag -d v1.7.2
$ git fetch origin tag v1.7.2
NGINX Ingress Controller 1.7.1
CHANGES:
- Update NGINX version to 1.19.0.
HELM CHART:
- The version of the Helm chart is now 0.5.1.
UPGRADE:
- For NGINX, use the 1.7.1 image from our DockerHub: nginx/nginx-ingress:1.7.1, nginx/nginx-ingress:1.7.1-alpine or nginx/nginx-ingress:1.7.1-ubi
- For NGINX Plus, please build your own image using the 1.7.1 source code.
- For Helm, use version 0.5.1 of the chart.
RESOURCES:
- Documentation -- https://docs.nginx.com/nginx-ingress-controller/
- Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/v1.7.1/examples and https://github.com/nginxinc/kubernetes-ingress/tree/v1.7.1/examples-of-custom-resources
- Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/v1.7.1/deployments/helm-chart
- Operator -- https://github.com/nginxinc/nginx-ingress-operator/
NGINX Ingress Controller 1.7.0
OVERVIEW:
Release 1.7.0 includes:
- Support for TCP, UDP, and TLS Passthrough load balancing with the new configuration resources: TransportServer and GlobalConfiguration. The resources allow users to deliver complex, non-HTTP-based applications from Kubernetes using the NGINX Ingress Controller.
- Support for error pages in VirtualServer and VirtualServerRoute resources. A user can now specify custom error responses for errors returned by backend applications or generated by NGINX, such as a 502 response.
- Improved validation of VirtualServer and VirtualServerRoute resources. kubectl and the Kubernetes API server can now detect violations of the structure of VirtualServer/VirtualServerRoute resources and return an error.
- Support for an operator which manages the lifecycle of the Ingress Controller on Kubernetes or OpenShift. See the NGINX Ingress Operator GitHub repo.
See the 1.7.0 release announcement blog post, which includes an overview of each feature.
You will find the complete changelog for release 1.7.0, including bug fixes, improvements, and changes at https://github.com/nginxinc/kubernetes-ingress/blob/v1.7.0/CHANGELOG.md#170
UPGRADE:
- For NGINX, use the 1.7.0 image from our DockerHub: nginx/nginx-ingress:1.7.0, nginx/nginx-ingress:1.7.0-alpine or nginx-ingress:1.7.0-ubi
- For NGINX Plus, please build your own image using the 1.7.0 source code.
- For Helm, use version 0.5.0 of the chart.
When upgrading using the manifests, make sure to deploy the new TransportServer CRD (common/ts-definition.yaml), as it is required by the Ingress Controller. Otherwise, you will get error messages in the Ingress Controller logs.
RESOURCES:
- Documentation -- https://docs.nginx.com/nginx-ingress-controller/
- Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/v1.7.0/examples and https://github.com/nginxinc/kubernetes-ingress/tree/v1.7.0/examples-of-custom-resources
- Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/v1.7.0/deployments/helm-chart
- Operator -- https://github.com/nginxinc/nginx-ingress-operator/
NGINX Ingress Controller 1.7.0 - Release Candidate 1
OVERVIEW:
Release 1.7.0-rc1 includes:
- Support for TCP, UDP, and TLS Passthrough load balancing with the new configuration resources: TransportServer and GlobalConfiguration. The resources allow users to deliver complex, non-HTTP-based applications from Kubernetes using the NGINX Ingress Controller.
- Support for error pages in VirtualServer and VirtualServerRoute resources. A user can now specify custom error responses for errors returned by backend applications or generated by NGINX, such as a 502 response.
- Improved validation of VirtualServer and VirtualServerRoute resources. kubectl and the Kubernetes API server can now detect violations of the structure of VirtualServer/VirtualServerRoute resources and return an error.
Full changelog -- https://github.com/nginxinc/kubernetes-ingress/blob/v1.7.0-rc1/CHANGELOG.md#170---release-candidate-1
UPGRADE:
- For the release candidate, no DockerHub images are provided. Please build your own image using the 1.7.0-rc1 source code.
- For Helm, use version 0.5.0-rc1 of the chart. Note: this release candidate version is not available from the stable repo helm.nginx.com/stable, but only from the source files in the deployments/helm-chart folder.
RESOURCES:
NGINX Ingress Controller 1.6.3
CHANGES:
- Update NGINX version to 1.17.9.
HELM CHART:
- The version of the Helm chart is now 0.4.3.
UPGRADE:
- For NGINX, use the 1.6.3 image from our DockerHub: nginx/nginx-ingress:1.6.3 or nginx/nginx-ingress:1.6.3-alpine
- For NGINX Plus, please build your own image using the 1.6.3 source code.
- For Helm, use version 0.4.3 of the chart.
RESOURCES:
- Documentation -- https://docs.nginx.com/nginx-ingress-controller/
- Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/v1.6.3/examples
- Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/v1.6.3/deployments/helm-chart