What's Changed
๐ Features
- Add nginx.org/ssl-redirect annotation support by @haywoodsh in #8656
- Add nginx.org/http-redirect-code annotation and ConfigMap support by @haywoodsh in #8711
- Add
nginx.org/app-rootannotation support by @AlexFenlon in #8720 - Initialise the $service variable early in the server block by @pdabelf5 in #8861
- Add custom time format to JSON and TEXT logging by @AlexFenlon in #8168
- Add RouteSelector Labels to VirtualServer and VirtualServerRoutes by @AlexFenlon in #8936
- feat: Add
proxy-next-upstreamdirectives to Ingress Annotations by @spencerugbo in #8972 - Support loadBalancerClass in Helm chart by @rodrigosandrin in #8555
- Add framework to attach Policy CR's to Ingress with annotations by @pdabelf5 in #9209
- add CORS policy to VS/VSR by @vepatel in #9148
- Ingress Policy: AccessControl by @sean-breen in #9280
- feat: add CORS to Ingress via Policy by @vepatel in #9292
- Automate Community PR Pipeline Run by @spencerugbo in #9260
- Enable Session Persistence for NGINX OSS config by @sean-breen in #9316
- Config rollback manager by @haywoodsh in #9288
๐ Bug Fixes
- fix: update stub_status client path by @vepatel in #8689
- update service template for ipFamilies by @vepatel in #8722
- add more validation on rewrite-target by @vepatel in #8740
- Implement zone size templates in configmap for oidc templates by @javorszky in #8831
- Refactor getValidTarget to return a list of items by @javorszky in #8869
- Fix Agent OTel metrics failing to start by @sean-breen in #8949
- fix load command by @vepatel in #9172
- Invalid VS with OIDC policy applied at VS Spec with trusted cert by @pdabelf5 in #9140
- Fix
unexpected ";"using zone-sync in the Configmap while disabling IPV6 by @AlexFenlon in #9213 - update openid_connect.js by @vepatel in #9315
๐งช Tests
- update nginxplus version in package tests by @vepatel in #8770
- update urllib to 2.6.2 by @vepatel in #8814
๐จ Maintenance
55 changes
- fix git user for release wf by @vepatel in #8601
- Fix shell variable globbing issue using quotes by @javorszky in #8603
- Bump IC to 5.4.0 and helm chart to 2.5.0 by @javorszky in #8604
- Bump WAF version to 5.10.0 by @AlexFenlon in #8606
- Split release docs tasks by @pdabelf5 in #8607
- Allow easy syncing of F5 WAF images for e2e tests by @pdabelf5 in #8609
- update release branch by @vepatel in #8614
- Update Community Call by @danielnginx in #8617
- fix govulncheck image promotion by @vepatel in #8648
- Get k8s version from tests/makefile rather than dockerfile by @javorszky in #8650
- fix cosign version by @vepatel in #8668
- update release branch docs by @javorszky in #8672
- Add 5.3.0 to bug-report template by @AlexFenlon in #8687
- Write images to GH cache on main & release branches by @pdabelf5 in #8713
- update nginx oss and alpine base by @vepatel in #8733
- Update Azure upload credentials by @pdabelf5 in #8745
- Tweak some maintenance make targets by @javorszky in #8618
- Use nginx-bot to checkout & commit renovate PR's by @pdabelf5 in #8773
- Give renovate build workflow id-write permissions by @pdabelf5 in #8775
- Use stdlib for slices package by @pdabelf5 in #8813
- Fix tilde spelling in validation.go by @AlexFenlon in #8818
- Update the NAP threat campaigns version by @javorszky in #8829
- Update app-protect-attack-signatures to 2026 versions by @pdabelf5 in #8860
- Update waf to 5.11.0 by @javorszky in #8874
- Actually update nap to 511 by @javorszky in #8878
- Correctly set PREBUILT_BASE_IMG build arg for full builds by @pdabelf5 in #8913
- Refactor TestAddVirtualServerWithVirtualServerRoutes for better clarity by @AlexFenlon in #8838
- Set pre-commit schedule to quarterly by @pdabelf5 in #8914
- Move JWT annotations names to consts by @pdabelf5 in #8937
- Replace hardcoded keys by @javorszky in #8536
- Add resource reference validation function by @pdabelf5 in #8454
- Update helm chart link in draft release notes by @pdabelf5 in #8989
- Update preflight to 1.16.0 & track version with renovate by @pdabelf5 in #9000
- Update example Secrets to work with new generated Secrets by @AlexFenlon in #9001
- use correct manifest sha for building cares dependency by @sean-breen in #9058
- Update NGINX versions by @pdabelf5 in #9066
- Only run notifications on scheduled or release workflows by @pdabelf5 in #9118
- Adds ARG NGINX_VERSION to fix undefined var by @javorszky in #9053
- Update bug template to include latest version of NIC by @AlexFenlon in #9090
- Fix VSR Selector flaky pytests by @AlexFenlon in #9078
- Add secret generation to regression tests by @javorszky in #9173
- Decouple generatePolicies() from vsc by @pdabelf5 in #9089
- Update WAF to 5.11.2 by @pdabelf5 in #9190
- Add 5.3.4 to the BUG template by @AlexFenlon in #9206
- Update Community Call Dates by @AlexFenlon in #9207
- Update 5.3.3 to 5.3.4 by @AlexFenlon in #9210
- Dynamically determine the architecture for the pytest image build by @pdabelf5 in #9217
- fix secret names in examples by @vepatel in #9237
- Refactor variable names by @sean-breen in #9215
- add parentType to policy owner struct by @vepatel in #9287
- Split virtual server tests into separate files by @pdabelf5 in #9293
- Refactor utils to remove duplicated methods and eliminate import circulations by @haywoodsh in #9317
- Update dependencies and Docker tags for various packages by @pdabelf5 in #9346
๐ Documentation
- Update versions of nic(5.3.1), helm chart(2.4.1), operator(3.4.1) by @vepatel in #8744
- cherry-pick release docs update to main by @vepatel in #9014
- Release 5.4.0 by @haywoodsh in #9409
โฌ๏ธ Dependencies
63 changes
- Update golang:1.25-alpine Docker digest to e689855 (main) by @renovate[bot] in #8612, #8760, #8890, #8909, #9003, #9061, #9093
- Update dependency go to v1.26.1 (main) by @renovate[bot] in #8613, #8891, #9065, #9297
- Update python:3.14-trixie Docker digest to abc08a8 (main) by @renovate[bot] in #8621, #8724, #8796, #8805, #8872, #8939, #9044, #9062, #9105
- Update redhat/ubi9 Docker tag to v9.7-1764794285 (main) by @renovate[bot] in #8625, #8782, #8819, #8921, #8976, #9195, #9322
- Update aws-sdk-go-v2 monorepo (main) by @renovate[bot] in #8622
- Update NGINX Agent to 3.6.0 by @AlexFenlon in #8691
- Update module github.com/gkampitakis/go-snaps to v0.5.21 (main) by @renovate[bot] in #8624, #8802, #9268, #9359
- Update ghcr.io/nginx/dependencies/nginx-ubi:ubi9 Docker digest to 890fce2 (main) by @renovate[bot] in #8694, #8781, #8790, #8847, #9042, #9092, #9120, #9149, #9178, #9220, #9319, #9336
- Update quay.io/jetstack/cert-manager-webhook Docker tag to v1.19.3 (main) by @renovate[bot] in #8677, #9028
- Update kubernetes packages to v0.35.2 (main) by @renovate[bot] in #8696, #9122, #9267
- Update coredns/coredns Docker tag to v1.14.2 (main) by @renovate[bot] in #8695, #8842, #8902, #9302
- Update quay.io/jetstack/cert-manager-controller Docker tag to v1.19.3 (main) by @renovate[bot] in #8676, #9027
- Update quay.io/skopeo/stable Docker tag to v1.22.0 (main) by @renovate[bot] in #8697, #9312
- Update quay.io/jetstack/cert-manager-cainjector Docker tag to v1.19.3 (main) by @renovate[bot] in #8675, #9026
- Update golangci/golangci-lint Docker tag to v2.11.3 (main) by @renovate[bot] in #8628, #8832, #9127, #9198, #9304
- Update redhat/ubi9-minimal Docker tag to v9.7-1764794109 (main) by @renovate[bot] in #8626, #8922, #8977, #9081, #9196, #9323
- Update module github.com/cert-manager/cert-manager to v1.19.3 [SECURITY] (main) by @renovate[bot] in #8673, #9039
- Update kindest/node Docker tag to v1.35.1 (main) by @renovate[bot] in #8716, #8749, #9156, #9193
- Update ghcr.io/nginx/dependencies/nginx-ubi:ubi8 Docker digest to e4ac6f7 (main) by @renovate[bot] in #8693, #8780, #8846, #8880, #8901, #8930, #8958, #8994, #9219, #9318
- Update pre-commit hook psf/black-pre-commit-mirror to v26.3.0 (main) by @renovate[bot] in #8661, #8910, #9311
- Update nginx:1.29.3 Docker digest to 2f4e101 (main) by @renovate[bot] in #8658
- Update module golang.org/x/tools to v0.42.0 (main) by @renovate[bot] in #8659, #8862, #9112
- Update opentelemetry-go monorepo to v1.42.0 (main) by @renovate[bot] in #8660, #9029, #9284, #9305
- Update pre-commit hook DavidAnson/markdownlint-cli2 to v0.21.0 (main) by @renovate[bot] in #8646, #9169
- Update debian:12-slim Docker digest to f065376 (main) by @renovate[bot] in #8657, #8794, #8870, #9041, #9242, #9365
- Update pre-commit hook python-jsonschema/check-jsonschema to v0.37.0 (main) by @renovate[bot] in #8726, #8975, #9179, #9269
- Update module github.com/aws/aws-sdk-go-v2/config to v1.32.9 (main) by @renovate[bot] in #8747, #9194, #9221
- Update redhat/ubi8 Docker digest to a287489 (main) by @renovate[bot] in #8763, #8920, #8974, #9023, #9063, #9110, #9142
- Update ghcr.io/nginx/alpine-fips Docker tag to v0.5.0 (main) by @renovate[bot] in #8748
- Update nginx:1.29.4-alpine3.23 Docker digest to b0f7830 (main) by @renovate[bot] in #8762, #8849, #8881
- Update nginx:1.29.4 Docker digest to c881927 (main) by @renovate[bot] in #8792, #8795, #8848, #8871, #9043
- Update pre-commit hook rhysd/actionlint to v1.7.11 (main) by @renovate[bot] in #8797, #9166
- Update k8s.io/utils digest to b8788ab (main) by @renovate[bot] in #8761, #8840, #9121
- Update quay.io/keycloak/keycloak Docker tag (main) by @renovate[bot] in #8821
- Update aws-sdk-go-v2 monorepo (main) by @renovate[bot] in #8850
- Update quay.io/keycloak/keycloak Docker tag to v26.5.5 (main) by @renovate[bot] in #8882, #8962, #9124, #9231, #9298
- Bump the pip group across 2 directories with 1 update by @dependabot[bot] in #8834
- Update module sigs.k8s.io/controller-tools to v0.20.1 (main) by @renovate[bot] in #8764, #9157
- Update module github.com/gruntwork-io/terratest to v0.56.0 (main) by @renovate[bot] in #8883, #9158
- Update module sigs.k8s.io/structured-merge-diff/v6 to v6.3.2 (main) by @renovate[bot] in #8904, #9095
- Update docker/dockerfile Docker tag to v1.22 (main) by @renovate[bot] in #8952, #9294
- Update module github.com/aws/aws-sdk-go-v2/service/marketplacemetering to v1.35.6 (main) by @renovate[bot] in #8951
- Update golang Docker tag to v1.26.1 (main) by @renovate[bot] in #8961, #9079, #9303
- Update module golang.org/x/crypto to v0.48.0 (main) by @renovate[bot] in #8963, #9111
- Update module github.com/golang-jwt/jwt/v5 to v5.3.1 (main) by @renovate[bot] in #9005
- Update alpine:3.22 Docker digest to 55ae5d2 (main) by @renovate[bot] in #9002
- update c-ares package to 1.19.1-2 by @sean-breen in #8877
- Update NGINX Agent to 3.7 by @AlexFenlon in #9059
- Update nginx:1.29.5 Docker digest to 0236ee0 (main) by @renovate[bot] in #9094, #9243
- Update nginx:1.29.5-alpine3.23 Docker digest to 1d13701 (main) by @renovate[bot] in #9103
- Loosen F5 WAF package versions to allow patch releases by @pdabelf5 in #9115
- Update dependency dominikh/go-tools to v2026 (main) by @renovate[bot] in #9159
- Update Go to v1.26 by @AlexFenlon in #9176
- Update pre-commit hook PyCQA/autoflake to v2.3.3 (main) by @renovate[bot] in #9222
- Update pre-commit hook PyCQA/isort to v8.0.1 (main) by @renovate[bot] in #9223, #9277
- Bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 in the go_modules group across 1 directory by @dependabot[bot] in #9218
- Update aws-sdk-go-v2 monorepo (main) by @renovate[bot] in #9240
- Update golang:1.26-alpine Docker digest to 2389ebf (main) by @renovate[bot] in #9301
- Update golang.org/x/crypto to v0.49.0 & golang.org/x/tools to v0.42.0 by @pdabelf5 in #9344
- Update Docker image digests for NGINX and Python dependencies by @pdabelf5 in #9345
- Update nginx:1.29.6-alpine3.23 Docker digest to f46cb72 (main) by @renovate[bot] in #9349
- Update aws-sdk-go-v2 monorepo (main) by @renovate[bot] in #9350
- Bump google.golang.org/grpc from 1.79.2 to 1.79.3 in the go_modules group across 1 directory by @nginx-bot in #9404
Other Changes
- Update permissions on image promotion CI by @pdabelf5 in #8608
- Remove environment from Azure Upload job by @pdabelf5 in #8686
- Be more explicit about cache save/restore by @pdabelf5 in #8704
- Fix link to shared examples for custom templates by @aknot242 in #8938
- fix: Remove deprecated preserveUnknownFields field from crds by @MatthiasRoels in #8969
- fix: update link to Security Monitoring in examples by @aknot242 in #9358
New Contributors
- @sean-breen made their first contribution in #8949
- @MatthiasRoels made their first contribution in #8969
- @rodrigosandrin made their first contribution in #8555
Full Changelog: v5.3.4...v5.4.0
Upgrade
- For NGINX, use the v5.4.0 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
- For NGINX Plus, use the v5.4.0 images from the F5 Container registry or build your own image using the v5.4.0 source code.
- For Helm, use version 2.5.0 of the chart.
Resources
- Documentation -- https://docs.nginx.com/nginx-ingress-controller/
- Configuration examples -- https://github.com/nginx/kubernetes-ingress/tree/v5.4.0/examples
- Helm Chart -- https://github.com/nginx/kubernetes-ingress/tree/v5.4.0/charts/nginx-ingress
- Operator -- https://github.com/nginx/nginx-ingress-helm-operator