diff --git a/CHANGELOG.md b/CHANGELOG.md index 4a6efa46cb..12d4d3b92b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ _November 13, 2025_ FEATURES: - Add support to make endpoint picker communication settings configurable. [4105](https://github.com/nginx/nginx-gateway-fabric/pull/4105) +- Add support for exposing control plane readiness probe endpoint for external load balancer health checks. [4400](https://github.com/nginx/nginx-gateway-fabric/issues/4400) BUG FIXES: diff --git a/charts/nginx-gateway-fabric/README.md b/charts/nginx-gateway-fabric/README.md index 691eb26aa7..43dd7b7656 100644 --- a/charts/nginx-gateway-fabric/README.md +++ b/charts/nginx-gateway-fabric/README.md 
@@ -246,7 +246,7 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri | `nginx.usage.resolver` | The nameserver used to resolve the NGINX Plus usage reporting endpoint. Used with NGINX Instance Manager. | string | `""` | | `nginx.usage.secretName` | The name of the Secret containing the JWT for NGINX Plus usage reporting. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"nplus-license"` | | `nginx.usage.skipVerify` | Disable client verification of the NGINX Plus usage reporting server certificate. | bool | `false` | -| `nginxGateway` | The nginxGateway section contains configuration for the NGINX Gateway Fabric control plane deployment. | object | `{"affinity":{},"autoscaling":{"enable":false},"config":{"logging":{"level":"info"}},"configAnnotations":{},"extraVolumeMounts":[],"extraVolumes":[],"gatewayClassAnnotations":{},"gatewayClassName":"nginx","gatewayControllerName":"gateway.nginx.org/nginx-gateway-controller","gwAPIExperimentalFeatures":{"enable":false},"gwAPIInferenceExtension":{"enable":false,"endpointPicker":{"disableTLS":false,"skipVerify":true}},"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric","tag":"edge"},"kind":"deployment","labels":{},"leaderElection":{"enable":true,"lockName":""},"lifecycle":{},"metrics":{"enable":true,"port":9113,"secure":false},"name":"","nodeSelector":{},"podAnnotations":{},"productTelemetry":{"enable":true},"readinessProbe":{"enable":true,"initialDelaySeconds":3,"port":8081},"replicas":1,"resources":{},"service":{"annotations":{},"labels":{}},"serviceAccount":{"annotations":{},"imagePullSecret":"","imagePullSecrets":[],"name":""},"snippetsFilters":{"enable":false},"terminationGracePeriodSeconds":30,"tolerations":[],"topologySpreadConstraints":[]}` | +| `nginxGateway` | The nginxGateway section contains configuration for the NGINX Gateway Fabric control plane deployment. 
| object | `{"affinity":{},"autoscaling":{"enable":false},"config":{"logging":{"level":"info"}},"configAnnotations":{},"extraVolumeMounts":[],"extraVolumes":[],"gatewayClassAnnotations":{},"gatewayClassName":"nginx","gatewayControllerName":"gateway.nginx.org/nginx-gateway-controller","gwAPIExperimentalFeatures":{"enable":false},"gwAPIInferenceExtension":{"enable":false,"endpointPicker":{"disableTLS":false,"skipVerify":true}},"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric","tag":"edge"},"kind":"deployment","labels":{},"leaderElection":{"enable":true,"lockName":""},"lifecycle":{},"metrics":{"enable":true,"port":9113,"secure":false},"name":"","nodeSelector":{},"podAnnotations":{},"productTelemetry":{"enable":true},"readinessProbe":{"enable":true,"initialDelaySeconds":3,"port":8081},"replicas":1,"resources":{},"service":{"annotations":{},"exposeHealthPort":false,"labels":{}},"serviceAccount":{"annotations":{},"imagePullSecret":"","imagePullSecrets":[],"name":""},"snippetsFilters":{"enable":false},"terminationGracePeriodSeconds":30,"tolerations":[],"topologySpreadConstraints":[]}` | | `nginxGateway.affinity` | The affinity of the NGINX Gateway Fabric control plane pod. | object | `{}` | | `nginxGateway.autoscaling` | Autoscaling configuration for the NGINX Gateway Fabric control plane. | object | `{"enable":false}` | | `nginxGateway.autoscaling.enable` | Enable or disable Horizontal Pod Autoscaler for the control plane. | bool | `false` | 
@@ -281,8 +281,9 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri | `nginxGateway.readinessProbe.port` | Port in which the readiness endpoint is exposed. | int | `8081` | | `nginxGateway.replicas` | The number of replicas of the NGINX Gateway Fabric Deployment. This value is ignored if autoscaling.enable is true. | int | `1` | | `nginxGateway.resources` | The resource requests and/or limits of the nginx-gateway container. | object | `{}` | -| `nginxGateway.service` | The service configuration for the NGINX Gateway Fabric control plane. | object | `{"annotations":{},"labels":{}}` | +| `nginxGateway.service` | The service configuration for the NGINX Gateway Fabric control plane. | object | `{"annotations":{},"exposeHealthPort":false,"labels":{}}` | | `nginxGateway.service.annotations` | The annotations of the NGINX Gateway Fabric control plane service. | object | `{}` | +| `nginxGateway.service.exposeHealthPort` | Expose the readiness probe port on the control plane service. When enabled, the readiness probe endpoint (/readyz) becomes accessible externally, allowing external load balancers (like Azure Application Gateway) to perform health checks. Requires nginxGateway.readinessProbe.enable to be true. | bool | `false` | | `nginxGateway.service.labels` | The labels of the NGINX Gateway Fabric control plane service. | object | `{}` | | `nginxGateway.serviceAccount` | The serviceaccount configuration for the NGINX Gateway Fabric control plane. | object | `{"annotations":{},"imagePullSecret":"","imagePullSecrets":[],"name":""}` | | `nginxGateway.serviceAccount.annotations` | Set of custom annotations for the NGINX Gateway Fabric control plane service account. | object | `{}` | diff --git a/charts/nginx-gateway-fabric/templates/service.yaml b/charts/nginx-gateway-fabric/templates/service.yaml index 988398d421..9690a392cd 100644 --- a/charts/nginx-gateway-fabric/templates/service.yaml 
+++ b/charts/nginx-gateway-fabric/templates/service.yaml
@@ -23,3 +23,9 @@ spec:
 port: 443
 protocol: TCP
 targetPort: 8443
+ {{- if and .Values.nginxGateway.readinessProbe.enable .Values.nginxGateway.service.exposeHealthPort }}
+ - name: health
+ port: {{ .Values.nginxGateway.readinessProbe.port }}
+ protocol: TCP
+ targetPort: {{ .Values.nginxGateway.readinessProbe.port }}
+ {{- end }}
diff --git a/charts/nginx-gateway-fabric/values.schema.json b/charts/nginx-gateway-fabric/values.schema.json
index 85967e4913..dda1b10789 100644
--- a/charts/nginx-gateway-fabric/values.schema.json
+++ b/charts/nginx-gateway-fabric/values.schema.json
@@ -1086,6 +1086,13 @@
 "title": "annotations",
 "type": "object"
 },
+ "exposeHealthPort": {
+ "default": false,
+ "description": "Expose the readiness probe port on the control plane service. When enabled, the readiness probe endpoint\n(/readyz) becomes accessible externally, allowing external load balancers (like Azure Application Gateway)\nto perform health checks. Requires nginxGateway.readinessProbe.enable to be true.",
+ "required": [],
+ "title": "exposeHealthPort",
+ "type": "boolean"
+ },
 "labels": {
 "description": "The labels of the NGINX Gateway Fabric control plane service.",
 "required": [],
diff --git a/charts/nginx-gateway-fabric/values.yaml b/charts/nginx-gateway-fabric/values.yaml
index 9e8e7de21d..87244a359f 100644
--- a/charts/nginx-gateway-fabric/values.yaml
+++ b/charts/nginx-gateway-fabric/values.yaml
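Review bot: In templates/service.yaml the new `health` port is silently omitted when `exposeHealthPort` is true but `readinessProbe.enable` is false, so an operator who depends on the external health check gets a Service without the port and no error at render time. Failing the render would surface the misconfiguration, e.g. `{{- if and .Values.nginxGateway.service.exposeHealthPort (not .Values.nginxGateway.readinessProbe.enable) }}{{ fail "nginxGateway.service.exposeHealthPort requires nginxGateway.readinessProbe.enable" }}{{- end }}`. The port number is taken directly from `readinessProbe.port`, so a value of 443 would duplicate the existing `port: 443` entry and the API server would reject the Service; a guard or schema constraint would catch that earlier. Because the health port is added to the same Service that maps 443 to 8443, whatever fronts this Service for health checks should be restricted to the health port only. The rest of the Service spec is outside the hunk.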
@@ -63,6 +63,11 @@ nginxGateway: # -- The labels of the NGINX Gateway Fabric control plane service. labels: {} + # -- Expose the readiness probe port on the control plane service. When enabled, the readiness probe endpoint + # (/readyz) becomes accessible externally, allowing external load balancers (like Azure Application Gateway) + # to perform health checks. Requires nginxGateway.readinessProbe.enable to be true. + exposeHealthPort: false + # -- The serviceaccount configuration for the NGINX Gateway Fabric control plane. serviceAccount: # -- Set of custom annotations for the NGINX Gateway Fabric control plane service account.
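Review bot: The comment on `exposeHealthPort` states that /readyz "becomes accessible externally", but the template change only adds a port to the control plane Service; whether it is reachable from outside the cluster depends on the Service type and annotations, which this hunk does not show. I would reword it along the lines of `# -- Add the readiness probe port to the control plane service so that load balancers fronting the service can health-check /readyz.` and add one line advising that the port be reachable only from the load balancer's probe sources (NetworkPolicy or load balancer source ranges), since the endpoint is presumably served without authentication. The same text is copied into README.md and values.schema.json, so the wording is best corrected here at the source.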