diff --git a/changelog.d/2-features/nginx-ingress-services-custom-annotations b/changelog.d/2-features/nginx-ingress-services-custom-annotations
new file mode 100644
index 00000000000..27925790cb9
--- /dev/null
+++ b/changelog.d/2-features/nginx-ingress-services-custom-annotations
@@ -0,0 +1 @@
+nginx-ingress-services: Add `ingressAnnotations` option to allow custom annotations on the main ingress resource (e.g., for TLS configuration via server-snippet).
diff --git a/changelog.d/5-internal/nginx-ingress-controller-upgrade b/changelog.d/5-internal/nginx-ingress-controller-upgrade
new file mode 100644
index 00000000000..e6ab1b62a09
--- /dev/null
+++ b/changelog.d/5-internal/nginx-ingress-controller-upgrade
@@ -0,0 +1 @@
+Upgrade nginx-ingress-controller from 4.11.5 to 4.13.5 (k8s 1.29 - 1.33 officially supported - other version may also work)
diff --git a/charts/ingress-nginx-controller/Chart.yaml b/charts/ingress-nginx-controller/Chart.yaml
index 64e708e97a8..bdfd92237bf 100644
--- a/charts/ingress-nginx-controller/Chart.yaml
+++ b/charts/ingress-nginx-controller/Chart.yaml
@@ -4,5 +4,5 @@ name: ingress-nginx-controller
 version: 0.0.42
 dependencies:
 - name: ingress-nginx
- version: 4.11.5 # k8s compatibility [1.26 - 1.30]
+ version: 4.13.5 # k8s compatibility [1.29 - 1.33]
 repository: https://kubernetes.github.io/ingress-nginx
diff --git a/charts/ingress-nginx-controller/values.yaml b/charts/ingress-nginx-controller/values.yaml
index c28eb2a065c..1020ceef6a8 100644
--- a/charts/ingress-nginx-controller/values.yaml
+++ b/charts/ingress-nginx-controller/values.yaml
@@ -14,6 +14,7 @@
 # for all possible values to override.
 ingress-nginx:
 controller:
+ enableAnnotationValidations: false # due to https://github.com/kubernetes/ingress-nginx/issues/12709
 enableTopologyAwareRouting: true
 # Use kind: `DaemonSet` (when using NodePort) or `Deployment` (when using
 # LoadBalancer)
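Review bot: The new `enableAnnotationValidations: false` line turns off the controller's validation of Ingress annotation values for everything this controller serves, while the next hunk of this file keeps snippet annotations enabled, so anyone permitted to create or edit an Ingress can get unchecked nginx directives into the shared controller. The trailing comment only links an issue; it should say which annotation value the check rejects and mark the setting as temporary, e.g. `# TEMP: validation rejects <annotation value> (kubernetes/ingress-nginx#12709); re-enable when fixed`. If the upgraded chart offers a narrower knob for the affected annotation, prefer that over disabling the whole check. The enclosing `ingress-nginx.controller` mapping continues past the hunk.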
@@ -56,4 +57,5 @@ ingress-nginx:
 # Also add ssl/tls protocol/cipher to gain some observability here (can we turn off TLS 1.2?)
 log-format-escape-json: true
 log-format-upstream: '{"bytes_sent": "$bytes_sent", "duration": "$request_time", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent", "method": "$request_method", "path": "$uri", "remote_addr": "$proxy_protocol_addr", "remote_user": "$remote_user", "request_id": "$req_id", "request_length": "$request_length", "request_proto": "$server_protocol", "request_time": "$request_time", "status": "$status", "time": "$time_iso8601", "tls_cipher": "$ssl_cipher", "tls_protocol": "$ssl_protocol", "vhost": "$host", "x_forwarded_for": "$proxy_add_x_forwarded_for"}'
- allowSnippetAnnotations: true
+ allow-snippet-annotations: true # new format for this flag in newer versions
+ allowSnippetAnnotations: true # needed up to and including version 1.13
diff --git a/charts/nginx-ingress-services/templates/ingress.yaml b/charts/nginx-ingress-services/templates/ingress.yaml
index acca141ae0c..85954ecffc0 100644
--- a/charts/nginx-ingress-services/templates/ingress.yaml
+++ b/charts/nginx-ingress-services/templates/ingress.yaml
@@ -2,8 +2,13 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: {{ include "nginx-ingress-services.getIngressName" . | quote }}
- {{- if .Values.config.renderCSPInIngress }}
+ {{- if or .Values.config.renderCSPInIngress .Values.ingressAnnotations }}
 annotations:
+ {{- /* Custom annotations (e.g., for server-snippet TLS configuration) */}}
+ {{- with .Values.ingressAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- if .Values.config.renderCSPInIngress }}
 {{- if not (contains .Values.config.ingressClass "nginx") }}
 {{ fail "In ingress CSP header setting only works with a 'nginx' controller. (Rename it to 'nginx-*' if it is one.)" }}
 {{- end }}
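Review bot: The two added keys `allow-snippet-annotations: true` and `allowSnippetAnnotations: true` sit beside `log-format-upstream`, a ConfigMap entry under `controller.config`; at that level only the kebab-case key is something the controller reads, while the chart's own switch is `controller.allowSnippetAnnotations` one level up, so the line commented "needed up to and including version 1.13" may not do anything (indentation is not preserved in this view, so confirm by rendering the chart and checking the generated ConfigMap). Whichever form is kept, this re-enables snippets for every Ingress the controller serves, and the comment should record that trust assumption rather than only the version note, e.g. `# snippets let any Ingress author inject nginx config into the shared controller; keep Ingress write access restricted`.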
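Review bot: If `ingressAnnotations` carries `nginx.ingress.kubernetes.io/server-snippet` (its documented purpose) while `config.renderCSPInIngress` is also true, the `{{- toYaml . | nindent 4 }}` line and the CSP block that follows both write into the same `annotations:` mapping, and a second `server-snippet` key there is either rejected by the API server or collapses to a single value, silently dropping one of the two snippets — this assumes the CSP block renders a server-snippet, which starts below this hunk. A guard before the `with` makes the clash visible at template time: `{{- if and .Values.config.renderCSPInIngress (hasKey .Values.ingressAnnotations "nginx.ingress.kubernetes.io/server-snippet") }}{{ fail "ingressAnnotations must not set server-snippet while config.renderCSPInIngress is true" }}{{- end }}`. The `if` opened here is closed in the next hunk, outside this one.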
@@ -38,6 +43,7 @@ metadata:
 set $CSP "${CSP} upgrade-insecure-requests";
 more_set_headers "content-security-policy: $CSP";
 }
+ {{- end }}
 {{- end }}
 spec:
 ingressClassName: "{{ .Values.config.ingressClass }}"
diff --git a/charts/nginx-ingress-services/values.yaml b/charts/nginx-ingress-services/values.yaml
index 8870f71af98..b5ce1373b4e 100644
--- a/charts/nginx-ingress-services/values.yaml
+++ b/charts/nginx-ingress-services/values.yaml
@@ -175,3 +175,11 @@ config:
 # If 'true' some resources aren't created because they're expected to already
 # exist. There must be one non-additional instantiation per deployment!
 isAdditionalIngress: false
+
+# Custom annotations to add to the main ingress resource.
+# Useful for adding server-snippet or other nginx-specific configurations.
+# Example:
+# ingressAnnotations:
+# nginx.ingress.kubernetes.io/server-snippet: |
+# ssl_conf_command Curves X25519MLKEM768;
+ingressAnnotations: {}
diff --git a/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl b/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl
index c137f045884..818abf412a9 100644
--- a/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl
+++ b/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl
@@ -20,3 +20,9 @@ ingress-nginx:
 # prevent new kind:Ingress resources to be created in the cluster.
 admissionWebhooks:
 enabled: false
+ # Post-Quantum TLS testing: TLS 1.3 only with ML-KEM key exchange curves
+ config:
+ ssl-protocols: "TLSv1.3"
+ server-snippet: |
+ ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384;
+ ssl_conf_command Curves X25519MLKEM768:SecP256r1MLKEM768:SecP384r1MLKEM1024;
diff --git a/hack/helm_vars/nginx-ingress-services/values.yaml.gotmpl b/hack/helm_vars/nginx-ingress-services/values.yaml.gotmpl
index 958ba24ac9b..e806915242c 100644
--- a/hack/helm_vars/nginx-ingress-services/values.yaml.gotmpl
+++ b/hack/helm_vars/nginx-ingress-services/values.yaml.gotmpl
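Review bot: The comment block above `ingressAnnotations: {}` explains the mechanism but not its trust boundary: a `server-snippet` value is inserted verbatim into the controller's nginx server block, so whoever can set this value controls nginx configuration for every host that controller serves, and it only takes effect when the controller allows snippet annotations. Suggest adding `# NOTE: server-snippet is raw nginx config run by the shared controller; only set it from trusted values and keep it minimal.` and `# Requires snippet annotations to be allowed on the controller; otherwise the annotation is ignored.`. The example `ssl_conf_command Curves X25519MLKEM768;` also only loads on a controller whose OpenSSL build knows that group name, which the comment could say.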
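Review bot: The controller-level `server-snippet` adding `ssl_conf_command Curves X25519MLKEM768:SecP256r1MLKEM768:SecP384r1MLKEM1024;` lands in every server block and passes nginx's config check only if the controller image's OpenSSL build recognises these group names; with `admissionWebhooks.enabled: false` two lines above, a rejected configuration surfaces only in controller logs, so the test harness should assert the negotiated TLS group rather than rely on the deploy succeeding. The same curve and cipher list is set again per Ingress in the nginx-ingress-services hunk on the next line, so one of the two is presumably redundant for this test; the controller-level one has the advantage of not depending on snippet annotations being allowed. A comment naming the requirement would help, e.g. `# requires an ingress-nginx image whose OpenSSL supports ML-KEM hybrid groups (verify against the image in use)`.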
@@ -27,3 +27,10 @@ config:
 secrets:
 tlsClientCA: {{ .Values.federationCACertificate | quote }}
+
+# Post-Quantum TLS testing: Add server-snippet via the new ingressAnnotations feature
+ingressAnnotations:
+ nginx.ingress.kubernetes.io/server-snippet: |
+ ssl_protocols TLSv1.3;
+ ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384;
+ ssl_conf_command Curves X25519MLKEM768:SecP256r1MLKEM768:SecP384r1MLKEM1024;
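Review bot: This Ingress-level snippet only takes effect when the controller has snippet annotations allowed and, possibly, annotation validation disabled — both are set in charts/ingress-nginx-controller/values.yaml in this same commit — but nothing here records that coupling, so re-enabling either later breaks this environment without pointing back here. Suggest `# depends on allow-snippet-annotations=true (and enableAnnotationValidations=false) in the ingress-nginx-controller chart values`. With `ssl_protocols TLSv1.3;` the server block refuses any TLS 1.2 client; that is fine for a test environment, but worth stating in the comment so the value is not copied into production values unchanged.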