From 72b73b0adad8849fbb9ae467427104d90d31424f Mon Sep 17 00:00:00 2001
From: Emil Abramov
Date: Wed, 21 Jan 2026 18:34:07 +0100
Subject: [PATCH 1/5] add additional config options to nginx chart

---
 charts/nginx-ingress-services/templates/ingress.yaml | 8 +++++++-
 charts/nginx-ingress-services/values.yaml | 8 ++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/charts/nginx-ingress-services/templates/ingress.yaml b/charts/nginx-ingress-services/templates/ingress.yaml
index acca141ae0..85954ecffc 100644
--- a/charts/nginx-ingress-services/templates/ingress.yaml
+++ b/charts/nginx-ingress-services/templates/ingress.yaml
@@ -2,8 +2,13 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: {{ include "nginx-ingress-services.getIngressName" . | quote }}
- {{- if .Values.config.renderCSPInIngress }}
+ {{- if or .Values.config.renderCSPInIngress .Values.ingressAnnotations }}
 annotations:
+ {{- /* Custom annotations (e.g., for server-snippet TLS configuration) */}}
+ {{- with .Values.ingressAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- if .Values.config.renderCSPInIngress }}
 {{- if not (contains .Values.config.ingressClass "nginx") }}
 {{ fail "In ingress CSP header setting only works with a 'nginx' controller. (Rename it to 'nginx-*' if it is one.)" }}
 {{- end }}
@@ -38,6 +43,7 @@ metadata:
 set $CSP "${CSP} upgrade-insecure-requests";
 more_set_headers "content-security-policy: $CSP";
 }
+ {{- end }}
 {{- end }}
 spec:
 ingressClassName: "{{ .Values.config.ingressClass }}"
diff --git a/charts/nginx-ingress-services/values.yaml b/charts/nginx-ingress-services/values.yaml
index 8870f71af9..b5ce1373b4 100644
--- a/charts/nginx-ingress-services/values.yaml
+++ b/charts/nginx-ingress-services/values.yaml
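Review bot: Keys supplied through `ingressAnnotations` are emitted with `toYaml . | nindent 4` before the CSP block, so a value whose key matches the annotation the CSP block renders (that key is below this hunk) produces a duplicate key in the rendered `annotations:` map, and which one the consumer's YAML parser keeps is decided silently. A guard placed after the `with` block, `{{- if and .Values.config.renderCSPInIngress (hasKey .Values.ingressAnnotations "<CSP-ANNOTATION-KEY placeholder>") }}{{ fail "ingressAnnotations must not override the CSP annotation" }}{{- end }}`, turns the collision into a render-time error. The inline comment should also say that `*-snippet` keys only take effect when the controller allows snippet annotations and that they inject raw nginx configuration into the generated server block, so this value is effectively controller configuration. The `if or` block opened here is closed in the next hunk.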
@@ -175,3 +175,11 @@ config:
 # If 'true' some resources aren't created because they're expected to already
 # exist. There must be one non-additional instantiation per deployment!
 isAdditionalIngress: false
+
+# Custom annotations to add to the main ingress resource.
+# Useful for adding server-snippet or other nginx-specific configurations.
+# Example:
+# ingressAnnotations:
+# nginx.ingress.kubernetes.io/server-snippet: |
+# ssl_conf_command Curves X25519MLKEM768;
+ingressAnnotations: {}

From 6169db1b3246a97ccd7ffb5b74de956b8636f021 Mon Sep 17 00:00:00 2001
From: Emil Abramov
Date: Wed, 21 Jan 2026 18:41:39 +0100
Subject: [PATCH 2/5] changelog item

---
 changelog.d/2-features/nginx-ingress-services-custom-annotations | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/2-features/nginx-ingress-services-custom-annotations

diff --git a/changelog.d/2-features/nginx-ingress-services-custom-annotations b/changelog.d/2-features/nginx-ingress-services-custom-annotations
new file mode 100644
index 0000000000..27925790cb
--- /dev/null
+++ b/changelog.d/2-features/nginx-ingress-services-custom-annotations
@@ -0,0 +1 @@
+nginx-ingress-services: Add `ingressAnnotations` option to allow custom annotations on the main ingress resource (e.g., for TLS configuration via server-snippet).

From 868e6125fbc9a46e5a06bbfcbd6b4307669df0a6 Mon Sep 17 00:00:00 2001
From: Emil Abramov
Date: Thu, 22 Jan 2026 13:58:37 +0100
Subject: [PATCH 3/5] config for integration testing as suggested

---
 hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl | 6 ++++++
 hack/helm_vars/nginx-ingress-services/values.yaml.gotmpl | 7 +++++++
 2 files changed, 13 insertions(+)

diff --git a/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl b/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl
index c137f04588..818abf412a 100644
--- a/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl
+++ b/hack/helm_vars/ingress-nginx-controller/values.yaml.gotmpl
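Review bot: The new `ingressAnnotations` comment shows a `server-snippet` example without stating its prerequisite or its effect: the example only works when the controller permits snippet annotations (this series sets `allow-snippet-annotations` in the ingress-nginx-controller chart for that reason), and a snippet is raw nginx configuration inserted into the server block, which this chart cannot validate. Suggest adding below the example: `# Note: *-snippet annotations require allow-snippet-annotations=true on the controller and inject raw nginx configuration; the chart does not validate their content.` The explicit `{}` default is the right choice over a bare key.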
@@ -20,3 +20,9 @@ ingress-nginx:
 # prevent new kind:Ingress resources to be created in the cluster.
 admissionWebhooks:
 enabled: false
+ # Post-Quantum TLS testing: TLS 1.3 only with ML-KEM key exchange curves
+ config:
+ ssl-protocols: "TLSv1.3"
+ server-snippet: |
+ ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384;
+ ssl_conf_command Curves X25519MLKEM768:SecP256r1MLKEM768:SecP384r1MLKEM1024;
diff --git a/hack/helm_vars/nginx-ingress-services/values.yaml.gotmpl b/hack/helm_vars/nginx-ingress-services/values.yaml.gotmpl
index 958ba24ac9..e806915242 100644
--- a/hack/helm_vars/nginx-ingress-services/values.yaml.gotmpl
+++ b/hack/helm_vars/nginx-ingress-services/values.yaml.gotmpl
@@ -27,3 +27,10 @@ config:
 
 secrets:
 tlsClientCA: {{ .Values.federationCACertificate | quote }}
+
+# Post-Quantum TLS testing: Add server-snippet via the new ingressAnnotations feature
+ingressAnnotations:
+ nginx.ingress.kubernetes.io/server-snippet: |
+ ssl_protocols TLSv1.3;
+ ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384;
+ ssl_conf_command Curves X25519MLKEM768:SecP256r1MLKEM768:SecP384r1MLKEM1024;

From fcbb16c9c3c9092e95d63f4c9fe835e8277ef764 Mon Sep 17 00:00:00 2001
From: jschaul
Date: Thu, 22 Jan 2026 16:25:53 +0100
Subject: [PATCH 4/5] upgrade nginx-ingress-controller chart, update default flags

---
 changelog.d/5-internal/nginx-ingress-controller-upgrade | 1 +
 charts/ingress-nginx-controller/Chart.yaml | 2 +-
 charts/ingress-nginx-controller/values.yaml | 3 ++-
 3 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 changelog.d/5-internal/nginx-ingress-controller-upgrade

diff --git a/changelog.d/5-internal/nginx-ingress-controller-upgrade b/changelog.d/5-internal/nginx-ingress-controller-upgrade
new file mode 100644
index 0000000000..e6ab1b62a0
--- /dev/null
+++ b/changelog.d/5-internal/nginx-ingress-controller-upgrade
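Review bot: `server-snippet` in the controller ConfigMap is appended to every server block nginx generates, so together with `ssl-protocols: "TLSv1.3"` this changes the handshake for every ingress served by the test controller, not only the one under test, and the comment should say "cluster-wide". The `Curves` list names ML-KEM hybrid groups, which need an nginx/OpenSSL build in the controller image that knows them; I cannot tell from the hunk whether the 4.13.5 image does, and if it does not I would expect nginx to reject the configuration, which the controller, as far as I recall, reports only in its logs while keeping the previous configuration. Suggest `# Cluster-wide: applies to every Ingress served by this controller; the ML-KEM groups require OpenSSL support in the controller image.`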
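Review bot: The per-ingress `server-snippet` repeats what the preceding hunk already applies cluster-wide through the controller ConfigMap (TLS 1.3 only, the same ciphersuites and curves), so if the new `ingressAnnotations` path rendered nothing, or the controller ignored the annotation, the test would observe the same handshake and still pass. To actually exercise the feature, make the per-ingress value observably different from the global one or drop the global one, and have the integration test assert the negotiated key-exchange group rather than only a successful connection. With the admission webhook disabled in the controller values (`admissionWebhooks.enabled: false` in the preceding hunk), a snippet that makes the nginx configuration invalid is, as far as I recall, logged by the controller while it keeps the last good configuration instead of rejecting the Ingress, which is another way a failure here stays silent.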
@@ -0,0 +1 @@
+Upgrade nginx-ingress-controller from 4.11.5 to 4.13.5 (k8s 1.29 - 1.33 officially supported - other version may also work)
diff --git a/charts/ingress-nginx-controller/Chart.yaml b/charts/ingress-nginx-controller/Chart.yaml
index 64e708e97a..bdfd92237b 100644
--- a/charts/ingress-nginx-controller/Chart.yaml
+++ b/charts/ingress-nginx-controller/Chart.yaml
@@ -4,5 +4,5 @@ name: ingress-nginx-controller
 version: 0.0.42
 dependencies:
 - name: ingress-nginx
- version: 4.11.5 # k8s compatibility [1.26 - 1.30]
+ version: 4.13.5 # k8s compatibility [1.29 - 1.33]
 repository: https://kubernetes.github.io/ingress-nginx
diff --git a/charts/ingress-nginx-controller/values.yaml b/charts/ingress-nginx-controller/values.yaml
index c28eb2a065..587bc47ae3 100644
--- a/charts/ingress-nginx-controller/values.yaml
+++ b/charts/ingress-nginx-controller/values.yaml
@@ -14,6 +14,7 @@
 # for all possible values to override.
 ingress-nginx:
 controller:
+ enableAnnotationValidations: false # due to https://github.com/kubernetes/ingress-nginx/issues/12709
 enableTopologyAwareRouting: true
 # Use kind: `DaemonSet` (when using NodePort) or `Deployment` (when using
 # LoadBalancer)
@@ -56,4 +57,4 @@ ingress-nginx:
 # Also add ssl/tls protocol/cipher to gain some observability here (can we turn off TLS 1.2?)
 log-format-escape-json: true
 log-format-upstream: '{"bytes_sent": "$bytes_sent", "duration": "$request_time", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent", "method": "$request_method", "path": "$uri", "remote_addr": "$proxy_protocol_addr", "remote_user": "$remote_user", "request_id": "$req_id", "request_length": "$request_length", "request_proto": "$server_protocol", "request_time": "$request_time", "status": "$status", "time": "$time_iso8601", "tls_cipher": "$ssl_cipher", "tls_protocol": "$ssl_protocol", "vhost": "$host", "x_forwarded_for": "$proxy_add_x_forwarded_for"}'
- allowSnippetAnnotations: true
+ allow-snippet-annotations: true
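Review bot: `enableAnnotationValidations: false` switches off the controller's validation of annotation values for every Ingress in the cluster, and the comment records only the issue number, not what is given up or when to revert. Since the same series enables snippet annotations, annotation content now reaches nginx with fewer checks in front of it, which makes the trade-off worth stating. Suggest `# Disables cluster-wide validation of Ingress annotation values (workaround for https://github.com/kubernetes/ingress-nginx/issues/12709); TODO re-enable once fixed — with allow-snippet-annotations also on, annotation content is otherwise unchecked.`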
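Review bot: `allow-snippet-annotations: true` in `controller.config` enables `*-snippet` annotations for every Ingress object in the cluster, from any namespace and for anyone allowed to create Ingress resources, and upstream ships it disabled by default; no comment records that this is a deliberate cluster-wide decision or what depends on it. Suggest `# Cluster-wide: lets any Ingress in any namespace inject nginx configuration via *-snippet annotations; required by the ingressAnnotations server-snippet in nginx-ingress-services.` Patch 5's hunk re-adds the camelCase `allowSnippetAnnotations` next to this line and should carry the same caveat.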
From 35fbb07bfb0ada07a0923c0606012e9ee3c416fb Mon Sep 17 00:00:00 2001
From: jschaul
Date: Mon, 26 Jan 2026 14:27:45 +0100
Subject: [PATCH 5/5] re-add the older style allowSnippetAnnotations

---
 charts/ingress-nginx-controller/values.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/charts/ingress-nginx-controller/values.yaml b/charts/ingress-nginx-controller/values.yaml
index 587bc47ae3..1020ceef6a 100644
--- a/charts/ingress-nginx-controller/values.yaml
+++ b/charts/ingress-nginx-controller/values.yaml
@@ -57,4 +57,5 @@ ingress-nginx:
 # Also add ssl/tls protocol/cipher to gain some observability here (can we turn off TLS 1.2?)
 log-format-escape-json: true
 log-format-upstream: '{"bytes_sent": "$bytes_sent", "duration": "$request_time", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent", "method": "$request_method", "path": "$uri", "remote_addr": "$proxy_protocol_addr", "remote_user": "$remote_user", "request_id": "$req_id", "request_length": "$request_length", "request_proto": "$server_protocol", "request_time": "$request_time", "status": "$status", "time": "$time_iso8601", "tls_cipher": "$ssl_cipher", "tls_protocol": "$ssl_protocol", "vhost": "$host", "x_forwarded_for": "$proxy_add_x_forwarded_for"}'
- allow-snippet-annotations: true
+ allow-snippet-annotations: true # new format for this flag in newer versions
+ allowSnippetAnnotations: true # needed up to and including version 1.13
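Review bot: The comment `# needed up to and including version 1.13` on the re-added `allowSnippetAnnotations` reads as if the key were already obsolete, but this series pins chart 4.13.5, which presumably ships the 1.13 controller, so it is the key in effect right now and the kebab-case one is forward-looking. As far as I know `allowSnippetAnnotations` is the ingress-nginx chart value (a sibling of `config:`) that renders the ConfigMap entry, whereas `allow-snippet-annotations` is the raw ConfigMap key under `config:`; indentation is lost in this patch, so I cannot tell whether both now sit under `config:`, where the camelCase one would be an unknown ConfigMap key rather than the chart value. Suggest checking the rendered ConfigMap with `helm template` (also for a duplicate `allow-snippet-annotations` entry, if the chart renders the key from the chart value as well) and replacing the two comments with `# chart value, effective on the pinned 4.13.x chart` and `# raw ConfigMap key, kept for chart versions that drop the camelCase value`.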