wireapp · emil-wire · Jan 21, 2026 · Jan 21, 2026 · Jan 22, 2026 · Jan 22, 2026
@@ -0,0 +1 @@
+nginx-ingress-services: Add `ingressAnnotations` option to allow custom annotations on the main ingress resource (e.g., for TLS configuration via server-snippet).
@@ -0,0 +1 @@
+Upgrade nginx-ingress-controller from 4.11.5 to 4.13.5 (k8s 1.29 - 1.33 officially supported - other version may also work)
@@ -4,5 +4,5 @@ name: ingress-nginx-controller
 version: 0.0.42
 dependencies:
 - name: ingress-nginx
-  version: 4.11.5 # k8s compatibility [1.26 - 1.30]
+  version: 4.13.5 # k8s compatibility [1.29 - 1.33]
   repository: https://kubernetes.github.io/ingress-nginx
@@ -14,6 +14,7 @@
 # for all possible values to override.
 ingress-nginx:
   controller:
+    enableAnnotationValidations: false # due to https://github.com/kubernetes/ingress-nginx/issues/12709
     enableTopologyAwareRouting: true
     # Use kind: `DaemonSet` (when using NodePort) or `Deployment` (when using
     # LoadBalancer)
@@ -56,4 +57,4 @@ ingress-nginx:
       # Also add ssl/tls protocol/cipher to gain some observability here (can we turn off TLS 1.2?)
       log-format-escape-json: true
       log-format-upstream: '{"bytes_sent": "$bytes_sent", "duration": "$request_time", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent", "method": "$request_method", "path": "$uri", "remote_addr": "$proxy_protocol_addr", "remote_user": "$remote_user", "request_id": "$req_id", "request_length": "$request_length", "request_proto": "$server_protocol", "request_time": "$request_time", "status": "$status", "time": "$time_iso8601", "tls_cipher": "$ssl_cipher", "tls_protocol": "$ssl_protocol", "vhost": "$host", "x_forwarded_for": "$proxy_add_x_forwarded_for"}'
-    allowSnippetAnnotations: true
+      allow-snippet-annotations: true
@@ -2,8 +2,13 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ include "nginx-ingress-services.getIngressName" . | quote }}
-  {{- if .Values.config.renderCSPInIngress }}
+  {{- if or .Values.config.renderCSPInIngress .Values.ingressAnnotations }}
   annotations:
+    {{- /* Custom annotations (e.g., for server-snippet TLS configuration) */}}
+    {{- with .Values.ingressAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.config.renderCSPInIngress }}
     {{- if not (contains .Values.config.ingressClass "nginx") }}
         {{ fail "In ingress CSP header setting only works with a 'nginx' controller. (Rename it to 'nginx-*' if it is one.)" }}
     {{- end }}
@@ -38,6 +43,7 @@ metadata:
         set $CSP "${CSP} upgrade-insecure-requests";
         more_set_headers "content-security-policy: $CSP";
       }
+    {{- end }}
   {{- end }}
 spec:
   ingressClassName: "{{ .Values.config.ingressClass }}"

@@ -175,3 +175,11 @@ config:
 # If 'true' some resources aren't created because they're expected to already
 # exist. There must be one non-additional instantiation per deployment!
   isAdditionalIngress: false
+
+# Custom annotations to add to the main ingress resource.
+# Useful for adding server-snippet or other nginx-specific configurations.
+# Example:
+#   ingressAnnotations:
+#     nginx.ingress.kubernetes.io/server-snippet: |
+#       ssl_conf_command Curves X25519MLKEM768;
+ingressAnnotations: {}
@@ -20,3 +20,9 @@ ingress-nginx:
     # prevent new kind:Ingress resources to be created in the cluster.
     admissionWebhooks:
       enabled: false
+    # Post-Quantum TLS testing: TLS 1.3 only with ML-KEM key exchange curves
+    config:
+      ssl-protocols: "TLSv1.3"
+      server-snippet: |
+        ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384;
+        ssl_conf_command Curves X25519MLKEM768:SecP256r1MLKEM768:SecP384r1MLKEM1024;
@@ -27,3 +27,10 @@ config:
 
 secrets:
   tlsClientCA: {{ .Values.federationCACertificate | quote }}
+
+# Post-Quantum TLS testing: Add server-snippet via the new ingressAnnotations feature
+ingressAnnotations:
+  nginx.ingress.kubernetes.io/server-snippet: |
+    ssl_protocols TLSv1.3;
+    ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384;
+    ssl_conf_command Curves X25519MLKEM768:SecP256r1MLKEM768:SecP384r1MLKEM1024;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		nginx-ingress-services: Add `ingressAnnotations` option to allow custom annotations on the main ingress resource (e.g., for TLS configuration via server-snippet).
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Upgrade nginx-ingress-controller from 4.11.5 to 4.13.5 (k8s 1.29 - 1.33 officially supported - other version may also work)