v3.6.0

What's Changed

🚀 Features

• Preserve valid listeners when invalid listeners are present in GlobalConfiguration by @haywoodsh in #5205
• Add proxy-set-headers annotation for ingress by @AlexFenlon in #5366
• Add telemetry data - ingresses by @jjngx in #5406
• add service count metric to telemetry by @j1m-ryan in #5408
• Add Ingress Classes to Telemetry data by @jjngx in #5418
• Add policies count to telemetry by @AlexFenlon in #5457
• Add support for headers in action return by @andrew-s in #5204
• Add Granular Policy count for telemetry by @AlexFenlon in #5489
• Add Ingress Annotation List to Telemetry by @AlexFenlon in #5516
• Add AppProtectVersion to Telemetry by @AlexFenlon in #5554
• Add IsPlus to Telemetry by @AlexFenlon in #5571
• Add Installation Flags to Telemetry by @AlexFenlon in #5586
• Scale ratelimit with ingress pods by @dbaumgarten in #5113
• Add Granular Ingress Counts to Telemetry by @AlexFenlon in #5608
• Add Granular Services Counts to Telemetry by @AlexFenlon in #5627
• enable external service args by @vepatel in #5736
• Integrate NAP WAF v5 by @shaun-nx in #5698
• Support APIKey authentication by @haywoodsh in #5580

🐛 Bug Fixes

• fix ap-waf flag in error message by @vepatel in #5350
• Don't reload when use-cluster-ip endpoints update, and change the ingress use-cluster-ip implementation to use the cluster ip instead of the fqdn by @j1m-ryan in #5318
• fix status for invalid vs and vsr, for weight changes dynamic reload by @j1m-ryan in #5375
• pin ap compiler by @vepatel in #5433
• Add support for named ports in ingresses which use-cluster-ip by @j1m-ryan in #5456
• Fix nginx breaking & remove unused code for ProxySetHeaders annotation by @AlexFenlon in #5426
• Fix error messages by @jjngx in #5542
• Fix incorrect errors showing in Telemetry by @AlexFenlon in #5561
• Don't count Custom Resources if not enabled at NIC startup by @jjngx in #5749
• Change log level, to Info and above, before calling prometheus exporter functions by @j1m-ryan in #5786
• fix api key policy undefined routes by @j1m-ryan in #5838

📦 Helm Chart

• Remove the before NGINX Ingress Controller in some cases by @j1m-ryan in #5274
• Version Bump for 3.6.0 by @nginx-bot in #5285
• correct helm version in docs by @pdabelf5 in #5287
• update helm flag in docs for enableWeightChangesDynamicReload by @j1m-ryan in #5313
• docs version update to 3.5.0 by @pdabelf5 in #5327
• Collect count of secrets by @shaun-nx in #5404
• add local helm schema validation by @pdabelf5 in #5493
• 3.5.1 docs update by @pdabelf5 in #5520
• Revert "add local helm schema validation" by @oseoin in #5528
• Release 3.5.2 by @pdabelf5 in #5678
• helm: add knob to control cluster level rbac rendering by @hafe in #5229
• update values schema from 1.29 to 1.30 by @j1m-ryan in #5772
• Version Bump for 3.7.0 by @nginx-bot in #5828

🧪 Tests

• Wait before assertion in weight changes dynamic reload test by @j1m-ryan in #5302
• simplify smoke-test action by @pdabelf5 in #5311
• enable logging in tests by @vepatel in #5499
• Revert "enable logging in tests" by @oseoin in #5543
• Bump kindest/node from v1.29.2 to v1.30.0 in /tests in the docker-tests group across 1 directory by @dependabot in #5549
• add files for upgrade tests by @vepatel in #5553
• Docker image update d41d8cd9 by @nginx-bot in #5570
• exclude upgrade files from nightly regression tests by @vepatel in #5581
• add wait to dos test by @vepatel in #5656
• skip dos log test by @vepatel in #5658
• Fix test_dos_sec_logs_on by @pasmant in #5725
• Mount config and deployments dirs to smoke containers by @oseoin in #5740
• Docker image update d41d8cd9 by @nginx-bot in #5743
• replace skopeo action with skopeo image by @pdabelf5 in #5760
• add functional tests for rate-limit scaling by @vepatel in #5758
• check pod readiness in ingress scale test by @vepatel in #5774
• Workflow refactor by @pdabelf5 in #5766
• add docker scout scan to pipelines by @pdabelf5 in #5759
• Docker image update d41d8cd9 by @nginx-bot in #5822
• check for non 50x 404 response by @vepatel in #5851

🔨 Maintenance

79 changes

• Bump Go version to v1.22.2 by @jjngx in #5354
• Fix false-positive code scanning issue by @jjngx in #5365
• update labeller config by @pdabelf5 in #5381
• Bump the go group with 3 updates by @dependabot in #5368
• Republish helm chart workflow by @pdabelf5 in #5370
• update github labels by @pdabelf5 in #5392
• docs only workflow by @pdabelf5 in #5405
• Set reporting endpoint in makefile by @shaun-nx in #5411
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #5403
• filter README changes in examples by @pdabelf5 in #5437
• Bump the actions group across 1 directory with 5 updates by @dependabot in #5438
• fix broken image cache update workflow by @pdabelf5 in #5439
• Bump the actions group across 1 directory with 5 updates by @dependabot in #5458
• update codegen by @haywoodsh in #5462
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #5475
• Bump the actions group across 1 directory with 4 updates by @dependabot in #5485
• Bump the actions group with 2 updates by @dependabot in #5494
• update image patching to use new workflows by @pdabelf5 in #5497
• improve forked workflow detection by @pdabelf5 in #5501
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #5507
• rebuild python test image daily by @pdabelf5 in #5508
• Bump the actions group across 1 directory with 3 updates by @dependabot in #5510
• fix syntax error in helm release workflow by @pdabelf5 in #5521
• Add missing dependency hash by @oseoin in #5531
• Bump the actions group across 1 directory with 8 updates by @dependabot in #5548
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #5539
• Forced SHA update workflow by @oseoin in #5560
• Fix workflow PR labels by @oseoin in #5574
• add cherry-pick action by @vepatel in #5575
• remove cert-gen script by @vepatel in #5583
• add top level permission by @vepatel in #5584
• Bump the actions group across 1 directory with 5 updates by @dependabot in #5587
• pick latest release branch for cherry picks by @pdabelf5 in #5595
• fix test artifact name and test marker by @vepatel in #5596
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #5593
• add PAT to jobs by @vepatel in #5599
• Bump aquasecurity/trivy-action from 0.20.0 to 0.21.0 in the actions group by @dependabot in #5609
• Add [cherry-pick] to title of dependabot cherry-pick prs by @oseoin in #5626
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #5629
• Fix repo references in version-bump by @oseoin in #5640
• fail smoke test job if we get a cache miss on fetching the binary by @pdabelf5 in #5672
• assign write permissions when publishing ghcr images by @pdabelf5 in #5663
• Bump the actions group across 1 directory with 4 updates by @dependabot in #5677
• address bug where base & head ref are not always correct by @pdabelf5 in #5681
• make helm-publish workflow re-usable by @pdabelf5 in #5682
• address "Invalid Semantic Version" error when building helm chart for… by @pdabelf5 in #5688
• update to gorelease 2.0 config syntax by @pdabelf5 in #5700
• Bump the actions group across 1 directory with 4 updates by @dependabot in #5708
• assign packages write permission to ghcr push by @pdabelf5 in #5711
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #5724
• Bump docker/build-push-action from 5.3.0 to 5.4.0 in the actions group by @dependabot in #5720
• Bump github/codeql-action from 3.25.8 to 3.25.9 in the actions group by @dependabot in #5739
• add release workflow by @pdabelf5 in #5742
• add slack notifications to release workflow by @pdabelf5 in #5751
• ensure wafv5 base images are created by @pdabelf5 in #5771
• Pipeline fixes by @pdabelf5 in #5785
• Change results order to allow auto-merge by @oseoin in #5788
• Remove duplicate repo owner and fix smoke test requirement by @pdabelf5 in #5791
• Add name to image promotion and always run promotion by @oseoin in #5793
• Add 'needs cherry pick' label to auto-create cherrypick PRs by @oseoin in #5796
• Bump the actions group across 1 directory with 12 updates by @dependabot in #5798
• add addiitional pr tag to images by @pdabelf5 in #5799
• Enable auto-merge for dependabot by @oseoin in #5801
• Bump docker/build-push-action from 6.0.1 to 6.0.2 in the actions group by @dependabot in #5805
• add regression workflow by @pdabelf5 in #5809
• Test splitting smoke tests by dependency by @oseoin in #5803
• Re-order docker builds by @oseoin in #5812
• consolidate image generation matrices by @pdabelf5 in #5815
• Run Trivy & DockerScout on main & release branches by @pdabelf5 in #5818
• Skip upload test results on skipped tests by @oseoin in #5827
• Change test upload logic to match test run logic by @oseoin in #5829
• Fix branch prefix for docker sha updates by @oseoin in #5830
• add permissions to update released images by @pdabelf5 in #5831
• Forked workflow build by @oseoin in #5835
• Bump the actions group across 1 directory with 5 updates by @dependabot in #5825
• Add actionlint pre commit plugin by @pdabelf5 in #5839
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #5841
• remove sarif artifact upload for images in feature branches by @pdabelf5 in #5850
• ensure example versions are updated by @pdabelf5 in #5853

📝 Documentation

• Fix incorrect example versions by @oseoin in #5300
• Security monitoring docs by @oseoin in #5301
• Documentation maintenance: tooling update and metadata fixes. by @ADubhlaoich in #5328
• Fix heading in agent config doc by @oseoin in #5356
• update doc for waf-dos image by @vepatel in #5360
• Update community call dates by @danielnginx in #5367
• use inclusive language by @vepatel in #5396
• fix link to rbac template by @vepatel in #5410
• fix example path by @vepatel in #5414
• Add docs for proxy-set-header annotation in Ingress by @AlexFenlon in #5413
• Collect usage of GlobalConfiguration resources by @shaun-nx in #5415
• Remove community call time column by @j1m-ryan in #5424
• Add examples for ProxySetHeaders Annotation by @AlexFenlon in #5431
• Remove bank holiday from community call dates by @j1m-ryan in #5477
• Added replaceAll support for go templates by @fabriziofiorucci in #5468
• Rewrite "Security recommendations" page. by @ADubhlaoich in #5342
• update operator version by @vepatel in #5564
• Fix codeblock languages, prefix instances by @ADubhlaoich in #5604
• NAP link fixes & improvements to troubleshooting documentation by @ADubhlaoich in #5605
• update google marketplace links by @vepatel in #5615
• Added missing "cd" command by @fabriziofiorucci in #5614
• add azure marketplace link by @vepatel in #5619
• Update Community Call Dates by @AlexFenlon in #5639
• update release 3.5.2 docs by @vepatel in #5684
• Add grpc example by @vepatel in #5699
• Add F5 prefix to configuration opening paragraphs, style consistency by @ADubhlaoich in #5737
• Update top level documentation pages for style consistency by @ADubhlaoich in #5754
• API Key Auth Policy Docs by @j1m-ryan in #5752
• Add examples for app protect waf v5 by @shaun-nx in #5784
• WAF v5 docs update by @jjngx in #5719
• fix path by @vepatel in #5847
• change telemetry to telemetryReporting in docs by @j1m-ryan in #5855

⬆️ Dependencies

85 changes

• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #5268
• Bump the actions group with 3 updates by @dependabot in #5271
• Bump the actions group with 1 update by @dependabot in #5284
• Bump nginx from 02d8d94 to 31bad00 in /build by @dependabot in #5298
• Bump the actions group with 2 updates by @dependabot in #5303
• Bump the actions group with 1 update by @dependabot in #5306
• Bump the python group in /tests with 2 updates by @dependabot in #5307
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #5308
• Bump the actions group with 3 updates by @dependabot in #5314
• Bump the actions group with 3 updates by @dependabot in #5321
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #5326
• Bump the actions group with 1 update by @dependabot in #5332
• Bump golang from 0466223 to cdc86d9 in /build by @dependabot in #5344
• Bump redhat/ubi8 from bce7e9f to edc34f8 in /build by @dependabot in #5345
• Bump codecov/codecov-action from 4.1.1 to 4.2.0 in the actions group by @dependabot in #5353
• Bump the go group with 3 updates by @dependabot in #5331
• Bump the python group in /tests with 4 updates by @dependabot in #5324
• Bump the actions group with 2 updates by @dependabot in #5357
• Bump the actions group with 2 updates by @dependabot in #5362
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #5364
• Bump nginx from 31bad00 to 31bad00 in /build by @dependabot in #5371
• Bump codecov/codecov-action from 4.2.0 to 4.3.0 in the actions group by @dependabot in #5372
• Bump sigstore/cosign-installer from 3.4.0 to 3.5.0 in the actions group by @dependabot in #5376
• Bump actions/labeler from 5.0.0.pre.alpha.1 to 5 by @dependabot in #5377
• Bump opentracing/nginx-opentracing from 435e34d to aa7bdee in /build by @dependabot in #5378
• Bump nginx from 31bad00 to 31bad00 in /build by @dependabot in #5379
• Bump idna from 3.6 to 3.7 in /tests by @dependabot in #5380
• Bump the actions group with 2 updates by @dependabot in #5387
• ensure minimum of protobuf 1.33.0 by @pdabelf5 in #5384
• Bump redhat/ubi9-minimal from 582e18f to bc552ef in /build by @dependabot in #5398
• Bump nginxcontrib/nginx from e5a5611 to 5e6680d in /build by @dependabot in #5397
• Bump nginx from 31bad00 to 31bad00 in /build by @dependabot in #5399
• Bump redhat/ubi9 from 1fafb09 to 66233ee in /build by @dependabot in #5400
• Bump the docker-images group in /build with 3 updates by @dependabot in #5427
• Bump the python group across 1 directory with 4 updates by @dependabot in #5449
• Bump the docker-images group across 1 directory with 3 updates by @dependabot in #5447
• Bump pytest from 8.1.1 to 8.2.0 in /tests in the python group by @dependabot in #5473
• Bump nginxinc/alpine-fips from f00b3f2 to f00b3f2 in /build by @dependabot in #5472
• update codegen by @pdabelf5 in #5492
• Bump the go group across 1 directory with 7 updates by @dependabot in #5495
• Bump redhat/ubi9-minimal from bc552ef to b6ec3ea in /build by @dependabot in #5486
• Bump redhat/ubi9 from 66233ee to 770cf07 in /build by @dependabot in #5488
• Bump the python group in /tests with 4 updates by @dependabot in #5504
• Bump nginxcontrib/nginx from 41a840d to d3b4797 in /build by @dependabot in #5487
• Bump redhat/ubi9 from 770cf07 to ed84f34 in /build by @dependabot in #5514
• Bump redhat/ubi9-minimal from b6ec3ea to 2636170 in /build by @dependabot in #5512
• Bump Go version to fix vulnerability in std lib by @jjngx in #5540
• Bump redhat/ubi8 from edc34f8 to 83068ea in /build by @dependabot in #5535
• Bump the go group across 1 directory with 4 updates by @dependabot in #5537
• Bump golang from cdc86d9 to 2a88224 in /build by @dependabot in #5522
• Bump golang from 2a88224 to f1fe698 in /build by @dependabot in #5558
• Bump nginx from ca16009 to ef587d1 in /build by @dependabot in #5515
• Bump the go group with 6 updates by @dependabot in #5557
• Bump nginxcontrib/nginx from d3b4797 to 3cb2535 in /build by @dependabot in #5513
• update telemetry export version by @pdabelf5 in #5532
• Bump the go group with 4 updates by @dependabot in #5568
• Bump the go group with 2 updates by @dependabot in #5577
• Bump the python group across 1 directory with 4 updates by @dependabot in #5597
• Bump golang from f1fe698 to b8ded51 in /build by @dependabot in #5612
• Bump redhat/ubi8 from 83068ea to a424544 in /build by @dependabot in #5611
• Bump the go group across 1 directory with 4 updates by @dependabot in #5622
• Upgrade prometheus exporter to 1.1.2 by @pdabelf5 in #5655
• Bump the python group in /tests with 2 updates by @dependabot in #5628
• Bump golang from 421bc7f to 7e78833 in /build by @dependabot in #5667
• Docker image update d41d8cd9 by @nginx-bot in #5668
• Bump the python group in /tests with 2 updates by @dependabot in #5683
• Upgrade Go v1.22.4 with security fixes by @jjngx in #5693
• Bump redhat/ubi8 from f4292f4 to 2a5d234 in /build by @dependabot in #5690
• Bump golang from 7e78833 to 9bdd569 in /build by @dependabot in #5696
• Bump telemetry-exporter version to v0.1.0 by @jjngx in #5709
• Bump the go group across 1 directory with 8 updates by @dependabot in #5704
• Bump nginxcontrib/nginx from 8354754 to 2075c93 in /build by @dependabot in #5713
• Bump redhat/ubi9-minimal from ef6fb6b to 0d6b09f in /build by @dependabot in #5714
• Bump redhat/ubi8 from 2a5d234 to 143123d in /build by @dependabot in #5715
• Bump the go group with 2 updates by @dependabot in #5721
• Bump the python group in /tests with 10 updates by @dependabot in #5723
• Bump the go group with 4 updates by @dependabot in #5748
• Bump nginxcontrib/nginx from 2075c93 to 69de271 in /build by @dependabot in #5763
• Bump nginx from 69f8c2c to 69f8c2c in /build by @dependabot in #5764
• Snapshot testing for templates by @oseoin in #5735
• Bump the go group across 1 directory with 4 updates by @dependabot in #5789
• Bump urllib3 from 2.2.1 to 2.2.2 in /tests in the python group by @dependabot in #5768
• Bump the go group with 3 updates by @dependabot in #5804
• Bump nginx from d68d230 to 5c0c227 in /build by @dependabot in #5819
• Bump the go group with 1 update by @dependabot in #5821

Other Changes

• allow to choose previous nic/chart version by @pdabelf5 in #5276
• correct docs PR workflow variable by @pdabelf5 in #5279
• add merge queue support to workflows by @pdabelf5 in #5278
• remove gcr marketplace publish step by @pdabelf5 in #5309
• add build_tag variables by @pdabelf5 in #5316
• disable telemetry in helm tests by @pdabelf5 in #5336
• codecov v4 needs a token to upload results by @pdabelf5 in #5338
• remove unused variable from Dockerfile target by @pdabelf5 in #5341
• add script/config for tagging & pushing images by @pdabelf5 in #5343
• add image release workflows by @pdabelf5 in #5348
• recalculate forked_workflow variable by @pdabelf5 in #5352
• add release workflows by @pdabelf5 in #5346
• remove labeler config workaround by @pdabelf5 in #5382
• only apply test label to test file changes by @pdabelf5 in #5386
• Remove redundant import in telemetry package by @jjngx in #5423
• update nap logconf CRD by @galitskiy in #5273
• Add unit tests for replaceAll by @vepatel in #5481
• Remove unused var by @jjngx in #5541
• Remove deprecated Go code by @jjngx in #5559
• Fix error msg to comply with a Go linter by @jjngx in #5582
• Docker image update d41d8cd9 by @nginx-bot in #5637
• NGINX Plus R32 by @oseoin in #5649
• Update debian build stages to use gpg over sq by @shaun-nx in #5664
• update opentracing images to 1.27.0 by @pdabelf5 in #5674
• Test reducing size of UBI NAP images by @oseoin in #5613
• Fix ratelimit-scaling for mergable ingresses #5727 by @dbaumgarten in #5728
• update debian nap waf/dos image to debian:12 by @pdabelf5 in #5780
• Re-add docs string to telemetry schema file by @shaun-nx in #5775
• Docker image update d41d8cd9 by @nginx-bot in #5808
• Fix build arg for templates by @oseoin in #5844

New Contributors

• @andrew-s made their first contribution in #5204

Full Changelog: v3.5.2...v3.6.0

Upgrade

• For NGINX, use the 3.6.0 images from our DockerHub, GitHub Container, Amazon ECR Public Gallery or Quay.io.
• For NGINX Plus, use the 3.6.0 images from the F5 Container registry, the AWS Marketplace, the GCP Marketplace or build your own image using the v3.6.0 source code.
• For Helm, use version 1.3.0 of the chart.

Resources

• Documentation -- https://docs.nginx.com/nginx-ingress-controller/
• Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/3.6.0/examples
• Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/3.6.0/charts/nginx-ingress
• Operator -- https://github.com/nginxinc/nginx-ingress-helm-operator