nginx
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/build.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/ci.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/nfr.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/nfr.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 1 addition & 1 deletion b/‎.pre-commit-config.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎apis/v1alpha2/nginxproxy_types.go‎
Lines changed: 46 additions & 0 deletions b/‎apis/v1alpha2/nginxproxy_types.go‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎apis/v1alpha2/zz_generated.deepcopy.go‎
Lines changed: 55 additions & 8 deletions b/‎apis/v1alpha2/zz_generated.deepcopy.go‎
Lines changed: 55 additions & 8 deletions
diff --git a/‎config/crd/bases/gateway.nginx.org_nginxproxies.yaml‎
Lines changed: 72 additions & 0 deletions b/‎config/crd/bases/gateway.nginx.org_nginxproxies.yaml‎
Lines changed: 72 additions & 0 deletions
@@ -82,7 +82,7 @@ jobs:
 
       - name: Authenticate to Google Cloud
         id: auth
-        uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10
+        uses: google-github-actions/auth@140bb5113ffb6b65a7e9b937a81fa96cf5064462 # v2.1.11
         with:
           token_format: access_token
           workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY }}
 
@@ -165,7 +165,7 @@ jobs:
         if: github.ref_type == 'tag'
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
         if: github.ref_type == 'tag'
 
       - name: Build binary
 
@@ -86,7 +86,7 @@ jobs:
 
       - name: Authenticate to Google Cloud
         id: auth
-        uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10
+        uses: google-github-actions/auth@140bb5113ffb6b65a7e9b937a81fa96cf5064462 # v2.1.11
         with:
           token_format: access_token
           workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY }}
@@ -100,7 +100,7 @@ jobs:
           password: ${{ steps.auth.outputs.access_token }}
 
       - name: Set up Cloud SDK
-        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+        uses: google-github-actions/setup-gcloud@6a7c903a70c8625ed6700fa299f5ddb4ca6022e9 # v2.1.5
         with:
           project_id: ${{ secrets.GCP_PROJECT_ID }}
           install_components: kubectl
 
@@ -27,7 +27,7 @@ repos:
         exclude: (^examples/|^docs/|.*_test.go$)
 
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.27.2
+    rev: v8.28.0
     hooks:
       - id: gitleaks
 
 
@@ -2,6 +2,7 @@ package v1alpha2
 
 import (
 	corev1 "k8s.io/api/core/v1"
+	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/nginx/nginx-gateway-fabric/apis/v1alpha1"
@@ -388,6 +389,36 @@ type KubernetesSpec struct {
 	Service *ServiceSpec `json:"service,omitempty"`
 }
 
+// Patch defines a patch to apply to a Kubernetes object.
+type Patch struct {
+	// Type is the type of patch. Defaults to StrategicMerge.
+	//
+	// +optional
+	// +kubebuilder:default:=StrategicMerge
+	Type *PatchType `json:"type,omitempty"`
+
+	// Value is the patch data as raw JSON.
+	// For StrategicMerge and Merge patches, this should be a JSON object.
+	// For JSONPatch patches, this should be a JSON array of patch operations.
+	//
+	// +optional
+	// +kubebuilder:validation:XPreserveUnknownFields
+	Value *apiextv1.JSON `json:"value,omitempty"`
+}
+
+// PatchType specifies the type of patch.
+// +kubebuilder:validation:Enum=StrategicMerge;Merge;JSONPatch
+type PatchType string
+
+const (
+	// PatchTypeStrategicMerge uses strategic merge patch.
+	PatchTypeStrategicMerge PatchType = "StrategicMerge"
+	// PatchTypeMerge uses merge patch (RFC 7386).
+	PatchTypeMerge PatchType = "Merge"
+	// PatchTypeJSONPatch uses JSON patch (RFC 6902).
+	PatchTypeJSONPatch PatchType = "JSONPatch"
+)
+
 // Deployment is the configuration for the NGINX Deployment.
 type DeploymentSpec struct {
 	// Container defines container fields for the NGINX container.
@@ -404,6 +435,11 @@ type DeploymentSpec struct {
 	//
 	// +optional
 	Pod PodSpec `json:"pod"`
+
+	// Patches are custom patches to apply to the NGINX Deployment.
+	//
+	// +optional
+	Patches []Patch `json:"patches,omitempty"`
 }
 
 // DaemonSet is the configuration for the NGINX DaemonSet.
@@ -417,6 +453,11 @@ type DaemonSetSpec struct {
 	//
 	// +optional
 	Pod PodSpec `json:"pod"`
+
+	// Patches are custom patches to apply to the NGINX DaemonSet.
+	//
+	// +optional
+	Patches []Patch `json:"patches,omitempty"`
 }
 
 // PodSpec defines Pod-specific fields.
@@ -594,6 +635,11 @@ type ServiceSpec struct {
 	//
 	// +optional
 	NodePorts []NodePort `json:"nodePorts,omitempty"`
+
+	// Patches are custom patches to apply to the NGINX Service.
+	//
+	// +optional
+	Patches []Patch `json:"patches,omitempty"`
 }
 
 // ServiceType describes ingress method for the Service.
 
@@ -511,6 +511,30 @@ spec:
                               type: object
                             type: array
                         type: object
+                      patches:
+                        description: Patches are custom patches to apply to the NGINX
+                          DaemonSet.
+                        items:
+                          description: Patch defines a patch to apply to a Kubernetes
+                            object.
+                          properties:
+                            type:
+                              default: StrategicMerge
+                              description: Type is the type of patch. Defaults to
+                                StrategicMerge.
+                              enum:
+                              - StrategicMerge
+                              - Merge
+                              - JSONPatch
+                              type: string
+                            value:
+                              description: |-
+                                Value is the patch data as raw JSON.
+                                For StrategicMerge and Merge patches, this should be a JSON object.
+                                For JSONPatch patches, this should be a JSON array of patch operations.
+                              x-kubernetes-preserve-unknown-fields: true
+                          type: object
+                        type: array
                       pod:
                         description: Pod defines Pod-specific fields.
                         properties:
@@ -3944,6 +3968,30 @@ spec:
                               type: object
                             type: array
                         type: object
+                      patches:
+                        description: Patches are custom patches to apply to the NGINX
+                          Deployment.
+                        items:
+                          description: Patch defines a patch to apply to a Kubernetes
+                            object.
+                          properties:
+                            type:
+                              default: StrategicMerge
+                              description: Type is the type of patch. Defaults to
+                                StrategicMerge.
+                              enum:
+                              - StrategicMerge
+                              - Merge
+                              - JSONPatch
+                              type: string
+                            value:
+                              description: |-
+                                Value is the patch data as raw JSON.
+                                For StrategicMerge and Merge patches, this should be a JSON object.
+                                For JSONPatch patches, this should be a JSON array of patch operations.
+                              x-kubernetes-preserve-unknown-fields: true
+                          type: object
+                        type: array
                       pod:
                         description: Pod defines Pod-specific fields.
                         properties:
@@ -6996,6 +7044,30 @@ spec:
                           - port
                           type: object
                         type: array
+                      patches:
+                        description: Patches are custom patches to apply to the NGINX
+                          Service.
+                        items:
+                          description: Patch defines a patch to apply to a Kubernetes
+                            object.
+                          properties:
+                            type:
+                              default: StrategicMerge
+                              description: Type is the type of patch. Defaults to
+                                StrategicMerge.
+                              enum:
+                              - StrategicMerge
+                              - Merge
+                              - JSONPatch
+                              type: string
+                            value:
+                              description: |-
+                                Value is the patch data as raw JSON.
+                                For StrategicMerge and Merge patches, this should be a JSON object.
+                                For JSONPatch patches, this should be a JSON array of patch operations.
+                              x-kubernetes-preserve-unknown-fields: true
+                          type: object
+                        type: array
                       type:
                         default: LoadBalancer
                         description: ServiceType describes ingress method for the