Merge branch 'main' into tests/cel-clientsettingspolicies

Author: shaun-nx

apis/v1alpha2/nginxproxy_types.go

@@ -390,6 +390,11 @@ type KubernetesSpec struct {
 
 // Deployment is the configuration for the NGINX Deployment.
 type DeploymentSpec struct {
+	// Container defines container fields for the NGINX container.
+	//
+	// +optional
+	Container ContainerSpec `json:"container"`
+
 	// Number of desired Pods.
 	//
 	// +optional
@@ -399,24 +404,19 @@ type DeploymentSpec struct {
 	//
 	// +optional
 	Pod PodSpec `json:"pod"`
+}
 
+// DaemonSet is the configuration for the NGINX DaemonSet.
+type DaemonSetSpec struct {
 	// Container defines container fields for the NGINX container.
 	//
 	// +optional
 	Container ContainerSpec `json:"container"`
-}
 
-// DaemonSet is the configuration for the NGINX DaemonSet.
-type DaemonSetSpec struct {
 	// Pod defines Pod-specific fields.
 	//
 	// +optional
 	Pod PodSpec `json:"pod"`
-
-	// Container defines container fields for the NGINX container.
-	//
-	// +optional
-	Container ContainerSpec `json:"container"`
 }
 
 // PodSpec defines Pod-specific fields.
@@ -486,6 +486,11 @@ type ContainerSpec struct {
 	// +optional
 	Lifecycle *corev1.Lifecycle `json:"lifecycle,omitempty"`
 
+	// ReadinessProbe defines the readiness probe for the NGINX container.
+	//
+	// +optional
+	ReadinessProbe *ReadinessProbeSpec `json:"readinessProbe,omitempty"`
+
 	// HostPorts are the list of ports to expose on the host.
 	//
 	// +optional
@@ -497,6 +502,26 @@ type ContainerSpec struct {
 	VolumeMounts []corev1.VolumeMount `json:"volumeMounts,omitempty"`
 }
 
+// ReadinessProbeSpec defines the configuration for the NGINX readiness probe.
+type ReadinessProbeSpec struct {
+	// Port is the port on which the readiness endpoint is exposed.
+	// If not specified, the default port is 8081.
+	//
+	// +optional
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=65535
+	Port *int32 `json:"port,omitempty"`
+
+	// InitialDelaySeconds is the number of seconds after the container has
+	// started before the readiness probe is initiated.
+	// If not specified, the default is 3 seconds.
+	//
+	// +optional
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=3600
+	InitialDelaySeconds *int32 `json:"initialDelaySeconds,omitempty"`
+}
+
 // Image is the NGINX image to use.
 type Image struct {
 	// Repository is the image path.

apis/v1alpha2/zz_generated.deepcopy.go

@@ -264,9 +264,9 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `certGenerator.ttlSecondsAfterFinished` | How long to wait after the cert generator job has finished before it is removed by the job controller. | int | `30` |
 | `clusterDomain` | The DNS cluster domain of your Kubernetes cluster. | string | `"cluster.local"` |
 | `gateways` | A list of Gateway objects. View https://gateway-api.sigs.k8s.io/reference/spec/#gateway for full Gateway reference. | list | `[]` |
-| `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. | object | `{"config":{},"container":{"hostPorts":[],"lifecycle":{},"resources":{},"volumeMounts":[]},"debug":false,"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"edge"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","plus":false,"pod":{},"replicas":1,"service":{"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","resolver":"","secretName":"nplus-license","skipVerify":false}}` |
+| `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. | object | `{"config":{},"container":{"hostPorts":[],"lifecycle":{},"readinessProbe":{},"resources":{},"volumeMounts":[]},"debug":false,"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"edge"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","plus":false,"pod":{},"replicas":1,"service":{"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","resolver":"","secretName":"nplus-license","skipVerify":false}}` |
 | `nginx.config` | The configuration for the data plane that is contained in the NginxProxy resource. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{}` |
-| `nginx.container` | The container configuration for the NGINX container. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{"hostPorts":[],"lifecycle":{},"resources":{},"volumeMounts":[]}` |
+| `nginx.container` | The container configuration for the NGINX container. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{"hostPorts":[],"lifecycle":{},"readinessProbe":{},"resources":{},"volumeMounts":[]}` |
 | `nginx.container.hostPorts` | A list of HostPorts to expose on the host. This configuration allows containers to bind to a specific port on the host node, enabling external network traffic to reach the container directly through the host's IP address and port. Use this option when you need to expose container ports on the host for direct access, such as for debugging, legacy integrations, or when NodePort/LoadBalancer services are not suitable. Note: Using hostPort may have security and scheduling implications, as it ties pods to specific nodes and ports. | list | `[]` |
 | `nginx.container.lifecycle` | The lifecycle of the NGINX container. | object | `{}` |
 | `nginx.container.resources` | The resource requirements of the NGINX container. | object | `{}` |

charts/nginx-gateway-fabric/README.md

@@ -351,6 +351,12 @@
               "title": "lifecycle",
               "type": "object"
             },
+            "readinessProbe": {
+              "description": "# -- Defines the settings for the data plane readiness probe. This probe returns Ready when the NGINX data plane is ready to serve traffic.",
+              "required": [],
+              "title": "readinessProbe",
+              "type": "object"
+            },
             "resources": {
               "description": "The resource requirements of the NGINX container.",
               "required": [],

charts/nginx-gateway-fabric/values.schema.json

@@ -441,6 +441,19 @@ nginx:
     # -- volumeMounts are the additional volume mounts for the NGINX container.
     volumeMounts: []
 
+    ## -- Defines the settings for the data plane readiness probe. This probe returns Ready when the NGINX data plane is ready to serve traffic.
+    readinessProbe: {}
+      # @schema
+      # type: integer
+      # minimum: 1
+      # maximum: 65535
+      # @schema
+      # -- Port in which the readiness endpoint is exposed.
+      # port: 8081
+
+      # -- The number of seconds after the Pod has started before the readiness probes are initiated.
+      # initialDelaySeconds: 3
+
   # -- The service configuration for the NGINX data plane. This is applied globally to all Gateways managed by this
   # instance of NGINX Gateway Fabric.
   service:

charts/nginx-gateway-fabric/values.yaml

@@ -362,6 +362,28 @@ spec:
                                   StopSignal can only be set for Pods with a non-empty .spec.os.name
                                 type: string
                             type: object
+                          readinessProbe:
+                            description: ReadinessProbe defines the readiness probe
+                              for the NGINX container.
+                            properties:
+                              initialDelaySeconds:
+                                description: |-
+                                  InitialDelaySeconds is the number of seconds after the container has
+                                  started before the readiness probe is initiated.
+                                  If not specified, the default is 3 seconds.
+                                format: int32
+                                maximum: 3600
+                                minimum: 0
+                                type: integer
+                              port:
+                                description: |-
+                                  Port is the port on which the readiness endpoint is exposed.
+                                  If not specified, the default port is 8081.
+                                format: int32
+                                maximum: 65535
+                                minimum: 1
+                                type: integer
+                            type: object
                           resources:
                             description: Resources describes the compute resource
                               requirements.
@@ -3773,6 +3795,28 @@ spec:
                                   StopSignal can only be set for Pods with a non-empty .spec.os.name
                                 type: string
                             type: object
+                          readinessProbe:
+                            description: ReadinessProbe defines the readiness probe
+                              for the NGINX container.
+                            properties:
+                              initialDelaySeconds:
+                                description: |-
+                                  InitialDelaySeconds is the number of seconds after the container has
+                                  started before the readiness probe is initiated.
+                                  If not specified, the default is 3 seconds.
+                                format: int32
+                                maximum: 3600
+                                minimum: 0
+                                type: integer
+                              port:
+                                description: |-
+                                  Port is the port on which the readiness endpoint is exposed.
+                                  If not specified, the default port is 8081.
+                                format: int32
+                                maximum: 65535
+                                minimum: 1
+                                type: integer
+                            type: object
                           resources:
                             description: Resources describes the compute resource
                               requirements.

config/crd/bases/gateway.nginx.org_nginxproxies.yaml

@@ -947,6 +947,28 @@ spec:
                                   StopSignal can only be set for Pods with a non-empty .spec.os.name
                                 type: string
                             type: object
+                          readinessProbe:
+                            description: ReadinessProbe defines the readiness probe
+                              for the NGINX container.
+                            properties:
+                              initialDelaySeconds:
+                                description: |-
+                                  InitialDelaySeconds is the number of seconds after the container has
+                                  started before the readiness probe is initiated.
+                                  If not specified, the default is 3 seconds.
+                                format: int32
+                                maximum: 3600
+                                minimum: 0
+                                type: integer
+                              port:
+                                description: |-
+                                  Port is the port on which the readiness endpoint is exposed.
+                                  If not specified, the default port is 8081.
+                                format: int32
+                                maximum: 65535
+                                minimum: 1
+                                type: integer
+                            type: object
                           resources:
                             description: Resources describes the compute resource
                               requirements.
@@ -4358,6 +4380,28 @@ spec:
                                   StopSignal can only be set for Pods with a non-empty .spec.os.name
                                 type: string
                             type: object
+                          readinessProbe:
+                            description: ReadinessProbe defines the readiness probe
+                              for the NGINX container.
+                            properties:
+                              initialDelaySeconds:
+                                description: |-
+                                  InitialDelaySeconds is the number of seconds after the container has
+                                  started before the readiness probe is initiated.
+                                  If not specified, the default is 3 seconds.
+                                format: int32
+                                maximum: 3600
+                                minimum: 0
+                                type: integer
+                              port:
+                                description: |-
+                                  Port is the port on which the readiness endpoint is exposed.
+                                  If not specified, the default port is 8081.
+                                format: int32
+                                maximum: 65535
+                                minimum: 1
+                                type: integer
+                            type: object
                           resources:
                             description: Resources describes the compute resource
                               requirements.

deploy/crds.yaml

@@ -13,17 +13,17 @@ require (
 	github.com/onsi/gomega v1.37.0
 	github.com/prometheus/client_golang v1.22.0
 	github.com/spf13/cobra v1.9.1
-	github.com/spf13/pflag v1.0.6
-	go.opentelemetry.io/otel v1.36.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.36.0
+	github.com/spf13/pflag v1.0.7
+	go.opentelemetry.io/otel v1.37.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0
 	go.uber.org/zap v1.27.0
-	golang.org/x/text v0.25.0
-	google.golang.org/grpc v1.72.2
+	golang.org/x/text v0.27.0
+	google.golang.org/grpc v1.74.0
 	google.golang.org/protobuf v1.36.6
-	k8s.io/api v0.33.2
-	k8s.io/apiextensions-apiserver v0.33.2
-	k8s.io/apimachinery v0.33.2
-	k8s.io/client-go v0.33.2
+	k8s.io/api v0.33.3
+	k8s.io/apiextensions-apiserver v0.33.3
+	k8s.io/apimachinery v0.33.3
+	k8s.io/client-go v0.33.3
 	k8s.io/klog/v2 v2.130.1
 	sigs.k8s.io/controller-runtime v0.21.0
 	sigs.k8s.io/gateway-api v1.3.0
@@ -48,12 +48,12 @@ require (
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
 	github.com/google/pprof v0.0.0-20250423184734-337e5dd93bb4 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/maxbrunsfeld/counterfeiter/v6 v6.11.2 // indirect
+	github.com/maxbrunsfeld/counterfeiter/v6 v6.11.3 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
@@ -63,24 +63,24 @@ require (
 	github.com/prometheus/procfs v0.16.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0 // indirect
-	go.opentelemetry.io/otel/metric v1.36.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
-	go.opentelemetry.io/otel/trace v1.36.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.6.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
+	go.opentelemetry.io/otel/metric v1.37.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.37.0 // indirect
+	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.7.0 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/mod v0.24.0 // indirect
-	golang.org/x/net v0.40.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.14.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/mod v0.26.0 // indirect
+	golang.org/x/net v0.42.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/sys v0.34.0 // indirect
+	golang.org/x/term v0.33.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
-	golang.org/x/tools v0.32.0 // indirect
+	golang.org/x/tools v0.35.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect