nginx
diff --git a/‎apis/v1alpha1/nginxproxy_types.go
Lines changed: 19 additions & 6 deletions b/‎apis/v1alpha1/nginxproxy_types.go
Lines changed: 19 additions & 6 deletions
diff --git a/‎charts/nginx-gateway-fabric/README.md
Lines changed: 4 additions & 4 deletions b/‎charts/nginx-gateway-fabric/README.md
Lines changed: 4 additions & 4 deletions
diff --git a/‎charts/nginx-gateway-fabric/values.yaml
Lines changed: 6 additions & 5 deletions b/‎charts/nginx-gateway-fabric/values.yaml
Lines changed: 6 additions & 5 deletions
diff --git a/‎config/crd/bases/gateway.nginx.org_nginxproxies.yaml
Lines changed: 19 additions & 6 deletions b/‎config/crd/bases/gateway.nginx.org_nginxproxies.yaml
Lines changed: 19 additions & 6 deletions
diff --git a/‎config/tests/static-deployment.yaml
Lines changed: 2 additions & 2 deletions b/‎config/tests/static-deployment.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎deploy/aws-nlb/deploy.yaml
Lines changed: 2 additions & 2 deletions b/‎deploy/aws-nlb/deploy.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎deploy/azure/deploy.yaml
Lines changed: 2 additions & 2 deletions b/‎deploy/azure/deploy.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎deploy/crds.yaml
Lines changed: 19 additions & 6 deletions b/‎deploy/crds.yaml
Lines changed: 19 additions & 6 deletions
diff --git a/‎deploy/default/deploy.yaml
Lines changed: 2 additions & 2 deletions b/‎deploy/default/deploy.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎deploy/experimental-nginx-plus/deploy.yaml
Lines changed: 2 additions & 2 deletions b/‎deploy/experimental-nginx-plus/deploy.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎deploy/experimental/deploy.yaml
Lines changed: 2 additions & 2 deletions b/‎deploy/experimental/deploy.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎deploy/nginx-plus/deploy.yaml
Lines changed: 2 additions & 2 deletions b/‎deploy/nginx-plus/deploy.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎deploy/nodeport/deploy.yaml
Lines changed: 2 additions & 2 deletions b/‎deploy/nodeport/deploy.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎deploy/openshift/deploy.yaml
Lines changed: 2 additions & 2 deletions b/‎deploy/openshift/deploy.yaml
Lines changed: 2 additions & 2 deletions
@@ -124,25 +124,38 @@ type TelemetryExporter struct {
 // RewriteClientIP specifies the configuration for rewriting the client's IP address.
 type RewriteClientIP struct {
 	// Mode defines how NGINX will rewrite the client's IP address.
-	// Possible modes: ProxyProtocol, XForwardedFor.
+	// There are two possible modes:
+	// - ProxyProtocol: NGINX will rewrite the client's IP using the PROXY protocol header.
+	// - XForwardedFor: NGINX will rewrite the client's IP using the X-Forwarded-For header.
+	// Sets NGINX directive real_ip_header: https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
 	//
 	// +optional
 	Mode *RewriteClientIPModeType `json:"mode,omitempty"`
 
-	// SetIPRecursively configures whether recursive search is used for selecting client's
-	// address from the X-Forwarded-For header and used in conjunction with TrustedAddresses.
-	// If enabled, NGINX will recurse on the values in X-Forwarded-Header from the end of
-	// array to start of array and select the first untrusted IP.
+	// SetIPRecursively configures whether recursive search is used when selecting the client's address from.
+	// the X-Forwarded-For header. It is used in conjunction with TrustedAddresses.
+	// If enabled, NGINX will recurse on the values in X-Forwarded-Header from the end of array
+	// to start of array and select the first untrusted IP.
+	// For example, if X-Forwarded-For is [11.11.11.11, 22.22.22.22, 55.55.55.1],
+	// and TrustedAddresses is set to 55.55.55.1/0, NGINX will rewrite the client IP to 22.22.22.22.
+	// If disabled, NGINX will select the IP at the end of the array.
+	// In the previous example, 55.55.55.1 would be selected.
+	// Sets NGINX directive real_ip_recursive: https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive
 	//
 	// +optional
 	SetIPRecursively *bool `json:"setIPRecursively,omitempty"`
 
 	// TrustedAddresses specifies the addresses that are trusted to send correct client IP information.
 	// If a request comes from a trusted address, NGINX will rewrite the client IP information,
 	// and forward it to the backend in the X-Forwarded-For* and X-Real-IP headers.
+	// If the request does not come from a trusted address, NGINX will not rewrite the client IP information.
+	// Addresses must be provided as CIDR blocks: 10.0.0.0/32, 192.33.21/0.
+	// To trust all addresses (not recommended), set to 0.0.0.0/0.
+	// If no addresses are provided, NGINX will not rewrite the client IP information.
+	// Sets NGINX directive set_real_ip_from: https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
 	// This field is required if mode is set.
 	// +kubebuilder:validation:MaxItems=16
-	// +listType=atomic
+	// +listType=set
 	//
 	//
 	// +optional
 
@@ -263,8 +263,8 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `nginx.config` | The configuration for the data plane that is contained in the NginxProxy resource. | object | `{}` |
 | `nginx.extraVolumeMounts` | extraVolumeMounts are the additional volume mounts for the nginx container. | list | `[]` |
 | `nginx.image.pullPolicy` |  | string | `"Always"` |
-| `nginx.image.repository` | The NGINX image to use. | string | `"gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric/nginx"` |
-| `nginx.image.tag` |  | string | `"sa.choudhary"` |
+| `nginx.image.repository` | The NGINX image to use. | string | `"ghcr.io/nginxinc/nginx-gateway-fabric/nginx"` |
+| `nginx.image.tag` |  | string | `"edge"` |
 | `nginx.lifecycle` | The lifecycle of the nginx container. | object | `{}` |
 | `nginx.plus` | Is NGINX Plus image being used | bool | `false` |
 | `nginx.usage.clusterName` | The display name of the Kubernetes cluster in the NGINX Plus usage reporting server. | string | `""` |
@@ -279,8 +279,8 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `nginxGateway.gatewayControllerName` | The name of the Gateway controller. The controller name must be of the form: DOMAIN/PATH. The controller's domain is gateway.nginx.org. | string | `"gateway.nginx.org/nginx-gateway-controller"` |
 | `nginxGateway.gwAPIExperimentalFeatures.enable` | Enable the experimental features of Gateway API which are supported by NGINX Gateway Fabric. Requires the Gateway APIs installed from the experimental channel. | bool | `false` |
 | `nginxGateway.image.pullPolicy` |  | string | `"Always"` |
-| `nginxGateway.image.repository` | The NGINX Gateway Fabric image to use | string | `"gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric"` |
-| `nginxGateway.image.tag` |  | string | `"sa.choudhary"` |
+| `nginxGateway.image.repository` | The NGINX Gateway Fabric image to use | string | `"ghcr.io/nginxinc/nginx-gateway-fabric"` |
+| `nginxGateway.image.tag` |  | string | `"edge"` |
 | `nginxGateway.kind` | The kind of the NGINX Gateway Fabric installation - currently, only deployment is supported. | string | `"deployment"` |
 | `nginxGateway.leaderElection.enable` | Enable leader election. Leader election is used to avoid multiple replicas of the NGINX Gateway Fabric reporting the status of the Gateway API resources. If not enabled, all replicas of NGINX Gateway Fabric will update the statuses of the Gateway API resources. | bool | `true` |
 | `nginxGateway.leaderElection.lockName` | The name of the leader election lock. A Lease object with this name will be created in the same Namespace as the controller. | string | Autogenerated if not set or set to "". |
 
@@ -52,8 +52,8 @@ nginxGateway:
 
   image:
     # -- The NGINX Gateway Fabric image to use
-    repository: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric
-    tag: sa.choudhary
+    repository: ghcr.io/nginxinc/nginx-gateway-fabric
+    tag: edge
     pullPolicy: Always
 
   securityContext:
@@ -81,8 +81,8 @@ nginxGateway:
 nginx:
   image:
     # -- The NGINX image to use.
-    repository: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric/nginx
-    tag: sa.choudhary
+    repository: ghcr.io/nginxinc/nginx-gateway-fabric/nginx
+    tag: edge
     pullPolicy: Always
 
   # -- Is NGINX Plus image being used
@@ -95,7 +95,8 @@ nginx:
     # ipFamily: dual
     # rewriteClientIP:
     #   mode: "ProxyProtocol"
-    #   trustedAddresses: ["0.0.0.0/0"]
+    #   # -- The trusted addresses field needs to be replaced with the load balancer's IP address.
+    #   trustedAddresses: []
     #   setIPRecursively: true
     # telemetry:
     #   exporter:
 
@@ -69,23 +69,36 @@ spec:
                   mode:
                     description: |-
                       Mode defines how NGINX will rewrite the client's IP address.
-                      Possible modes: ProxyProtocol, XForwardedFor.
+                      There are two possible modes:
+                      - ProxyProtocol: NGINX will rewrite the client's IP using the PROXY protocol header.
+                      - XForwardedFor: NGINX will rewrite the client's IP using the X-Forwarded-For header.
+                      Sets NGINX directive real_ip_header: https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
                     enum:
                     - ProxyProtocol
                     - XForwardedFor
                     type: string
                   setIPRecursively:
                     description: |-
-                      SetIPRecursively configures whether recursive search is used for selecting client's
-                      address from the X-Forwarded-For header and used in conjunction with TrustedAddresses.
-                      If enabled, NGINX will recurse on the values in X-Forwarded-Header from the end of
-                      array to start of array and select the first untrusted IP.
+                      SetIPRecursively configures whether recursive search is used when selecting the client's address from.
+                      the X-Forwarded-For header. It is used in conjunction with TrustedAddresses.
+                      If enabled, NGINX will recurse on the values in X-Forwarded-Header from the end of array
+                      to start of array and select the first untrusted IP.
+                      For example, if X-Forwarded-For is [11.11.11.11, 22.22.22.22, 55.55.55.1],
+                      and TrustedAddresses is set to 55.55.55.1/0, NGINX will rewrite the client IP to 22.22.22.22.
+                      If disabled, NGINX will select the IP at the end of the array.
+                      In the previous example, 55.55.55.1 would be selected.
+                      Sets NGINX directive real_ip_recursive: https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive
                     type: boolean
                   trustedAddresses:
                     description: |-
                       TrustedAddresses specifies the addresses that are trusted to send correct client IP information.
                       If a request comes from a trusted address, NGINX will rewrite the client IP information,
                       and forward it to the backend in the X-Forwarded-For* and X-Real-IP headers.
+                      If the request does not come from a trusted address, NGINX will not rewrite the client IP information.
+                      Addresses must be provided as CIDR blocks: 10.0.0.0/32, 192.33.21/0.
+                      To trust all addresses (not recommended), set to 0.0.0.0/0.
+                      If no addresses are provided, NGINX will not rewrite the client IP information.
+                      Sets NGINX directive set_real_ip_from: https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
                       This field is required if mode is set.
                     items:
                       description: |-
@@ -95,7 +108,7 @@ spec:
                       type: string
                     maxItems: 16
                     type: array
-                    x-kubernetes-list-type: atomic
+                    x-kubernetes-list-type: set
                 type: object
                 x-kubernetes-validations:
                 - message: if mode is set, trustedAddresses is a required field
 
@@ -45,7 +45,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric:sa.choudhary
+        image: ghcr.io/nginxinc/nginx-gateway-fabric:edge
         imagePullPolicy: Always
         name: nginx-gateway
         ports:
@@ -82,7 +82,7 @@ spec:
           mountPath: /var/run/nginx
         - name: nginx-includes
           mountPath: /etc/nginx/includes
-      - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric/nginx:sa.choudhary
+      - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge
         imagePullPolicy: Always
         name: nginx
         ports:
 
@@ -217,7 +217,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric:sa.choudhary
+        image: ghcr.io/nginxinc/nginx-gateway-fabric:edge
         imagePullPolicy: Always
         name: nginx-gateway
         ports:
@@ -256,7 +256,7 @@ spec:
           name: nginx-run
         - mountPath: /etc/nginx/includes
           name: nginx-includes
-      - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric/nginx:sa.choudhary
+      - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge
         imagePullPolicy: Always
         name: nginx
         ports:
 
@@ -214,7 +214,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric:sa.choudhary
+        image: ghcr.io/nginxinc/nginx-gateway-fabric:edge
         imagePullPolicy: Always
         name: nginx-gateway
         ports:
@@ -253,7 +253,7 @@ spec:
           name: nginx-run
         - mountPath: /etc/nginx/includes
           name: nginx-includes
-      - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric/nginx:sa.choudhary
+      - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge
         imagePullPolicy: Always
         name: nginx
         ports:
 
@@ -654,23 +654,36 @@ spec:
                   mode:
                     description: |-
                       Mode defines how NGINX will rewrite the client's IP address.
-                      Possible modes: ProxyProtocol, XForwardedFor.
+                      There are two possible modes:
+                      - ProxyProtocol: NGINX will rewrite the client's IP using the PROXY protocol header.
+                      - XForwardedFor: NGINX will rewrite the client's IP using the X-Forwarded-For header.
+                      Sets NGINX directive real_ip_header: https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
                     enum:
                     - ProxyProtocol
                     - XForwardedFor
                     type: string
                   setIPRecursively:
                     description: |-
-                      SetIPRecursively configures whether recursive search is used for selecting client's
-                      address from the X-Forwarded-For header and used in conjunction with TrustedAddresses.
-                      If enabled, NGINX will recurse on the values in X-Forwarded-Header from the end of
-                      array to start of array and select the first untrusted IP.
+                      SetIPRecursively configures whether recursive search is used when selecting the client's address from.
+                      the X-Forwarded-For header. It is used in conjunction with TrustedAddresses.
+                      If enabled, NGINX will recurse on the values in X-Forwarded-Header from the end of array
+                      to start of array and select the first untrusted IP.
+                      For example, if X-Forwarded-For is [11.11.11.11, 22.22.22.22, 55.55.55.1],
+                      and TrustedAddresses is set to 55.55.55.1/0, NGINX will rewrite the client IP to 22.22.22.22.
+                      If disabled, NGINX will select the IP at the end of the array.
+                      In the previous example, 55.55.55.1 would be selected.
+                      Sets NGINX directive real_ip_recursive: https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive
                     type: boolean
                   trustedAddresses:
                     description: |-
                       TrustedAddresses specifies the addresses that are trusted to send correct client IP information.
                       If a request comes from a trusted address, NGINX will rewrite the client IP information,
                       and forward it to the backend in the X-Forwarded-For* and X-Real-IP headers.
+                      If the request does not come from a trusted address, NGINX will not rewrite the client IP information.
+                      Addresses must be provided as CIDR blocks: 10.0.0.0/32, 192.33.21/0.
+                      To trust all addresses (not recommended), set to 0.0.0.0/0.
+                      If no addresses are provided, NGINX will not rewrite the client IP information.
+                      Sets NGINX directive set_real_ip_from: https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
                       This field is required if mode is set.
                     items:
                       description: |-
@@ -680,7 +693,7 @@ spec:
                       type: string
                     maxItems: 16
                     type: array
-                    x-kubernetes-list-type: atomic
+                    x-kubernetes-list-type: set
                 type: object
                 x-kubernetes-validations:
                 - message: if mode is set, trustedAddresses is a required field
 
@@ -214,7 +214,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric:sa.choudhary
+        image: ghcr.io/nginxinc/nginx-gateway-fabric:edge
         imagePullPolicy: Always
         name: nginx-gateway
         ports:
@@ -253,7 +253,7 @@ spec:
           name: nginx-run
         - mountPath: /etc/nginx/includes
           name: nginx-includes
-      - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric/nginx:sa.choudhary
+      - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge
         imagePullPolicy: Always
         name: nginx
         ports:
 
@@ -229,7 +229,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric:sa.choudhary
+        image: ghcr.io/nginxinc/nginx-gateway-fabric:edge
         imagePullPolicy: Always
         name: nginx-gateway
         ports:
@@ -268,7 +268,7 @@ spec:
           name: nginx-run
         - mountPath: /etc/nginx/includes
           name: nginx-includes
-      - image: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:sa.choudhary
+      - image: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:edge
         imagePullPolicy: Always
         name: nginx
         ports:
 
@@ -220,7 +220,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric:sa.choudhary
+        image: ghcr.io/nginxinc/nginx-gateway-fabric:edge
         imagePullPolicy: Always
         name: nginx-gateway
         ports:
@@ -259,7 +259,7 @@ spec:
           name: nginx-run
         - mountPath: /etc/nginx/includes
           name: nginx-includes
-      - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric/nginx:sa.choudhary
+      - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge
         imagePullPolicy: Always
         name: nginx
         ports:
 
@@ -225,7 +225,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric:sa.choudhary
+        image: ghcr.io/nginxinc/nginx-gateway-fabric:edge
         imagePullPolicy: Always
         name: nginx-gateway
         ports:
@@ -264,7 +264,7 @@ spec:
           name: nginx-run
         - mountPath: /etc/nginx/includes
           name: nginx-includes
-      - image: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:sa.choudhary
+      - image: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:edge
         imagePullPolicy: Always
         name: nginx
         ports:
 
@@ -214,7 +214,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric:sa.choudhary
+        image: ghcr.io/nginxinc/nginx-gateway-fabric:edge
         imagePullPolicy: Always
         name: nginx-gateway
         ports:
@@ -253,7 +253,7 @@ spec:
           name: nginx-run
         - mountPath: /etc/nginx/includes
           name: nginx-includes
-      - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric/nginx:sa.choudhary
+      - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge
         imagePullPolicy: Always
         name: nginx
         ports:
 
@@ -222,7 +222,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric:sa.choudhary
+        image: ghcr.io/nginxinc/nginx-gateway-fabric:edge
         imagePullPolicy: Always
         name: nginx-gateway
         ports:
@@ -261,7 +261,7 @@ spec:
           name: nginx-run
         - mountPath: /etc/nginx/includes
           name: nginx-includes
-      - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric/nginx:sa.choudhary
+      - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge
         imagePullPolicy: Always
         name: nginx
         ports: