Merge branch 'main' into hpa

nowjean · web-flow · commit 8075053c60d5 · 2025-06-12T10:00:25.000+09:00
diff --git a/charts/nginx-gateway-fabric/README.md b/charts/nginx-gateway-fabric/README.md
@@ -252,11 +252,16 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 
 | Key | Description | Type | Default |
 |-----|-------------|------|---------|
-| `certGenerator` | The certGenerator section contains the configuration for the cert-generator Job. | object | `{"agentTLSSecretName":"agent-tls","annotations":{},"overwrite":false,"serverTLSSecretName":"server-tls"}` |
+| `certGenerator` | The certGenerator section contains the configuration for the cert-generator Job. | object | `{"affinity":{},"agentTLSSecretName":"agent-tls","annotations":{},"nodeSelector":{},"overwrite":false,"serverTLSSecretName":"server-tls","tolerations":[],"topologySpreadConstraints":[],"ttlSecondsAfterFinished":30}` |
+| `certGenerator.affinity` | The affinity of the cert-generator pod. | object | `{}` |
 | `certGenerator.agentTLSSecretName` | The name of the base Secret containing TLS CA, certificate, and key for the NGINX Agent to securely communicate with the NGINX Gateway Fabric control plane. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"agent-tls"` |
 | `certGenerator.annotations` | The annotations of the cert-generator Job. | object | `{}` |
+| `certGenerator.nodeSelector` | The nodeSelector of the cert-generator pod. | object | `{}` |
 | `certGenerator.overwrite` | Overwrite existing TLS Secrets on startup. | bool | `false` |
 | `certGenerator.serverTLSSecretName` | The name of the Secret containing TLS CA, certificate, and key for the NGINX Gateway Fabric control plane to securely communicate with the NGINX Agent. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"server-tls"` |
+| `certGenerator.tolerations` | Tolerations for the cert-generator pod. | list | `[]` |
+| `certGenerator.topologySpreadConstraints` | The topology spread constraints for the cert-generator pod. | list | `[]` |
+| `certGenerator.ttlSecondsAfterFinished` | How long to wait after the cert generator job has finished before it is removed by the job controller. | int | `30` |
 | `clusterDomain` | The DNS cluster domain of your Kubernetes cluster. | string | `"cluster.local"` |
 | `gateways` | A list of Gateway objects. View https://gateway-api.sigs.k8s.io/reference/spec/#gateway for full Gateway reference. | list | `[]` |
 | `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. | object | `{"config":{},"container":{},"debug":false,"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"edge"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","plus":false,"pod":{},"replicas":1,"service":{"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","resolver":"","secretName":"nplus-license","skipVerify":false}}` |
@@ -283,7 +288,7 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `nginx.usage.resolver` | The nameserver used to resolve the NGINX Plus usage reporting endpoint. Used with NGINX Instance Manager. | string | `""` |
 | `nginx.usage.secretName` | The name of the Secret containing the JWT for NGINX Plus usage reporting. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"nplus-license"` |
 | `nginx.usage.skipVerify` | Disable client verification of the NGINX Plus usage reporting server certificate. | bool | `false` |
-| `nginxGateway` | The nginxGateway section contains configuration for the NGINX Gateway Fabric control plane deployment. | object | `{"affinity":{},"config":{"logging":{"level":"info"}},"configAnnotations":{},"extraVolumeMounts":[],"extraVolumes":[],"gatewayClassAnnotations":{},"gatewayClassName":"nginx","gatewayControllerName":"gateway.nginx.org/nginx-gateway-controller","gwAPIExperimentalFeatures":{"enable":false},"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric","tag":"edge"},"kind":"deployment","labels":{},"leaderElection":{"enable":true,"lockName":""},"lifecycle":{},"metrics":{"enable":true,"port":9113,"secure":false},"nodeSelector":{},"podAnnotations":{},"productTelemetry":{"enable":true},"readinessProbe":{"enable":true,"initialDelaySeconds":3,"port":8081},"replicas":1,"resources":{},"service":{"annotations":{}},"serviceAccount":{"annotations":{},"imagePullSecret":"","imagePullSecrets":[],"name":""},"snippetsFilters":{"enable":false},"terminationGracePeriodSeconds":30,"tolerations":[],"topologySpreadConstraints":[]}` |
+| `nginxGateway` | The nginxGateway section contains configuration for the NGINX Gateway Fabric control plane deployment. | object | `{"affinity":{},"config":{"logging":{"level":"info"}},"configAnnotations":{},"extraVolumeMounts":[],"extraVolumes":[],"gatewayClassAnnotations":{},"gatewayClassName":"nginx","gatewayControllerName":"gateway.nginx.org/nginx-gateway-controller","gwAPIExperimentalFeatures":{"enable":false},"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric","tag":"edge"},"kind":"deployment","labels":{},"leaderElection":{"enable":true,"lockName":""},"lifecycle":{},"metrics":{"enable":true,"port":9113,"secure":false},"nodeSelector":{},"podAnnotations":{},"productTelemetry":{"enable":true},"readinessProbe":{"enable":true,"initialDelaySeconds":3,"port":8081},"replicas":1,"resources":{},"service":{"annotations":{},"labels":{}},"serviceAccount":{"annotations":{},"imagePullSecret":"","imagePullSecrets":[],"name":""},"snippetsFilters":{"enable":false},"terminationGracePeriodSeconds":30,"tolerations":[],"topologySpreadConstraints":[]}` |
 | `nginxGateway.affinity` | The affinity of the NGINX Gateway Fabric control plane pod. | object | `{}` |
 | `nginxGateway.config.logging.level` | Log level. | string | `"info"` |
 | `nginxGateway.configAnnotations` | Set of custom annotations for NginxGateway objects. | object | `{}` |
@@ -311,8 +316,9 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `nginxGateway.readinessProbe.port` | Port in which the readiness endpoint is exposed. | int | `8081` |
 | `nginxGateway.replicas` | The number of replicas of the NGINX Gateway Fabric Deployment. | int | `1` |
 | `nginxGateway.resources` | The resource requests and/or limits of the nginx-gateway container. | object | `{}` |
-| `nginxGateway.service` | The service configuration for the NGINX Gateway Fabric control plane. | object | `{"annotations":{}}` |
+| `nginxGateway.service` | The service configuration for the NGINX Gateway Fabric control plane. | object | `{"annotations":{},"labels":{}}` |
 | `nginxGateway.service.annotations` | The annotations of the NGINX Gateway Fabric control plane service. | object | `{}` |
+| `nginxGateway.service.labels` | The labels of the NGINX Gateway Fabric control plane service. | object | `{}` |
 | `nginxGateway.serviceAccount` | The serviceaccount configuration for the NGINX Gateway Fabric control plane. | object | `{"annotations":{},"imagePullSecret":"","imagePullSecrets":[],"name":""}` |
 | `nginxGateway.serviceAccount.annotations` | Set of custom annotations for the NGINX Gateway Fabric control plane service account. | object | `{}` |
 | `nginxGateway.serviceAccount.imagePullSecret` | The name of the secret containing docker registry credentials for the control plane. Secret must exist in the same namespace as the helm release. | string | `""` |
diff --git a/charts/nginx-gateway-fabric/templates/certs-job.yaml b/charts/nginx-gateway-fabric/templates/certs-job.yaml
@@ -153,4 +153,20 @@ spec:
       securityContext:
         fsGroup: 1001
         runAsNonRoot: true
-  ttlSecondsAfterFinished: 0
+      {{- if .Values.certGenerator.topologySpreadConstraints }}
+      topologySpreadConstraints:
+      {{- toYaml .Values.certGenerator.topologySpreadConstraints | nindent 6 }}
+      {{- end }}
+      {{- if .Values.certGenerator.affinity }}
+      affinity:
+      {{- toYaml .Values.certGenerator.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.certGenerator.tolerations }}
+      tolerations:
+      {{- toYaml .Values.certGenerator.tolerations | nindent 6 }}
+      {{- end }}
+      {{- if .Values.certGenerator.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.certGenerator.nodeSelector | nindent 8 }}
+      {{- end }}
+  ttlSecondsAfterFinished: {{ .Values.certGenerator.ttlSecondsAfterFinished }}
diff --git a/charts/nginx-gateway-fabric/templates/service.yaml b/charts/nginx-gateway-fabric/templates/service.yaml
@@ -5,6 +5,9 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "nginx-gateway.labels" . | nindent 4 }}
+{{- if .Values.nginxGateway.service.labels }}
+{{ toYaml .Values.nginxGateway.service.labels | indent 4 }}
+{{- end }}
 {{- if .Values.nginxGateway.service.annotations }}
   annotations:
 {{ toYaml .Values.nginxGateway.service.annotations | indent 4 }}
diff --git a/charts/nginx-gateway-fabric/values.schema.json b/charts/nginx-gateway-fabric/values.schema.json
@@ -4,6 +4,12 @@
     "certGenerator": {
       "description": "The certGenerator section contains the configuration for the cert-generator Job.",
       "properties": {
+        "affinity": {
+          "description": "The affinity of the cert-generator pod.",
+          "required": [],
+          "title": "affinity",
+          "type": "object"
+        },
         "agentTLSSecretName": {
           "default": "agent-tls",
           "description": "The name of the base Secret containing TLS CA, certificate, and key for the NGINX Agent to securely\ncommunicate with the NGINX Gateway Fabric control plane. Must exist in the same namespace that the\nNGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway).",
@@ -17,6 +23,12 @@
           "title": "annotations",
           "type": "object"
         },
+        "nodeSelector": {
+          "description": "The nodeSelector of the cert-generator pod.",
+          "required": [],
+          "title": "nodeSelector",
+          "type": "object"
+        },
         "overwrite": {
           "default": false,
           "description": "Overwrite existing TLS Secrets on startup.",
@@ -30,6 +42,31 @@
           "required": [],
           "title": "serverTLSSecretName",
           "type": "string"
+        },
+        "tolerations": {
+          "description": "Tolerations for the cert-generator pod.",
+          "items": {
+            "required": []
+          },
+          "required": [],
+          "title": "tolerations",
+          "type": "array"
+        },
+        "topologySpreadConstraints": {
+          "description": "The topology spread constraints for the cert-generator pod.",
+          "items": {
+            "required": []
+          },
+          "required": [],
+          "title": "topologySpreadConstraints",
+          "type": "array"
+        },
+        "ttlSecondsAfterFinished": {
+          "default": 30,
+          "description": "How long to wait after the cert generator job has finished before it is removed by the job controller.",
+          "required": [],
+          "title": "ttlSecondsAfterFinished",
+          "type": "integer"
         }
       },
       "required": [],
@@ -767,6 +804,12 @@
               "required": [],
               "title": "annotations",
               "type": "object"
+            },
+            "labels": {
+              "description": "The labels of the NGINX Gateway Fabric control plane service.",
+              "required": [],
+              "title": "labels",
+              "type": "object"
             }
           },
           "required": [],
diff --git a/charts/nginx-gateway-fabric/values.yaml b/charts/nginx-gateway-fabric/values.yaml
@@ -59,6 +59,9 @@ nginxGateway:
     # -- The annotations of the NGINX Gateway Fabric control plane service.
     annotations: {}
 
+    # -- The labels of the NGINX Gateway Fabric control plane service.
+    labels: {}
+
   # -- The serviceaccount configuration for the NGINX Gateway Fabric control plane.
   serviceAccount:
     # -- Set of custom annotations for the NGINX Gateway Fabric control plane service account.
@@ -512,6 +515,21 @@ certGenerator:
   # -- Overwrite existing TLS Secrets on startup.
   overwrite: false
 
+  # -- How long to wait after the cert generator job has finished before it is removed by the job controller.
+  ttlSecondsAfterFinished: 30
+
+  # -- Tolerations for the cert-generator pod.
+  tolerations: []
+
+  # -- The nodeSelector of the cert-generator pod.
+  nodeSelector: {}
+
+  # -- The affinity of the cert-generator pod.
+  affinity: {}
+
+  # -- The topology spread constraints for the cert-generator pod.
+  topologySpreadConstraints: []
+
 # -- A list of Gateway objects. View https://gateway-api.sigs.k8s.io/reference/spec/#gateway for full Gateway reference.
 gateways: []
 
diff --git a/deploy/azure/deploy.yaml b/deploy/azure/deploy.yaml
@@ -367,7 +367,7 @@ spec:
         fsGroup: 1001
         runAsNonRoot: true
       serviceAccountName: nginx-gateway-cert-generator
-  ttlSecondsAfterFinished: 0
+  ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/default/deploy.yaml b/deploy/default/deploy.yaml
@@ -365,7 +365,7 @@ spec:
         fsGroup: 1001
         runAsNonRoot: true
       serviceAccountName: nginx-gateway-cert-generator
-  ttlSecondsAfterFinished: 0
+  ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/experimental-nginx-plus/deploy.yaml b/deploy/experimental-nginx-plus/deploy.yaml
@@ -373,7 +373,7 @@ spec:
         fsGroup: 1001
         runAsNonRoot: true
       serviceAccountName: nginx-gateway-cert-generator
-  ttlSecondsAfterFinished: 0
+  ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/experimental/deploy.yaml b/deploy/experimental/deploy.yaml
@@ -370,7 +370,7 @@ spec:
         fsGroup: 1001
         runAsNonRoot: true
       serviceAccountName: nginx-gateway-cert-generator
-  ttlSecondsAfterFinished: 0
+  ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/nginx-plus/deploy.yaml b/deploy/nginx-plus/deploy.yaml
@@ -368,7 +368,7 @@ spec:
         fsGroup: 1001
         runAsNonRoot: true
       serviceAccountName: nginx-gateway-cert-generator
-  ttlSecondsAfterFinished: 0
+  ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/nodeport/deploy.yaml b/deploy/nodeport/deploy.yaml
@@ -365,7 +365,7 @@ spec:
         fsGroup: 1001
         runAsNonRoot: true
       serviceAccountName: nginx-gateway-cert-generator
-  ttlSecondsAfterFinished: 0
+  ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/openshift/deploy.yaml b/deploy/openshift/deploy.yaml
@@ -387,7 +387,7 @@ spec:
         fsGroup: 1001
         runAsNonRoot: true
       serviceAccountName: nginx-gateway-cert-generator
-  ttlSecondsAfterFinished: 0
+  ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/snippets-filters-nginx-plus/deploy.yaml b/deploy/snippets-filters-nginx-plus/deploy.yaml
@@ -371,7 +371,7 @@ spec:
         fsGroup: 1001
         runAsNonRoot: true
       serviceAccountName: nginx-gateway-cert-generator
-  ttlSecondsAfterFinished: 0
+  ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/deploy/snippets-filters/deploy.yaml b/deploy/snippets-filters/deploy.yaml
@@ -368,7 +368,7 @@ spec:
         fsGroup: 1001
         runAsNonRoot: true
       serviceAccountName: nginx-gateway-cert-generator
-  ttlSecondsAfterFinished: 0
+  ttlSecondsAfterFinished: 30
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: GatewayClass
diff --git a/docs/developer/release-process.md b/docs/developer/release-process.md
@@ -66,6 +66,7 @@ To create a new release, follow these steps:
     5. Any references in the docs to the previous release.
     6. Any installation instructions to ensure that the supported Gateway API and NGF versions are correct. Specifically, helm README.
 8. Prepare and merge a PR into the main branch of the [documentation repository](https://github.com/nginx/documentation) from the relevant release branch, such as `ngf-release-2.0`.
+   - In the NGF repo, run `make generate-api-docs` and copy the generated file from `docs/api/content.md` into the documentation repo to `content/ngf/reference/api.md`.
    - Update the HTML file located at `layouts/shortcodes/version-ngf.html` with the latest version. Ensure you do not add an empty line to the file.
    - Documentation is built and deployed automatically from `main`, and will trigger when merging to it.
    - Create a new branch for the next release version, in the format `ngf-release-<i>.<i>`, substituting the *i* placeholders for major and minor version numbers.
@@ -94,4 +95,4 @@ To create a new release, follow these steps:
 4. Test the release branch for release-readiness.
 5. If a problem is found, return to Step 2.
 6. Follow Steps 5-7 from the [Major or Minor Release](#major-or-minor-release) section.
-7. Prepare and merge a PR into the main branch of the [documentation repository](https://github.com/nginx/documentation) to update the NGF version in `layouts/shortcodes/version-ngf.html`.
+7. Prepare and merge a PR into the main branch of the [documentation repository](https://github.com/nginx/documentation) to update the NGF version in `layouts/shortcodes/version-ngf.html`. If any of our APIs have changed, in the NGF repo, run `make generate-api-docs` and copy the generated file from `docs/api/content.md` into the documentation repo to `content/ngf/reference/api.md`.
