Update ghcr.io/nginx/nginx-gateway-fabric Docker tag to v2

[renovate]

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app being renamed to mend[bot].

This notice will be removed on 2025-10-07.

---

This PR contains the following updates:

Package	Type	Update	Change
ghcr.io/nginx/nginx-gateway-fabric	Kustomization	major	v1.0.0 -> 2.1.4

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

nginx/nginx-gateway-fabric (ghcr.io/nginx/nginx-gateway-fabric)

v2.1.4

Compare Source

October 1, 2025

BUG FIXES:

• Update Alpine packages libcrpyto3 and libssl3 to fix cves. 3993

HELM CHART:

• The version of the Helm chart is now 2.1.4

COMPATIBILITY:

• Gateway API version: 1.3.0
• NGINX version: 1.29.1
• NGINX Plus version: R35
• NGINX Agent version: v3.3.1
• Kubernetes version: 1.25+

CONTAINER IMAGES:

• Control plane: ghcr.io/nginx/nginx-gateway-fabric:2.1.4
• Data plane: ghcr.io/nginx/nginx-gateway-fabric/nginx:2.1.4
• Data plane with NGINX Plus: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:2.1.4

v2.1.3

Compare Source

October 1, 2025

BUG FIXES:

• Update Alpine packages libexpat and tiff to fix cves. 3973

HELM CHART:

• The version of the Helm chart is now 2.1.3

COMPATIBILITY:

• Gateway API version: 1.3.0
• NGINX version: 1.29.1
• NGINX Plus version: R35
• NGINX Agent version: v3.3.1
• Kubernetes version: 1.25+

CONTAINER IMAGES:

• Control plane: ghcr.io/nginx/nginx-gateway-fabric:2.1.3
• Data plane: ghcr.io/nginx/nginx-gateway-fabric/nginx:2.1.3
• Data plane with NGINX Plus: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:2.1.3

v2.1.2

Compare Source

September 25, 2025

BUG FIXES:

• Fixes a bug where the subscribe method was incorrectly intercepting initial configuration operations after a ServiceAccountToken rotation and signaling broadcast completion. 3905
• Fixes an issue where a failed configuration reload caused all HTTPRoutes to be marked as invalid (Accepted: false). This led to external-dns removing DNS records even though the configuration had been rolled back. Routes now retain their valid state during reload failures, preventing unnecessary DNS disruptions. 3936
• Adds NGINX image version validation during agent connections to prevent newer config being sent to pods running previous image versions during upgrades. 3928

NGINX AGENT BUG FIXES:

• The NGINX Agent v3.3.1 update fixes connection reset issues during config apply by reusing existing connections, adds rollback on failures, and improves logging for more reliable configuration updates. 1261

HELM CHART:

• The version of the Helm chart is now 2.1.2

COMPATIBILITY:

• Gateway API version: 1.3.0
• NGINX version: 1.29.1
• NGINX Plus version: R35
• NGINX Agent version: v3.3.1
• Kubernetes version: 1.25+

CONTAINER IMAGES:

• Control plane: ghcr.io/nginx/nginx-gateway-fabric:2.1.2
• Data plane: ghcr.io/nginx/nginx-gateway-fabric/nginx:2.1.2
• Data plane with NGINX Plus: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:2.1.2

v2.1.1

Compare Source

September 3, 2025

BUG FIXES:

• Fix remove patch label/ annotation cross contamination. 3754
• Fix host readiness probe on ipv6 in addition to ipv4. 3765. Thanks to lucasl0st.
• Prevent policy includes duplication in advanced routing configuration. 3799
• Adjust nginx agent backoff settings and revert request timeout. 3820

HELM CHART:

• The version of the Helm chart is now 2.1.1
• Add patches to helm chart spec. 3773

COMPATIBILITY:

• Gateway API version: 1.3.0
• NGINX version: 1.29.1
• NGINX Plus version: R35
• NGINX Agent version: v3.2.1
• Kubernetes version: 1.25+

CONTAINER IMAGES:

• Control plane: ghcr.io/nginx/nginx-gateway-fabric:2.1.1
• Data plane: ghcr.io/nginx/nginx-gateway-fabric/nginx:2.1.1
• Data plane with NGINX Plus: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:2.1.1

v2.1.0

Compare Source

August 14, 2025

FEATURES:

• Add policyAffected status for policy target refs. 3535
• Add support for appProtocol on BackendRefs which point to a Kubernetes Service with a specified appProtocol on the target Service Port. 3511
• Support configurable hostPorts in NGINX container. 3321
• Add support for configuring NGINX worker_connections directive. 3611
• Add support for percentage based request mirroring. 3627
• NGINX Pod now has a configurable readiness probe. 3629
• Add the ability to patch the dataplane Service, Deployment, and DaemonSet resources through NginxProxy. 3630
• Add disableSNIHostValidation field to NginxProxy CRD to resolve HTTP/2 connection reuse issues with wildcard certificates, with documented security trade-offs. 3659
• Enable connection to NGINX One Console. 3676
• Add HorizontalPodAutoscaling support for both control plane and data plane deployments. 3702. Thanks to nowjean.
• Set the OverlappingTLSConfig condition on Listeners with overlapping TLS hostnames. 3709

BUG FIXES:

• Fix an issue where the NGINX Pod couldn't connect to control plane if multiple Pods shared the NGINX Pod's IP address. 3673

DOCUMENTATION:

• Add simplified architecture diagrams for traffic flow and config changes. 3557

HELM CHART:

• The version of the Helm chart is now 2.1.0.
• Allow users to specify nginxGateway.name to configure names of deployments. 3528
• Fix Helm Schema for data plane volume mounts. 3588. Thanks to vazkarvishal.
• Update Helm Chart README to recommend using server-side apply when applying NGF CRDs. 3589

UPGRADE:

• Important: Upgrading from v2.0.x to 2.1 requires the NGINX Gateway Fabric control plane to be uninstalled and then reinstalled to avoid any downtime to user traffic. CRDs do not need to be removed. The NGINX data plane deployment is not affected by this process, and traffic should still flow uninterrupted. For more information on how to do so, view our guide on Upgrading NGINX Gateway Fabric

COMPATIBILITY:

• Gateway API version: 1.3.0
• NGINX version: 1.29.0
• NGINX Plus version: R35
• NGINX Agent version: v3.2.0
• Kubernetes version: 1.25+

CONTAINER IMAGES:

• Control plane: ghcr.io/nginx/nginx-gateway-fabric:2.1.0
• Data plane: ghcr.io/nginx/nginx-gateway-fabric/nginx:2.1.0
• Data plane with NGINX Plus: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:2.1.0

v2.0.2

Compare Source

July 8, 2025

Bug Fixes:

• Fix crash when BackendRef filter is specified. 3508
• Fix index out of bounds error when building status. 3513
• Disable automountServiceAccountToken on ServiceAccount, and instead enable on the Pods directly. 3573
• Fix port binding with reduced privileges. 3574
• Fixed an issue where SnippetsFilters were being included in NGINX configuration for all gateways regardless of whether routes attached to those specific gateways actually referenced the filters. 3586

HELM CHART:

• The version of the Helm chart is now 2.0.2.
• Removes Extra keyword from volumeMounts and Volumes for the data plane. 3588. Thanks to vazkarvishal.

COMPATIBILITY:

• Gateway API version: 1.3.0
• NGINX version: 1.28.0
• NGINX Plus version: R34
• NGINX Agent version: v3.0.1
• Kubernetes version: 1.25+

CONTAINER IMAGES:

• Control plane: ghcr.io/nginx/nginx-gateway-fabric:2.0.2
• Data plane: ghcr.io/nginx/nginx-gateway-fabric/nginx:2.0.2
• Data plane with NGINX Plus: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:2.0.2

v2.0.1

Compare Source

June 11, 2025

Bug Fixes:

• Set proper IP family policy on NGINX LB Service. 3475.

HELM CHART:

• The version of the Helm chart is now 2.0.1.
• Add support to configure cert-generator job pod placement. 3493. Thanks to Baburciu.
• Add support for configuring the ttlSecondsAfterFinished field for the cert-generator job. The default is set to 30s. 3487. Thanks to Ab-andresc.
• Adds support for all additional labels for the control plane service. 3499. Thanks to MichasHL.

COMPATIBILITY:

• Gateway API version: 1.3.0
• NGINX version: 1.28.0
• NGINX Plus version: R34
• NGINX Agent version: v3.0.1
• Kubernetes version: 1.25+

CONTAINER IMAGES:

• Control plane: ghcr.io/nginx/nginx-gateway-fabric:2.0.1
• Data plane: ghcr.io/nginx/nginx-gateway-fabric/nginx:2.0.1
• Data plane with NGINX Plus: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:2.0.1

v2.0.0

Compare Source

June 5, 2025

BREAKING CHANGES:

How to upgrade to 2.0.0.

The following changes are breaking and require users to fully uninstall NGINX Gateway Fabric (including NGINX Gateway Fabric CRDs) before re-installing the new version. Gateway API resources (such as Gateway, HTTPRoute, etc) are unaffected and can be left alone. 3318

• Control plane and data plane have been separated into different Deployments. The control plane will provision an NGINX data plane Deployment and Service when a Gateway object is created.
• NginxProxy CRD resource is now namespace-scoped (was cluster-scoped).
• NginxProxy resource controls infrastructure fields for the NGINX Deployment and Service, such as replicas, loadBalancerIP, serviceType, etc. Users who want to set or update these fields must do so either at installation time through the helm chart (which sets them globally), or per Gateway. Updating these fields directly on a provisioned nginx Deployment or Service will not take effect. This does not apply to the the NGINX Gateway Fabric control plane Deployment.
• Helm values structure has changed slightly to better support the separate Deployments.
• nginxGateway.replicaCount Helm value has been renamed to nginxGateway.replicas.

FEATURES:

• Support for creating and deploying multiple Gateways. 3318
• NginxProxy resource can now additionally be attached to a Gateway, and will overwrite any settings that are attached at the GatewayClass level, for the Gateway that it's attached to. 3318
• Listener isolation supported for all routes. 3067
• Allow configuration of NGINX Plus API access. 3066
• Adds regex matching for headers and query params for HTTPRoutes and headers for GRPCRoutes. 3093
• Add support for request mirroring using the RequestMirror filter. 3066
• Adds support for Secrets to be used in BackendTLSPolicy for TLS certificates and CA certificates. 3084. Thanks to porthorian.

BUG FIXES:

• Fix an issue where default headers were still being set when overwritten by a user. 3249
• Add 503 status code when there are zero upstream endpoints. 3406
• Fixed bug that occurred when a route's ParentRef does not include a sectionName and the Gateway's listeners have duplicate hostnames. This would cause conflicts when the route tries to attach to all the listeners and falsely trigger validation checks around overlapping routes. 3418

DOCUMENTATION:

• Migrated the documentation website into the NGINX documentation repository. 3047

HELM CHART:

• The version of the Helm chart is now 2.0.0
• Helm values structure has changed slightly to better support the separate Deployments.
• nginxGateway.replicaCount Helm value has been renamed to nginxGateway.replicas.
• Add support for control plane Deployment labels. 3194. Thanks to Butterneck.

UPGRADE:

• Upgrade to 2.0.0

KNOWN ISSUES:

• NGINX LoadBalancer Service IPFamily uses Kubernetes default (likely SingleStack IPv4) instead of matching the ipFamily set in the NginxProxy resource, which defaults to DualStack. 3473

DEPENDENCIES:

• NGINX Plus was updated to R34. 3281
• Update to v1.3.0 of the Gateway API. 3348

COMPATIBILITY:

• Gateway API version: 1.3.0
• NGINX version: 1.28.0
• NGINX Plus version: R34
• NGINX Agent version: v3.0.0
• Kubernetes version: 1.25+

CONTAINER IMAGES:

• Control plane: ghcr.io/nginx/nginx-gateway-fabric:2.0.0
• Data plane: ghcr.io/nginx/nginx-gateway-fabric/nginx:2.0.0
• Data plane with NGINX Plus: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:2.0.0

v1.6.2

Compare Source

March 11, 2025

HELM CHART:

• The version of the Helm chart is now 1.6.2

UPGRADE:

• Update golang.org/x/oauth2. 3185

COMPATIBILITY:

• Gateway API version: 1.2.1
• NGINX version: 1.27.4
• NGINX Plus version: R33
• Kubernetes version: 1.25+

CONTAINER IMAGES:

• Control plane: ghcr.io/nginx/nginx-gateway-fabric:1.6.2
• Data plane: ghcr.io/nginx/nginx-gateway-fabric/nginx:1.6.2
• Data plane with NGINX Plus: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:1.6.2

v1.6.1

Compare Source

February 6, 2025

HELM CHART:

• The version of the Helm chart is now 1.6.1

UPGRADE:

• Update nginx to version 1.27.4. 3102

COMPATIBILITY:

• Gateway API version: 1.2.1
• NGINX version: 1.27.4
• NGINX Plus version: R33
• Kubernetes version: 1.25+

CONTAINER IMAGES:

• Control plane: ghcr.io/nginx/nginx-gateway-fabric:1.6.1
• Data plane: ghcr.io/nginx/nginx-gateway-fabric/nginx:1.6.1
• Data plane with NGINX Plus: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:1.6.1

v1.6.0

Compare Source

January 15, 2025

FEATURES:

• Add UpstreamSettingsPolicy to allow users to configure upstream settings for Services. 2941
• Add path support for RequestRedirect Filter. 2979
• Use state files for NGINX Plus upstream servers instead of the NGINX config. 2897

BUG FIXES:

• Fix rewrite path for ReplacePrefixMatch to parse request arguments correctly. 2951
• Fix an issue where updating upstreams with the NGINX Plus API would not occur if metrics were disabled. 2897
• Support updating stream upstreams with the NGINX Plus API instead of reloading NGINX. 2897

DOCUMENTATION:

• Docs: Update support referencing support package tool. 2789. Thanks to mrajagopal.
• Add how-to guide for configuring upstream settings for services using the UpstreamSettingsPolicy API. Find it here. 2987

HELM CHART:

• The version of the Helm chart is now 1.6.0

UPGRADE:

• The Gateway API version has been updated to 1.2.1. 2868
• ObservabilityPolicy API version has been increased to v1alpha2 due to a strengthening of validation rules. 2998

COMPATIBILITY:

• Gateway API version: 1.2.1
• NGINX version: 1.27.3
• NGINX Plus version: R33
• Kubernetes version: 1.25+

CONTAINER IMAGES:

• Control plane: ghcr.io/nginx/nginx-gateway-fabric:1.6.0
• Data plane: ghcr.io/nginx/nginx-gateway-fabric/nginx:1.6.0
• Data plane with NGINX Plus: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:1.6.0

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.81%. Comparing base (e3595a3) to head (a13df71).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4018      +/-   ##
==========================================
- Coverage   86.83%   86.81%   -0.02%     
==========================================
  Files         128      128              
  Lines       16607    16607              
  Branches       62       62              
==========================================
- Hits        14421    14418       -3     
- Misses       2004     2007       +3     
  Partials      182      182              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 2.x releases. But if you manually upgrade to 2.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.