nginx · ab-andresc · Jun 10, 2025 · Jun 10, 2025 · Jun 10, 2025 · Jun 10, 2025
@@ -397,6 +397,12 @@ type DeploymentSpec struct {
 	//
 	// +optional
 	Container ContainerSpec `json:"container"`
+
+	// ExtraContainers defines additional containers to be added to the NGINX Pod.
+	// Uses upstream corev1.Container to allow arbitrary sidecars.
+	//
+	// +optional
+	ExtraContainers []corev1.Container `json:"extraContainers,omitempty"`
 }
 
 // DaemonSet is the configuration for the NGINX DaemonSet.
@@ -410,6 +416,11 @@ type DaemonSetSpec struct {
 	//
 	// +optional
 	Container ContainerSpec `json:"container"`
+	// ExtraContainers defines additional containers to be added to the NGINX Pod.
-	// ExtraContainers defines additional containers to be added to the NGINX Pod.
+
+	// ExtraContainers defines additional containers to be added to the NGINX Pod.
-	// ExtraContainers defines additional containers to be added to the NGINX Pod.
+
+	// ExtraContainers defines additional containers to be added to the NGINX Pod.
+	// Uses upstream corev1.Container to allow arbitrary sidecars.
+	//
+	// +optional
+	ExtraContainers []corev1.Container `json:"extraContainers,omitempty"`
 }
 
 // PodSpec defines Pod-specific fields.
@@ -453,6 +464,8 @@ type PodSpec struct {
 	//
 	// +optional
 	TopologySpreadConstraints []corev1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
+
+	SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"`
 }
 
 // ContainerSpec defines container fields for the NGINX container.

@@ -264,10 +264,11 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `certGenerator.ttlSecondsAfterFinished` | How long to wait after the cert generator job has finished before it is removed by the job controller. | int | `30` |
 | `clusterDomain` | The DNS cluster domain of your Kubernetes cluster. | string | `"cluster.local"` |
 | `gateways` | A list of Gateway objects. View https://gateway-api.sigs.k8s.io/reference/spec/#gateway for full Gateway reference. | list | `[]` |
-| `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. | object | `{"config":{},"container":{},"debug":false,"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"edge"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","plus":false,"pod":{},"replicas":1,"service":{"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","resolver":"","secretName":"nplus-license","skipVerify":false}}` |
+| `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. | object | `{"config":{},"container":{},"debug":false,"extraContainers":[],"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"edge"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","plus":false,"pod":{},"replicas":1,"service":{"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","resolver":"","secretName":"nplus-license","skipVerify":false}}` |
 | `nginx.config` | The configuration for the data plane that is contained in the NginxProxy resource. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{}` |
 | `nginx.container` | The container configuration for the NGINX container. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{}` |
 | `nginx.debug` | Enable debugging for NGINX. Uses the nginx-debug binary. The NGINX error log level should be set to debug in the NginxProxy resource. | bool | `false` |
+| `nginx.extraContainers` | extraVolumeMounts are the additional volume mounts for the NGINX container. extraVolumeMounts: [] Extra containers to be added to the NGINX Gateway Fabric control plane pod. Use this to add additional containers to the control plane pod, such as sidecars. Note that these containers will not have access to the NGINX Gateway Fabric control plane's service account. | list | `[]` |
 | `nginx.image.repository` | The NGINX image to use. | string | `"ghcr.io/nginx/nginx-gateway-fabric/nginx"` |
 | `nginx.imagePullSecret` | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. The control plane will copy this secret into any namespace where NGINX is deployed. | string | `""` |
 | `nginx.imagePullSecrets` | A list of secret names containing docker registry credentials. Secrets must exist in the same namespace as the helm release. The control plane will copy these secrets into any namespace where NGINX is deployed. | list | `[]` |

@@ -26,6 +26,9 @@ spec:
         {{- if .Values.nginx.debug }}
         debug: {{ .Values.nginx.debug }}
         {{- end }}
+      {{- if .Values.nginxGateway.extraContainers }}
+      {{- toYaml .Values.nginxGateway.extraContainers | nindent 6 }}
+      {{- end }}
     {{- end }}
     {{- if eq .Values.nginx.kind "daemonSet" }}
     daemonSet:
@@ -42,6 +45,9 @@ spec:
         {{- if .Values.nginx.debug }}
         debug: {{ .Values.nginx.debug }}
         {{- end }}
+      {{- if .Values.nginx.extraContainers }}
+      {{- toYaml .Values.nginx.extraContainers | nindent 6 }}
+      {{- end }}
     {{- end }}
     {{- if .Values.nginx.service }}
     service:

@@ -324,6 +324,15 @@
           "title": "debug",
           "type": "boolean"
         },
+        "extraContainers": {
+          "description": "Extra containers to be added to the NGINX Gateway Fabric control plane pod.\nUse this to add additional containers to the control plane pod, such as sidecars.\nNote that these containers will not have access to the NGINX Gateway Fabric control plane's service account.",
+          "items": {
+            "required": []
+          },
+          "required": [],
+          "title": "extraContainers",
+          "type": "array"
+        },
         "image": {
           "properties": {
             "pullPolicy": {

@@ -409,6 +409,11 @@ nginx:
     # -- extraVolumeMounts are the additional volume mounts for the NGINX container.
     # extraVolumeMounts: []
 
+  # Extra containers to be added to the NGINX Gateway Fabric control plane pod.
+  # Use this to add additional containers to the control plane pod, such as sidecars.
+  # Note that these containers will not have access to the NGINX Gateway Fabric control plane's service account.
+  extraContainers: []
+
   # -- The service configuration for the NGINX data plane. This is applied globally to all Gateways managed by this
   # instance of NGINX Gateway Fabric.
   service: