Ingress Nginx for Kubernetes

Deploys Ingress Nginx into a Kubernetes cluster via Helm.

Once you have a Corewide Solutions Portal account, this one-time action will use your browser session to retrieve credentials:

 shellterraform login solutions.corewide.com

Provision instructions

Initialize mandatory providers:

Copy and paste into your Terraform configuration and insert the variables:

 hclmodule "tf_k8s_ingress_nginx" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-ingress-nginx/helm"
  version = "~> 5.7.0"

  # specify module inputs here or try one of the examples below
  ...
}

Initialize the setup:

 shellterraform init

Define update strategy

Corewide DevOps team strictly follows Semantic Versioning Specification to provide our clients with products that have predictable upgrades between versions. We recommend pinning patch versions of our modules using pessimistic constraint operator (~>) to prevent breaking changes during upgrades.

To get new features during the upgrades (without breaking compatibility), use ~> 5.7 and run terraform init -upgrade

For the safest setup, use strict pinning with version = "5.7.0"

$550

Dependencies included: $250

tf-k8s-cert-manager	$200
tf-k8s-crd	$50

BUY

1,485

License

v5.7.0 released 1 month ago

New version approx. every 6 weeks

Upgrade Notes

Changelog

Deploys Ingress Nginx into a Kubernetes cluster via Helm.

All notable changes to this project are documented here.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

v5.7.0 - 2025-08-14

Added

ingress_nginx.enable_json_log_format variable to enable JSON-formatted logs

v5.6.0 - 2025-08-08

Added

ingress_nginx.values_override to allow passing custom values as Terraform map. Will supersede custom_values in the next major release

v5.5.0 - 2025-05-19

Added

DNS-01 ACME challenge support for Cert Manager module

v5.4.0 - 2025-04-10

Added

option to configure Ingress Class name by means of ingress_nginx.ingress_class_name variable
validation for the ingress_nginx.version variable (compatible chart version is 4.12.0 and newer)

Changed

Ingress Nginx Helm chart version (from 4.6.1 to 4.12.1) to align with latest fixes of Ingress Nginx vulnerabilities

Fixed

Ingress Class name definition and its reference for the ingress_class output

v5.3.2 - 2025-03-28

Fixed

incorrect naming of Ingress Controller Service in the data source making the module return an incorrect external IP address in the output

v5.3.1 - 2025-03-11

Removed

validation for the k8s_flavor variable

v5.3.0 - 2025-02-05

Added

output with ingressClass name (ingress_class)

v5.2.0 - 2024-12-12

Changed

ingress_nginx_ip output to ingress_ip
ingress_nginx_hostname output to ingress_hostname

Deprecated

ingress_nginx_ip in favour of ingress_ip and will be deleted in v6.0
ingress_nginx_hostname in favour of ingress_hostname and will be deleted in v6.0

v5.1.0 - 2024-12-10

Added

helm_timeout parameter for ingress_nginx variable to configure deployment timeout of its Helm release

v5.0.0 - 2024-11-25

BREAKING CHANGE: now Cert Manager setup is managed by the child module and Ingress Nginx deployment is mandatory

Added

acme_email variable for Cert Manager configuration

Changed

management of Cert Manager resources from in-module resources to the child module
optional Ingress Nginx deployment to mandatory

Removed

var.ingress_nginx.enabled parameter

v4.1.0 - 2024-09-04

Added

togglable real IP detection

v4.0.1 - 2024-07-10

Changed

updated version of tf-k8s-crd module dependency to ~> 2.0
Ingress Nginx Helm chart (from 4.0.18 to 4.6.1) version

v4.0.0 - 2023-10-19

BREAKING CHANGE: now all custom_values are declared as lists of objects which aren't compatible with previous version

NOTE: After module upgrade to v4.0 all custom_values definitions must be updated, see Upgrade Notes section

Added

possibility to declare a type of the custom values for Ingress Nginx and Cert Manager

Changed

definitions of custom values for Ingress Nginx and Cert Manager releases rollout from maps to list of objects

v3.1.1 - 2023-07-27

Changed

strict order of creation of resources to avoid race conditions

v3.1 - 2023-06-27

Added

an option to set ingress annotation of the load balancer health checks for AKS cluster by means of k8s_flavor variable

v3.0.0 - 2023-01-13

BREAKING CHANGE: now all kubernetes provider resources use versioned resources which aren't compatible with previous version

NOTE: After module upgrade to v3.0 all kubernetes provider resources and other resources that depend on them will be recreated, or they can be reimported to TF state manually, see Upgrade Notes section

Added

tf-k8s-crd module dependency

Changed

use versioned Kubernetes provider resources instead of standard ones in order to satisfy requirements of future updates of providers
updated main inputs that describe Ingress Nginx and Cert Manager parameters
definitions of ClusterIssuer custom resources use CRD TF module
declare default values of ingress_nginx variable
code formatting

Removed

gavinbunney/kubectl provider dependency
obsolete template of kubernetes manifest for Cert Manager cluster issuer

v2.1.0 - 2022-12-23

Added

an option to manage replicas' number for Ingress Nginx

Changed

Ingress Nginx controller deploys with 2 replicas by default

v2.0.0 - 2022-10-12

BREAKING CHANGE: now module inputs and resources management have fundamentally new concept which isn't compatible with previous version

Added

moved blocks to ensure reverse compatibility

Changed

bump terraform version to 1.3
combined all ingress_* and certmanager_* separate variables into two ingress and Cert Manager object variables that contain all related elements
combined three kubernetes_manifest calls for each cluser issuer into one
improve cluster issuer template. Made it unified for any of cluster issuer types

Fixed

letsencrypt production template call in letsencrypt staging terraform resource

v1.5.0 - 2022-09-28

Added

optional deployment of selfsigned cluster issuer (disabled by default)

v1.4.0 - 2022-09-23

Added

use configurable Ingress Class definition for Cert Manager deployment instead of predefined hardcoded value

v1.3.0 - 2022-09-12

Added

make Ingress Nginx deployment optional

v1.2.2 - 2022-08-17

Fixed

bumped Terraform version in the code

v1.2.1 - 2022-08-02

Fixed

formatted Nginx metrics annotations and set accurate type

v1.2.0 - 2022-08-01

Added

namespaces are handled by means of kubernetes provider resources
helm release can be deployed into a custom namespace

Changed

pinned minor provider versions
Helm release deployments are atomic now
templatefile function is used instead of template data sources
standardized documentation and changelog

Removed

dependency on template provider

v1.1 - 2022-07-28

Added

ingress Nginx LB hostname output

v1.0.2 - 2022-07-07

Fixed

expose Nginx metrics with proper annotations

v1.0.1 - 2022-05-18

Added

extra notes about purpose of two Let's Encrypt ClusterIssuers usage

v1.0 - 2022-04-18

Added

deploy Ingress Nginx
deploy Cert Manager
create let's encrypt cluster issuers

From `v2.x` to `v3.x`

Now all kubernetes provider resources use versioned resources. According to kubernetes provider's suggestions the simplest, non-destructive way to do this is to remove the old resource from state and import the resource as a version one. If Kubernetes namespaces were managed by the module, they must be re-imported, like so:

 bashterraform state rm module.ingress.kubernetes_namespace.ingress_namespace[0] module.ingress.kubernetes_namespace.certmanager_namespace[0]
terraform import module.ingress.kubernetes_namespace_v1.ingress_namespace[0] ingress-nginx
terraform import module.ingress.kubernetes_namespace_v1.certmanager_namespace[0] cert-manager
terraform state mv 'module.ingress.kubectl_manifest.cluster_issuer["letsencrypt"]' 'module.ingress.module.cluster_issuer["letsencrypt"].kubectl_manifest.crd'
terraform state mv 'module.ingress.kubectl_manifest.cluster_issuer["letsencrypt-staging"]' 'module.ingress.module.cluster_issuer["letsencrypt-staging"].kubectl_manifest.crd'
terraform state mv 'module.ingress.kubectl_manifest.cluster_issuer["selfsigned"]' 'module.ingress.module.cluster_issuer["selfsigned"].kubectl_manifest.crd'

From `v3.x` to `v4.x`

Now all custom_values are declared as lists of objects. In case if there were already declared custom_values in the module inputs, then they must be updated:

 hcl    # Old definition                        |     # New definition 
    custom_values = {                       |     custom_values = [
      "controller.containerPort" = 8080     |       {
    }                                       |         name  = "controller.containerPort"
                                            |         value = 8080
                                            |       },
                                            |     ]

If there weren't any custom_values declared (neither for Ingress Nginx nor Cert Manager), no actions are needed.

From `v4.x` to `v5.x`

Now Cert Manager setup is managed by the child module. Cert Manager resource addresses will be moved automatically with moved blocks. Ingress Nginx deployment is mandatory now. Manual removal of the input variable var.ingress_nginx.enabled is mandatory. Variable var.cert_manager.acme_email must be changed to the var.acme_email.

Deploy Ingress Nginx with Cert Manager and required parameters only:

 hclmodule "ingress" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-ingress-nginx/helm"
  version = "~> 5.7"

  acme_email = "[email protected]"
}

Deploy Ingress Nginx with mandatory parameters and Cert Manager's AWS Route53 integration for DNS-01 challenge. AWS Route53 RBAC configured with tf-k8s-cert-manager-dns-aws module and EKS cluster deployed with tf-aws-k8s-eks module:

 hclmodule "ingress" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-ingress-nginx/helm"
  version = "~> 5.7"

  acme_email = "[email protected]"

  cert_manager = {
    version                     = "1.17"
    dns_solver_config           = module.aws_cert_manager_iam.issuer_spec
    service_account_annotations = module.aws_cert_manager_iam.service_account_annotation
  }
}

module "eks" {
  source  = "solutions.corewide.com/aws/tf-aws-k8s-eks/aws"
  version = "~> 5.1"
  # ...
}

module "aws_cert_manager_iam" {
  source  = "solutions.corewide.com/aws/tf-k8s-cert-manager-dns-aws/aws"
  version = "~> 1.0"

  region            = "us-east-1"
  hosted_zone_id    = "FOO"
  oidc_provider_arn = module.eks.eks_identity_provider.arn
  oidc_provider_url = module.eks.eks_identity_provider.url
}

Deploy Ingress Nginx with mandatory parameters and Cert Manager's Google Cloud DNS integration for DNS-01 challenge. Google Cloud DNS RBAC configured with tf-k8s-cert-manager-dns-gcp module:

 hclmodule "ingress" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-ingress-nginx/helm"
  version = "~> 5.7"

  acme_email = "[email protected]"

  cert_manager = {
    version                     = "1.17"
    dns_solver_config           = module.gcp_cert_manager_iam.issuer_spec
    service_account_annotations = module.gcp_cert_manager_iam.service_account_annotation
  }
}

module "gcp_cert_manager_iam" {
  source  = "solutions.corewide.com/google-cloud/tf-k8s-cert-manager-dns-gcp/google"
  version = "~> 1.0"
}

Deploy Ingress Nginx with mandatory parameters and Cert Manager's Azure DNS integration for DNS-01 challenge. Azure DNS RBAC configured with tf-k8s-cert-manager-dns-azure module and AKS cluster deployed with tf-azure-k8s-aks module:

 hclmodule "ingress" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-ingress-nginx/helm"
  version = "~> 5.7"

  acme_email = "[email protected]"

  cert_manager = {
    version                = "1.17"
    dns_solver_config      = module.azure_cert_manager_iam.issuer_spec
    pod_labels             = module.azure_cert_manager_iam.pod_label
    service_account_labels = module.azure_cert_manager_iam.service_account_label
  }
}

resource "azurerm_resource_group" "main" {
  name     = "foo"
  location = "westus2"
}

module "aks" {
  source  = "solutions.corewide.com/azure/tf-azure-k8s-aks/azurerm"
  version = "~> 5.0"
  # ...
}

module "azure_cert_manager_iam" {
  source  = "solutions.corewide.com/azure/tf-k8s-cert-manager-dns-azure/azurerm"
  version = "~> 1.0"

  resource_group_name = azurerm_resource_group.main.name
  region              = azurerm_resource_group.main.location
  hosted_zone_name    = "example.com"
  hosted_zone_id      = "/subscriptions/bar/dnsZones/example.com"
  subscription_id     = "bar"
  oidc_provider_url   = module.aks.cluster.oidc_issuer_url
}

Deploy Ingress Nginx with JSON log format enabled. If ingress_nginx.enable_json_log_format is enabled, Ingress Nginx will use the following JSON access log format (unless overridden using ingress_nginx.values_override):

 json{
  "msec": "$msec",                           // request unixtime in seconds with a milliseconds resolution
  "connection": "$connection",               // Connection serial number for current worker process
  "connection_requests": "$connection_requests", // Number of requests made over the current connection
  "pid": "$pid",                             // Process ID
  "request_id": "$request_id",               // Unique request ID
  "request_length": "$request_length",       // Length of the request in bytes including headers and body
  "remote_addr": "$remote_addr",             // Client IP address
  "remote_user": "$remote_user",             // Client user
  "remote_port": "$remote_port",             // Client port
  "time_local": "$time_local",               // Local time of the request in common log format
  "time_iso8601": "$time_iso8601",           // ISO8601-formatted request time
  "request": "$request",                     // Full HTTP request line (method, URI, protocol)
  "request_uri": "$request_uri",             // URI path with query string
  "args": "$args",                           // Query string parameters only (without path)
  "status": "$status",                       // HTTP response status code
  "body_bytes_sent": "$body_bytes_sent",     // Number of bytes sent in response body (no headers)
  "bytes_sent": "$bytes_sent",               // Total bytes sent (body + headers)
  "http_referer": "$http_referer",           // Referring URL
  "http_user_agent": "$http_user_agent",     // User-Agent string from client
  "http_x_forwarded_for": "$http_x_forwarded_for", // Original client IP from proxy/load balancer
  "http_host": "$http_host",                 // Host header sent by the client
  "server_name": "$server_name",             // Name of the server handling the request
  "request_time": "$request_time",           // Time spent processing the request (seconds with milliseconds)
  "upstream": "$upstream_addr",              // Upstream server address (IP:port)
  "upstream_connect_time": "$upstream_connect_time", // Time to connect to upstream server
  "upstream_header_time": "$upstream_header_time", // Time to receive first byte from upstream
  "upstream_response_time": "$upstream_response_time", // Total time taken by upstream to respond
  "upstream_response_length": "$upstream_response_length", // Length of upstream response
  "upstream_cache_status": "$upstream_cache_status", // Cache status (HIT, MISS, etc.)
  "ssl_protocol": "$ssl_protocol",           // TLS/SSL protocol version used
  "ssl_cipher": "$ssl_cipher",               // TLS/SSL cipher used
  "scheme": "$scheme",                       // Request scheme
  "request_method": "$request_method",       // HTTP method
  "server_protocol": "$server_protocol",     // Protocol version
  "pipe": "$pipe",                           // 'p' for pipelined requests, '.' otherwise
  "gzip_ratio": "$gzip_ratio",               // Gzip compression ratio
  "http_cf_ray": "$http_cf_ray"              // Cloudflare Ray ID (if Cloudflare is used)
}

 hclmodule "ingress" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-ingress-nginx/helm"
  version = "~> 5.7"

  acme_email = "[email protected]"

  ingress_nginx = {
    enable_json_log_format = true
  }
}

NOTE: Values of annotations and labels must always be passed as strings regardless of their actual type.

Deploy Ingress Nginx with custom configuration and Cert Manager. Allows using configuration-snippet in Ingress annotations:

 hclmodule "ingress" {
  source  = "solutions.corewide.com/kubernetes/tf-k8s-ingress-nginx/helm"
  version = "~> 5.7"

  acme_email = "[email protected]"

  cert_manager = {
    version = "1.10.0"
  }

  ingress_nginx = {
    name         = "ingress"
    namespace    = "ingress"
    replicas     = 3
    helm_timeout = 600

    custom_values = [
      {
        name  = "controller.metrics.serviceMonitor.additionalLabels\.app\.kubernetes\.io/name"
        value = "ingress"
      },
    ]

    values_override = {
      controller = {
        allowSnippetAnnotations = true

        config = {
          annotations-risk-level = "Critical"
        }
      }
    }
  }
}

Variable	Description	Type	Default	Required	Sensitive
`acme_email`	E-mail that Let's Encrypt cluster issuer will use to request certificates	`string`		yes	no
`k8s_flavor`	Name of managed Kubernetes to enable cloud-specific adjustments. Applicable values are: `aks` or `eks`	`string`		yes	no
`cert_manager`	Cert Manager parameters. The parameters are passed to tf-k8s-cert-manager module	`any`	`{}`	no	no
`ingress_nginx`	Ingress Nginx parameters	`object`	`{}`	no	no
`ingress_nginx.create_namespace`	Indicates creation of dedicated namespace for Ingress Nginx deployment	`bool`	`true`	no	no
`ingress_nginx.custom_values`	A list of custom values for Ingress Nginx Helm Chart. Will be deprecated in `v6.0`	`list(object)`		no	no
`ingress_nginx.custom_values[*].name`	Full name of the custom value to be set	`string`		yes	no
`ingress_nginx.custom_values[*].type`	Type of the value to be set (valid options are `auto` and `string`)	`string`	`auto`	no	no
`ingress_nginx.custom_values[*].value`	Value of the custom value to be set	`any`		yes	no
`ingress_nginx.enable_json_log_format`	Enable JSON logging format for Ingress Nginx	`bool`	`false`	no	no
`ingress_nginx.enable_metrics`	Enable Prometheus metrics of Ingress Nginx	`bool`	`true`	no	no
`ingress_nginx.enable_real_ip_detection`	Enable/disable Ingress Nginx Real IP detection	`bool`	`true`	no	no
`ingress_nginx.helm_timeout`	Time in seconds for Helm resource to install in Kubernetes	`number`	`600`	no	no
`ingress_nginx.ingress_class_name`	Name of Ingress Class of Ingress Nginx	`string`	`nginx`	no	no
`ingress_nginx.name`	Name to override Ingress Nginx release name	`string`	`ingress-nginx`	no	no
`ingress_nginx.namespace`	Namespace to install Ingress Nginx into	`string`	`ingress-nginx`	no	no
`ingress_nginx.replicas`	Number of Ingress Nginx controller replicas	`number`	`2`	no	no
`ingress_nginx.values_override`	Custom values to override Ingress Nginx Helm chart defaults	`map(any)`	`{}`	no	no
`ingress_nginx.version`	Version of Ingress Nginx Helm chart	`string`	`4.12.1`	no	no

Output	Description	Type	Sensitive
`ingress_class`	Name of Ingress Class of Ingress Nginx	`attribute`	no
`ingress_hostname`	Hostname of Ingress Nginx Load Balancer	`computed`	no
`ingress_ip`	External IP of Ingress Nginx Load Balancer	`computed`	no
`ingress_nginx_hostname`	Hostname of Ingress Nginx Load Balancer	`computed`	no
`ingress_nginx_ip`	External IP of Ingress Nginx Load Balancer	`computed`	no

Dependency	Version	Kind
`terraform`	`>= 1.3`	CLI
`hashicorp/helm`	`~> 2.5`	provider
`hashicorp/kubernetes`	`~> 2.9`	provider
`tf-k8s-cert-manager`	`~> 1.1`	module

References

AWS Kubernetes Cluster management

3 weeks, 6 days ago 230

Azure Kubernetes Cluster management

4 days, 6 hours ago 89

DigitalOcean Kubernetes Cluster management

2 months, 4 weeks ago 778

GCP Kubernetes Cluster management

4 days, 6 hours ago 660

Docker-based Bitbucket Runner for Kubernetes

3 weeks, 4 days ago 35

Cert Manager setup in a Kubernetes cluster

2 months, 3 weeks ago 1467

Ingress Nginx for Kubernetes

v5.7.0 - 2025-08-14

Added

v5.6.0 - 2025-08-08

Added

v5.5.0 - 2025-05-19

Added

v5.4.0 - 2025-04-10

Added

Changed

Fixed

v5.3.2 - 2025-03-28

Fixed

v5.3.1 - 2025-03-11

Removed

v5.3.0 - 2025-02-05

Added

v5.2.0 - 2024-12-12

Changed

Deprecated

v5.1.0 - 2024-12-10

Added

v5.0.0 - 2024-11-25

Added

Changed

Removed

v4.1.0 - 2024-09-04

Added

v4.0.1 - 2024-07-10

Changed

v4.0.0 - 2023-10-19

Added

Changed

v3.1.1 - 2023-07-27

Changed

v3.1 - 2023-06-27

Added

v3.0.0 - 2023-01-13

Added

Changed

Removed

v2.1.0 - 2022-12-23

Added

Changed

v2.0.0 - 2022-10-12

Added

Changed

Fixed

v1.5.0 - 2022-09-28

Added

v1.4.0 - 2022-09-23

Added

v1.3.0 - 2022-09-12

Added

v1.2.2 - 2022-08-17

Fixed

v1.2.1 - 2022-08-02

Fixed

v1.2.0 - 2022-08-01

Added

Changed

Removed

v1.1 - 2022-07-28

Added

v1.0.2 - 2022-07-07

Fixed

v1.0.1 - 2022-05-18

Added

v1.0 - 2022-04-18

Added

From v2.x to v3.x

From v3.x to v4.x

From v4.x to v5.x

References

Not sure where to start?Let's find your perfect match.

From `v2.x` to `v3.x`

From `v3.x` to `v4.x`

From `v4.x` to `v5.x`

Not sure where to start?
Let's find your perfect match.