How to handle Ingress annotations mentioned below

rajasekhar.yannam · April 7, 2026, 7:01am

Please use this template for troubleshooting questions.

My issue: I am able to address below annotations in the HTTPRoute or Gateway.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
meta.helm.sh/release-name: dev-dc
meta.helm.sh/release-namespace: default
nginx.ingress.kubernetes.io/auth-tls-match-cn: CN=Pipeline Builder
nginx.ingress.kubernetes.io/auth-tls-secret: default/wac-certs
nginx.ingress.kubernetes.io/auth-tls-verify-client: “true”
nginx.ingress.kubernetes.io/auth-tls-verify-depth: “5”
nginx.ingress.kubernetes.io/proxy-body-size: 512m

How I encountered the problem: While I am running pipeline, I am not able to authenticate as the above annotations or not handled properly in my Gateway or HTTPRoute

Solutions I’ve tried:

Version of NGF and/or NGINX: 3.0.0

Deployment environment: Dev

Ciara · April 7, 2026, 12:15pm

Hi @rajasekhar.yannam , thanks so much for your interest in our project!

Here’s how these annotations map to NGF with Gateway API:

auth-tls-secret + auth-tls-verify-client These are addressed by FrontendTLSValidation, which is coming in the next NGF release. You’ll configure this on your Gateway listener:

tls:
  frontendValidation:
    caCertificateRefs:
      - kind: ConfigMap
        name: wac-certs

See the Gateway API FrontendTLSConfig spec for full details.

auth-tls-match-cn Gateway API has no native concept of filtering by client certificate CN. One approach is to propagate the cert subject as a request header using RequestHeaderModifier and have your backend perform the CN check. Support for NGINX variables in RequestHeaderModifier is also coming in the next release, so you’ll be able to do:

filters:
  - type: RequestHeaderModifier
    requestHeaderModifier:
      set:
        - name: X-SSL-Client-DN
          value: $ssl_client_s_dn

However - Note that auth-tls-match-cn enforces CN validation at the gateway, returning 403 before the request reaches your backend. The RequestHeaderModifier approach shifts that enforcement to the backend and so it is not an equivalent replacement if you require the gateway to be the enforcement point. If this is important for your use case, please let us know by opening an issue!

auth-tls-verify-depth There is currently no equivalent for this in Gateway API or NGF. As above, if this is important for your use case, please let us know by opening an issue!

proxy-body-size This is supported today via ProxySettingsPolicy. See the proxy settings documentation for configuration details.

I hope this helps!

Ciara

rajasekhar.yannam · April 7, 2026, 2:02pm

Hi @Ciara , Thank you for prompt response. I will definitely verify the given solutions. Meanwhile, Could you please let me know when can we expect the next release, So u am eager to apply these changes.

Ciara · April 8, 2026, 3:03pm

We are targeting the week of May 4th for our next release including these changes @rajasekhar.yannam!

Topic		Replies	Views
Ingress NGINX Controller to NGINX Ingress Controller translation help NGINX Ingress Controller ssl , reverse-proxy , networking	10	104	February 28, 2026
Need to translate ingress-nginx annotations to NGINX-ingress NGINX Ingress Controller nginx-ingress , reverse-proxy , annotations	3	116	March 4, 2026
Migrate from ingress-nginx/oauth2-proxy to NGINX Ingress Controller/oauth2-proxy NGINX Ingress Controller config , reverse-proxy , sso	9	454	December 3, 2025
Need to translate Kubernetes community ingress-nginx annotations to NGINX-ingress General Discussion nginx-ingress , reverse-proxy , annotations	1	14	April 2, 2026
Need help to translate ingress-nginx annotations to NGINX-ingress NGINX Ingress Controller config , reverse-proxy , ingress-nginx , annotations	4	129	January 9, 2026

How to handle Ingress annotations mentioned below

Related topics