{{<tabsname="deploy-config-resource">}}

{{%tab name="Helm"%}}

Edit your`values.yaml` file to enable NGINX Agent andconfigureit to connect to NGINX One Console:

Upgrade or install NGINX Ingress Controller with the following command toconfigureNGINX Agent and connect to NGINX One Console:

nginxAgent:

enable:true

dataplaneKeySecretName:"<data_plane_key_secret_name>"

- For NGINX:

helm upgrade --install my-release oci://ghcr.io/nginx/charts/nginx-ingress --version {{< nic-helm-version>}} \

--set nginxAgent.enable=true \

--set nginxAgent.dataplaneKeySecretName=<data_plane_key_secret_name> \

--set nginxAgent.endpointHost=agent.connect.nginx.com

```

- For NGINX Plus: (This assumes you have pushed NGINX Ingress Controller image`nginx-plus-ingress` to your private registry`myregistry.example.com`)

The`dataplaneKeySecretName` is used to authenticate the agent with NGINX One Console. See the [NGINX One Console Docs]({{< ref"/nginx-one/connect-instances/create-manage-data-plane-keys.md">}})

for instructions on how to generate your dataplane key from the NGINX One Console.

|**serviceNameOverride**| Used to prevent cloud load balancers from being replaced due to service name change during helm upgrades.|""|

|**nginxServiceMesh.enable**| Enable integration with NGINX Service Mesh. See the NGINX Service Mesh docsfor more details. Requires`controller.nginxplus`.|false|

|**nginxServiceMesh.enableEgress**| Enable NGINX Service Mesh workloads to route egress traffic through the Ingress Controller. See the NGINX Service Mesh docsfor more details. Requires`nginxServiceMesh.enable`.|false|

|**nginxAgent.enable**| Enable NGINX Agent to integrate the Security Monitoring and App Protect WAF modules. Requires`controller.appprotect.enable`.|false|

|**nginxAgent.instanceGroup**| Set a custom Instance Group namefor the deployment, shown when connected to NGINX Instance Manager.`nginx-ingress.controller.fullname` will be usedif not set.|""|

|**nginxAgent.logLevel**| Log levelfor NGINX Agent.|"error |

|**nginxAgent.instanceManager.sni** | Server Name Indication for Instance Manager. See the NGINX Agent [docs]({{< ref"/agent/configuration/encrypt-communication.md" >}}) for more details. |"" |

|**nginxAgent.instanceManager.tls.secret** | Name of`kubernetes.io/tls` secret with a TLS certificate and key for using mTLS between NGINX Agent and Instance Manager. See the NGINX Instance Manager [docs]({{< ref"/nim/system-configuration/secure-traffic.md#mutual-client-certificate-authentication-setup-mtls" >}}) and the NGINX Agent [docs]({{< ref"/agent/configuration/encrypt-communication.md" >}}) for more details. |"" |

|**nginxAgent.enable**| Enable NGINX Agent 3.x to allow [connecting to NGINX One Console]({{< ref"/nginx-one/k8s/add-nic.md">}}) or to integrate NGINX Agent 2.xfor [Security Monitoring]({{< ref"/nic/tutorials/security-monitoring.md">}}).|false|

|**nginxAgent.logLevel**| Log levelfor NGINX Agent.|"error"|

|**nginxAgent.dataplaneKeySecretName**| Name of the Kubernetes Secret containing the Data Plane key used to authenticate to NGINX One Console. Learn more [here]({{< ref"/nginx-one/k8s/add-nic.md">}}). Required when`nginxAgent.enable` isset to`true`. Requires NGINX Agent 3.x.|""|

|**nginxAgent.endpointHost**| Domain or IP addressfor the NGINX One Console. Requires NGINX Agent 3.x.|"agent.connect.nginx.com"|

|**nginxAgent.endpointPort**| Portfor the NGINX One Console endpoint. Requires NGINX Agent 3.x.| 443|

|**nginxAgent.tlsSkipVerify**| Skip TLS verificationfor the NGINX One Console endpoint. Requires NGINX Agent 3.x.|false|

|**nginxAgent.instanceGroup**| Set a custom Instance Group namefor the deployment, shown when connected to NGINX Instance Manager.`nginx-ingress.controller.fullname` will be usedif not set. Requires NGINX Agent 2.x.|""|

|**nginxAgent.instanceManager.host**| FQDN or IPfor connecting to NGINX Ingress Controller. Required when`nginxAgent.enable` isset to`true`. Requires NGINX Agent 2.x.|""|

|**nginxAgent.instanceManager.grpcPort**| Portfor connecting to NGINX Ingress Controller. Requires NGINX Agent 2.x.| 443|

|**nginxAgent.instanceManager.sni**| Server Name Indicationfor Instance Manager. See the NGINX Agent [docs]({{< ref"/agent/configuration/encrypt-communication.md">}})for more details. Requires NGINX Agent 2.x.|""|

|**nginxAgent.instanceManager.tls.enable**| Enable TLSfor Instance Manager connection. Requires NGINX Agent 2.x.|true|

|**nginxAgent.instanceManager.tls.skipVerify**| Skip certification verificationfor Instance Manager connection. Requires NGINX Agent 2.x.|false|

|**nginxAgent.instanceManager.tls.caSecret**| Name of`nginx.org/ca` secret usedfor verification of Instance Manager TLS. Requires NGINX Agent 2.x.|""|

|**nginxAgent.instanceManager.tls.secret**| Name of`kubernetes.io/tls` secret with a TLS certificate and keyfor using mTLS between NGINX Agent and Instance Manager. See the NGINX Instance Manager [docs]({{< ref"/nim/system-configuration/secure-traffic.md#mutual-client-certificate-authentication-setup-mtls">}}) and the NGINX Agent [docs]({{< ref"/agent/configuration/encrypt-communication.md">}})for more details. Requires NGINX Agent 2.x.|""|

|**nginxAgent.syslog.host**| Addressfor NGINX Agent to run syslog listener. Requires NGINX Agent 2.x.| 127.0.0.1|

|**nginxAgent.syslog.port**| Portfor NGINX Agent to run syslog listener. Requires NGINX Agent 2.x.| 1514|

|**nginxAgent.napMonitoring.collectorBufferSize**| Buffer sizefor collector. Will contain log lines and parsed log lines. Requires NGINX Agent 2.x.| 50000|

|**nginxAgent.napMonitoring.processorBufferSize**| Buffer sizefor processor. Will contain log lines and parsed log lines. Requires NGINX Agent 2.x.| 50000|

|**nginxAgent.customConfigMap**| The name of a custom ConfigMap to use instead of the one provided by default. Requires NGINX Agent 2.x.|""|

{{</bootstrap-table>}}

08 Jul 2025

This release includes the ability to configure Rate Limiting for your APIs based on a specific NGINX variable and its value. This allows you more granular control over how frequently specific users access your resources.

This NGINX Ingress Controller release brings initial connectivity to the NGINX One Console! You can now use NGINX One Console to manage NGINX instances that are part of your NGINX Ingress Controller cluster. See[here]({{< ref "/nginx-one/k8s/add-nic.md" >}}) to configure NGINX One Console with NGINX Ingress Controller.

This release also includes the ability to configure Rate Limiting for your APIs based on a specific NGINX variable and its value. This allows you more granular control over how frequently specific users access your resources.

Lastly, in our previous v5.0.0 release, we removed support for Open Tracing. This release replaces that observability capability with native NGINX Open Telemetry traces, allowing you to monitor the internal traffic of your applications.

-[7642](https://github.com/nginx/kubernetes-ingress/pull/7642) Add OpenTelemetry support

-[7916](https://github.com/nginx/kubernetes-ingress/pull/7916) Add support for AgentV3

-[7916](https://github.com/nginx/kubernetes-ingress/pull/7916) Add support forNGINXAgentversion 3 and Connecting to NGINX One Console

-[7884](https://github.com/nginx/kubernetes-ingress/pull/7884) Tiered rate limits with variables

-[7765](https://github.com/nginx/kubernetes-ingress/pull/7765) Add OIDC PKCE configuration through Policy

-[7832](https://github.com/nginx/kubernetes-ingress/pull/7832) Add request_method to rate-limit Policy