loft-sh · rmweir · Dec 18, 2025 · loft-bot · Dec 19, 2025 · loft-bot
@@ -1,7 +1,7 @@
-Deploy `nginx-ingress` controller to your cluster. Update `$PLATFORM_VERSION`
+[Deprecated]: Deploy `nginx-ingress` controller to your cluster. Update `$PLATFORM_VERSION`
 with a valid platform version.
 
-```bash title="Deploy nginx-ingress controller"
+```bash title="[Deprecated- the ingress-nginx project has been deprecated]: Deploy ingress-nginx controller"
 helm upgrade --install ingress-nginx ingress-nginx \
   --repository-config='' \
   -n ingress-nginx \

@@ -1,9 +1,9 @@
-To update the platform deployment to use the NGINX ingress controller, create a simple values
+[Deprecated]: To update the platform deployment to use the NGINX ingress controller, create a simple values
 file that tells the platform to do just that. If you created a values file during your initial
 deployment, you can simply edit that file, if you did not, you can create a new file with the
 following contents.
 
-```yaml title="Update to use NGINX ingress controller"
+```yaml title="[Deprecated- the ingress-nginx project has been deprecated]: Update to use NGINX ingress controller"
 ingress:
   enabled: true
   host: "vcluster-platform.mydomain.tld" # Make sure to change this

@@ -6,6 +6,10 @@ import PartialAdminUpgradeCLI from "../guides/upgrade-cli.mdx";
 import PartialStartGetExternalIP from "./external-access-nginx-get-external-ip.mdx";
 import PartialStartSetARecord from "./external-access-nginx-set-a-record.mdx";
 
+:::warning Deprecated
+The ingress-nginx project has been deprecated. We recommend using a different ingress controller.
+:::
+
 <Flow id="nginx-ingress-manual-install">
   <Step>
     <PartialNGINXDeploy />

@@ -6,6 +6,10 @@ import PartialStartWithHost from "./external-access-nginx-start.mdx";
 import PartialStartGetExternalIP from "./external-access-nginx-get-external-ip.mdx";
 import PartialStartSetARecord from "./external-access-nginx-set-a-record.mdx";
 
+:::warning Deprecated
+The ingress-nginx project has been deprecated. We recommend using a different ingress controller.
+:::
+
 :::warning Heads up.
 This section assumes you already have the nginx ingress controller installed, if you don't,
 check out the 'Manual Ingress Controller Installation' tab.

@@ -30,7 +30,7 @@ If your kube-context points to the platform's API server as a proxy before the a
 
 ### Ingress Requests
 
-For [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/main) based Ingresses and [Istio](https://istio.io/) Gateways, activity detection works automatically.
+For [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/main) (deprecated) based Ingresses and [Istio](https://istio.io/) Gateways, activity detection works automatically.
 For nginx based ingresses, the platform adds the [mirror-target](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#mirror) annotation to each ingress that will track activity and reset the timer when a request is made to that ingress.
 For Istio, the metrics from the istio-proxy container are used to determine activity.
 

@@ -41,5 +41,5 @@ You can set the required ingress suffix in the vCluster Platform UI:
 </Flow>
 
 :::info Pre-Requisites
-This will require an ingress-controller in the cluster (such as ingress-nginx) and a wildcard DNS record on the above configured domain. Make sure to enable ssl-passthrough on the ingress controller as well or install the ingress-nginx vCluster Platform app.
+This will require an ingress-controller in the cluster and a wildcard DNS record on the above configured domain. Make sure to enable ssl-passthrough on the ingress controller as well or install the ingress-nginx vCluster Platform app (deprecated).
 :::
@@ -19,7 +19,7 @@ kind: Ingress
 metadata:
   name: loft-agent-ingress
   annotations:
-    kubernetes.io/ingress.class: nginx
+    kubernetes.io/ingress.class: nginx # ingress-nginx has been deperecated
-    kubernetes.io/ingress.class: nginx # ingress-nginx has been deperecated
+    kubernetes.io/ingress.class: nginx # ingress-nginx has been deprecated
-    kubernetes.io/ingress.class: nginx # ingress-nginx has been deperecated
+    kubernetes.io/ingress.class: nginx # ingress-nginx has been deprecated
     nginx.ingress.kubernetes.io/proxy-read-timeout: "43200"
     nginx.ingress.kubernetes.io/proxy-send-timeout: "43200"
     nginx.ingress.kubernetes.io/proxy-buffers-number: "8 32k"

@@ -247,7 +247,7 @@ spec:
 
 ### Deny Ingress Classes
 
-This policy will deny all ingress classes except `nginx`.
+This policy will deny all ingress classes except `istio`.
 
 ```
 apiVersion: policy.jspolicy.com/v1beta1
@@ -259,7 +259,7 @@ spec:
   resources: ["ingresses"]
   javascript: |
     // ingress class can be set via annotation "kubernetes.io/ingress.class" or through spec.ingressClassName.
-    const allowedIngressClasses = ["nginx"];
+    const allowedIngressClasses = ["istio"];
     const ingressClasses = [request.object.metadata?.annotations?.["kubernetes.io/ingress.class"], request.object.spec.ingressClassName];
     const notAllowed = ingressClasses.filter(ingressClass => ingressClass && !allowedIngressClasses.includes(ingressClass));
     if (notAllowed.length > 0) {

@@ -217,7 +217,7 @@ Then open your browser and navigate to `http://localhost:8080`. Log in with user
 
 ### Option 2: Ingress
 
-Create an Ingress resource to expose Grafana externally. The following example uses the nginx ingress controller:
+Create an Ingress resource to expose Grafana externally. The following example uses the nginx ingress controller (deperecated):
-Create an Ingress resource to expose Grafana externally. The following example uses the nginx ingress controller (deperecated):
+Create an Ingress resource to expose Grafana externally. The following example uses the nginx ingress controller (deprecated):
-Create an Ingress resource to expose Grafana externally. The following example uses the nginx ingress controller (deperecated):
+Create an Ingress resource to expose Grafana externally. The following example uses the nginx ingress controller (deprecated):
 
 ```yaml title="grafana-ingress.yaml"
 apiVersion: networking.k8s.io/v1

@@ -546,7 +546,7 @@ spec:
                 annotations:
                   nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
                   nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
-                ingressClassName: "nginx"
+                ingressClassName: "nginx" # deperecated
-                ingressClassName: "nginx" # deperecated
+                ingressClassName: "nginx" # deprecated
-                ingressClassName: "nginx" # deperecated
+                ingressClassName: "nginx" # deprecated
                 hostname: {{ .Values.loft.virtualClusterName }}-{{ .Values.loft.project }}-{{ .Values.loft.clusterAnnotations.domainPrefix }}.{{ .Values.loft.clusterAnnotations.domain }}
                 tls: true
               ingressGrpc:
@@ -556,7 +556,7 @@ spec:
               logLevel: "debug"
               ingress:
                 enabled: true
-                ingressClassName: "nginx"
+                ingressClassName: "nginx" # deperecated
-                ingressClassName: "nginx" # deperecated
+                ingressClassName: "nginx" # deprecated
-                ingressClassName: "nginx" # deperecated
+                ingressClassName: "nginx" # deprecated
                 annotations:
                   nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
                 hostname: {{ .Values.loft.virtualClusterName }}-{{ .Values.loft.project }}-{{ .Values.loft.clusterAnnotations.domainPrefix }}-appset.{{ .Values.loft.clusterAnnotations.domain }}

@@ -34,7 +34,11 @@ The platform, like any other service in Kubernetes, can be exposed in multiple w
 <details>
   <summary>
 
-### External access via NGINX ingress controller
+### [Deprecated]: External access via NGINX ingress controller
+
+:::warning Deprecated
+The ingress-nginx project has been deprecated.
+:::
 
   </summary>
   <Tabs
@@ -134,7 +138,7 @@ certIssuer:
   secretName: vcluster-platform-letsencrypt-credentials
   httpResolver:
     enabled: true
-    ingressClass: nginx
+    ingressClass: nginx # the ingress-nginx project has been deprecated
   resolvers: []
   server: https://acme-v02.api.letsencrypt.org/directory
 ```

@@ -19,7 +19,7 @@ If your kube-context points to Loft's API server as a proxy before the actual co
 
 ### Ingress Requests
 
-For ingress-nginx based ingresses, activity detection also works automatically. Other ingress controllers are currently not supported. For nginx based ingresses, Loft will add a special annotation to each ingress that will track activity and reset the timer as soon as a request is made to that ingress.
+For ingress-nginx (deprecated) based ingresses, activity detection also works automatically. Other ingress controllers are currently not supported. For nginx based ingresses, Loft will add a special annotation to each ingress that will track activity and reset the timer as soon as a request is made to that ingress.
 
 :::info Ingress Wakeup
 <span>Loft supports waking up a {props.name} through an ingress independent of the underlying ingress controller. Just navigate to the ingress host and you should see a Loft wakeup page for the {props.name}.</span>

@@ -19,7 +19,7 @@ If your kube-context points to Loft's API server as a proxy before the actual co
 
 ### Ingress Requests
 
-For ingress-nginx based ingresses, activity detection also works automatically. Other ingress controllers are currently not supported. For nginx based ingresses, Loft will add a special annotation to each ingress that will track activity and reset the timer as soon as a request is made to that ingress.
+For ingress-nginx (deprecated) based ingresses, activity detection also works automatically. Other ingress controllers are currently not supported. For nginx based ingresses, Loft will add a special annotation to each ingress that will track activity and reset the timer as soon as a request is made to that ingress.
 
 :::info Ingress Wakeup
 <span>Loft supports waking up a {props.name} through an ingress independent of the underlying ingress controller. Just navigate to the ingress host and you should see a Loft wakeup page for the {props.name}.</span>

@@ -278,7 +278,7 @@ spec:
     solvers:
     - http01:
         ingress:
-          ingressClassName: nginx
+          ingressClassName: nginx # the ingress-nginx project has been deprecated, we recommend using a different ingress class # the ingress-nginx project has been deprecated, we recommend using a different ingress class
-          ingressClassName: nginx # the ingress-nginx project has been deprecated, we recommend using a different ingress class # the ingress-nginx project has been deprecated, we recommend using a different ingress class
+          ingressClassName: nginx # the ingress-nginx project has been deprecated, we recommend using a different ingress class
-          ingressClassName: nginx # the ingress-nginx project has been deprecated, we recommend using a different ingress class # the ingress-nginx project has been deprecated, we recommend using a different ingress class
+          ingressClassName: nginx # the ingress-nginx project has been deprecated, we recommend using a different ingress class
     - dns01:
         cloudflare:
           email: [email protected]
@@ -414,7 +414,7 @@ kind: Ingress
 metadata:
   name: secure-app-ingress
   annotations:
-    kubernetes.io/ingress.class: nginx
+    kubernetes.io/ingress.class: nginx # ingress-nginx has been deperecated
-    kubernetes.io/ingress.class: nginx # ingress-nginx has been deperecated
+    kubernetes.io/ingress.class: nginx # ingress-nginx has been deprecated
-    kubernetes.io/ingress.class: nginx # ingress-nginx has been deperecated
+    kubernetes.io/ingress.class: nginx # ingress-nginx has been deprecated
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
 spec:
   tls:

@@ -27,7 +27,7 @@ EOF
 </Step>
 
 <Step>
-Install the NGINX `IngressController`.
+[Deprecated]: [Deprecated]: [Deprecated]: Install the NGINX `IngressController`.
-[Deprecated]: [Deprecated]: [Deprecated]: Install the NGINX `IngressController`.
+[Deprecated]: Install the NGINX `IngressController`.
-[Deprecated]: [Deprecated]: [Deprecated]: Install the NGINX `IngressController`.
+[Deprecated]: Install the NGINX `IngressController`.
-[Deprecated]: [Deprecated]: [Deprecated]: Install the NGINX `IngressController`.
+[Deprecated]: Install the NGINX `IngressController`.
-[Deprecated]: [Deprecated]: [Deprecated]: Install the NGINX `IngressController`.
+[Deprecated]: Install the NGINX `IngressController`.
 
 ```shell title="install ingress controller"
 helm install ingress-nginx ingress-nginx/ingress-nginx \

@@ -14,7 +14,7 @@ import DeployConfig from '../../_partials/config/deploy.mdx';
 
 vCluster supports addons that extend the functionality of your virtual cluster. You can configure these addons during deployment to adjust networking, observability, and other features for your environment and requirements.
 
-### Ingress Nginx
+### [Deprecated]: Ingress Nginx
 <TenancySupport privateNodes="true" hostNodes="true" />
 
 vCluster can install [ingress nginx](https://kubernetes.github.io/ingress-nginx/) into the vCluster. This can be enabled via:

@@ -53,7 +53,7 @@ metadata:
   name: example-ingress
   namespace: bar
 spec:
-  ingressClassName: nginx
+  ingressClassName: nginx # the ingress-nginx project has been deprecated, we recommend using a different ingress class # the ingress-nginx project has been deprecated, we recommend using a different ingress class
-  ingressClassName: nginx # the ingress-nginx project has been deprecated, we recommend using a different ingress class # the ingress-nginx project has been deprecated, we recommend using a different ingress class
+  ingressClassName: nginx # the ingress-nginx project has been deprecated, we recommend using a different ingress class
-  ingressClassName: nginx # the ingress-nginx project has been deprecated, we recommend using a different ingress class # the ingress-nginx project has been deprecated, we recommend using a different ingress class
+  ingressClassName: nginx # the ingress-nginx project has been deprecated, we recommend using a different ingress class
   rules:
     - http:
         paths:

@@ -105,7 +105,7 @@ Sleep mode tracks certain actions to detect activity and wake the cluster when n
 - Attempting to contact ingress endpoints (NGINX and Istio only).
 
 :::note
-Ingress activity detection with the [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/main) ingress controller relies on the [mirror-target](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#mirror) annotation, which will overwrite any previously set mirror-target annotation.
+Ingress activity detection with the [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/main) (deprecated) ingress controller relies on the [mirror-target](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#mirror) annotation, which will overwrite any previously set mirror-target annotation.
 :::
 
 ### Ignore other types of activity in sleep mode

@@ -28,7 +28,7 @@ This approach is useful in scenarios where selective access to ingress configura
 - **Multi-tenancy**: Enable teams to use their own IngressClass resources while sharing a single host cluster.
 - **Security**: Restrict the IngressClass resources available in the virtual cluster to enforce access control and prevent unintended configurations.
 
-<ClassSyncing showResource="true" lowercaseResource="ingress" resource="Ingress" pluralResource="ingresses" lowercaseResourceClass="ingressclass" resourceClass="IngressClass" pluralResourceClass="ingressClasses" resourceClassName="IngressClassName" expressionKey="kubernetes.io/ingress.class" expressionValue1="nginx" expressionValue2="traefik" />
+<ClassSyncing showResource="true" lowercaseResource="ingress" resource="Ingress" pluralResource="ingresses" lowercaseResourceClass="ingressclass" resourceClass="IngressClass" pluralResourceClass="ingressClasses" resourceClassName="IngressClassName" expressionKey="kubernetes.io/ingress.class" expressionValue1="istio" expressionValue2="traefik" />
 
 ## Config reference
 

@@ -54,7 +54,7 @@ vcluster connect my-vcluster -n my-vcluster --server my-domain.org
 
 By default, vCluster updates the current kubeconfig to access the vCluster that contains the default admin client certificate and client key to authenticate to the vCluster. This means that all kubeconfig files generated have cluster admin access within the vCluster.
 
-Often this might not be desired. Instead of giving a user admin access to the virtual cluster, you can also use [service account authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens) to the virtual cluster. Let's say we want to create a kubeconfig file that only has view access in the virtual cluster. Then you would create a new service account inside the vCluster and assign it the cluster role `view` via a cluster role binding. Then we would generate a service account token and use that instead of the client-cert and client-key inside the kubeconfig.
+Often this might not be desired. Instead of giving a user admin access to the virtual cluster, you can also use [service account authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens) to the virtual cluster. Say we want to create a kubeconfig file that only has view access in the virtual cluster. Then you would create a new service account inside the vCluster and assign it the cluster role `view` via a cluster role binding. Then we would generate a service account token and use that instead of the client-cert and client-key inside the kubeconfig.
 
 ```
 vcluster connect my-vcluster -n my-vcluster --service-account kube-system/my-user --cluster-role view
@@ -104,7 +104,7 @@ Error from server (Forbidden): namespaces is forbidden: User "system:serviceacco
 
 You can replace the token field in the kubeconfig with any other service account token from inside the vCluster to act as this service account against the vCluster. For more information about service accounts and tokens, refer to the [official Kubernetes documentation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens).
 
-## Retrieving the kubeconfig from the vCluster secret
+## Retrieve the kubeconfig from the vCluster secret
 
 <TenancySupport hostNodes="true" privateNodes="true"/>
 
@@ -223,7 +223,7 @@ If you are using a local Kubernetes cluster, such as docker-desktop, rancher-des
 
   An [Ingress Controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) with SSL passthrough support provide the best user experience, but there is a workaround if this feature is not natively supported.
 
-  - [Kubernetes Nginx](https://kubernetes.github.io/ingress-nginx/user-guide/tls/#ssl-passthrough)
+  - [Kubernetes Nginx (DEPRECATED)](https://kubernetes.github.io/ingress-nginx/user-guide/tls/#ssl-passthrough)
   - [Traefik Proxy](https://doc.traefik.io/traefik/routing/routers/#passthrough)
   - [Emissary](https://www.getambassador.io/docs/emissary/latest/topics/using/tcpmappings#tls-termination)
 

@@ -17,7 +17,7 @@ This guide shows how to use vCluster and GitHub Actions to deploy preview enviro
 
 ### Install an `IngressController`
 
-Make sure to install an `IngressController` into the Kubernetes cluster where the preview environments should get created. Loft recommends [ingress-nginx](https://github.com/kubernetes/ingress-nginx), which can be installed through the platform under Cluster > Apps.
+Make sure to install an `IngressController` into the Kubernetes cluster where the preview environments should get created.
 
 ### Configure preview environments domain