nginx
diff --git a/‎cmd/nginx-ingress/main.go‎
Lines changed: 11 additions & 3 deletions b/‎cmd/nginx-ingress/main.go‎
Lines changed: 11 additions & 3 deletions
diff --git a/‎deployments/common/crds/k8s.nginx.org_policies.yaml‎
Lines changed: 1 addition & 1 deletion b/‎deployments/common/crds/k8s.nginx.org_policies.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎deployments/helm-chart/README.md‎
Lines changed: 4 additions & 3 deletions b/‎deployments/helm-chart/README.md‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎deployments/helm-chart/crds/k8s.nginx.org_policies.yaml‎
Lines changed: 1 addition & 1 deletion b/‎deployments/helm-chart/crds/k8s.nginx.org_policies.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎deployments/helm-chart/templates/controller-daemonset.yaml‎
Lines changed: 1 addition & 0 deletions b/‎deployments/helm-chart/templates/controller-daemonset.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎deployments/helm-chart/templates/controller-deployment.yaml‎
Lines changed: 1 addition & 0 deletions b/‎deployments/helm-chart/templates/controller-deployment.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎deployments/helm-chart/values.yaml‎
Lines changed: 4 additions & 1 deletion b/‎deployments/helm-chart/values.yaml‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎docs/content/configuration/global-configuration/command-line-arguments.md‎
Lines changed: 9 additions & 1 deletion b/‎docs/content/configuration/global-configuration/command-line-arguments.md‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎docs/content/configuration/policy-resource.md‎
Lines changed: 1 addition & 5 deletions b/‎docs/content/configuration/policy-resource.md‎
Lines changed: 1 addition & 5 deletions
diff --git a/‎docs/content/installation/installation-with-helm.md‎
Lines changed: 2 additions & 1 deletion b/‎docs/content/installation/installation-with-helm.md‎
Lines changed: 2 additions & 1 deletion
@@ -163,7 +163,10 @@ var (
 		"Enable custom resources")
 
 	enablePreviewPolicies = flag.Bool("enable-preview-policies", false,
-		"Enable preview policies")
+		"Enable preview policies. This flag is deprecated. To enable OIDC Policies please use -enable-oidc instead.")
+
+	enableOIDC = flag.Bool("enable-oidc", false,
+		"Enable OIDC Policies.")
 
 	enableSnippets = flag.Bool("enable-snippets", false,
 		"Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources.")
@@ -250,6 +253,11 @@ func main() {
 		glog.Fatal("enable-tls-passthrough flag requires -enable-custom-resources")
 	}
 
+	if *enablePreviewPolicies {
+		glog.Warning("enable-preview-policies is universally deprecated. To enable OIDC Policies please use -enable-oidc instead.")
+	}
+	*enableOIDC = *enablePreviewPolicies || *enableOIDC
+
 	if *appProtect && !*nginxPlus {
 		glog.Fatal("NGINX App Protect support is for NGINX Plus only")
 	}
@@ -580,7 +588,7 @@ func main() {
 		MainAppProtectLoadModule:       *appProtect,
 		MainAppProtectDosLoadModule:    *appProtectDos,
 		EnableLatencyMetrics:           *enableLatencyMetrics,
-		EnablePreviewPolicies:          *enablePreviewPolicies,
+		EnableOIDC:                     *enableOIDC,
 		SSLRejectHandshake:             sslRejectHandshake,
 		EnableCertManager:              *enableCertManager,
 	}
@@ -690,7 +698,7 @@ func main() {
 		ConfigMaps:                   *nginxConfigMaps,
 		GlobalConfiguration:          *globalConfiguration,
 		AreCustomResourcesEnabled:    *enableCustomResources,
-		EnablePreviewPolicies:        *enablePreviewPolicies,
+		EnableOIDC:                   *enableOIDC,
 		MetricsCollector:             controllerCollector,
 		GlobalConfigurationValidator: globalConfigurationValidator,
 		TransportServerValidator:     transportServerValidator,
 
@@ -99,7 +99,7 @@ spec:
                     token:
                       type: string
                 oidc:
-                  description: 'OIDC defines an Open ID Connect policy. policy status: preview'
+                  description: OIDC defines an Open ID Connect policy.
                   type: object
                   properties:
                     authEndpoint:
 
@@ -182,7 +182,8 @@ Parameter | Description | Default
 `controller.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass`. | false
 `controller.watchNamespace` | Namespace to watch for Ingress resources. By default the Ingress controller watches all namespaces. | ""
 `controller.enableCustomResources` | Enable the custom resources. | true
-`controller.enablePreviewPolicies` | Enable preview policies. | false
+`controller.enablePreviewPolicies` | Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use `controller.enableOIDC` instead. | false
+`controller.enableOIDC` | Enable OIDC policies. | false
 `controller.enableTLSPassthrough` | Enable TLS Passthrough on port 443. Requires `controller.enableCustomResources`. | false
 `controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false
 `controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false
@@ -216,7 +217,7 @@ Parameter | Description | Default
 `controller.serviceAccount.imagePullSec
6F26
retName` | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. | ""
 `controller.reportIngressStatus.enable` | Updates the address field in the status of Ingress resources with an external address of the Ingress controller. You must also specify the source of the external address either through an external service via `controller.reportIngressStatus.externalService`, `controller.reportIngressStatus.ingressLink` or the `external-status-address` entry in the ConfigMap via `controller.config.entries`. **Note:** `controller.config.entries.external-status-address` takes precedence over the others. | true
 `controller.reportIngressStatus.externalService` | Specifies the name of the service with the type LoadBalancer through which the Ingress controller is exposed externally. The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. The default is autogenerated and enabled when `controller.service.create` is set to `true` and `controller.service.type` is set to `LoadBalancer`. | Autogenerated
-`controller.reportIngressStatus.ingressLink` |  Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. | ""
+`controller.reportIngressStatus.ingressLink` | Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. | ""
 `controller.reportIngressStatus.enableLeaderElection` | Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. `controller.reportIngressStatus.enable` must be set to `true`. | true
 `controller.reportIngressStatus.leaderElectionLockName` | Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. | Autogenerated
 `controller.reportIngressStatus.annotations` | The annotations of the leader election configmap. | {}
@@ -230,7 +231,7 @@ Parameter | Description | Default
 `controller.appprotectdos.memory` | RAM memory size to consume in MB. | 50% of free RAM in the container or 80MB, the smaller
 `controller.readyStatus.enable` | Enables the readiness endpoint `"/nginx-ready"`. The endpoint returns a success code when NGINX has loaded all the config after the startup. This also configures a readiness probe for the Ingress Controller pods that uses the readiness endpoint. | true
 `controller.readyStatus.port` | The HTTP port for the readiness endpoint. | 8081
-`controller.enableLatencyMetrics` |  Enable collection of latency metrics for upstreams. Requires `prometheus.create`. | false
+`controller.enableLatencyMetrics` | Enable collection of latency metrics for upstreams. Requires `prometheus.create`. | false
 `rbac.create` | Configures RBAC. | true
 `prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | false
 `prometheus.port` | Configures the port to scrape the metrics. | 9113
 
@@ -99,7 +99,7 @@ spec:
                     token:
                       type: string
                 oidc:
-                  description: 'OIDC defines an Open ID Connect policy. policy status: preview'
+                  description: OIDC defines an Open ID Connect policy.
                   type: object
                   properties:
                     authEndpoint:
 
@@ -182,6 +182,7 @@ spec:
           - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }}
           - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }}
           - -enable-cert-manager={{ .Values.controller.enableCertManager }}
+          - -enable-oidc={{ .Values.controller.enableOIDC }}
 {{- if .Values.controller.globalConfiguration.create }}
           - -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.name" . }}
 {{- end }}
 
@@ -180,6 +180,7 @@ spec:
           - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }}
           - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }}
           - -enable-cert-manager={{ .Values.controller.enableCertManager }}
+          - -enable-oidc={{ .Values.controller.enableOIDC }}
 {{- if .Values.controller.globalConfiguration.create }}
           - -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.name" . }}
 {{- end }}
 
@@ -162,9 +162,12 @@ controller:
   ## Enable the custom resources.
   enableCustomResources: true
 
-  ## Enable preview policies.
+  ## Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use controller.enableOIDC instead.
   enablePreviewPolicies: false
 
+  ## Enable OIDC policies.
+  enableOIDC: false
+
   ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources.
   enableTLSPassthrough: false
 
 
@@ -59,7 +59,15 @@ Default `true`.
 
 ### -enable-preview-policies
 
-Enables preview policies.
+Enables preview policies. This flag is deprecated. To enable OIDC Policies please[-enable-oidc](#cmdoption-enable-oidc) instead.
+
+Default `false`.
+&nbsp;
+<a name="cmdoption-enable-oidc"></a>
+
+### -enable-oidc
+
+Enables OIDC policies.
 
 Default `false`.
 &nbsp;
 
@@ -276,7 +276,7 @@ In this example the Ingress Controller will use the configuration from the first
 
 ### OIDC
 
-> **Feature Status**: OIDC is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.
+> **Feature Status**: This feature is disabled by default. To enable it, set the [enable-oidc](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-oidc) command-line argument of the Ingress Controller.
 
 The OIDC policy configures NGINX Plus as a relying party for OpenID Connect authentication.
 
@@ -532,7 +532,3 @@ Status:
 ```
 
 **Note**: If you make an existing resource invalid, the Ingress Controller will reject it.
-
-## Footnotes
-
-[^1]: Capabilities labeled in preview status are fully supported.
@@ -185,7 +185,8 @@ The following tables lists the configurable parameters of the NGINX Ingress cont
 |``controller.setAsDefaultIngress`` | New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. | false |
 |``controller.watchNamespace`` | Namespace to watch for Ingress resources. By default the Ingress controller watches all namespaces. | "" |
 |``controller.enableCustomResources`` | Enable the custom resources. | true |
-|``controller.enablePreviewPolicies`` | Enable preview policies. | false |
+|``controller.enablePreviewPolicies`` | Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use ``controller.enableOIDC`` instead. | false |
+|``controller.enableOIDC`` | Enable OIDC policies. | false |
 |``controller.enableTLSPassthrough`` | Enable TLS Passthrough on port 443. Requires ``controller.enableCustomResources``. | false |
 |``controller.globalConfiguration.create`` | Creates the GlobalConfiguration custom resource. Requires ``controller.enableCustomResources``. | false |
 |``controller.globalConfiguration.spec`` | The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. | {} |