Merge branch 'main' into ngf-release-2.3

Author: ADubhlaoich

.github/workflows/ossf_scorecard.yml

@@ -56,6 +56,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: Upload SARIF results to code scanning
-        uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v3.29.5
+        uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v3.29.5
         with:
           sarif_file: results.sarif

content/nap-dos/deployment-guide/learn-about-deployment.md

@@ -1378,7 +1378,7 @@ You need root permissions to execute the following steps.
 
     # prepare environment
     mkdir -p /var/run/adm /tmp/cores ${LOGDIR}
-    chmod55 /var/run/adm /tmp/cores ${LOGDIR}
+    chmod 755 /var/run/adm /tmp/cores ${LOGDIR}
     chown ${USER}:${USER} /var/run/adm /tmp/cores ${LOGDIR}
 
     # run processes
@@ -1867,7 +1867,8 @@ Make sure to replace upstream and proxy pass directives in this example with rel
     chown ${USER}:${USER} /var/run/adm /tmp/cores ${LOGDIR}
 
     # run processes
-    /bin/su -s /bin/bash -c "/usr/bin/adminstall > ${LOGDIR}/adminstall.log 2>&1" ${USER}/bin/su -s /bin/bash -c '/opt/app_protect/bin/bd_agent &' ${USER}
+    /bin/su -s /bin/bash -c "/usr/bin/adminstall > ${LOGDIR}/adminstall.log 2>&1" ${USER}
+    /bin/su -s /bin/bash -c '/opt/app_protect/bin/bd_agent &' ${USER}
     /bin/su -s /bin/bash -c "/usr/share/ts/bin/bd-socket-plugin tmm_count 4 proc_cpuinfo_cpu_mhz 2000000 total_xml_memory 307200000 total_umu_max_size 3129344 sys_max_account_id 1024 no_static_config 2>&1 > /var/log/app_protect/bd-socket-plugin.log &" ${USER}
     /bin/su -s /bin/bash -c "/usr/bin/admd -d --log info > ${LOGDIR}/admd.log 2>&1 &" ${USER}
     /usr/sbin/nginx -g 'daemon off;'
@@ -2237,9 +2238,9 @@ Review the syslog ports by entering the following command:
 semanage port -l | grep syslog
 ```
 
-### Kubernetes Deployment Examples
+## Kubernetes Deployment Examples
 
-#### App Protect DoS
+### App Protect DoS
 
 `appprotect-dos.yaml`:
 
@@ -2425,6 +2426,9 @@ http {
     app_protect_dos_security_log "/etc/app_protect_dos/log-default.json" /var/log/adm/logger.log;
     # app_protect_dos_security_log "/etc/app_protect_dos/log-default.json" syslog:server=1.2.3.4:5261;
 
+    app_protect_dos_liveness on;    # uri:/app_protect_dos_liveness port:8090
+    app_protect_dos_readiness on;   # uri:/app_protect_dos_readiness port:8090
+
     server {
         listen 80 reuseport;
         server_name serv;
@@ -2447,9 +2451,6 @@ http {
         listen 8090;
         server_name probe;
 
-        app_protect_dos_liveness on;    # uri:/app_protect_dos_liveness port:8090
-        app_protect_dos_readiness on;   # uri:/app_protect_dos_readiness port:8090
-
         location / {
             proxy_pass http://localhost:8091;
         }
@@ -2466,7 +2467,7 @@ http {
 }
 ```
 
-#### App Protect DoS arb
+### App Protect DoS arb
 
 Arbitrator (arb) is an internal service that is essential for the scaling scenarios. The arbitrator service should be deployed in the same namespace as F5 DoS for NGINX.
 

content/nic/_index.md

@@ -27,10 +27,10 @@ It supports standard [Ingress]({{< ref "/nic/glossary.md#ingress">}}) features s
 ## Featured content
 
 {{<card-section showAsCards="true" isFeaturedSection="true">}}
-  {{<card title="Install NGINX Ingress Controller with Helm" titleUrl="/nginx-ingress-controller/installation/installing-nic/installation-with-helm">}}
+  {{<card title="Install NGINX Ingress Controller with Helm" titleUrl="/nginx-ingress-controller/install/helm">}}
     Use Helm to deploy and configure a NGINX Ingress Controller cluster
   {{</card>}}
-  {{<card title="Migrate from Ingress-NGINX Controller" titleUrl="/nginx-ingress-controller/installation/ingress-nginx">}}
+  {{<card title="Migrate from Ingress-NGINX Controller" titleUrl="/nginx-ingress-controller/install/ingress-nginx">}}
     Replace an Ingress-NGINX cluster with NGINX Ingress Controller
   {{</card>}}
   {{<card title="Changelog" titleUrl="/nginx-ingress-controller/changelog">}}

content/nic/install/helm/_index.md

@@ -0,0 +1,5 @@
+---
+title: Helm
+weight: 100
+url: /nginx-ingress-controller/install/helm/
+---

content/nic/install/helm/open-source.md

@@ -0,0 +1,155 @@
+---
+title: Use Helm to Install NGINX Ingress Controller with NGINX Open Source
+linkTitle: NGINX Open Source
+toc: true
+weight: 100
+nd-content-type: how-to
+nd-product: INGRESS
+---
+
+This page describes how to use Helm to install F5 NGINX Ingress Controller with NGINX Open Source. 
+
+It explains the requirements for NGINX Ingress Controller, how to obtain and install the Helm chart, and what custom resource definitions (CRDs) are installed during the process.
+
+By following these instructions, you will finish with a functional NGINX Ingress Controller instance for your Kubernetes cluster.
+
+## Before you begin
+
+- A [supported Kubernetes version]({{< ref "/nic/technical-specifications.md#supported-kubernetes-versions" >}})
+- A functional Kubernetes cluster
+- [Helm 3.19+.](https://helm.sh/docs/intro/install)
+
+Throughout this page, you will see placeholder values indicated with angular brackets, such as **\<my-release\>**. Replace them accordingly for your installation.
+
+{{< call-out "warning" >}}
+
+The `edge` version **is not intended for production use**. It is intended for testing and development purposes only.
+
+{{< /call-out >}}
+
+If you'd like to test the latest changes in NGINX Ingress Controller before a new release, you can install the `edge` version, which is built from the `main` branch of the [NGINX Ingress Controller repository](https://github.com/nginx/kubernetes-ingress).
+
+You can install the `edge` version by specifying the `--version` flag with the value `0.0.0-edge`:
+
+```shell
+helm install <my-release> oci://ghcr.io/nginx/charts/nginx-ingress --version 0.0.0-edge
+```
+
+## Install the Helm chart
+
+You have two options for installing the Helm chart: directly from the OCI registry, or using the source.
+
+### OCI Registry
+
+To install NGINX Ingress Controller using the OCI registry, run this command with your release name:
+
+```shell
+helm install <my-release> oci://ghcr.io/nginx/charts/nginx-ingress --version {{< nic-helm-version >}}
+```
+
+{{< details summary="Example output" >}}
+
+```text
+Pulled: ghcr.io/nginx/charts/nginx-ingress:2.3.1
+Digest: sha256:bb452d593c31b6be39f459f9604882e170227429821bac01e7ddd7da16d91ba1
+NAME: h4-oss
+LAST DEPLOYED: Fri Nov 28 11:53:57 2025
+NAMESPACE: default
+STATUS: deployed
+REVISION: 1
+DESCRIPTION: Install complete
+TEST SUITE: None
+NOTES:
+NGINX Ingress Controller 5.2.1 has been installed.
+
+For release notes for this version please see: https://docs.nginx.com/nginx-ingress-controller/releases/
+
+Installation and upgrade instructions: https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/
+```
+
+{{< /details >}}
+
+### From source
+
+To install NGINX Ingress Controller from source, first pull the chart by running this command:
+
+```shell
+helm pull oci://ghcr.io/nginx/charts/nginx-ingress --untar --version {{< nic-helm-version >}}
+```
+
+{{< details summary="Example output" >}}
+
+```text
+Pulled: ghcr.io/nginx/charts/nginx-ingress:2.3.1
+Digest: sha256:bb452d593c31b6be39f459f9604882e170227429821bac01e7ddd7da16d91ba1
+```
+
+{{< /details >}}
+
+Then use the `cd` command to change your working directory to _nginx-ingress_:
+
+```shell
+cd nginx-ingress
+```
+
+Finally, install the chart with your release name with `helm install`:
+
+```shell
+helm install <my-release> . 
+```
+
+{{< details summary="Example output" >}}
+
+```text
+NAME: h4-oss-source
+LAST DEPLOYED: Fri Nov 28 12:06:07 2025
+NAMESPACE: default
+STATUS: deployed
+REVISION: 1
+DESCRIPTION: Install complete
+TEST SUITE: None
+NOTES:
+NGINX Ingress Controller 5.2.1 has been installed.
+
+For release notes for this version please see: https://docs.nginx.com/nginx-ingress-controller/releases/
+
+Installation and upgrade instructions: https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/
+```
+
+{{< /details >}}
+
+## Verify the deployment
+
+To verify that NGINX Ingress Controller has been installed correctly, you can review `ingressclasses` with `kubectl get`:
+
+```shell
+kubectl get ingressclasses
+```
+
+{{< details summary="Example output" >}}
+
+```text
+NAME    CONTROLLER                     PARAMETERS   AGE
+nginx   nginx.org/ingress-controller   <none>       10m
+```
+
+{{< /details >}}
+
+## Custom Resource Definitions
+
+When installing the chart, Helm will install the required CRDs. Without them, NGINX Ingress Controller pods will not become _Ready_.
+
+If you do not use the custom resources that require those CRDs, add the parameter `--skip-crds` in your `helm install` command.
+
+The following chart parameters should be set to `false`:
+
+- `controller.enableCustomResources`
+- `controller.appprotect.enable`
+- `controller.appprotectdos.enable`
+
+## Next steps
+
+- [NGINX Ingress Controller Helm chart parameters]({{< ref "/nic/install/helm/parameters.md" >}})
+- [Security recommendations]({{< ref "/nic/configuration/security.md" >}})
+- [Basic configuration]({{< ref "/nic/configuration/ingress-resources/basic-configuration.md" >}})
+- [Extensibility with NGINX Plus]({{< ref "/nic/overview/nginx-plus.md" >}})