From d014b72eea967159e07298b4b8aaf871673aa390 Mon Sep 17 00:00:00 2001 From: Venktesh Shivam Patel Date: Tue, 30 Sep 2025 16:38:00 +0100 Subject: [PATCH 01/15] nic: add docs for sslVerify in JWT policy (#1198) --- content/nic/configuration/policy-resource.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/content/nic/configuration/policy-resource.md b/content/nic/configuration/policy-resource.md index 8efcc0064..d803f4207 100644 --- a/content/nic/configuration/policy-resource.md +++ b/content/nic/configuration/policy-resource.md @@ -456,6 +456,9 @@ This feature is implemented using the NGINX Plus directive [auth_jwt_key_request |``token`` | The token specifies a variable that contains the JSON Web Token. By default the JWT is passed in the ``Authorization`` header as a Bearer Token. JWT may be also passed as a cookie or a part of a query string, for example: ``$cookie_auth_token``. Accepted variables are ``$http_``, ``$arg_``, ``$cookie_``. | ``string`` | No | -- | |``sniEnabled`` | Enables SNI (Server Name Indication) for the JWT policy. This is useful when the remote server requires SNI to serve the correct certificate. | ``bool`` | No | `false` | |``sniName`` | The SNI name to use when connecting to the remote server. If not set, the hostname from the ``jwksURI`` will be used. | ``string`` | No | -- | +|``sslVerify`` | Enables verification of the JWKS server SSL certificate. | ``bool`` | No | `false` | +|``sslVerifyDepth`` | Sets the verification depth in the JWKS server certificates chain. | ``int`` | No | `1` | +|``trustedCertSecret`` | The name of the Kubernetes secret that stores the CA certificate for JWKS server verification. It must be in the same namespace as the Policy resource. The secret must be of the type ``nginx.org/ca``, and the certificate must be stored in the secret under the key ``ca.crt``. | ``string`` | No | -- | {{% /table %}} {{< call-out "note" >}} From d718d30e8c02af227d3779f534d125263bd07e8a Mon Sep 17 00:00:00 2001 
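Review bot: in PATCH 01/15, the `sslVerify` row documents a default of `false` without saying what that means for the JWKS fetch. With that default, the keys used to validate tokens are retrieved from `jwksURI` without checking the server certificate, so the row (or the note that follows the table) should say so and recommend setting `sslVerify` to `true` together with `trustedCertSecret`. The `trustedCertSecret` row should also state whether it is required when `sslVerify` is enabled and which CA store is used if it is omitted.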
From: Venktesh Shivam Patel Date: Thu, 23 Oct 2025 09:57:02 +0100 Subject: [PATCH 02/15] nic: add ssl cipher annotations (#1353) --- .../advanced-configuration-with-annotations.md | 2 ++ .../advanced-configuration-with-annotations.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md b/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md index 0cda88373..a7a130da6 100644 --- a/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md +++ b/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md 
@@ -138,6 +138,8 @@ The table below summarizes the available annotations. | *nginx.org/hsts-behind-proxy* | *hsts-behind-proxy* | Enables HSTS based on the value of the ``http_x_forwarded_proto* request header. Should only be used when TLS termination is configured in a load balancer (proxy) in front of NGINX Ingress Controller. Note: to control redirection from HTTP to HTTPS configure the ``nginx.org/redirect-to-https* annotation. | *False* | | | *nginx.org/basic-auth-secret* | N/A | Specifies a Secret resource with a user list for HTTP Basic authentication. | N/A | | | *nginx.org/basic-auth-realm* | N/A | Specifies a realm. | N/A | | +| *nginx.org/ssl-ciphers* | *ssl-ciphers* | Sets the value of the [ssl_ciphers](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) directive. | N/A | *HIGH:!aNULL:!MD5* | +| *nginx.org/ssl-prefer-server-ciphers* | *ssl-prefer-server-ciphers* | Enables or disables the [ssl_prefer_server_ciphers](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers) directive. | *False* | | | *nginx.com/jwt-key* | N/A | Specifies a Secret resource with keys for validating JSON Web Tokens (JWTs). | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | | *nginx.com/jwt-realm* | N/A | Specifies a realm. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | | *nginx.com/jwt-token* | N/A | Specifies a variable that contains a JSON Web Token. | By default, a JWT is expected in the ``Authorization* header as a Bearer Token. | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | 
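Review bot: in the `nginx.org/ssl-ciphers` row, `HIGH:!aNULL:!MD5` sits in the last column, which the neighbouring `nginx.com/jwt-*` rows use for example links, while the default column reads N/A. If that string is the value applied when the annotation is absent, move it to the default column; if it is only a sample, label it as one and state what is emitted when the annotation is not set. The same two rows are added to the copy under `content/nic/`, so the fix applies to both files.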
diff --git a/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md b/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md index 8fb2b4d3c..380f21581 100644 --- a/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md +++ b/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md 
@@ -139,6 +139,8 @@ The table below summarizes the available annotations. | *nginx.org/hsts-behind-proxy* | *hsts-behind-proxy* | Enables HSTS based on the value of the `http_x_forwarded_proto` request header. Should only be used when TLS termination is configured in a load balancer (proxy) in front of NGINX Ingress Controller. Note: to control redirection from HTTP to HTTPS configure the `nginx.org/redirect-to-https` annotation. | *False* | | | *nginx.org/basic-auth-secret* | N/A | Specifies a Secret resource with a user list for HTTP Basic authentication. | N/A | | | *nginx.org/basic-auth-realm* | N/A | Specifies a realm. | N/A | | +| *nginx.org/ssl-ciphers* | *ssl-ciphers* | Sets the value of the [ssl_ciphers](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) directive. | N/A | *HIGH:!aNULL:!MD5* | +| *nginx.org/ssl-prefer-server-ciphers* | *ssl-prefer-server-ciphers* | Enables or disables the [ssl_prefer_server_ciphers](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers) directive. | *False* | | | *nginx.com/jwt-key* | N/A | Specifies a Secret resource with keys for validating JSON Web Tokens (JWTs). | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | | *nginx.com/jwt-realm* | N/A | Specifies a realm. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | | *nginx.com/jwt-token* | N/A | Specifies a variable that contains a JSON Web Token. | By default, a JWT is expected in the `Authorization` header as a Bearer Token. | [Support for JSON Web Tokens (JWTs)](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/jwt). | From 30991bc9867d30b2cca9c563eea406c278074441 Mon Sep 17 00:00:00 2001 
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Mon, 3 Nov 2025 11:18:21 +0000 Subject: [PATCH 03/15] feat: helm HorizontalPodAutoscaler creation flag (#1355) --- .../nic/installation/installing-nic/installation-with-helm.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/nic/installation/installing-nic/installation-with-helm.md b/content/nic/installation/installing-nic/installation-with-helm.md index a8a4c4eec..2f131c15c 100644 --- a/content/nic/installation/installing-nic/installation-with-helm.md +++ b/content/nic/installation/installing-nic/installation-with-helm.md @@ -272,6 +272,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont | **controller.enableLatencyMetrics** | Enable collection of latency metrics for upstreams. Requires `prometheus.create`. | false | | **controller.minReadySeconds** | Specifies the minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available. [docs](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds) | 0 | | **controller.autoscaling.enabled** | Enables HorizontalPodAutoscaling. | false | +| **controller.autoscaling.create** | Create the HorizontalPodAutoscaler resource. This can be set to false to manage the HPA externally. | true | | **controller.autoscaling.annotations** | The annotations of the NGINX Ingress Controller HorizontalPodAutoscaler. | {} | | **controller.autoscaling.behavior** | Behavior configuration for the HPA. | {} | | **controller.autoscaling.minReplicas** | Minimum number of replicas for the HPA. | 1 | From 3735ffb70dc8617b38e4c133348f20016433cad8 Mon Sep 17 00:00:00 2001 
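Review bot: in PATCH 03/15, the new `controller.autoscaling.create` row does not say how it interacts with `controller.autoscaling.enabled` on the line above it. State whether `create` is only honoured when `enabled` is `true`, and what `enabled: true` with `create: false` still changes in the chart, so that a reader who manages the HPA externally knows which of the two to set.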
From: AlexFenlon Date: Fri, 7 Nov 2025 11:55:29 +0000 Subject: [PATCH 04/15] feat: add OIDC timeout config options to NIC ConfigMap (#1413) feat: Add OIDC Timeout to NIC ConfigMap --- .../global-configuration/configmap-resource.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/content/nic/configuration/global-configuration/configmap-resource.md b/content/nic/configuration/global-configuration/configmap-resource.md index 4910a66d2..0e56b828b 100644 --- a/content/nic/configuration/global-configuration/configmap-resource.md +++ b/content/nic/configuration/global-configuration/configmap-resource.md @@ -178,6 +178,17 @@ If you encounter the error `error [emerg] 13#13: "zone_sync" directive is duplic |*zone-sync-resolver-ipv6* | Configures whether the optional [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) directive for zone-sync will look up IPv6 addresses. NGINX Plus & `zone-sync` Required | `true` | |*zone-sync-resolver-valid* | Configures an [NGINX time](https://nginx.org/en/docs/syntax.html) that the optional [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) directive for zone-sync will override the TTL value of responses from nameservers with. NGINX Plus & `zone-sync` Required | `5s` | +### OIDC (OpenID Connect) Timeouts + +For more information on timeouts, see [here](https://github.com/nginxinc/nginx-openid-connect?tab=readme-ov-file#configuring-the-key-value-store) + +|ConfigMap Key | Description | Default | +| ---| ---| ---| +| *oidc-pkce-timeout* | Sets the timeout for PKCE (Proof Key for Code Exchange) in OIDC. | `90s` | +| *oidc-id-tokens-timeout* | Sets the timeout for ID tokens in OIDC. | `1h` | +| *oidc-access-tokens-timeout* | Sets the timeout for access tokens in OIDC. | `1h` | +| *oidc-refresh-tokens-timeout* | Sets the timeout for refresh tokens in OIDC. | `24h` | +| *oidc-sids-timeout* | Sets the timeout for session IDs in OIDC. | `24h` | ### Snippets and custom templates 
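Review bot: the five descriptions in the OIDC timeouts table restate the key name ("Sets the timeout for ID tokens in OIDC.") without saying what times out. The linked section is about the key-value store, so say whether each value is the lifetime of the corresponding entry in that store and what the user sees when it expires; the `24h` defaults for refresh tokens and session IDs need that explanation in particular. Also replace the link text "here" with a descriptive label, end that sentence with a period, and say whether these keys need NGINX Plus, as the zone-sync rows above do.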
From 8853b37736fab3191dad6218ff48e1beb9a01f76 Mon Sep 17 00:00:00 2001 From: Venktesh Shivam Patel Date: Fri, 7 Nov 2025 15:20:43 +0000 Subject: [PATCH 05/15] feat: add documentation for new ingress annotation(#1415) --- .../ingress-resources/advanced-configuration-with-annotations.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md b/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md index 380f21581..8746ff11b 100644 --- a/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md +++ b/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md 
@@ -123,6 +123,7 @@ The table below summarizes the available annotations. | *nginx.org/proxy-hide-headers* | *proxy-hide-headers* | Sets the value of one or more [proxy_hide_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) directives. Example: `"nginx.org/proxy-hide-headers": "header-a,header-b"` | N/A | | | *nginx.org/proxy-pass-headers* | *proxy-pass-headers* | Sets the value of one or more [proxy_pass_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header) directives. Example: `"nginx.org/proxy-pass-headers": "header-a,header-b"` | N/A | | | *nginx.org/rewrites* | N/A | Configures URI rewriting using [proxy_pass](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass) directive. | N/A | [rewrites](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/rewrites) | +| *nginx.org/rewrite-target* | N/A | Configures URI rewriting using the [rewrite](https://nginx.org/en/docs/http/ngx_http_rewrite_module.html#rewrite) directive. The annotation value specifies the target path that requests should be rewritten to. Supports regex capture groups (`$1`, `$2`, etc.) when used with `nginx.org/path-regex`. Mutually exclusive with `nginx.org/rewrites`. | N/A | [rewrite-target](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/rewrite-target) | |*nginx.org/proxy-set-headers* | N/A | Enables customization of proxy headers and values using the [proxy_set_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header) directive. Example: `"nginx.org/proxy-set-headers": "header-a: valueA,header-b: valueB,header-c: valueC"` | N/A | [Proxy Set Headers](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/proxy-set-headers). | {{< /table >}} From ec13f849b694834ed61e018d1a67f527a74c46d6 Mon Sep 17 00:00:00 2001 
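Review bot: in PATCH 05/15, the `nginx.org/rewrite-target` row says it is "Mutually exclusive with `nginx.org/rewrites`" but not what happens when an Ingress carries both annotations. Document whether the resource is rejected or one annotation takes precedence. The capture-group sentence should also say how `$1` is treated when `nginx.org/path-regex` is not set, since the row only covers the case where it is.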
From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> Date: Mon, 17 Nov 2025 13:51:06 +0000 Subject: [PATCH 06/15] update docs for upstream service in foreign namespace (#1419) --- .../virtualserver-and-virtualserverroute-resources.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md b/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md index 761929b9e..d6ad63edc 100644 --- a/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md +++ b/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md 
@@ -333,7 +333,7 @@ tls: |Field | Description | Type | Required | | ---| ---| ---| --- | |``name`` | The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, ``hello`` and ``upstream-123`` are valid. The name must be unique among all upstreams of the resource. | ``string`` | Yes | -|``service`` | The name of a [service](https://kubernetes.io/docs/concepts/services-networking/service/). The service must belong to the same namespace as the resource. If the service doesn't exist, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. For NGINX Plus only, services of type [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#externalname) are also supported (check the [prerequisites](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/externalname-services#prerequisites) ). | ``string`` | Yes | +|``service`` | The name of a [service](https://kubernetes.io/docs/concepts/services-networking/service/). If the Service belongs to a different namespace than the VirtualServer or VirtualServerRoute, you need to include the namespace. For example, ``tea-namespace/tea``. If the service doesn't exist, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. For NGINX Plus only, services of type [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#externalname) are also supported in the same namespace (check the [prerequisites](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/externalname-services#prerequisites) ). | ``string`` | Yes | |``subselector`` | Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. 
If the pod labels are updated, NGINX Ingress Controller will not see that change until the number of the pods is changed. | ``map[string]string`` | No | |``use-cluster-ip`` | Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like ``lb-method`` and ``next-upstream``) will have no effect, as NGINX Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. | ``boolean`` | No | |``port`` | The port of the service. If the service doesn't define that port, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. The port must fall into the range ``1..65535``. | ``uint16`` | Yes | From 5348a6e3ad3973e7bfb2626aef9dd7c8674ded1c Mon Sep 17 00:00:00 2001 From: AlexFenlon Date: Tue, 25 Nov 2025 13:17:50 +0000 Subject: [PATCH 07/15] feat: Add client-body-buffer-size directive to NIC Ingress Annotations, Configmap, VirtualServer (#1468) * feat: Add client-body-buffer-size directive to NIC Ingress Annotations, Configmap, VirtualServer * update descriptions based off pr changes --- .../nic/configuration/global-configuration/configmap-resource.md | 1 + .../ingress-resources/advanced-configuration-with-annotations.md | 1 + .../virtualserver-and-virtualserverroute-resources.md | 1 + .../nic/configuration/global-configuration/configmap-resource.md | 1 + .../ingress-resources/advanced-configuration-with-annotations.md | 1 + .../virtualserver-and-virtualserverroute-resources.md | 1 + content/nic/install/migrate-ingress-nginx.md | 1 + 7 files changed, 7 insertions(+) diff --git a/content/includes/nic/configuration/global-configuration/configmap-resource.md b/content/includes/nic/configuration/global-configuration/configmap-resource.md index b4c8ad7e3..0f2cde069 100644 
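Review bot: in PATCH 06/15, the reworded `service` row drops "The service must belong to the same namespace as the resource" and allows `tea-namespace/tea`, but says nothing about who may reference a Service in another namespace. Document whether cross-namespace upstreams work by default or need an opt-in, and what the owner of the target namespace can do to restrict them, because this changes the isolation boundary the old text described. The phrase "are also supported in the same namespace" is also ambiguous; write "only when the Service is in the same namespace as the resource" if that is what is meant.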
--- a/content/includes/nic/configuration/global-configuration/configmap-resource.md +++ b/content/includes/nic/configuration/global-configuration/configmap-resource.md @@ -77,6 +77,7 @@ For more information, view the [VirtualServer and VirtualServerRoute resources]( |*proxy-read-timeout* | Sets the value of the [proxy_read_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout) and [grpc_read_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_read_timeout) directive. | *60s* | | |*proxy-send-timeout* | Sets the value of the [proxy_send_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout) and [grpc_send_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_send_timeout) directive. | *60s* | | |*client-max-body-size* | Sets the value of the [client_max_body_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) directive. | *1m* | | +|*client-body-buffer-size* | Sets the value of the [client_body_buffer_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) directive. | N/A | | |*proxy-buffering* | Enables or disables [buffering of responses](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering) from the proxied server. | *True* | | |*proxy-buffers* | Sets the value of the [proxy_buffers](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers) directive. | Depends on the platform. | | |*proxy-buffer-size* | Sets the value of the [proxy_buffer_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) and [grpc_buffer_size](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size) directives. | Depends on the platform. | | 
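Review bot: the `client-body-buffer-size` row gives N/A as the default, while the neighbouring rows give either a value (`1m` for `client-max-body-size`) or "Depends on the platform." State what is written to the NGINX configuration when the key is unset; if the directive is simply omitted, say that NGINX's own default applies. The same point holds for the matching rows this patch adds to the annotation tables and to the copy under `content/nic/`.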
diff --git a/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md b/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md index a7a130da6..57ddffa7c 100644 --- a/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md +++ b/content/includes/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md 
@@ -105,6 +105,7 @@ The table below summarizes the available annotations. | *nginx.org/proxy-read-timeout* | *proxy-read-timeout* | Sets the value of the [proxy_read_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout) and [grpc_read_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_read_timeout) directive. | *60s* | | | *nginx.org/proxy-send-timeout* | *proxy-send-timeout* | Sets the value of the [proxy_send_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout) and [grpc_send_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_send_timeout) directive. | *60s* | | | *nginx.org/client-max-body-size* | *client-max-body-size* | Sets the value of the [client_max_body_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) directive. | *1m* | | +| *nginx.org/client-body-buffer-size* | *client-body-buffer-size* | Sets the value of the [client_body_buffer_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) directive. | N/A | | | *nginx.org/proxy-buffering* | *proxy-buffering* | Enables or disables [buffering of responses](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering) from the proxied server. | *True* | | | *nginx.org/proxy-buffers* | *proxy-buffers* | Sets the value of the [proxy_buffers](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers) directive. | Depends on the platform. | | | *nginx.org/proxy-buffer-size* | *proxy-buffer-size* | Sets the value of the [proxy_buffer_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) and [grpc_buffer_size](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size) directives. | Depends on the platform. | | 
diff --git a/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md b/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md index 0bfc1f97e..437a2b13d 100644 --- a/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md +++ b/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md 
@@ -364,6 +364,7 @@ tls: |``next-upstream-timeout`` | The time during which a request can be passed to the next upstream server. See the [proxy_next_upstream_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream_timeout) directive. The ``0`` value turns off the time limit. The default is ``0``. | ``string`` | No | |``next-upstream-tries`` | The number of possible tries for passing a request to the next upstream server. See the [proxy_next_upstream_tries](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream_tries) directive. The ``0`` value turns off this limit. The default is ``0``. | ``int`` | No | |``client-max-body-size`` | Sets the maximum allowed size of the client request body. See the [client_max_body_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) directive. The default is set in the ``client-max-body-size`` ConfigMap key. | ``string`` | No | +|``client-body-buffer-size`` | Sets the value of the [client_body_buffer_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) directive. | ``string`` | No | |``tls`` | The TLS configuration for the Upstream. | [tls](#upstreamtls) | No | |``healthCheck`` | The health check configuration for the Upstream. See the [health_check](https://nginx.org/en/docs/http/ngx_http_upstream_hc_module.html#health_check) directive. Note: this feature is supported only in NGINX Plus. | [healthcheck](#upstreamhealthcheck) | No | |``slow-start`` | The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. See the [slow_start](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#slow_start) parameter of the server directive. 
Note: The parameter cannot be used along with the ``random`` , ``hash`` or ``ip_hash`` load balancing methods and will be ignored. | ``string`` | No | diff --git a/content/nic/configuration/global-configuration/configmap-resource.md b/content/nic/configuration/global-configuration/configmap-resource.md index 255d6e873..c611da85d 100644 --- a/content/nic/configuration/global-configuration/configmap-resource.md +++ b/content/nic/configuration/global-configuration/configmap-resource.md 
@@ -68,6 +68,7 @@ For more information, view the [VirtualServer and VirtualServerRoute resources]( |*proxy-read-timeout* | Sets the value of the [proxy_read_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout) and [grpc_read_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_read_timeout) directive. | *60s* | | |*proxy-send-timeout* | Sets the value of the [proxy_send_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout) and [grpc_send_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_send_timeout) directive. | *60s* | | |*client-max-body-size* | Sets the value of the [client_max_body_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) directive. | *1m* | | +|*client-body-buffer-size* | Sets the value of the [client_body_buffer_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) directive. | N/A | | |*proxy-buffering* | Enables or disables [buffering of responses](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering) from the proxied server. | *True* | | |*proxy-buffers* | Sets the value of the [proxy_buffers](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers) directive. | Depends on the platform. | | |*proxy-buffer-size* | Sets the value of the [proxy_buffer_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) and [grpc_buffer_size](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size) directives. | Depends on the platform. | | diff --git a/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md b/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md index c69ffed40..c83d5eda1 100644 --- a/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md 
+++ b/content/nic/configuration/ingress-resources/advanced-configuration-with-annotations.md @@ -108,6 +108,7 @@ The table below summarizes the available annotations. | *nginx.org/proxy-read-timeout* | *proxy-read-timeout* | Sets the value of the [proxy_read_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout) and [grpc_read_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_read_timeout) directive. | *60s* | | | *nginx.org/proxy-send-timeout* | *proxy-send-timeout* | Sets the value of the [proxy_send_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout) and [grpc_send_timeout](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_send_timeout) directive. | *60s* | | | *nginx.org/client-max-body-size* | *client-max-body-size* | Sets the value of the [client_max_body_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) directive. | *1m* | | +| *nginx.org/client-body-buffer-size* | *client-body-buffer-size* | Sets the value of the [client_body_buffer_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) directive. | N/A | | | *nginx.org/proxy-buffering* | *proxy-buffering* | Enables or disables [buffering of responses](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering) from the proxied server. | *True* | | | *nginx.org/proxy-buffers* | *proxy-buffers* | Sets the value of the [proxy_buffers](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers) directive. | Depends on the platform. | | | *nginx.org/proxy-buffer-size* | *proxy-buffer-size* | Sets the value of the [proxy_buffer_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) and [grpc_buffer_size](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size) directives. | Depends on the platform. | | 
diff --git a/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md b/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md index d6ad63edc..8b861dd46 100644 --- a/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md +++ b/content/nic/configuration/virtualserver-and-virtualserverroute-resources.md 
@@ -349,6 +349,7 @@ tls: |``next-upstream-timeout`` | The time during which a request can be passed to the next upstream server. See the [proxy_next_upstream_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream_timeout) directive. The ``0`` value turns off the time limit. The default is ``0``. | ``string`` | No | |``next-upstream-tries`` | The number of possible tries for passing a request to the next upstream server. See the [proxy_next_upstream_tries](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream_tries) directive. The ``0`` value turns off this limit. The default is ``0``. | ``int`` | No | |``client-max-body-size`` | Sets the maximum allowed size of the client request body. See the [client_max_body_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) directive. The default is set in the ``client-max-body-size`` ConfigMap key. | ``string`` | No | +|``client-body-buffer-size`` | Sets the value of the [client_body_buffer_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size) directive. The default is set in the ``client-body-buffer-size`` ConfigMap key. | ``string`` | No | |``tls`` | The TLS configuration for the Upstream. | [tls](#upstreamtls) | No | |``healthCheck`` | The health check configuration for the Upstream. See the [health_check](https://nginx.org/en/docs/http/ngx_http_upstream_hc_module.html#health_check) directive. Note: this feature is supported only in NGINX Plus. | [healthcheck](#upstreamhealthcheck) | No | |``slow-start`` | The slow start allows an upstream server to gradually recover its weight from 0 to its nominal value after it has been recovered or became available or when the server becomes available after a period of time it was considered unavailable. By default, the slow start is disabled. 
See the [slow_start](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#slow_start) parameter of the server directive. Note: The parameter cannot be used along with the ``random`` , ``hash`` or ``ip_hash`` load balancing methods and will be ignored. | ``string`` | No | diff --git a/content/nic/install/migrate-ingress-nginx.md b/content/nic/install/migrate-ingress-nginx.md index 58bf97cbe..671657cb4 100644 --- a/content/nic/install/migrate-ingress-nginx.md +++ b/content/nic/install/migrate-ingress-nginx.md 
@@ -542,6 +542,7 @@ Some of the key names are identical, and each Ingress Controller has ConfigMap k | [_max-worker-connections_](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#max-worker-connections) | [_worker-connections_]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#general-customization" >}}) | | [_max-worker-open-files_](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#max-worker-open-files) | [_worker-rlimit-nofile_]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#general-customization" >}}) | | [_proxy-body-size_](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#proxy-body-size) | [_client-max-body-size_]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#general-customization" >}}) | +| [_client-body-buffer-size_](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#client-body-buffer-size) | [_client-body-buffer-size_]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#general-customization" >}}) | | [_proxy-buffering_](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#proxy-buffering) | [_proxy-buffering_]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#general-customization" >}}) | | [_proxy-buffers-number_](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#proxy-buffers-number) | [_proxy-buffers: number size_]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#general-customization" >}}) | | [_proxy-buffer-size_](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#proxy-buffer-size) | [_proxy-buffers: number size_]({{< ref "/nic/configuration/global-configuration/configmap-resource.md#general-customization" >}}) | 
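Review bot: the two `client-body-buffer-size` rows that PATCH 07/15 adds to the upstream tables disagree. The copy in `content/nic/configuration/virtualserver-and-virtualserverroute-resources.md` ends with "The default is set in the ``client-body-buffer-size`` ConfigMap key.", and the copy under `content/includes/` leaves that sentence out. Add it to the includes file as well so the two pages stay identical. Both rows could also follow the `client-max-body-size` row above them and describe what the field does rather than only naming the directive.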
From 6f0ad963ea09f67abb9c7bdc994af2113936a252 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Wed, 26 Nov 2025 18:20:54 +0000 Subject: [PATCH 08/15] feat: Add OIDC Policy sslVerify parameters (#1479) --- content/nic/configuration/policy-resource.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/content/nic/configuration/policy-resource.md b/content/nic/configuration/policy-resource.md index 94c0e3522..d9facf2cb 100644 --- a/content/nic/configuration/policy-resource.md +++ b/content/nic/configuration/policy-resource.md @@ -755,6 +755,9 @@ The OIDC policy defines a few internal locations that can't be customized: `/_jw |``zoneSyncLeeway`` | Specifies the maximum timeout in milliseconds for synchronizing ID/access tokens and shared values between Ingress Controller pods. The default is ``200``. | ``int`` | No | |``accessTokenEnable`` | Option of whether Bearer token is used to authorize NGINX to access protected backend. | ``boolean`` | No | |``pkceEnable`` | Switches Proof Key for Code Exchange on. The OpenID client needs to be in public mode. `clientSecret` is not used in this mode. | ``boolean`` | No | +|``sslVerify`` | Use this option to enable TLS verification when calls are made to the IDP endpoints. | ``boolean`` | No | +|``verifyDepth`` | Sets the verification depth in the proxied HTTPS server certificates chain. The default is ``1``. | ``int`` | No | +|``trustedCertSecret`` | The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The secret must be of the type ``nginx.org/ca``, and the certificate must be stored in the secret under the key ``ca.crt``, otherwise the secret will be rejected as invalid. | ``string`` | No | {{% /table %}} From 94d397c3cc9c2e21f009ecf50a8b4e1cab6acdf2 Mon Sep 17 00:00:00 2001 
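Review bot: the new `sslVerify` row in the OIDC table does not state its default, unlike the `verifyDepth` row right below it ("The default is ``1``") and `zoneSyncLeeway` in the context above. If verification stays off unless the field is set, say so in the row, because calls to the IDP endpoints are then made without checking the server certificate. The `trustedCertSecret` row should also say whether it is required when `sslVerify` is true and which CA certificates are trusted when it is omitted.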
From: Venktesh Shivam Patel Date: Fri, 28 Nov 2025 09:53:13 +0000 Subject: [PATCH 09/15] nic: update policy resource with new fields (#1495) --- ...server-and-virtualserverroute-resources.md | 6 +-- content/nic/configuration/policy-resource.md | 42 ++++++++++++++++++- 2 files changed, 44 insertions(+), 4 deletions(-) diff --git a/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md b/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md index a15b7ce9b..c5720335f 100644 --- a/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md +++ b/content/includes/nic/configuration/virtualserver-and-virtualserverroute-resources.md @@ -421,7 +421,7 @@ timeout: 60s See [`queue`](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#queue) directive for additional information. -{{< call-out "note" >}} This feature is only supported with NGINX Plus. {{ /call-out }} +{{< call-out "note" >}} This feature is only supported with NGINX Plus. {{< /call-out >}} {{< table >}} @@ -463,7 +463,7 @@ healthCheck: keepalive-time: 60s ``` -{{< call-out "note" >}} This feature is only supported with NGINX Plus. {{ /call-out }} +{{< call-out "note" >}} This feature is only supported with NGINX Plus. {{< /call-out >}} {{< table >}} @@ -513,7 +513,7 @@ sessionCookie: See the [`sticky`](https://nginx.org/en/docs/http/ngx_http_upstream_module.html?#sticky) directive for additional information. The session cookie corresponds to the `sticky cookie` method. -{{< call-out "note" >}} This feature is only supported with NGINX Plus. {{ /call-out }} +{{< call-out "note" >}} This feature is only supported with NGINX Plus. {{< /call-out >}} |Field | Description | Type | Required | | ---| ---| ---| --- | diff --git a/content/nic/configuration/policy-resource.md b/content/nic/configuration/policy-resource.md index d9facf2cb..9a6f1f11d 100644 --- a/content/nic/configuration/policy-resource.md 
+++ b/content/nic/configuration/policy-resource.md @@ -805,6 +805,26 @@ cache: time: "5m" levels: "1:2" overrideUpstreamCache: true + inactive: "60m" + useTempPath: false + maxSize: "10g" + minFree: "1g" + manager: + files: 100 + sleep: "50ms" + threshold: "200ms" + cacheKey: "$scheme$host$request_uri" + cacheUseStale: [ "error", "timeout", "updating", "http_500" ] + cacheRevalidate: true + cacheBackgroundUpdate: true + cacheMinUses: 1 + lock: + enable: true + timeout: "5s" + age: "30s" + conditions: + noCache: [ "$cookie_nocache", "$arg_nocache" ] + bypass: [ "$http_authorization" ] ``` {{< call-out "note" >}} 
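Review bot: in the extended cache example, `bypass: [ "$http_authorization" ]` only stops a request that carries an Authorization header from being answered out of the cache (proxy_cache_bypass); the response to that request can still be stored, because `noCache` lists only `$cookie_nocache` and `$arg_nocache`. With `cacheKey: "$scheme$host$request_uri"` and `overrideUpstreamCache: true` in the same example, a response fetched with credentials can be saved under a key that does not include them and then served to requests without an Authorization header. Add `$http_authorization` to `noCache` as well, or add a sentence under the example that explains the difference between the two conditions.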
@@ -817,7 +837,7 @@ The feature is implemented using the NGINX [ngx_http_proxy_module](https://nginx |Field | Description | Type | Required | | --- | ---| ---| --- | -| ``cacheZoneName`` | CacheZoneName defines the name of the cache zone. Must start with a lowercase letter,followed by alphanumeric characters or underscores, and end with an alphanumeric character. Single lowercase letters are also allowed. Examples: "cache", "my_cache", "cache1". | ``string`` | Yes | +|``cacheZoneName`` | CacheZoneName defines the name of the cache zone. Must start with a lowercase letter,followed by alphanumeric characters or underscores, and end with an alphanumeric character. Single lowercase letters are also allowed. Examples: "cache", "my_cache", "cache1". | ``string`` | Yes | |``cacheZoneSize`` | CacheZoneSize defines the size of the cache zone. Must be a number followed by a size unit: 'k' for kilobytes, 'm' for megabytes, or 'g' for gigabytes. Examples: "10m", "1g", "512k". | ``string`` | Yes | |``allowedCodes`` | AllowedCodes defines which HTTP response codes should be cached. Accepts either: - The string "any" to cache all response codes (must be the only element) - A list of HTTP status codes as integers (100-599) Examples: ["any"], [200, 301, 404], [200]. Invalid: ["any", 200] (cannot mix "any" with specific codes). | ``[]IntOrString`` | No | |``time`` | The default cache time for responses. Required when allowedCodes is specified. Must be a number followed by a time unit: 's' for seconds, 'm' for minutes, 'h' for hours, 'd' for days. Examples: "30s", "5m", "1h", "2d". | ``string`` | No | 
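Review bot: this hunk already rewrites the `cacheZoneName` row for whitespace, so fix the missing space in "Must start with a lowercase letter,followed by" on the same line while it is being touched.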
@@ -825,6 +845,26 @@ The feature is implemented using the NGINX [ngx_http_proxy_module](https://nginx |``levels`` | Levels defines the cache directory hierarchy levels for storing cached files. Must be in format "X:Y" or "X:Y:Z" where X, Y, Z are either 1 or 2. This controls the number of subdirectory levels and their name lengths. Examples: "1:2", "2:2", "1:2:2". Invalid: "3:1", "1:3", "1:2:3". | ``string`` | No | |``overrideUpstreamCache`` | OverrideUpstreamCache controls whether to override upstream cache headers (using proxy_ignore_headers directive). When true, NGINX will ignore cache-related headers from upstream servers like Cache-Control, Expires etc, Default: false. | ``bool`` | No | |``cachePurgeAllow`` | CachePurgeAllow defines IP addresses or CIDR blocks allowed to purge cache. This feature is only available in NGINX Plus. Examples: ["192.168.1.100", "10.0.0.0/8", "::1"]. | ``[]string`` | No | +|``cacheKey`` | CacheKey defines a key for caching (proxy_cache_key). By default, "$scheme$proxy_host$uri". Must not contain command execution patterns: $(, `, ;, &&, || | ``string`` | No | +|``cacheUseStale`` | CacheUseStale determines in which cases a stale cached response can be used (proxy_cache_use_stale). Valid parameters: error, timeout, invalid_header, updating, http_500, http_502, http_503, http_504, http_403, http_404, http_429, off. | ``[]string`` | No | +|``cacheRevalidate`` | CacheRevalidate enables revalidation of expired cache items using conditional requests (proxy_cache_revalidate). Uses "If-Modified-Since" and "If-None-Match" header fields. | ``bool`` | No | +|``cacheBackgroundUpdate`` | CacheBackgroundUpdate allows starting a background subrequest to update an expired cache item (proxy_cache_background_update). A stale cached response is returned to the client while the cache is being updated. | ``bool`` | No | +|``cacheMinUses`` | CacheMinUses sets the number of requests after which the response will be cached (proxy_cache_min_uses). 
| ``integer`` | No | +|``inactive`` | Inactive sets the time after which cached data that are not accessed get removed from the cache (inactive parameter). By default, inactive is set to 10 minutes. | ``string`` | No | +|``maxSize`` | MaxSize sets the maximum cache size (max_size parameter). When the size is exceeded, the cache manager removes the least recently used data. | ``string`` | No | +|``minFree`` | MinFree sets the minimum amount of free space required on the file system with cache (min_free parameter). When there is not enough free space, the cache manager removes the least recently used data. | ``string`` | No | +|``useTempPath`` | UseTempPath controls whether temporary files and the cache are put on different file systems (use_temp_path parameter). If set to false, temporary files will be put directly in the cache directory (use_temp_path=off). Default: false (use_temp_path=off, which puts temp files directly in cache directory for better performance). | ``bool`` | No | +|``manager`` | Manager configures the cache manager process parameters (manager_files, manager_sleep, manager_threshold). | ``object`` | No | +|``manager.files`` | Files sets the maximum number of files that will be deleted in one iteration by the cache manager. During one iteration no more than manager_files items are deleted (by default, 100). | ``integer`` | No | +|``manager.sleep`` | Sleep sets the pause between cache manager iterations. Between iterations, a pause configured by manager_sleep (by default, 50 milliseconds) is made. | ``string`` | No | +|``manager.threshold`` | Threshold sets the maximum duration of one cache manager iteration. The duration of one iteration is limited by manager_threshold (by default, 200 milliseconds). | ``string`` | No | +|``lock`` | Lock configures cache locking to prevent multiple identical requests from populating the same cache element simultaneously. 
| ``object`` | No | +|``lock.enable`` | Enable sets whether cache locking is enabled (proxy_cache_lock). When enabled, only one request at a time will be allowed to populate a new cache element according to the proxy_cache_key. | ``bool`` | No | +|``lock.timeout`` | Timeout sets a timeout for proxy_cache_lock. When the time expires, the request will be passed to the proxied server, however, the response will not be cached. | ``string`` | No | +|``lock.age`` | Age sets the maximum time a cache lock can be held (proxy_cache_lock_age). If the last request passed to the proxied server for populating a new cache element has not completed for the specified time, one more request may be passed. | ``string`` | No | +|``conditions`` | Conditions defines when responses should not be cached or taken from cache. | ``object`` | No | +|``conditions.noCache`` | NoCache defines conditions under which the response will not be saved to a cache (proxy_no_cache). If at least one value of the string parameters is not empty and is not equal to "0" then the response will not be saved. | ``[]string`` | No | +|``conditions.bypass`` | Bypass defines conditions under which the response will not be taken from a cache (proxy_cache_bypass). If at least one value of the string parameters is not empty and is not equal to "0" then the response will not be taken from the cache. | ``[]string`` | No | {{% /table %}} From d39a1faee54c7050e7148674bb7c454cb3c37d0c Mon Sep 17 00:00:00 2001 
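Review bot: the `cacheKey` row ends its description with the forbidden patterns written as plain text inside a table cell, including a bare backtick and `||`. The two unescaped pipes are read as cell separators and the single backtick opens a code span that never closes, so this row will render with extra, misaligned columns. Put each pattern in its own code span, escape the pipes as `\|`, and check the rendered table. Also confirm the default quoted in the same row, "$scheme$proxy_host$uri", is what the controller really generates: it leaves out the query string, while the example added earlier in this patch keys on `$request_uri`.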
From: Alan Dooley Date: Tue, 9 Dec 2025 10:26:46 +0000 Subject: [PATCH 10/15] feat: Rework Manifest installation paths This commit reworks the manifest installation document to instead become a folder, with each individual page within covering exactly one use case. The new structure guides a user completely from end to end on the process necessary for installing NGINX Gateway Fabric NGINX Open Source or NGINX Plus without using multiple documents. It also includes general improvements to specification discoverability, allowing readers to more easily find what parts of the Gateway API specification are supported and what to expect from future releases. --- .../k8s/create-license-registry-secret.md | 41 ++++ .../includes/ngf/gateway-api-compat-table.md | 25 ++ .../expose-nginx-gateway-fabric.md | 4 +- .../installation/manifests/api-resources.md | 22 ++ .../ngf/installation/manifests/crds.md | 21 ++ .../manifests/secure-certificates.md | 127 +++++++++++ .../nginx-plus/docker-registry-secret.md | 6 +- .../uninstall-gateway-api-resources.md | 18 +- content/ngf/install/manifests.md | 215 ------------------ content/ngf/install/manifests/_index.md | 5 + content/ngf/install/manifests/open-source.md | 208 +++++++++++++++++ content/ngf/install/manifests/plus.md | 42 ++++ content/ngf/install/manifests/uninstall.md | 47 ++++ content/ngf/overview/custom-policies.md | 7 +- .../ngf/overview/gateway-api-compatibility.md | 44 ++-- content/ngf/overview/nginx-plus.md | 4 +- content/ngf/overview/product-telemetry.md | 2 +- content/ngf/overview/resource-validation.md | 3 +- .../ngf/overview/technical-specifications.md | 46 ++++ content/nic/install/helm/plus.md | 37 +-- 20 files changed, 641 insertions(+), 283 deletions(-) create mode 100644 content/includes/k8s/create-license-registry-secret.md create mode 100644 content/includes/ngf/gateway-api-compat-table.md create mode 100644 content/includes/ngf/installation/manifests/api-resources.md create mode 100644 
content/includes/ngf/installation/manifests/crds.md create mode 100644 content/includes/ngf/installation/manifests/secure-certificates.md delete mode 100644 content/ngf/install/manifests.md create mode 100644 content/ngf/install/manifests/_index.md create mode 100644 content/ngf/install/manifests/open-source.md create mode 100644 content/ngf/install/manifests/plus.md create mode 100644 content/ngf/install/manifests/uninstall.md create mode 100644 content/ngf/overview/technical-specifications.md diff --git a/content/includes/k8s/create-license-registry-secret.md b/content/includes/k8s/create-license-registry-secret.md new file mode 100644 index 000000000..c7192c4da --- /dev/null +++ b/content/includes/k8s/create-license-registry-secret.md @@ -0,0 +1,41 @@ +--- +--- + +{{< call-out "note" >}} + +The commands in the rest of this document should be run in the same directory as your **license.jwt** file. + +JWTs are sensitive information and should be stored securely. Delete them after use to prevent unauthorized access. + +{{< /call-out >}} + +Once you have obtained your license JWT, create a Kubernetes secret using `kubectl create`: + +```shell +kubectl create secret generic nplus-license --from-file license.jwt +``` + +{{< details summary="Example output" >}} + +```text +secret/nplus-license created +``` + +{{< /details >}} + +Then create another Kubernetes secret to allow interactions with the F5 registry: + +```shell +kubectl create secret docker-registry regcred \ + --docker-server=private-registry.nginx.com \ + --docker-username=$(cat license.jwt) \ + --docker-password=none +``` + +{{< details summary="Example output" >}} + +```text +secret/regcred created +``` + +{{< /details >}} \ No newline at end of file diff --git a/content/includes/ngf/gateway-api-compat-table.md b/content/includes/ngf/gateway-api-compat-table.md new file mode 100644 index 000000000..1b96a8e97 --- /dev/null +++ b/content/includes/ngf/gateway-api-compat-table.md 
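Review bot: in create-license-registry-secret.md, neither `kubectl create secret` command sets a namespace, so `nplus-license` and `regcred` are created in whatever namespace the current context points at. An image pull secret is only usable by pods in its own namespace, and the existing docker-registry-secret.md include passes `-n nginx-gateway` for the same kind of secret. Add a `-n <namespace>` argument to both commands, or a sentence telling the reader to create the secrets in the namespace the product is installed into. Quoting the substitution as `--docker-username="$(cat license.jwt)"` would also protect against stray whitespace in the file.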
@@ -0,0 +1,25 @@ +--- +--- + +{{< call-out "important" >}} + +You can view the [Milestone Roadmap](https://github.com/orgs/nginx/projects/10/views/5) in the NGINX Gateway Fabric GitHub project to see what API resources will be supported in upcoming releases. + +{{< /call-out >}} + +{{< table >}} + +| Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version | API Release Channel | +|---------------------------------------|---------------------|------------------------|---------------------------------------|-------------|---------------------| +| [GatewayClass]({{< ref "/ngf/overview/gateway-api-compatibility.md#gatewayclass" >}}) | Supported | Not supported | Supported | v1 | Standard | +| [Gateway]({{< ref "/ngf/overview/gateway-api-compatibility.md#gateway" >}}) | Supported | Partially supported | Not supported | v1 | Standard | +| [HTTPRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#httproute" >}}) | Supported | Partially supported | Not supported | v1 | Standard | +| [GRPCRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#grpcroute" >}}) | Supported | Partially supported | Not supported | v1 | Standard | +| [ReferenceGrant]({{< ref "/ngf/overview/gateway-api-compatibility.md#referencegrant" >}}) | Supported | N/A | Not supported | v1beta1 | Standard | +| [TLSRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#tlsroute" >}}) | Supported | Not supported | Not supported | v1alpha2 | Experimental | +| [TCPRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#tcproute" >}}) | Not supported | Not supported | Not supported | v1alpha2 | Experimental | +| [UDPRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#udproute" >}}) | Not supported | Not supported | Not supported | v1alpha2 | Experimental | +| [BackendTLSPolicy]({{< ref "/ngf/overview/gateway-api-compatibility.md#backendtlspolicy" >}}) | Partially Supported | Supported | Partially supported | v1alpha3 | Experimental | +| 
[Custom policies]({{< ref "/ngf/overview/gateway-api-compatibility.md#custom-policies" >}}) | N/A | N/A | Supported | N/A | N/A | + +{{< /table >}} \ No newline at end of file diff --git a/content/includes/ngf/installation/expose-nginx-gateway-fabric.md b/content/includes/ngf/installation/expose-nginx-gateway-fabric.md index c072b0b35..9161fda86 100644 --- a/content/includes/ngf/installation/expose-nginx-gateway-fabric.md +++ b/content/includes/ngf/installation/expose-nginx-gateway-fabric.md @@ -7,4 +7,6 @@ nd-files: - content/ngf/install/manifests.md --- -The Service that is provisioned when NGINX Gateway Fabric is first installed is a ClusterIP Service used only for internal communication between the control plane and data planes. To deploy NGINX itself and get a LoadBalancer Service, you now need to [create a Gateway]({{< ref "/ngf/install/deploy-data-plane.md" >}}). +When NGINX Gateway Fabric is installed, it provisions a ClusterIP Service used only for internal communication between the control plane and data planes. + +To deploy NGINX itself and get a LoadBalancer Service, you should follow the [Deploy a Gateway for data plane instances]({{< ref "/ngf/install/deploy-data-plane.md" >}}) instructions. diff --git a/content/includes/ngf/installation/manifests/api-resources.md b/content/includes/ngf/installation/manifests/api-resources.md new file mode 100644 index 000000000..dc1e5e998 --- /dev/null +++ b/content/includes/ngf/installation/manifests/api-resources.md 
@@ -0,0 +1,22 @@ +--- +--- + +{{< call-out "note" >}} If you have already installed Gateway API resources in your cluster, ensure they are a version [supported by NGINX Gateway Fabric]({{< ref "/ngf/overview/technical-specifications.md" >}}) {{< /call-out >}} + +To install the Gateway API resources, use `kubectl kustomize`: + +```shell +kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/standard?ref=v{{< version-ngf >}}" | kubectl apply -f - +``` + +{{< details summary="Example output" >}} + +```text +customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io created +customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io created +customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io created +customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io created +customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io created +``` + +{{< /details >}} \ No newline at end of file diff --git a/content/includes/ngf/installation/manifests/crds.md b/content/includes/ngf/installation/manifests/crds.md new file mode 100644 index 000000000..9adbba015 --- /dev/null +++ b/content/includes/ngf/installation/manifests/crds.md 
@@ -0,0 +1,21 @@ +--- +--- + +Deploy the NGINX Gateway Fabric CRDs using `kubectl apply`: + +```shell +kubectl apply --server-side -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/crds.yaml +``` + +{{< details summary="Example output" >}} + +```text +customresourcedefinition.apiextensions.k8s.io/clientsettingspolicies.gateway.nginx.org serverside-applied +customresourcedefinition.apiextensions.k8s.io/nginxgateways.gateway.nginx.org serverside-applied +customresourcedefinition.apiextensions.k8s.io/nginxproxies.gateway.nginx.org serverside-applied +customresourcedefinition.apiextensions.k8s.io/observabilitypolicies.gateway.nginx.org serverside-applied +customresourcedefinition.apiextensions.k8s.io/snippetsfilters.gateway.nginx.org serverside-applied +customresourcedefinition.apiextensions.k8s.io/upstreamsettingspolicies.gateway.nginx.org serverside-applied +``` + +{{< /details >}} \ No newline at end of file diff --git a/content/includes/ngf/installation/manifests/secure-certificates.md b/content/includes/ngf/installation/manifests/secure-certificates.md new file mode 100644 index 000000000..e7b73a797 --- /dev/null +++ b/content/includes/ngf/installation/manifests/secure-certificates.md 
@@ -0,0 +1,127 @@ +--- +--- + +{{< call-out "note" >}} These steps use a self-signed issuer, which should not be used in production environments. For production environments, you should use a real [CA issuer](https://cert-manager.io/docs/configuration/ca/). {{< /call-out >}} + +First, create a CA (certificate authority) issuer: + +```yaml +kubectl apply -f - <}} + +```text +issuer.cert-manager.io/selfsigned-issuer created +Warning: spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`. +certificate.cert-manager.io/nginx-gateway-ca created +issuer.cert-manager.io/nginx-gateway-issuer created +``` + +{{< /details >}} + +You will then need to create a server certificate for the NGINX Gateway Fabric control plane (server): + +{{< call-out "note" >}} + +The default service name is _nginx-gateway_, and the namespace is _nginx-gateway_, so the `dnsNames` value should be `nginx-gateway.nginx-gateway.svc`. + +This value becomes the name of the NGINX Gateway Fabric control plane service. + +{{< /call-out >}} + +```yaml {hl_lines=[13]} +kubectl apply -f - <}} + +```text +agent-tls kubernetes.io/tls 3 3s +nginx-gateway-ca kubernetes.io/tls 3 15s +server-tls kubernetes.io/tls 3 8s +``` + +{{< /details >}} \ No newline at end of file diff --git a/content/includes/ngf/installation/nginx-plus/docker-registry-secret.md b/content/includes/ngf/installation/nginx-plus/docker-registry-secret.md index d421f30b8..7c98e6684 100644 --- a/content/includes/ngf/installation/nginx-plus/docker-registry-secret.md +++ b/content/includes/ngf/installation/nginx-plus/docker-registry-secret.md 
@@ -20,4 +20,8 @@ Create a Kubernetes `docker-registry` secret type using the contents of the JWT kubectl create secret docker-registry nginx-plus-registry-secret --docker-server=private-registry.nginx.com --docker-username= --docker-password=none -n nginx-gateway ``` -It is important that the `--docker-username=` contains the contents of the token and is not pointing to the token itself. When you copy the contents of the JWT, ensure there are no additional characters such as extra whitespaces. This can invalidate the token, causing 401 errors when trying to authenticate to the registry. +It is important that the `--docker-username=` contains the contents of the token and is not pointing to the token itself. + +When you copy the contents of the JWT, ensure there are no additional characters such as extra whitespaces. + +This can invalidate the token, causing 401 errors when trying to authenticate to the registry. diff --git a/content/includes/ngf/installation/uninstall-gateway-api-resources.md b/content/includes/ngf/installation/uninstall-gateway-api-resources.md index c16b40fb6..88d84755c 100644 --- a/content/includes/ngf/installation/uninstall-gateway-api-resources.md +++ b/content/includes/ngf/installation/uninstall-gateway-api-resources.md 
@@ -6,7 +6,9 @@ nd-files: - content/ngf/install/manifests.md --- -{{< call-out "warning" >}} This will remove all corresponding custom resources in your entire cluster, across all namespaces. Double-check to make sure you don't have any custom resources you need to keep, and confirm that there are no other Gateway API implementations active in your cluster. {{< /call-out >}} +{{< call-out "warning" >}} This step will remove all corresponding custom resources in your entire cluster, across every namespace. + +Ensure you don't have any custom resources you need to keep, and confirm that there are no other Gateway API implementations active in your cluster. {{< /call-out >}} To uninstall the Gateway API resources, run the following: @@ -14,7 +16,19 @@ To uninstall the Gateway API resources, run the following: kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/standard?ref=v{{< version-ngf >}}" | kubectl delete -f - ``` -Alternatively, if you installed the Gateway APIs from the experimental channel, run the following: +{{< details summary="Example output" >}} + +```text +customresourcedefinition.apiextensions.k8s.io "gatewayclasses.gateway.networking.k8s.io" deleted +customresourcedefinition.apiextensions.k8s.io "gateways.gateway.networking.k8s.io" deleted +customresourcedefinition.apiextensions.k8s.io "grpcroutes.gateway.networking.k8s.io" deleted +customresourcedefinition.apiextensions.k8s.io "httproutes.gateway.networking.k8s.io" deleted +customresourcedefinition.apiextensions.k8s.io "referencegrants.gateway.networking.k8s.io" deleted +``` + +{{< /details >}} + +If you installed the Gateway APIs from the experimental channel, run the following instead: ```shell kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/experimental?ref=v{{< version-ngf >}}" | kubectl delete -f - 
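Review bot: the front matter of uninstall-gateway-api-resources.md still lists `content/ngf/install/manifests.md` under `nd-files` (context at the top of the first hunk), but this patch deletes that file and replaces it with pages under content/ngf/install/manifests/. Update the `nd-files` entry here to the new paths, and do the same in expose-nginx-gateway-fabric.md, whose front matter carries the same entry.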
diff --git a/content/ngf/install/manifests.md b/content/ngf/install/manifests.md deleted file mode 100644 index ef1fb6665..000000000 --- a/content/ngf/install/manifests.md +++ /dev/null 
@@ -1,215 +0,0 @@ ---- -title: Install NGINX Gateway Fabric with Manifests -weight: 200 -toc: true -nd-content-type: how-to -nd-product: FABRIC -nd-docs: DOCS-1429 ---- - -## Overview - -Learn how to install, upgrade, and uninstall NGINX Gateway Fabric using Kubernetes manifests. - -## Before you begin - -To complete this guide, you'll need to install: - -- [kubectl](https://kubernetes.io/docs/tasks/tools/), a command-line interface for managing Kubernetes clusters. -- [Add certificates for secure authentication]({{< ref "/ngf/install/secure-certificates.md" >}}) in a production environment. - -{{< call-out "important" >}} If you’d like to use NGINX Plus, some additional setup is also required: {{< /call-out >}} - -{{< details summary="NGINX Plus JWT setup" >}} - -{{< include "/ngf/installation/jwt-password-note.md" >}} - -### Download the JWT from MyF5 - -{{< include "/ngf/installation/nginx-plus/download-jwt.md" >}} - -### Create the Docker Registry Secret - -{{< include "/ngf/installation/nginx-plus/docker-registry-secret.md" >}} - -### Create the NGINX Plus Secret - -{{< include "/ngf/installation/nginx-plus/nginx-plus-secret.md" >}} - -{{< call-out "note" >}} For more information on why this is needed and additional configuration options, including how to report to NGINX Instance Manager instead, see the [NGINX Plus Image and JWT Requirement]({{< ref "/ngf/install/nginx-plus.md" >}}) document. {{< /call-out >}} - -{{< /details >}} - -## Deploy NGINX Gateway Fabric - -Deploying NGINX Gateway Fabric with Kubernetes manifests takes only a few steps. With manifests, you can configure your deployment exactly how you want. Manifests also make it easy to replicate deployments across environments or clusters, ensuring consistency. 
- -### Install the Gateway API resources - -{{< include "/ngf/installation/install-gateway-api-resources.md" >}} - -### Deploy the NGINX Gateway Fabric CRDs - -#### Stable release - -```shell -kubectl apply --server-side -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/crds.yaml -``` - -#### Edge version - -```shell -kubectl apply --server-side -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/main/deploy/crds.yaml -``` - -### Deploy NGINX Gateway Fabric - -{{< call-out "note" >}} By default, NGINX Gateway Fabric is installed in the **nginx-gateway** namespace. You can deploy in another namespace by modifying the manifest files. {{< /call-out >}} - -{{}} - -{{%tab name="Default"%}} - -Deploys NGINX Gateway Fabric with NGINX OSS. - -```shell -kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/default/deploy.yaml -``` - -{{% /tab %}} - -{{%tab name="AWS NLB"%}} - -Deploys NGINX Gateway Fabric with NGINX OSS. - -```shell -kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/default/deploy.yaml -``` - -To set up an AWS Network Load Balancer service, add these annotations to your Gateway infrastructure field: - -```yaml -spec: - infrastructure: - annotations: - service.beta.kubernetes.io/aws-load-balancer-type: "external" - service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" -``` - -{{% /tab %}} - -{{%tab name="Azure"%}} - -Deploys NGINX Gateway Fabric with NGINX OSS and `nodeSelector` to deploy on Linux nodes. - -```shell -kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/azure/deploy.yaml -``` - -{{% /tab %}} - -{{%tab name="NGINX Plus"%}} - -Deploys NGINX Gateway Fabric with NGINX Plus. The image is pulled from the -NGINX Plus Docker registry, and the `imagePullSecretName` is the name of the Secret to use to pull the image. 
-The NGINX Plus JWT Secret used to run NGINX Plus is also specified in a volume mount and the `--usage-report-secret` parameter. These Secrets are created as part of the [Before you begin](#before-you-begin) section. - -```shell -kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/nginx-plus/deploy.yaml -``` - -{{% /tab %}} - -{{%tab name="Experimental"%}} - -Deploys NGINX Gateway Fabric with NGINX OSS and experimental features. - -```shell -kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/experimental/deploy.yaml -``` - -{{< call-out "note" >}} Requires the Gateway APIs installed from the experimental channel. {{< /call-out >}} - -{{% /tab %}} - -{{%tab name="NGINX Plus Experimental"%}} - -Deploys NGINX Gateway Fabric with NGINX Plus and experimental features. The image is pulled from the -NGINX Plus Docker registry, and the `imagePullSecretName` is the name of the Secret to use to pull the image. -The NGINX Plus JWT Secret used to run NGINX Plus is also specified in a volume mount and the `--usage-report-secret` parameter. These Secrets are created as part of the [Before you begin](#before-you-begin) section. - -```shell -kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/nginx-plus-experimental/deploy.yaml -``` - -{{< call-out "note" >}} Requires the Gateway APIs installed from the experimental channel. {{< /call-out >}} - -{{% /tab %}} - -{{%tab name="NodePort"%}} - -Deploys NGINX Gateway Fabric with NGINX OSS using a Service type of `NodePort`. - -```shell -kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/nodeport/deploy.yaml -``` - -{{% /tab %}} - -{{%tab name="OpenShift"%}} - -Deploys NGINX Gateway Fabric with NGINX OSS on OpenShift. 
- -```shell -kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/openshift/deploy.yaml -``` - -{{% /tab %}} - -{{}} - -### Verify the Deployment - -To confirm that NGINX Gateway Fabric is running, check the pods in the `nginx-gateway` namespace: - -```shell -kubectl get pods -n nginx-gateway -``` - -The output should look similar to this (note that the pod name will include a unique string): - -```text -NAME READY STATUS RESTARTS AGE -nginx-gateway-5d4f4c7db7-xk2kq 1/1 Running 0 112s -``` - -### Access NGINX Gateway Fabric - -{{< include "/ngf/installation/expose-nginx-gateway-fabric.md" >}} - -## Uninstall NGINX Gateway Fabric - -Follow these steps to uninstall NGINX Gateway Fabric and Gateway API from your Kubernetes cluster: - -1. **Uninstall NGINX Gateway Fabric:** - - - To remove NGINX Gateway Fabric and its custom resource definitions (CRDs), run: - - ```shell - kubectl delete namespace nginx-gateway - kubectl delete cluterrole nginx-gateway - kubectl delete clusterrolebinding nginx-gateway - ``` - - ```shell - kubectl delete -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/crds.yaml - ``` - -1. **Remove the Gateway API resources:** - - - {{< include "/ngf/installation/uninstall-gateway-api-resources.md" >}} - -## Next steps - -- [Deploy a Gateway for data plane instances]({{< ref "/ngf/install/deploy-data-plane.md" >}}) -- [Routing traffic to applications]({{< ref "/ngf/traffic-management/basic-routing.md" >}}) \ No newline at end of file diff --git a/content/ngf/install/manifests/_index.md b/content/ngf/install/manifests/_index.md new file mode 100644 index 000000000..c3d20a585 --- /dev/null +++ b/content/ngf/install/manifests/_index.md @@ -0,0 +1,5 @@ +--- +title: "Manifests" +url: /nginx-gateway-fabric/install/manifests +weight: 200 +--- 
diff --git a/content/ngf/install/manifests/open-source.md b/content/ngf/install/manifests/open-source.md new file mode 100644 index 000000000..a1733f048 --- /dev/null +++ b/content/ngf/install/manifests/open-source.md 
@@ -0,0 +1,208 @@ +--- +title: Use Manifests to install NGINX Gateway Fabric with NGINX Open Source +linkTitle: NGINX Open Source +weight: 100 +toc: true +nd-content-type: how-to +nd-product: FABRIC +nd-docs: DOCS-1429 +--- + +This page describes how to use Manifests to install NGINX Gateway Fabric with NGINX Open Source. + +It explains how to install the Gateway API resources and add certificates for secure authentication, then deploy NGINX Gateway Fabric and its CRDs (Custom resource definitions). + +By following these instructions, you will finish with a functional NGINX Gateway Fabric instance for your Kubernetes cluster. + +{{< call-out "note" >}} To learn which Gateway API resources NGINX Gateway Fabric currently supports, view the [Gateway API Compatibility]({{< ref "/ngf/overview/gateway-api-compatibility.md" >}}) topic. {{< /call-out >}} + +## Before you begin + +To complete this guide, you will need the following pre-requisites: + +- [A supported Kubernetes version]({{< ref "/ngf/overview/technical-specifications.md" >}}) +- A functional Kubernetes cluster +- [cert-manager](https://cert-manager.io/docs/installation/) + +## Install the Gateway API resources + +{{< include "/ngf/installation/manifests/api-resources.md" >}} + +You should also create the _nginx-gateway_ namespace, which is used by the Manifest files by default: + +```shell +kubectl create namespace nginx-gateway +``` + +## Add certificates for secure authentication + +{{< include "/ngf/installation/manifests/secure-certificates.md" >}} + +## Deploy the NGINX Gateway Fabric CRDs + +{{< include "/ngf/installation/manifests/crds.md" >}} + +## Deploy NGINX Gateway Fabric + +By default, NGINX Gateway Fabric is installed in the **nginx-gateway** namespace. + +If you want to deploy it in another namespace, you must modify the Manifest files. 
+ +Your next step is dependent on how you intend to expose NGINX Gateway Fabric: + +{{< tabs name="install-manifests" >}} + +{{% tab name="Default" %}} + +To deploy NGINX Gateway Fabric with NGINX Open Source, use this `kubectl` command: + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/default/deploy.yaml +``` + +{{% /tab %}} + +{{% tab name="AWS NLB" %}} + +To deploy NGINX Gateway Fabric with NGINX Open Source, use this `kubectl` command: + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/default/deploy.yaml +``` + +To set up an AWS Network Load Balancer service, add these annotations to your Gateway infrastructure field: + +```yaml +spec: + infrastructure: + annotations: + service.beta.kubernetes.io/aws-load-balancer-type: "external" + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" +``` + +{{% /tab %}} + +{{% tab name="Azure" %}} + +To deploy NGINX Gateway Fabric with NGINX Open Source and `nodeSelector`, use this `kubectl` command: + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/azure/deploy.yaml +``` + +{{% /tab %}} + +{{% tab name="NodePort "%}} + +To deploy NGINX Gateway Fabric with NGINX Open Source and a `NodePort` service, use this `kubectl` command: + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/nodeport/deploy.yaml +``` + +{{% /tab %}} + +{{% tab name="OpenShift "%}} + +To deploy NGINX Gateway Fabric with NGINX Open Source on OpenShift, use this `kubectl` command: + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/openshift/deploy.yaml +``` + +{{% /tab %}} + +{{< /tabs >}} + +{{< details summary="Example output" >}} + +```text +namespace/nginx-gateway configured +serviceaccount/nginx-gateway 
created +serviceaccount/nginx-gateway-cert-generator created +role.rbac.authorization.k8s.io/nginx-gateway-cert-generator created +clusterrole.rbac.authorization.k8s.io/nginx-gateway created +rolebinding.rbac.authorization.k8s.io/nginx-gateway-cert-generator created +clusterrolebinding.rbac.authorization.k8s.io/nginx-gateway created +service/nginx-gateway created +deployment.apps/nginx-gateway created +job.batch/nginx-gateway-cert-generator created +gatewayclass.gateway.networking.k8s.io/nginx created +nginxgateway.gateway.nginx.org/nginx-gateway-config created +nginxproxy.gateway.nginx.org/nginx-gateway-proxy-config created +``` + +{{< /details >}} + +## Verify the Deployment + +To confirm that NGINX Gateway Fabric is running, check the pods in the `nginx-gateway` namespace: + +```shell +kubectl get pods -n nginx-gateway +``` + +The output should look similar to this (The pod name will include a unique string): + +```text +NAME READY STATUS RESTARTS AGE +nginx-gateway-694897c587-bbz62 1/1 Running 0 29s +``` + +## Access NGINX Gateway Fabric + +{{< include "/ngf/installation/expose-nginx-gateway-fabric.md" >}} + +## Next steps + +- [Deploy a Gateway for data plane instances]({{< ref "/ngf/install/deploy-data-plane.md" >}}) +- [Routing traffic to applications]({{< ref "/ngf/traffic-management/basic-routing.md" >}}) + +## edge versions + +### API resources + +Installing Gateway API resources from the experimental channel includes everything in the standard release channel plus additional experimental resources and fields. +NGINX Gateway Fabric currently supports a subset of the additional features provided by the experimental channel. 
+To install from the experimental channel, run the following: + +```shell +kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/experimental?ref=v{{< version-ngf >}}" | kubectl apply -f - +``` + +### CRDs + +```shell +kubectl apply --server-side -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/main/deploy/crds.yaml + +``` + +### NGF itself + +{{< call-out "note" >}} Requires the Gateway APIs installed from the experimental channel. {{< /call-out >}} + +#### OSS + Experimental + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/experimental/deploy.yaml +``` + +#### Plus + +The image is pulled from the NGINX Plus Docker registry, and the `imagePullSecretName` is the name of the Secret to use to pull the image. + +The NGINX Plus JWT Secret used to run NGINX Plus is also specified in a volume mount and the `--usage-report-secret` parameter. These Secrets are created as part of the [Before you begin](#before-you-begin) section. + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/nginx-plus/deploy.yaml +``` + +#### Plus + Experimental + +The image is pulled from the NGINX Plus Docker registry, and the `imagePullSecretName` is the name of the Secret to use to pull the image. + +The NGINX Plus JWT Secret used to run NGINX Plus is also specified in a volume mount and the `--usage-report-secret` parameter. These Secrets are created as part of the [Before you begin](#before-you-begin) section. + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/nginx-plus-experimental/deploy.yaml +``` \ No newline at end of file diff --git a/content/ngf/install/manifests/plus.md b/content/ngf/install/manifests/plus.md new file mode 100644 index 000000000..9021803bb --- /dev/null +++ b/content/ngf/install/manifests/plus.md 
@@ -0,0 +1,42 @@ +--- +title: Use Manifests to install NGINX Gateway Fabric with NGINX Plus +linkTitle: NGINX Plus +weight: 200 +toc: true +nd-content-type: how-to +nd-product: FABRIC +--- + +This page describes how to use Manifests to install NGINX Gateway Fabric with NGINX Plus. + +It explains the requirements for NGINX Gateway Fabric, how to deploy NGINX Gateway Fabric, its custom resource definitions (CRDs) and the Gateway API resources. + +By following these instructions, you will finish with a functional NGINX Gateway Fabric instance for your Kubernetes cluster. + +## Before you begin + +To complete this guide, you will need the following pre-requisites: + +- An active NGINX Plus subscription (Purchased or trial) +- [A supported Kubernetes version]({{< ref "/ngf/overview/technical-specifications.md" >}}) +- A functional Kubernetes cluster + +## Download your JSON web token + +{{< include "/ngf/installation/nginx-plus/download-jwt.md" >}} + +## Create license and registry secrets + +{{< include "/k8s/create-license-registry-secret.md" >}} + +## Install the Gateway API resources + +{{< include "/ngf/installation/manifests/api-resources" >}} + +## Add certificates for secure authentication + +{{< include "/ngf/installation/manifests/secure-certificates.md" >}} + +## Deploy the NGINX Gateway Fabric CRDs + +{{< include "/ngf/installation/manifests/crds.md" >}} \ No newline at end of file diff --git a/content/ngf/install/manifests/uninstall.md b/content/ngf/install/manifests/uninstall.md new file mode 100644 index 000000000..16668578c --- /dev/null +++ b/content/ngf/install/manifests/uninstall.md 
@@ -0,0 +1,47 @@ +--- +title: Use Manifests to uninstall NGINX Gateway Fabric +linkTitle: Uninstall +weight: 300 +toc: true +nd-content-type: how-to +nd-product: FABRIC +--- + +This page describes how to uninstall NGINX Gateway Fabric, its custom resource definitions (CRDs) and the Gateway API resources from a Kubernetes cluster. + +These instructions are for a Manifest deployment: for a Helm deployment, view the [Use Helm to uninstall NGINX Gateway Fabric]({{< ref "/ngf/install/helm.md#uninstall-nginx-gateway-fabric" >}}) topic. + +## Remove NGINX Gateway Fabric + +To remove NGINX Gateway Fabric run: + +```shell +kubectl delete namespace nginx-gateway +kubectl delete clusterrole nginx-gateway +kubectl delete clusterrolebinding nginx-gateway +``` + +## Remove CRDs + +To remove the NGINX Gateway Fabric CRDs, run: + +```shell +kubectl delete -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/crds.yaml +``` + +{{< details summary="Example output" >}} + +```text +customresourcedefinition.apiextensions.k8s.io "clientsettingspolicies.gateway.nginx.org" deleted +customresourcedefinition.apiextensions.k8s.io "nginxgateways.gateway.nginx.org" deleted +customresourcedefinition.apiextensions.k8s.io "nginxproxies.gateway.nginx.org" deleted +customresourcedefinition.apiextensions.k8s.io "observabilitypolicies.gateway.nginx.org" deleted +customresourcedefinition.apiextensions.k8s.io "snippetsfilters.gateway.nginx.org" deleted +customresourcedefinition.apiextensions.k8s.io "upstreamsettingspolicies.gateway.nginx.org" deleted +``` + +{{< /details >}} + +## Remove the Gateway API resources + +{{< include "/ngf/installation/uninstall-gateway-api-resources.md" >}} \ No newline at end of file diff --git a/content/ngf/overview/custom-policies.md b/content/ngf/overview/custom-policies.md index 7d904fdaf..51ce6da7f 100644 --- a/content/ngf/overview/custom-policies.md +++ b/content/ngf/overview/custom-policies.md 
@@ -1,21 +1,19 @@ --- title: Custom policies -weight: 600 +weight: 700 toc: true nd-content-type: reference nd-product: FABRIC nd-docs: DOCS-1835 --- -## Overview +This topic explains the custom policies for NGINX Gateway Fabric CRDs (Custom Resource Definitions), which allow users to configure NGINX data plane features that are unavailable in the Gateway API. -Custom policies are NGINX Gateway Fabric CRDs (Custom Resource Definitions) that allow users to configure NGINX data plane features that are unavailable in the Gateway API. These custom policies follow the Gateway API [Policy Attachment](https://gateway-api.sigs.k8s.io/reference/policy-attachment/) pattern, which allows users to extend the Gateway API functionality by creating implementation-specific policies and attaching them to Kubernetes objects such as HTTPRoutes, Gateways, and Services. Policies are a Kubernetes object that augments the behavior of an object in a standard way. Policies can be attached to one object ([Direct Policy Attachment](#direct-policy-attachment)) or objects in a hierarchy ([Inherited Policy Attachment](#inherited-policy-attachment)). The following table summarizes NGINX Gateway Fabric custom policies: - | Policy | Description | Attachment Type | Supported Target Object(s) | Supports Multiple Target Refs | Mergeable | API Version | |---------------------------------------------------------------------------------------------|---------------------------------------------------------|-----------------|-------------------------------|-------------------------------|-----------|-------------| | [ClientSettingsPolicy]({{< ref "/ngf/traffic-management/client-settings.md" >}}) | Configure connection behavior between client and NGINX | Inherited | Gateway, HTTPRoute, GRPCRoute | No | Yes | v1alpha1 | @@ -90,7 +88,6 @@ spec: retries: 10 ``` - ```yaml apiVersion: gateway.nginx.org/v1alpha1 kind: ExamplePolicy 
diff --git a/content/ngf/overview/gateway-api-compatibility.md b/content/ngf/overview/gateway-api-compatibility.md index 79a5b503e..cbe75b629 100644 --- a/content/ngf/overview/gateway-api-compatibility.md +++ b/content/ngf/overview/gateway-api-compatibility.md @@ -1,5 +1,5 @@ --- -title: Gateway API Compatibility +title: Gateway API compatibility weight: 200 toc: true nd-content-type: reference 
@@ -7,24 +7,13 @@ nd-product: FABRIC nd-docs: DOCS-1412 --- -Learn which Gateway API resources NGINX Gateway Fabric supports and to which level. +This page describes which Gateway API resources NGINX Gateway Fabric supports and to which level. + +For information about NGINX Gateway Fabric and Gateway API version compatibility, view the [Technical specifications]({{< ref "/ngf/overview/technical-specifications.md" >}}) topic. ## Summary -{{< table >}} -| Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version | API Release Channel | -|---------------------------------------|---------------------|------------------------|---------------------------------------|-------------|---------------------| -| [GatewayClass](#gatewayclass) | Supported | Not supported | Supported | v1 | Standard | -| [Gateway](#gateway) | Supported | Partially supported | Not supported | v1 | Standard | -| [HTTPRoute](#httproute) | Supported | Partially supported | Not supported | v1 | Standard | -| [GRPCRoute](#grpcroute) | Supported | Partially supported | Not supported | v1 | Standard | -| [ReferenceGrant](#referencegrant) | Supported | N/A | Not supported | v1beta1 | Standard | -| [TLSRoute](#tlsroute) | Supported | Not supported | Not supported | v1alpha2 | Experimental | -| [TCPRoute](#tcproute) | Not supported | Not supported | Not supported | v1alpha2 | Experimental | -| [UDPRoute](#udproute) | Not supported | Not supported | Not supported | v1alpha2 | Experimental | -| [BackendTLSPolicy](#backendtlspolicy) | Partially Supported | Supported | Partially supported | v1alpha3 | Experimental | -| [Custom policies](#custom-policies) | N/A | N/A | Supported | N/A | N/A | -{{< /table >}} +{{< include "ngf/gateway-api-compat-table.md" >}} ## Terminology 
@@ -41,7 +30,6 @@ Gateway API features has three [support levels](https://gateway-api.sigs.k8s.io/ Please note that while we make every effort to reflect the support status of experimental fields in our code and documentation, there may be instances where this is not explicitly indicated. Support for such fields is provided on a best-effort basis.{{< /call-out >}} - ## Resources Each resource below includes the support status of their corresponding fields. @@ -51,9 +39,11 @@ For a description of each field, visit the [Gateway API documentation](https://g ### GatewayClass {{< table >}} + | Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version | API Release Channel | |--------------|--------------------|------------------------|---------------------------------------|-------------|---------------------| | GatewayClass | Supported | Not supported | Supported | v1 | Standard | + {{< /table >}} NGINX Gateway Fabric supports a single GatewayClass resource configured with the `--gatewayclass` flag of the [controller]({{< ref "/ngf/reference/cli-help.md#controller">}}) command. @@ -77,9 +67,11 @@ NGINX Gateway Fabric supports a single GatewayClass resource configured with the ### Gateway {{< table >}} + | Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version | API Release Channel | |----------|--------------------|------------------------|---------------------------------------|-------------|---------------------| | Gateway | Supported | Partially supported | Not supported | v1 | Standard | + {{< /table >}} NGINX Gateway Fabric supports multiple Gateway resources. The Gateway resources must reference NGINX Gateway Fabric's corresponding GatewayClass. 
@@ -145,9 +137,11 @@ See the [controller]({{< ref "/ngf/reference/cli-help.md#controller">}}) command ### HTTPRoute {{< table >}} + | Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version | API Release Channel | |-----------|--------------------|------------------------|---------------------------------------|-------------|---------------------| | HTTPRoute | Supported | Partially supported | Not supported | v1 | Standard | + {{< /table >}} **Fields**: @@ -200,9 +194,11 @@ See the [controller]({{< ref "/ngf/reference/cli-help.md#controller">}}) command ### GRPCRoute {{< table >}} + | Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version | API Release Channel | |-----------|--------------------|------------------------|---------------------------------------|-------------|---------------------| | GRPCRoute | Supported | Partially supported | Not supported | v1 | Standard | + {{< /table >}} **Fields**: @@ -247,9 +243,11 @@ See the [controller]({{< ref "/ngf/reference/cli-help.md#controller">}}) command ### ReferenceGrant {{< table >}} + | Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version | API Release Channel | |----------------|--------------------|------------------------|---------------------------------------|-------------|---------------------| | ReferenceGrant | Supported | N/A | Not supported | v1beta1 | Standard | + {{< /table >}} Fields: @@ -267,9 +265,11 @@ Fields: ### TLSRoute {{< table >}} + | Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version | API Release Channel | |----------|--------------------|------------------------|---------------------------------------|-------------|---------------------| | TLSRoute | Supported | Not supported | Not supported | v1alpha2 | Experimental | + {{< /table >}} **Fields**: 
@@ -299,30 +299,34 @@ Fields: - `ResolvedRefs/False/UnsupportedValue`: Custom reason for when one of the TLSRoute rules has a backendRef with an unsupported value. - `PartiallyInvalid/True/UnsupportedValue` ---- - ### TCPRoute {{< table >}} + | Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version | API Release Channel | |----------|--------------------|------------------------|---------------------------------------|-------------|---------------------| | TCPRoute | Not supported | Not supported | Not supported | v1alpha2 | Experimental | + {{< /table >}} ### UDPRoute {{< table >}} + | Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version | API Release Channel | |----------|--------------------|------------------------|---------------------------------------|-------------|---------------------| | UDPRoute | Not supported | Not supported | Not supported | v1alpha2 | Experimental | + {{< /table >}} ### BackendTLSPolicy {{< table >}} + | Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version | API Release Channel | |------------------|---------------------|------------------------|---------------------------------------|-------------|---------------------| | BackendTLSPolicy | Partially Supported | Supported | Partially Supported | v1alpha3 | Experimental | + {{< /table >}} Fields: 
@@ -354,9 +358,11 @@ Fields: ### Custom Policies {{< table >}} + | Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version | API Release Channel | |-----------------|--------------------|------------------------|---------------------------------------|-------------|---------------------| | Custom policies | N/A | N/A | Supported | N/A | N/A | + {{< /table >}} Custom policies are NGINX Gateway Fabric-specific CRDs (Custom Resource Definitions) that support features such as tracing, and client connection settings. These important data-plane features are not part of the Gateway API specifications. diff --git a/content/ngf/overview/nginx-plus.md b/content/ngf/overview/nginx-plus.md index 923947786..f3e166e4e 100644 --- a/content/ngf/overview/nginx-plus.md +++ b/content/ngf/overview/nginx-plus.md @@ -1,7 +1,7 @@ --- title: Advanced features with NGINX Plus -weight: 300 -type: reference +weight: 400 +nd-content-type: reference nd-product: FABRIC nd-docs: DOCS-1837 --- diff --git a/content/ngf/overview/product-telemetry.md b/content/ngf/overview/product-telemetry.md index 714d83ea2..594f9d06e 100644 --- a/content/ngf/overview/product-telemetry.md +++ b/content/ngf/overview/product-telemetry.md @@ -1,6 +1,6 @@ --- title: Product telemetry -weight: 500 +weight: 600 nd-content-type: reference nd-product: FABRIC nd-docs: DOCS-1836 diff --git a/content/ngf/overview/resource-validation.md b/content/ngf/overview/resource-validation.md index f4200948e..75bdd5d26 100644 --- a/content/ngf/overview/resource-validation.md +++ b/content/ngf/overview/resource-validation.md @@ -1,6 +1,6 @@ --- title: Resource validation -weight: 400 +weight: 500 toc: true nd-content-type: reference nd-product: FABRIC @@ -63,6 +63,7 @@ Below is an example of how NGINX Gateway Fabric rejects an invalid resource. The ```shell kubectl describe httproutes.gateway.networking.k8s.io coffee ``` + ```text . . . Status: 
diff --git a/content/ngf/overview/technical-specifications.md b/content/ngf/overview/technical-specifications.md new file mode 100644 index 000000000..51ddee62d --- /dev/null +++ b/content/ngf/overview/technical-specifications.md 
@@ -0,0 +1,46 @@ +--- +title: Technical specifications +weight: 300 +nd-content-type: reference +nd-product: FABRIC +--- + +This page describes the technical specifications for NGINX Gateway Fabric. + +The information included covers version compatibility between NGINX Gateway Fabric and the Gateway API, as well as other NGINX products. + +## NGINX Gateway Fabric versions + +The following table lists the software versions NGINX Gateway Fabric supports. + +| NGINX Gateway Fabric | Gateway API | Kubernetes | NGINX OSS | NGINX Plus | NGINX Agent | +|----------------------|-------------|------------|-----------|------------|-------------| +| Edge | 1.4.0 | 1.25+ | 1.29.3 | R35 | v3.5.0 | +| 2.2.1 | 1.3.0 | 1.25+ | 1.29.2 | R35 | v3.5.0 | +| 2.2.0 | 1.3.0 | 1.25+ | 1.29.2 | R35 | v3.3.2 | +| 2.1.4 | 1.3.0 | 1.25+ | 1.29.1 | R35 | v3.3.1 | +| 2.1.3 | 1.3.0 | 1.25+ | 1.29.1 | R35 | v3.3.1 | +| 2.1.2 | 1.3.0 | 1.25+ | 1.29.1 | R35 | v3.3.1 | +| 2.1.1 | 1.3.0 | 1.25+ | 1.29.1 | R35 | v3.2.1 | +| 2.1.0 | 1.3.0 | 1.25+ | 1.29.1 | R35 | v3.2.1 | +| 2.0.2 | 1.3.0 | 1.25+ | 1.28.0 | R34 | v3.0.1 | +| 2.0.1 | 1.3.0 | 1.25+ | 1.28.0 | R34 | v3.0.1 | +| 2.0.0 | 1.3.0 | 1.25+ | 1.28.0 | R34 | v3.0.0 | +| 1.6.2 | 1.2.1 | 1.25+ | 1.27.4 | R33 | --- | +| 1.6.1 | 1.2.1 | 1.25+ | 1.27.4 | R33 | --- | +| 1.6.0 | 1.2.1 | 1.25+ | 1.27.3 | R33 | --- | +| 1.5.1 | 1.2.0 | 1.25+ | 1.27.2 | R33 | --- | +| 1.5.0 | 1.2.0 | 1.25+ | 1.27.2 | R33 | --- | +| 1.4.0 | 1.1.0 | 1.25+ | 1.27.1 | R32 | --- | +| 1.3.0 | 1.1.0 | 1.25+ | 1.27.0 | R32 | --- | +| 1.2.0 | 1.0.0 | 1.23+ | 1.25.4 | R31 | --- | +| 1.1.0 | 1.0.0 | 1.23+ | 1.25.3 | n/a | --- | +| 1.0.0 | 0.8.1 | 1.23+ | 1.25.2 | n/a | --- | + +## Gateway API compatibility + +The following tables summarizes which Gateway API resources NGINX Gateway Fabric supports and to which level. 
+ +You can read more information by viewing the [Gateway API compatibility]({{< ref "/ngf/overview/gateway-api-compatibility.md" >}}) topic, or by selecting the resource name to go directly to the full details. + +{{< include "ngf/gateway-api-compat-table.md" >}} \ No newline at end of file diff --git a/content/nic/install/helm/plus.md b/content/nic/install/helm/plus.md index baa07b3cc..d29010740 100644 --- a/content/nic/install/helm/plus.md +++ b/content/nic/install/helm/plus.md @@ -87,42 +87,7 @@ helm install oci://ghcr.io/nginx/charts/nginx-ingress \ ## Create license and registry secrets -{{< call-out "note" >}} - -The commands in the rest of this document should be run in the same directory as your **license.jwt** file. - -{{< /call-out >}} - -Once you have obtained your license JWT, create a Kubernetes secret using `kubectl create`: - -```shell -kubectl create secret generic nplus-license --from-file license.jwt -``` - -{{< details summary="Example output" >}} - -```text -secret/nplus-license created -``` - -{{< /details >}} - -Then create another Kubernetes secret to allow interactions with the F5 registry: - -```shell -kubectl create secret docker-registry regcred \ - --docker-server=private-registry.nginx.com \ - --docker-username=$(cat license.jwt) \ - --docker-password=none -``` - -{{< details summary="Example output" >}} - -```text -secret/regcred created -``` - -{{< /details >}} +{{< include "k8s/create-license-registry-secret.md" >}} ## Install the Helm chart From 9abdbf6672aacbc4786965f3a0a306e30f0eb2bf Mon Sep 17 00:00:00 2001 
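Review bot: The `## edge versions` block appended after `## Next steps` in content/ngf/install/manifests/open-source.md mixes refs: the CRDs are applied from `main/deploy/crds.yaml`, while the experimental Gateway API kustomize URL and every `deploy.yaml` beside it are pinned to `v{{< version-ngf >}}`. That can leave a cluster with CRD schemas from an unreleased branch next to a released controller, so either pin the CRDs to the same tag or move the edge instructions to their own page with matching `main` manifests. The `#### Plus` and `#### Plus + Experimental` subsections also point to `[Before you begin](#before-you-begin)` for the Secrets, but this page's prerequisites list only Kubernetes and cert-manager. Separately, `{{% tab name="NodePort "%}}` and `{{% tab name="OpenShift "%}}` carry a trailing space inside the name and no space before `%}}`, unlike `{{% tab name="Default" %}}`.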
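Review bot: In content/ngf/install/manifests/plus.md the include is written `{{< include "/ngf/installation/manifests/api-resources" >}}` without the `.md` extension that open-source.md uses for the same file. The intro also says the page explains "how to deploy NGINX Gateway Fabric", yet the file as added here stops at `## Deploy the NGINX Gateway Fabric CRDs` with no deploy, verify or next-steps sections. The prerequisites omit cert-manager although the page pulls in the same `secure-certificates.md` include as open-source.md, which does list it, and the front matter has no `nd-docs` entry.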
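Review bot: The `## Remove CRDs` step in content/ngf/install/manifests/uninstall.md runs `kubectl delete -f .../deploy/crds.yaml` with no warning that deleting a CRD also deletes every custom resource of that kind, in every namespace. Suggest a call-out before the command so readers back up or deliberately discard their ClientSettingsPolicy, ObservabilityPolicy and similar objects first. The lead-in "To remove NGINX Gateway Fabric run:" is also missing the comma used in "To remove the NGINX Gateway Fabric CRDs, run:".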
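Review bot: The rewritten opening of content/ngf/overview/custom-policies.md, "This topic explains the custom policies for NGINX Gateway Fabric CRDs", changes the meaning of the sentence it replaces: the removed line said custom policies are CRDs, while the new one reads as policies applied to CRDs. Suggest wording such as "This topic explains custom policies: NGINX Gateway Fabric CRDs (Custom Resource Definitions) that allow users to configure ...". The same hunk removes the blank line before the `| Policy |` table, while the gateway-api-compatibility.md hunks add blank lines around every table; pick one convention.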
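Review bot: In content/ngf/overview/technical-specifications.md, the text under `## Gateway API compatibility` tells readers to select a resource name "to go directly to the full details", but the table removed from gateway-api-compatibility.md used in-page anchors such as `[GatewayClass](#gatewayclass)`. If `ngf/gateway-api-compat-table.md` keeps those anchors they will not resolve from this page, so the include needs `ref` links to gateway-api-compatibility.md instead. "The following tables summarizes" should be "The following table summarizes", the include path lacks the leading slash used by the other includes in this patch, and the front matter has no `toc: true` although the page has two `##` sections.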
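Review bot: The commands removed from content/nic/install/helm/plus.md create `nplus-license` and `regcred` with no `-n` flag, and this patch reuses them through a shared include on content/ngf/install/manifests/plus.md, where the deployment runs in the `nginx-gateway` namespace. An image pull secret has to exist in the same namespace as the pod that uses it, so if `k8s/create-license-registry-secret.md` carries these commands unchanged, the NGINX Gateway Fabric page needs a namespace argument or a note telling readers which namespace to target. The include path here is `"k8s/create-license-registry-secret.md"` while the NGINX Gateway Fabric page uses `"/k8s/create-license-registry-secret.md"`; use one form.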
From: Alan Dooley Date: Tue, 9 Dec 2025 16:22:36 +0000 Subject: [PATCH 11/15] feat: Add current work --- .../k8s/delete-license-registry-secrets.md | 28 ++++++++++++ .../installation/manifests/api-resources.md | 8 +++- .../manifests/verify-deployment.md | 15 +++++++ content/ngf/install/manifests/open-source.md | 29 +----------- content/ngf/install/manifests/plus.md | 45 ++++++++++++++++++- content/ngf/install/manifests/uninstall.md | 8 +++- content/nic/install/helm/uninstall.md | 26 +---------- 7 files changed, 102 insertions(+), 57 deletions(-) create mode 100644 content/includes/k8s/delete-license-registry-secrets.md create mode 100644 content/includes/ngf/installation/manifests/verify-deployment.md diff --git a/content/includes/k8s/delete-license-registry-secrets.md b/content/includes/k8s/delete-license-registry-secrets.md new file mode 100644 index 000000000..d79ef65b2 --- /dev/null +++ b/content/includes/k8s/delete-license-registry-secrets.md @@ -0,0 +1,28 @@ +--- +--- + +If your deployment used NGINX Plus, you should also remove the secrets created for your license and the F5 registry. + +```shell +kubectl delete secret nplus-license +``` + +{{< details summary="Example output" >}} + +```text +secret "nplus-license" deleted +``` + +{{< /details >}} + +```shell +kubectl delete secret regcred +``` + +{{< details summary="Example output" >}} + +```text +secret "regcred" deleted +``` + +{{< /details >}} \ No newline at end of file diff --git a/content/includes/ngf/installation/manifests/api-resources.md b/content/includes/ngf/installation/manifests/api-resources.md index dc1e5e998..3addd8283 100644 --- a/content/includes/ngf/installation/manifests/api-resources.md +++ b/content/includes/ngf/installation/manifests/api-resources.md 
@@ -19,4 +19,10 @@ customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s. customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io created ``` -{{< /details >}} \ No newline at end of file +{{< /details >}} + +You should also create the _nginx-gateway_ namespace, which is used by the Manifest files by default: + +```shell +kubectl create namespace nginx-gateway +``` \ No newline at end of file diff --git a/content/includes/ngf/installation/manifests/verify-deployment.md b/content/includes/ngf/installation/manifests/verify-deployment.md new file mode 100644 index 000000000..5dfabbdf3 --- /dev/null +++ b/content/includes/ngf/installation/manifests/verify-deployment.md @@ -0,0 +1,15 @@ +--- +--- + +To confirm that NGINX Gateway Fabric is running, check the pods in the `nginx-gateway` namespace: + +```shell +kubectl get pods -n nginx-gateway +``` + +The output should look similar to this (The pod name will include a unique string): + +```text +NAME READY STATUS RESTARTS AGE +nginx-gateway-694897c587-bbz62 1/1 Running 0 29s +``` \ No newline at end of file diff --git a/content/ngf/install/manifests/open-source.md b/content/ngf/install/manifests/open-source.md index a1733f048..8981ae4d5 100644 --- a/content/ngf/install/manifests/open-source.md +++ b/content/ngf/install/manifests/open-source.md @@ -28,12 +28,6 @@ To complete this guide, you will need the following pre-requisites: {{< include "/ngf/installation/manifests/api-resources.md" >}} -You should also create the _nginx-gateway_ namespace, which is used by the Manifest files by default: - -```shell -kubectl create namespace nginx-gateway -``` - ## Add certificates for secure authentication {{< include "/ngf/installation/manifests/secure-certificates.md" >}} 
@@ -136,18 +130,7 @@ nginxproxy.gateway.nginx.org/nginx-gateway-proxy-config created ## Verify the Deployment -To confirm that NGINX Gateway Fabric is running, check the pods in the `nginx-gateway` namespace: - -```shell -kubectl get pods -n nginx-gateway -``` - -The output should look similar to this (The pod name will include a unique string): - -```text -NAME READY STATUS RESTARTS AGE -nginx-gateway-694897c587-bbz62 1/1 Running 0 29s -``` +{{< include "/ngf/installation/manifests/verify-deployment.md" >}} ## Access NGINX Gateway Fabric @@ -187,16 +170,6 @@ kubectl apply --server-side -f https://raw.githubusercontent.com/nginx/nginx-gat kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/experimental/deploy.yaml ``` -#### Plus - -The image is pulled from the NGINX Plus Docker registry, and the `imagePullSecretName` is the name of the Secret to use to pull the image. - -The NGINX Plus JWT Secret used to run NGINX Plus is also specified in a volume mount and the `--usage-report-secret` parameter. These Secrets are created as part of the [Before you begin](#before-you-begin) section. - -```shell -kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/nginx-plus/deploy.yaml -``` - #### Plus + Experimental The image is pulled from the NGINX Plus Docker registry, and the `imagePullSecretName` is the name of the Secret to use to pull the image. diff --git a/content/ngf/install/manifests/plus.md b/content/ngf/install/manifests/plus.md index 9021803bb..ccf5b46df 100644 --- a/content/ngf/install/manifests/plus.md +++ b/content/ngf/install/manifests/plus.md 
@@ -39,4 +39,47 @@ To complete this guide, you will need the following pre-requisites: ## Deploy the NGINX Gateway Fabric CRDs -{{< include "/ngf/installation/manifests/crds.md" >}} \ No newline at end of file +{{< include "/ngf/installation/manifests/crds.md" >}} + +## Deploy NGINX Gateway Fabric + +By default, NGINX Gateway Fabric is installed in the **nginx-gateway** namespace. + +If you want to deploy it in another namespace, you must modify the Manifest files + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/nginx-plus/deploy.yaml +``` + +{{< details summary="Example output" >}} + +```text +namespace/nginx-gateway configured +serviceaccount/nginx-gateway created +serviceaccount/nginx-gateway-cert-generator created +role.rbac.authorization.k8s.io/nginx-gateway-cert-generator created +clusterrole.rbac.authorization.k8s.io/nginx-gateway created +rolebinding.rbac.authorization.k8s.io/nginx-gateway-cert-generator created +clusterrolebinding.rbac.authorization.k8s.io/nginx-gateway created +service/nginx-gateway created +deployment.apps/nginx-gateway created +job.batch/nginx-gateway-cert-generator created +gatewayclass.gateway.networking.k8s.io/nginx created +nginxgateway.gateway.nginx.org/nginx-gateway-config created +nginxproxy.gateway.nginx.org/nginx-gateway-proxy-config created +``` + +{{< /details >}} + +## Verify the Deployment + +{{< include "/ngf/installation/manifests/verify-deployment.md" >}} + +## Access NGINX Gateway Fabric + +{{< include "/ngf/installation/expose-nginx-gateway-fabric.md" >}} + +## Next steps + +- [Deploy a Gateway for data plane instances]({{< ref "/ngf/install/deploy-data-plane.md" >}}) +- [Routing traffic to applications]({{< ref "/ngf/traffic-management/basic-routing.md" >}}) \ No newline at end of file diff --git a/content/ngf/install/manifests/uninstall.md b/content/ngf/install/manifests/uninstall.md index 16668578c..0814243ca 100644 
--- a/content/ngf/install/manifests/uninstall.md +++ b/content/ngf/install/manifests/uninstall.md @@ -21,7 +21,7 @@ kubectl delete clusterrole nginx-gateway kubectl delete clusterrolebinding nginx-gateway ``` -## Remove CRDs +## Remove the CRDs To remove the NGINX Gateway Fabric CRDs, run: @@ -44,4 +44,8 @@ customresourcedefinition.apiextensions.k8s.io "upstreamsettingspolicies.gateway. ## Remove the Gateway API resources -{{< include "/ngf/installation/uninstall-gateway-api-resources.md" >}} \ No newline at end of file +{{< include "/ngf/installation/uninstall-gateway-api-resources.md" >}} + +## Remove secrets + +{{< include "/k8s/delete-license-registry-secrets.md" >}} \ No newline at end of file diff --git a/content/nic/install/helm/uninstall.md b/content/nic/install/helm/uninstall.md index 4fb883e02..cb2f06a2c 100644 --- a/content/nic/install/helm/uninstall.md +++ b/content/nic/install/helm/uninstall.md @@ -78,28 +78,4 @@ The [Run multiple NGINX Ingress Controllers]({{< ref "/nic/install/multiple-cont ## Remove secrets -If your deployment used NGINX Plus, you should also remove the secrets created for your license and the F5 registry. - -```shell -kubectl delete secret nplus-license -``` - -{{< details summary="Example output" >}} - -```text -secret "nplus-license" deleted -``` - -{{< /details >}} - -```shell -kubectl delete secret regcred -``` - -{{< details summary="Example output" >}} - -```text -secret "regcred" deleted -``` - -{{< /details >}} \ No newline at end of file +{{< include "/k8s/delete-license-registry-secrets.md" >}} \ No newline at end of file From f9e4db1bdbf96742eee9c83df51c0856e4ebe49e Mon Sep 17 00:00:00 2001 
From: Alan Dooley Date: Wed, 10 Dec 2025 10:45:45 +0000 Subject: [PATCH 12/15] feat: Finish core Plus manifest deployment instructions --- .../k8s/create-license-registry-secret.md | 41 ----------------- .../installation/manifests/api-resources.md | 8 +--- content/ngf/install/manifests/open-source.md | 6 +++ content/ngf/install/manifests/plus.md | 45 ++++++++++++++++++- content/ngf/install/manifests/uninstall.md | 6 +-- content/nic/install/helm/plus.md | 39 +++++++++++++++- 6 files changed, 90 insertions(+), 55 deletions(-) delete mode 100644 content/includes/k8s/create-license-registry-secret.md diff --git a/content/includes/k8s/create-license-registry-secret.md b/content/includes/k8s/create-license-registry-secret.md deleted file mode 100644 index c7192c4da..000000000 --- a/content/includes/k8s/create-license-registry-secret.md +++ /dev/null @@ -1,41 +0,0 @@ ---- ---- - -{{< call-out "note" >}} - -The commands in the rest of this document should be run in the same directory as your **license.jwt** file. - -JWTs are sensitive information and should be stored securely. Delete them after use to prevent unauthorized access. - -{{< /call-out >}} - -Once you have obtained your license JWT, create a Kubernetes secret using `kubectl create`: - -```shell -kubectl create secret generic nplus-license --from-file license.jwt -``` - -{{< details summary="Example output" >}} - -```text -secret/nplus-license created -``` - -{{< /details >}} - -Then create another Kubernetes secret to allow interactions with the F5 registry: - -```shell -kubectl create secret docker-registry regcred \ - --docker-server=private-registry.nginx.com \ - --docker-username=$(cat license.jwt) \ - --docker-password=none -``` - -{{< details summary="Example output" >}} - -```text -secret/regcred created -``` - -{{< /details >}} \ No newline at end of file 
diff --git a/content/includes/ngf/installation/manifests/api-resources.md b/content/includes/ngf/installation/manifests/api-resources.md index 3addd8283..dc1e5e998 100644 --- a/content/includes/ngf/installation/manifests/api-resources.md +++ b/content/includes/ngf/installation/manifests/api-resources.md @@ -19,10 +19,4 @@ customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s. customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io created ``` -{{< /details >}} - -You should also create the _nginx-gateway_ namespace, which is used by the Manifest files by default: - -```shell -kubectl create namespace nginx-gateway -``` \ No newline at end of file +{{< /details >}} \ No newline at end of file diff --git a/content/ngf/install/manifests/open-source.md b/content/ngf/install/manifests/open-source.md index 8981ae4d5..9702f6581 100644 --- a/content/ngf/install/manifests/open-source.md +++ b/content/ngf/install/manifests/open-source.md @@ -28,6 +28,12 @@ To complete this guide, you will need the following pre-requisites: {{< include "/ngf/installation/manifests/api-resources.md" >}} +You should also create the _nginx-gateway_ namespace, which is used by the Manifest files by default: + +```shell +kubectl create namespace nginx-gateway +``` + ## Add certificates for secure authentication {{< include "/ngf/installation/manifests/secure-certificates.md" >}} diff --git a/content/ngf/install/manifests/plus.md b/content/ngf/install/manifests/plus.md index ccf5b46df..6ce47422f 100644 --- a/content/ngf/install/manifests/plus.md +++ b/content/ngf/install/manifests/plus.md 
@@ -27,7 +27,50 @@ To complete this guide, you will need the following pre-requisites: ## Create license and registry secrets -{{< include "/k8s/create-license-registry-secret.md" >}} +First, create the _nginx-gateway_ namespace, which is used by the Manifest files by default: + +```shell +kubectl create namespace nginx-gateway +``` + +{{< call-out "note" >}} + +The commands in the rest of this document should be run in the same directory as your **license.jwt** file. + +JWTs are sensitive information and should be stored securely. Delete them after use to prevent unauthorized access. + +{{< /call-out >}} + +Once you have obtained your license JWT, create a Kubernetes secret using `kubectl create`: + +```shell +kubectl create -n nginx-gateway secret generic nplus-license --from-file license.jwt +``` + +Then create another Kubernetes secret to allow interactions with the F5 registry: + +```shell +kubectl create -n nginx-gateway secret docker-registry regcred \ + --docker-server=private-registry.nginx.com \ + --docker-username=$(cat license.jwt) \ + --docker-password=none +``` + +You can verify the creation of the secrets using `kubectl get`: + +```shell +kubectl get -n nginx-gateway secrets +``` + +{{< details summary="Example output" >}} + +```text +NAME TYPE DATA AGE +nplus-license Opaque 1 31s +regcred kubernetes.io/dockerconfigjson 1 22s +``` + +{{< /details >}} ## Install the Gateway API resources diff --git a/content/ngf/install/manifests/uninstall.md b/content/ngf/install/manifests/uninstall.md index 0814243ca..a6fb4c491 100644 --- a/content/ngf/install/manifests/uninstall.md +++ b/content/ngf/install/manifests/uninstall.md 
@@ -44,8 +44,4 @@ customresourcedefinition.apiextensions.k8s.io "upstreamsettingspolicies.gateway. ## Remove the Gateway API resources -{{< include "/ngf/installation/uninstall-gateway-api-resources.md" >}} - -## Remove secrets - -{{< include "/k8s/delete-license-registry-secrets.md" >}} \ No newline at end of file +{{< include "/ngf/installation/uninstall-gateway-api-resources.md" >}} \ No newline at end of file diff --git a/content/nic/install/helm/plus.md b/content/nic/install/helm/plus.md index d29010740..e169bb89e 100644 --- a/content/nic/install/helm/plus.md +++ b/content/nic/install/helm/plus.md @@ -87,7 +87,44 @@ helm install oci://ghcr.io/nginx/charts/nginx-ingress \ ## Create license and registry secrets -{{< include "k8s/create-license-registry-secret.md" >}} +{{< call-out "note" >}} + +The commands in the rest of this document should be run in the same directory as your **license.jwt** file. + +JWTs are sensitive information and should be stored securely. Delete them after use to prevent unauthorized access. + +{{< /call-out >}} + +Once you have obtained your license JWT, create a Kubernetes secret using `kubectl create`: + +```shell +kubectl create secret generic nplus-license --from-file license.jwt +``` + +{{< details summary="Example output" >}} + +```text +secret/nplus-license created +``` + +{{< /details >}} + +Then create another Kubernetes secret to allow interactions with the F5 registry: + +```shell +kubectl create secret docker-registry regcred \ + --docker-server=private-registry.nginx.com \ + --docker-username=$(cat license.jwt) \ + --docker-password=none +``` + +{{< details summary="Example output" >}} + +```text +secret/regcred created +``` + +{{< /details >}} ## Install the Helm chart From 6549688b3321bba2cd5f0760b8631b0e10a2ecf3 Mon Sep 17 00:00:00 2001 
From: Alan Dooley Date: Wed, 10 Dec 2025 11:38:56 +0000 Subject: [PATCH 13/15] feat: Finish experimental document --- .../includes/ngf/installation/next-steps.md | 6 ++ content/ngf/_index.md | 12 ++-- content/ngf/install/manifests/experimental.md | 68 +++++++++++++++++++ content/ngf/install/manifests/open-source.md | 42 +----------- content/ngf/install/manifests/plus.md | 3 +- content/ngf/install/manifests/uninstall.md | 2 +- 6 files changed, 82 insertions(+), 51 deletions(-) create mode 100644 content/includes/ngf/installation/next-steps.md create mode 100644 content/ngf/install/manifests/experimental.md diff --git a/content/includes/ngf/installation/next-steps.md b/content/includes/ngf/installation/next-steps.md new file mode 100644 index 000000000..a566d285a --- /dev/null +++ b/content/includes/ngf/installation/next-steps.md @@ -0,0 +1,6 @@ +--- +--- + +- [Deploy a Gateway for data plane instances]({{< ref "/ngf/install/deploy-data-plane.md" >}}) +- [Routing traffic to applications]({{< ref "/ngf/traffic-management/basic-routing.md" >}}) +- [Secure traffic using Let's Encrypt]({{< ref "/ngf/traffic-security/integrate-cert-manager.md" >}}) \ No newline at end of file diff --git a/content/ngf/_index.md b/content/ngf/_index.md index 67b974f39..f91d3e15b 100644 --- a/content/ngf/_index.md +++ b/content/ngf/_index.md @@ -27,8 +27,6 @@ nd-product: FABRIC NGINX Gateway Fabric provides an implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/) using [NGINX](https://nginx.org/) as the data plane. The goal of the project is to implement the core Gateway APIs needed to configure an HTTP or TCP/UDP load balancer, reverse proxy, or API gateway for Kubernetes applications. -For a list of supported Gateway API resources and features, see the [Gateway API Compatibility]({{< ref "/ngf/overview/gateway-api-compatibility.md" >}}) documentation. - ## Featured content {{}} 
@@ -38,8 +36,8 @@ For a list of supported Gateway API resources and features, see the [Gateway API {{}} Choose how to deploy NGINX Gateway Fabric in production. {{}} - {{}} - Review the changes from the latest releases. + {{}} + View how much of the Gateway API NGINX Gateway Fabric supports. {{}} {{}} @@ -58,8 +56,8 @@ For more information, see the [Gateway architecture]({{< ref "/ngf/overview/gate ## More information {{}} - {{}} - View how much of the Gateway API NGINX Gateway Fabric supports. + {{}} + Review the changes from the latest releases. {{}} {{}} Check which versions of NGINX Gateway Fabric match the API. @@ -67,7 +65,7 @@ For more information, see the [Gateway architecture]({{< ref "/ngf/overview/gate {{}} Create simple rules for directing network traffic with HTTPRoute resources. {{}} - {{}} + {{}} Implement HTTPS with Let's Encrypt to secure client-server communication. {{}} {{}} \ No newline at end of file diff --git a/content/ngf/install/manifests/experimental.md b/content/ngf/install/manifests/experimental.md new file mode 100644 index 000000000..1f35b7926 --- /dev/null +++ b/content/ngf/install/manifests/experimental.md 
@@ -0,0 +1,68 @@ +--- +title: Use Manifests to install experimental NGINX Gateway Fabric versions +linkTitle: Experimental +weight: 300 +toc: true +nd-content-type: reference +nd-product: FABRIC +--- + +This page describes how to use Manifests to install experimental NGINX Gateway Fabric versions. + +The deployment process is similar to other installation procedures, and can be done with NGINX Open Source or NGINX Plus. + +{{< call-out "note" >}} + +Using experimental NGINX Gateway Fabric versions can allow you to test API resources from upcoming releases as outlined by the [Milestone Roadmap](https://github.com/orgs/nginx/projects/10/views/5). + +For information on API resource support, view the [Gateway API compatibility]({{< ref "/ngf/overview/gateway-api-compatibility.md" >}}) topic. + +{{< /call-out >}} + +The main requirement for installing experimental NGINX Gateway Fabric versions is to change the URL for each resource during the installation steps. + +Each of the following sections provides the necessary replacement URL and any other necessary information. + +## API resources + +The Gateway API resources from the experimental channel include everything in the standard release channel. + +To install API resources from the experimental channel, run the following command: + +```shell +kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/experimental?ref=v{{< version-ngf >}}" | kubectl apply -f - +``` + +## Custom resource definitions + +The custom resource definitions (CRDs) for an experimental NGINX Gateway Fabric release are the same as a regular deployment, and do not require replacement. + +## NGINX Gateway Fabric deployment + +{{< call-out "warning" >}} + +To install an experimental NGINX Gateway Fabric version, you **must** also install [experimental API resources](#api-resources). They cannot be mis-matched. 
+ +{{< /call-out >}} + +To deploy an experimental NGINX Gateway Fabric instance, use the command based on your NGINX type: + +{{< tabs name="nginx-version" >}} + +{{% tab name="NGINX Open Source" %}} + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/experimental/deploy.yaml +``` + +{{% /tab %}} + +{{% tab name="NGINX Plus" %}} + +```shell +kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/nginx-plus-experimental/deploy.yaml +``` + +{{% /tab %}} + +{{< /tabs >}} \ No newline at end of file diff --git a/content/ngf/install/manifests/open-source.md b/content/ngf/install/manifests/open-source.md index 9702f6581..bc69cc97d 100644 --- a/content/ngf/install/manifests/open-source.md +++ b/content/ngf/install/manifests/open-source.md 
@@ -144,44 +144,4 @@ nginxproxy.gateway.nginx.org/nginx-gateway-proxy-config created ## Next steps -- [Deploy a Gateway for data plane instances]({{< ref "/ngf/install/deploy-data-plane.md" >}}) -- [Routing traffic to applications]({{< ref "/ngf/traffic-management/basic-routing.md" >}}) - -## edge versions - -### API resources - -Installing Gateway API resources from the experimental channel includes everything in the standard release channel plus additional experimental resources and fields. -NGINX Gateway Fabric currently supports a subset of the additional features provided by the experimental channel. -To install from the experimental channel, run the following: - -```shell -kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/experimental?ref=v{{< version-ngf >}}" | kubectl apply -f - -``` - -### CRDs - -```shell -kubectl apply --server-side -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/main/deploy/crds.yaml - -``` - -### NGF itself - -{{< call-out "note" >}} Requires the Gateway APIs installed from the experimental channel. {{< /call-out >}} - -#### OSS + Experimental - -```shell -kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/experimental/deploy.yaml -``` - -#### Plus + Experimental - -The image is pulled from the NGINX Plus Docker registry, and the `imagePullSecretName` is the name of the Secret to use to pull the image. - -The NGINX Plus JWT Secret used to run NGINX Plus is also specified in a volume mount and the `--usage-report-secret` parameter. These Secrets are created as part of the [Before you begin](#before-you-begin) section. - -```shell -kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/nginx-plus-experimental/deploy.yaml -``` \ No newline at end of file +{{< include "/ngf/installation/next-steps.md" >}} \ No newline at end of file 
diff --git a/content/ngf/install/manifests/plus.md b/content/ngf/install/manifests/plus.md index 6ce47422f..35df3e178 100644 --- a/content/ngf/install/manifests/plus.md +++ b/content/ngf/install/manifests/plus.md @@ -124,5 +124,4 @@ nginxproxy.gateway.nginx.org/nginx-gateway-proxy-config created ## Next steps -- [Deploy a Gateway for data plane instances]({{< ref "/ngf/install/deploy-data-plane.md" >}}) -- [Routing traffic to applications]({{< ref "/ngf/traffic-management/basic-routing.md" >}}) \ No newline at end of file +{{< include "/ngf/installation/next-steps.md" >}} \ No newline at end of file diff --git a/content/ngf/install/manifests/uninstall.md b/content/ngf/install/manifests/uninstall.md index a6fb4c491..3bc9e4916 100644 --- a/content/ngf/install/manifests/uninstall.md +++ b/content/ngf/install/manifests/uninstall.md @@ -1,7 +1,7 @@ --- title: Use Manifests to uninstall NGINX Gateway Fabric linkTitle: Uninstall -weight: 300 +weight: 400 toc: true nd-content-type: how-to nd-product: FABRIC From 43630ba971bb99834b6d6282a83a40921509e5dd Mon Sep 17 00:00:00 2001 From: Alan Dooley Date: Thu, 11 Dec 2025 10:59:18 +0000 Subject: [PATCH 14/15] Apply suggestions from code review Co-authored-by: Jon Torre <78599298+JTorreG@users.noreply.github.com> --- content/includes/k8s/delete-license-registry-secrets.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/includes/k8s/delete-license-registry-secrets.md b/content/includes/k8s/delete-license-registry-secrets.md index d79ef65b2..38e7e1178 100644 --- a/content/includes/k8s/delete-license-registry-secrets.md +++ b/content/includes/k8s/delete-license-registry-secrets.md @@ -1,4 +1,5 @@ --- +nd-product: FABRIC --- If your deployment used NGINX Plus, you should also remove the secrets created for your license and the F5 registry. From 2cec96cb2b1516cd8aa8cfbbb21112cae9a22bae Mon Sep 17 00:00:00 2001 
From: Alan Dooley Date: Thu, 11 Dec 2025 11:30:56 +0000 Subject: [PATCH 15/15] fix: Address feedback --- content/includes/k8s/delete-license-registry-secrets.md | 2 +- content/ngf/install/manifests/plus.md | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/content/includes/k8s/delete-license-registry-secrets.md b/content/includes/k8s/delete-license-registry-secrets.md index 38e7e1178..8e306e8a7 100644 --- a/content/includes/k8s/delete-license-registry-secrets.md +++ b/content/includes/k8s/delete-license-registry-secrets.md @@ -1,5 +1,5 @@ --- -nd-product: FABRIC +nd-product: MISCEL --- If your deployment used NGINX Plus, you should also remove the secrets created for your license and the F5 registry. diff --git a/content/ngf/install/manifests/plus.md b/content/ngf/install/manifests/plus.md index 35df3e178..32c58f1c7 100644 --- a/content/ngf/install/manifests/plus.md +++ b/content/ngf/install/manifests/plus.md @@ -20,6 +20,7 @@ To complete this guide, you will need the following pre-requisites: - An active NGINX Plus subscription (Purchased or trial) - [A supported Kubernetes version]({{< ref "/ngf/overview/technical-specifications.md" >}}) - A functional Kubernetes cluster +- [cert-manager](https://cert-manager.io/docs/installation/) ## Download your JSON web token @@ -50,7 +51,7 @@ kubectl create -n nginx-gateway secret generic nplus-license --from-file licens Then create another Kubernetes secret to allow interactions with the F5 registry: ```shell -kubectl create -n nginx-gateway secret docker-registry regcred \ +kubectl create -n nginx-gateway secret docker-registry nginx-plus-registry-secret \ --docker-server=private-registry.nginx.com \ --docker-username=$(cat license.jwt) \ --docker-password=none
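Review bot: The new include content/includes/ngf/installation/manifests/verify-deployment.md (and content/includes/ngf/installation/next-steps.md in PATCH 13/15) is created with empty front matter, while PATCH 14/15 and PATCH 15/15 add an `nd-product` key to content/includes/k8s/delete-license-registry-secrets.md as a result of review. If that key is expected on includes, set it on these two files in the same series so the new includes are consistent with each other.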
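Review bot: In the content/ngf/install/manifests/plus.md hunk that adds "## Deploy NGINX Gateway Fabric" (the patch before PATCH 12/15), the sentence "If you want to deploy it in another namespace, you must modify the Manifest files" has no closing period and runs straight into the `kubectl apply` block, so the command reads as the way to change the namespace rather than as the default deployment. Add a sentence that introduces the command. Since PATCH 12/15 creates the license and registry secrets with `-n nginx-gateway`, it is also worth stating here that a reader who changes the namespace must create those secrets in the same namespace, because image pull secrets are only resolved in the pod's own namespace.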
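Review bot: PATCH 12/15 deletes content/includes/k8s/create-license-registry-secret.md and pastes its body into both content/ngf/install/manifests/plus.md and content/nic/install/helm/plus.md, so the call-out on handling **license.jwt** ("JWTs are sensitive information and should be stored securely") and the two `kubectl create secret` commands now have to be kept in sync by hand. The copies have already diverged: the NGF copy uses `-n nginx-gateway` and drops the per-command example output, and PATCH 15/15 renames the registry secret in the NGF copy only. Consider keeping at least the call-out in a shared include so the security guidance has a single source, and leave only the product-specific commands inline.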
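Review bot: In PATCH 12/15, the content/ngf/install/manifests/uninstall.md hunk drops the "Remove secrets" section, while the same patch makes plus.md create `nplus-license` and the registry secret in the `nginx-gateway` namespace, so the uninstall page no longer tells NGINX Plus users how the license JWT and registry credential are removed. If an earlier step on that page deletes the `nginx-gateway` namespace, say there that this also removes the secrets; otherwise add namespaced commands such as `kubectl delete -n nginx-gateway secret nplus-license`. Judging by the text it replaced in content/nic/install/helm/uninstall.md, the shared delete-license-registry-secrets.md include runs `kubectl delete secret` without `-n`, so it would not match the NGF secrets as written.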
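Review bot: In PATCH 13/15, the NGINX Plus tab of the new content/ngf/install/manifests/experimental.md gives only the `deploy/nginx-plus-experimental/deploy.yaml` command and no prerequisite. The "Plus + Experimental" text removed from open-source.md in the same patch explained that the image is pulled using `imagePullSecretName`, that the license JWT Secret is passed through `--usage-report-secret`, and where those Secrets are created. Add a sentence in that tab linking to "Create license and registry secrets" in plus.md so the reader creates them before applying the manifest. In the warning call-out, "mis-matched" should be "mismatched".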
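Review bot: In PATCH 15/15, the second content/ngf/install/manifests/plus.md hunk renames the registry secret to `nginx-plus-registry-secret`, but the `kubectl get -n nginx-gateway secrets` example output added in PATCH 12/15 still lists `regcred`, and the diffstat for this file (3 changed lines) shows that row was not touched. Update the example output so the verification step matches the secret the reader has just created. While editing this command, quote the substitution as `--docker-username="$(cat license.jwt)"`; it is also worth noting for readers that the token is passed as a command-line argument and is therefore visible in the local process list while `kubectl` runs.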