26 commits
d014b72
nic: add docs for sslVerify in JWT policy (#1198)
vepatel Sep 30, 2025
d718d30
nic: add ssl cipher annotations (#1353)
vepatel Oct 23, 2025
30991bc
feat: helm HorizontalPodAutoscaler creation flag (#1355)
pdabelf5 Nov 3, 2025
3735ffb
feat: add OIDC timeout config options to NIC ConfigMap (#1413)
AlexFenlon Nov 7, 2025
8853b37
feat: add documentation for new ingress annotation(#1415)
vepatel Nov 7, 2025
df3490f
Merge branch 'main' into nic-release-5.3
ADubhlaoich Nov 14, 2025
ec13f84
update docs for upstream service in foreign namespace (#1419)
haywoodsh Nov 17, 2025
5348a6e
feat: Add client-body-buffer-size directive to NIC Ingress Annotation…
AlexFenlon Nov 25, 2025
92fe573
Merge branch 'main' into nic-release-5.3
ADubhlaoich Nov 25, 2025
47d13db
Merge branch 'main' into nic-release-5.3
ADubhlaoich Nov 26, 2025
6f0ad96
feat: Add OIDC Policy sslVerify parameters (#1479)
pdabelf5 Nov 26, 2025
94d397c
nic: update policy resource with new fields (#1495)
vepatel Nov 28, 2025
77ef1b8
Merge branch 'main' into nic-release-5.3
ADubhlaoich Dec 1, 2025
3a0e6e7
Merge branch 'main' into nic-release-5.3
ADubhlaoich Dec 3, 2025
278864c
Merge branch 'main' into ngf/rework-manifest-install
ADubhlaoich Dec 4, 2025
d39a1fa
feat: Rework Manifest installation paths
ADubhlaoich Dec 9, 2025
3fb8f54
Merge branch 'main' into ngf/rework-manifest-install
ADubhlaoich Dec 9, 2025
90dc768
Merge branch 'main' into ngf/rework-manifest-install
ADubhlaoich Dec 9, 2025
9abdbf6
feat: Add current work
ADubhlaoich Dec 9, 2025
0e0a8de
Merge branch 'main' into ngf/rework-manifest-install
ADubhlaoich Dec 10, 2025
f9e4db1
feat: Finish core Plus manifest deployment instructions
ADubhlaoich Dec 10, 2025
6549688
feat: Finish experimental document
ADubhlaoich Dec 10, 2025
c7d1c36
Merge branch 'main' into ngf/rework-manifest-install
ADubhlaoich Dec 10, 2025
43630ba
Apply suggestions from code review
ADubhlaoich Dec 11, 2025
9e2b8e5
Merge branch 'main' into ngf/rework-manifest-install
ADubhlaoich Dec 11, 2025
2cec96c
fix: Address feedback
ADubhlaoich Dec 11, 2025
29 changes: 29 additions & 0 deletions content/includes/k8s/delete-license-registry-secrets.md
@@ -0,0 +1,29 @@
---
nd-product: MISCEL
---

If your deployment used NGINX Plus, you should also remove the secrets created for your license and the F5 registry.

```shell
kubectl delete secret nplus-license
```

{{< details summary="Example output" >}}

```text
secret "nplus-license" deleted
```

{{< /details >}}

```shell
kubectl delete secret regcred
```

{{< details summary="Example output" >}}

```text
secret "regcred" deleted
```

{{< /details >}}
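
Review bot: Both `kubectl delete secret` commands omit a namespace, so they act on whatever namespace the current context points at, while the registry secret creation step elsewhere in this PR uses `-n nginx-gateway`. Suggest adding `-n <namespace>` or stating which namespace to run them in, so the command neither misses the secrets nor removes a same-named secret from another namespace. The names also differ from that creation step (`nginx-plus-registry-secret` there, `regcred` here); if this include is shared between products, add a sentence saying the names must match whatever was created at install time.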
25 changes: 25 additions & 0 deletions content/includes/ngf/gateway-api-compat-table.md
@@ -0,0 +1,25 @@
---
---

{{< call-out "important" >}}

You can view the [Milestone Roadmap](https://github.com/orgs/nginx/projects/10/views/5) in the NGINX Gateway Fabric GitHub project to see what API resources will be supported in upcoming releases.

{{< /call-out >}}

{{< table >}}

| Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version | API Release Channel |
|---------------------------------------|---------------------|------------------------|---------------------------------------|-------------|---------------------|
| [GatewayClass]({{< ref "/ngf/overview/gateway-api-compatibility.md#gatewayclass" >}}) | Supported | Not supported | Supported | v1 | Standard |
| [Gateway]({{< ref "/ngf/overview/gateway-api-compatibility.md#gateway" >}}) | Supported | Partially supported | Not supported | v1 | Standard |
| [HTTPRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#httproute" >}}) | Supported | Partially supported | Not supported | v1 | Standard |
| [GRPCRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#grpcroute" >}}) | Supported | Partially supported | Not supported | v1 | Standard |
| [ReferenceGrant]({{< ref "/ngf/overview/gateway-api-compatibility.md#referencegrant" >}}) | Supported | N/A | Not supported | v1beta1 | Standard |
| [TLSRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#tlsroute" >}}) | Supported | Not supported | Not supported | v1alpha2 | Experimental |
| [TCPRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#tcproute" >}}) | Not supported | Not supported | Not supported | v1alpha2 | Experimental |
| [UDPRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#udproute" >}}) | Not supported | Not supported | Not supported | v1alpha2 | Experimental |
| [BackendTLSPolicy]({{< ref "/ngf/overview/gateway-api-compatibility.md#backendtlspolicy" >}}) | Partially Supported | Supported | Partially supported | v1alpha3 | Experimental |
| [Custom policies]({{< ref "/ngf/overview/gateway-api-compatibility.md#custom-policies" >}}) | N/A | N/A | Supported | N/A | N/A |

{{< /table >}}
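
Review bot: In the BackendTLSPolicy row the Core Support Level cell reads `Partially Supported`, while every other cell in the table uses `Partially supported`. Lower-case the second word so the support levels are spelled one way throughout.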
Expand Up @@ -7,4 +7,6 @@ nd-files:
- content/ngf/install/manifests.md
---

The Service that is provisioned when NGINX Gateway Fabric is first installed is a ClusterIP Service used only for internal communication between the control plane and data planes. To deploy NGINX itself and get a LoadBalancer Service, you now need to [create a Gateway]({{< ref "/ngf/install/deploy-data-plane.md" >}}).
When NGINX Gateway Fabric is installed, it provisions a ClusterIP Service used only for internal communication between the control plane and data planes.

To deploy NGINX itself and get a LoadBalancer Service, you should follow the [Deploy a Gateway for data plane instances]({{< ref "/ngf/install/deploy-data-plane.md" >}}) instructions.
22 changes: 22 additions & 0 deletions content/includes/ngf/installation/manifests/api-resources.md
@@ -0,0 +1,22 @@
---
---

{{< call-out "note" >}} If you have already installed Gateway API resources in your cluster, ensure they are a version [supported by NGINX Gateway Fabric]({{< ref "/ngf/overview/technical-specifications.md" >}}) {{< /call-out >}}

To install the Gateway API resources, use `kubectl kustomize`:

```shell
kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/standard?ref=v{{< version-ngf >}}" | kubectl apply -f -
```

{{< details summary="Example output" >}}

```text
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io created
Contributor

This is going to continually change as Gateway API adds new CRDs. Doesn't seem maintainable.

Member Author

Unless the new CRDs are being added daily, I don't know why there wouldn't be a problem updating the example output periodically.

They're meant to give an impression of output, and are hidden by default.

```

{{< /details >}}
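
Review bot: The call-out sentence beginning "If you have already installed Gateway API resources" ends without a full stop before the closing `{{< /call-out >}}` shortcode; add one. This include also only gives the standard-channel `kubectl kustomize` command, while the uninstall include in this PR covers both the standard and experimental channels, so either add the experimental variant here or say where it is documented.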
21 changes: 21 additions & 0 deletions content/includes/ngf/installation/manifests/crds.md
@@ -0,0 +1,21 @@
---
---

Deploy the NGINX Gateway Fabric CRDs using `kubectl apply`:

```shell
kubectl apply --server-side -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/crds.yaml
```

{{< details summary="Example output" >}}

```text
customresourcedefinition.apiextensions.k8s.io/clientsettingspolicies.gateway.nginx.org serverside-applied
customresourcedefinition.apiextensions.k8s.io/nginxgateways.gateway.nginx.org serverside-applied
customresourcedefinition.apiextensions.k8s.io/nginxproxies.gateway.nginx.org serverside-applied
customresourcedefinition.apiextensions.k8s.io/observabilitypolicies.gateway.nginx.org serverside-applied
customresourcedefinition.apiextensions.k8s.io/snippetsfilters.gateway.nginx.org serverside-applied
customresourcedefinition.apiextensions.k8s.io/upstreamsettingspolicies.gateway.nginx.org serverside-applied
Contributor

This is going to continually change as we add new CRDs. Doesn't seem maintainable.

Member Author

Unless the new CRDs are being added daily, I don't know why there wouldn't be a problem updating the example output periodically.

They're meant to give an impression of output, and are hidden by default.

```

{{< /details >}}
127 changes: 127 additions & 0 deletions content/includes/ngf/installation/manifests/secure-certificates.md
@@ -0,0 +1,127 @@
---
---

{{< call-out "note" >}} These steps use a self-signed issuer, which should not be used in production environments. For production environments, you should use a real [CA issuer](https://cert-manager.io/docs/configuration/ca/). {{< /call-out >}}

First, create a CA (certificate authority) issuer:

```yaml
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned-issuer
namespace: nginx-gateway
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nginx-gateway-ca
namespace: nginx-gateway
spec:
isCA: true
commonName: nginx-gateway
secretName: nginx-gateway-ca
privateKey:
algorithm: RSA
size: 2048
issuerRef:
name: selfsigned-issuer
kind: Issuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: nginx-gateway-issuer
namespace: nginx-gateway
spec:
ca:
secretName: nginx-gateway-ca
EOF
```

{{< details summary="Example output" >}}

```text
issuer.cert-manager.io/selfsigned-issuer created
Warning: spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`.
certificate.cert-manager.io/nginx-gateway-ca created
issuer.cert-manager.io/nginx-gateway-issuer created
```

{{< /details >}}

You will then need to create a server certificate for the NGINX Gateway Fabric control plane (server):

{{< call-out "note" >}}

The default service name is _nginx-gateway_, and the namespace is _nginx-gateway_, so the `dnsNames` value should be `nginx-gateway.nginx-gateway.svc`.

This value becomes the name of the NGINX Gateway Fabric control plane service.

{{< /call-out >}}

```yaml {hl_lines=[13]}
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nginx-gateway
namespace: nginx-gateway
spec:
secretName: server-tls
usages:
- digital signature
- key encipherment
dnsNames:
- ngf-nginx-gateway-fabric.nginx-gateway.svc
issuerRef:
name: nginx-gateway-issuer
EOF
```

Since the TLS Secrets are mounted into each pod that uses them, the NGINX agent (client) Secret is duplicated by the NGINX Gateway Fabric control plane into whichever namespace NGINX is deployed into.

All updates to the source Secret are propagated to the duplicate Secrets.

Add the certificate for the NGINX agent (client):

```yaml
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nginx
namespace: nginx-gateway
spec:
secretName: agent-tls
usages:
- "digital signature"
- "key encipherment"
dnsNames:
- "*.cluster.local"
issuerRef:
name: nginx-gateway-issuer
EOF
```

`agent-tls` is the default name: if you use a different name, provide it when installing NGINX Gateway Fabric with the `agent-tls-secret` argument.

You should see the Secrets created in the `nginx-gateway` namespace:

```shell
kubectl -n nginx-gateway get secrets
```

{{< details summary="Example output" >}}

```text
agent-tls kubernetes.io/tls 3 3s
nginx-gateway-ca kubernetes.io/tls 3 15s
server-tls kubernetes.io/tls 3 8s
```

{{< /details >}}
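
Review bot: The note above the server certificate says the `dnsNames` value should be `nginx-gateway.nginx-gateway.svc`, but the highlighted manifest line sets `ngf-nginx-gateway-fabric.nginx-gateway.svc`. A certificate whose SAN does not match the control plane Service name will not validate for that hostname, so the note and the manifest need to agree; if the default names in the note are right, the line should read `- nginx-gateway.nginx-gateway.svc`. The sentence "This value becomes the name of the NGINX Gateway Fabric control plane service" also reads backwards, since the `dnsNames` entry has to match the Service name rather than set it. Two smaller points: the three `kubectl apply -f - <<EOF` blocks are fenced as `yaml` although they are shell heredocs, and the example output includes the `spec.privateKey.rotationPolicy` warning, which setting `rotationPolicy` explicitly on the CA Certificate would remove.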
@@ -0,0 +1,15 @@
---
---

To confirm that NGINX Gateway Fabric is running, check the pods in the `nginx-gateway` namespace:

```shell
kubectl get pods -n nginx-gateway
```

The output should look similar to this (The pod name will include a unique string):

```text
NAME READY STATUS RESTARTS AGE
nginx-gateway-694897c587-bbz62 1/1 Running 0 29s
```
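
Review bot: In "The output should look similar to this (The pod name will include a unique string):" the parenthetical starts with a capital letter mid-sentence. Suggest lower-casing it, or moving it into its own sentence after the example output.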
6 changes: 6 additions & 0 deletions content/includes/ngf/installation/next-steps.md
@@ -0,0 +1,6 @@
---
---

- [Deploy a Gateway for data plane instances]({{< ref "/ngf/install/deploy-data-plane.md" >}})
- [Routing traffic to applications]({{< ref "/ngf/traffic-management/basic-routing.md" >}})
- [Secure traffic using Let's Encrypt]({{< ref "/ngf/traffic-security/integrate-cert-manager.md" >}})
Expand Up @@ -20,4 +20,8 @@ Create a Kubernetes `docker-registry` secret type using the contents of the JWT
kubectl create secret docker-registry nginx-plus-registry-secret --docker-server=private-registry.nginx.com --docker-username=<JWT Token> --docker-password=none -n nginx-gateway
```

It is important that the `--docker-username=<JWT Token>` contains the contents of the token and is not pointing to the token itself. When you copy the contents of the JWT, ensure there are no additional characters such as extra whitespaces. This can invalidate the token, causing 401 errors when trying to authenticate to the registry.
It is important that the `--docker-username=<JWT Token>` contains the contents of the token and is not pointing to the token itself.

When you copy the contents of the JWT, ensure there are no additional characters such as extra whitespaces.

This can invalidate the token, causing 401 errors when trying to authenticate to the registry.
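
Review bot: After the split into three paragraphs, the last one opens with "This can invalidate the token", and as a standalone paragraph "This" no longer has a clear antecedent. Suggest keeping it attached to the previous sentence, for example "...such as extra whitespace, which can invalidate the token and cause 401 errors when authenticating to the registry." "whitespaces" should be "whitespace", and "is not pointing to the token itself" would be clearer if it said the value must be the token contents rather than a reference to the token file, if that is what is meant. Since the command passes the JWT as a command-line argument, a short note about it ending up in shell history would also be worth adding.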
Expand Up @@ -6,15 +6,29 @@ nd-files:
- content/ngf/install/manifests.md
---

{{< call-out "warning" >}} This will remove all corresponding custom resources in your entire cluster, across all namespaces. Double-check to make sure you don't have any custom resources you need to keep, and confirm that there are no other Gateway API implementations active in your cluster. {{< /call-out >}}
{{< call-out "warning" >}} This step will remove all corresponding custom resources in your entire cluster, across every namespace.

Ensure you don't have any custom resources you need to keep, and confirm that there are no other Gateway API implementations active in your cluster. {{< /call-out >}}

To uninstall the Gateway API resources, run the following:

```shell
kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/standard?ref=v{{< version-ngf >}}" | kubectl delete -f -
```

Alternatively, if you installed the Gateway APIs from the experimental channel, run the following:
{{< details summary="Example output" >}}

```text
customresourcedefinition.apiextensions.k8s.io "gatewayclasses.gateway.networking.k8s.io" deleted
customresourcedefinition.apiextensions.k8s.io "gateways.gateway.networking.k8s.io" deleted
customresourcedefinition.apiextensions.k8s.io "grpcroutes.gateway.networking.k8s.io" deleted
customresourcedefinition.apiextensions.k8s.io "httproutes.gateway.networking.k8s.io" deleted
customresourcedefinition.apiextensions.k8s.io "referencegrants.gateway.networking.k8s.io" deleted
Contributor

This is going to continually change as Gateway API adds new CRDs. Doesn't seem maintainable.

Member Author

Unless the new CRDs are being added daily, I don't know why there wouldn't be a problem updating the example output periodically.

They're meant to give an impression of output, and are hidden by default.

Contributor

> I don't know why there wouldn't be a problem updating the example output periodically

When adding a new CRD, nobody is going to remember that they are referenced in some text output in a random doc. It'll only be when someone is looking at the docs at some point and realizes the inconsistency. It's not the end of the world to be inaccurate, but inevitably someone is going to get confused why their output doesn't match what's here.

```

{{< /details >}}

If you installed the Gateway APIs from the experimental channel, run the following instead:

```shell
kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/experimental?ref=v{{< version-ngf >}}" | kubectl delete -f -