Merge branch 'main' into n4a-landing

Author: ADubhlaoich

_banners/eos-acm.md

@@ -0,0 +1,8 @@
+{{< banner "warning" "End of Sale Notice:" >}}
+  <br>
+  F5 NGINX is announcing the <strong>End of Sale (EoS)</strong> for NGINX Management Suite API Connectivity Manager Module, <strong>effective January 1, 2024</strong>.
+  <br><br>
+  F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing API Connectivity Manager Module customers can continue to use the product past the EoS date. <strong>License renewals are not available after September 30, 2024.</strong>
+  <br><br>
+  See our <a href="https://my.f5.com/manage/s/article/K000137989">End of Sale announcement</a> for more details.
+{{</ banner >}}

_banners/eos-mesh.md

@@ -1,8 +1,8 @@
 {{< banner "warning" "End of Sale Notice:" >}}
-  <br>
-  F5 NGINX is announcing the <strong>End of Sale (EoS)</strong> for NGINX Management Suite API Connectivity Manager Module, <strong>effective January 1, 2024</strong>.
-  <br><br>
-  F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing API Connectivity Manager Module customers can continue to use the product past the EoS date. <strong>License renewals are not available after September 30, 2024.</strong>
-  <br><br>
-  See our <a href="https://my.f5.com/manage/s/article/K000137989">End of Sale announcement</a> for more details.
+  <p>
+    Commercial support for NGINX Service Mesh is available to customers who currently have active NGINX Microservices Bundle subscriptions. F5 NGINX announced the End of Sale (EoS) for the NGINX Microservices Bundles as of <strong>July 1, 2023</strong>.
+  </p>
+  <p>
+    See our <a href="https://my.f5.com/manage/s/article/K000135468">End of Sale announcement</a> for more details.
+  </p>
 {{</ banner >}}

content/includes/nap-waf/config/common/nginx-app-protect-waf-terminology.md

@@ -1,5 +1,8 @@
 ---
 nd-docs: "DOCS-1605"
+files:
+  - content/nap-waf/v5/configuration-guide/configuration.md
+  - content/nginx-one/glossary.md
 ---
 
 This guide assumes that you have some familiarity with various Layer 7 (L7) Hypertext Transfer Protocol (HTTP) concepts, such as Uniform Resource Identifier (URI)/Uniform Resource Locator (URL), method, header, cookie, status code, request, response, and parameters.
@@ -26,4 +29,4 @@ This guide assumes that you have some familiarity with various Layer 7 (L7) Hype
 |Tuning | Making manual changes to an existing security policy to reduce false positives and increase the policy’s security level. |
 |URI/URL | The Uniform Resource Identifier (URI) specifies the name of a web object in a request. A Uniform Resource Locator (URL) specifies the location of an object on the Internet. For example, in the web address, `http://www.siterequest.com/index.html`, index.html is the URI, and the URL is `http://www.siterequest.com/index.html`. In NGINX App Protect WAF, the terms URI and URL are used interchangeably. |
 |Violation | Violations occur when some aspect of a request or response does not comply with the security policy. You can configure the blocking settings for any violation in a security policy. When a violation occurs, the system can Alarm or Block a request (blocking is only available when the enforcement mode is set to Blocking). |
-{{</bootstrap-table>}}
+{{</bootstrap-table>}}

content/ngf/get-started.md

@@ -132,13 +132,76 @@ The YAML code in the following sections can be found in the [cafe-example folder
 
 ### Create the application resources
 
-Create the file _cafe.yaml_ with the following contents:
-
-{{< ghcode `https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/refs/heads/main/examples/cafe-example/cafe.yaml`>}}
-
-Apply it using `kubectl`:
-
-```shell
+Run the following command to create the file _cafe.yaml_, which is then used to deploy the *coffee* application to your cluster:
+
+```yaml
+cat <<EOF > cafe.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: coffee
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: coffee
+  template:
+    metadata:
+      labels:
+        app: coffee
+    spec:
+      containers:
+      - name: coffee
+        image: nginxdemos/nginx-hello:plain-text
+        ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: coffee
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: coffee
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tea
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: tea
+  template:
+    metadata:
+      labels:
+        app: tea
+    spec:
+      containers:
+      - name: tea
+        image: nginxdemos/nginx-hello:plain-text
+        ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: tea
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: tea
+EOF
 kubectl apply -f cafe.yaml
 ```
 
@@ -163,13 +226,22 @@ tea-6fbfdcb95d-9lhbj      1/1     Running   0          9s
 
 ### Create Gateway and HTTPRoute resources
 
-Create the file _gateway.yaml_ with the following contents:
-
-{{< ghcode `https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/refs/heads/main/examples/cafe-example/gateway.yaml`>}}
-
-Apply it using `kubectl`:
-
-```shell
+Run the following command to create the file _gateway.yaml_, which is then used to deploy a Gateway to your cluster:
+
+```yaml
+cat <<EOF > gateway.yaml
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: gateway
+spec:
+  gatewayClassName: nginx
+  listeners:
+  - name: http
+    port: 80
+    protocol: HTTP
+    hostname: "*.example.com"
+EOF
 kubectl apply -f gateway.yaml
 ```
 
@@ -190,13 +262,48 @@ gateway-nginx-66b5d78f8f-4fmtb   1/1     Running   0          13s
 tea-6fbfdcb95d-9lhbj             1/1     Running   0          31s
 ```
 
-Create the file _cafe-routes.yaml_ with the following contents:
-
-{{< ghcode `https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/refs/heads/main/examples/cafe-example/cafe-routes.yaml`>}}
-
-Apply it using `kubectl`:
-
-```shell
+Run the following command to create the file _cafe-routes.yaml_. It is then used to deploy two *HTTPRoute* resources in your cluster: one each for _/coffee_ and _/tea_.
+
+```yaml
+cat <<EOF > cafe-routes.yaml
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: coffee
+spec:
+  parentRefs:
+  - name: gateway
+    sectionName: http
+  hostnames:
+  - "cafe.example.com"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /coffee
+    backendRefs:
+    - name: coffee
+      port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: tea
+spec:
+  parentRefs:
+  - name: gateway
+    sectionName: http
+  hostnames:
+  - "cafe.example.com"
+  rules:
+  - matches:
+    - path:
+        type: Exact
+        value: /tea
+    backendRefs:
+    - name: tea
+      port: 80
+EOF
 kubectl apply -f cafe-routes.yaml
 ```
 

content/ngf/reference/permissions.md

@@ -0,0 +1,110 @@
+---
+title: Permissions
+description: NGINX Gateway Fabric permissions required by components.
+weight: 300
+toc: true
+type: reference
+product: NGF
+---
+
+## Overview
+
+NGINX Gateway Fabric uses a split-plane architecture with three components that require different permissions:
+
+- **Control Plane**: Manages Kubernetes APIs and data plane deployments. Needs broad API access but handles no user traffic.
+- **Data Plane**: Processes user traffic. Requires minimal permissions since configuration comes from control plane via secure gRPC.
+- **Certificate Generator**: One-time job that creates TLS certificates for inter-plane communication.
+
+## Security Context
+
+All components share these security settings:
+
+- **User ID**: 101 (non-root)
+- **Group ID**: 1001  
+- **Capabilities**: All dropped (`drop: ALL`)
+- **Root Filesystem**: Read-only except for specific writable volumes
+- **Seccomp**: Runtime default profile
+
+## Control Plane
+
+Runs as a single container in the `nginx-gateway` deployment.
+
+**Additional Security Settings:**
+- **Privilege Escalation**: Disabled
+
+**Volumes:**
+- Secret mounts for TLS certificates
+
+**RBAC Permissions:**
+- **Secrets, ConfigMaps, Services**: Create, update, delete, list, get, watch
+- **Deployments, DaemonSets**: Create, update, delete, list, get, watch
+- **ServiceAccounts**: Create, update, delete, list, get, watch
+- **Namespaces, Pods**: Get, list, watch
+- **Events**: Create, patch
+- **EndpointSlices**: List, watch
+- **Gateway API resources**: List, watch (read-only) + update status subresources only
+- **NGF Custom resources**: Get, list, watch (read-only) + update status subresources only
+- **Leases**: Create, get, update (for leader election)
+- **CustomResourceDefinitions**: List, watch
+- **TokenReviews**: Create (for authentication)
+
+## Data Plane
+
+NGINX containers managed by the control plane. No RBAC permissions needed since configuration comes via secure gRPC.
+
+**Additional Security Settings:**
+- **Privilege Escalation**: Disabled
+- **Sysctl**: `net.ipv4.ip_unprivileged_port_start=0` (enables binding to ports < 1024)
+
+**Volumes:**
+- EmptyDir volumes for NGINX configuration, runtime files, logs, and cache
+- Secret mounts for TLS certificates and the NGINX Plus JWT token 
+- Projected token mounts for service account authentication
+
+**Volume Permissions:**
+- **EmptyDir**: Read-write (required for NGINX operation)
+- **Secret/ConfigMap/Projected**: Read-only
+
+## Certificate Generator
+
+Kubernetes Job that creates initial TLS certificates.
+
+**RBAC Permissions:**
+- **Secrets**: Create, update, get (control plane namespace only)
+
+## Platform-Specific Considerations
+
+### OpenShift Compatibility
+
+NGINX Gateway Fabric includes Security Context Constraints (SCCs) for OpenShift:
+
+**Control Plane SCC:**
+- **Privilege Escalation**: Disabled
+- **Host Access**: Disabled (network, IPC, PID, ports)
+- **User ID Range**: 101-101 (fixed)
+- **Group ID Range**: 1001-1001 (fixed)
+- **Volumes**: Secret only
+
+**Data Plane SCC:**
+Same restrictions as control plane, plus additional volume types:
+- **Additional Volumes**: EmptyDir, ConfigMap, Projected
+
+### Linux Capabilities
+
+NGINX Gateway Fabric drops ALL Linux capabilities and adds none, following security best practices.
+
+**How It Works Without Capabilities:**
+- **Process Management**: Standard Unix signals (no elevated privileges needed)
+- **Port Binding**: Uses sysctl `net.ipv4.ip_unprivileged_port_start=0` for ports < 1024
+- **File Operations**: Volume mounts provide necessary write access
+
+
+## Security Features
+
+- **Separation of concerns**: Control plane (API access, no traffic) vs data plane (traffic, no API access)
+- **Non-root execution**: All components run as unprivileged user (UID 101)
+- **Zero capabilities**: All Linux capabilities dropped
+- **Read-only root filesystem**: Prevents runtime modifications
+- **Ephemeral storage**: Temporary volumes only, no persistent storage
+- **Least privilege RBAC**: Minimal required permissions per component
+- **Secure communication**: mTLS-encrypted gRPC (TLS 1.3+) between planes

content/nginx-one/_index.md

@@ -19,6 +19,7 @@ F5 NGINX One Console makes it easy to manage NGINX instances across locations an
 [//]: # "You can add a maximum of three cards: any extra will not display."
 [//]: # "One card will take full width page: two will take half width each. Three will stack like an inverse pyramid."
 [//]: # "Some examples of content could be the latest release note, the most common install path, and a popular new feature."
+
 {{<card-layout>}}
   {{<card-section showAsCards="true" isFeaturedSection="true">}}
     {{<card title="Get started" titleUrl="/nginx-one/getting-started/" isFeatured="true" icon="unplug">}}
@@ -36,6 +37,12 @@ F5 NGINX One Console makes it easy to manage NGINX instances across locations an
     {{<card title="Manage your NGINX instances" titleUrl="/nginx-one/nginx-configs/" >}}
       Manage one instance or groups of instances. Monitor certificates. Set up metrics.
     {{</card>}}
+    {{<card title="Secure with NGINX App Protect" titleUrl="/nginx-one/nap-integration/" >}}
+      Manage one instance or groups of instances. Monitor certificates. Set up metrics.
+    {{</card>}}
+    {{<card title="Connect Kubernetes deployments" titleUrl="/nginx-one/k8s/">}}
+      Monitor deployments for CVEs and certificates
+    {{</ card >}}
     {{<card title="Organize users with RBAC" titleUrl="/nginx-one/rbac/" >}}
       Assign responsibilities with role-based access control 
     {{</card>}}
@@ -58,10 +65,23 @@ F5 NGINX One Console makes it easy to manage NGINX instances across locations an
   {{</card-section>}}
 {{</card-layout>}}
 
+### More information
+
+{{<card-layout>}}
+  {{<card-section showAsCards="true" >}}
+    {{<card title="Glossary" titleUrl="/nginx-one/glossary/" >}}
+      See latest updates: New features, improvements, and bug fixes
+    {{</card>}}
+    {{<card title="Changelog" titleUrl="/nginx-one/changelog/" icon="clock-alert">}}
+      See latest updates: New features, improvements, and bug fixes
+    {{</card>}}
+  {{</card-section>}}
+{{</card-layout>}}
+
 ## NGINX One components
 [//]: # "You can add any extra content for the page here, such as additional cards, diagrams or text."
 
-{{< card-layout >}}
+{{<card-layout>}}
   {{< card-section title="Kubernetes Solutions">}}
     {{< card title="NGINX Ingress Controller" titleUrl="/nginx-ingress-controller/" brandIcon="NGINX-Ingress-Controller-product-icon">}}
       Kubernetes traffic management with API gateway, identity, and observability features.

content/nginx-one/api/_index.md

@@ -1,6 +1,6 @@
 ---
 title: Automate with the NGINX One API
 description:
-weight: 700
+weight: 800
 url: /nginx-one/api
 ---