feat: Set up NGF integration to N1 Console

mjang · mjang · commit 119fef71b02d · 2025-07-29T09:39:38.000-07:00
diff --git a/content/includes/ngf/installation/install-oci-registry.md b/content/includes/ngf/installation/install-oci-registry.md
@@ -0,0 +1,43 @@
+---
+nd-docs: "DOCS-0000"
+files:
+  - content/nginx-one/k8s/add-ngf.md
+  - content/ngf/install/helm.md
+---
+
+The following steps install NGINX Gateway Fabric directly from the OCI helm registry. If you prefer, you can [install from sources](#install-from-sources) instead.
+
+{{<tabs name="install-helm-oci">}}
+
+{{%tab name="NGINX"%}}
+
+To install the latest stable release of NGINX Gateway Fabric in the **nginx-gateway** namespace, run the following command:
+
+```shell
+helm install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway
+```
+
+{{% /tab %}}
+
+{{%tab name="NGINX Plus"%}}
+
+{{< note >}} If applicable, replace the F5 Container registry `private-registry.nginx.com` with your internal registry for your NGINX Plus image, and replace `nginx-plus-registry-secret` with your Secret name containing the registry credentials. If your NGINX Plus JWT Secret has a different name than the default `nplus-license`, then define that name using the `nginx.usage.secretName` flag. {{< /note >}}
+
+To install the latest stable release of NGINX Gateway Fabric in the **nginx-gateway** namespace, run the following command:
+
+```shell
+helm install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric  --set nginx.image.repository=private-registry.nginx.com/nginx-gateway-fabric/nginx-plus --set nginx.plus=true --set nginx.imagePullSecret=nginx-plus-registry-secret -n nginx-gateway
+```
+
+{{% /tab %}}
+
+{{</tabs>}}
+
+`ngf` is the name of the release, and can be changed to any name you want. This name is added as a prefix to the Deployment name.
+
+If you want the latest version from the **main** branch, add `--version 0.0.0-edge` to your install command.
+
+To wait for the Deployment to be ready, you can either add the `--wait` flag to the `helm install` command, or run the following after installing:
+
+```shell
+kubectl wait --timeout=5m -n nginx-gateway deployment/ngf-nginx-gateway-fabric --for=condition=Available
diff --git a/content/includes/nginx-one/data-plane-key-warning.md b/content/includes/nginx-one/data-plane-key-warning.md
@@ -0,0 +1,8 @@
+---
+files:
+  - content/nginx-one/k8s/add-ngf.md
+  - content/nginx-one/k8s/add-nic.md
+---
+{{<note>}}
+
+{{</note>}}
diff --git a/content/ngf/install/helm.md b/content/ngf/install/helm.md
@@ -52,43 +52,7 @@ To complete this guide, you will need:
 
 ### Install from the OCI registry
 
-The following steps install NGINX Gateway Fabric directly from the OCI helm registry. If you prefer, you can [install from sources](#install-from-sources) instead.
-
-{{<tabs name="install-helm-oci">}}
-
-{{%tab name="NGINX"%}}
-
-To install the latest stable release of NGINX Gateway Fabric in the **nginx-gateway** namespace, run the following command:
-
-```shell
-helm install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway
-```
-
-{{% /tab %}}
-
-{{%tab name="NGINX Plus"%}}
-
-{{< note >}} If applicable, replace the F5 Container registry `private-registry.nginx.com` with your internal registry for your NGINX Plus image, and replace `nginx-plus-registry-secret` with your Secret name containing the registry credentials. If your NGINX Plus JWT Secret has a different name than the default `nplus-license`, then define that name using the `nginx.usage.secretName` flag. {{< /note >}}
-
-To install the latest stable release of NGINX Gateway Fabric in the **nginx-gateway** namespace, run the following command:
-
-```shell
-helm install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric  --set nginx.image.repository=private-registry.nginx.com/nginx-gateway-fabric/nginx-plus --set nginx.plus=true --set nginx.imagePullSecret=nginx-plus-registry-secret -n nginx-gateway
-```
-
-{{% /tab %}}
-
-{{</tabs>}}
-
-`ngf` is the name of the release, and can be changed to any name you want. This name is added as a prefix to the Deployment name.
-
-If you want the latest version from the **main** branch, add `--version 0.0.0-edge` to your install command.
-
-To wait for the Deployment to be ready, you can either add the `--wait` flag to the `helm install` command, or run the following after installing:
-
-```shell
-kubectl wait --timeout=5m -n nginx-gateway deployment/ngf-nginx-gateway-fabric --for=condition=Available
-```
+{{< include "/ngf/installation/install-oci-registry.md" >}}
 
 ### Install from sources {#install-from-sources}
 
diff --git a/content/nginx-one/connect-instances/create-manage-data-plane-keys.md b/content/nginx-one/connect-instances/create-manage-data-plane-keys.md
@@ -24,7 +24,12 @@ Data plane keys are displayed only once and cannot be retrieved later. Be sure t
 
 Data plane keys expire after one year. You can change this expiration date later by editing the key.
 
-Revoking a data plane key disconnects all instances that were registered with that key.
+You can disconnect all instances associated with a data plane key in the following ways:
+
+- Revoke the data plane key
+- Let the data plane key expire
+
+Either action disconnects all instances registered with that key.
 {{</call-out>}}
 
 ## Create a new data plane key
diff --git a/content/nginx-one/k8s/add-ngf.md b/content/nginx-one/k8s/add-ngf.md
@@ -0,0 +1,147 @@
+---
+title: Connect NGINX Gateway Fabric
+toc: true
+weight: 300
+nd-content-type: how-to
+nd-product: NGINX One
+---
+
+This document explains how to connect F5 NGINX Gateway Fabric to F5 NGINX One Console using NGINX Agent.
+Connecting NGINX Gateway Fabric to NGINX One Console enables centralized monitoring of all controller instances.
+
+Once connected, you'll see a **read-only** configuration of NGINX Gateway Fabric. For each instance, you can review:
+
+- Read-only configuration file
+- Unmanaged SSL/TLS certificates for Control Planes
+
+## Before you begin
+
+Log in to NGINX One Console. If you need more information, review our [Get started guide]({{< ref "/nginx-one/getting-started.md#before-you-begin" >}}).
+
+You also need:
+
+- Administrator access to a Kubernetes cluster.
+- [Helm](https://helm.sh) and [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) must be installed locally.
+
+
+### Create a data plane key
+
+Data plane keys are displayed only once, when you create that key, and cannot be retrieved later.
+
+If you've created and recorded one or more data plane keys, you can edit or revoke those keys. To do so, select **Manage > Data Plane Keys**. NGINX One Console does not store your actual data plane key.
+
+If you've forgotten your data plane key, you can create a new one. Select **Manage > Data Plane Keys > Add Data Plane Key**.
+
+For more options associated with data plane keys, see [Create and manage data plane keys]({{ ref "/nginx-one/connect-instances/create-manage-data-plane-keys" >}}).
+
+### Create a Kubernetes secret with the data plane key
+<!-- Maybe this is wrong. I'm assuming that we need to follow this step from the current version of https://docs.nginx.com/nginx-one/k8s/add-nic/#before-you-begin -->
+To create a Kubernetes secret with the data play key, use the following command:
+
+   ```shell
+   kubectl create secret generic dataplane-key \
+     --from-literal=dataplane.key=<Your Dataplane Key> \
+     -n <namespace>
+   ```
+
+### Install cert-manager
+
+Add the Helm repository:
+
+```shell
+helm repo add jetstack https://charts.jetstack.io
+helm repo update
+```
+
+Install cert-manager:
+
+```shell
+helm install \
+  cert-manager jetstack/cert-manager \
+  --namespace cert-manager \
+  --create-namespace \
+  --set config.apiVersion="controller.config.cert-manager.io/v1alpha1" \
+  --set config.kind="ControllerConfiguration" \
+  --set config.enableGatewayAPI=true \
+  --set crds.enabled=true
+```
+
+This also enables Gateway API features for cert-manager, which can be useful for [securing your workload traffic]({{< ref "/ngf/traffic-security/integrate-cert-manager.md" >}}).
+
+## Install the Gateway API resources
+<!-- Corresponds to step 2 in the UX -->
+{{< include "/ngf/installation/install-gateway-api-resources.md" >}}
+
+## Install from the OCI registry
+<!-- Corresponds to step 3 in the UX -->
+{{< include "/ngf/installation/install-oci-registry.md" >}}
+
+### Install from sources {#install-from-sources}
+<!-- Corresponds to step 4 in the UX -->
+If you prefer to install directly from sources, instead of through the OCI helm registry, use the following steps.
+
+{{< include "/ngf/installation/helm/pulling-the-chart.md" >}}
+
+{{<tabs name="install-helm-src">}}
+
+{{%tab name="NGINX"%}}
+
+To install the chart into the **nginx-gateway** namespace, run the following command:
+
+```shell
+helm install ngf . --create-namespace -n nginx-gateway
+```
+
+{{% /tab %}}
+
+{{%tab name="NGINX Plus"%}}
+
+{{< note >}} If applicable, replace the F5 Container registry `private-registry.nginx.com` with your internal registry for your NGINX Plus image, and replace `nginx-plus-registry-secret` with your Secret name containing the registry credentials. If your NGINX Plus JWT Secret has a different name than the default `nplus-license`, then define that name using the `nginx.usage.secretName` flag. {{< /note >}}
+
+To install the chart into the **nginx-gateway** namespace, run the following command:
+
+```shell
+helm install ngf . --set nginx.image.repository=private-registry.nginx.com/nginx-gateway-fabric/nginx-plus --set nginx.plus=true --set nginx.imagePullSecret=nginx-plus-registry-secret -n nginx-gateway
+```
+
+{{% /tab %}}
+
+{{</tabs>}}
+
+`ngf` is the name of the release, and can be changed to any name you want. This name is added as a prefix to the Deployment name.
+
+To wait for the Deployment to be ready, you can either add the `--wait` flag to the `helm install` command, or run the following after installing:
+
+```shell
+kubectl wait --timeout=5m -n nginx-gateway deployment/ngf-nginx-gateway-fabric --for=condition=Available
+```
+
+## Verify a connection to NGINX One Console
+
+After deploying NGINX Gateway Fabric with NGINX Agent, you can verify the connection to NGINX One Console.
+Log in to your F5 Distributed Cloud Console account. Select **NGINX One > Visit Service**. In the dashboard, go to **Manage > Instances**. You should see your instances listed by name. The instance name matches both the hostname and the pod name.
+
+## Troubleshooting
+
+If you encounter issues connecting your instances to NGINX One Console, try the following commands:
+
+Check the NGINX Agent version:
+
+```shell
+kubectl exec -it -n <namespace> <nginx_ingress_pod_name> -- nginx-agent -v
+```
+  
+If nginx-agent version is v3, continue with the following steps.
+Otherwise, make sure you are using an image that does not include NGINX App Protect. 
+
+Check the NGINX Agent configuration:
+
+```shell
+kubectl exec -it -n <namespace> <nginx_pod_name> -- cat /etc/nginx-agent/nginx-agent.conf
+```
+
+Check NGINX Agent logs:
+
+```shell
+kubectl exec -it -n <namespace> <nginx_pod_name> -- nginx-agent
+```
diff --git a/content/nginx-one/k8s/add-nic.md b/content/nginx-one/k8s/add-nic.md
@@ -1,12 +1,12 @@
 ---
-title: Connect to NGINX One Console
+title: Connect NGINX Ingress Controller
 toc: true
 weight: 200
 nd-content-type: how-to
 nd-product: NGINX One
 ---
 
-This document explains how to connect F5 NGINX Ingress Controller <!-- and F5 NGINX Gateway Fabric -->to F5 NGINX One Console using NGINX Agent.
+This document explains how to connect F5 NGINX Ingress Controller to F5 NGINX One Console using NGINX Agent.
 Connecting NGINX Ingress Controller to NGINX One Console enables centralized monitoring of all controller instances.
 
 Once connected, you'll see a **read-only** configuration of NGINX Ingress Controller. For each instance, you can review:
@@ -16,6 +16,10 @@ Once connected, you'll see a **read-only** configuration of NGINX Ingress Contro
 
 ## Before you begin
 
+If you do not already have a [data plane key]({{< ref "/nginx-one/connect-instances/create-manage-data-plane-keys.md" >}}), you can create one. Pay attention to the expiration date of that key. Any instance that's connected to a data plane key that's expired or revoked will stop working.
+
+You can create a data plane key through the NGINX One Console. Once loggged in, select **Manage > Control Planes > Add Control Plane**, and follow the steps shown.
+
 Before connecting NGINX Ingress Controller to NGINX One Console, you need to create a Kubernetes Secret with the data plane key. Use the following command:
 
 ```shell
@@ -28,10 +32,6 @@ When you create a Kubernetes Secret, use the same namespace where NGINX Ingress
 If you use [`-watch-namespace`]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#watch-namespace-string" >}}) or [`watch-secret-namespace`]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#watch-secret-namespace-string" >}}) arguments with NGINX Ingress Controller, 
 you need to add the dataplane key secret to the watched namespaces. This secret will take approximately 60 - 90 seconds to reload on the pod.
 
-{{<note>}}
-You can also create a data plane key through the NGINX One Console. Once loggged in, select **Manage > Control Planes > Add Control Plane**, and follow the steps shown.
-{{</note>}}
-
 ## Deploy NGINX Ingress Controller with NGINX Agent
 
 {{<tabs name="deploy-config-resource">}}
