feat: Finish Manifest deployment

Author: ADubhlaoich

content/includes/waf/install-update-configuration.md

@@ -122,10 +122,4 @@ server {
 Once you have updated your configuration files, you can reload NGINX to apply the changes. You have two options depending on your environment:
 
 - `nginx -s reload`
-- `sudo systemctl reload nginx`
-
-{{< call-out "note" >}}
-
-If you're using a V4 package, you have finished installing F5 WAF for NGINX and can look at [Post-installation checks](#post-installation-checks).
-
-{{< /call-out >}}
+- `sudo systemctl reload nginx`

content/waf/fundamentals/overview.md

@@ -25,15 +25,15 @@ For more details, see the [Supported security policy features]({{< ref "/waf/fun
 
 It is platform-agnostic and supports a range of deployment options for operational needs:
 
-1. [Virtual environment (Bare metal)]({{< ref "/waf/install/virtual-environment.md" >}})
+1. [Virtual machine or bare metal]({{< ref "/waf/install/virtual-environment.md" >}})
     - NGINX operates on the host system
     - WAF components are deployed in containers
     - Ideal for existing NGINX virtual environments
-1. [Docker]({{< ref "/waf/install/docker.md" >}})
-    - NGINX and WAF components are deployed as containers
-    - Suitable for environments with multiple deployment stages
 1. [Kubernetes]({{< ref "/waf/install/kubernetes.md" >}})
     - Integrates NGINX and WAF components in a single pod
     - Ideal for scalable, cloud-native environments
+1. [Docker]({{< ref "/waf/install/docker.md" >}})
+    - NGINX and WAF components are deployed as containers
+    - Suitable for environments with multiple deployment stages
 
 F5 WAF for NGINX is part of the [NGINX One](https://www.f5.com/products/nginx/one) premium packages and runs natively on [NGINX Plus](https://www.f5.com/products/nginx/nginx-plus) and [NGINX Ingress Controller](https://www.f5.com/products/nginx/nginx-ingress-controller). 

content/waf/install/docker.md

@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Docker"
 # Weights are assigned in increments of 100: determines sorting order
-weight: 200
+weight: 300
 # Creates a table of contents and sidebar, useful for large documents
 toc: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
@@ -739,6 +739,12 @@ docker ps
 
 {{< include "waf/install-update-configuration.md" >}}
 
+{{< call-out "note" >}}
+
+If you're using a V4 package, you have finished installing F5 WAF for NGINX and can look at [Post-installation checks](#post-installation-checks).
+
+{{< /call-out >}}
+
 ## Configure Docker services
 
 {{< include "waf/install-services-docker.md" >}}

content/waf/install/kubernetes.md

@@ -2,7 +2,7 @@
 # We use sentence case and present imperative tone
 title: "Kubernetes"
 # Weights are assigned in increments of 100: determines sorting order
-weight: 300
+weight: 200
 # Creates a table of contents and sidebar, useful for large documents
 toc: true
 # Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
@@ -284,6 +284,8 @@ kubectl create secret docker-registry regcred -n <namespace> \
     --docker-password=none
 ```
 
+The `<JWT Token>` argument should be the _contents_ of the file, not the file itself. Ensure there are no additional characters such as extra whitespace.
+
 Once you have updated `values.yaml`, you can install F5 WAF for NGINX using `helm install`:
 
 ```shell
@@ -310,10 +312,10 @@ This table lists the configurable parameters of the F5 WAF for NGINX Helm chart
 To understand the _mTLS Configuration_ options, view the [Secure traffic between NGINX and WAF enforcer]() topic.
 
 {{< table >}}
-| **Section** | **Key** | **Description** | **Default Value** |
+| **Topic** | **Parameter** | **Description** | **Default value** |
 |-------------|---------|-----------------|-------------------|
 | **Namespace** | _namespace_ | The target Kubernetes namespace where the Helm chart will be deployed. | N/A |
-| **App Protect Configuration** | _appprotect.replicas_ | The number of replicas of the Nginx App Protect deployment. | 1 |
+| **F5 WAF for NGINX Configuration** | _appprotect.replicas_ | The number of replicas for the F5 WAF for NGINX deployment. | 1 |
 | | _appprotect.readOnlyRootFilesystem_ | Specifies if the root filesystem is read-only. | false |
 | | _appprotect.annotations_ | Custom annotations for the deployment. | {} |
 | **NGINX Configuration** | _appprotect.nginx.image.repository_ | Docker image repository for NGINX. | \<your-private-registry>/nginx-app-protect-5 |
@@ -362,11 +364,233 @@ To understand the _mTLS Configuration_ options, view the [Secure traffic between
 
 ## Use Manifests to install F5 WAF for NGINX
 
+### Update configuration files
+
+{{< include "waf/install-update-configuration.md" >}}
+
+### Create a Secret
+
+Before you can start the Manifest deployment, you need a Kubernetes secret for the Docker registry.
+
+You can create the secret using `kubectl create`:
+
+```shell
+kubectl create secret docker-registry regcred --docker-server=private-registry.nginx.com --docker-username=<JWT Token> --docker-password=none
+```
+
+The `<JWT Token>` argument should be the _contents_ of the file, not the file itself. Ensure there are no additional characters such as extra whitespace.
+
+
+### Edit Manifest files
+
+The default configuration provided creates two replicas, each hosting NGINX and WAF services together in a single Kubernetes pod.
+
+Create all of these files in a single folder (Such as `/manifests`).
+
+In each file, replace `<your-private-registry>/waf:<your-tag>` with your actual image tag.
+
+
+{{< tabs name="manifest-files" >}}
+
+{{% tab name="waf-storage.yaml" %}}
+
+{{< call-out "note" >}}
+
+This configuration uses a _hostPath_ backed persistent volume claim.
+
+{{< /call-out >}}
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nap5-deployment
+spec:
+  selector:
+    matchLabels:
+      app: nap5
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: nap5
+    spec:
+      imagePullSecrets:
+        - name: regcred
+      containers:
+        - name: nginx
+          image: <your-private-registry>/waf:<your-tag>
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - name: app-protect-bd-config
+              mountPath: /opt/app_protect/bd_config
+            - name: app-protect-config
+              mountPath: /opt/app_protect/config
+        - name: waf-enforcer
+          image: private-registry.nginx.com/nap/waf-enforcer:<version-tag>
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: ENFORCER_PORT
+              value: "50000"
+          volumeMounts:
+            - name: app-protect-bd-config
+              mountPath: /opt/app_protect/bd_config
+        - name: waf-config-mgr
+          image: private-registry.nginx.com/nap/waf-config-mgr:<version-tag>
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - all
+          volumeMounts:
+            - name: app-protect-bd-config
+              mountPath: /opt/app_protect/bd_config
+            - name: app-protect-config
+              mountPath: /opt/app_protect/config
+            - name: app-protect-bundles
+              mountPath: /etc/app_protect/bundles
+      volumes:
+        - name: app-protect-bd-config
+          emptyDir: {}
+        - name: app-protect-config
+          emptyDir: {}
+        - name: app-protect-bundles
+          persistentVolumeClaim:
+            claimName: nap5-bundles-pvc
+```
+
+{{% /tab %}}
+
+{{% tab name="waf-deployment.yaml" %}}
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nap5-deployment
+spec:
+  selector:
+    matchLabels:
+      app: nap5
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: nap5
+    spec:
+      imagePullSecrets:
+        - name: regcred
+      containers:
+        - name: nginx
+          image: <your-private-registry>/waf:<your-tag>
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - name: app-protect-bd-config
+              mountPath: /opt/app_protect/bd_config
+            - name: app-protect-config
+              mountPath: /opt/app_protect/config
+        - name: waf-enforcer
+          image: private-registry.nginx.com/nap/waf-enforcer:<version-tag>
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: ENFORCER_PORT
+              value: "50000"
+          volumeMounts:
+            - name: app-protect-bd-config
+              mountPath: /opt/app_protect/bd_config
+        - name: waf-config-mgr
+          image: private-registry.nginx.com/nap/waf-config-mgr:<version-tag>
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - all
+          volumeMounts:
+            - name: app-protect-bd-config
+              mountPath: /opt/app_protect/bd_config
+            - name: app-protect-config
+              mountPath: /opt/app_protect/config
+            - name: app-protect-bundles
+              mountPath: /etc/app_protect/bundles
+      volumes:
+        - name: app-protect-bd-config
+          emptyDir: {}
+        - name: app-protect-config
+          emptyDir: {}
+        - name: app-protect-bundles
+          persistentVolumeClaim:
+            claimName: nap5-bundles-pvc
+```
+
+{{% /tab %}}
+
+{{% tab name="waf-service.yaml" %}}
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx
+spec:
+  selector:
+    app: nap5
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+  type: NodePort
+```
+
+{{% /tab %}}
+
+{{< /tabs >}}
+
+
+### Start the Manifest deployment
+
+From the folder containing the YAML files from the previous step (Suggested as `/manifests`), deploy F5 WAF for NGINX using `kubectl`:
+
+```shell
+kubectl apply -f manifests/
+```
+
+It will apply all the configuration defined in the files to your Kubernetes cluster.
+
+You can then check the status of the deployment with `kubectl get`:
+
+```shell
+kubectl get deployments
+kubectl get pods
+kubectl get services
+```
+
+You should see output similar to the following:
+
+```text
+deployment.apps/nap5-deployment created
+service/nginx created
+persistentvolume/nap5-bundles-pv created
+persistentvolumeclaim/nap5-bundles-pvc created
+```
+
+{{< call-out "note" >}}
+
+At this stage, you have finished deploying F5 WAF for NGINX and can look at [Post-installation checks](#post-installation-checks).
+
+{{< /call-out >}}
 
 ## Post-installation checks
 
 {{< include "waf/install-post-checks.md" >}}
 
+Or from an external host:
+
+```shell
+curl "<node-external-ip>:<node-port>/<script>"
+```
+
 ## Next steps
 
 {{< include "waf/install-next-steps.md" >}}

content/waf/install/virtual-environment.md

@@ -485,6 +485,12 @@ sudo dnf install app-protect
 
 {{< include "waf/install-update-configuration.md" >}}
 
+{{< call-out "note" >}}
+
+If you're using a V4 package, you have finished installing F5 WAF for NGINX and can look at [Post-installation checks](#post-installation-checks).
+
+{{< /call-out >}}
+
 ## Configure Docker services
 
 {{< include "waf/install-services-docker.md" >}}