feat: Add docs to install Nginx Gateway Fabric with N+ (nginxinc#1524)

* feat: add docs for NGINX plus installation with NGF
lucacome · Feb 14, 2024 · 9ad1bda · 9ad1bda
1 parent 25ea723
commit 9ad1bda
Show file tree

Hide file tree

Showing 15 changed files with 550 additions and 13 deletions.
diff --git a/Makefile b/Makefile
@@ -81,14 +81,18 @@ generate-crds: ## Generate CRDs and Go types using kubebuilder
 	go run sigs.k8s.io/controller-tools/cmd/controller-gen object paths=./apis/...
 
 .PHONY: generate-manifests
-generate-manifests: ## Generate manifests using Helm.
+generate-manifests: generate-manifests-plus ## Generate manifests using Helm.
 	cp $(CHART_DIR)/crds/* $(MANIFEST_DIR)/crds/
 	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) -n nginx-gateway | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/nginx-gateway.yaml
 	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set metrics.enable=false -n nginx-gateway -s templates/deployment.yaml > conformance/provisioner/static-deployment.yaml
 	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/loadbalancer.yaml
 	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set service.annotations.'service\.beta\.kubernetes\.io\/aws-load-balancer-type'="nlb" -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/loadbalancer-aws-nlb.yaml
 	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set service.type=NodePort --set service.externalTrafficPolicy="" -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/nodeport.yaml
 
+.PHONY: generate-manifests-plus
+generate-manifests-plus: ## Generate manifests using Helm for NGINX Plus.
+	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) --set nginx.plus=true --set nginx.image.repository=$(NGINX_PLUS_PREFIX) -n nginx-gateway | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/nginx-plus-gateway.yaml
+
 .PHONY: crds-release-file
 crds-release-file: ## Generate combined crds file for releases
 	scripts/combine-crds.sh

diff --git a/README.md b/README.md
@@ -18,7 +18,7 @@ Learn about our [design principles](/docs/developer/design-principles.md) and [a
 
 1. [Quick Start on a kind cluster](https://docs.nginx.com/nginx-gateway-fabric/installation/running-on-kind/).
 2. [Install](https://docs.nginx.com/nginx-gateway-fabric/installation/) NGINX Gateway Fabric.
-3. [Build](https://docs.nginx.com/nginx-gateway-fabric/installation/building-the-images/) an NGINX Gateway Fabric container image from source or use a pre-built image
+3. [Build](https://docs.nginx.com/nginx-gateway-fabric/installation/ngf-images/building-the-images/) an NGINX Gateway Fabric container image from source or use a pre-built image
    available
    on [GitHub Container Registry](https://github.com/nginxinc/nginx-gateway-fabric/pkgs/container/nginx-gateway-fabric).
 4. Deploy various [examples](examples).

diff --git a/deploy/helm-chart/templates/rbac.yaml b/deploy/helm-chart/templates/rbac.yaml
@@ -7,6 +7,17 @@ metadata:
   {{- include "nginx-gateway.labels" . | nindent 4 }}
   annotations:
     {{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
+  {{- if or .Values.serviceAccount.imagePullSecret .Values.serviceAccount.imagePullSecrets }}
+  imagePullSecrets:
+    {{- if .Values.serviceAccount.imagePullSecret }}
+    - name: {{ .Values.serviceAccount.imagePullSecret}}
+    {{- end }}
+    {{- if .Values.serviceAccount.imagePullSecrets }}
+    {{- range .Values.serviceAccount.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+    {{- end }}
+  {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

diff --git a/deploy/helm-chart/values.yaml b/deploy/helm-chart/values.yaml
@@ -85,6 +85,14 @@ serviceAccount:
   ## Autogenerated if not set or set to "".
   # name: nginx-gateway
 
+  ## The name of the secret containing docker registry credentials.
+  ## Secret must exist in the same namespace as the helm release.
+  imagePullSecret: ""
+
+  ## A list of secret names containing docker registry credentials.
+  ## Secrets must exist in the same namespace as the helm release.
+  imagePullSecrets: []
+
 service:
   ## Creates a service to expose the NGINX Gateway Fabric pods.
   create: true

diff --git a/deploy/manifests/nginx-plus-gateway.yaml b/deploy/manifests/nginx-plus-gateway.yaml
@@ -0,0 +1,288 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nginx-gateway
+---
+# Source: nginx-gateway-fabric/templates/rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nginx-gateway
+  namespace: nginx-gateway
+  labels:
+    app.kubernetes.io/name: nginx-gateway
+    app.kubernetes.io/instance: nginx-gateway
+    app.kubernetes.io/version: "edge"
+  annotations:
+    {}
+---
+# Source: nginx-gateway-fabric/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: nginx-gateway
+  labels:
+    app.kubernetes.io/name: nginx-gateway
+    app.kubernetes.io/instance: nginx-gateway
+    app.kubernetes.io/version: "edge"
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  - services
+  - secrets
+  verbs:
+  - list
+  - watch
+# FIXME(bjee19): make nodes, pods, replicasets permission dependent on telemetry being enabled.
+# https://github.com/nginxinc/nginx-gateway-fabric/issues/1317.
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  verbs:
+  - get
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - gatewayclasses
+  - gateways
+  - httproutes
+  - referencegrants
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - httproutes/status
+  - gateways/status
+  - gatewayclasses/status
+  verbs:
+  - update
+- apiGroups:
+  - gateway.nginx.org
+  resources:
+  - nginxgateways
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - gateway.nginx.org
+  resources:
+  - nginxgateways/status
+  verbs:
+  - update
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - list
+  - watch
+---
+# Source: nginx-gateway-fabric/templates/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: nginx-gateway
+  labels:
+    app.kubernetes.io/name: nginx-gateway
+    app.kubernetes.io/instance: nginx-gateway
+    app.kubernetes.io/version: "edge"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: nginx-gateway
+subjects:
+- kind: ServiceAccount
+  name: nginx-gateway
+  namespace: nginx-gateway
+---
+# Source: nginx-gateway-fabric/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-gateway
+  namespace: nginx-gateway
+  labels:
+    app.kubernetes.io/name: nginx-gateway
+    app.kubernetes.io/instance: nginx-gateway
+    app.kubernetes.io/version: "edge"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: nginx-gateway
+      app.kubernetes.io/instance: nginx-gateway
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: nginx-gateway
+        app.kubernetes.io/instance: nginx-gateway
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9113"
+    spec:
+      containers:
+      - args:
+        - static-mode
+        - --gateway-ctlr-name=gateway.nginx.org/nginx-gateway-controller
+        - --gatewayclass=nginx
+        - --config=nginx-gateway-config
+        - --service=nginx-gateway
+        - --nginx-plus
+        - --metrics-port=9113
+        - --health-port=8081
+        - --leader-election-lock-name=nginx-gateway-leader-election
+        env:
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        image: ghcr.io/nginxinc/nginx-gateway-fabric:edge
+        imagePullPolicy: Always
+        name: nginx-gateway
+        ports:
+        - name: metrics
+          containerPort: 9113
+        - name: health
+          containerPort: 8081
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: health
+          initialDelaySeconds: 3
+          periodSeconds: 1
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - KILL
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsUser: 102
+          runAsGroup: 1001
+        volumeMounts:
+        - name: nginx-conf
+          mountPath: /etc/nginx/conf.d
+        - name: nginx-secrets
+          mountPath: /etc/nginx/secrets
+        - name: nginx-run
+          mountPath: /var/run/nginx
+      - image: nginx-gateway-fabric/nginx-plus:edge
+        imagePullPolicy: Always
+        name: nginx
+        ports:
+        - containerPort: 80
+          name: http
+        - containerPort: 443
+          name: https
+        securityContext:
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsUser: 101
+          runAsGroup: 1001
+        volumeMounts:
+        - name: nginx-conf
+          mountPath: /etc/nginx/conf.d
+        - name: nginx-secrets
+          mountPath: /etc/nginx/secrets
+        - name: nginx-run
+          mountPath: /var/run/nginx
+        - name: nginx-cache
+          mountPath: /var/cache/nginx
+        - name: nginx-lib
+          mountPath: /var/lib/nginx
+      terminationGracePeriodSeconds: 30
+      serviceAccountName: nginx-gateway
+      shareProcessNamespace: true
+      securityContext:
+        fsGroup: 1001
+        runAsNonRoot: true
+      volumes:
+      - name: nginx-conf
+        emptyDir: {}
+      - name: nginx-secrets
+        emptyDir: {}
+      - name: nginx-run
+        emptyDir: {}
+      - name: nginx-cache
+        emptyDir: {}
+      - name: nginx-lib
+        emptyDir: {}
+---
+# Source: nginx-gateway-fabric/templates/gatewayclass.yaml
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: nginx
+  labels:
+    app.kubernetes.io/name: nginx-gateway
+    app.kubernetes.io/instance: nginx-gateway
+    app.kubernetes.io/version: "edge"
+spec:
+  controllerName: gateway.nginx.org/nginx-gateway-controller
+---
+# Source: nginx-gateway-fabric/templates/nginxgateway.yaml
+apiVersion: gateway.nginx.org/v1alpha1
+kind: NginxGateway
+metadata:
+  name: nginx-gateway-config
+  namespace: nginx-gateway
+  labels:
+    app.kubernetes.io/name: nginx-gateway
+    app.kubernetes.io/instance: nginx-gateway
+    app.kubernetes.io/version: "edge"
+spec:
+  logging:
+    level: info
diff --git a/site/content/installation/installing-ngf/_index.md b/site/content/installation/installing-ngf/_index.md
@@ -1,7 +1,7 @@
 ---
 title: "Installing NGINX Gateway Fabric"
 description:
-weight: 200
+weight: 100
 linkTitle: "Installing NGINX Gateway Fabric"
 menu:
   docs: