nginx · ADubhlaoich · Sep 30, 2025 · Oct 23, 2025 · Nov 3, 2025 · Nov 7, 2025
@@ -0,0 +1,29 @@
+---
+nd-product: MISCEL
+---
+
+If your deployment used NGINX Plus, you should also remove the secrets created for your license and the F5 registry.
+
+```shell
+kubectl delete secret nplus-license
+```
+
+{{< details summary="Example output" >}}
+
+```text
+secret "nplus-license" deleted
+```
+
+{{< /details >}}
+
+```shell
+kubectl delete secret regcred
+```
+
+{{< details summary="Example output" >}}
+
+```text
+secret "regcred" deleted
+```
+
+{{< /details >}}
@@ -0,0 +1,25 @@
+---
+---
+
+{{< call-out "important" >}}
+
+You can view the [Milestone Roadmap](https://github.com/orgs/nginx/projects/10/views/5) in the NGINX Gateway Fabric GitHub project to see what API resources will be supported in upcoming releases.
+
+{{< /call-out >}}
+
+{{< table >}}
+
+| Resource                              | Core Support Level  | Extended Support Level | Implementation-Specific Support Level | API Version | API Release Channel |
+|---------------------------------------|---------------------|------------------------|---------------------------------------|-------------|---------------------|
+| [GatewayClass]({{< ref "/ngf/overview/gateway-api-compatibility.md#gatewayclass" >}})         | Supported           | Not supported          | Supported                             | v1          | Standard            |
+| [Gateway]({{< ref "/ngf/overview/gateway-api-compatibility.md#gateway" >}})                   | Supported           | Partially supported    | Not supported                         | v1          | Standard            |
+| [HTTPRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#httproute" >}})               | Supported           | Partially supported    | Not supported                         | v1          | Standard            |
+| [GRPCRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#grpcroute" >}})               | Supported           | Partially supported    | Not supported                         | v1          | Standard            |
+| [ReferenceGrant]({{< ref "/ngf/overview/gateway-api-compatibility.md#referencegrant" >}})     | Supported           | N/A                    | Not supported                         | v1beta1     | Standard            |
+| [TLSRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#tlsroute" >}})                 | Supported           | Not supported          | Not supported                         | v1alpha2    | Experimental        |
+| [TCPRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#tcproute" >}})                 | Not supported       | Not supported          | Not supported                         | v1alpha2    | Experimental        |
+| [UDPRoute]({{< ref "/ngf/overview/gateway-api-compatibility.md#udproute" >}})                 | Not supported       | Not supported          | Not supported                         | v1alpha2    | Experimental        |
+| [BackendTLSPolicy]({{< ref "/ngf/overview/gateway-api-compatibility.md#backendtlspolicy" >}}) | Partially Supported | Supported              | Partially supported                   | v1alpha3    | Experimental        |
+| [Custom policies]({{< ref "/ngf/overview/gateway-api-compatibility.md#custom-policies" >}})   | N/A                 | N/A                    | Supported                             | N/A         | N/A                 |
+
+{{< /table >}}
@@ -7,4 +7,6 @@ nd-files:
 - content/ngf/install/manifests.md
 ---
 
-The Service that is provisioned when NGINX Gateway Fabric is first installed is a ClusterIP Service used only for internal communication between the control plane and data planes. To deploy NGINX itself and get a LoadBalancer Service, you now need to [create a Gateway]({{< ref "/ngf/install/deploy-data-plane.md" >}}).
+When NGINX Gateway Fabric is installed, it provisions a ClusterIP Service used only for internal communication between the control plane and data planes. 
+
+To deploy NGINX itself and get a LoadBalancer Service, you should follow the [Deploy a Gateway for data plane instances]({{< ref "/ngf/install/deploy-data-plane.md" >}}) instructions.
@@ -0,0 +1,22 @@
+---
+---
+
+{{< call-out "note" >}} If you have already installed Gateway API resources in your cluster, ensure they are a version [supported by NGINX Gateway Fabric]({{< ref "/ngf/overview/technical-specifications.md" >}}) {{< /call-out >}}
+
+To install the Gateway API resources, use `kubectl kustomize`:
+
+```shell
+kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/standard?ref=v{{< version-ngf >}}" | kubectl apply -f -
+```
+
+{{< details summary="Example output" >}}
+
+```text
+customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io created
+customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io created
+customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io created
+customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io created
+customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io created
+```
+
+{{< /details >}}
@@ -0,0 +1,21 @@
+---
+---
+
+Deploy the NGINX Gateway Fabric CRDs using `kubectl apply`:
+
+```shell
+kubectl apply --server-side -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v{{< version-ngf >}}/deploy/crds.yaml
+```
+
+{{< details summary="Example output" >}}
+
+```text
+customresourcedefinition.apiextensions.k8s.io/clientsettingspolicies.gateway.nginx.org serverside-applied
+customresourcedefinition.apiextensions.k8s.io/nginxgateways.gateway.nginx.org serverside-applied
+customresourcedefinition.apiextensions.k8s.io/nginxproxies.gateway.nginx.org serverside-applied
+customresourcedefinition.apiextensions.k8s.io/observabilitypolicies.gateway.nginx.org serverside-applied
+customresourcedefinition.apiextensions.k8s.io/snippetsfilters.gateway.nginx.org serverside-applied
+customresourcedefinition.apiextensions.k8s.io/upstreamsettingspolicies.gateway.nginx.org serverside-applied
+```
+
+{{< /details >}}
@@ -0,0 +1,127 @@
+---
+---
+
+{{< call-out "note" >}} These steps use a self-signed issuer, which should not be used in production environments. For production environments, you should use a real [CA issuer](https://cert-manager.io/docs/configuration/ca/). {{< /call-out >}}
+
+First, create a CA (certificate authority) issuer:
+
+```yaml
+kubectl apply -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: nginx-gateway
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nginx-gateway-ca
+  namespace: nginx-gateway
+spec:
+  isCA: true
+  commonName: nginx-gateway
+  secretName: nginx-gateway-ca
+  privateKey:
+    algorithm: RSA
+    size: 2048
+  issuerRef:
+    name: selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: nginx-gateway-issuer
+  namespace: nginx-gateway
+spec:
+  ca:
+    secretName: nginx-gateway-ca
+EOF
+```
+
+{{< details summary="Example output" >}}
+
+```text
+issuer.cert-manager.io/selfsigned-issuer created
+Warning: spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`.
+certificate.cert-manager.io/nginx-gateway-ca created
+issuer.cert-manager.io/nginx-gateway-issuer created
+```
+
+{{< /details >}}
+
+You will then need to create a server certificate for the NGINX Gateway Fabric control plane (server):
+
+{{< call-out "note" >}}
+
+The default service name is _nginx-gateway_, and the namespace is _nginx-gateway_, so the `dnsNames` value should be `nginx-gateway.nginx-gateway.svc`.
+
+This value becomes the name of the NGINX Gateway Fabric control plane service.
+
+{{< /call-out >}}
+
+```yaml {hl_lines=[13]}
+kubectl apply -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nginx-gateway
+  namespace: nginx-gateway
+spec:
+  secretName: server-tls
+  usages:
+  - digital signature
+  - key encipherment
+  dnsNames:
+  - ngf-nginx-gateway-fabric.nginx-gateway.svc
+  issuerRef:
+    name: nginx-gateway-issuer
+EOF
+```
+
+Since the TLS Secrets are mounted into each pod that uses them, the NGINX agent (client) Secret is duplicated by the NGINX Gateway Fabric control plane into whichever namespace NGINX is deployed into.
+
+All updates to the source Secret are propagated to the duplicate Secrets. 
+
+Add the certificate for the NGINX agent (client):
+
+```yaml
+kubectl apply -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nginx
+  namespace: nginx-gateway
+spec:
+  secretName: agent-tls
+  usages:
+  - "digital signature"
+  - "key encipherment"
+  dnsNames:
+  - "*.cluster.local"
+  issuerRef:
+    name: nginx-gateway-issuer
+EOF
+```
+
+`agent-tls` is the default name: if you use a different name, provide it when installing NGINX Gateway Fabric with the `agent-tls-secret` argument.
+
+You should see the Secrets created in the `nginx-gateway` namespace:
+
+```shell
+kubectl -n nginx-gateway get secrets
+```
+
+{{< details summary="Example output" >}}
+
+```text
+agent-tls          kubernetes.io/tls   3      3s
+nginx-gateway-ca   kubernetes.io/tls   3      15s
+server-tls         kubernetes.io/tls   3      8s
+```
+
+{{< /details >}}
@@ -0,0 +1,15 @@
+---
+---
+
+To confirm that NGINX Gateway Fabric is running, check the pods in the `nginx-gateway` namespace:
+
+```shell
+kubectl get pods -n nginx-gateway
+```
+
+The output should look similar to this (The pod name will include a unique string):
+
+```text
+NAME                             READY   STATUS    RESTARTS   AGE
+nginx-gateway-694897c587-bbz62       1/1     Running     0          29s
+```
@@ -0,0 +1,6 @@
+---
+---
+
+- [Deploy a Gateway for data plane instances]({{< ref "/ngf/install/deploy-data-plane.md" >}})
+- [Routing traffic to applications]({{< ref "/ngf/traffic-management/basic-routing.md" >}})
+- [Secure traffic using Let's Encrypt]({{< ref "/ngf/traffic-security/integrate-cert-manager.md" >}})
@@ -20,4 +20,8 @@ Create a Kubernetes `docker-registry` secret type using the contents of the JWT
 kubectl create secret docker-registry nginx-plus-registry-secret --docker-server=private-registry.nginx.com --docker-username=<JWT Token> --docker-password=none -n nginx-gateway
 ```
 
-It is important that the `--docker-username=<JWT Token>` contains the contents of the token and is not pointing to the token itself. When you copy the contents of the JWT, ensure there are no additional characters such as extra whitespaces. This can invalidate the token, causing 401 errors when trying to authenticate to the registry.
+It is important that the `--docker-username=<JWT Token>` contains the contents of the token and is not pointing to the token itself. 
+
+When you copy the contents of the JWT, ensure there are no additional characters such as extra whitespaces. 
+
+This can invalidate the token, causing 401 errors when trying to authenticate to the registry.
@@ -6,15 +6,29 @@ nd-files:
 - content/ngf/install/manifests.md
 ---
 
-{{< call-out "warning" >}} This will remove all corresponding custom resources in your entire cluster, across all namespaces. Double-check to make sure you don't have any custom resources you need to keep, and confirm that there are no other Gateway API implementations active in your cluster. {{< /call-out >}}
+{{< call-out "warning" >}} This step will remove all corresponding custom resources in your entire cluster, across every namespace. 
+
+Ensure you don't have any custom resources you need to keep, and confirm that there are no other Gateway API implementations active in your cluster. {{< /call-out >}}
 
 To uninstall the Gateway API resources, run the following:
 
 ```shell
 kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/standard?ref=v{{< version-ngf >}}" | kubectl delete -f -
 ```
 
-Alternatively, if you installed the Gateway APIs from the experimental channel, run the following:
+{{< details summary="Example output" >}}
+
+```text
+customresourcedefinition.apiextensions.k8s.io "gatewayclasses.gateway.networking.k8s.io" deleted
+customresourcedefinition.apiextensions.k8s.io "gateways.gateway.networking.k8s.io" deleted
+customresourcedefinition.apiextensions.k8s.io "grpcroutes.gateway.networking.k8s.io" deleted
+customresourcedefinition.apiextensions.k8s.io "httproutes.gateway.networking.k8s.io" deleted
+customresourcedefinition.apiextensions.k8s.io "referencegrants.gateway.networking.k8s.io" deleted
+```
+
+{{< /details >}}
+
+If you installed the Gateway APIs from the experimental channel, run the following instead:
 
 ```shell
 kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/experimental?ref=v{{< version-ngf >}}" | kubectl delete -f -