Deploy using Helm
You can deploy F5 NGINX Instance Manager on Kubernetes using Helm. This method is quick, scalable, and supports both standard and lightweight modes.
Starting with version 2.20.0, NGINX Instance Manager supports lightweight mode, which skips ClickHouse and disables metrics collection, ideal for simpler setups or resource-limited environments.
- Lightweight mode requires NGINX Agent v2.41.1 or later.
Starting with version 2.20.0, the Helm chart was renamed from nginx-stable/nms-hybrid to nginx-stable/nim. Chart versioning was also reset; v2.0.0 is the first release under the new name. Be sure to update your chart references if you’re using version 2.20.0 or later.
To deploy NGINX Instance Manager using a Helm chart, you need:
Requirements | Notes |
---|---|
Docker 20.10 or later (linux/amd64) | Docker documentation |
Kubernetes 1.21.3 or later (linux/amd64) | Ensure your client can access the Kubernetes API server. Helm uses the default storage class for persistent volume provisioning. |
kubectl 1.21.3 or later | kubectl documentation |
Helm 3.10.0 or later | Helm installation guide |
OpenSSL 1.1.1 or later | OpenSSL source |
tar 1.20 or later | The tar tool is usually installed by default. Check with tar --version. |
values.yaml file with nmsClickhouse.mode | Optional. Defaults to internal. Set to external or disabled to use an external ClickHouse instance or enable lightweight mode. In external mode, set nim.externalClickhouse.address to your ClickHouse host. |
NGINX subscription JWT | Required to authenticate with private-registry.nginx.com to pull the image. Download your JWT from MyF5 under My Products & Plans > Subscriptions. |
You can use your NGINX JWT as a Docker configuration secret with Helm charts.
Create a Docker registry secret on the cluster, using the JWT token as the username and none as the password. The Docker server is private-registry.nginx.com.
Make sure there are no extra characters or spaces when copying the JWT token. They can invalidate the token and cause 401 errors during authentication.
Kubernetes:
kubectl create namespace nim
kubectl create secret docker-registry regcred \
  --docker-server=private-registry.nginx.com \
  --docker-username=<NGINX JWT Token> \
  --docker-password=none \
  -n nim
OpenShift:
oc new-project nim && \
oc create secret docker-registry regcred \
  --docker-server=private-registry.nginx.com \
  --docker-username=<NGINX JWT Token> \
  --docker-password=none \
  -n nim
You might see a warning that --password is insecure. In this case, it’s safe to ignore, because none is used as a placeholder. As a best practice, you can delete the JWT token and clear your shell history after deployment if others have access to the system.
To view the secret:
- Kubernetes:
  kubectl get secret regcred --output=yaml -n nim
- OpenShift:
  oc get secret regcred --output=yaml -n nim
You can now use this secret for Helm deployments and point the chart to the private registry.
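The following added example is not part of the NGINX documentation. It checks a JWT file for the stray spaces or characters that cause the 401 errors described above, then creates regcred from the file so the token is not typed or pasted into the command itself. The function names jwt_is_clean and create_regcred and the file name nginx-repo.jwt are assumptions.

```shell
#!/bin/sh
# Added example (not from the NGINX docs). Function names and the JWT file
# path are assumptions; secret name, server and namespace are the page's.

# jwt_is_clean FILE
# Succeeds only if FILE holds three non-empty base64url segments joined by
# dots and nothing else. $(cat) drops trailing newlines, so a normal final
# newline is accepted, while spaces, tabs and CR (Windows line endings) fail.
jwt_is_clean() {
  _jwt=$(cat -- "$1") || return 2
  case $_jwt in
    *[!A-Za-z0-9_.-]*) return 1 ;;   # byte outside base64url alphabet and '.'
    *.*.*.*)           return 1 ;;   # more than three segments
    .*|*.|*..*)        return 1 ;;   # an empty segment
    *.*.*)             return 0 ;;   # exactly three non-empty segments
    *)                 return 1 ;;   # fewer than three segments, or empty file
  esac
}

# create_regcred FILE [NAMESPACE]
# Creates the regcred pull secret with the file's content as the username.
# The token stays out of shell history; it is still passed to kubectl as an
# argument, so it is visible in the process list while the command runs.
create_regcred() {
  _ns=${2:-nim}
  if ! jwt_is_clean "$1"; then
    echo "refusing to create regcred: $1 is not a clean JWT" >&2
    return 1
  fi
  kubectl create secret docker-registry regcred \
    --docker-server=private-registry.nginx.com \
    --docker-username="$(cat -- "$1")" \
    --docker-password=none \
    -n "$_ns"
}

# Usage: create_regcred ./nginx-repo.jwt nim
```

The get secret commands shown earlier print the same token base64-encoded in the secret's data, so treat their output as sensitive too.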
Run the following commands to add the official NGINX Helm repository and update your local chart list.
helm repo add nginx-stable https://helm.nginx.com/stable
helm repo update
Create a file named values.yaml using the following example. This file customizes your NGINX Instance Manager deployment with Helm.
The values file lets you:
- Set the deployment mode
- Provide registry credentials
- Specify image sources for each NIM service
Set nmsClickhouse.mode to control ClickHouse deployment:
Mode | Description |
---|---|
internal | Deploys ClickHouse in the cluster (default). |
external | Connects to an external ClickHouse instance and requires nim.externalClickhouse.address. |
disabled | Disables ClickHouse and enables lightweight mode (no metrics). |
See the Helm chart configuration settings guide for a complete list of chart parameters.
nmsClickhouse:
  mode: internal # options: internal, external, disabled
# when mode is external, uncomment and set this:
# externalClickhouse:
#   address: <clickhouse-host>:<port>
imagePullSecrets:
  - name: regcred
apigw:
  image:
    repository: private-registry.nginx.com/nms/apigw
    tag: <version>
core:
  image:
    repository: private-registry.nginx.com/nms/core
    tag: <version>
dpm:
  image:
    repository: private-registry.nginx.com/nms/dpm
    tag: <version>
ingestion:
  image:
    repository: private-registry.nginx.com/nms/ingestion
    tag: <version>
integrations:
  image:
    repository: private-registry.nginx.com/nms/integrations
    tag: <version>
secmon:
  image:
    repository: private-registry.nginx.com/nms/secmon
    tag: <version>
utility:
  image:
    repository: private-registry.nginx.com/nms/utility
    tag: <version>
These values are required when pulling images from the NGINX private registry. The chart doesn’t auto-resolve image tags. Set each tag: value to match the NGINX Instance Manager version you want to install. Refer to the Helm chart table for version details.
Use the file with the -f values.yaml flag when installing the chart.
OpenShift support was added in NGINX Instance Manager 2.19. To enable it, add the setting openshift.enabled: true to your values.yaml file. For more details, see Appendix: OpenShift security constraints.
Install NGINX Instance Manager using Helm. The adminPasswordHash sets the default admin password.
helm install nim nginx-stable/nim \
-n nim \
--create-namespace \
--set adminPasswordHash=$(openssl passwd -6 '<your-password>') \
-f <your-values.yaml> \
--version <chart-version> \
--wait
- Replace <your-password> with your preferred admin password.
- Replace <your-values.yaml> with the path to your customized values.yaml file.
- Replace <chart-version> with the version you want to install (for example, 2.0.0).
Note: You can set the ClickHouse mode at install time instead of editing values.yaml:
For lightweight mode (no ClickHouse):
--set nmsClickhouse.mode=disabled
For external ClickHouse:
--set nmsClickhouse.mode=external \
--set nim.externalClickhouse.address=<clickhouse-host>:<port>
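An added example, not part of the NGINX documentation: it hashes the admin password from a hidden prompt instead of a quoted literal, so the clear-text password stays out of shell history, and it checks that the result has the SHA-512 crypt shape that openssl passwd -6 prints before the value is handed to Helm. The function names is_sha512_crypt and hash_admin_password are assumptions.

```shell
#!/bin/sh
# Added example (not from the NGINX docs); function names are assumptions.

# is_sha512_crypt STRING
# Succeeds if STRING has the shape $6$<salt>$<digest>: a salt of 1-16 and a
# digest of 86 characters, all from the crypt alphabet ./0-9A-Za-z.
is_sha512_crypt() {
  case $1 in
    '$6$'*'$'*) ;;
    *) return 1 ;;
  esac
  _rest=${1#'$6$'}
  _salt=${_rest%%'$'*}      # text before the next '$'
  _digest=${_rest#*'$'}     # text after it
  case $_salt$_digest in
    *[!./0-9A-Za-z]*) return 1 ;;
  esac
  [ "${#_salt}" -ge 1 ] && [ "${#_salt}" -le 16 ] && [ "${#_digest}" -eq 86 ]
}

# hash_admin_password
# Prompts with terminal echo off, sends the password to openssl on stdin
# (so it is neither in shell history nor in openssl's arguments), and prints
# the hash only if it passes is_sha512_crypt.
hash_admin_password() {
  printf 'Admin password: ' >&2
  [ -t 0 ] && stty -echo
  IFS= read -r _pw
  [ -t 0 ] && stty echo
  printf '\n' >&2
  _hash=$(printf '%s\n' "$_pw" | openssl passwd -6 -stdin) || return 1
  unset _pw
  is_sha512_crypt "$_hash" || return 1
  printf '%s\n' "$_hash"
}

# Usage (placeholders as in the install command above):
#   hash=$(hash_admin_password) &&
#   helm install nim nginx-stable/nim -n nim --create-namespace \
#     --set adminPasswordHash="$hash" -f <your-values.yaml> \
#     --version <chart-version> --wait
```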
Validate the deployment
After installation, run the following command to confirm the deployment was successful:
helm status nim -n nim
You should see STATUS: deployed in the output.
To find the right NGINX Instance Manager chart version, see the following table:
Chart version | Chart | Instance Manager version |
---|---|---|
2.0.0 | nginx-stable/nim | 2.20.0 |
2.19.2 | nginx-stable/nms-hybrid | 2.19.2 |
2.19.1 | nginx-stable/nms-hybrid | 2.19.1 |
2.19.0 | nginx-stable/nms-hybrid | 2.19.0 |
1.15.0 | nginx-stable/nms | 2.18.0 |
1.14.4 | nginx-stable/nms | 2.17.4 |
1.14.0 | nginx-stable/nms | 2.17.0 |
1.13.0 | nginx-stable/nms | 2.16.0 |
1.12.1 | nginx-stable/nms | 2.15.1 |
1.12.0 | nginx-stable/nms | 2.15.0 |
1.11.0 | nginx-stable/nms | 2.14.0 |
1.10.1 | nginx-stable/nms | 2.13.1 |
1.10.0 | nginx-stable/nms | 2.13.1 |
1.9.0 | nginx-stable/nms | 2.13.0 |
You can access the NGINX Instance Manager web interface using the external IP address for the API Gateway.
- To look up the external IP address for the API Gateway, run the following command:
  kubectl -n nim get svc apigw
  This kubectl command shows details for the apigw service in the nim namespace. You’ll see the service type, port, cluster IP, and external IP addresses.
  The default service type is ClusterIP and the output looks similar to the following example:
  NAME    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
  apigw   ClusterIP   10.108.57.167   <none>        443/TCP   32s
- Using the CLUSTER-IP value, go to https://<CLUSTER-IP>:443/ui. For example, https://10.108.57.167/ui.
  This IP address might not be reachable, depending on how the Kubernetes cluster networking was configured. If so, the apigw service type can be changed to a more suitable option, such as LoadBalancer, by changing the Configurable Helm Setting value for apigw.service.type.
A valid license is required to use all NGINX Instance Manager features.
For instructions on downloading and applying a license, see Add a License.
To upgrade your deployment:
- Update the Helm repository list.
- Review and adjust your values.yaml file as needed.
- Run the following command to upgrade the deployment. This command uses the current chart version from the nginx-stable/nim repository and applies the configuration from your values.yaml file.
helm upgrade nim nginx-stable/nim \
-n nim \
--set adminPasswordHash=$(openssl passwd -6 '<your-password>') \
-f <path-to-your-values.yaml> \
--version <chart-version> \
--wait
- Replace <your-password> with your preferred admin password.
- Replace <path-to-your-values.yaml> with the path to your customized values.yaml file.
- Replace <chart-version> with the version you want to install (for example, 2.0.0).
Save the password! Only the encrypted version of the admin password is stored in Kubernetes. If you lose it, it can’t be recovered or reset. Make sure to save the password in a secure place.
If you’re upgrading from a deployment that used the legacy nms chart or release name, you’ll need to update the chart reference and adjust the release name as needed. The latest chart is now called nginx-stable/nim, and nim is the recommended release name.
To uninstall NGINX Instance Manager, run:
helm uninstall <release-name> -n <namespace>
This command removes the deployment and all Kubernetes resources managed by the Helm chart.
For example, if you used the default release and namespace names:
helm uninstall nim -n nim
If you plan to use network policies, make sure your Kubernetes cluster has a supported network plugin installed before you install the Helm chart.
By default, the Helm chart creates a set of network policies for NGINX Instance Manager in the deployment namespace.
To view them:
- Kubernetes:
  kubectl get netpol -n <namespace>
- OpenShift:
  oc get netpol -n <namespace>
The number and names of network policies vary depending on the deployment mode (standard vs. lightweight). For example, in standard mode, you might see output like this:
NAME POD-SELECTOR AGE
apigw app.kubernetes.io/name=apigw 2m
core app.kubernetes.io/name=core 2m
dpm app.kubernetes.io/name=dpm 2m
ingestion app.kubernetes.io/name=ingestion 2m
secmon app.kubernetes.io/name=secmon 2m
If you’re using lightweight mode, your output may include fewer entries.
To disable network policies, add the following to your values.yaml file:
networkPolicies:
  enabled: false
The values.yaml file customizes the Helm chart installation without changing the chart itself. You can use it to set image repositories, environment variables, resource requests, and other options.
- Create a values.yaml file like this example:
  - In the imagePullSecrets section, add your private Docker registry credentials.
  - Set the tag: field to the version of NGINX Instance Manager you want to install. You can find supported versions in the Helm chart table.
  For details on creating a secret, see the Kubernetes Pull an Image from a Private Registry guide.
imagePullSecrets:
  - name: regcred
apigw:
  image:
    repository: private-registry.nginx.com/nms/apigw
    tag: <version>
core:
  image:
    repository: private-registry.nginx.com/nms/core
    tag: <version>
dpm:
  image:
    repository: private-registry.nginx.com/nms/dpm
    tag: <version>
ingestion:
  image:
    repository: private-registry.nginx.com/nms/ingestion
    tag: <version>
integrations:
  image:
    repository: private-registry.nginx.com/nms/integrations
    tag: <version>
secmon:
  image:
    repository: private-registry.nginx.com/nms/secmon
    tag: <version>
utility:
  image:
    repository: private-registry.nginx.com/nms/utility
    tag: <version>
- Save and close the values.yaml file.
Run the helm install command to deploy NGINX Instance Manager:
- Replace <path-to-your-values.yaml> with the path to your values.yaml file.
- Replace <your-password> with a secure password (containing a mix of uppercase, lowercase letters, numbers, and special characters).
  Remember to save the password for future use. Only the encrypted password is stored, and there’s no way to recover or reset it if lost.
helm install -n nms-hybrid \
--set adminPasswordHash=$(openssl passwd -6 '<your-password>') \
nms nginx-stable/nms-hybrid \
--create-namespace \
-f <path-to-your-values.yaml> \
--version <chart-version> \
--wait
To upgrade:
- Adjust your values.yaml file if needed.
- To upgrade the NGINX Instance Manager deployment, run the following command. This command updates the nms deployment with a new version from the nginx-stable/nms-hybrid repository. It also hashes the provided password and uses the values.yaml file at the path you specify.
- Replace <chart-version> with the desired chart version of NGINX Instance Manager 2.19.x, referring to the Helm chart table.
helm upgrade -n nms \
--set nms-hybrid.adminPasswordHash=$(openssl passwd -6 '<your-password>') \
nms nginx-stable/nms-hybrid \
-f <path-to-your-values.yaml> \
--version <chart-version> \
--wait
- Replace <path-to-your-values.yaml> with the path to the values.yaml file you created.
- Replace <your-password> with a secure password that includes uppercase and lowercase letters, numbers, and special characters.
  Save the password! Save this password for future use. Only the encrypted password is stored in Kubernetes, and you can’t recover or reset it later.
- If you’re upgrading from version 2.18.0 or earlier to 2.19.x, note the following changes:
  - If you used the legacy nms chart or release name, update the chart reference and adjust the release name if needed.
  - The structure of the values.yaml file has changed in this release.
The values.yaml file customizes the Helm chart installation without modifying the chart itself. You can use it to specify image repositories, environment variables, resource requests, and other settings.
- Create a values.yaml file similar to this example:
  - In the imagePullSecrets section, add the credentials for your private Docker registry.
  - Change the version tag to the version of NGINX Instance Manager you would like to install. See "Install the chart" below for versions.
  For details on creating a secret, see Kubernetes Pull an Image from a Private Registry.
nms-hybrid:
  imagePullSecrets:
    - name: regcred
  apigw:
    image:
      repository: private-registry.nginx.com/nms/apigw
      tag: <version>
  core:
    image:
      repository: private-registry.nginx.com/nms/core
      tag: <version>
  dpm:
    image:
      repository: private-registry.nginx.com/nms/dpm
      tag: <version>
  ingestion:
    image:
      repository: private-registry.nginx.com/nms/ingestion
      tag: <version>
  integrations:
    image:
      repository: private-registry.nginx.com/nms/integrations
      tag: <version>
  utility:
    image:
      repository: private-registry.nginx.com/nms/utility
      tag: <version>
- Save and close the values.yaml file.
Run the helm install command to deploy NGINX Instance Manager:
- Replace <path-to-your-values.yaml> with the path to your values.yaml file.
- Replace YourPassword123# with a secure password (containing a mix of uppercase, lowercase letters, numbers, and special characters).
  Remember to save the password for future use. Only the encrypted password is stored, and there’s no way to recover or reset it if lost.
- (Optional) Replace <chart-version> with the desired chart version. If omitted, the latest version will be installed.
helm install -n nms \
--set nms-hybrid.adminPasswordHash=$(openssl passwd -6 'YourPassword123#') \
nms nginx-stable/nms \
--create-namespace \
-f <path-to-your-values.yaml> \
--version <chart-version> \
--wait
To upgrade:
- Adjust your values.yaml file if needed.
- To upgrade the NGINX Instance Manager deployment, run the following command. This command updates the nms deployment with a new version from the nginx-stable/nms repository. It also hashes the provided password and uses the values.yaml file at the path you specify.
- Replace <chart-version> with the desired chart version 1.15.0 or lower. If omitted, it will lead to an unsuccessful deployment as it will try to upgrade to the latest version 1.16.0 or later.
helm upgrade -n nms \
--set nms-hybrid.adminPasswordHash=$(openssl passwd -6 'YourPassword123#') \
nms nginx-stable/nms \
-f <path-to-your-values.yaml> \
--version <chart-version> \
--wait
- Replace <path-to-your-values.yaml> with the path to the values.yaml file you created.
- Replace YourPassword123# with a secure password that includes uppercase and lowercase letters, numbers, and special characters.
  Save the password! Save this password for future use. Only the encrypted password is stored in Kubernetes, and you can’t recover or reset it later.
For instructions on creating a support package to share with NGINX Customer Support, see Create a Support Package from a Helm Installation.
OpenShift restricts containers from running as root by default. To support NGINX Instance Manager, the Helm chart creates a custom Security Context Constraint (SCC) when you set:
openshift:
  enabled: true
This ensures pods can run with the user IDs required by NGINX Instance Manager services.
When openshift.enabled: true is set in the values.yaml file, the NGINX Instance Manager deployment automatically creates a custom Security Context Constraints (SCC) object and links it to the Service Account used by all pods.
By default, OpenShift enforces strict security policies that require containers to run as non-root users. The deployment needs specific user IDs (UIDs) for certain services: 1000 for nms, and 101 for nginx and clickhouse. Since the default SCCs don’t allow these UIDs, the deployment creates a custom SCC. This SCC sets the runAsUser field to allow the necessary UIDs while still complying with OpenShift’s security standards.
This deployment has been tested with OpenShift v4.13.0 Server.
If you see permission errors during deployment, your account might not have access to manage SCCs. Ask a cluster administrator for access.
To verify that the SCC was created after installing the Helm chart, run:
oc get scc nms-restricted-v2-scc --output=yaml