NGINX Plus R33 requires NGINX Instance Manager 2.18 or later

If your NGINX data plane instances are running NGINX Plus R33 or later, you must upgrade to NGINX Instance Manager 2.18 or later to support usage reporting. NGINX Plus R33 instances must report usage data to the F5 licensing endpoint or NGINX Instance Manager. Otherwise, they will stop processing traffic.

For more details about usage reporting and enforcement, see About solution licenses

Configurable Helm settings

This reference guide lists the configurable Helm chart parameters and default settings for F5 NGINX Instance Manager.

NGINX Instance Manager Helm chart settings

legacy chart name

In version 2.20.0, we renamed the Helm chart from nms-hybrid to nim when we moved it to its own repository. For versions 2.19.0 and earlier, use nms-hybrid instead of nim in each parameter name.

To update an existing release, run helm upgrade with the -f <MY_VALUES_FILE> flag, where <MY_VALUES_FILE> is the path to your values file.

Parameter	Description	Default
`nim.adminPasswordHash`	The hashed value of the password for the admin user. To generate a hash using OpenSSL, run `openssl passwd -1 "YourPassword123#"`	N/A
`nim.nmsClickhouse.mode`	Controls ClickHouse deployment: - `internal` (default, in-cluster) - `external` (requires `nim.externalClickhouse.address`) - `disabled` (lightweight mode). Available in the `nim` chart 2.20.0 and later.	`internal`
`nms-hybrid.nmsClickhouse.enabled`	(legacy, available in `nms-hybrid` chart 2.19.0 and earlier) Enable ClickHouse when using the legacy chart.	`true`
`nim.nmsClickhouse.fullnameOverride`	Modify the name of ClickHouse resources.	`clickhouse`
`nim.nmsClickhouse.image.repository`	Repository path for the public ClickHouse image.	`clickhouse/clickhouse-server`
`nim.nmsClickhouse.image.tag`	Tag used for pulling ClickHouse images from the registry.	`21.3.20.1-alpine`
`nim.nmsClickhouse.image.pullPolicy`	Image pull policy.	`IfNotPresent`
`nim.nmsClickhouse.user`	Username for the ClickHouse server.	N/A
`nim.nmsClickhouse.password`	Password for the ClickHouse server.	N/A
`nim.nmsClickhouse.service.name`	ClickHouse service name.	`clickhouse`
`nim.nmsClickhouse.service.rpcPort`	ClickHouse service port.	`9000`
`nim.nmsClickhouse.resources.requests.cpu`	Minimum required CPU to run the ClickHouse server.	`500m`
`nim.nmsClickhouse.resources.requests.memory`	Minimum required memory to run the ClickHouse server.	`1Gi`
`nim.nmsClickhouse.persistence.enabled`	Use a PVC to persist ClickHouse data.	`true`
`nim.nmsClickhouse.persistence.existingClaim`	Name of an existing PVC to use for ClickHouse persistence.	N/A
`nim.nmsClickhouse.persistence.storageClass`	Storage class for creating a ClickHouse PVC.
`nim.nmsClickhouse.persistence.volumeName`	Name to use for a ClickHouse PVC volume.
`nim.nmsClickhouse.persistence.accessMode`	PVC access mode for ClickHouse.	`ReadWriteOnce`
`nim.nmsClickhouse.persistence.size`	PVC size for ClickHouse.	`1G`
`nim.nmsClickhouse.tolerations`	List of Kubernetes tolerations if any.	See Kubernetes taints and tolerations
`nim.externalClickhouse.address`	Address of the external ClickHouse service.
`nim.externalClickhouse.user`	User for the external ClickHouse service.
`nim.externalClickhouse.password`	Password for the external ClickHouse service.
`nim.serviceAccount.annotations`	Set custom annotations for the service account used by NGINX Instance Manager.	`{}`
`nim.apigw.name`	Name for API Gateway resources.	`apigw`
`nim.apigw.tlsSecret`	Name of a `kubernetes.io/tls` Secret containing `tls.crt` and `tls.key` for the API Gateway’s external HTTPS endpoint. Leave empty to use the chart’s self-signed certificate. See Use external TLS certificates.
`nim.apigw.serverName`	The NGINX `server_name` value for the API Gateway. Accepts a single domain or space-separated list. Defaults to `_` (catch-all) when empty. See Use external TLS certificates.
`nim.apigw.tlsReload.enabled`	When `true`, a watcher monitors the mounted certificate volume and sends `SIGHUP` to NGINX when the certificate rotates. See Use external TLS certificates.	`false`
`nim.externalCerts.ca.enabled`	When `true`, the chart doesn’t generate the CA Secret. You must create it before installation. See Use external TLS certificates.	`false`
`nim.externalCerts.ca.secretName`	Overrides the default CA Secret name. Default: `nms-ca`.
`nim.externalCerts.core.enabled`	When `true`, the chart doesn’t generate the `core` mTLS Secret.	`false`
`nim.externalCerts.core.secretName`	Overrides the default `core` Secret name. Default: `nms-core-certs`.
`nim.externalCerts.dpm.enabled`	When `true`, the chart doesn’t generate the `dpm` mTLS Secret.	`false`
`nim.externalCerts.dpm.secretName`	Overrides the default `dpm` Secret name. Default: `nms-dpm-certs`.
`nim.externalCerts.ingestion.enabled`	When `true`, the chart doesn’t generate the `ingestion` mTLS Secret.	`false`
`nim.externalCerts.ingestion.secretName`	Overrides the default `ingestion` Secret name. Default: `nms-ingestion-certs`.
`nim.externalCerts.integrations.enabled`	When `true`, the chart doesn’t generate the `integrations` mTLS Secret.	`false`
`nim.externalCerts.integrations.secretName`	Overrides the default `integrations` Secret name. Default: `nms-integrations-certs`.
`nim.externalCerts.secmon.enabled`	When `true`, the chart doesn’t generate the `secmon` mTLS Secret.	`false`
`nim.externalCerts.secmon.secretName`	Overrides the default `secmon` Secret name. Default: `nms-secmon-certs`.
`nim.externalCerts.apigw.enabled`	When `true`, the chart doesn’t generate the `apigw` client mTLS Secret.	`false`
`nim.externalCerts.apigw.secretName`	Overrides the default `apigw` client Secret name. Default: `nms-apigw-client-certs`.
`nim.apigw.image.repository`	Repository path for the `apigw` image.	`apigw`
`nim.apigw.image.tag`	Tag used for pulling `apigw` images.	`latest`
`nim.apigw.image.pullPolicy`	Image pull policy.	`IfNotPresent`
`nim.apigw.container.port.https`	Container HTTPS port.	`443`
`nim.apigw.service.name`	Service name.	`apigw`
`nim.apigw.service.type`	Service type (`ClusterIp`, `LoadBalancer`, `NodePort`).	`ClusterIp`
`nim.apigw.service.httpsPort`	Service HTTPS port.	`443`
`nim.apigw.resources.requests.cpu`	Minimum required CPU to run `apigw`.	`250m`
`nim.apigw.resources.requests.memory`	Minimum required memory to run `apigw`.	`256Mi`
`nim.apigw.tolerations`	List of Kubernetes tolerations if any.	See Kubernetes taints and tolerations
`nim.core.name`	Name for core resources.	`core`
`nim.core.image.repository`	Repository path for the `core` image.	`core`
`nim.core.image.tag`	Tag used for pulling `core` images.	`latest`
`nim.core.image.pullPolicy`	Image pull policy.	`IfNotPresent`
`nim.core.container.port.http`	Container HTTP port.	`8033`
`nim.core.container.port.db`	Container database port.	`7891`
`nim.core.container.port.grpc`	Container gRPC port.	`8038`
`nim.core.service.httpPort`	Service HTTP port.	`8033`
`nim.core.service.grpcPort`	Service gRPC port.	`8038`
`nim.core.resources.requests.cpu`	Minimum required CPU to run `core`.	`500m`
`nim.core.resources.requests.memory`	Minimum required memory to run `core`.	`512Mi`
`nim.core.persistence.enabled`	Enable persistence for `core`.	`true`
`nim.core.persistence.claims`	Array of PVCs for Dqlite and secrets. Modify to use an existing PVC.	See Dqlite storage and Secrets storage
`nim.core.persistence.storageClass`	Storage class for creating a `core` PVC.
`nim.core.persistence.volumeName`	Name for a `core` PVC volume.
`nim.core.tolerations`	List of Kubernetes tolerations if any.	See Kubernetes taints and tolerations
`nim.dpm.name`	Name for `dpm` resources.	`dpm`
`nim.dpm.image.repository`	Repository path for the `dpm` image.	`dpm`
`nim.dpm.image.tag`	Tag used for pulling `dpm` images.	`latest`
`nim.dpm.image.pullPolicy`	Image pull policy.	`IfNotPresent`
`nim.dpm.container.port.http`	Container HTTP port.	`8034`
`nim.dpm.container.port.nats`	Container NATS port.	`9100`
`nim.dpm.container.port.db`	Container database port.	`7890`
`nim.dpm.container.port.grpc`	Container gRPC port.	`8036`

NGINX Instance Manager dqlite storage configuration

yaml- name: dqlite
  existingClaim:
  size: 500Mi
  accessMode: ReadWriteOnce

NGINX Instance Manager secrets storage configuration

yaml  - name: secrets
    existingClaim:
    size: 128Mi
    accessMode: ReadWriteOnce

NGINX Instance Manager NATS storage configuration

yaml  - name: nats-streaming
    existingClaim:
    size: 1Gi
    accessMode: ReadWriteOnce

Kubernetes taints and tolerations

This example shows how to set the API Gateway pod to wait 60 seconds when Kubernetes applies the NoExecute taint (which marks a node as unschedulable) before it removes the pod.

yamltolerations:
  - key: "node.kubernetes.io/unreachable"
    operator: "Exists"
    effect: "NoExecute"
    tolerationSeconds: 60
  - key: "node.kubernetes.io/network-unavailable"
    operator: "Exists"
    effect: "NoExecute"
    tolerationSeconds: 60

For more information, refer to the official Kubernetes Taints and Tolerations documentation.

View source

Edit this page

Create a new issue