# Connect NGINX Gateway Fabric with Manifests




This document explains how to connect F5 NGINX Gateway Fabric to F5 NGINX One Console with Manifests.
Connecting NGINX Gateway Fabric to NGINX One Console enables centralized monitoring of all controller instances.

Once connected, you'll see a **read-only** configuration of NGINX Gateway Fabric. For each instance, you can review:

- Read-only configuration file
- Unmanaged SSL/TLS certificates for Control Planes

## Before you begin

Log in to NGINX One Console. If you need more information, review our [Get started guide](/nginx-one-console/getting-started.md#before-you-begin).

To complete this guide, you'll need to install:

- [kubectl](https://kubernetes.io/docs/tasks/tools/), a command-line interface for managing Kubernetes clusters.
- [Add certificates for secure authentication](/ngf/install/secure-certificates.md) in a production environment.

**Note:**  If you’d like to use NGINX Plus, some additional setup is also required:

### Create a data plane key

A data plane key is a security token that ensures only trusted NGINX instances can register and communicate with NGINX One.

To generate a data plane key, select **Manage > Instances > Add Instance**:

- **For a new key:** In the **Add Instance** pane, select **Generate Data Plane Key**.
- **To reuse an existing key:** If you already have a data plane key and want to use it again, select **Use existing key**. Then, enter the key's value in the **Data Plane Key** box.

**Note:** 
Data plane keys are displayed only once and cannot be retrieved later. Be sure to copy and store this key securely.

Data plane keys expire after one year. You can change this expiration date later by [editing the key](/nginx-one-console/connect-instances/create-manage-data-plane-keys.md#change-expiration-date). If you [revoke a data plane key](/nginx-one-console/connect-instances/create-manage-data-plane-keys.md#revoke-data-plane-key) you disconnect all instances registered with that key.

For more options associated with data plane keys, see [Create and manage data plane keys](/nginx-one-console/connect-instances/create-manage-data-plane-keys.md).

### Create a Kubernetes secret with the data plane key

To create a Kubernetes secret, you'll need:

- The Data Plane Key
- The `nginx-gateway` namespace must exist. You can create it with the following command: `kubectl create namespace nginx-gateway`

   - Then create the secret with the following command. The key must be named `dataplane.key`:

   ```shell
   kubectl create secret generic dataplane-key \
     --from-literal=dataplane.key=<Your Dataplane Key> \
     -n nginx-gateway
   ```

## Install Gateway API resources
<!-- Corresponds to step 2 in the UX -->
**Note:**  The [Gateway API resources](https://github.com/kubernetes-sigs/gateway-api) from the standard channel must be installed before deploying NGINX Gateway Fabric. If they are already installed in your cluster, please ensure they are the correct version as supported by the NGINX Gateway Fabric - [see the Technical Specifications](https://github.com/nginx/nginx-gateway-fabric/blob/v/README.md#technical-specifications). 

To install the Gateway API resources, run the following:

```shell
kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/standard?ref=v" | kubectl apply -f -
```

**Note:**  If you plan to use the `edge` version of NGINX Gateway Fabric, you can replace the version in `ref` with `main`, for example `ref=main`. 

Alternatively, you can install the Gateway API resources from the experimental channel.
Installing Gateway API resources from the experimental channel includes everything in the standard release channel plus additional experimental resources and fields.
NGINX Gateway Fabric currently supports a subset of the additional features provided by the experimental channel.
To install from the experimental channel, run the following:

```shell
kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/experimental?ref=v" | kubectl apply -f -
```

**Note:**  To learn more about what Gateway API resources NGINX Gateway Fabric currently supports, visit our [Gateway API Compatibility](/ngf/overview/gateway-api-compatibility.md) document.

## Deploy NGINX Gateway Fabric CRDs
<!-- Corresponds to step 3 in the UX -->

#### Stable release

```shell
kubectl apply --server-side -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v/deploy/crds.yaml
```

#### Edge version

```shell
kubectl apply --server-side -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/main/deploy/crds.yaml
```

## Deploy NGINX Gateway Fabric

Specify the data plane key Secret name in the `--nginx-one-dataplane-key-secret` command-line argument of the nginx-gateway container.

**Note:**  By default, NGINX Gateway Fabric is installed in the **nginx-gateway** namespace. You can deploy in another namespace by modifying the manifest files. 

#### Default

Deploys NGINX Gateway Fabric with NGINX OSS.

```shell
kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v/deploy/default/deploy.yaml
```

#### AWS NLB

Deploys NGINX Gateway Fabric with NGINX OSS.

```shell
kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v/deploy/default/deploy.yaml
```

To set up an AWS Network Load Balancer service, add these annotations to your Gateway infrastructure field:

```yaml
spec:
  infrastructure:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "external"
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
```

#### Azure

Deploys NGINX Gateway Fabric with NGINX OSS and `nodeSelector` to deploy on Linux nodes.

```shell
kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v/deploy/azure/deploy.yaml
```

#### NGINX Plus

Deploys NGINX Gateway Fabric with NGINX Plus. The image is pulled from the
NGINX Plus Docker registry, and the `imagePullSecretName` is the name of the Secret to use to pull the image.
The NGINX Plus JWT Secret used to run NGINX Plus is also specified in a volume mount and the `--usage-report-secret` parameter. These Secrets are created as part of the [Before you begin](#before-you-begin) section.

```shell
kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v/deploy/nginx-plus/deploy.yaml
```

#### Experimental

Deploys NGINX Gateway Fabric with NGINX OSS and experimental features.

```shell
kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v/deploy/experimental/deploy.yaml
```

**Note:**  Requires the Gateway APIs installed from the experimental channel. 

#### NGINX Plus Experimental

Deploys NGINX Gateway Fabric with NGINX Plus and experimental features. The image is pulled from the
NGINX Plus Docker registry, and the `imagePullSecretName` is the name of the Secret to use to pull the image.
The NGINX Plus JWT Secret used to run NGINX Plus is also specified in a volume mount and the `--usage-report-secret` parameter. These Secrets are created as part of the [Before you begin](#before-you-begin) section.

```shell
kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v/deploy/nginx-plus-experimental/deploy.yaml
```

**Note:**  Requires the Gateway APIs installed from the experimental channel. 

#### NodePort

Deploys NGINX Gateway Fabric with NGINX OSS using a Service type of `NodePort`.

```shell
kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v/deploy/nodeport/deploy.yaml
```

#### OpenShift

Deploys NGINX Gateway Fabric with NGINX OSS on OpenShift.

```shell
kubectl apply -f https://raw.githubusercontent.com/nginx/nginx-gateway-fabric/v/deploy/openshift/deploy.yaml
```

### Provision an NGINX data plane

To deploy the NGINX data plane to connect to the NGINX One Console, follow this guide: [Deploy a Gateway for data plane instances](/ngf/install/deploy-data-plane.md).

## Deploy a Gateway

Now that the control plane is installed, you need to create a Gateway, which will provision NGINX and NGINX Agent. For example:

```yaml
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway
spec:
  gatewayClassName: nginx
  listeners:
  - name: http
    port: 80
    protocol: HTTP
EOF
```

An NGINX Deployment will be created in the `default` namespace (same namespace as the Gateway). Once `Running`, it should report to the NGINX One Console.

## Verify a connection to NGINX One Console

After deploying NGINX Gateway Fabric with NGINX Agent, you can verify the connection to NGINX One Console.
Log in to your F5 Distributed Cloud Console account. 

- Select **NGINX One > Visit Service**. 
- In the dashboard, select **Manage > Control Planes**.  You should see your Control Planes listed by name, product, and version. Each control plane is associated with one or more instances.
- Select the name of the Control Plane. In the **Instances** section, select the instance of your choice. You can review instance details, including the name of the **Control Plane**.

## Troubleshooting

If you encounter issues connecting your instances to NGINX One Console, try the following commands:

Check the NGINX Agent version:

```shell
kubectl exec -it -n <namespace> <nginx_pod_name> -- nginx-agent -v
```

Check the NGINX Agent configuration:

```shell
kubectl exec -it -n <namespace> <nginx_pod_name> -- cat /etc/nginx-agent/nginx-agent.conf
```

Check NGINX Agent logs:

```shell
kubectl exec -it -n <namespace> <nginx_pod_name> -- nginx-agent
```

## References

For more details, see:

- [Install NGINX Gateway Fabric with Manifests](/ngf/install/manifests.md)