# Use Manifests to install NGINX Gateway Fabric (experimental) with NGINX Plus Type of document: How-to guide Product: NGINX Gateway Fabric --- This page describes how to use Manifests to install NGINX Gateway Fabric (experimental) with NGINX Plus. It explains how to install the Gateway API resources and add authentication certificates, then deploy NGINX Gateway Fabric and its custom resource definitions. Using experimental NGINX Gateway Fabric versions allows to test API resources from upcoming releases as outlined by the [Milestone Roadmap](https://github.com/orgs/nginx/projects/10/views/5). By following these instructions, you will finish with a functional NGINX Gateway Fabric instance for your Kubernetes cluster. **Note:** To learn which Gateway API resources NGINX Gateway Fabric currently supports, view the [Gateway API Compatibility](/ngf/overview/gateway-api-compatibility.md) topic. ## Before you begin To complete this guide, you will need the following pre-requisites: - An active NGINX Plus subscription (Purchased or trial) - [A supported Kubernetes version](/ngf/overview/technical-specifications.md) - A functional Kubernetes cluster ## Download your JSON web token 1. Log in to [MyF5](https://my.f5.com/manage/s/). 2. Go to **My Products & Plans > Subscriptions** to see your active subscriptions. 3. Find your NGINX products or services subscription, and select the **Subscription ID** for details. 4. Download the **JSON Web Token (JWT)** from the subscription page. **Note:** The Connectivity Stack for Kubernetes JWT does not work with NGINX Plus reporting. A regular NGINX Plus instance JWT must be used. ## Create license and registry secrets First, create the _nginx-gateway_ namespace, which is used by the Manifest files by default: ```shell kubectl create namespace nginx-gateway ``` **Note:** The commands in the rest of this document should be run in the same directory as your **license.jwt** file. JWTs are sensitive information and should be stored securely. Delete them after use to prevent unauthorized access. Once you have obtained your license JWT, create a Kubernetes secret using `kubectl create`: ```shell kubectl create -n nginx-gateway secret generic nplus-license --from-file license.jwt ``` Then create another Kubernetes secret to allow interactions with the F5 registry: ```shell kubectl create -n nginx-gateway secret docker-registry nginx-plus-registry-secret \ --docker-server=private-registry.nginx.com \ --docker-username=$(cat license.jwt) \ --docker-password=none ``` You can verify the creation of the secrets using `kubectl get`: ```shell kubectl get -n nginx-gateway secrets ``` #### Example output ```text NAME TYPE DATA AGE nginx-plus-registry-secret kubernetes.io/dockerconfigjson 1 8s nplus-license Opaque 1 21s ``` ## Install the Gateway API resources **Note:** If you have already installed Gateway API resources in your cluster, ensure they are a version [supported by NGINX Gateway Fabric](/ngf/overview/technical-specifications.md) To install API resources from the experimental channel, use `kubectl kustomize`: ```shell kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/experimental?ref=v" | kubectl apply --server-side -f - ``` #### Example output ```text customresourcedefinition.apiextensions.k8s.io/backendtlspolicies.gateway.networking.k8s.io serverside-applied customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io serverside-applied customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io serverside-applied customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io serverside-applied customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io serverside-applied customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io serverside-applied customresourcedefinition.apiextensions.k8s.io/tcproutes.gateway.networking.k8s.io serverside-applied customresourcedefinition.apiextensions.k8s.io/tlsroutes.gateway.networking.k8s.io serverside-applied customresourcedefinition.apiextensions.k8s.io/udproutes.gateway.networking.k8s.io serverside-applied customresourcedefinition.apiextensions.k8s.io/xbackendtrafficpolicies.gateway.networking.x-k8s.io serverside-applied customresourcedefinition.apiextensions.k8s.io/xlistenersets.gateway.networking.x-k8s.io serverside-applied ``` ## Install cert-manager Install cert-manager onto the cluster using Helm with Gateway API features enabled. - Add the Helm repository. ```shell helm repo add jetstack https://charts.jetstack.io helm repo update ``` - Install cert-manager, and enable the GatewayAPI feature gate: ```shell helm install \ cert-manager jetstack/cert-manager \ --namespace cert-manager \ --create-namespace \ --set config.apiVersion="controller.config.cert-manager.io/v1alpha1" \ --set config.kind="ControllerConfiguration" \ --set config.enableGatewayAPI=true \ --set crds.enabled=true ``` ## Add certificates for secure authentication **Note:** These steps use a self-signed issuer, which should not be used in production environments. For production environments, you should use a real [CA issuer](https://cert-manager.io/docs/configuration/ca/). First, create a CA (certificate authority) issuer: ```yaml kubectl apply -f - <= v1.18.0, the default value changed from `Never` to `Always`. certificate.cert-manager.io/nginx-gateway-ca created issuer.cert-manager.io/nginx-gateway-issuer created ``` You will then need to create a server certificate for the NGINX Gateway Fabric control plane (server): **Note:** The default service name is _nginx-gateway_, and the namespace is _nginx-gateway_, so the `dnsNames` value should be `nginx-gateway.nginx-gateway.svc`. This value becomes the name of the NGINX Gateway Fabric control plane service. ```yaml {hl_lines=[13]} kubectl apply -f - <