Get the NGINX Plus image using JWT
Overview
This document describes how to use a JWT token to get an NGINX Plus image for NGINX Gateway Fabric from the F5 Docker registry.
Follow the steps in this document to pull the NGINX Plus image for NGINX Gateway Fabric from the F5 Docker registry into your Kubernetes cluster using your JWT token. To list available image tags using the Docker registry API, you will also need to download its certificate and key from MyF5.
Important:
An NGINX Plus subscription will not work with these instructions. For NGINX Gateway Fabric, you must have an Connectivity Stack for Kubernetes subscription.
Before you begin
You will need the following items from MyF5 for these instructions:
- A JWT Access Token for NGINX Gateway Fabric from an active Connectivity Stack for Kubernetes subscription (Per instance).
- The certificate (nginx-repo.crt) and key (nginx-repo.key) for each NGINX Gateway Fabric instance.
Get the Credentials
- Log into the MyF5 Portal, navigate to your subscription details, and download the required certificate, key and JWT files.
Using the JWT token in a Docker Config Secret
-
Create a Kubernetes
docker-registry
secret type on the cluster, using the contents of the JWT token as the username andnone
for password (as the password is not used). The name of the docker server isprivate-registry.nginx.com
.kubectl create secret docker-registry nginx-plus-registry-secret --docker-server=private-registry.nginx.com --docker-username=<JWT Token> --docker-password=none [-n nginx-gateway]
It is important that the
--docker-username=<JWT Token>
contains the contents of the token and is not pointing to the token itself. When you copy the contents of the JWT token, ensure there are no additional characters such as extra whitespaces. This can invalidate the token, causing 401 errors when trying to authenticate to the registry. -
Inspect and verify the details of the created secret by running:
kubectl get secret nginx-plus-registry-secret --output=yaml
Note:
For security, follow these practices with JSON Web Tokens (JWTs), passwords, and shell history:
JWTs: JWTs are sensitive information. Store them securely. Delete them after use to prevent unauthorized access.
Shell history: Commands that include JWTs or passwords are recorded in the history of your shell, in plain text. Clear your shell history after running such commands. For example, if you use bash, you can delete commands in your
~/.bash_history
file. Alternatively, you can run thehistory -c
command to erase your shell history.Follow these practices to help ensure the security of your system and data.
Install NGINX Gateway Fabric
Please refer to Installing NGINX Gateway Fabric
Pulling an image for local use
To pull an image for local use, use this command:
docker login private-registry.nginx.com --username=<output_of_jwt_token> --password=none
Replace the contents of <output_of_jwt_token>
with the contents of the JWT token itself.
Once you have successfully pulled the image, you can tag it as needed, then push it to a different container registry.
Alternative installation options
There are alternative ways to get an NGINX Plus image for NGINX Gateway Fabric:
- Build the Gateway Fabric image describes how to use the source code with an NGINX Plus subscription certificate and key to build an image.