Merge branch 'main' into nic/upgrade-instructions

Author: ADubhlaoich

content/includes/nap-waf/config/common/nginx-app-protect-waf-terminology.md

@@ -1,5 +1,8 @@
 ---
 nd-docs: "DOCS-1605"
+files:
+  - content/nap-waf/v5/configuration-guide/configuration.md
+  - content/nginx-one/glossary.md
 ---
 
 This guide assumes that you have some familiarity with various Layer 7 (L7) Hypertext Transfer Protocol (HTTP) concepts, such as Uniform Resource Identifier (URI)/Uniform Resource Locator (URL), method, header, cookie, status code, request, response, and parameters.
@@ -26,4 +29,4 @@ This guide assumes that you have some familiarity with various Layer 7 (L7) Hype
 |Tuning | Making manual changes to an existing security policy to reduce false positives and increase the policy’s security level. |
 |URI/URL | The Uniform Resource Identifier (URI) specifies the name of a web object in a request. A Uniform Resource Locator (URL) specifies the location of an object on the Internet. For example, in the web address, `http://www.siterequest.com/index.html`, index.html is the URI, and the URL is `http://www.siterequest.com/index.html`. In NGINX App Protect WAF, the terms URI and URL are used interchangeably. |
 |Violation | Violations occur when some aspect of a request or response does not comply with the security policy. You can configure the blocking settings for any violation in a security policy. When a violation occurs, the system can Alarm or Block a request (blocking is only available when the enforcement mode is set to Blocking). |
-{{</bootstrap-table>}}
+{{</bootstrap-table>}}

content/nginx-one/_index.md

@@ -19,6 +19,7 @@ F5 NGINX One Console makes it easy to manage NGINX instances across locations an
 [//]: # "You can add a maximum of three cards: any extra will not display."
 [//]: # "One card will take full width page: two will take half width each. Three will stack like an inverse pyramid."
 [//]: # "Some examples of content could be the latest release note, the most common install path, and a popular new feature."
+
 {{<card-layout>}}
   {{<card-section showAsCards="true" isFeaturedSection="true">}}
     {{<card title="Get started" titleUrl="/nginx-one/getting-started/" isFeatured="true" icon="unplug">}}
@@ -36,6 +37,12 @@ F5 NGINX One Console makes it easy to manage NGINX instances across locations an
     {{<card title="Manage your NGINX instances" titleUrl="/nginx-one/nginx-configs/" >}}
       Manage one instance or groups of instances. Monitor certificates. Set up metrics.
     {{</card>}}
+    {{<card title="Secure with NGINX App Protect" titleUrl="/nginx-one/nap-integration/" >}}
+      Manage one instance or groups of instances. Monitor certificates. Set up metrics.
+    {{</card>}}
+    {{<card title="Connect Kubernetes deployments" titleUrl="/nginx-one/k8s/">}}
+      Monitor deployments for CVEs and certificates
+    {{</ card >}}
     {{<card title="Organize users with RBAC" titleUrl="/nginx-one/rbac/" >}}
       Assign responsibilities with role-based access control 
     {{</card>}}
@@ -58,10 +65,23 @@ F5 NGINX One Console makes it easy to manage NGINX instances across locations an
   {{</card-section>}}
 {{</card-layout>}}
 
+### More information
+
+{{<card-layout>}}
+  {{<card-section showAsCards="true" >}}
+    {{<card title="Glossary" titleUrl="/nginx-one/glossary/" >}}
+      See latest updates: New features, improvements, and bug fixes
+    {{</card>}}
+    {{<card title="Changelog" titleUrl="/nginx-one/changelog/" icon="clock-alert">}}
+      See latest updates: New features, improvements, and bug fixes
+    {{</card>}}
+  {{</card-section>}}
+{{</card-layout>}}
+
 ## NGINX One components
 [//]: # "You can add any extra content for the page here, such as additional cards, diagrams or text."
 
-{{< card-layout >}}
+{{<card-layout>}}
   {{< card-section title="Kubernetes Solutions">}}
     {{< card title="NGINX Ingress Controller" titleUrl="/nginx-ingress-controller/" brandIcon="NGINX-Ingress-Controller-product-icon">}}
       Kubernetes traffic management with API gateway, identity, and observability features.

content/nginx-one/api/_index.md

@@ -1,6 +1,6 @@
 ---
 title: Automate with the NGINX One API
 description:
-weight: 700
+weight: 800
 url: /nginx-one/api
 ---

content/nginx-one/changelog.md

@@ -30,6 +30,24 @@ h2 {
 
 Stay up-to-date with what's new and improved in the F5 NGINX One Console.
 
+## July 15, 2025
+
+### Set up F5 NGINX App Protect WAF security policies
+
+You can now incorporate [NGINX App Protect WAF]({{< ref "/nap-waf/" >}}) in NGINX One Console UI. For details, see [Secure with NGINX App Protect]({{< ref "/nginx-one/nap-integration/" >}}).
+
+In NGINX One Console, you can:
+
+- Toggle between [Default policy bundles]({{< ref "/nap-waf/v5/configuration-guide/configuration/#updating-default-policy-bundles" >}})
+- Set a blocking or transparant [Policy enforcement mode]({{< ref "/nap-waf/v5/configuration-guide/configuration/#policy-enforcement-modes" >}})
+
+### Monitor F5 NGINX Ingress Controller deployments
+
+You can now monitor your NGINX Ingress Controller deployments. For details, see how
+you can [Connect to NGINX One Console]({{< ref "/nginx-one/k8s/add-nic.md" >}}).
+
+Unlike other NGINX instances, when you connect NGINX Ingress Controller to NGINX One Console, access is read-only. Refer to our [NGINX Ingress Controller]({{< ref "/nic/" >}}) for details on how to modify these instances.
+
 ## July 1, 2025
 
 ### NGINX Agent version 3 support

content/nginx-one/glossary.md

@@ -3,13 +3,13 @@ description: ''
 nd-docs: DOCS-1396
 title: Glossary
 toc: true
-weight: 800
-type:
-- reference
+weight: 1000
+nd-content-type: reference
 ---
 
 This glossary defines terms used in the F5 NGINX One Console and F5 Distributed Cloud.
 
+## General terms
 
 {{<bootstrap-table "table table-striped table-bordered">}}
 | Term        | Definition |
@@ -24,6 +24,10 @@ This glossary defines terms used in the F5 NGINX One Console and F5 Distributed
 | **Tenant** | A tenant in F5 Distributed Cloud is an entity that owns a specific set of configuration and infrastructure. It is fundamental for isolation, meaning a tenant cannot access objects or infrastructure of other tenants. Tenants can be either individual or enterprise, with the latter allowing multiple users with role-based access control (RBAC). |
 {{</bootstrap-table>}}
 
+## NGINX App Protect WAF terminology
+
+{{< include "nap-waf/config/common/nginx-app-protect-waf-terminology.md" >}}
+
 ## Legal notice: Licensing agreements for NGINX products
 
 Using NGINX One is subject to our End User Service Agreement (EUSA). For [NGINX Plus]({{< ref "/nginx" >}}), usage is governed by the End User License Agreement (EULA). Open source projects, including [NGINX Agent](https://github.com/nginx/agent) and [NGINX Open Source](https://github.com/nginx/nginx), are covered under their respective licenses. For more details on these licenses, follow the provided links.

content/nginx-one/k8s/_index.md

@@ -0,0 +1,8 @@
+---
+title: Connect Kubernetes deployments
+description:
+weight: 700
+url: /nginx-one/k8s
+nd-product: NGINX One
+---
+

content/nginx-one/k8s/add-nic.md

@@ -0,0 +1,159 @@
+---
+title: Connect to NGINX One Console
+toc: true
+weight: 200
+nd-content-type: how-to
+nd-product: NGINX One
+---
+
+This document explains how to connect F5 NGINX Ingress Controller <!-- and F5 NGINX Gateway Fabric -->to F5 NGINX One Console using NGINX Agent.
+Connecting NGINX Ingress Controller to NGINX One Console enables centralized monitoring of all controller instances.
+
+Once connected, you'll see a **read-only** configuration of NGINX Ingress Controller. For each instance, you can review:
+
+- Read-only configuration file
+- Unmanaged SSL/TLS certificates for Control Planes
+
+## Before you begin
+
+Before connecting NGINX Ingress Controller to NGINX One Console, you need to create a Kubernetes Secret with the data plane key. Use the following command:
+
+```shell
+kubectl create secret generic dataplane-key \
+  --from-literal=dataplane.key=<Your Dataplane Key> \
+  -n <namespace>
+```
+
+When you create a Kubernetes Secret, use the same namespace where NGINX Ingress Controller is running. 
+If you use [`-watch-namespace`]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#watch-namespace-string" >}}) or [`watch-secret-namespace`]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#watch-secret-namespace-string" >}}) arguments with NGINX Ingress Controller, 
+you need to add the dataplane key secret to the watched namespaces. This secret will take approximately 60 - 90 seconds to reload on the pod.
+
+{{<note>}}
+You can also create a data plane key through the NGINX One Console. Once loggged in, select **Manage > Control Planes > Add Control Plane**, and follow the steps shown.
+{{</note>}}
+
+## Deploy NGINX Ingress Controller with NGINX Agent
+
+{{<tabs name="deploy-config-resource">}}
+{{%tab name="Helm"%}}
+
+Edit your `values.yaml` file to enable NGINX Agent and configure it to connect to NGINX One Console:
+
+```yaml
+nginxAgent:
+  enable: true
+  dataplaneKeySecretName: "<data_plane_key_secret_name>"
+```
+
+The `dataplaneKeySecretName` is used to authenticate the agent with NGINX One Console. See the [NGINX One Console Docs]({{< ref "/nginx-one/connect-instances/create-manage-data-plane-keys.md" >}})
+for instructions on how to generate your dataplane key from the NGINX One Console.
+
+Follow the [Installation with Helm]({{< ref "/nic/installation/installing-nic/installation-with-helm.md" >}}) instructions to deploy NGINX Ingress Controller.
+
+{{%/tab%}}
+{{%tab name="Manifests"%}}
+
+Add the following flag to the Deployment/DaemonSet file of NGINX Ingress Controller:
+
+```yaml
+args:
+- -agent=true
+```
+
+Create a `ConfigMap` with an `nginx-agent.conf` file:
+
+```yaml
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: nginx-agent-config
+  namespace: <namespace>
+data:
+  nginx-agent.conf: |-
+    log:
+      # set log level (error, info, debug; default "info")
+      level: info
+      # set log path. if empty, don't log to file.
+      path: ""
+  
+    allowed_directories:
+      - /etc/nginx
+      - /usr/lib/nginx/modules
+  
+    features:
+      - certificates
+      - connection
+      - metrics
+      - file-watcher
+  
+    ## command server settings
+    command:
+      server:
+        host: product.connect.nginx.com
+        port: 443
+      auth:
+        tokenpath: "/etc/nginx-agent/secrets/dataplane.key"
+      tls:
+        skip_verify: false
+```      
+
+Make sure to set the namespace in the nginx-agent.config to the same namespace as NGINX Ingress Controller.
+Mount the ConfigMap to the Deployment/DaemonSet file of NGINX Ingress Controller:
+
+```yaml
+volumeMounts:
+- name: nginx-agent-config
+  mountPath: /etc/nginx-agent/nginx-agent.conf
+  subPath: nginx-agent.conf
+- name: dataplane-key
+  mountPath: /etc/nginx-agent/secrets
+volumes:
+- name: nginx-agent-config
+  configMap:
+    name: nginx-agent-config
+- name: dataplane-key
+  secret:
+    secretName: "<data_plane_key_secret_name>"
+```
+
+Follow the [Installation with Manifests]({{< ref "/nic/installation/installing-nic/installation-with-manifests.md" >}}) instructions to deploy NGINX Ingress Controller.
+
+{{%/tab%}}
+{{</tabs>}}
+
+## Verify a connection to NGINX One Console
+
+After deploying NGINX Ingress Controller <!-- or NGINX Gateway Fabric --> with NGINX Agent, you can verify the connection to NGINX One Console.
+Log in to your F5 Distributed Cloud Console account. Select **NGINX One > Visit Service**. In the dashboard, go to **Manage > Instances**. You should see your instances listed by name. The instance name matches both the hostname and the pod name.
+
+## Troubleshooting
+
+If you encounter issues connecting your instances to NGINX One Console, try the following commands:
+
+Check the NGINX Agent version:
+
+```shell
+kubectl exec -it -n <namespace> <nginx_ingress_pod_name> -- nginx-agent -v
+```
+  
+If nginx-agent version is v3, continue with the following steps.
+Otherwise, make sure you are using an image that does not include NGINX App Protect. 
+
+Check the NGINX Agent configuration:
+
+```shell
+kubectl exec -it -n <namespace> <nginx_ingress_pod_name> -- cat /etc/nginx-agent/nginx-agent.conf
+```
+
+Check NGINX Agent logs:
+
+```shell
+kubectl exec -it -n <namespace> <nginx_ingress_pod_name> -- nginx-agent
+```
+
+Select the instance associated with your deployment of NGINX Ingress Controller. Under the **Details** tab, you'll see information associated with:
+
+- Unmanaged SSL/TLS certificates for Control Planes 
+- Configuration recommendations 
+
+Under the **Configuration** tab, you'll see a **read-only** view of the configuration files.

content/nginx-one/k8s/overview.md

@@ -0,0 +1,19 @@
+---
+# We use sentence case and present imperative tone
+title: "Integrate Kubernetes control planes"
+# Weights are assigned in increments of 100: determines sorting order
+weight: 100
+# Creates a table of contents and sidebar, useful for large documents
+toc: false
+# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
+nd-content-type: concept
+# Intended for internal catalogue and search, case sensitive:
+# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
+nd-product: NGINX One
+---
+
+You can now include Kubernetes systems through the [control plane](https://www.f5.com/glossary/control-plane). In related documentation, you can learn how to:
+
+- Set up a connection to F5 NGINX One Console through a data plane key.
+- Review the NGINX Ingress Controller instances that are part of your fleet.
+

content/nginx-one/nap-integration/_index.md

@@ -0,0 +1,6 @@
+---
+title: Secure with NGINX App Protect
+description:
+weight: 400
+url: /nginx-one/nap-integration
+---

content/nginx-one/nap-integration/configure-policy.md

@@ -0,0 +1,48 @@
+---
+# We use sentence case and present imperative tone
+title: "Add and configure a policy"
+# Weights are assigned in increments of 100: determines sorting order
+weight: 200
+# Creates a table of contents and sidebar, useful for large documents
+toc: false
+# Types have a 1:1 relationship with Hugo archetypes, so you shouldn't need to change this
+nd-content-type: how-to
+# Intended for internal catalogue and search, case sensitive:
+# Agent, N4Azure, NIC, NIM, NGF, NAP-DOS, NAP-WAF, NGINX One, NGINX+, Solutions, Unit
+nd-product: NGINX One
+---
+
+This document describes how you can configure a security policy in the F5 NGINX One Console. When you add a policy, NGINX One Console includes several UI-based options and presets, based on NGINX App Protect WAF.
+
+
+If you already know NGINX App Protect WAF, you can go beyond the options available in the UI. 
+
+## Add a policy
+
+From NGINX One Console, select App Protect > Policies. In the screen that appears, select **Add Policy**. That action opens a screen where you can:
+
+- In General Settings, name and describe the policy.
+  - You can also set one of the following enforcement modes:
+    - Transparent
+    - Blocking
+
+For details, see the [Glossary]({{< ref "/nginx-one/glossary.md#nginx-app-protect-waf-terminology" >}}), specifically the entry: **Enforcement mode**. You'll see this in the associated configuration file,
+with the `enforcementMode` property.
+
+You can also set a character encoding. The default encoding is `Unicode (utf-8)`. To set a different character encoding, select **Show Advanced Fields** and select the **Application Language** of your choice.
+
+## Configure a policy
+
+With NGINX One Console User Interface, you get a default policy. You can also select **NGINX Strict** for a more rigorous policy:
+
+### Basic Configuration and the Default Policy
+
+{{< include "/nap-waf/concept/basic-config-default-policy.md" >}}
+
+## Save your policy
+
+NGINX One Console includes a Policy JSON section which displays your policy in JSON format. What you configure here is written to your instance of NGINX App Protect WAF. 
+
+With the **Edit** option, you can customize this policy. It opens the JSON file in a local editor. When you select **Save Policy**, it saves the latest version of what you've configured. You'll see your new policy under the name you used.
+
+From NGINX One Console, you can review the policies that you've saved, along with their versions. Select **App Protect** > **Policies**. Select the policy that you want to review or modify.