Merge branch 'main' into nic/upgrade-instructions

Author: ADubhlaoich

content/nginx-one/k8s/add-nic.md

@@ -37,13 +37,27 @@ You can also create a data plane key through the NGINX One Console. Once loggged
 {{<tabs name="deploy-config-resource">}}
 {{%tab name="Helm"%}}
 
-Edit your `values.yaml` file to enable NGINX Agent and configure it to connect to NGINX One Console:
+Upgrade or install NGINX Ingress Controller with the following command to configure NGINX Agent and connect to NGINX One Console:
 
-```yaml
-nginxAgent:
-  enable: true
-  dataplaneKeySecretName: "<data_plane_key_secret_name>"
-```
+- For NGINX:
+
+    ```shell
+    helm upgrade --install my-release oci://ghcr.io/nginx/charts/nginx-ingress --version {{< nic-helm-version >}} \
+      --set nginxAgent.enable=true \
+      --set nginxAgent.dataplaneKeySecretName=<data_plane_key_secret_name> \
+      --set nginxAgent.endpointHost=agent.connect.nginx.com
+    ```
+
+- For NGINX Plus: (This assumes you have pushed NGINX Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`)
+
+    ```shell
+    helm upgrade --install my-release oci://ghcr.io/nginx/charts/nginx-ingress --version {{< nic-helm-version >}} \
+      --set controller.image.repository=myregistry.example.com/nginx-plus-ingress \
+      --set controller.nginxplus=true \
+      --set nginxAgent.enable=true \
+      --set nginxAgent.dataplaneKeySecretName=<data_plane_key_secret_name> \
+      --set nginxAgent.endpointHost=agent.connect.nginx.com
+    ```
 
 The `dataplaneKeySecretName` is used to authenticate the agent with NGINX One Console. See the [NGINX One Console Docs]({{< ref "/nginx-one/connect-instances/create-manage-data-plane-keys.md" >}})
 for instructions on how to generate your dataplane key from the NGINX One Console.
@@ -89,7 +103,7 @@ data:
     ## command server settings
     command:
       server:
-        host: product.connect.nginx.com
+        host: agent.connect.nginx.com
         port: 443
       auth:
         tokenpath: "/etc/nginx-agent/secrets/dataplane.key"

content/nginx-one/nginx-configs/config-sync-groups/manage-config-sync-groups.md

@@ -81,7 +81,7 @@ When you plan Config Sync Groups, consider the following factors:
 
 - **Single Config Sync Group membership**: You can add an instance to only one Config Sync Group.
 
-- **NGINX Agent configuration file location**: When you run the NGINX Agent installation script to register an instance with NGINX One, the script creates the `agent-dynamic.conf` file, which contains settings for the NGINX Agent, including the specified Config Sync Group. This file is typically located in `/var/lib/nginx-agent/` on most systems; however, on FreeBSD, it's located at `/var/db/nginx-agent/`.
+- **NGINX Agent configuration file location**: When you run the NGINX Agent installation script to register an instance with NGINX One, the script creates the `nginx-agent.conf` (or `agent-dynamic.conf` if you are using NGINX Agent 2.x) file, which contains settings for the NGINX Agent, including the specified Config Sync Group. This file is typically located in `/etc/nginx-agent/` on most systems.
 
 - **Mixing NGINX Open Source and NGINX Plus instances**: You can add both NGINX Open Source and NGINX Plus instances to the same Config Sync Group, but there are limitations. If your configuration includes features exclusive to NGINX Plus, synchronization will fail on NGINX Open Source instances because they don't support these features. NGINX One allows you to mix NGINX instance types for flexibility, but it’s important to ensure that the configurations you're applying are compatible with all instances in the group.
 
@@ -104,6 +104,28 @@ Any instance that joins the group afterwards inherits that configuration.
 
 You can add existing NGINX instances that are already registered with NGINX One to a Config Sync Group.
 
+{{< tabs name="Add existing instance to Config Sync Group" >}}
+
+{{%tab name="NGINX Agent 3.x"%}}
+
+1. Open a command-line terminal on the NGINX instance.
+2. Open the `/etc/nginx-agent/nginx-agent.conf` file in a text editor.
+3. Find or create the `labels` section and change the `config_sync_group` label to the name of the new Config Sync Group.
+
+   ``` text
+   labels:
+      config_sync_group: <config_sync_group>
+   ```
+
+4. Restart NGINX Agent:
+
+   ``` shell
+   sudo systemctl restart nginx-agent
+   ```
+
+{{%/tab%}}
+{{%tab name="NGINX Agent 2.x"%}}
+
 1. Open a command-line terminal on the NGINX instance.
 2. Open the `/var/lib/nginx-agent/agent-dynamic.conf` file in a text editor.
 3. At the end of the file, add a new line beginning with `instance_group:`, followed by the Config Sync Group name.
@@ -118,6 +140,9 @@ You can add existing NGINX instances that are already registered with NGINX One
    sudo systemctl restart nginx-agent
    ```
 
+{{%/tab%}}
+{{< /tabs >}}
+
 ### Add a new instance to a Config Sync Group {#add-a-new-instance-to-a-config-sync-group}
 
 When adding a new NGINX instance that is not yet registered with NGINX One, you need a data plane key to securely connect the instance. You can generate a new data plane key during the process or use an existing one if you already have it.
@@ -185,6 +210,29 @@ For more details on creating and managing data plane keys, see [Create and manag
 
 If you need to move an NGINX instance to a different Config Sync Group, follow these steps:
 
+{{< tabs name="Move instance to Config Sync Group" >}}
+
+{{%tab name="NGINX Agent 3.x"%}}
+
+1. Open a command-line terminal on the NGINX instance.
+2. Open the `/etc/nginx-agent/nginx-agent.conf` file in a text editor.
+3. Find the `labels` section and change the `config_sync_group` label to the name of the new Config Sync Group.
+
+   ``` text
+   labels:
+      config-sync-group: <new_config_sync_group>
+   ```
+
+4. Restart NGINX Agent by running the following command:
+
+   ```shell
+   sudo systemctl restart nginx-agent
+   ```
+
+{{%/tab%}}
+{{%tab name="NGINX Agent 2.x"%}}
+
+
 1. Open a command-line terminal on the NGINX instance.
 2. Open the `/var/lib/nginx-agent/agent-dynamic.conf` file in a text editor.
 3. Locate the line that begins with `instance_group:` and change it to the name of the new Config Sync Group.
@@ -199,12 +247,39 @@ If you need to move an NGINX instance to a different Config Sync Group, follow t
    sudo systemctl restart nginx-agent
    ```
 
+{{%/tab%}}
+{{< /tabs >}}
+
+
 If you move an instance with certificates from one Config Sync Group to another, NGINX One adds or removes those certificates from the data plane, to synchronize with the deployed certificates of the group.
 
 ### Remove an instance from a Config Sync Group
 
 If you need to remove an NGINX instance from a Config Sync Group without adding it to another group, follow these steps:
 
+
+{{< tabs name="Remove instance from Config Sync Group" >}}
+
+{{%tab name="NGINX Agent 3.x"%}}
+
+1. Open a command-line terminal on the NGINX instance.
+2. Open the `/etc/nginx-agent/nginx-agent.conf` file in a text editor.
+3. Locate the line that begins with `labels:` section and either remove the `config-sync-group` line or comment it out by adding a `#` at the beginning of the line.
+
+   ```text
+   labels:
+      # config-sync-group: <new_config_sync_group>
+   ```
+
+4. Restart NGINX Agent:
+
+   ```shell
+   sudo systemctl restart nginx-agent
+   ```
+
+{{%/tab%}}
+{{%tab name="NGINX Agent 2.x"%}}
+
 1. Open a command-line terminal on the NGINX instance.
 2. Open the `/var/lib/nginx-agent/agent-dynamic.conf` file in a text editor.
 3. Locate the line that begins with `instance_group:` and either remove it or comment it out by adding a `#` at the beginning of the line.
@@ -219,6 +294,10 @@ If you need to remove an NGINX instance from a Config Sync Group without adding
    sudo systemctl restart nginx-agent
    ```
 
+{{%/tab%}}
+{{< /tabs >}}
+
+
 By removing or commenting out this line, the instance will no longer be associated with any Config Sync Group.
 
 ## Publish the Config Sync Group configuration {#publish-the-config-sync-group-configuration}

content/nic/installation/installing-nic/installation-with-helm.md

@@ -298,21 +298,25 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 | **serviceNameOverride** | Used to prevent cloud load balancers from being replaced due to service name change during helm upgrades. | "" |
 | **nginxServiceMesh.enable** | Enable integration with NGINX Service Mesh. See the NGINX Service Mesh docs for more details. Requires `controller.nginxplus`. | false |
 | **nginxServiceMesh.enableEgress** | Enable NGINX Service Mesh workloads to route egress traffic through the Ingress Controller. See the NGINX Service Mesh docs for more details. Requires `nginxServiceMesh.enable`. | false |
-|**nginxAgent.enable** | Enable NGINX Agent to integrate the Security Monitoring and App Protect WAF modules. Requires `controller.appprotect.enable`. | false |
-|**nginxAgent.instanceGroup** | Set a custom Instance Group name for the deployment, shown when connected to NGINX Instance Manager. `nginx-ingress.controller.fullname` will be used if not set. | "" |
-|**nginxAgent.logLevel** | Log level for NGINX Agent. | "error |
-|**nginxAgent.instanceManager.host** | FQDN or IP for connecting to NGINX Ingress Controller. Required when `nginxAgent.enable` is set to `true` | "" |
-|**nginxAgent.instanceManager.grpcPort** | Port for connecting to NGINX Ingress Controller. | 443 |
-|**nginxAgent.instanceManager.sni** | Server Name Indication for Instance Manager. See the NGINX Agent [docs]({{< ref "/agent/configuration/encrypt-communication.md" >}}) for more details. | "" |
-|**nginxAgent.instanceManager.tls.enable** | Enable TLS for Instance Manager connection. | true |
-|**nginxAgent.instanceManager.tls.skipVerify** | Skip certification verification for Instance Manager connection. | false |
-|**nginxAgent.instanceManager.tls.caSecret** | Name of `nginx.org/ca` secret used for verification of Instance Manager TLS. | "" |
-|**nginxAgent.instanceManager.tls.secret** | Name of `kubernetes.io/tls` secret with a TLS certificate and key for using mTLS between NGINX Agent and Instance Manager. See the NGINX Instance Manager [docs]({{< ref "/nim/system-configuration/secure-traffic.md#mutual-client-certificate-authentication-setup-mtls" >}}) and the NGINX Agent [docs]({{< ref "/agent/configuration/encrypt-communication.md" >}}) for more details. | "" |
-|**nginxAgent.syslog.host** | Address for NGINX Agent to run syslog listener. | 127.0.0.1 |
-|**nginxAgent.syslog.port** | Port for NGINX Agent to run syslog listener. | 1514 |
-|**nginxAgent.napMonitoring.collectorBufferSize** | Buffer size for collector. Will contain log lines and parsed log lines. | 50000 |
-|**nginxAgent.napMonitoring.processorBufferSize** | Buffer size for processor. Will contain log lines and parsed log lines. | 50000 |
-|**nginxAgent.customConfigMap** | The name of a custom ConfigMap to use instead of the one provided by default. | "" |
+|**nginxAgent.enable** | Enable NGINX Agent 3.x to allow [connecting to NGINX One Console]({{< ref "/nginx-one/k8s/add-nic.md" >}}) or to integrate NGINX Agent 2.x for [Security Monitoring]({{< ref "/nic/tutorials/security-monitoring.md" >}}) . | false |
+|**nginxAgent.logLevel** | Log level for NGINX Agent. | "error" |
+|**nginxAgent.dataplaneKeySecretName** | Name of the Kubernetes Secret containing the Data Plane key used to authenticate to NGINX One Console. Learn more [here]({{< ref "/nginx-one/k8s/add-nic.md" >}}). Required when `nginxAgent.enable` is set to `true`. Requires NGINX Agent 3.x. | "" |
+|**nginxAgent.endpointHost** | Domain or IP address for the NGINX One Console. Requires NGINX Agent 3.x. | "agent.connect.nginx.com" |
+|**nginxAgent.endpointPort** | Port for the NGINX One Console endpoint. Requires NGINX Agent 3.x. | 443 |
+|**nginxAgent.tlsSkipVerify** | Skip TLS verification for the NGINX One Console endpoint. Requires NGINX Agent 3.x. | false |
+|**nginxAgent.instanceGroup** | Set a custom Instance Group name for the deployment, shown when connected to NGINX Instance Manager. `nginx-ingress.controller.fullname` will be used if not set. Requires NGINX Agent 2.x. | "" |
+|**nginxAgent.instanceManager.host** | FQDN or IP for connecting to NGINX Ingress Controller. Required when `nginxAgent.enable` is set to `true`. Requires NGINX Agent 2.x. | "" |
+|**nginxAgent.instanceManager.grpcPort** | Port for connecting to NGINX Ingress Controller. Requires NGINX Agent 2.x. | 443 |
+|**nginxAgent.instanceManager.sni** | Server Name Indication for Instance Manager. See the NGINX Agent [docs]({{< ref "/agent/configuration/encrypt-communication.md" >}}) for more details. Requires NGINX Agent 2.x. | "" |
+|**nginxAgent.instanceManager.tls.enable** | Enable TLS for Instance Manager connection. Requires NGINX Agent 2.x. | true |
+|**nginxAgent.instanceManager.tls.skipVerify** | Skip certification verification for Instance Manager connection. Requires NGINX Agent 2.x. | false |
+|**nginxAgent.instanceManager.tls.caSecret** | Name of `nginx.org/ca` secret used for verification of Instance Manager TLS. Requires NGINX Agent 2.x. | "" |
+|**nginxAgent.instanceManager.tls.secret** | Name of `kubernetes.io/tls` secret with a TLS certificate and key for using mTLS between NGINX Agent and Instance Manager. See the NGINX Instance Manager [docs]({{< ref "/nim/system-configuration/secure-traffic.md#mutual-client-certificate-authentication-setup-mtls" >}}) and the NGINX Agent [docs]({{< ref "/agent/configuration/encrypt-communication.md" >}}) for more details. Requires NGINX Agent 2.x. | "" |
+|**nginxAgent.syslog.host** | Address for NGINX Agent to run syslog listener. Requires NGINX Agent 2.x. | 127.0.0.1 |
+|**nginxAgent.syslog.port** | Port for NGINX Agent to run syslog listener. Requires NGINX Agent 2.x. | 1514 |
+|**nginxAgent.napMonitoring.collectorBufferSize** | Buffer size for collector. Will contain log lines and parsed log lines. Requires NGINX Agent 2.x. | 50000 |
+|**nginxAgent.napMonitoring.processorBufferSize** | Buffer size for processor. Will contain log lines and parsed log lines. Requires NGINX Agent 2.x. | 50000 |
+|**nginxAgent.customConfigMap** | The name of a custom ConfigMap to use instead of the one provided by default. Requires NGINX Agent 2.x.| "" |
 {{</bootstrap-table>}}
 
 ## Uninstall NGINX Ingress Controller

content/nic/installation/integrations/nic-n1-console.md

@@ -10,13 +10,15 @@ nd-docs: DOCS-616
 
 08 Jul 2025
 
-This release includes the ability to configure Rate Limiting for your APIs based on a specific NGINX variable and its value. This allows you more granular control over how frequently specific users access your resources.
+This NGINX Ingress Controller release brings initial connectivity to the NGINX One Console! You can now use NGINX One Console to manage NGINX instances that are part of your NGINX Ingress Controller cluster. See [here]({{< ref "/nginx-one/k8s/add-nic.md" >}}) to configure NGINX One Console with NGINX Ingress Controller.
+
+This release also includes the ability to configure Rate Limiting for your APIs based on a specific NGINX variable and its value. This allows you more granular control over how frequently specific users access your resources.
 
 Lastly, in our previous v5.0.0 release, we removed support for Open Tracing. This release replaces that observability capability with native NGINX Open Telemetry traces, allowing you to monitor the internal traffic of your applications.
 
 ### <i class="fa-solid fa-rocket"></i> Features
 - [7642](https://github.com/nginx/kubernetes-ingress/pull/7642) Add OpenTelemetry support
-- [7916](https://github.com/nginx/kubernetes-ingress/pull/7916) Add support for Agent V3
+- [7916](https://github.com/nginx/kubernetes-ingress/pull/7916) Add support for NGINX Agent version 3 and Connecting to NGINX One Console
 - [7884](https://github.com/nginx/kubernetes-ingress/pull/7884) Tiered rate limits with variables
 - [7765](https://github.com/nginx/kubernetes-ingress/pull/7765) Add OIDC PKCE configuration through Policy
 - [7832](https://github.com/nginx/kubernetes-ingress/pull/7832) Add request_method to rate-limit Policy