Merge branch 'main' into Update-docs-issue147

Author: jawfu-M

.github/CODEOWNERS

@@ -37,6 +37,10 @@ content/includes/nginxaas-azure/* @nginx/n4a-docs-approvers
 content/ngf/*               @nginx/nginx-gateway-fabric
 content/includes/ngf/*      @nginx/nginx-gateway-fabric
 
+# NGINX Ingress Controller
+content/nic/*                   @nginx/kic
+content/includes/nic/*          @nginx/kic
+
 # NGINX Instance Manager
 content/nms/nim/*           @nginx/nim-docs-approvers
 content/nim/*               @nginx/nim-docs-approvers

.github/workflows/build-push.yml

@@ -58,7 +58,7 @@ jobs:
 
   call-docs-build-push:
     needs: prod-check-branch
-    uses: nginxinc/docs-actions/.github/workflows/docs-build-push.yml@9c59fab05a8131f4d691ba6ea2b6a119f3ef832a # v1.0.7
+    uses: nginxinc/docs-actions/.github/workflows/docs-build-push.yml@bc2ae667727ba02b3d70dacee231ce04f7d94344 # v1.0.8
     with:
       production_url_path: ""
       preview_url_path: "${{ vars.PREVIEW_URL_PATH }}"
@@ -79,16 +79,37 @@ jobs:
     runs-on: ubuntu-latest
     permissions: read-all
     steps:
-      - name: Trigger 'Slack notification for new theme release' workflow in 'nginx-hugo-theme' repo.
-        run: |
-           curl -L \
-              -X POST \
-              -H "Accept: application/vnd.github+json" \
-              -H "Authorization: Bearer ${{ secrets.THEME_SLACK_FLOW_PAT }}" \
-              -H "X-GitHub-Api-Version: 2022-11-28" \
-              "https://api.github.com/repos/${{ secrets.OWNER }}/${{ secrets.REPO }}/dispatches" \
-              -d "{\"event_type\": \"trigger-slack-notification\", \"client_payload\": {\"previewURL\": \"${{ env.PREVIEW_URL }}\",  \"author\": \"${{ github.event.client_payload.author}}\", \"tag_name\": \"${{ github.event.client_payload.tag_name }}\", \"release_name\": \"${{ github.event.client_payload.release_name }}\"}}"
+      - name: Send notification
+        uses:  8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+        with: 
+          status: custom
+          custom_payload: |
+            {
+                username: 'Github',
+                mention: 'channel',
+                attachments: [{
+                  title: `New theme release - ${{ github.event.client_payload.release_name }}`,
+                  color: '#009223',
+                  fields: [
+                  {
+                    title: 'Tag',
+                    value: `${{ github.event.client_payload.tag_name }}`,
+                    short: true
+                  },
+                  {
+                    title: 'Author',
+                    value: `${{ github.event.client_payload.author }}`,
+                    short: true
+                  },
+                  {
+                    title: 'Preview URL',
+                    value: `${{ env.PREVIEW_URL }}`,
+                    short: true
+                  }]
+                }]
+            }
     env:
+      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_FRIENDS_OF_DOCS }}
       PREVIEW_URL: ${{ needs.call-docs-build-push.outputs.PREVIEW_URL }}
 
 

.github/workflows/notification.yml

@@ -75,4 +75,4 @@ jobs:
                 }]
             }
         env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_DOCS_INCIDENT }}

.github/workflows/ossf_scorecard.yml

@@ -56,6 +56,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: Upload SARIF results to code scanning
-        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+        uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
         with:
           sarif_file: results.sarif

_banners/agent-v3-release.md

@@ -0,0 +1,9 @@
+{{< banner "notice" "NGINX Agent 3.0 is now available" >}}
+
+
+F5 NGINX One Console does not currently support Agent 3.x. If you are using NGINX One Console in your environment, upgrade to the latest Agent 2.x version by following the [Upgrade NGINX Agent](/nginx-agent/installation-upgrade/upgrade/) guide.
+
+Please see the [Technical specifications](/nginx-agent/technical-specifications/) for product compatibility.
+
+
+{{< /banner >}}

cleanup_log.txt

@@ -7,18 +7,19 @@ pygmentsUseClasses = true
 enableGitInfo = true
 
 [permalinks]
+  agent = '/nginx-agent/:sections[1:]/:filename'
   amplify = '/nginx-amplify/:sections[1:]/:filename'
   controller = '/nginx-controller/:sections[1:]/:filename'
   mesh = '/nginx-service-mesh/:sections[1:]/:filename'
   modsec-waf = '/nginx-waf/:sections[1:]/:filename'
   nap-dos = '/nginx-app-protect-dos/:sections[1:]/:filename'
   nap-waf = '/nginx-app-protect-waf/:sections[1:]/:filename'
+  nginxaas = '/nginxaas/azure/:sections[1:]/:filename'
   ngf = '/nginx-gateway-fabric/:sections[1:]/:filename'
+  nic = '/nginx-ingress-controller/:sections[1:]/:filename'
   nim = '/nginx-instance-manager/:sections[1:]/:filename'
   nms = '/nginx-management-suite/:sections[1:]/:filename'
   unit = '/nginx-unit/:sections[1:]/:filename'
-  agent = '/nginx-agent/:sections[1:]/:filename'
-  nginxaas = '/nginxaas/azure/:sections[1:]/:filename'
 
 [caches]
   [caches.modules]

config/_default/config.toml

@@ -1,8 +1,12 @@
 ---
 title: NGINX Agent
-description: NGINX Agent is a companion daemon for your NGINX Open Source or NGINX
-  Plus instance.
 url: /nginx-agent/
 cascade:
   logo: NGINX-product-icon.png
+  banner:
+    enabled: true
+    type: deprecation
+    start-date: 2025-05-29
+    end-date: 2025-09-09
+    md: /_banners/agent-v3-release.md
 ---

content/agent/_index.md

@@ -12,6 +12,17 @@ type:
 
 This document provides technical specifications for NGINX Agent. It includes information on supported distributions, deployment environments, NGINX versions, sizing recommendations, and logging.
 
+## NGINX Agent v3.0 Compatibility 
+{{< bootstrap-table "table table-striped table-bordered" >}}
+| NGINX Product                | Agent Version  |
+|------------------------------|----------------|
+| **NGINX One Console**        | 2.x            |
+| **NGINX Gateway Fabric**     | 3.x            | 
+| **NGINX Plus**               | 2.x, 3.x       |
+| **NGINX Ingress Controller** | 2.x            |
+| **NGINX Instance Manager**   | 2.x            |
+{{< /bootstrap-table >}}
+
 ## Supported Distributions
 
 NGINX Agent can run in most environments. We support the following distributions:

content/agent/technical-specifications.md

@@ -36,23 +36,39 @@ Add the NGINX Instance Manager repository:
 
 {{%tab name="Debian, Ubuntu, Deb-Based"%}}
 
-Add the NGINX Instance Manager repository:
-
-- **Debian**
+1. Add the NGINX signing key:
 
   ```shell
-  printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/nms/debian `lsb_release -cs` nginx-plus\n" | sudo tee /etc/apt/sources.list.d/nms.list
-  sudo wget -q -O /etc/apt/apt.conf.d/90pkgs-nginx https://cs.nginx.com/static/files/90pkgs-nginx
+  wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key \
+      | gpg --dearmor \
+      | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null 
   ```
 
-  <br>
+2. Add the NGINX Instance Manager repository:
 
-- **Ubuntu**
+   - **Debian**
 
-  ```shell
-  printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://pkgs.nginx.com/nms/ubuntu `lsb_release -cs` nginx-plus\n" | sudo tee /etc/apt/sources.list.d/nms.list
-  sudo wget -q -O /etc/apt/apt.conf.d/90pkgs-nginx https://cs.nginx.com/static/files/90pkgs-nginx
-  ```
+    ```shell
+    printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
+    https://pkgs.nginx.com/nms/debian $(lsb_release -cs) nginx-plus\n" | \
+    sudo tee /etc/apt/sources.list.d/nms.list
+
+    sudo wget -q -O /etc/apt/apt.conf.d/90pkgs-nginx \
+    https://cs.nginx.com/static/files/90pkgs-nginx
+    ```
+
+     <br>
+
+   - **Ubuntu**
+
+    ```shell
+    printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
+    https://pkgs.nginx.com/nms/ubuntu $(lsb_release -cs) nginx-plus\n" | \
+    sudo tee /etc/apt/sources.list.d/nms.list
+
+    sudo wget -q -O /etc/apt/apt.conf.d/90pkgs-nginx \
+    https://cs.nginx.com/static/files/90pkgs-nginx
+    ```
 
 {{%/tab%}}
 {{</tabs>}}

content/includes/installation/add-nms-repo.md

@@ -50,4 +50,4 @@ There are two options for accessing NGINX Gateway Fabric depending on the type o
 
 NGINX Gateway Fabric uses the created service to update the **Addresses** field in the **Gateway Status** resource. Using a **LoadBalancer** service sets this field to the IP address and/or hostname of that service. Without a service, the pod IP address is used.
 
-This gateway is associated with the NGINX Gateway Fabric through the **gatewayClassName** field. The default installation of NGINX Gateway Fabric creates a **GatewayClass** with the name **nginx**. NGINX Gateway Fabric will only configure gateways with a **gatewayClassName** of **nginx** unless you change the name via the `--gatewayclass` [command-line flag]({{< ref "/ngf/reference/cli-help.md#static-mode">}}).
+This gateway is associated with the NGINX Gateway Fabric through the **gatewayClassName** field. The default installation of NGINX Gateway Fabric creates a **GatewayClass** with the name **nginx**. NGINX Gateway Fabric will only configure gateways with a **gatewayClassName** of **nginx** unless you change the name via the `--gatewayclass` [command-line flag]({{< ref "/ngf/reference/cli-help.md#controller">}}).

content/includes/installation/clickhouse-defaults.md

@@ -2,7 +2,7 @@
 docs: "DOCS-000"
 ---
 
-{{< note >}} If you would rather pull the NGINX Plus image and push to a private registry, you can skip this specific step and instead follow [this step]({{< ref "/ngf/install/nginx-plus.md#pulling-an-image-for-local-use" >}}). {{< /note >}}
+{{< note >}} If you would rather pull the NGINX Plus image and push to a private registry, you can skip this specific step and instead follow [this step]({{< ref "/ngf/install/nginx-plus.md#pull-an-image-for-local-use" >}}). {{< /note >}}
 
 If the `nginx-gateway` namespace does not yet exist, create it:
 

content/includes/ngf/installation/expose-nginx-gateway-fabric.md

@@ -6,5 +6,5 @@ Start by installing NGINX Instance Manager on a dedicated host. Then, configure
 
 
 {{<call-out tip "Tip for Automated Reporting">}}
-To set up automatic reporting, [add your JWT-based license to NGINX Instance Manager]({{< ref "/nim/admin-guide/license/add-license.md#apply-jwt-license" >}}). This license can be downloaded from [MyF5](https://account.f5.com/myf5) if needed.
+To set up automatic reporting, [add your JWT-based license to NGINX Instance Manager]({{< ref "/nim/admin-guide/add-license.md#apply-jwt-license" >}}). This license can be downloaded from [MyF5](https://account.f5.com/myf5) if needed.
 {{</call-out>}}

content/includes/ngf/installation/nginx-plus/docker-registry-secret.md

@@ -0,0 +1,10 @@
+The following table shows compatibility between NGINX Ingress Controller (NIC) and NGINX App Protect WAF (NAP-WAF) versions:
+
+{{< bootstrap-table "table table-striped table-responsive" >}}
+| NIC Version         | NAP-WAF Version | Config Manager | Enforcer |
+| ------------------- | --------------- | -------------- | -------- |
+| {{< nic-version >}} | 34+5.332        | 5.6.0          | 5.6.0    |
+| 4.0.1               | 33+5.264        | 5.5.0          | 5.5.0    |
+| 3.7.2               | 32+5.1          | 5.3.0          | 5.3.0    |
+| 3.6.2               | 32+5.48         | 5.2.0          | 5.2.0    |
+{{% /bootstrap-table %}}

content/includes/nginx-plus/usage-tracking/overview.md

@@ -0,0 +1,8 @@
+---
+title: Configuration
+description:
+weight: 1400
+menu:
+  docs:
+    parent: NGINX Ingress Controller
+---

content/includes/nic/compatibility-tables/nic-nap.md

@@ -0,0 +1,120 @@
+---
+title: Deploy a Policy for access control
+weight: 900
+toc: true
+docs: DOCS-000
+---
+
+This topic describes how to use F5 NGINX Ingress Controller to apply and update a Policy for access control. It demonstrates it using an example application and a [VirtualServer custom resource]({{< ref "/configuration/virtualserver-and-virtualserverroute-resources.md" >}}).
+
+---
+
+## Before you begin
+
+You should have a [working NGINX Ingress Controller]({{< ref "/installation/installing-nic/installation-with-helm.md" >}}) instance.
+
+For ease of use in shell commands, set two shell variables:
+
+1. The public IP address for your NGINX Ingress Controller instance.
+
+```shell
+IC_IP=<ip-address>
+```
+
+2. The HTTP port of the same instance.
+
+```shell
+IC_HTTP_PORT=<port number>
+```
+
+---
+
+## Deploy the example application
+
+Create the file _webapp.yaml_ with the following contents:
+
+{{< ghcode "https://raw.githubusercontent.com/nginx/kubernetes-ingress/refs/heads/main/examples/custom-resources/access-control/webapp.yaml" >}}
+
+Apply it using `kubectl`:
+
+```shell
+kubectl apply -f webapp.yaml
+```
+
+---
+
+## Deploy a Policy to create a deny rule
+
+Create a file named _access-control-policy-deny.yaml_. The highlighted _deny_ field will be used by the example application, and should be changed to the subnet of your machine.
+
+{{< ghcode "https://raw.githubusercontent.com/nginx/kubernetes-ingress/refs/heads/main/examples/custom-resources/access-control/access-control-policy-deny.yaml" "hl_lines=7-8" >}}
+
+Apply the policy:
+
+```shell
+kubectl apply -f access-control-policy-deny.yaml
+```
+
+---
+
+## Configure load balancing
+
+Create a file named _virtual-server.yaml_ for the VirtualServer resource. The _policies_ field references the access control Policy created in the previous section.
+
+{{< ghcode "https://raw.githubusercontent.com/nginx/kubernetes-ingress/refs/heads/main/examples/custom-resources/access-control/virtual-server.yaml" "hl_lines=7-8" >}}
+
+Apply the policy:
+
+```shell
+kubectl apply -f virtual-server.yaml
+```
+
+---
+
+## Test the example application
+
+Use `curl` to attempt to access the application:
+
+```shell
+curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT
+```
+```text
+<html>
+<head><title>403 Forbidden</title></head>
+<body>
+<center><h1>403 Forbidden</h1></center>
+</body>
+</html>
+```
+
+The *403* response is expected, successfully blocking your machine.
+
+---
+
+## Update the Policy to create an allow rule
+
+Update the Policy with the file _access-control-policy-allow.yaml_, setting the _allow_ field to the subnet of your machine.
+
+{{< ghcode "https://raw.githubusercontent.com/nginx/kubernetes-ingress/refs/heads/main/examples/custom-resources/access-control/access-control-policy-allow.yaml" "hl_lines=7-8" >}}
+
+Apply the Policy:
+
+```shell
+kubectl apply -f access-control-policy-allow.yaml
+```
+
+----
+
+## Verify the Policy update
+
+Attempt to access the application again:
+
+```shell
+curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT
+```
+```text
+Server address: 10.64.0.13:8080
+Server name: webapp-5cbbc7bd78-wf85w
+```
+
+The successful response demonstrates that the policy has been updated.

content/includes/nic/configuration/_index.md

@@ -0,0 +1,13 @@
+---
+docs: DOCS-584
+doctypes:
+- ''
+title: Configuration examples
+toc: true
+weight: 400
+---
+
+Our [GitHub repo](https://github.com/nginx/kubernetes-ingress) includes a number of configuration examples:
+
+- [*Examples of Custom Resources*](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/custom-resources) show how to advanced NGINX features by using VirtualServer, VirtualServerRoute, TransportServer and Policy Custom Resources.
+- [*Examples of Ingress Resources*](https://github.com/nginx/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources) show how to use advanced NGINX features in Ingress resources with annotations.