Get the NGINX Plus image using JWT

Overview

This document describes how to use a JWT token to get an NGINX Plus image for NGINX Gateway Fabric from the F5 Docker registry.

Follow the steps in this document to pull the NGINX Plus image for NGINX Gateway Fabric from the F5 Docker registry into your Kubernetes cluster using your JWT token. To list available image tags using the Docker registry API, you will also need to download its certificate and key from MyF5.

Important:
An NGINX Plus subscription will not work with these instructions. For NGINX Gateway Fabric, you must have an Connectivity Stack for Kubernetes subscription.

Before you begin

You will need the following items from MyF5 for these instructions:

  1. A JWT Access Token for NGINX Gateway Fabric from an active Connectivity Stack for Kubernetes subscription (Per instance).
  2. The certificate (nginx-repo.crt) and key (nginx-repo.key) for each NGINX Gateway Fabric instance.

Get the Credentials

  1. Log into the MyF5 Portal, navigate to your subscription details, and download the required certificate, key and JWT files.

Using the JWT token in a Docker Config Secret

  1. Create a Kubernetes docker-registry secret type on the cluster, using the contents of the JWT token as the username and none for password (as the password is not used). The name of the docker server is private-registry.nginx.com.

    kubectl create secret docker-registry nginx-plus-registry-secret --docker-server=private-registry.nginx.com --docker-username=<JWT Token> --docker-password=none [-n nginx-gateway]
    

    It is important that the --docker-username=<JWT Token> contains the contents of the token and is not pointing to the token itself. When you copy the contents of the JWT token, ensure there are no additional characters such as extra whitespaces. This can invalidate the token, causing 401 errors when trying to authenticate to the registry.

  2. Inspect and verify the details of the created secret by running:

    kubectl get secret nginx-plus-registry-secret --output=yaml
    
Note:

For security, follow these practices with JSON Web Tokens (JWTs), passwords, and shell history:

  1. JWTs: JWTs are sensitive information. Store them securely. Delete them after use to prevent unauthorized access.

  2. Shell history: Commands that include JWTs or passwords are recorded in the history of your shell, in plain text. Clear your shell history after running such commands. For example, if you use bash, you can delete commands in your ~/.bash_history file. Alternatively, you can run the history -c command to erase your shell history.

Follow these practices to help ensure the security of your system and data.

Install NGINX Gateway Fabric

Please refer to Installing NGINX Gateway Fabric

Pulling an image for local use

To pull an image for local use, use this command:

docker login private-registry.nginx.com --username=<output_of_jwt_token> --password=none

Replace the contents of <output_of_jwt_token> with the contents of the JWT token itself. Once you have successfully pulled the image, you can tag it as needed, then push it to a different container registry.

Alternative installation options

There are alternative ways to get an NGINX Plus image for NGINX Gateway Fabric: