Using the NGINX IC Plus JWT token in a Docker Config Secret

This document explains how to use the NGINX Plus Ingress Controller image from the F5 Docker registry in your Kubernetes cluster by using your NGINX Ingress Controller subscription JWT token.

This document explains how to use the NGINX Plus Ingress Controller image from the F5 Docker registry in your Kubernetes cluster by using your NGINX Ingress Controller subscription JWT token. Please note that an NGINX Plus subscription certificate and key will not work with the F5 Docker registry. You can also get the image using alternative methods:

• You can use Docker to pull an Ingress Controller image with NGINX Plus and push it to your private registry by following the Pulling the Ingress Controller Image documentation.
• Please see the information on how to build an Ingress Controller image using the source code from this repository and your NGINX Plus subscription certificate and key.
• Note that for NGINX Ingress Controller based on NGINX OSS, we provide the image through DockerHub.

Prerequisites

• For NGINX Ingress Controller, you must have the NGINX Ingress Controller subscription – download the NGINX Plus Ingress Controller (per instance) JWT access token from MyF5.
• To list the available image tags using the Docker registry API, you will also need to download the NGINX Plus Ingress Controller (per instance) certificate (nginx-repo.crt) and the key (nginx-repo.key) from MyF5.

Using the JWT token in a Docker Config Secret

1. Create a docker-registry secret on the cluster using the JWT token as the username and none for password (password is unused). The name of the docker server is private-registry.nginx.com. Optionally namespace the secret.

   kubectl create secret docker-registry regcred --docker-server=private-registry.nginx.com --docker-username=<JWT Token> --docker-password=none [-n nginx-ingress]
   

2. Confirm the details of the created secret by running:

   kubectl get secret regcred --output=yaml
   

3. You can now add this secret to a deployment spec or to a service account to apply to all deployments for a given SA spec. See the Create a Pod that uses your Secret and Add ImagePullSecrets to a service account documentation for more details.

4. Update the deployment spec with the chosen image path. Choose the image from the available images.

5. You can use the certificate and key from the MyF5 portal and the Docker registry API to list the available image tags for the repositories, e.g.:

   $ curl https://private-registry.nginx.com/v2/nginx-ic/nginx-plus-ingress/tags/list --key <path-to-client.key> --cert <path-to-client.cert> | jq
   {
    "name": "nginx-ic/nginx-plus-ingress",
    "tags": [
        "3.1.1-alpine",
        "3.1.1-ubi",
        "3.1.1"
    ]
    }
   
   $ curl https://private-registry.nginx.com/v2/nginx-ic-nap/nginx-plus-ingress/tags/list --key <path-to-client.key> --cert <path-to-client.cert> | jq
   {
    "name": "nginx-ic-nap/nginx-plus-ingress",
    "tags": [
        "3.1.1-ubi",
        "3.1.1"
    ]
    }
   
   $ curl https://private-registry.nginx.com/v2/nginx-ic-dos/nginx-plus-ingress/tags/list --key <path-to-client.key> --cert <path-to-client.cert> | jq
   {
    "name": "nginx-ic-dos/nginx-plus-ingress",
    "tags": [
        "3.1.1-ubi",
        "3.1.1"
    ]
    }