Important: NGINX Plus R33 requires NGINX Instance Manager 2.18 or later
To ensure uninterrupted traffic processing, upgrade to NGINX Instance Manager 2.18 or later if your NGINX data plane instances are running NGINX Plus R33. This upgrade is necessary to support usage reporting.

NGINX Plus R33 instances must send usage data to the F5 licensing endpoint or NGINX Instance Manager. If they don’t, they will stop processing user traffic.

For more information about usage reporting and enforcement, see About solution licenses.

Configurable Helm settings

Legacy 'nms' references
Some commands, file paths, and configuration references still use nms due to the ongoing transition from NGINX Management Suite (NMS) to NGINX Instance Manager (NIM). These will be updated in future releases.

This reference guide lists the configurable Helm chart parameters and default settings for NGINX Instance Manager.

NGINX Instance Manager Helm chart settings

The following table lists the configurable parameters and default values for NGINX Instance Manager when installing from a Helm chart.

To modify a configuration for an existing release, run the helm upgrade command and use -f <my-values-file>, where <my-values-file> is the path to a values file with your desired configuration.

Parameter Description Default
nms-hybrid.adminPasswordHash The hashed value of the password for the admin user.
To generate the hash using openssl, run a command like: openssl passwd -1 "YourPassword123#"
N/A
nms-hybrid.nmsClickhouse.enabled Enable this if external ClickHouse is not used. true
nms-hybrid.nmsClickhouse.fullnameOverride Modify the name of ClickHouse resources. clickhouse
nms-hybrid.nmsClickhouse.image.repository Repository name and path for the public ClickHouse image. clickhouse/clickhouse-server
nms-hybrid.nmsClickhouse.image.tag Tag used for pulling images from the registry. 21.3.20.1-alpine
nms-hybrid.nmsClickhouse.image.pullPolicy Image pull policy. IfNotPresent
nms-hybrid.nmsClickhouse.user Username to connect to the ClickHouse server. N/A
nms-hybrid.nmsClickhouse.password Password for the ClickHouse server. N/A
nms-hybrid.nmsClickhouse.service.name ClickHouse service name. clickhouse
nms-hybrid.nmsClickhouse.service.rpcPort ClickHouse service port. 9000
nms-hybrid.nmsClickhouse.resources.requests.cpu Minimum required CPU to run the ClickHouse server. 500m
nms-hybrid.nmsClickhouse.resources.requests.memory Minimum required memory to run the ClickHouse server. 1Gi
nms-hybrid.nmsClickhouse.persistence.enabled Use PVCs to persist ClickHouse data. true
nms-hybrid.nmsClickhouse.persistence.existingClaim Name of an existing Persistent Volume Claim (PVC) to use for ClickHouse persistence. N/A
nms-hybrid.nmsClickhouse.persistence.storageClass Storage class to use for creating a ClickHouse PVC.
nms-hybrid.nmsClickhouse.persistence.volumeName Name to use for a ClickHouse PVC volume.
nms-hybrid.nmsClickhouse.persistence.accessMode PVC access mode for ClickHouse. ReadWriteOnce
nms-hybrid.nmsClickhouse.persistence.size PVC size for ClickHouse. 1G
nms-hybrid.nmsClickhouse.tolerations List of Kubernetes tolerations, if any. See Kubernetes taints and tolerations
nms-hybrid.externalClickhouse.address Address of the external ClickHouse service.
nms-hybrid.externalClickhouse.user User of the external ClickHouse service.
nms-hybrid.externalClickhouse.password Password of the external ClickHouse service.
nms-hybrid.serviceAccount.annotations Set custom annotations for the service account used by NGINX Instance Manager. {}
nms-hybrid.apigw.name Name used for API Gateway resources. apigw
nms-hybrid.apigw.tlsSecret By default, this Helm chart creates its own Certificate Authority (CA) to self-sign HTTPS server cert key pairs. These are not managed by NGINX Instance Manager. You can bring your own NGINX API Gateway certificates for hosting the HTTPS server by setting tlsSecret to an existing Kubernetes secret name in the targeted namespace. The secret should include tls.crt, tls.key, and ca.pem in the data object. Using a self-provisioned “tlsSecret” is recommended for production.

Refer to the “Use your own certificates” section in Frequently used Helm configurations for an example.
nms-hybrid.apigw.image.repository Repository name and path for the apigw image. apigw
nms-hybrid.apigw.image.tag Tag used for pulling images from the registry. latest
nms-hybrid.apigw.image.pullPolicy Image pull policy. IfNotPresent
nms-hybrid.apigw.container.port.https Container HTTPS port. 443
nms-hybrid.apigw.service.name Service name. apigw
nms-hybrid.apigw.service.type Service type (options: ClusterIp, LoadBalancer, NodePort). ClusterIp
nms-hybrid.apigw.service.httpsPort Service HTTPS port. 443
nms-hybrid.apigw.resources.requests.cpu Minimum required CPU to run apigw. 250m
nms-hybrid.apigw.resources.requests.memory Minimum required memory to run apigw. 256Mi
nms-hybrid.apigw.tolerations List of Kubernetes tolerations, if any. See Kubernetes taints and tolerations
nms-hybrid.core.name Name used for core resources. core
nms-hybrid.core.image.repository Repository name and path for the core image. core
nms-hybrid.core.image.tag Tag used for pulling images from the registry. latest
nms-hybrid.core.image.pullPolicy Image pull policy. IfNotPresent
nms-hybrid.core.container.port.http Container HTTP port. 8033
nms-hybrid.core.container.port.db Container database port. 7891
nms-hybrid.core.container.port.grpc Container gRPC port. 8038
nms-hybrid.core.service.httpPort Service HTTP port. 8033
nms-hybrid.core.service.grpcPort Service gRPC port. 8038
nms-hybrid.core.resources.requests.cpu Minimum required CPU to run core. 500m
nms-hybrid.core.resources.requests.memory Minimum required memory to run core. 512Mi
nms-hybrid.core.persistence.enabled Enable persistence for core service. true
nms-hybrid.core.persistence.claims An array of persistent volume claims for Dqlite and secrets. Can be modified to use an existing PVC. See Dqlite and Secrets
nms-hybrid.core.persistence.storageClass Storage class to use for creating a core PVC.
nms-hybrid.core.persistence.volumeName Name to use for a core PVC volume.
nms-hybrid.core.tolerations List of Kubernetes tolerations, if any. See Kubernetes taints and tolerations
nms-hybrid.dpm.name Name used for dpm. dpm
nms-hybrid.dpm.image.repository Repository name and path for the dpm image. dpm
nms-hybrid.dpm.image.tag Tag used for pulling images from the registry. latest
nms-hybrid.dpm.image.pullPolicy Image pull policy. IfNotPresent
nms-hybrid.dpm.container.port.http Container HTTP port. 8034
nms-hybrid.dpm.container.port.nats Container NATS port. 9100
nms-hybrid.dpm.container.port.db Container database port. 7890
nms-hybrid.dpm.container.port.grpc Container gRPC port. 8036

NGINX Instance Manager dqlite storage configuration

  - name: dqlite
    existingClaim:
    size: 500Mi
    accessMode: ReadWriteOnce

NGINX Instance Manager secrets storage configuration

  - name: secrets
    existingClaim:
    size: 128Mi
    accessMode: ReadWriteOnce

NGINX Instance Manager NATS storage configuration

  - name: nats-streaming
    existingClaim:
    size: 1Gi
    accessMode: ReadWriteOnce

Kubernetes taints and tolerations

The following example snippet shows a toleration for an NGINX Instance Manager API Gateway deployment. In this example, Kubernetes will tolerate the “NoExecute” effect for 60 seconds before evicting the pod from the tainted node.

tolerations:
  - key: "node.kubernetes.io/unreachable"
    operator: "Exists"
    effect: "NoExecute"
    tolerationSeconds: 60
  - key: "node.kubernetes.io/network-unavailable"
    operator: "Exists"
    effect: "NoExecute"
    tolerationSeconds: 60

For more information, refer to the official Kubernetes Taints and Tolerations documentation.