Connect NGINX Plus container images to NGINX One

Overview

This guide explains how to set up an F5 NGINX Plus Docker container with NGINX Agent and connect it to the NGINX One Console.

Before you start

Before you start, make sure you have:

• A valid JSON Web Token (JWT) for your NGINX subscription.
• A data plane key from NGINX One.
• Docker installed and running on your system.

Download your JWT license from MyF5

1. Log in to MyF5.
2. Go to My Products & Plans > Subscriptions to see your active subscriptions.
3. Find your NGINX products or services subscription, and select the Subscription ID for details.
4. Download the JSON Web Token from the subscription page.

Process for private registry

Log in to the NGINX private registry

Use your JWT to log in to the NGINX private registry. Replace YOUR_JWT_HERE with your JWT.

sudo docker login private-registry.nginx.com --username=YOUR_JWT_HERE --password=none

Protect sensitive data

To protect your system and data, follow these security practices:

1. JWTs: Treat JSON Web Tokens (JWTs) as sensitive data. Store them securely and delete them after use to prevent unauthorized access.

2. Shell history: Commands with JWTs or passwords are saved in plain text in your shell history. After running such commands, clear the history to protect credentials. For example:

   • Edit your shell history file (such as ~/.bash_history or ~/.zsh_history) to remove specific commands.
   • Use history -c to clear all shell history in bash or zsh.

Pull the NGINX Plus image

Pull the NGINX Plus image from the private registry. Replace VERSION_TAG with the desired version, such as alpine, debian, or ubi.

sudo docker pull private-registry.nginx.com/nginx-plus/agent:VERSION_TAG

You must specify a version tag. The latest tag is not supported. Learn more in the Deploying NGINX and NGINX Plus on Docker guide.

Example:

To pull the debian image:

sudo docker pull private-registry.nginx.com/nginx-plus/agent:debian

Start the NGINX Plus container

Start the Docker container to connect it to NGINX One. Replace YOUR_NGINX_ONE_DATA_PLANE_KEY_HERE with your data plane key and VERSION_TAG with the version tag you pulled.

For NGINX Plus R33 or later:

• Use the NGINX_LICENSE_JWT variable to pass your JWT license. Replace YOUR_JWT_HERE with your JWT.

For more details, see About subscription licenses.

sudo docker run \
--env=NGINX_LICENSE_JWT="YOUR_JWT_HERE" \
--env=NGINX_AGENT_SERVER_GRPCPORT=443 \
--env=NGINX_AGENT_SERVER_HOST=agent.connect.nginx.com \
--env=NGINX_AGENT_SERVER_TOKEN="YOUR_NGINX_ONE_DATA_PLANE_KEY_HERE" \
--env=NGINX_AGENT_TLS_ENABLE=true \
--restart=always \
--runtime=runc \
-d private-registry.nginx.com/nginx-plus/agent:<VERSION_TAG>

Example:

To start the container with the debian image:

sudo docker run \
--env=NGINX_LICENSE_JWT="YOUR_JWT_HERE" \
--env=NGINX_AGENT_SERVER_GRPCPORT=443 \
--env=NGINX_AGENT_SERVER_HOST=agent.connect.nginx.com \
--env=NGINX_AGENT_SERVER_TOKEN="YOUR_NGINX_ONE_DATA_PLANE_KEY_HERE" \
--env=NGINX_AGENT_TLS_ENABLE=true \
--restart=always \
--runtime=runc \
-d private-registry.nginx.com/nginx-plus/agent:debian

References

For more details, see:

• Deploying NGINX and NGINX Plus on Docker
• Full List of Agent Environment Variables
• NGINX One Data Plane Keys
• My F5 Knowledge Article