From d18cd97686d51c64cdcaa7f5936b5b9150587f7b Mon Sep 17 00:00:00 2001
From: Chris Lovering
Date: Wed, 27 May 2026 18:59:43 +0100
Subject: [PATCH 1/3] Move mTLS CA cert mount out of /etc/nginx to avoid agent backup failure
---
 kubernetes/namespaces/nginx-gateway/snippets/policy-mtls.yaml | 2 +-
 kubernetes/namespaces/nginx-gateway/values.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kubernetes/namespaces/nginx-gateway/snippets/policy-mtls.yaml b/kubernetes/namespaces/nginx-gateway/snippets/policy-mtls.yaml
index d88ee2dd..64a97e0d 100644
--- a/kubernetes/namespaces/nginx-gateway/snippets/policy-mtls.yaml
+++ b/kubernetes/namespaces/nginx-gateway/snippets/policy-mtls.yaml
@@ -11,7 +11,7 @@ spec:
 snippets:
 - context: http.server
 value: |
- ssl_client_certificate /etc/nginx/mtls-ca.crt;
+ ssl_client_certificate /etc/ssl/nginx/mtls-ca.crt;
 ssl_verify_client optional;
 ssl_verify_depth 1;
 set_real_ip_from 0.0.0.0/0;
diff --git a/kubernetes/namespaces/nginx-gateway/values.yaml b/kubernetes/namespaces/nginx-gateway/values.yaml
index b14142b6..92b41f92 100644
--- a/kubernetes/namespaces/nginx-gateway/values.yaml
+++ b/kubernetes/namespaces/nginx-gateway/values.yaml
@@ -19,7 +19,7 @@ nginx:
 container:
 volumeMounts:
 - name: mtls-client-crt-bundle
- mountPath: /etc/nginx/mtls-ca.crt
+ mountPath: /etc/ssl/nginx/mtls-ca.crt
 subPath: ca.crt
 config:
From db54c6d85c0355a296ec5767cb3a416eda4fe2ff Mon Sep 17 00:00:00 2001
From: Chris Lovering
Date: Wed, 27 May 2026 19:08:35 +0100
Subject: [PATCH 2/3] Update nginx-gateway README with CRD install steps
---
 kubernetes/namespaces/nginx-gateway/README.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/kubernetes/namespaces/nginx-gateway/README.md b/kubernetes/namespaces/nginx-gateway/README.md
index 187d70c6..aac6b11d 100644
--- a/kubernetes/namespaces/nginx-gateway/README.md
+++ b/kubernetes/namespaces/nginx-gateway/README.md
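Review bot: In the policy-mtls.yaml hunk, the context line `set_real_ip_from 0.0.0.0/0;` sits next to `ssl_verify_client optional;`, so a peer that presents no client certificate still completes the handshake and is still treated as a trusted source for the real-IP header. Unless every route rejects requests where `$ssl_client_verify` is not `SUCCESS`, the client address used in logs and any IP-based rules can be supplied by the caller; that check and the `real_ip_header` directive are outside this hunk, so it may already be covered. If the gateway only ever sits behind a known proxy range, narrowing the directive to that range, `set_real_ip_from <PROXY_CIDR>;` (placeholder), removes the dependency. The snippet continues past the end of the hunk.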
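Review bot: In the values.yaml hunk, the new mount still uses `subPath: ca.crt`, and Kubernetes does not refresh a subPath-mounted file when the backing ConfigMap or Secret changes, so a rotated or withdrawn client CA would keep being trusted by running pods until they are recreated. The source of the `mtls-client-crt-bundle` volume is outside the hunk, so this is inferred from the mount alone. I would add a comment above the mount, `# subPath mounts are not updated in place: restart the NGINX pods after changing the CA bundle`, and a second one noting that `mountPath` must match `ssl_client_certificate` in `snippets/policy-mtls.yaml`, since the path is now repeated in two files.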
@@ -13,9 +13,10 @@ We use NGINX Gateway Fabric to manage our ingress traffic. This replaced the pre
 ## Helm Installation of Gateway Fabric control plane
-1. Create NGINX CRDs with `kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/standard?ref=v2.5.1" | kubectl apply -f -`
-2. Run `helm install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway -f values.yaml` to install NGINX Gateway Fabric using Helm.
-3. Wait for the installation to complete with `kubectl wait --timeout=5m -n nginx-gateway deployment/ngf-nginx-gateway-fabric --for=condition=Available`
+1. Create NGINX CRDs with `kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/standard?ref=v2.6.2" | kubectl apply -f -`
+2. Install NGF-specific CRDs `helm show crds oci://ghcr.io/nginx/charts/nginx-gateway-fabric --version 2.6.2 | kubectl apply --server-side -f -`
+3. Install the Helm chart `helm install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway -f values.yaml`
+4. Wait for the installation to complete with `kubectl wait --timeout=5m -n nginx-gateway deployment/ngf-nginx-gateway-fabric --for=condition=Available`
 NOTE: To upgrade/change values, switch from `helm install` to `helm upgrade`.
From 35070901f94a63dba014792655f2f81c51f614b2 Mon Sep 17 00:00:00 2001
From: Chris Lovering
Date: Wed, 27 May 2026 20:01:00 +0100
Subject: [PATCH 3/3] Also pin version of ngf installed/upgraded in readme
---
 kubernetes/namespaces/nginx-gateway/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kubernetes/namespaces/nginx-gateway/README.md b/kubernetes/namespaces/nginx-gateway/README.md
index aac6b11d..7d2252bc 100644
--- a/kubernetes/namespaces/nginx-gateway/README.md
+++ b/kubernetes/namespaces/nginx-gateway/README.md
@@ -15,7 +15,7 @@ We use NGINX Gateway Fabric to manage our ingress traffic. This replaced the pre
 1. Create NGINX CRDs with `kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/standard?ref=v2.6.2" | kubectl apply -f -`
 2. Install NGF-specific CRDs `helm show crds oci://ghcr.io/nginx/charts/nginx-gateway-fabric --version 2.6.2 | kubectl apply --server-side -f -`
-3. Install the Helm chart `helm install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway -f values.yaml`
+3. Install the Helm chart `helm install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric --version 2.6.2 --create-namespace -n nginx-gateway -f values.yaml`
 4. Wait for the installation to complete with `kubectl wait --timeout=5m -n nginx-gateway deployment/ngf-nginx-gateway-fabric --for=condition=Available`
 NOTE: To upgrade/change values, switch from `helm install` to `helm upgrade`.