docs: NIM 2.19.0 release documentation (#170)

Co-authored-by: Mike Jang <[email protected]>

Author: travisamartin

content/includes/nim/docker/docker-compose-env-vars.md

@@ -0,0 +1,26 @@
+---
+docs:
+---
+
+{{<bootstrap-table "table table-striped table-bordered">}}
+| Variable | Category | Description |
+|----------|----------|------------|
+| **NIM_LOG_LEVEL** | General | Sets the logging level for NGINX Instance Manager. |
+| **NIM_METRICS_TTL** | General | Specifies the number of days to retain metrics. |
+| **NIM_EVENTS_TTL** | General | Specifies the number of days to retain event logs. |
+| **NIM_SECURITY_TTL** | General | Specifies the number of days to retain security violation logs. |
+| **NIM_MAINTENANCE** | General | Enables maintenance mode for backup, restore, and troubleshooting (`true` or `false`). |
+| **NIM_WATCHDOG_TIMEOUT** | General | Sets the timeout (in seconds) for the Data Plane Monitoring (DPM) watchdog. |
+| **NIM_LICENSE_MODE_OF_OPERATION** | General | Sets the license mode to either `connected` (default) or `disconnected`. |
+| **PROXY_ENABLE** | Forward Proxy | Enables or disables the use of a forward proxy (`true` or `false`). |
+| **PROXY_HOST** | Forward Proxy | The IP address or hostname of the proxy server. |
+| **PROXY_PORT** | Forward Proxy | The port number of the proxy server. |
+| **PROXY_PROTOCOL** | Forward Proxy | The proxy protocol (`http` or `https`). |
+| **PROXY_AUTH_REQUIRED** | Forward Proxy | Specifies whether authentication is required for the proxy (`true` or `false`). |
+| **PROXY_USERNAME** | Forward Proxy | (Required if `PROXY_AUTH_REQUIRED=true`) The username for proxy authentication. |
+| **PROXY_PASSWORD** | Forward Proxy | (Required if `PROXY_AUTH_REQUIRED=true`) The password for proxy authentication. |
+| **PROXY_SSL_VERIFY** | Forward Proxy | Enables or disables SSL verification when `PROXY_PROTOCOL=https`. Default is `true`, meaning the proxy must have a valid certificate issued by a trusted Certificate Authority (CA). Set to `false` to allow self-signed or untrusted certificates (not recommended). |
+
+{{</bootstrap-table>}}
+
+

content/includes/nim/system-configuration/trust-proxy-ca-certificates.md

@@ -0,0 +1,18 @@
+---
+docs:
+---
+
+1. Copy the proxy CA certificate into the system’s trusted certificate directory, for example **/usr/local/share/ca-certificates/** or **/etc/ssl/certs/** (path varies by distribution).
+1. Run the appropriate command to update the system’s trusted certificates:
+
+    - **Debian/Ubuntu**:
+
+       ```bash
+       sudo update-ca-certificates
+       ``` 
+
+    - **RHEL/CentOS**:
+
+        ```shell
+        sudo update-ca-trust
+        ```

content/nap-waf/v4/admin-guide/install-nms.md

@@ -21,7 +21,7 @@ weight: 100
 
 [NGINX Management Suite Security Monitoring]({{< relref "/nms/about.md#security-monitoring" >}}) provides a centralized visualization tool that lets you analyze threats, view protection insights, and identify areas for policy tuning.
 
-- For more information on how to configure Security Monitoring, see [Set Up App Protect Instances for Security Monitoring]({{< relref "/nim/monitoring/security-monitoring/configure/set-up-app-protect-instances.md" >}}).
+- For more information on how to configure Security Monitoring, see [Set Up App Protect Instances for Security Monitoring]({{< relref "/nim/nginx-app-protect/security-monitoring/set-up-app-protect-instances.md" >}}).
 
 ---
 

content/nim/admin-guide/authentication/oidc/getting-started.md

@@ -18,6 +18,8 @@ NGINX Instance Manager’s implementation of OIDC is designed to work with any I
 
 {{<call-out "tip" "Do you need to configure a specific IdP?">}}To learn how to configure OIDC with a specific identity provider, refer to the linked topics in the [Set up specific IdPs for OIDC](#oidc-specific-idps) section at the bottom of this page.{{</call-out>}}
 
+{{<call-out "important" "OIDC is not supported in forward-proxy mode" "fa-solid fa-triangle-exclamation" >}}OpenID Connect (OIDC) authentication is not supported when NGINX Instance Manager is running in [forward-proxy mode]({{< relref "nim/system-configuration/configure-forward-proxy.md" >}}). OIDC is configured on the NGINX Plus layer and cannot pass authentication requests through a forward proxy.{{</call-out>}}
+
 ## Create roles and user groups in NGINX Instance Manager {#configure-nim}
 
 When using OIDC for authentication, administrators don't need to create and manage users in NGINX Instance Manager. Instead, they create user groups in NGINX Instance Manager that match groups in their IdP. The roles assigned to the user group set the access level and permissions for users based on their group membership. Users who aren't in a group with an assigned role won't have access to NGINX Instance Manager.

content/nim/deploy/docker/deploy-nginx-instance-manager-docker-compose.md

@@ -52,32 +52,41 @@ To set up Docker to communicate with the NGINX container registry located at `pr
 
 ### Compose deployment
 
-Navigate to the directory where you downloaded `docker-compose.yaml`. With the following commands, use docker to log in to private-registry.nginx.com and then run `docker compose up -d`.
+{{<call-out "note" "Configuring a forward proxy:" "" >}}
+
+If you are configuring a **forward proxy**, follow the steps in the [Forward Proxy Configuration Guide]({{< relref "nim/system-configuration/configure-forward-proxy.md" >}}) to modify `docker-compose.yaml` with the correct proxy settings **before** deploying NGINX Instance Manager.
+
+{{</call-out>}}
+
+Go to the directory where you downloaded `docker-compose.yaml`. Use the following commands to log in to `private-registry.nginx.com` and deploy NGINX Instance Manager.
 
 ```shell
-~$ docker login private-registry.nginx.com --username=<JWT_CONTENTS> --password=none
-~$ echo "admin" > admin_password.txt
-~$ docker compose up -d
+docker login private-registry.nginx.com --username=<JWT_CONTENTS> --password=none
+echo "admin" > admin_password.txt
+docker compose up -d
+```
+
+If the deployment succeeds, you’ll see output similar to this:
+
+```text
 [+] Running 6/6
  ✔ Network nim_clickhouse        Created   0.1s
  ✔ Network nim_external_network  Created   0.2s
  ✔ Network nim_default           Created   0.2s
  ✔ Container nim-precheck-1      Started   0.8s
  ✔ Container nim-clickhouse-1    Healthy   6.7s
  ✔ Container nim-nim-1           Started   7.4s
-```
+ ```
 
 ### Supported environment variables
 
-You may modify the following variables in the `docker-compose.yaml` file:
+{{< include "nim/docker/docker-compose-env-vars.md" >}}
+
+<br>
 
-- `NIM_LOG_LEVEL` - set the NGINX Instance Manager logging level.
-- `NIM_METRICS_TTL` - set a custom time-to-live in days value for metrics retention.
-- `NIM_EVENTS_TTL` -  set a custom time-to-live in days value for events retention.
-- `NIM_SECURITY_TTL` -  set a custom time-to-live in days value for security violation retention.
-- `NIM_MAINTENANCE` - enable maintenance mode to preform backup, restore and troubleshooting.
-- `NIM_WATCHDOG_TIMEOUT` - set a custom dpm watchdog timeout in seconds.
-- `NIM_LICENSE_MODE_OF_OPERATION` - set the NGINX Instance Manager license mode of operation to either connected or disconnected. Default is connected.
+{{<call-out "tip" "See also:" "" >}} 
+For details on configuring a forward proxy, see the [Forward Proxy Configuration Guide]({{< relref "nim/system-configuration/configure-forward-proxy.md" >}}).
+{{</call-out>}}
 
 ### Compose stop or tear down
 

content/nim/deploy/kubernetes/deploy-using-helm.md

@@ -13,16 +13,14 @@ tags:
 
 {{< include "/nim/decoupling/note-legacy-nms-references.md" >}}
 
-This guide provides a step-by-step tutorial on how to set up F5 NGINX Instance Manager on a Kubernetes cluster using Helm. You'll learn how to download and use Docker images and customize your deployment.
+This guide explains how to deploy F5 NGINX Instance Manager on a Kubernetes or OpenShift cluster using Helm. You’ll learn how to download and use Docker images and customize your deployment.
 
 ### About Helm
 
 Helm charts are pre-configured packages of Kubernetes resources deployed with a single command. They let you define, install, and upgrade Kubernetes applications easily.
 
 Helm charts consist of files that describe a group of related Kubernetes resources, like deployments, services, and ingress. They also allow you to manage dependencies between applications, making it easier to deploy multi-tier or complex applications.
 
-{{< call-out "important" "Supportability considerations" >}} NGINX Instance Manager **does not** support [OpenShift](https://www.redhat.com/en/technologies/cloud-computing/openshift). For better compatibility, use [NGINX Ingress Controller](https://docs.nginx.com/nginx-ingress-controller/). {{< /call-out >}}
-
 ---
 
 ## Before you begin
@@ -41,8 +39,6 @@ To deploy NGINX Instance Manager using a Helm chart, you need:
 
 {{< /bootstrap-table >}}
 
-
-
 ---
 
 ## Get the NGINX Instance Manager images
@@ -57,12 +53,23 @@ Create a Docker registry secret on the cluster, using the JWT token as the usern
 
 {{< note >}} Make sure there are no extra characters or spaces when copying the JWT token. They can invalidate the token and cause 401 errors during authentication. {{< /note >}}
 
-```shell
-kubectl create secret docker-registry regcred \
---docker-server=private-registry.nginx.com \
---docker-username=<JWT Token> \
---docker-password=none
-```
+- **Kubernetes**:
+
+  ```shell
+  kubectl create secret docker-registry regcred \
+  --docker-server=private-registry.nginx.com \
+  --docker-username=<JWT Token> \
+  --docker-password=none
+  ```
+
+- **OpenShift**:
+
+  ```shell
+  oc create secret docker-registry regcred \
+  --docker-server=private-registry.nginx.com \
+  --docker-username=<JWT Token> \
+  --docker-password=none
+  ```
 
 {{< warning >}} 
 
@@ -74,9 +81,18 @@ This can be ignored (since no password is used), but if others have access to th
 
 To confirm the secret is created:
 
-```shell
-kubectl get secret regcred --output=yaml
-```
+- **Kubernetes**:
+
+  ```shell
+  kubectl get secret regcred --output=yaml
+  ```
+
+- **OpenShift**:
+
+  ```shell
+  oc get secret regcred --output=yaml
+  ```
+
 
 You can now use this secret for Helm deployments and point the charts to the public registry.
 
@@ -99,14 +115,16 @@ The first command adds the `nginx-stable` repository to your local Helm repo lis
 
 ## Create a Helm deployment values.yaml file
 
-The `values.yaml` file customizes the Helm chart installation without editing the chart itself. You can specify image repositories, environment variables, resource requests, and more.
+The `values.yaml` file customizes the Helm chart installation without modifying the chart itself. You can use it to specify image repositories, environment variables, resource requests, and other settings.
 
 1. Create a `values.yaml` file similar to this example:
 
     - In the `imagePullSecrets` section, add the credentials for your private Docker registry.
     - Change the version tag to the version of NGINX Instance Manager you would like to install. See "Install the chart" below for versions.
+    - Replace `<my-docker-registry:port>` with your private Docker registry and port (if applicable).
+    - If deploying on OpenShift, add the `openshift.enabled: true` setting.
 
-    {{< see-also >}} For more on creating a secret, see Kubernetes [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). {{</ see-also >}}
+    {{< see-also >}} For details on creating a secret, see Kubernetes [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). {{</ see-also >}}
 
     ```yaml
     nms-hybrid:
@@ -138,13 +156,74 @@ The `values.yaml` file customizes the Helm chart installation without editing th
                 tag: <version>
     ```
 
-    This file specifies the Docker images for `apigw`, `core`, `dpm`, `ingestion`, `integrations`, and `utility`. It also indicates that a secret called `regcred` should be used for pulling images.
+2. Save and close the `values.yaml` file.
+
+---
+
+## Enabling OpenShift  
+
+If deploying on OpenShift, include this setting in the `values.yaml` file:
+
+```yaml
+nms-hybrid:
+  openshift:
+    enabled: true
+```
+
+### How OpenShift handles security constraints
+
+When `openshift.enabled: true` is set in the `values.yaml` file, the NGINX Instance Manager deployment automatically creates a **custom Security Context Constraint (SCC)** and links it to the Service Account used by all pods.  
+
+By default, OpenShift enforces strict security policies that require containers to run as **non-root** users. The NGINX Instance Manager deployment needs specific user IDs (UIDs) for certain services, such as **1000** for `nms` and **101** for `nginx` and `clickhouse`. Since the default SCCs do not allow these UIDs, a **custom SCC** is created. This ensures that the deployment can run with the necessary permissions while maintaining OpenShift’s security standards.  
+
+The custom SCC allows these UIDs by setting the `runAsUser` field, which controls which users can run containers. To verify that the SCC has been created, run:  
+
+```shell
+oc get scc nms-restricted-v2-scc --output=yaml
+```
 
-1. Save and close the `values.yaml` file.
 
 ---
 
 
+To apply network policies for NGINX Instance Manager, ensure Kubernetes has a [network plugin](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) installed before the Helm chart installation.
+
+By default, the following network policies will be created in the release namespace:
+
+- **Kubernetes**:
+
+  ```shell
+  kubectl get netpol -n nms
+  ```
+
+- **OpenShift**:
+
+  ```shell
+  oc get netpol -n nms
+  ```
+
+  **Output**
+
+  ```text
+  NAME           POD-SELECTOR                          AGE
+  apigw          app.kubernetes.io/name=apigw          4m47s
+  clickhouse     app.kubernetes.io/name=clickhouse     4m47s
+  core           app.kubernetes.io/name=core           4m47s
+  dpm            app.kubernetes.io/name=dpm            4m47s
+  ingestion      app.kubernetes.io/name=ingestion      4m47s
+  integrations   app.kubernetes.io/name=integrations   4m47s
+  utility        app.kubernetes.io/name=integrations   4m47s
+  ```
+
+To disable network policies, update the `values.yaml` file:
+
+```yaml
+networkPolicies:
+    # Set this to true to enable network policies for NGINX Instance Manager.
+    enabled: false
+```
+
+---
 
 ## Install the chart