From 70d10c19ad00b5d50756ad234fc333208e44f7e3 Mon Sep 17 00:00:00 2001 From: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> Date: Wed, 13 May 2026 10:21:02 +0100 Subject: [PATCH] NGF: Add supported images to tech specs and guidance around WAF images --- content/ngf/install/helm.md | 2 + content/ngf/install/nginx-plus.md | 2 + .../ngf/overview/technical-specifications.md | 52 +++++++++++ content/ngf/waf-integration/configuration.md | 86 ++++++++++++++++++- 4 files changed, 140 insertions(+), 2 deletions(-) diff --git a/content/ngf/install/helm.md b/content/ngf/install/helm.md index 23259bd2d..a8634fac9 100644 --- a/content/ngf/install/helm.md +++ b/content/ngf/install/helm.md @@ -20,6 +20,8 @@ To complete this guide, you will need: - [Helm 3.0 or later](https://helm.sh/docs/intro/install/), for deploying and managing applications on Kubernetes. - [Add certificates for secure authentication]({{< ref "/ngf/install/secure-certificates.md" >}}) in a production environment. +For a list of available images and their registries, see [Supported container images]({{< ref "/ngf/overview/technical-specifications.md#supported-container-images" >}}). + {{< call-out "important" >}} If you’d like to use NGINX Plus, some additional setup is also required: {{< /call-out >}} {{< details summary="NGINX Plus JWT setup" >}} diff --git a/content/ngf/install/nginx-plus.md b/content/ngf/install/nginx-plus.md index a988fd5f7..065b5f289 100644 --- a/content/ngf/install/nginx-plus.md +++ b/content/ngf/install/nginx-plus.md 
@@ -192,6 +192,8 @@ docker pull private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:{{< versi Once you have successfully pulled the image, you can tag it as needed, then push it to a different container registry. +For a complete list of available NGINX Plus images, including UBI-based and WAF variants, see [Supported container images]({{< ref "/ngf/overview/technical-specifications.md#supported-container-images" >}}). + ## Alternative installation options There are alternative ways to get an NGINX Plus image for NGINX Gateway Fabric: diff --git a/content/ngf/overview/technical-specifications.md b/content/ngf/overview/technical-specifications.md index 1f594dd0b..309cca323 100644 --- a/content/ngf/overview/technical-specifications.md +++ b/content/ngf/overview/technical-specifications.md @@ -45,6 +45,58 @@ The following table lists the OpenShift versions and Operator versions compatibl NGINX Gateway Fabric is conformant with the Gateway API version installed on supported OCP versions. The "OCP with Preferred GWAPI" column shows which OCP versions ship with the preferred Gateway API version. On OCP versions with an older Gateway API installed, NGF remains fully conformant with that installed version, but features from newer Gateway API versions that NGF supports will be unavailable. +## Supported container images + +NGINX Gateway Fabric provides container images for the control plane and the NGINX data plane. All images are available for `amd64` and `arm64` architectures unless otherwise noted. + +### Control plane images + +The control plane image contains the NGINX Gateway Fabric binary. + +| Name | Base image | Image | Architectures | +|-----------------|-----------------------|--------------------------------------------------------------|----------------| +| Default image | `scratch` | `ghcr.io/nginx/nginx-gateway-fabric:{{< version-ngf >}}` | amd64
arm64 | +| UBI-based image | `redhat/ubi9-minimal` | `ghcr.io/nginx/nginx-gateway-fabric:{{< version-ngf >}}-ubi` | amd64
arm64 | + +### Data plane images with NGINX + +_All images include NGINX 1.30.0._ + +| Name | Base image | Image | Architectures | +|-----------------|----------------------------|--------------------------------------------------------------------|----------------| +| Default image | `nginx:1.30.0-alpine-otel` | `ghcr.io/nginx/nginx-gateway-fabric/nginx:{{< version-ngf >}}` | amd64
arm64 | +| UBI-based image | `redhat/ubi9-minimal` | `ghcr.io/nginx/nginx-gateway-fabric/nginx:{{< version-ngf >}}-ubi` | amd64
arm64 | + +### Data plane images with NGINX Plus + +NGINX Plus images are available through the F5 Container registry `private-registry.nginx.com`. For setup instructions and authentication details, see [Install NGINX Gateway Fabric with NGINX Plus]({{< ref "/ngf/install/nginx-plus.md" >}}). + +_All images include NGINX Plus R36._ + +| Name | Base image | Image | Architectures | +|---------------------------------------|-----------------------|--------------------------------------------------------------------------------------------|----------------| +| Default image | `alpine:3.22` | `private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:{{< version-ngf >}}` | amd64
arm64 | +| UBI-based image | `redhat/ubi9-minimal` | `private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:{{< version-ngf >}}-ubi` | amd64
arm64 | +| Default image with F5 WAF for NGINX | `alpine:3.22` | `private-registry.nginx.com/nginx-gateway-fabric/nginx-plus-f5waf:{{< version-ngf >}}` | amd64 | +| UBI-based image with F5 WAF for NGINX | `redhat/ubi9-minimal` | `private-registry.nginx.com/nginx-gateway-fabric/nginx-plus-f5waf:{{< version-ngf >}}-ubi` | amd64 | + +### WAF sidecar images + +When F5 WAF for NGINX is enabled, two additional sidecar containers are deployed alongside the NGINX container. These images are available from the F5 Container registry. + +| Name | Image | Architectures | +|--------------------|---------------------------------------------------------------------------------|-------| +| WAF Enforcer | `private-registry.nginx.com/nap/waf-enforcer:{{< ngf-waf-release-version >}}` | amd64 | +| WAF Config Manager | `private-registry.nginx.com/nap/waf-config-mgr:{{< ngf-waf-release-version >}}` | amd64 | + +For more information on WAF integration, see [F5 WAF for NGINX overview]({{< ref "/ngf/waf-integration/overview.md" >}}). + +### Custom images + +You can build custom NGINX Gateway Fabric images from source. For instructions, see [Build NGINX Gateway Fabric]({{< ref "/ngf/install/build-image.md" >}}). + +--- + ## Gateway API compatibility The following tables summarizes which Gateway API resources NGINX Gateway Fabric supports and to which level. diff --git a/content/ngf/waf-integration/configuration.md b/content/ngf/waf-integration/configuration.md index 9a0ed79d5..b9f1eaa51 100644 --- a/content/ngf/waf-integration/configuration.md +++ b/content/ngf/waf-integration/configuration.md 
@@ -4,10 +4,10 @@ weight: 400 toc: true f5-content-type: how-to f5-product: FABRIC -f5-description: Configure security logging, polling, TLS, authentication, cookie seed, bundle integrity, and fail-open behavior for F5 WAF for NGINX. +f5-description: Configure security logging, polling, TLS, authentication, cookie seed, bundle integrity, fail-open behavior, and WAF container settings for F5 WAF for NGINX. --- -This page covers operational configuration for F5 WAF for NGINX in NGINX Gateway Fabric: security logging, automatic policy updates, TLS and authentication, bundle integrity verification, cookie seed management, and fetch failure handling. +This page covers operational configuration for F5 WAF for NGINX in NGINX Gateway Fabric: security logging, automatic policy updates, TLS and authentication, bundle integrity verification, cookie seed management, fetch failure handling, and WAF container settings. --- 
@@ -250,10 +250,92 @@ NGINX Gateway Fabric retries on the next reconciliation or poll cycle. No manual --- +## Configure WAF containers + +When WAF is enabled, NGINX Gateway Fabric deploys two sidecar containers — `waf-enforcer` and `waf-config-mgr` — alongside the main NGINX container. You can customize the image, resource requirements, and additional volume mounts for each container using the `NginxProxy` resource. + +These settings are configured under `spec.kubernetes.deployment.wafContainers` (or `spec.kubernetes.daemonSet.wafContainers` for DaemonSet mode). This follows the same infrastructure configuration pattern described in [Configure infrastructure-related settings]({{< ref "/ngf/how-to/data-plane-configuration.md#configure-infrastructure-related-settings" >}}). For the full list of configurable fields, see the `NginxProxy` spec in the [API reference]({{< ref "/ngf/reference/api.md" >}}). + +Each container (`enforcer` and `configManager`) supports the following fields: + +- **`image`**: Override the default image repository, tag, and pull policy. If not specified, NGINX Gateway Fabric uses the defaults from the F5 Container registry. For the default images, see [Supported container images]({{< ref "/ngf/overview/technical-specifications.md#supported-container-images" >}}). +- **`resources`**: Set CPU and memory requests and limits. +- **`volumeMounts`**: Add extra volume mounts. NGINX Gateway Fabric automatically configures the shared volumes required for communication between the NGINX, `waf-enforcer`, and `waf-config-mgr` containers. Additional mounts are appended to these defaults. 
+ +The following example uses custom images from a private registry and sets resource requirements for both containers: + +```yaml +apiVersion: gateway.nginx.org/v1alpha2 +kind: NginxProxy +metadata: + name: waf-enabled-proxy +spec: + waf: + enable: true + kubernetes: + deployment: + wafContainers: + enforcer: + image: + repository: registry.example.com/nap/waf-enforcer + tag: "5.12.1" + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "1" + memory: 1Gi + configManager: + image: + repository: registry.example.com/nap/waf-config-mgr + tag: "5.12.1" + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + cpu: 500m + memory: 256Mi +``` + +When installing with Helm, set the equivalent values under `nginx.wafContainers`: + +```yaml +# values.yaml +nginx: + config: + waf: + enable: true + wafContainers: + enforcer: + image: + repository: registry.example.com/nap/waf-enforcer + tag: "5.12.1" + resources: + requests: + cpu: 100m + memory: 128Mi + configManager: + image: + repository: registry.example.com/nap/waf-config-mgr + tag: "5.12.1" + resources: + requests: + cpu: 50m + memory: 64Mi +``` + +{{< call-out "note" >}} Image pull Secrets for private registries must be configured at install time using the `nginx.imagePullSecret` or `nginx.imagePullSecrets` Helm values (or the `--nginx-docker-secret` flag for manifest installs). The control plane copies these Secrets into any namespace where NGINX is deployed. For details, see [Install NGINX Gateway Fabric with NGINX Plus]({{< ref "/ngf/install/nginx-plus.md" >}}). 
{{< /call-out >}} + +--- + ## See also - [F5 WAF for NGINX overview]({{< ref "/ngf/waf-integration/overview.md" >}}) - [Configure policy sources (NGINX Instance Manager and NGINX One Console)]({{< ref "/ngf/waf-integration/policy-sources.md" >}}) +- [Configure infrastructure-related settings]({{< ref "/ngf/how-to/data-plane-configuration.md#configure-infrastructure-related-settings" >}}) - [Troubleshoot WAFPolicy status]({{< ref "/ngf/waf-integration/troubleshooting.md" >}}) +- [Supported container images]({{< ref "/ngf/overview/technical-specifications.md#supported-container-images" >}}) - [WAFPolicy and NginxProxy API reference]({{< ref "/ngf/reference/api.md" >}}) - [Build and use the compiler tool]({{< ref "/waf/configure/compiler.md" >}})
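Review bot: In content/ngf/install/nginx-plus.md, the sentence added after the `docker pull` step advertises "UBI-based and WAF variants" without saying that the WAF variants are amd64 only, which is what the Architectures column of the table added in technical-specifications.md by this same patch shows for both `nginx-plus-f5waf` rows. A reader on arm64 nodes will only find this out after following the link. Suggest adding a short qualifier here, for example "(WAF variants are amd64 only)", and repeating it as a sentence under the NGINX Plus table, since that section opens with "All images are available for `amd64` and `arm64` architectures unless otherwise noted".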
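Review bot: In content/ngf/overview/technical-specifications.md, the new "Supported container images" section hard-codes `NGINX 1.30.0`, `nginx:1.30.0-alpine-otel`, `NGINX Plus R36` and `alpine:3.22` directly beside image references that use the `{{< version-ngf >}}` and `{{< ngf-waf-release-version >}}` shortcodes, so the tags will track the release while the base image and NGINX versions quietly go stale. Suggest sourcing these from shortcodes too, or stating which NGINX Gateway Fabric release the literal versions apply to. Separately, the WAF sidecar table's separator row is narrower than its "Architectures" header (`|-------|`), unlike the other three tables; aligning it keeps the Markdown source consistent.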
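Review bot: In content/ngf/waf-integration/configuration.md, under "Configure WAF containers", the Helm `values.yaml` example is introduced as "the equivalent values" but sets only `requests` for `enforcer` and `configManager`, while the `NginxProxy` example above it also sets `limits`. Either add the same `limits` blocks or say the Helm example is abbreviated, otherwise readers copying the Helm form get sidecars with no CPU or memory ceiling. Both examples also hard-code `tag: "5.12.1"` where the technical specifications page uses `{{< ngf-waf-release-version >}}`, so the examples can drift from the supported sidecar version; using the shortcode would keep them in step. Finally, the call-out says the control plane "copies these Secrets into any namespace where NGINX is deployed"; it is worth one more sentence telling operators that the registry credential is therefore readable by anyone with Secret read access in those namespaces, and recommending a pull-only, narrowly scoped credential.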