From fd48e4bfc3e06e723b3e732c9f0c5dac52da43ae Mon Sep 17 00:00:00 2001
From: zahava-brown <127731351+zahava-brown@users.noreply.github.com>
Date: Mon, 8 Sep 2025 16:07:55 +0300
Subject: [PATCH 1/6] feat: PLM Overview and Installation (#1060)

* PLM Overview and Installation

* fix: remove redundant section

* fix: MR comments

* chore: added doc dor new directive
---
 content/nap-waf/v5/admin-guide/overview.md    |   8 +
 .../policy-lifecycle-management.md            | 422 ++++++++++++++++++
 .../v5/configuration-guide/configuration.md   |   1 +
 3 files changed, 431 insertions(+)
 create mode 100644 content/nap-waf/v5/admin-guide/policy-lifecycle-management.md

diff --git a/content/nap-waf/v5/admin-guide/overview.md b/content/nap-waf/v5/admin-guide/overview.md
index 563b1e637..71e040735 100644
--- a/content/nap-waf/v5/admin-guide/overview.md
+++ b/content/nap-waf/v5/admin-guide/overview.md
@@ -66,6 +66,14 @@ Use the [NGINX App Protect WAF Compiler]({{< ref "/nap-waf/v5/admin-guide/compil
 
 For signature updates, read the [Update App Protect Signatures]({{< ref "/nap-waf/v5/admin-guide/compiler.md#update-app-protect-signatures" >}}) section of the compiler documentation.
 
+## Policy Lifecycle Management
+
+NGINX App Protect WAF v5 introduces Policy Lifecycle Management (PLM) as a comprehensive solution for automating the management, compilation, and deployment of security policies within Kubernetes environments. PLM extends the WAF compiler capabilities by providing a native Kubernetes operator-based approach to policy orchestration.
+
+The Policy Lifecycle Management system is architected around a **Policy Controller** that implements the Kubernetes operator pattern to manage the complete lifecycle of WAF security artifacts. The system addresses the fundamental challenge of policy distribution at scale by eliminating manual intervention points and providing a declarative configuration model through Custom Resource Definitions (CRDs) for policies, logging profiles, signatures, and user-defined signatures.
+
+For detailed information about PLM architecture, functional components, and deployment procedures, see [Policy Lifecycle Management Guide]({{< ref "/nap-waf/v5/admin-guide/policy-lifecycle-management.md" >}}).
+
 ---
 
 ## Transitioning from NGINX App Protect WAF v4 to v5
diff --git a/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md b/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md
new file mode 100644
index 000000000..46fbf4785
--- /dev/null
+++ b/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md
@@ -0,0 +1,422 @@
+---
+title: Policy Lifecycle Management
+weight: 200
+toc: true
+type: how-to
+product: NAP-WAF
+---
+
+## Overview
+
+Policy Lifecycle Management (PLM) provides a comprehensive solution for automating the management, compilation, and deployment of security policies within Kubernetes environments. PLM extends the WAF compiler capabilities by providing a native Kubernetes operator-based approach to policy orchestration.
+
+The Policy Lifecycle Management system is architected around a **Policy Controller** that implements the Kubernetes operator pattern to manage the complete lifecycle of WAF security artifacts. The system addresses the fundamental challenge of policy distribution at scale by eliminating manual intervention points and providing a declarative configuration model through Custom Resource Definitions (CRDs) for policies, logging profiles, signatures, and user-defined signatures.
+
+## Prerequisites
+
+Before deploying Policy Lifecycle Management, ensure you have the following prerequisites:
+
+### System Requirements
+
+- Kubernetes cluster (tested with k3s)
+- Helm 3 installed
+- Docker installed and configured
+- NGINX Docker Image
+- NGINX JWT License
+- Docker registry credentials for private-registry.nginx.com
+
+### Custom Resource Definitions (CRDs)
+
+Policy Lifecycle Management requires specific Custom Resource Definitions to be applied before deployment. These CRDs define the resources that the Policy Controller manages:
+
+**Required CRDs:**
+- `appolicies.appprotect.f5.com` - Defines WAF security policies
+- `aplogconfs.appprotect.f5.com` - Manages logging profiles and configurations  
+- `apusersigs.appprotect.f5.com` - Handles user-defined signatures
+- `apsignatures.appprotect.f5.com` - Manages signature updates and collections
+
+Apply the CRDs using the following command:
+```bash
+kubectl apply -f crds/
+```
+
+### NGINX Configuration
+
+Policy Lifecycle Management requires specific NGINX configuration to integrate with the Policy Controller. The key directive `app_protect_default_config_source` must be set to `"custom-resource"` to enable PLM integration.
+
+**Required NGINX Configuration:**
+
+```nginx
+user nginx;
+worker_processes auto;
+
+load_module modules/ngx_http_app_protect_module.so;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+    '$status $body_bytes_sent "$http_referer" '
+    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log stdout main;
+    sendfile on;
+    keepalive_timeout 65;
+
+    app_protect_enforcer_address 127.0.0.1:50000;
+
+    # Enable Policy Lifecycle Management
+    app_protect_default_config_source "custom-resource";
+
+    app_protect_security_log_enable on;
+    app_protect_security_log my-logging-cr /opt/app_protect/bd_config/s.log;
+
+    server {
+        listen       80;
+        server_name  localhost;
+        proxy_http_version 1.1;
+
+        location / {
+            app_protect_enable on;
+
+            # Reference to Custom Resource policy name
+            app_protect_policy_file my-policy-cr;
+
+            client_max_body_size 0;
+            default_type text/html;
+            proxy_pass  http://127.0.0.1/proxy$request_uri;
+        }
+       
+        location /proxy {
+            app_protect_enable off;
+            client_max_body_size 0;
+            default_type text/html;
+            return 200 "Hello! I got your URI request - $request_uri\n";
+        }
+    }
+}
+```
+
+**Key PLM-specific directives:**
+- `app_protect_default_config_source "custom-resource"` - Enables Policy Controller integration
+- `app_protect_policy_file my-policy-cr` - References the Custom Resource policy name instead of bundle file paths
+- `app_protect_security_log my-logging-cr` - References the Custom Resource logging configuration name
+
+## Helm Chart Configuration
+
+Policy Lifecycle Management is deployed as part of the NGINX App Protect Helm chart. To enable PLM, you must configure the Policy Controller settings in your `values.yaml` file.
+
+### Enabling Policy Controller
+
+Set the following configuration in your `values.yaml`:
+
+```yaml
+appprotect:
+  policyController:
+    enable: true
+    replicas: 1
+    image:
+      repository: private-registry.nginx.com/nap/waf-policy-controller
+      tag: 5.8.0
+      imagePullPolicy: IfNotPresent
+    wafCompiler:
+      image:
+        repository: private-registry.nginx.com/nap/waf-compiler
+        tag: 5.8.0
+    enableJobLogSaving: false
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+```
+
+### NGINX Repository Configuration
+
+To enable signature updates with the APSignatures CRD, configure the NGINX repository credentials:
+
+```yaml
+appprotect:
+  nginxRepo:
+    nginxCrt: <base64-encoded-cert>
+    nginxKey: <base64-encoded-key>
+```
+
+## Installation Flow
+
+### Step-by-Step Installation Process
+
+1. **Prepare Environment Variables**
+   
+   Set the required environment variables:
+   ```bash
+   export JWT=<your-nginx-jwt-token>
+   export NGINX_REGISTRY_TOKEN=<base64-encoded-docker-credentials>
+   export NGINX_CERT=<base64-encoded-nginx-cert>
+   export NGINX_KEY=<base64-encoded-nginx-key>
+   ```
+
+2. **Pull the Helm Chart**
+   
+   Login to the registry and pull the chart:
+   ```bash
+   helm registry login private-registry.nginx.com
+   helm pull oci://private-registry.nginx.com/nap/nginx-app-protect --version <release-version> --untar
+   cd nginx-app-protect
+   ```
+
+3. **Apply Custom Resource Definitions**
+   
+   Apply the required CRDs before deploying the chart:
+   ```bash
+   kubectl apply -f crds/
+   ```
+
+4. **Create Storage**
+   
+   Create the directory and persistent volume for policy bundles:
+   ```bash
+   mkdir -p /mnt/nap5_bundles_pv_data
+   chown -R 101:101 /mnt/nap5_bundles_pv_data
+   kubectl apply -f <your-pv-yaml-file>
+   ```
+   
+   {{< call-out "note" >}}
+   The PV name defaults to `<release-name>-bundles-pv`, but can be customized using the `appprotect.storage.pv.name` setting in your values.yaml file.
+   {{< /call-out >}}
+
+5. **Configure Docker Registry Credentials**
+   
+   Create the Docker registry secret or configure in values.yaml:
+   ```bash
+   kubectl create secret docker-registry regcred -n <namespace> \
+     --docker-server=private-registry.nginx.com \
+     --docker-username=<JWT-Token> \
+     --docker-password=none
+   ```
+
+6. **Deploy the Helm Chart with Policy Controller**
+   
+   Install the chart with Policy Controller enabled:
+   ```bash
+   helm install <release-name> . \
+     --namespace <namespace> \
+     --create-namespace \
+     --set appprotect.policyController.enable=true \
+     --set dockerConfigJson=$NGINX_REGISTRY_TOKEN \
+     --set appprotect.config.nginxJWT=$JWT \
+     --set appprotect.nginxRepo.nginxCert=$NGINX_CERT \
+     --set appprotect.nginxRepo.nginxKey=$NGINX_KEY
+   ```
+
+7. **Verify Installation**
+   
+   Check that all components are deployed successfully:
+   ```bash
+   kubectl get pods -n <namespace>
+   kubectl get crds | grep appprotect.f5.com
+   kubectl get all -n <namespace>
+   ```
+
+## Using Policy Lifecycle Management
+
+### Creating Policy Resources
+
+Once PLM is deployed, you can create policy resources using Kubernetes manifests. Apply the following Custom Resource examples or create your own based on these templates:
+
+**Sample APPolicy Resource:**
+
+Create a file named `dataguard-blocking-policy.yaml` with the following content:
+
+```yaml
+apiVersion: appprotect.f5.com/v1
+kind: APPolicy
+metadata:
+  name: dataguard-blocking
+spec:
+  policy:
+    name: dataguard_blocking
+    template:
+      name: POLICY_TEMPLATE_NGINX_BASE
+    applicationLanguage: utf-8
+    enforcementMode: blocking
+    blocking-settings:
+      violations:
+        - name: VIOL_DATA_GUARD
+          alarm: true
+          block: true
+    data-guard:
+      enabled: true
+      maskData: true
+      creditCardNumbers: true
+      usSocialSecurityNumbers: true
+      enforcementMode: ignore-urls-in-list
+      enforcementUrls: []
+```
+
+Apply the policy:
+```bash
+kubectl apply -f dataguard-blocking-policy.yaml -n <namespace>
+```
+
+**Sample APUserSig Resource:**
+
+Create a file named `apple-usersig.yaml` with the following content:
+
+```yaml
+apiVersion: appprotect.f5.com/v1
+kind: APUserSig
+metadata:
+  name: apple
+spec:
+  signatures:
+    - accuracy: medium
+      attackType:
+        name: Brute Force Attack
+      description: Medium accuracy user defined signature with tag (Fruits)
+      name: Apple_medium_acc
+      risk: medium
+      rule: content:"apple"; nocase;
+      signatureType: request
+      systems:
+        - name: Microsoft Windows
+        - name: Unix/Linux
+  tag: Fruits
+```
+
+Apply the user signature:
+```bash
+kubectl apply -f apple-usersig.yaml -n <namespace>
+```
+
+### Monitoring Policy Status
+
+Check the status of your policy resources:
+
+```bash
+kubectl get appolicy -n <namespace>
+kubectl describe appolicy <policy-name> -n <namespace>
+```
+
+The Policy Controller will show status information including:
+- Bundle location
+- Compilation status
+- Signature update timestamps
+
+## Confirming Setup is Functioning
+
+### 1. Test Policy Compilation
+
+Apply one of the sample policy Custom Resources to verify PLM is working correctly. For example, using the dataguard policy you created earlier:
+
+```bash
+kubectl apply -f dataguard-blocking-policy.yaml -n <namespace>
+```
+
+### 2. Check Policy Compilation Status
+
+Verify that the policy has been compiled successfully by checking the Custom Resource status:
+
+```bash
+kubectl get appolicy <custom-resource-name> -n <namespace> -o yaml
+```
+
+You should see output similar to this, with `state: ready` and no errors:
+
+```yaml
+status:
+  bundle:
+    compilerVersion: 11.553.0
+    location: /etc/app_protect/bundles/dataguard-blocking-policy/dataguard-blocking_policy20250904100458.tgz
+    signatures:
+      attackSignatures: "2025-08-28T01:16:06Z"
+      botSignatures: "2025-08-27T11:35:31Z"
+      threatCampaigns: "2025-08-25T09:57:39Z"
+    state: ready
+  processing:
+    datetime: "2025-09-04T10:05:52Z"
+    isCompiled: true
+```
+
+### 3. Verify Policy Controller Logs
+
+Check the Policy Controller logs for expected compilation messages:
+
+```bash
+kubectl logs <policy-controller-pod> -n <namespace>
+```
+
+Look for successful compilation messages like:
+
+```
+2025-09-04T10:05:52Z    INFO    Job is completed        {"controller": "appolicy", "controllerGroup": "appprotect.f5.com", "controllerKind": "APPolicy", "APPolicy": {"name":"dataguard-blocking","namespace":"localenv-plm"}, "namespace": "localenv-plm", "name": "dataguard-blocking", "reconcileID": "6bab7054-8a8a-411f-8ecc-01399a308ef6", "job": "dataguard-blocking-appolicy-compile"}
+
+2025-09-04T10:05:52Z    INFO    job state is    {"controller": "appolicy", "controllerGroup": "appprotect.f5.com", "controllerKind": "APPolicy", "APPolicy": {"name":"dataguard-blocking","namespace":"localenv-plm"}, "namespace": "localenv-plm", "name": "dataguard-blocking", "reconcileID": "6bab7054-8a8a-411f-8ecc-01399a308ef6", "job": "dataguard-blocking-appolicy-compile", "state": "ready"}
+
+2025-09-04T10:05:52Z    INFO    bundle state was changed        {"controller": "appolicy", "controllerGroup": "appprotect.f5.com", "controllerKind": "APPolicy", "APPolicy": {"name":"dataguard-blocking","namespace":"localenv-plm"}, "namespace": "localenv-plm", "name": "dataguard-blocking", "reconcileID": "6bab7054-8a8a-411f-8ecc-01399a308ef6", "job": "dataguard-blocking-appolicy-compile", "from": "processing", "to": "ready"}
+```
+
+### 4. Verify Bundle Creation
+
+Check that the policy bundle has been created in the shared volume directory:
+
+```bash
+ls -la /mnt/nap5_bundles_pv_data/dataguard-blocking-policy/
+```
+
+You should see the compiled policy bundle file in the directory structure.
+
+### 5. Test Policy Enforcement
+
+To verify that the policy bundles are being deployed and enforced correctly:
+
+1. **Update NGINX Configuration**
+   
+   Use the Custom Resource name in your NGINX configuration:
+   ```nginx
+   app_protect_policy_file dataguard-blocking;
+   ```
+
+2. **Reload NGINX**
+   
+   Reload NGINX to apply the new policy:
+   ```bash
+   nginx -s reload
+   ```
+
+3. **Test Policy Enforcement**
+   
+   Send a request that should be blocked by the dataguard policy to verify it's working:
+   ```bash
+   curl "http://[CLUSTER-IP]:80/?a=<script>"
+   ```
+   
+   The request should be blocked, confirming that PLM has successfully compiled and deployed the policy.
+
+## Troubleshooting
+
+### Common Issues
+
+**Policy Controller Not Starting**
+- Verify CRDs are installed: `kubectl get crds | grep appprotect.f5.com`
+- Check pod logs: `kubectl logs <policy-controller-pod> -n <namespace>`
+- Ensure proper RBAC permissions are configured
+
+**Policy Compilation Failures**
+- Check Policy Controller logs for compilation errors
+- Verify WAF compiler image is accessible
+- Ensure policy syntax is valid
+
+**Bundle Storage Issues**  
+- Verify persistent volume is properly mounted
+- Check storage permissions (should be 101:101)
+- Confirm PVC is bound to the correct PV
+
+For additional troubleshooting information, see the [Troubleshooting Guide]({{< ref "/nap-waf/v5/troubleshooting-guide/troubleshooting.md#nginx-app-protect-5" >}}).
diff --git a/content/nap-waf/v5/configuration-guide/configuration.md b/content/nap-waf/v5/configuration-guide/configuration.md
index 7b01bac9e..552bd64dc 100644
--- a/content/nap-waf/v5/configuration-guide/configuration.md
+++ b/content/nap-waf/v5/configuration-guide/configuration.md
@@ -1048,6 +1048,7 @@ This table summarizes the nginx.conf directives for NGINX App Protect WAF functi
 |load_module | load_module <library_file_path> | NGINX directive to load the App Protect module. It must be invoked with the App Protect library path | Global | load_module modules/ngx_http_app_protect_module.so |
 |app_protect_enforcer_address | <hostname/ip>:<port> | The Enforcer service address. | HTTP | app_protect_enforcer_address 127.0.0.1:50000; |
 |app_protect_enable | app_protect_enable on &#124; off | Whether to enable App Protect at the respective context. If not present, inherits from the parent context | HTTP, Server, Location | app_protect_enable on |
+|app_protect_default_config_source | app_protect_default_config_source <resource_name> | Directive to specify custom resource for policy/logging profile bundles. Currently, only "custom-resource" is supported, and it enables Policy Lifecycle Management functionality. See [Policy Lifecycle Management]({{< ref "/nap-waf/v5/admin-guide/policy-lifecycle-management.md" >}}) for more details. | HTTP | app_protect_default_config_source "custom-resource" |
 |app_protect_policy_file | app_protect_policy_file <file_path> | Set a App Protect policy configuring behavior for the respective context. | HTTP, Server, Location | app_protect_policy_file /config/waf/strict_policy.tgz |
 |app_protect_security_log_enable | app_protect_security_log_enable on &#124; off | Whether to enable the App Protect per-request log at the respective context. | HTTP, Server, Location | app_protect_security_log_enable on |
 |app_protect_security_log | app_protect_security_log <file_path> <destination> | Specifies the per-request logging: what to log and where | HTTP, Server, Location | app_protect_security_log /config/waf/log_illegal.tgz syslog:localhost:522 |

From 062000510c0a05dc82f359574817a6fa271453b5 Mon Sep 17 00:00:00 2001
From: ViktorFefilovF5 <140407159+ViktorFefilovF5@users.noreply.github.com>
Date: Wed, 10 Sep 2025 13:35:17 +0300
Subject: [PATCH 2/6] PLM APSignatures CRD (#1080)

* ApSignatures

* fix: new line
---
 .../policy-lifecycle-management.md            | 40 ++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)

diff --git a/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md b/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md
index 46fbf4785..bedb7a1bc 100644
--- a/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md
+++ b/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md
@@ -227,6 +227,42 @@ appprotect:
 
 ## Using Policy Lifecycle Management
 
+### Setting up desired security update versions
+
+Once PLM is deployed, you can create APSignatures resource using Kubernetes manifests and specify desired security update versions. Apply the following Custom Resource example or create your own based on the template:
+
+**Sample APSignatures Resource:**
+
+Create a file named `signatures.yaml` with the following content:
+
+```yaml
+apiVersion: appprotect.f5.com/v1
+kind: APSignatures
+metadata:
+  name: signatures
+spec:
+  attack-signatures:
+    revision: "2025.06.19" # attack signatures revision to be used
+  bot-signatures:
+    revision: "latest" # bot signatures revision to be used
+  threat-campaigns:
+    revision: "2025.06.24" # threat campaigns revision to be used
+```
+
+{{< call-out "note" >}}
+The APSignatures must have name `signatures`. Only one APSignatures instance can exist
+{{< /call-out >}}
+
+Apply the manifest:
+
+```bash
+kubectl apply -f config/policy-manager/samples/appprotect_v1_apsignatures.yaml
+```
+
+{{< call-out "note" >}}
+Downloading security updates may take several minutes. The version of security updates available at the time of compilation is always used to compile policies. If APSignatures is not created or the specified versions are not downloaded, the versions contained in the compiler docker image will be used.
+{{< /call-out >}}
+
 ### Creating Policy Resources
 
 Once PLM is deployed, you can create policy resources using Kubernetes manifests. Apply the following Custom Resource examples or create your own based on these templates:
@@ -262,6 +298,7 @@ spec:
 ```
 
 Apply the policy:
+
 ```bash
 kubectl apply -f dataguard-blocking-policy.yaml -n <namespace>
 ```
@@ -292,6 +329,7 @@ spec:
 ```
 
 Apply the user signature:
+
 ```bash
 kubectl apply -f apple-usersig.yaml -n <namespace>
 ```
@@ -397,7 +435,7 @@ To verify that the policy bundles are being deployed and enforced correctly:
    ```bash
    curl "http://[CLUSTER-IP]:80/?a=<script>"
    ```
-   
+
    The request should be blocked, confirming that PLM has successfully compiled and deployed the policy.
 
 ## Troubleshooting

From 43b7cb568be4c5149f8f06b43ebe1da0715a110b Mon Sep 17 00:00:00 2001
From: mouraddmeiri <67323028+mouraddmeiri@users.noreply.github.com>
Date: Wed, 10 Sep 2025 13:47:55 +0300
Subject: [PATCH 3/6] chore: support NAP install for PLM via helm (#1081)

chore: add upgrade/uninstall steps for PLM
---
 .../policy-lifecycle-management.md            | 151 +++++++++++++++++-
 1 file changed, 148 insertions(+), 3 deletions(-)

diff --git a/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md b/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md
index bedb7a1bc..dcf459466 100644
--- a/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md
+++ b/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md
@@ -181,15 +181,37 @@ appprotect:
 
 4. **Create Storage**
    
-   Create the directory and persistent volume for policy bundles:
+   Create the directory on the cluster:
    ```bash
    mkdir -p /mnt/nap5_bundles_pv_data
    chown -R 101:101 /mnt/nap5_bundles_pv_data
-   kubectl apply -f <your-pv-yaml-file>
    ```
    
+   Create a YAML file `pv-hostpath.yaml` with the persistent volume file content:
+   ```
+   apiVersion: v1
+   kind: PersistentVolume
+   metadata:
+   name: nginx-app-protect-shared-bundles-pv
+   labels:
+       type: local
+   spec:
+   accessModes:
+       - ReadWriteMany
+   capacity:
+       storage: "2Gi"
+   hostPath:
+       path: "/mnt/nap5_bundles_pv_data"
+   persistentVolumeReclaimPolicy: Retain
+   storageClassName: manual
+   ``` 
+   Apply the `pv-hostpath.yaml` file to create the new persistent volume for policy bundles:
+   ```shell
+   kubectl apply -f pv-hostpath.yaml
+   ```
+  
    {{< call-out "note" >}}
-   The PV name defaults to `<release-name>-bundles-pv`, but can be customized using the `appprotect.storage.pv.name` setting in your values.yaml file.
+   The PV name defaults to `<release-name>-shared-bundles-pv`, but can be customized using the `appprotect.storage.pv.name` setting in your values.yaml file. Make sure to update all corresponding values for the PV and PVC to point to the correct names.
    {{< /call-out >}}
 
 5. **Configure Docker Registry Credentials**
@@ -438,6 +460,129 @@ To verify that the policy bundles are being deployed and enforced correctly:
 
    The request should be blocked, confirming that PLM has successfully compiled and deployed the policy.
 
+## Upgrade the chart
+
+1. **Prepare Environment Variables**
+   
+   Set the required environment variables:
+   ```bash
+   export JWT=<your-nginx-jwt-token>
+   export NGINX_REGISTRY_TOKEN=<base64-encoded-docker-credentials>
+   export NGINX_CERT=<base64-encoded-nginx-cert>
+   export NGINX_KEY=<base64-encoded-nginx-key>
+   ```
+
+2. **Pull the new Helm Chart version**
+   
+   Login to the registry and pull the chart:
+   ```bash
+   helm registry login private-registry.nginx.com
+   helm pull oci://private-registry.nginx.com/nap/nginx-app-protect --version <new-release-version> --untar
+   cd nginx-app-protect
+   ```
+
+3. **Apply Custom Resource Definitions**
+   
+   Apply the required CRDs before deploying the chart:
+   ```bash
+   kubectl apply -f crds/
+   ```
+
+4. **Create Storage**
+   
+   Create the directory on the cluster, and persistent volume for policy bundles:
+   ```bash
+   mkdir -p /mnt/nap5_bundles_pv_data
+   chown -R 101:101 /mnt/nap5_bundles_pv_data
+   ```
+   
+   Create a YAML file `pv-hostpath.yaml` with the PV file content:
+   ```
+   apiVersion: v1
+   kind: PersistentVolume
+   metadata:
+   name: nginx-app-protect-shared-bundles-pv
+   labels:
+       type: local
+   spec:
+   accessModes:
+       - ReadWriteMany
+   capacity:
+       storage: "2Gi"
+   hostPath:
+       path: "/mnt/nap5_bundles_pv_data"
+   persistentVolumeReclaimPolicy: Retain
+   storageClassName: manual
+   ``` 
+   Apply the `pv-hostpath.yaml` file to create the new PV:
+   ```shell
+   kubectl apply -f pv-hostpath.yaml
+   ```
+  
+   {{< call-out "note" >}}
+   The PV name defaults to `<release-name>-shared-bundles-pv`, but can be customized using the `appprotect.storage.pv.name` setting in your values.yaml file.
+   {{< /call-out >}}
+
+5. **Configure Docker Registry Credentials**
+   
+   Create the Docker registry secret or configure in values.yaml:
+   ```bash
+   kubectl create secret docker-registry regcred -n <namespace> \
+     --docker-server=private-registry.nginx.com \
+     --docker-username=<JWT-Token> \
+     --docker-password=none
+   ```
+
+6. **Deploy the Helm Chart with Policy Controller**
+   
+   Install the chart with Policy Controller enabled:
+   ```bash
+   helm install <release-name> . \
+     --namespace <namespace> \
+     --create-namespace \
+     --set appprotect.policyController.enable=true \
+     --set dockerConfigJson=$NGINX_REGISTRY_TOKEN \
+     --set appprotect.config.nginxJWT=$JWT \
+     --set appprotect.nginxRepo.nginxCert=$NGINX_CERT \
+     --set appprotect.nginxRepo.nginxKey=$NGINX_KEY
+   ```
+
+7. **Verify Installation**
+   
+   Check that all components are deployed successfully:
+   ```bash
+   kubectl get pods -n <namespace>
+   kubectl get crds | grep appprotect.f5.com
+   kubectl get all -n <namespace>
+   ```
+
+## Uninstall the chart
+
+1. **Manually Delete the CRs**
+
+   Delete all the existing CRs created for the deployment:
+   ```bash
+   kubectl -n <namespace> delete appolicy <policy-name>
+   kubectl -n <namespace> delete aplogconf <logconf-name>
+   kubectl -n <namespace> delete apusersigs <user-defined-signature-name>
+   kubectl -n <namespace> delete apsignatures <signature-update-name>
+   ```
+2. **Uninstall/delete the release `<release-name>`**
+
+   To delete the current release, you just need to delete it using helm:
+   ```bash
+   helm uninstall <release-name> -n <namespace>
+   ```
+
+3. **Delete any possible residual resources**
+
+   Delete any remaining CRDs, PVC, PV, and the namespace:
+   ```bash
+   kubectl delete pvc nginx-app-protect-shared-bundles-pvc -n <namespace>
+   kubectl delete pv nginx-app-protect-shared-bundles-pv
+   kubectl delete crd --all
+   kubectl delete ns <namespace>
+   ```
 ## Troubleshooting
 
 ### Common Issues

From 40e16793432746091ef0b9e44ca82ffea9d29625 Mon Sep 17 00:00:00 2001
From: Y-Klughaupt <78073400+Y-Klughaupt@users.noreply.github.com>
Date: Mon, 15 Sep 2025 13:18:06 +0300
Subject: [PATCH 4/6] Wafmc 13048 doc offline solution ap signatures (#1098)

* WAFMC-13048-offline-solution-for-APSignature

* fix: doc offline solution for APSignatures
---
 .../admin-guide/policy-lifecycle-management.md   | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md b/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md
index dcf459466..dfcba2b75 100644
--- a/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md
+++ b/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md
@@ -285,6 +285,22 @@ kubectl apply -f config/policy-manager/samples/appprotect_v1_apsignatures.yaml
 Downloading security updates may take several minutes. The version of security updates available at the time of compilation is always used to compile policies. If APSignatures is not created or the specified versions are not downloaded, the versions contained in the compiler docker image will be used.
 {{< /call-out >}}
 
+#### Using Security Update for users who can't use the nginx repo - Offline solution
+
+For users who prefer not to download the security update packages directly from the NGINX repository when using the APSignatures CR, there are two supported options:
+
+**1. Manual Package Placement**
+
+ - Download the required packages.
+ - Place them in the `/mnt/nap5_bundles_pv_data/security_updates_data/` directory.
+ - Ensure the files have `101:101` ownership and permissions.
+
+**2. Custom Compiler Image**
+
+ - Build a Docker image that includes the desired packages.
+ - Use this custom image in place of downloading packages at runtime.
+
+
 ### Creating Policy Resources
 
 Once PLM is deployed, you can create policy resources using Kubernetes manifests. Apply the following Custom Resource examples or create your own based on these templates:

From e9bec43b5f6020fbabc115031f3a8e85b5a66868 Mon Sep 17 00:00:00 2001
From: zahava-brown <127731351+zahava-brown@users.noreply.github.com>
Date: Thu, 18 Sep 2025 10:56:18 +0300
Subject: [PATCH 5/6] fix: WAFMC-13098 Update PLM Installation Section (#1099)

* Update PLM Installation Section

* fix: namespace

* fix: namespace values.yaml

* fix: namespace instructions

* fix: remove unneeded line

* fix: release name

* fix: missing pvc in values.yaml

* fix: missing values.yaml content

* fix: correct dockerfile

* fix: missing values.yaml sections

* fix: clarify verify output

* fix: clarifications

* fix: sudo

* fix: 5.9.0

* fix: typo

* fix: clarify cert and key files

* fix: test policy clarification

* fix: edit nginx.conf

* fix: clarify configuration

* fix: pv yaml indent

* fix: values.yaml

* fix: clarifications

* fix: missing set args

* fix: helm upgrade

* fix: after rebase
---
 .../policy-lifecycle-management.md            | 890 +++++++++++++++---
 1 file changed, 733 insertions(+), 157 deletions(-)

diff --git a/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md b/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md
index dfcba2b75..ce94e4d5a 100644
--- a/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md
+++ b/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md
@@ -8,7 +8,7 @@ product: NAP-WAF
 
 ## Overview
 
-Policy Lifecycle Management (PLM) provides a comprehensive solution for automating the management, compilation, and deployment of security policies within Kubernetes environments. PLM extends the WAF compiler capabilities by providing a native Kubernetes operator-based approach to policy orchestration.
+Policy Lifecycle Management (PLM) is an integrated feature of NGINX App Protect WAF that provides a comprehensive solution for automating the management, compilation, and deployment of security policies within Kubernetes environments. Policy Lifecycle Management is deployed as part of the NGINX App Protect Helm chart and extends the WAF compiler capabilities by providing a native Kubernetes operator-based approach to policy orchestration.
 
 The Policy Lifecycle Management system is architected around a **Policy Controller** that implements the Kubernetes operator pattern to manage the complete lifecycle of WAF security artifacts. The system addresses the fundamental challenge of policy distribution at scale by eliminating manual intervention points and providing a declarative configuration model through Custom Resource Definitions (CRDs) for policies, logging profiles, signatures, and user-defined signatures.
 
@@ -18,10 +18,9 @@ Before deploying Policy Lifecycle Management, ensure you have the following prer
 
 ### System Requirements
 
-- Kubernetes cluster (tested with k3s)
 - Helm 3 installed
 - Docker installed and configured
-- NGINX Docker Image
+- **[NGINX App Protect WAF Docker Image]({{< ref "/nap-waf/v5/admin-guide/deploy-on-docker.md#nginx-open-source-dockerfile" >}}) - REQUIRED**: You must build and push the NGINX App Protect WAF Docker image to your registry before proceeding with PLM installation. Use the NGINX Open Source Dockerfile for your preferred operating system.
 - NGINX JWT License
 - Docker registry credentials for private-registry.nginx.com
 
@@ -35,133 +34,373 @@ Policy Lifecycle Management requires specific Custom Resource Definitions to be
 - `apusersigs.appprotect.f5.com` - Handles user-defined signatures
 - `apsignatures.appprotect.f5.com` - Manages signature updates and collections
 
-Apply the CRDs using the following command:
-```bash
-kubectl apply -f crds/
-```
-
-### NGINX Configuration
-
-Policy Lifecycle Management requires specific NGINX configuration to integrate with the Policy Controller. The key directive `app_protect_default_config_source` must be set to `"custom-resource"` to enable PLM integration.
-
-**Required NGINX Configuration:**
-
-```nginx
-user nginx;
-worker_processes auto;
-
-load_module modules/ngx_http_app_protect_module.so;
-
-error_log /var/log/nginx/error.log notice;
-pid /var/run/nginx.pid;
 
-events {
-    worker_connections 1024;
-}
+## Configuration
 
-http {
-    include /etc/nginx/mime.types;
-    default_type application/octet-stream;
+Policy Lifecycle Management is deployed as part of the NGINX App Protect Helm chart and is configured through the Helm `values.yaml` file.
 
-    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
-    '$status $body_bytes_sent "$http_referer" '
-    '"$http_user_agent" "$http_x_forwarded_for"';
+### Policy Controller Configuration
 
-    access_log stdout main;
-    sendfile on;
-    keepalive_timeout 65;
+#### Helm Configuration (values.yaml)
 
-    app_protect_enforcer_address 127.0.0.1:50000;
-
-    # Enable Policy Lifecycle Management
-    app_protect_default_config_source "custom-resource";
-
-    app_protect_security_log_enable on;
-    app_protect_security_log my-logging-cr /opt/app_protect/bd_config/s.log;
-
-    server {
-        listen       80;
-        server_name  localhost;
-        proxy_http_version 1.1;
-
-        location / {
-            app_protect_enable on;
-
-            # Reference to Custom Resource policy name
-            app_protect_policy_file my-policy-cr;
-
-            client_max_body_size 0;
-            default_type text/html;
-            proxy_pass  http://127.0.0.1/proxy$request_uri;
-        }
-       
-        location /proxy {
-            app_protect_enable off;
-            client_max_body_size 0;
-            default_type text/html;
-            return 200 "Hello! I got your URI request - $request_uri\n";
-        }
-    }
-}
-```
+The following is the complete Helm configuration required for Policy Lifecycle Management. The Policy Controller option is enabled by default (`appprotect.policyController.enable: true`).
 
-**Key PLM-specific directives:**
-- `app_protect_default_config_source "custom-resource"` - Enables Policy Controller integration
-- `app_protect_policy_file my-policy-cr` - References the Custom Resource policy name instead of bundle file paths
-- `app_protect_security_log my-logging-cr` - References the Custom Resource logging configuration name
-
-## Helm Chart Configuration
-
-Policy Lifecycle Management is deployed as part of the NGINX App Protect Helm chart. To enable PLM, you must configure the Policy Controller settings in your `values.yaml` file.
+```yaml
+# Specify the target namespace for your deployment
+# Replace <namespace> with your chosen namespace name (e.g., "nap-plm" or "production")
+# This must match the namespace you will create in Step 4 or an existing namespace you plan to use
+namespace: <namespace>
 
-### Enabling Policy Controller
+appprotect:
+  ## Note: This option is useful if you use Nginx Ingress Controller for example.
+  ## Enable/Disable Nginx App Protect Deployment
+  enable: true
+  
+  ## The number of replicas of the Nginx App Protect deployment
+  replicas: 1
+  
+  ## Configure root filesystem as read-only and add volumes for temporary data
+  readOnlyRootFilesystem: false
+  
+  ## The annotations for deployment
+  annotations: {}
+  
+  ## InitContainers for the Nginx App Protect pod
+  initContainers: []
+    # - name: init-container
+    #   image: busybox:latest
+    #   command: ['sh', '-c', 'echo this is initial setup!']
+  
+  nginx:
+    image:
+      ## The image repository of the Nginx App Protect WAF image you built
+      ## This must reference the Docker image you built following the Docker deployment guide
+      ## Replace <your-private-registry> with your actual registry and update the image name/tag as needed
+      repository: <your-private-registry>/nginx-app-protect-5
+      ## The tag of the Nginx image
+      tag: latest
+    ## The pull policy for the Nginx image
+    imagePullPolicy: IfNotPresent
+    ## The resources of the Nginx container.
+    resources:
+      requests:
+        cpu: 10m
+        memory: 16Mi
+      # limits:
+      #   cpu: 1
+      #   memory: 1Gi
 
-Set the following configuration in your `values.yaml`:
+  wafConfigMgr:
+    image:
+      ## The image repository of the WAF Config Mgr
+      repository: private-registry.nginx.com/nap/waf-config-mgr
+      ## The tag of the WAF Config Mgr image
+      tag: 5.9.0
+    ## The pull policy for the WAF Config Mgr image
+    imagePullPolicy: IfNotPresent
+    ## The resources of the Waf Config Manager container
+    resources:
+      requests:
+        cpu: 10m
+        memory: 16Mi
+      # limits:
+      #   cpu: 500m
+      #   memory: 500Mi
 
-```yaml
-appprotect:
+  wafEnforcer:
+    image:
+      ## The image repository of the WAF Enforcer
+      repository: private-registry.nginx.com/nap/waf-enforcer
+      ## The tag of the WAF Enforcer image
+      tag: 5.9.0
+    ## The pull policy for the WAF Enforcer image
+    imagePullPolicy: IfNotPresent
+    ## The environment variable for enforcer port to be set on the WAF Enforcer container
+    env:
+      enforcerPort: "50000"
+    ## The resources of the WAF Enforcer container
+    resources:
+      requests:
+        cpu: 20m
+        memory: 256Mi
+      # limits:
+      #   cpu: 1
+      #   memory: 1Gi
+
+  wafIpIntelligence:
+    enable: false
+    image:
+      ## The image repository of the WAF IP Intelligence
+      repository: private-registry.nginx.com/nap/waf-ip-intelligence
+      ## The tag of the WAF IP Intelligence
+      tag: 5.9.0
+    ## The pull policy for the WAF IP Intelligence
+    imagePullPolicy: IfNotPresent
+    ## The resources of the WAF IP Intelligence container
+    resources:
+      requests:
+        cpu: 10m
+        memory: 256Mi
+      # limits:
+      #   cpu: 200m
+      #   memory: 1Gi
+  
   policyController:
+    ## Enable/Disable Policy Controller Deployment
     enable: true
+    ## Number of replicas for the Policy Controller
     replicas: 1
+    ## The image repository of the WAF Policy Controller
     image:
       repository: private-registry.nginx.com/nap/waf-policy-controller
-      tag: 5.8.0
+      ## The tag of the WAF Policy COntroller
+      tag: 5.9.0
+      ## The pull policy for the WAF Policy Controller
       imagePullPolicy: IfNotPresent
     wafCompiler:
+      ## The image repository of the WAF Compiler
       image:
         repository: private-registry.nginx.com/nap/waf-compiler
-        tag: 5.8.0
+         ## The tag of the WAF Compiler image
+        tag: 5.9.0
+    ## Save logs before deleting a job or not
     enableJobLogSaving: false
+    ## The resources of the WAF Policy Controller
     resources:
       requests:
         cpu: 100m
         memory: 128Mi
+      # limits:
+      #   memory: 256Mi
+      #   cpu: 250m
+    ## InitContainers for the Policy Controller pod
+    initContainers: []
+      # - name: init-container
+      #   image: busybox:latest
+      #   command: ['sh', '-c', 'echo this is initial setup!']
+
+  storage:
+    bundlesPath:
+      ## Specifies the name of the volume to be used for storing policy bundles
+      name: app-protect-bundles
+      ## Defines the mount path inside the WAF Config Manager container where the bundles will be stored
+      mountPath: /etc/app_protect/bundles
+    pv:
+      ## PV name that pvc will request
+      ## if empty will be used <release-name>-shared-bundles-pv
+      name: nginx-app-protect-shared-bundles-pv
+    pvc:
+      ## The storage class to be used for the PersistentVolumeClaim. 'manual' indicates a manually managed storage class
+      bundlesPvc:
+        storageClass: manual
+        ## The amount of storage requested for the PersistentVolumeClaim
+        storageRequest: 2Gi
+
+  # Not needed as values will be set during helm install
+  # nginxRepo:
+  #   ## Used for Policy Controller to pull the security updates from the NGINX repository.
+  #   ## The base64-encoded TLS certificate for the NGINX repository.
+  #   nginxCrt: ""
+  #   ## The base64-encoded TLS key for the NGINX repository.
+  #   nginxKey: ""
+
+  config:
+    ## The name of the ConfigMap used by the Nginx container
+    name: nginx-config
+    ## The annotations of the configmap
+    annotations: {}
+
+    # Not needed as value will be set during helm install
+    # ## The JWT token license.txt of the ConfigMap for customizing NGINX configuration.
+    # nginxJWT: ""
+
+    ## The nginx.conf of the ConfigMap for customizing NGINX configuration
+    nginxConf: |-
+      user nginx;
+      worker_processes auto;
+
+      load_module modules/ngx_http_app_protect_module.so;
+
+      error_log /var/log/nginx/error.log notice;
+      pid /var/run/nginx.pid;
+
+      events {
+          worker_connections 1024;
+      }
+
+      # Uncomment if using mtls
+      # mTLS configuration
+      # stream {
+      #   upstream enforcer {
+      #     # Replace with the actual App Protect Enforcer address and port if different
+      #     server 127.0.0.1:4431;
+      #   }
+      #   server {
+      #     listen 5000;
+      #     proxy_pass enforcer;
+      #     proxy_ssl_server_name on;
+      #     proxy_timeout 30d;
+      #     proxy_ssl on;
+      #     proxy_ssl_certificate /etc/ssl/certs/app_protect_client.crt;
+      #     proxy_ssl_certificate_key /etc/ssl/certs/app_protect_client.key;
+      #     proxy_ssl_trusted_certificate /etc/ssl/certs/app_protect_server_ca.crt;
+      #   }
+      # }
+
+      http {
+          include /etc/nginx/mime.types;
+          default_type application/octet-stream;
+
+          log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+          '$status $body_bytes_sent "$http_referer" '
+          '"$http_user_agent" "$http_x_forwarded_for"';
+
+          access_log stdout main;
+          sendfile on;
+          keepalive_timeout 65;
+
+          # Enable Policy Lifecycle Management
+          # WAF default config source. For policies from CRDs, use "custom-resource"
+          # Remove this line to use default bundled policies
+          app_protect_default_config_source "custom-resource";
+
+          # WAF enforcer address. For mTLS, use port 5000
+          app_protect_enforcer_address 127.0.0.1:50000;
+
+          server {
+              listen       80;
+              server_name  localhost;
+              proxy_http_version 1.1;
+
+              location / {
+                  app_protect_enable on;
+                  app_protect_security_log_enable on;
+                  app_protect_security_log log_all stderr;
+                  
+                  # WAF policy - use Custom Resource name when PLM is enabled
+                  app_protect_policy_file app_protect_default_policy;
+
+                  client_max_body_size 0;
+                  default_type text/html;
+                  proxy_pass  http://127.0.0.1/proxy$request_uri;
+              }
+              
+              location /proxy {
+                  app_protect_enable off;
+                  client_max_body_size 0;
+                  default_type text/html;
+                  return 200 "Hello! I got your URI request - $request_uri\n";
+              }
+          }
+          # include /etc/nginx/conf.d/*.conf;
+      }
+
+    ## The default.conf of the ConfigMap for customizing NGINX configuration
+    nginxDefault: {}
+
+    ## The extra entries of the ConfigMap for customizing NGINX configuration
+    entries: {}
+
+  ## It is recommended to use your own TLS certificates and keys
+  mTLS:
+    ## The base64-encoded TLS certificate for the App Protect Enforcer (server)
+    ## Note: It is recommended that you specify your own certificate
+    serverCert: ""
+    ## The base64-encoded TLS key for the App Protect Enforcer (server)
+    ## Note: It is recommended that you specify your own key
+    serverKey: ""
+    ## The base64-encoded TLS CA certificate for the App Protect Enforcer (server)
+    ## Note: It is recommended that you specify your own certificate
+    serverCACert: ""
+    ## The base64-encoded TLS certificate for the NGINX (client)
+    ## Note: It is recommended that you specify your own certificate
+    clientCert: ""
+    ## The base64-encoded TLS key for the NGINX (client)
+    ## Note: It is recommended that you specify your own key
+    clientKey: ""
+    ## The base64-encoded TLS CA certificate for the NGINX (client)
+    ## Note: It is recommended that you specify your own certificate
+    clientCACert: ""
+
+  ## The extra volumes of the Nginx container
+  volumes: []
+  # - name: extra-conf
+  #   configMap:
+  #     name: extra-conf
+
+  ## The extra volumeMounts of the Nginx container
+  volumeMounts: []
+  # - name: extra-conf
+  #   mountPath: /etc/nginx/conf.d/extra.conf
+  #   subPath: extra.conf
+
+  service:
+    nginx:
+      ports:
+        - port: 80
+          protocol: TCP
+          targetPort: 80
+      ## The type of service to create. NodePort will expose the service on each Node's IP at a static port.
+      type: NodePort
+
+# Not needed as value will be set during helm install
+# ## This is a base64-encoded string representing the contents of the Docker configuration file (config.json).
+# ## This file is used by Docker to manage authentication credentials for accessing private Docker registries.
+# ## By encoding the configuration file in base64, sensitive information such as usernames, passwords, and access tokens are protected from being exposed directly in plain text.
+# ## You can create this base64-encoded string yourself by encoding your config.json file, or you can create the Kubernetes secret containing these credentials before deployment and not use this value directly in the values.yaml file.
+# dockerConfigJson: ""
 ```
 
-### NGINX Repository Configuration
+#### Enable/Disable the Policy Controller
 
-To enable signature updates with the APSignatures CRD, configure the NGINX repository credentials:
+The Policy Controller option is enabled by default (`appprotect.policyController.enable: true`). Helm will also install the required custom resource definitions (CRDs) required by the policy controller pod.
 
-```yaml
-appprotect:
-  nginxRepo:
-    nginxCrt: <base64-encoded-cert>
-    nginxKey: <base64-encoded-key>
-```
+**Important**: Before applying the Policy Controller, the required Custom Resource Definitions (CRDs) must be installed first. If the CRDs are not installed, the Policy Controller pod will fail to start and show CRD-related errors in the logs.
+
+If you do not use the custom resources that require those CRDs (with `appprotect.policyController.enable` set to false), the installation of the CRDs can be skipped by specifying `--skip-crds` in your helm install command. Please also note that when upgrading helm charts, the current CRDs will need to be deleted and the new ones will be created as part of the helm install of the new version.
+
+If you wish to pull security updates from the NGINX repository (with APSignatures CRD), you should set the `appprotect.nginxRepo` value in values.yaml file.
+
+#### NGINX Configuration Requirements
+
+When Policy Controller is enabled in Helm, the NGINX configuration in your values.yaml must include the `app_protect_default_config_source` directive to enable Policy Controller integration. The values.yaml above already includes this configuration.
+
+**Key PLM-specific directives in the nginx.conf:**
+- `app_protect_default_config_source "custom-resource"` - Enables Policy Controller integration
+- `app_protect_policy_file app_protect_default_policy;` - Default policy (can be changed to reference Custom Resource names)
+
+**To disable Policy Controller:**
+1. Set `appprotect.policyController.enable: false` in your values.yaml
+2. Remove or comment out the `app_protect_default_config_source` directive from your nginx.conf in values.yaml
+3. Use traditional bundle file paths with `app_protect_policy_file`
 
 ## Installation Flow
 
+### New Installations vs. Upgrades
+
+**For New Installations**: Follow the complete step-by-step process below to install NGINX App Protect WAF with Policy Lifecycle Management enabled.
+
+**For Existing Customers**: If you have an existing NGINX App Protect WAF deployment without Policy Lifecycle Management, you need to upgrade your installation to enable PLM functionality. Use `helm upgrade` instead of `helm install` in step 6, and ensure you have the required CRDs and storage configured before upgrading.
+
 ### Step-by-Step Installation Process
 
+{{< call-out "important" >}}
+**Before You Begin**: Ensure you have already built and pushed your NGINX App Protect WAF Docker image to your private registry following the [Docker deployment guide]({{< ref "/nap-waf/v5/admin-guide/deploy-on-docker.md#nginx-open-source-dockerfile" >}}). Choose the NGINX Open Source Dockerfile for your preferred operating system. The values.yaml configuration below assumes this image is available in your registry.
+{{< /call-out >}}
+
 1. **Prepare Environment Variables**
    
    Set the required environment variables:
    ```bash
    export JWT=<your-nginx-jwt-token>
    export NGINX_REGISTRY_TOKEN=<base64-encoded-docker-credentials>
-   export NGINX_CERT=<base64-encoded-nginx-cert>
-   export NGINX_KEY=<base64-encoded-nginx-key>
+   export NGINX_CERT=$(cat /path/to/your/nginx-repo.crt | base64 -w 0)
+   export NGINX_KEY=$(cat /path/to/your/nginx-repo.key | base64 -w 0)
    ```
+   
+   {{< call-out "note" >}}
+   **NGINX Repository Credentials**: Replace `/path/to/your/nginx-repo.crt` and `/path/to/your/nginx-repo.key` with the actual paths to your NGINX repository certificate and key files. These are typically provided by NGINX when you get access to the private registry. The files may have similar names like `nginx-repo.crt` and `nginx-repo.key` or `nginx.crt` and `nginx.key`.
+   {{< /call-out >}}
 
 2. **Pull the Helm Chart**
    
@@ -171,52 +410,56 @@ appprotect:
    helm pull oci://private-registry.nginx.com/nap/nginx-app-protect --version <release-version> --untar
    cd nginx-app-protect
    ```
-
-3. **Apply Custom Resource Definitions**
    
-   Apply the required CRDs before deploying the chart:
-   ```bash
-   kubectl apply -f crds/
-   ```
+   {{< call-out "important" >}}
+   **Important**: The extracted Helm chart includes a default `values.yaml` file. Ignore this file and use your custom values.yaml created from the Configuration section above.
+   {{< /call-out >}}
 
-4. **Create Storage**
+3. **Create Storage**
    
    Create the directory on the cluster:
    ```bash
-   mkdir -p /mnt/nap5_bundles_pv_data
-   chown -R 101:101 /mnt/nap5_bundles_pv_data
+   sudo mkdir -p /mnt/nap5_bundles_pv_data
+   sudo chown -R 101:101 /mnt/nap5_bundles_pv_data
    ```
    
    Create a YAML file `pv-hostpath.yaml` with the persistent volume file content:
-   ```
+   ```yaml
    apiVersion: v1
    kind: PersistentVolume
    metadata:
-   name: nginx-app-protect-shared-bundles-pv
-   labels:
+     name: nginx-app-protect-shared-bundles-pv
+     labels:
        type: local
    spec:
-   accessModes:
+     accessModes:
        - ReadWriteMany
-   capacity:
+     capacity:
        storage: "2Gi"
-   hostPath:
+     hostPath:
        path: "/mnt/nap5_bundles_pv_data"
-   persistentVolumeReclaimPolicy: Retain
-   storageClassName: manual
+     persistentVolumeReclaimPolicy: Retain
+     storageClassName: manual
    ``` 
    Apply the `pv-hostpath.yaml` file to create the new persistent volume for policy bundles:
    ```shell
    kubectl apply -f pv-hostpath.yaml
    ```
-  
-   {{< call-out "note" >}}
-   The PV name defaults to `<release-name>-shared-bundles-pv`, but can be customized using the `appprotect.storage.pv.name` setting in your values.yaml file. Make sure to update all corresponding values for the PV and PVC to point to the correct names.
+
+4. **Create Namespace**
+   
+   Create a namespace for the deployment (if you don't already have one):
+   ```bash
+   kubectl create namespace <namespace>
+   ```
+   
+   {{< call-out "important" >}}
+   **Important**: The namespace name you choose here must be used consistently in ALL subsequent commands throughout this guide AND must also be specified in your values.yaml file. Replace `<namespace>` with your actual namespace name in every command that follows and update the `namespace:` field in your values.yaml file to match. If you already have an existing namespace, you can skip this step and use your existing namespace name in all subsequent commands and configuration files.
    {{< /call-out >}}
 
 5. **Configure Docker Registry Credentials**
    
-   Create the Docker registry secret or configure in values.yaml:
+   Create the Docker registry secret:
    ```bash
    kubectl create secret docker-registry regcred -n <namespace> \
      --docker-server=private-registry.nginx.com \
@@ -226,19 +469,79 @@ appprotect:
 
 6. **Deploy the Helm Chart with Policy Controller**
    
-   Install the chart with Policy Controller enabled:
+   {{< call-out "note" >}}
+   **Release Name**: Replace `<release-name>` with your chosen Helm release name (e.g., "nginx-app-protect", "nap-plm", or "production-waf"). This name identifies your deployment and is used by Helm to manage the installation.
+   {{< /call-out >}}
+   
+   **For new installations:**
    ```bash
    helm install <release-name> . \
      --namespace <namespace> \
-     --create-namespace \
+     --values /path/to/your/values.yaml \
+     --set appprotect.policyController.enable=true \
+     --set dockerConfigJson=$NGINX_REGISTRY_TOKEN \
+     --set appprotect.config.nginxJWT=$JWT \
+     --set appprotect.nginxRepo.nginxCrt=$NGINX_CERT \
+     --set appprotect.nginxRepo.nginxKey=$NGINX_KEY
+   ```
+   
+   **For existing deployments (upgrade):**
+   ```bash
+   helm upgrade <release-name> . \
+     --namespace <namespace> \
+     --values /path/to/your/values.yaml \
      --set appprotect.policyController.enable=true \
      --set dockerConfigJson=$NGINX_REGISTRY_TOKEN \
      --set appprotect.config.nginxJWT=$JWT \
-     --set appprotect.nginxRepo.nginxCert=$NGINX_CERT \
+     --set appprotect.nginxRepo.nginxCrt=$NGINX_CERT \
      --set appprotect.nginxRepo.nginxKey=$NGINX_KEY
    ```
 
-7. **Verify Installation**
+7. **Verify Storage Setup**
+   
+   After Helm deployment, verify that the PersistentVolumeClaim has been created and bound:
+   ```bash
+   kubectl get pvc -n <namespace>
+   kubectl get pv
+   ```
+   
+   You should see output similar to:
+   ```
+   NAME                              STATUS   VOLUME                               CAPACITY   ACCESS MODES   STORAGECLASS   AGE
+   <release-name>-shared-bundles-pvc   Bound    nginx-app-protect-shared-bundles-pv   2Gi        RWX            manual         1m
+   ```
+   
+   {{< call-out "warning" >}}
+   **Troubleshooting PVC Issues**: If you don't see a PVC in your namespace or the PVC shows "Pending" status:
+   
+   1. **Check if storage configuration is complete in values.yaml:**
+      ```bash
+      helm get values <release-name> -n <namespace>
+      ```
+      Ensure you have the complete `appprotect.storage` section including `bundlesPvc.storageRequest`
+   
+   2. **If storage configuration is missing, upgrade with proper storage settings:**
+      ```bash
+      helm upgrade <release-name> . --namespace <namespace> \
+        --values /path/to/your/values.yaml \
+        --set appprotect.policyController.enable=true \
+        --set dockerConfigJson=$NGINX_REGISTRY_TOKEN \
+        --set appprotect.config.nginxJWT=$JWT \
+        --set appprotect.nginxRepo.nginxCrt=$NGINX_CERT \
+        --set appprotect.nginxRepo.nginxKey=$NGINX_KEY \
+        --set appprotect.storage.pvc.bundlesPvc.storageClass=manual \
+        --set appprotect.storage.pvc.bundlesPvc.storageRequest=2Gi
+      ```
+   
+   3. **If PVC exists but shows "Pending", check PV binding:**
+      ```bash
+      kubectl describe pvc -n <namespace>
+      kubectl describe pv nginx-app-protect-shared-bundles-pv
+      ```
+      Ensure the PV `storageClassName` matches the PVC requirements.
+   {{< /call-out >}}
+
+8. **Verify Installation**
    
    Check that all components are deployed successfully:
    ```bash
@@ -247,11 +550,61 @@ appprotect:
    kubectl get all -n <namespace>
    ```
 
+   You should see output similar to this:
+
+   **Pods Status:**
+   ```
+   NAME                                                         READY   STATUS    RESTARTS   AGE
+   <release-name>-policy-controller-cbd97c8db-tbq7j               1/1     Running   0          3d23h
+   <release-name>-nginx-app-protect-deployment-5c99b8df65-g4nfn   3/3     Running   0          3d23h
+   ```
+
+   **CRDs Verification:**
+   ```
+   aplogconfs.appprotect.f5.com                 2025-08-27T10:23:34Z
+   appolicies.appprotect.f5.com                 2025-08-27T10:23:34Z
+   apsignatures.appprotect.f5.com               2025-08-27T10:23:34Z
+   apusersigs.appprotect.f5.com                 2025-08-27T10:23:34Z
+   ```
+
+   **All Resources:**
+   ```
+   NAME                                                             READY   STATUS    RESTARTS   AGE
+   pod/<release-name>-policy-controller-cbd97c8db-tbq7j               1/1     Running   0          3d23h
+   pod/<release-name>-nginx-app-protect-deployment-5c99b8df65-g4nfn   4/4     Running   0          3d23h
+
+   NAME                                           TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
+   service/<release-name>-nginx-app-protect-nginx   NodePort   10.43.125.76   <none>        80:30847/TCP   3d23h
+
+   NAME                                                        READY   UP-TO-DATE   AVAILABLE   AGE
+   deployment.apps/<release-name>-policy-controller              1/1     1            1           3d23h
+   deployment.apps/<release-name>-nginx-app-protect-deployment   1/1     1            1           3d23h
+
+   NAME                                                                   DESIRED   CURRENT   READY   AGE
+   replicaset.apps/<release-name>-policy-controller-cbd97c8db               1         1         1       3d23h
+   replicaset.apps/<release-name>-nginx-app-protect-deployment-5c99b8df65   1         1         1       3d23h
+   ```
+
+   **Key components to verify:**
+   - **Policy Controller Pod**: Should show `1/1 Running` status
+   - **NGINX App Protect Pod**: Should show `4/4 Running` status (nginx, waf-config-mgr, waf-enforcer, waf-ip-intelligence containers)
+   - **All 4 CRDs**: Should be installed and show creation timestamps
+   - **Service**: NodePort service should be available with assigned port
+
 ## Using Policy Lifecycle Management
 
 ### Setting up desired security update versions
 
-Once PLM is deployed, you can create APSignatures resource using Kubernetes manifests and specify desired security update versions. Apply the following Custom Resource example or create your own based on the template:
+Once PLM is deployed, you can create APSignatures resource using Kubernetes manifests and specify desired security update versions. 
+
+**Organize Your Custom Resources:**
+
+It's recommended to create a dedicated directory to organize your Custom Resource files:
+
+```bash
+mkdir -p custom-resources
+cd custom-resources
+```
 
 **Sample APSignatures Resource:**
 
@@ -278,9 +631,13 @@ The APSignatures must have name `signatures`. Only one APSignatures instance can
 Apply the manifest:
 
 ```bash
-kubectl apply -f config/policy-manager/samples/appprotect_v1_apsignatures.yaml
+kubectl apply -f signatures.yaml -n <namespace>
 ```
 
+{{< call-out "note" >}}
+If you're not in the `custom-resources` directory, include the path: `kubectl apply -f custom-resources/signatures.yaml -n <namespace>`
+{{< /call-out >}}
+
 {{< call-out "note" >}}
 Downloading security updates may take several minutes. The version of security updates available at the time of compilation is always used to compile policies. If APSignatures is not created or the specified versions are not downloaded, the versions contained in the compiler docker image will be used.
 {{< /call-out >}}
@@ -303,7 +660,18 @@ For users who prefer not to download the security update packages directly from
 
 ### Creating Policy Resources
 
-Once PLM is deployed, you can create policy resources using Kubernetes manifests. Apply the following Custom Resource examples or create your own based on these templates:
+Once PLM is deployed, you can create policy resources using Kubernetes manifests. 
+
+**Organize Your Custom Resources (if not already done):**
+
+If you haven't created a directory for your Custom Resources yet, create one:
+
+```bash
+mkdir -p custom-resources
+cd custom-resources
+```
+
+Apply the following Custom Resource examples or create your own based on these templates:
 
 **Sample APPolicy Resource:**
 
@@ -336,11 +704,14 @@ spec:
 ```
 
 Apply the policy:
-
 ```bash
 kubectl apply -f dataguard-blocking-policy.yaml -n <namespace>
 ```
 
+{{< call-out "note" >}}
+If you're not in the `custom-resources` directory, include the path: `kubectl apply -f custom-resources/dataguard-blocking-policy.yaml -n <namespace>`
+{{< /call-out >}}
+
 **Sample APUserSig Resource:**
 
 Create a file named `apple-usersig.yaml` with the following content:
@@ -367,11 +738,14 @@ spec:
 ```
 
 Apply the user signature:
-
 ```bash
 kubectl apply -f apple-usersig.yaml -n <namespace>
 ```
 
+{{< call-out "note" >}}
+If you're not in the `custom-resources` directory, include the path: `kubectl apply -f custom-resources/apple-usersig.yaml -n <namespace>`
+{{< /call-out >}}
+
 ### Monitoring Policy Status
 
 Check the status of your policy resources:
@@ -379,12 +753,119 @@ Check the status of your policy resources:
 ```bash
 kubectl get appolicy -n <namespace>
 kubectl describe appolicy <policy-name> -n <namespace>
+kubectl get appolicy <policy-name> -n <namespace> -o yaml
+```
+
+**Using kubectl describe for human-readable output:**
+
+```bash
+kubectl describe appolicy dataguard-blocking -n <namespace>
+```
+
+**Sample describe output:**
+```
+Name:         dataguard-blocking
+Namespace:    localenv-plm
+Labels:       <none>
+Annotations:  <none>
+API Version:  appprotect.f5.com/v1
+Kind:         APPolicy
+Metadata:
+  Creation Timestamp:  2025-09-10T11:17:07Z
+  Finalizers:
+    appprotect.f5.com/finalizer
+  Generation:  3
+  # ... other metadata fields
+Spec:
+  Policy:
+    Application Language:  utf-8
+    Blocking - Settings:
+      Violations:
+        Alarm:  true
+        Block:  true
+        Name:   VIOL_DATA_GUARD
+    Data - Guard:
+      Credit Card Numbers:  true
+      Enabled:              true
+      Enforcement Mode:     ignore-urls-in-list
+      # ... other policy settings
+Status:
+  Bundle:
+    Compiler Version:  11.553.0
+    Location:          /etc/app_protect/bundles/dataguard-blocking-policy/dataguard-blocking_policy20250914102339.tgz
+    Signatures:
+      Attack Signatures:  2025-09-03T08:36:25Z
+      Bot Signatures:     2025-09-03T10:50:19Z
+      Threat Campaigns:   2025-09-02T07:28:43Z
+    State:                ready
+  Processing:
+    Datetime:     2025-09-14T10:23:48Z
+    Is Compiled:  true
+Events:           <none>
+```
+
+**Using kubectl get for YAML output:**
+
+```bash
+kubectl get appolicy dataguard-blocking -n <namespace> -o yaml
 ```
 
-The Policy Controller will show status information including:
-- Bundle location
-- Compilation status
-- Signature update timestamps
+**Sample YAML output:**
+
+```yaml
+apiVersion: appprotect.f5.com/v1
+kind: APPolicy
+metadata:
+  name: dataguard-blocking
+  namespace: localenv-plm
+  # ... other metadata fields
+spec:
+  policy:
+    # ... policy configuration
+status:
+  bundle:
+    compilerVersion: 11.553.0
+    location: /etc/app_protect/bundles/dataguard-blocking-policy/dataguard-blocking_policy20250914102339.tgz
+    signatures:
+      attackSignatures: "2025-09-03T08:36:25Z"
+      botSignatures: "2025-09-03T10:50:19Z"
+      threatCampaigns: "2025-09-02T07:28:43Z"
+    state: ready
+  processing:
+    datetime: "2025-09-14T10:23:48Z"
+    isCompiled: true
+```
+
+**Key Status Fields to Monitor:**
+
+- **`Status.Bundle.State`**: Policy compilation state
+  - `ready` - Policy successfully compiled and available
+  - `processing` - Policy is being compiled
+  - `error` - Compilation failed (check Policy Controller logs)
+
+- **`Status.Bundle.Location`**: File path where the compiled policy bundle is stored
+
+- **`Status.Bundle.Compiler Version`**: Version of the WAF compiler used for compilation
+
+- **`Status.Bundle.Signatures`**: Timestamps showing when security signatures were last updated
+  - `Attack Signatures` - Attack signature update timestamp
+  - `Bot Signatures` - Bot signature update timestamp  
+  - `Threat Campaigns` - Threat campaign signature update timestamp
+
+- **`Status.Processing.Is Compiled`**: Boolean indicating if compilation completed successfully
+
+- **`Status.Processing.Datetime`**: Timestamp of the last compilation attempt
+
+- **`Events`**: Shows any Kubernetes events related to the policy (usually none for successful policies)
+
+- **`status.bundle.signatures`**: Timestamps showing when security signatures were last updated
+  - `attackSignatures` - Attack signature update timestamp
+  - `botSignatures` - Bot signature update timestamp  
+  - `threatCampaigns` - Threat campaign signature update timestamp
+
+- **`status.processing.isCompiled`**: Boolean indicating if compilation completed successfully
+
+- **`status.processing.datetime`**: Timestamp of the last compilation attempt
 
 ## Confirming Setup is Functioning
 
@@ -396,6 +877,10 @@ Apply one of the sample policy Custom Resources to verify PLM is working correct
 kubectl apply -f dataguard-blocking-policy.yaml -n <namespace>
 ```
 
+{{< call-out "note" >}}
+If you're not in the `custom-resources` directory, include the path: `kubectl apply -f custom-resources/dataguard-blocking-policy.yaml -n <namespace>`
+{{< /call-out >}}
+
 ### 2. Check Policy Compilation Status
 
 Verify that the policy has been compiled successfully by checking the Custom Resource status:
@@ -425,8 +910,14 @@ status:
 
 Check the Policy Controller logs for expected compilation messages:
 
+First, get the Policy Controller pod name:
+```bash
+kubectl get pods -n <namespace> | grep policy-controller
+```
+
+Then check the logs using the pod name from the output above:
 ```bash
-kubectl logs <policy-controller-pod> -n <namespace>
+kubectl logs <policy-controller-pod-name> -n <namespace>
 ```
 
 Look for successful compilation messages like:
@@ -453,25 +944,96 @@ You should see the compiled policy bundle file in the directory structure.
 
 To verify that the policy bundles are being deployed and enforced correctly:
 
-1. **Update NGINX Configuration**
+1. **Get Deployment Information**
+   
+   First, get the deployment name and cluster IP by running:
+   ```bash
+   kubectl get all -n <namespace>
+   ```
    
-   Use the Custom Resource name in your NGINX configuration:
-   ```nginx
+   In the output, look for:
+   - **Service CLUSTER-IP**: Under the `service/` entries, note the `CLUSTER-IP` value (e.g., `10.43.205.101`)
+   - **Deployment name**: Under the `deployment.apps/` entries, note the full deployment name (e.g., `localenv-plm-nginx-app-protect-deployment`)
+
+   Example output:
+   ```
+   NAME                                           TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
+   service/localenv-plm-nginx-app-protect-nginx   NodePort   10.43.205.101   <none>        80:30970/TCP   21h
+
+   NAME                                                        READY   UP-TO-DATE   AVAILABLE   AGE
+   deployment.apps/localenv-plm-nginx-app-protect-deployment   1/1     1            1           21h
+   ```
+
+2. **Update NGINX Configuration via values.yaml**
+   
+   Open your `values.yaml` file with your preferred editor:
+   ```bash
+   nano values.yaml
+   # or
+   vi values.yaml
+   # or any editor of your choice
+   ```
+   
+   Find the nginx configuration section and update the policy directive. Look for this line:
+   ```yaml
+   app_protect_policy_file app_protect_default_policy;
+   ```
+   
+   Change it to use your Custom Resource name:
+   ```yaml
    app_protect_policy_file dataguard-blocking;
    ```
+   
+   Save and close the file.
 
-2. **Reload NGINX**
+3. **Apply the Updated Configuration**
    
-   Reload NGINX to apply the new policy:
+   Run the Helm upgrade command to apply the new configuration (replace with your actual release name and namespace):
    ```bash
-   nginx -s reload
+   helm upgrade <release-name> . \
+     --namespace <namespace> \
+     --values /path/to/your/values.yaml \
+     --set appprotect.policyController.enable=true \
+     --set dockerConfigJson=$NGINX_REGISTRY_TOKEN \
+     --set appprotect.config.nginxJWT=$JWT \
+     --set appprotect.nginxRepo.nginxCrt=$NGINX_CERT \
+     --set appprotect.nginxRepo.nginxKey=$NGINX_KEY
+   ```
+   
+   Example:
+   ```bash
+   helm upgrade localenv-plm . \
+     --namespace localenv-plm \
+     --values /tmp/helm-chart/values.yaml \
+     --set appprotect.policyController.enable=true \
+     --set dockerConfigJson=$NGINX_REGISTRY_TOKEN \
+     --set appprotect.config.nginxJWT=$JWT \
+     --set appprotect.nginxRepo.nginxCrt=$NGINX_CERT \
+     --set appprotect.nginxRepo.nginxKey=$NGINX_KEY
+   ```
+
+4. **Restart the NGINX Deployment**
+   
+   Restart the deployment to apply the configuration changes (replace with your actual deployment name and namespace):
+   ```bash
+   kubectl rollout restart deployment <deployment-name> -n <namespace>
+   ```
+   
+   Example:
+   ```bash
+   kubectl rollout restart deployment localenv-plm-nginx-app-protect-deployment -n localenv-plm
    ```
 
-3. **Test Policy Enforcement**
+5. **Test Policy Enforcement**
    
-   Send a request that should be blocked by the dataguard policy to verify it's working:
+   Send a request that should be blocked by the dataguard policy using the cluster IP you noted earlier:
    ```bash
-   curl "http://[CLUSTER-IP]:80/?a=<script>"
+   curl "http://<CLUSTER-IP>:80/680-15-0817"
+   ```
+
+   Example:
+   ```bash
+   curl "http://10.43.205.101:80/680-15-0817"
    ```
 
    The request should be blocked, confirming that PLM has successfully compiled and deployed the policy.
@@ -484,8 +1046,8 @@ To verify that the policy bundles are being deployed and enforced correctly:
    ```bash
    export JWT=<your-nginx-jwt-token>
    export NGINX_REGISTRY_TOKEN=<base64-encoded-docker-credentials>
-   export NGINX_CERT=<base64-encoded-nginx-cert>
-   export NGINX_KEY=<base64-encoded-nginx-key>
+   export NGINX_CERT=$(cat /path/to/your/nginx-repo.crt | base64 -w 0)
+   export NGINX_KEY=$(cat /path/to/your/nginx-repo.key | base64 -w 0)
    ```
 
 2. **Pull the new Helm Chart version**
@@ -496,6 +1058,10 @@ To verify that the policy bundles are being deployed and enforced correctly:
    helm pull oci://private-registry.nginx.com/nap/nginx-app-protect --version <new-release-version> --untar
    cd nginx-app-protect
    ```
+   
+   {{< call-out "important" >}}
+   **Important**: The extracted Helm chart includes a default `values.yaml` file. Ignore this file and use your custom values.yaml created from the Configuration section above.
+   {{< /call-out >}}
 
 3. **Apply Custom Resource Definitions**
    
@@ -508,27 +1074,27 @@ To verify that the policy bundles are being deployed and enforced correctly:
    
    Create the directory on the cluster, and persistent volume for policy bundles:
    ```bash
-   mkdir -p /mnt/nap5_bundles_pv_data
-   chown -R 101:101 /mnt/nap5_bundles_pv_data
+   sudo mkdir -p /mnt/nap5_bundles_pv_data
+   sudo chown -R 101:101 /mnt/nap5_bundles_pv_data
    ```
    
    Create a YAML file `pv-hostpath.yaml` with the PV file content:
-   ```
+   ```yaml
    apiVersion: v1
    kind: PersistentVolume
    metadata:
-   name: nginx-app-protect-shared-bundles-pv
-   labels:
+     name: nginx-app-protect-shared-bundles-pv
+     labels:
        type: local
    spec:
-   accessModes:
+     accessModes:
        - ReadWriteMany
-   capacity:
+     capacity:
        storage: "2Gi"
-   hostPath:
+     hostPath:
        path: "/mnt/nap5_bundles_pv_data"
-   persistentVolumeReclaimPolicy: Retain
-   storageClassName: manual
+     persistentVolumeReclaimPolicy: Retain
+     storageClassName: manual
    ``` 
    Apply the `pv-hostpath.yaml` file to create the new PV:
    ```shell
@@ -539,7 +1105,18 @@ To verify that the policy bundles are being deployed and enforced correctly:
    The PV name defaults to `<release-name>-shared-bundles-pv`, but can be customized using the `appprotect.storage.pv.name` setting in your values.yaml file.
    {{< /call-out >}}
 
-5. **Configure Docker Registry Credentials**
+5. **Create Namespace**
+   
+   Create a namespace for the deployment (if you don't already have one):
+   ```bash
+   kubectl create namespace <namespace>
+   ```
+   
+   {{< call-out "note" >}}
+   You can name the namespace whatever you want. If you already have an existing namespace, you can skip this step and use your existing namespace in the subsequent commands.
+   {{< /call-out >}}
+
+6. **Configure Docker Registry Credentials**
    
    Create the Docker registry secret or configure in values.yaml:
    ```bash
@@ -549,21 +1126,21 @@ To verify that the policy bundles are being deployed and enforced correctly:
      --docker-password=none
    ```
 
-6. **Deploy the Helm Chart with Policy Controller**
+7. **Upgrade the Helm Chart with Policy Controller**
    
-   Install the chart with Policy Controller enabled:
+   Upgrade the chart with Policy Controller enabled:
    ```bash
-   helm install <release-name> . \
+   helm upgrade <release-name> . \
      --namespace <namespace> \
-     --create-namespace \
+     --values /path/to/your/values.yaml \
      --set appprotect.policyController.enable=true \
      --set dockerConfigJson=$NGINX_REGISTRY_TOKEN \
      --set appprotect.config.nginxJWT=$JWT \
-     --set appprotect.nginxRepo.nginxCert=$NGINX_CERT \
+     --set appprotect.nginxRepo.nginxCrt=$NGINX_CERT \
      --set appprotect.nginxRepo.nginxKey=$NGINX_KEY
    ```
 
-7. **Verify Installation**
+8. **Verify Upgrade**
    
    Check that all components are deployed successfully:
    ```bash
@@ -599,13 +1176,14 @@ To verify that the policy bundles are being deployed and enforced correctly:
    kubectl delete crd --all
    kubectl delete ns <namespace>
    ```
+
 ## Troubleshooting
 
 ### Common Issues
 
 **Policy Controller Not Starting**
 - Verify CRDs are installed: `kubectl get crds | grep appprotect.f5.com`
-- Check pod logs: `kubectl logs <policy-controller-pod> -n <namespace>`
+- Check pod logs: `kubectl logs $(kubectl get pods -n <namespace> -l app=policy-controller -o jsonpath='{.items[0].metadata.name}') -n <namespace>`
 - Ensure proper RBAC permissions are configured
 
 **Policy Compilation Failures**
@@ -617,5 +1195,3 @@ To verify that the policy bundles are being deployed and enforced correctly:
 - Verify persistent volume is properly mounted
 - Check storage permissions (should be 101:101)
 - Confirm PVC is bound to the correct PV
-
-For additional troubleshooting information, see the [Troubleshooting Guide]({{< ref "/nap-waf/v5/troubleshooting-guide/troubleshooting.md#nginx-app-protect-5" >}}).

From dd6b820cffc5fb5aa22f61ccc828c819af7626c5 Mon Sep 17 00:00:00 2001
From: ViktorFefilovF5 <140407159+ViktorFefilovF5@users.noreply.github.com>
Date: Mon, 22 Sep 2025 12:25:34 +0300
Subject: [PATCH 6/6] fix: APSignatures information (#1149)

---
 .../policy-lifecycle-management.md            | 43 +++++++++++++++----
 1 file changed, 35 insertions(+), 8 deletions(-)

diff --git a/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md b/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md
index ce94e4d5a..d650bf4cc 100644
--- a/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md
+++ b/content/nap-waf/v5/admin-guide/policy-lifecycle-management.md
@@ -608,6 +608,7 @@ cd custom-resources
 
 **Sample APSignatures Resource:**
 
+APSignatures CR is required for download the security update packages directly from the NGINX repository.
 Create a file named `signatures.yaml` with the following content:
 
 ```yaml
@@ -625,7 +626,7 @@ spec:
 ```
 
 {{< call-out "note" >}}
-The APSignatures must have name `signatures`. Only one APSignatures instance can exist
+The APSignatures `metadata.name` must be `signatures`. Only one APSignatures instance can exist
 {{< /call-out >}}
 
 Apply the manifest:
@@ -644,20 +645,46 @@ Downloading security updates may take several minutes. The version of security u
 
 #### Using Security Update for users who can't use the nginx repo - Offline solution
 
-For users who prefer not to download the security update packages directly from the NGINX repository when using the APSignatures CR, there are two supported options:
+For users who prefer not to download the security update packages directly from the NGINX repository, there are two supported options:
+
+{{< call-out "note" >}}
+You should not create APSignatures CR in this case.
+{{< /call-out >}}
+
 
 **1. Manual Package Placement**
 
- - Download the required packages.
+ - Create `/mnt/nap5_bundles_pv_data/security_updates_data/` directory.
+ - Download the required security update packages (attack-signatures/bot-signatures/threat-campaigns). Use Debian packages. Don't change package file names.
  - Place them in the `/mnt/nap5_bundles_pv_data/security_updates_data/` directory.
- - Ensure the files have `101:101` ownership and permissions.
+ - Ensure the files and `security_updates_data` directory have `101:101` ownership and permissions.
 
 **2. Custom Compiler Image**
 
- - Build a Docker image that includes the desired packages.
- - Use this custom image in place of downloading packages at runtime.
-
-
+ - Build a Docker image that includes the desired packages. See [Building Compiler Image]({{< ref "/nap-waf/v5/admin-guide/compiler.md" >}})
+ - Use this custom image in helm chart deployment:
+  
+  Change `appprotect.policyController.wafCompiler.image.repository` and `appprotect.policyController.wafCompiler.image.tag` values in your `values.yaml` file:
+  ```yaml
+  appprotect:
+    policyController:
+      wafCompiler:
+        image:
+          ## The image repository of the WAF Compiler.
+          repository: <your custom repo>
+          ## The tag of the WAF Compiler image.
+          tag: <your custom tag>
+  ```
+    
+  OR use `--set`:
+  ```bash
+  helm install 
+     ...
+     --set appprotect.policyController.wafCompiler.image.repository="<your custom repo>"
+     --set appprotect.policyController.wafCompiler.image.tag="<your custom tag>"
+     ...
+  ```
+    
 ### Creating Policy Resources
 
 Once PLM is deployed, you can create policy resources using Kubernetes manifests.