add documentation for NIC statefulset

content/includes/nic/configuration/global-configuration/configmap-resource.md

@@ -199,7 +199,7 @@ If you encounter the error `error [emerg] 13#13: "zone_sync" directive is duplic
 {{<bootstrap-table "table table-striped table-bordered table-responsive">}}
 |ConfigMap Key | Description | Default | Example |
 | ---| ---| ---| --- |
-|*zone-sync* | Enables zone synchronization between NGINX Ingress Controller Pods. This autogenerates a [zone_sync_server](https://nginx.org/en/docs/stream/ngx_stream_zone_sync_module.html#zone_sync_server) and a headless service using the `ReplicaSet` or `DaemonSet` name. Please note that this headless service will be automatically cleaned up when uninstalling via Helm or by removing the value from the ConfigMap. The headless service will need to be manually removed if the `controller.customConfigMap` value is set via Helm or the deployment is uninstalled via Manifests. Each Ingress Controller manages its own headless service.  NGINX Plus Required. | *False* |  |
+|*zone-sync* | Enables zone synchronization between NGINX Ingress Controller Pods. This autogenerates a [zone_sync_server](https://nginx.org/en/docs/stream/ngx_stream_zone_sync_module.html#zone_sync_server) and a headless service using the `ReplicaSet`, `DaemonSet` or `StatefulSet` name. Please note that this headless service will be automatically cleaned up when uninstalling via Helm or by removing the value from the ConfigMap. The headless service will need to be manually removed if the `controller.customConfigMap` value is set via Helm or the deployment is uninstalled via Manifests. Each Ingress Controller manages its own headless service.  NGINX Plus Required. | *False* |  |
 |*zone-sync-port* | Specifies the optional port on which NGINX Ingress Controller listens for zone sync traffic. NGINX Plus & `zone-sync` Required. | *12345* |  |
 |*zone-sync-resolver-addresses* | Configures optional addresses used in the [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) directive for zone-sync. This field takes a comma separated list of addresses. NGINX Plus & `zone-sync` Required | `kube-dns.kube-system.svc.cluster.local` |  |
 |*zone-sync-resolver-ipv6* | Configures whether the optional [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) directive for zone-sync will look up IPv6 addresses. NGINX Plus & `zone-sync` Required | `true` |  |

content/includes/nic/configuration/security.md

@@ -53,10 +53,12 @@ The block below shows the code you will look for:
 #      volumes:
 #      - name: nginx-etc
 #        emptyDir: {}
-#      - name: nginx-cache
-#        emptyDir: {}
+#      - name: nginx-cache  # not required for statefulset
+#        emptyDir: {}       # not required for statefulset
 #      - name: nginx-lib
 #        emptyDir: {}
+#      - name: nginx-lib-state
+#        emptyDir: {}
 #      - name: nginx-log
 #        emptyDir: {}
 .
@@ -73,6 +75,8 @@ The block below shows the code you will look for:
 #          name: nginx-cache
 #        - mountPath: /var/lib/nginx
 #          name: nginx-lib
+#        - mountPath: /var/lib/nginx/state
+#          name: nginx-lib-state
 #        - mountPath: /var/log/nginx
 #          name: nginx-log
 ```

content/includes/nic/installation/deploy-controller.md

@@ -6,5 +6,6 @@ You have two options for deploying NGINX Ingress Controller:
 
 - **Deployment**. Choose this method for the flexibility to dynamically change the number of NGINX Ingress Controller replicas.
 - **DaemonSet**. Choose this method if you want NGINX Ingress Controller to run on all nodes or a subset of nodes.
+- **StatefulSet**. Choose this method when you need stable, persistent storage and ordered deployment/scaling for your NGINX Ingress Controller pods.
 
 Before you start, update the [command-line arguments]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md" >}}) for the NGINX Ingress Controller container in the relevant manifest file to meet your specific requirements.

content/includes/nic/installation/manifests/statefulset.md

@@ -0,0 +1,25 @@
+---
+nd-docs: DOCS-000
+---
+
+For additional context on managing containers using Kubernetes StatefulSets, refer to the official Kubernetes [StatefulSets](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/) documentation.
+
+When you deploy NGINX Ingress Controller as a StatefulSet, Kubernetes creates pods with stable network identities and persistent storage.
+
+- For NGINX, run:
+
+    ```shell
+    kubectl apply -f deployments/stateful-set/nginx-ingress.yaml
+    ```
+
+- For NGINX Plus, run:
+
+    ```shell
+    kubectl apply -f deployments/stateful-set/nginx-plus-ingress.yaml
+    ```
+
+    Update the `nginx-plus-ingress.yaml` file to include your chosen image from the F5 Container registry or your custom container image.
+
+{{< call-out "note" >}}
+StatefulSets include persistent volume claims for nginx cache storage via `volumeClaimTemplates`. You may need to configure a StorageClass in your cluster or modify the volumeClaimTemplates section in the manifest to match your storage requirements. Other volumes (like those needed for App Protect modules) are configured in the regular `volumes` section, not in volumeClaimTemplates. 
+{{< /call-out >}}

content/nic/configuration/global-configuration/configmap-resource.md

@@ -172,7 +172,7 @@ If you encounter the error `error [emerg] 13#13: "zone_sync" directive is duplic
 
 |ConfigMap Key | Description | Default |
 | ---| ---| ---| 
-|*zone-sync* | Enables zone synchronization between NGINX Ingress Controller Pods. This autogenerates a [zone_sync_server](https://nginx.org/en/docs/stream/ngx_stream_zone_sync_module.html#zone_sync_server) and a headless service using the `ReplicaSet` or `DaemonSet` name. Please note that this headless service will be automatically cleaned up when uninstalling via Helm or by removing the value from the ConfigMap. The headless service will need to be manually removed if the `controller.customConfigMap` value is set via Helm or the deployment is uninstalled via Manifests. Each Ingress Controller manages its own headless service.  NGINX Plus Required. | *False* |
+|*zone-sync* | Enables zone synchronization between NGINX Ingress Controller Pods. This autogenerates a [zone_sync_server](https://nginx.org/en/docs/stream/ngx_stream_zone_sync_module.html#zone_sync_server) and a headless service using the `ReplicaSet`, `DaemonSet` or `StatefulSet` name. Please note that this headless service will be automatically cleaned up when uninstalling via Helm or by removing the value from the ConfigMap. The headless service will need to be manually removed if the `controller.customConfigMap` value is set via Helm or the deployment is uninstalled via Manifests. Each Ingress Controller manages its own headless service.  NGINX Plus Required. | *False* |
 |*zone-sync-port* | Specifies the optional port on which NGINX Ingress Controller listens for zone sync traffic. NGINX Plus & `zone-sync` Required. | *12345* |
 |*zone-sync-resolver-addresses* | Configures optional addresses used in the [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) directive for zone-sync. This field takes a comma separated list of addresses. NGINX Plus & `zone-sync` Required | `kube-dns.kube-system.svc.cluster.local` |
 |*zone-sync-resolver-ipv6* | Configures whether the optional [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) directive for zone-sync will look up IPv6 addresses. NGINX Plus & `zone-sync` Required | `true` |

content/nic/configuration/policy-resource.md

@@ -770,11 +770,11 @@ cache:
   overrideUpstreamCache: true
 ```
 
-{{< note >}}
+{{< call-out "note" >}}
 
 The feature is implemented using the NGINX [ngx_http_proxy_module](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path) proxy_cache_path and related directives.
 
-{{< /note >}}
+{{< /call-out >}}
 
 {{% table %}}
 |Field | Description | Type | Required |

content/nic/configuration/security.md

@@ -53,10 +53,12 @@ The block below shows the code you will look for:
 #      volumes:
 #      - name: nginx-etc
 #        emptyDir: {}
-#      - name: nginx-cache
-#        emptyDir: {}
+#      - name: nginx-cache  # not required for statefulset
+#        emptyDir: {}       # not required for statefulset
 #      - name: nginx-lib
 #        emptyDir: {}
+#      - name: nginx-lib-state
+#        emptyDir: {}
 #      - name: nginx-log
 #        emptyDir: {}
 .
@@ -73,6 +75,8 @@ The block below shows the code you will look for:
 #          name: nginx-cache
 #        - mountPath: /var/lib/nginx
 #          name: nginx-lib
+#        - mountPath: /var/lib/nginx/state
+#          name: nginx-lib-state
 #        - mountPath: /var/log/nginx
 #          name: nginx-log
 ```

content/nic/installation/installing-nic/installation-with-helm.md

@@ -129,10 +129,10 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 {{< table >}}
 |Parameter | Description | Default |
 | --- | --- | --- |
-| **controller.name** | The name of the NGINX Ingress Controller daemonset or deployment. | Autogenerated |
-| **controller.kind** | The kind of the NGINX Ingress Controller installation - deployment or daemonset. | deployment |
-| **controller.annotations** | Allows for setting of `annotations` for deployment or daemonset. | {} |
-| **controller.nginxplus** | Deploys the NGINX Ingress Controller for NGINX Plus. | false |
+| **controller.name** | The name of the Ingress Controller deployment, daemonset, or statefulset. | Autogenerated |
+| **controller.kind** | The kind of the Ingress Controller installation - deployment, daemonset, or statefulset. | deployment |
+| **controller.annotations** | Allows for setting of `annotations` for deployment, daemonset, or statefulset. | {} |
+| **controller.nginxplus** | Deploys the Ingress Controller for NGINX Plus. | false |
 | **controller.mgmt.licenseTokenSecretName** | Configures the secret used in the [license_token](https://nginx.org/en/docs/ngx_mgmt_module.html#license_token) directive. This key assumes the secret is in the Namespace that NGINX Ingress Controller is deployed in. The secret must be of type `nginx.com/license` with the base64 encoded JWT in the `license.jwt` key. | license-token |
 | **controller.mgmt.enforceInitialReport** | Configures the [enforce_initial_report](https://nginx.org/en/docs/ngx_mgmt_module.html#enforce_initial_report) directive, which enables or disables the 180-day grace period for sending the initial usage report. | false |
 | **controller.mgmt.usageReport.endpoint** | Configures the endpoint of the [usage_report](https://nginx.org/en/docs/ngx_mgmt_module.html#usage_report) directive. This is used to configure the endpoint NGINX uses to send usage reports to NIM. | product.connect.nginx.com |
@@ -282,7 +282,13 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 | **controller.podDisruptionBudget.annotations** | The annotations of the NGINX Ingress Controller pod disruption budget | {} |
 | **controller.podDisruptionBudget.minAvailable** | The number of Ingress Controller pods that should be available. This is a mutually exclusive setting with "maxUnavailable". | 0 |
 | **controller.podDisruptionBudget.maxUnavailable** | The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". | 0 |
-| **controller.strategy** | Specifies the strategy used to replace old Pods with new ones. Docs for [Deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) and [Daemonset update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) | {} |
+| **controller.strategy** | Specifies the strategy used to replace old Pods with new ones. Docs for [Deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy), [Daemonset update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) and [StatefulSet update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies) | {} |
+| **controller.statefulset.podManagementPolicy** | Controls how pods are created during initial scale up, when replacing pods on nodes, or when scaling down. Available options: `OrderedReady` or `Parallel`. Only applies when `controller.kind` is set to `statefulset`. | `OrderedReady` |
+| **controller.statefulset.persistentVolumeClaimRetentionPolicy.whenDeleted** | Controls the retention policy for PVCs when the StatefulSet is deleted. Available options: `Retain` or `Delete`. Only applies when `controller.kind` is set to `statefulset`. | `Retain` |
+| **controller.statefulset.persistentVolumeClaimRetentionPolicy.whenScaled** | Controls the retention policy for PVCs when the StatefulSet is scaled down. Available options: `Retain` or `Delete`. Only applies when `controller.kind` is set to `statefulset`. | `Retain` |
+| **controller.statefulset.nginxCachePVC.size** | The size of the persistent volume claim for NGINX cache storage. Only applies when `controller.kind` is set to `statefulset`. | `256Mi` |
+| **controller.statefulset.nginxCachePVC.storageClass** | The storage class for the persistent volume claim. Only applies when `controller.kind` is set to `statefulset`. | `""` |
+| **controller.statefulset.nginxCachePVC.accessModes** | The access modes for the persistent volume claim. Only applies when `controller.kind` is set to `statefulset`. | `["ReadWriteOnce"]` |
 | **controller.disableIPV6** | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false |
 | **controller.defaultHTTPListenerPort**  | Sets the port for the HTTP `default_server` listener. | 80 |
 | **controller.defaultHTTPSListenerPort**  | Sets the port for the HTTPS `default_server` listener. | 443 |

content/nic/installation/installing-nic/installation-with-manifests.md

@@ -132,10 +132,11 @@ kubectl apply -f config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yam
 
 ## Deploy NGINX Ingress Controller {#deploy-ingress-controller}
 
-You have two options for deploying NGINX Ingress Controller:
+You have three options for deploying NGINX Ingress Controller:
 
 - **Deployment**. Choose this method for the flexibility to dynamically change the number of NGINX Ingress Controller replicas.
 - **DaemonSet**. Choose this method if you want NGINX Ingress Controller to run on all nodes or a subset of nodes.
+- **StatefulSet**. Choose this method when you need stable, persistent storage and ordered deployment/scaling for your NGINX Ingress Controller pods.
 
 Before you start, update the [command-line arguments]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md" >}}) for the NGINX Ingress Controller container in the relevant manifest file to meet your specific requirements.
 
@@ -147,6 +148,10 @@ Before you start, update the [command-line arguments]({{< ref "/nic/configuratio
 
 {{< include "/nic/installation/manifests/daemonset.md" >}}
 
+### Using a StatefulSet
+
+{{< include "/nic/installation/manifests/statefulset.md" >}}
+
 ---
 
 ## Confirm NGINX Ingress Controller is running
@@ -157,9 +162,9 @@ Before you start, update the [command-line arguments]({{< ref "/nic/configuratio
 
 ## How to access NGINX Ingress Controller
 
-### Using a Deployment
+### Using a Deployment or StatefulSet
 
-For Deployments, you have two options for accessing NGINX Ingress Controller pods.
+For Deployments and StatefulSets, you have two options for accessing NGINX Ingress Controller pods.
 
 #### Option 1: Create a NodePort service
 

content/nic/installation/integrations/app-protect-dos/installation.md

@@ -166,6 +166,10 @@ kubectl apply -f config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yam
 
 {{< include "/nic/installation/manifests/daemonset.md" >}}
 
+### Using a StatefulSet
+
+{{< include "/nic/installation/manifests/statefulset.md" >}}
+
 ---
 
 ## Install the App Protect DoS Arbitrator
@@ -204,7 +208,7 @@ Alternatively, you can install the App Protect DoS Arbitrator using the YAML man
 
 To enable the NGINX App Protect DoS Module:
 
-- Add the `enable-app-protect-dos` [command-line argument]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#cmdoption-enable-app-protect-dos" >}}) to your Deployment or DaemonSet file.
+- Add the `enable-app-protect-dos` [command-line argument]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#cmdoption-enable-app-protect-dos" >}}) to your Deployment, DaemonSet, or StatefulSet file.
 
 ---
 

content/nic/installation/integrations/app-protect-waf-v5/installation.md

@@ -132,7 +132,7 @@ docker push <my-docker-registry>/waf-enforcer:<your-tag>
 
 ## Deploy NGINX Ingress Controller {#deploy-ingress-controller}
 
-{{< call-out "important" >}} NGINX Ingress Controller with the AppProtect WAF v5 module works only with policy bundles. You need to modify the Deployment or DaemonSet file to include volumes, volume mounts and two WAF 5 docker images: `waf-config-mgr` and `waf-enforcer`.
+{{< important >}} NGINX Ingress Controller with the AppProtect WAF v5 module works only with policy bundles. You need to modify the Deployment, DaemonSet, or StatefulSet file to include volumes, volume mounts and two WAF 5 docker images: `waf-config-mgr` and `waf-enforcer`.
 
 NGINX Ingress Controller **requires** the volume mount path to be `/etc/app_protect/bundles`. {{< /call-out >}}
 
@@ -227,18 +227,18 @@ Create required volumes:
 volumes:
   - name: nginx-etc
     emptyDir: {}
-  - name: nginx-cache
-    emptyDir: {}
+  - name: nginx-cache # not required for statefulset
+    emptyDir: {}      # not required for statefulset
   - name: nginx-lib
     emptyDir: {}
   - name: nginx-log
     emptyDir: {}
-  - emptyDir: {}
-    name: app-protect-bd-config
-  - emptyDir: {}
-    name: app-protect-config
-  - emptyDir: {}
-    name: app-protect-bundles
+  - name: app-protect-bd-config
+    emptyDir: {}
+  - name: app-protect-config
+    emptyDir: {}
+  - name: app-protect-bundles
+    emptyDir: {}
 ```
 
 Set `controller.securityContext.readOnlyRootFilesystem` to `true`.
@@ -291,6 +291,7 @@ You have two options for deploying NGINX Ingress Controller:
 
 - **Deployment**. Choose this method for the flexibility to dynamically change the number of NGINX Ingress Controller replicas.
 - **DaemonSet**. Choose this method if you want NGINX Ingress Controller to run on all nodes or a subset of nodes.
+- **StatefulSet**. Choose this method when you need stable, persistent storage and ordered deployment/scaling for your NGINX Ingress Controller pods.
 
 ---
 
@@ -377,7 +378,7 @@ Add `waf-enforcer` image to the `containers` section:
 ...
 ```
 
-### Update NIC container in deployment or daemonset
+### Update NIC container in deployment, daemonset or statefulset
 
 Add `volumeMounts` as below:
 
@@ -464,6 +465,10 @@ Add `readOnlyRootFilesystem` to the `waf-enforcer` container and set value to `t
 ...
 ```
 
+{{< call-out "note" >}}
+**StatefulSet Volume Configuration**: When using StatefulSet deployments, the `nginx-cache` volume is automatically provided via `volumeClaimTemplates` for persistent storage. App Protect WAF v5 volumes (like app-protect-config, app-protect-bundles) are still configured as regular volumes in the `volumes` section. Use `emptyDir` for temporary data or PersistentVolumeClaims if you need persistence for App Protect configurations across pod restarts.
+{{< /call-out >}}
+
 ### Using a Deployment
 
 {{< include "/nic/installation/manifests/deployment.md" >}}
@@ -472,13 +477,17 @@ Add `readOnlyRootFilesystem` to the `waf-enforcer` container and set value to `t
 
 {{< include "/nic/installation/manifests/daemonset.md" >}}
 
+### Using a StatefulSet
+
+{{< include "/nic/installation/manifests/statefulset.md" >}}
+
 ---
 
 ### Enable NGINX App Protect WAF module
 
 To enable the NGINX App Protect DoS Module:
 
-- Add the `enable-app-protect` [command-line argument]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#cmdoption-enable-app-protect" >}}) to your Deployment or DaemonSet file.
+- Add the `enable-app-protect` [command-line argument]({{< ref "/nic/configuration/global-configuration/command-line-arguments.md#cmdoption-enable-app-protect" >}}) to your Deployment, DaemonSet, or StatefulSet file.
 
 {{%/tab%}}