From d5bc4e904d090eb5484ecf7fd956e1f3fca0c471 Mon Sep 17 00:00:00 2001 From: nginx-seanmoloney Date: Tue, 21 Apr 2026 12:52:21 +0100 Subject: [PATCH 1/3] Add instructions that shows a user how update an existing license --- content/nic/install/license-secret.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/content/nic/install/license-secret.md b/content/nic/install/license-secret.md index d9066ef6ba..2dea0fa713 100644 --- a/content/nic/install/license-secret.md +++ b/content/nic/install/license-secret.md @@ -41,6 +41,30 @@ Once created, you can download the `.jwt` file. {{< include "/nic/installation/jwt-password-note.md" >}} +### Update the Secret + +If you've already deployed NGINX Ingress Controller and need to rotate or renew the JWT (for example, when the existing token is about to expire or has been replaced), update the existing Secret in place. + +First, take your new JWT license token, and save it to your existing `license.jwt` file. + +Next, use the following command to generate the updated Secret manifest and apply it: + +```shell +kubectl create secret generic license-token \ +--save-config \ +--dry-run=client \ +--from-file=license.jwt=license.jwt \ +--type=nginx.com/license \ +-o yaml | \ +kubectl apply -f - +``` + +Notes: +- Replace `license.jwt` on the `--from-file` flag with the path to your renewed JWT file if it's not in the current directory. +- If your Secret resides in a specific namespace, include `-n ` on the `kubectl create secret` command so the generated YAML contains the correct namespace. +- Ensure the Secret name (`license-token` by default) matches the name referenced by your Helm values or Management ConfigMap. +- After the Secret is updated, the mounted Secret volume in the Pod is refreshed automatically by Kubernetes. NGINX Plus applies the updated license automatically. If you do not see the update take effect after a short period, restart the Ingress Controller Pod(s) to force a re-read of the Secret. + ### Add the license Secret to your deployment If using a name other than the default `license-token`, provide the name of this Secret when installing NGINX Ingress Controller: From 49de896cd519fa44978d12b7fccc386025a1c37e Mon Sep 17 00:00:00 2001 From: nginx-seanmoloney Date: Tue, 21 Apr 2026 14:52:18 +0100 Subject: [PATCH 2/3] Minor change to kubectl param --- content/nic/install/license-secret.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nic/install/license-secret.md b/content/nic/install/license-secret.md index 2dea0fa713..b1de22a6c5 100644 --- a/content/nic/install/license-secret.md +++ b/content/nic/install/license-secret.md @@ -53,7 +53,7 @@ Next, use the following command to generate the updated Secret manifest and appl kubectl create secret generic license-token \ --save-config \ --dry-run=client \ ---from-file=license.jwt=license.jwt \ +--from-file==license.jwt \ --type=nginx.com/license \ -o yaml | \ kubectl apply -f - From 6f7b6871b497553a1a6f31811ff889b181a53d1f Mon Sep 17 00:00:00 2001 From: nginx-seanmoloney Date: Tue, 21 Apr 2026 15:42:09 +0100 Subject: [PATCH 3/3] Correct param --- content/nic/install/license-secret.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/nic/install/license-secret.md b/content/nic/install/license-secret.md index b1de22a6c5..d1f0ccf59c 100644 --- a/content/nic/install/license-secret.md +++ b/content/nic/install/license-secret.md @@ -53,7 +53,7 @@ Next, use the following command to generate the updated Secret manifest and appl kubectl create secret generic license-token \ --save-config \ --dry-run=client \ ---from-file==license.jwt \ +--from-file=license.jwt= \ --type=nginx.com/license \ -o yaml | \ kubectl apply -f -