F5 Container Integrations v1.3


Set up authentication to a secure DC/OS cluster

If you’re using the Apache Mesos DC/OS cluster security features, you’ll need to give BIG-IP Controller for Marathon access to your cluster.

DC/OS Open

Apache Mesos DC/OS Open uses DC/OS oauth to secure access. To use the BIG-IP Controller App with a secure cluster, assign it a user account with permission to access the desired cluster.

  1. Create a user account for the App.

  2. Generate the HTTP API token and record it in a safe place.

  3. Add the token to your BIG-IP Controller App definition using the F5_CC_DCOS_AUTH_TOKEN configuration parameter.

    // REMOVE ALL COMMENTS FROM THIS FILE BEFORE USING
    {
      "id": "marathon-bigip-ctlr",
      "cpus": 0.5,
      "mem": 64.0,
      "instances": 1,
      "container": {
        "type": "DOCKER",
        "docker": {
          // replace the version as needed
          "image": "f5networks/marathon-bigip-ctlr:1.1.0",
          "network": "BRIDGE"
        }
      },
      "env": {
        "MARATHON_URL": "http://10.190.25.75:8080",
        "F5_CC_PARTITIONS": "mesos",
        "F5_CC_BIGIP_HOSTNAME": "10.190.25.80",
        "F5_CC_DCOS_AUTH_CREDENTIALS": "{ \"scheme\": \"RS256\", \"uid\": \"my-dcos-account\", \"login_endpoint\": \"https://10.190.25.75:8080/acs/api/v1/auth/login\", \"private_key\": \"<my-private_key-string>\" }",
        "F5_CC_MARATHON_CA_CERT": "<marathon_ca_cert>",
        // Mesos DC/OS Open oauth authentication
        "F5_CC_DCOS_AUTH_TOKEN": "<authentication-token>"
      }
    }


DC/OS Enterprise

DC/OS Enterprise provides access control via Service Accounts.

  • If you use the permissive or strict Security Mode, you’ll need to create a Service Account for the BIG-IP Controller.
  • If you have disabled the Security Mode, you don’t need to create a Service Account for the BIG-IP Controller.

  1. Create a Service Account with the permissions shown below.

     Resource                                      Action
     dcos:adminrouter:service:marathon             full
     dcos:service:marathon:marathon:admin:events   read
     dcos:service:marathon:marathon:services:/     read
  2. Get the certificate for your cluster:

    curl -k -v https://<cluster-url>/ca/dcos-ca.crt -o dcos-ca.crt
    

    Important

    If you don’t provide a server certificate, the BIG-IP Controller won’t be able to authenticate to the Marathon API server.

  3. Define the F5_CC_DCOS_AUTH_CREDENTIALS JSON blob.

    Important

    • F5_CC_DCOS_AUTH_CREDENTIALS is a JSON object, so you’ll have to escape all quotes (e.g., \").
    • Incorrectly formatted keys will cause authentication failures. Denote all newlines (\n) in the private key string before removing the line breaks.
    "{
        \"scheme\": \"RS256\",
        ## the DC/OS account name
        \"uid\": \"<service_account_name>\",
        ## the cluster login endpoint
        \"login_endpoint\": \"https://<mesos_master>/acs/api/v1/auth/login\",
        ## the contents of the private key you created for the DC/OS account
        \"private_key\": \"<private_key>\"
    }"
    
  4. Add the F5_CC_DCOS_AUTH_CREDENTIALS and F5_CC_MARATHON_CA_CERT labels to the BIG-IP Controller App definition.

    // REMOVE ALL COMMENTS FROM THIS FILE BEFORE USING
    {
      "id": "marathon-bigip-ctlr",
      "cpus": 0.5,
      "mem": 64.0,
      "instances": 1,
      "container": {
        "type": "DOCKER",
        "docker": {
          // replace the version as needed
          "image": "f5networks/marathon-bigip-ctlr:1.1.0",
          "network": "BRIDGE"
        }
      },
      "env": {
        "MARATHON_URL": "http://10.190.25.75:8080",
        "F5_CC_PARTITIONS": "mesos",
        "F5_CC_BIGIP_HOSTNAME": "10.190.25.80",
        "F5_CC_DCOS_AUTH_CREDENTIALS": "{ \"scheme\": \"RS256\", \"uid\": \"my-dcos-account\", \"login_endpoint\": \"https://10.190.25.75:8080/acs/api/v1/auth/login\", \"private_key\": \"<my-private_key-string>\" }",
        "F5_CC_MARATHON_CA_CERT": "<marathon_ca_cert>",
        // Mesos DC/OS Open oauth authentication
        "F5_CC_DCOS_AUTH_TOKEN": "<authentication-token>"
      }
    }
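The escaping that steps 3 and 4 require is easy to get wrong by hand. The following added helper (not F5's code) builds the F5_CC_DCOS_AUTH_CREDENTIALS value from a PEM key, checks it the way a consumer would parse it, and emits a comment-free app definition; the key material, account name, addresses and function names are constructed placeholders.

```python
import json

# Constructed placeholder key (not a real key); a real PEM has many base64 lines.
SAMPLE_PEM = ("-----BEGIN PRIVATE KEY-----\n"
              "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7placeholder\n"
              "-----END PRIVATE KEY-----\n")

def build_dcos_auth_credentials(uid, login_endpoint, private_key_pem):
    """Return the string to place in F5_CC_DCOS_AUTH_CREDENTIALS.

    json.dumps writes each PEM line break as the two characters \\n and
    quotes every key and value, which is the formatting step 3 asks for.
    """
    creds = {"scheme": "RS256", "uid": uid,
             "login_endpoint": login_endpoint, "private_key": private_key_pem}
    return json.dumps(creds)

def check_dcos_auth_credentials(value):
    """Parse the env value as a consumer would and report the usual mistakes."""
    try:
        creds = json.loads(value)
    except ValueError as exc:
        return False, "not valid JSON (unescaped quote or cut-off?): %s" % exc
    for key in ("scheme", "uid", "login_endpoint", "private_key"):
        if key not in creds:
            return False, "missing field %s" % key
    if creds["scheme"] != "RS256":
        return False, "scheme must be RS256"
    pem = creds["private_key"]
    if not (pem.startswith("-----BEGIN") and "\n" in pem.strip()):
        return False, "private key lost its line breaks (newlines not denoted)"
    if not creds["login_endpoint"].startswith("https://"):
        return False, "login_endpoint should use https"
    return True, "ok"

def build_app_definition(marathon_url, bigip_host, partition, ca_cert, creds_value):
    """Render the Marathon app definition as JSON text; the nested credential
    quotes come out as \\" exactly as shown in the doc, with no comments."""
    app = {
        "id": "marathon-bigip-ctlr", "cpus": 0.5, "mem": 64.0, "instances": 1,
        "container": {"type": "DOCKER", "docker": {
            "image": "f5networks/marathon-bigip-ctlr:1.1.0", "network": "BRIDGE"}},
        "env": {"MARATHON_URL": marathon_url, "F5_CC_PARTITIONS": partition,
                "F5_CC_BIGIP_HOSTNAME": bigip_host,
                "F5_CC_DCOS_AUTH_CREDENTIALS": creds_value,
                "F5_CC_MARATHON_CA_CERT": ca_cert},
    }
    return json.dumps(app, indent=2)
```

Run check_dcos_auth_credentials on the value before pasting it into the app definition; a key whose line breaks were stripped without denoting them as \n is rejected here rather than failing later at login.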