Attach Virtual Servers to Services

Tip

You can use F5 resources to attach custom BIG-IP virtual servers to Services in both Kubernetes and OpenShift.

Overview

An F5 Resource ConfigMap lets you expose an individual Service to external traffic. Use an F5 resource if you need:

  • a greater degree of flexibility and customization than that provided for Ingresses and Routes;
  • to deploy iApps;
  • L4 ingress (TCP or UDP);
  • L7 ingress on non-standard ports (for example, 8080, 8443).

Task summary

  1. Define a virtual server for a Service
  2. Upload the ConfigMap to the API Server
  3. Verify changes on the BIG-IP system

Define a virtual server for a Service

  1. Define the virtual server you want to create in an F5 resource JSON blob.
  2. Include the JSON blob in the data section of a Kubernetes ConfigMap resource.

HTTP example

For example, if your Service looks like this:

apiVersion: v1
kind: Service
metadata:
  name: myService
  labels:
    app: myApp
spec:
  ports:
  - protocol: TCP
    port: 80
    targetPort: 9376
  type: ClusterIP

Your F5 resource ConfigMap might look like this:

kind: ConfigMap
apiVersion: v1
metadata:
  name: myApp.vs
  labels:
    f5type: virtual-server
data:
  # http://clouddocs.f5.com/containers/latest/releases_and_versioning.html#f5-schema
  schema: "f5schemadb://bigip-virtual-server_v0.1.7.json"
  data: |
    {
      "virtualServer": {
        "backend": {
          "servicePort": 80,
          "serviceName": "myService"
        },
        "frontend": {
          "virtualAddress": {
            "port": 8080,
            "bindAddr": "1.2.3.4"
          },
          "partition": "k8s",
          "balance": "least-connections-member",
          "mode": "http"
        }
      }
    }

f5-resource-vs-example.configmap.yaml

  • The backend.servicePort property in the F5 resource matches the ports.port property in the Service definition. The BIG-IP Controller uses this to relate the Pod Node Ports and Endpoints to the BIG-IP virtual server.
  • The ports.targetPort setting is the Pod/Container port to which you want to send traffic.
  • You can replace the balance value with any supported BIG-IP load balancing mode. [1]

HTTPS example

For an HTTPS virtual server, your ConfigMap for the same Service might look like this:

kind: ConfigMap
apiVersion: v1
metadata:
  name: myApp.vs.https
  labels:
    f5type: virtual-server
data:
  schema: "f5schemadb://bigip-virtual-server_v0.1.7.json"
  data: |
    {
      "virtualServer": {
        "backend": {
          "servicePort": 80,
          "serviceName": "myService"
        },
        "frontend": {
          "virtualAddress": {
            "port": 8443,
            "bindAddr": "1.2.3.4"
          },
          "partition": "k8s",
          "balance": "round-robin",
          "mode": "http",
          "sslProfile": {
            "f5ProfileName": "Common/clientssl"
          }
        }
      }
    }

f5-resource-configmap-https.yaml

  • You can define sslProfile.f5ProfileName using any existing BIG-IP client SSL profile.
  • To provide a list of SSL profiles, use sslProfile.f5ProfileNames.
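
The checks described in the HTTP and HTTPS examples can be run on the JSON blob before you upload the ConfigMap. The following is an added example, not part of the BIG-IP Controller or the original page; the lint_f5_resource function, the SERVICE dictionary, and the sample blobs are constructed for illustration. It rejects a blob that is not valid JSON, reports a backend that does not point at the Service's name and ports.port, and warns when no sslProfile is set.

```python
import json

# Constructed sample: name and ports.port values of the Service shown above.
SERVICE = {"name": "myService", "ports": [80]}

# Constructed samples of the ConfigMap's data.data blob.
GOOD = """{"virtualServer": {
  "backend": {"servicePort": 80, "serviceName": "myService"},
  "frontend": {"virtualAddress": {"port": 8443, "bindAddr": "1.2.3.4"},
               "partition": "k8s", "balance": "round-robin", "mode": "http",
               "sslProfile": {"f5ProfileName": "Common/clientssl"}}}}"""
TRAILING_COMMA = GOOD.replace('"myService"}', '"myService",}')
# Common mistake: using the Service's targetPort instead of ports.port.
TARGET_PORT_USED = GOOD.replace('"servicePort": 80', '"servicePort": 9376')


def lint_f5_resource(blob, service):
    """Return 'error: ...' / 'warning: ...' findings for one F5 resource blob."""
    try:
        vs = json.loads(blob)["virtualServer"]
    except json.JSONDecodeError as exc:
        return [f"error: invalid JSON at line {exc.lineno}, column {exc.colno}"]
    except (KeyError, TypeError):
        return ["error: no top-level virtualServer object"]
    if not isinstance(vs, dict):
        return ["error: virtualServer is not an object"]
    findings = []
    backend = vs.get("backend") or {}
    frontend = vs.get("frontend") or {}
    if backend.get("serviceName") != service["name"]:
        findings.append("error: backend.serviceName does not match the Service name")
    port = backend.get("servicePort")
    if port not in service["ports"]:
        findings.append(f"error: backend.servicePort {port} is not a ports.port of the Service")
    ssl = frontend.get("sslProfile") or {}
    if not (ssl.get("f5ProfileName") or ssl.get("f5ProfileNames")):
        findings.append("warning: no client SSL profile (sslProfile) on this virtual server")
    return findings


if __name__ == "__main__":
    for label, blob in [("good", GOOD), ("trailing comma", TRAILING_COMMA),
                        ("targetPort used", TARGET_PORT_USED)]:
        print(label, "->", lint_f5_resource(blob, SERVICE) or "ok")
```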

Upload the ConfigMap to the API Server

Tip

If you want to create both HTTP and HTTPS virtual servers (in other words, expose multiple ports) for the same Service, create an F5 resource ConfigMap for each port. You can pass the names of both YAML files in your apply command or include both resources in a single manifest file.

Kubernetes

Tip

When uploading resources that don’t reside in the default namespace, specify the correct namespace using the --namespace (or -n) flag.

kubectl
kubectl apply -f <filename.yaml> [--namespace=<resource-namespace>]

OpenShift

Tip

When uploading resources that don’t reside in the default or current Project, specify the correct Project using the --namespace (or -n) flag.

openshift cli
oc apply -f <filename.yaml> [--namespace=<resource-project>]

Verify changes on the BIG-IP system

You can use the BIG-IP configuration utility or a TMOS shell to verify creation/modification/deletion of BIG-IP objects.

Configuration Utility

  • Go to Local Traffic ‣ Virtual Servers.
  • Select the correct partition from the Partition drop-down menu.

TMOS Management Console

admin@(bigip)(cfg-sync Standalone)(Active)(/Common) cd my-partition
admin@(bigip)(cfg-sync Standalone)(Active)(/my-partition) tmsh
admin@(bigip)(cfg-sync Standalone)(Active)(/my-partition)(tmos)$ show ltm virtual
------------------------------------------------------------------
Ltm::Virtual Server: default_myApp.vs_173.16.2.2_80
------------------------------------------------------------------
Status
  Availability     : available
  State            : enabled
  Reason           : The virtual server is available
  CMP              : enabled
  CMP Mode         : all-cpus
  Destination      : 173.16.2.2:80
...
Ltm::Virtual Server: default_myApp.vs_173.16.2.2_443
------------------------------------------------------------------
Status
  Availability     : available
  State            : enabled
  Reason           : The virtual server is available
  CMP              : enabled
  CMP Mode         : all-cpus
  Destination      : 173.16.2.2:443
...

Removing or replacing Services

If you remove the Service associated with an F5 resource ConfigMap from the API server, the BIG-IP Controller will remove all BIG-IP objects associated with that Service.

If you remove a Service, you should also delete the F5 Resource ConfigMap associated with it.

When replacing a Service, you should create a new F5 resource ConfigMap that meets the new Service’s needs.

See also

See Manage Your BIG-IP Virtual Servers for more information.

Footnotes

[1] The BIG-IP Controller supports BIG-IP load balancing algorithms that do not require additional configuration parameters. You can view the full list of supported algorithms in the f5-cccl schema. See the BIG-IP Local Traffic Management Basics user guide for information about each load balancing mode.