F5 Container Integrations v2.0


Expose OpenShift Services to External Traffic using Routes

Overview

As described in the OpenShift documentation, the IP address assigned to an OpenShift Pod is only accessible from within the cluster network. You can use the BIG-IP Controller for OpenShift as a router to expose Services to external traffic.

When you use the BIG-IP Controller as a Router, you can

Attention

  • All Route resources share two virtual servers:

    • “ose-vserver” for HTTP traffic, and
    • “https-ose-vserver” for HTTPS traffic.

    These are the default names used for the virtual servers. You can set custom names for HTTP and HTTPS virtual servers using the route-http-vserver and route-https-vserver configuration parameters, respectively.

Task table

Step  Task
1     Set up the BIG-IP Controller to manage Routes
2     Create a new OpenShift Route Resource
3     SSL Profiles (OPTIONAL)
4     Health monitors (OPTIONAL)
5     Deploy the Route Resource
6     Verify creation of BIG-IP objects

Set up the BIG-IP Controller to manage Routes

If you haven’t already done so, add the BIG-IP Controller Route configuration parameters to the BIG-IP Controller Deployment:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      name: k8s-bigip-ctlr
      labels:
        app: k8s-bigip-ctlr
    spec:
      # Name of the Service Account bound to a Cluster Role with the required
      # permissions
      serviceAccountName: bigip-ctlr
      containers:
        - name: k8s-bigip-ctlr
          image: "f5networks/k8s-bigip-ctlr:1.3.0"
          env:
            - name: BIGIP_USERNAME
              valueFrom:
                secretKeyRef:
                  # Replace with the name of the Secret containing your login
                  # credentials
                  name: bigip-login
                  key: username
            - name: BIGIP_PASSWORD
              valueFrom:
                secretKeyRef:
                  # Replace with the name of the Secret containing your login
                  # credentials
                  name: bigip-login
                  key: password
          command: ["/app/bin/k8s-bigip-ctlr"]
          args: [
            "--bigip-username=$(BIGIP_USERNAME)",
            "--bigip-password=$(BIGIP_PASSWORD)",
            # Replace with the IP address or hostname of your BIG-IP device
            "--bigip-url=10.190.24.171",
            # Replace with the name of the BIG-IP partition you want to manage
            "--bigip-partition=openshift",
            # To manage a single namespace, enter it below
            # (required in v1.0.0)
            # To manage all namespaces, omit the `namespace` entry
            # (default as of v1.1.0)
            # To manage multiple namespaces, enter a separate flag for each
            # namespace below (as of v1.1.0)
            #"--namespace=default",
            "--pool-member-type=cluster",
            # Replace with the path to the BIG-IP VXLAN connected to the
            # OpenShift HostSubnet
            "--openshift-sdn-name=/Common/openshift_vxlan",
            # Enables use of a BIG-IP device as an OpenShift Router
            # (available as of v1.2.0)
            "--manage-routes=true",
            # Assign an IP address to the BIG-IP virtual server
            # Be sure to use an IP address from the HostSubnet to which the
            # BIG-IP device connects
            "--route-vserver-addr=1.2.3.4",
            # OPTIONAL: Provide an "f5type" label you want the BIG-IP Controller
            # to watch for. This information should be defined in a Route
            # Resource (for example, "f5type: App1")
            "--route-label=App1"
            ]
      imagePullSecrets:
        - name: f5-docker-images

Create a new OpenShift Route Resource

To use the BIG-IP device as an OpenShift Router, create a new Route Resource. The BIG-IP Controller supports use of the following Route Resource types:

Unsecured

apiVersion: v1
kind: Route
metadata:
  labels:
    name: myService
  name: myService-route-unsecured
  namespace: default
spec:
  host: mysite.example.com
  path: "/myApp"
  port:
    targetPort: 80
  to:
    kind: Service
    name: myService

f5-openshift-unsecured-route.yaml

Edge Termination

apiVersion: v1
kind: Route
metadata:
  labels:
    name: myService
  name: myService-route-edge
  namespace: default
spec:
  host: mysite.example.com
  path: "/myApp"
  port:
    targetPort: 443
  tls:
    certificate: |
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      [...]
      -----END PRIVATE KEY-----
    caCertificate: |
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
    termination: edge
    insecureEdgeTerminationPolicy: Allow
  to:
    kind: Service
    name: myService

f5-openshift-edge-route.yaml

Passthrough Termination

apiVersion: v1
kind: Route
metadata:
  labels:
    name: myService
  name: myService-route-passthrough
  namespace: default
spec:
  host: mysite.example.com
  path: "/myApp"
  port:
    targetPort: 443
  tls:
    termination: passthrough
  to:
    kind: Service
    name: myService

f5-openshift-passthrough-route.yaml

Re-encryption Termination

apiVersion: v1
kind: Route
metadata:
  labels:
    name: myService
  name: myService-route-reencrypt
  namespace: default
spec:
  host: mysite.example.com
  path: "/myApp"
  port:
    targetPort: https
  tls:
    certificate: |
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
    # The key block holds the private key matching the certificate above
    key: |
      -----BEGIN PRIVATE KEY-----
      [...]
      -----END PRIVATE KEY-----
    destinationCACertificate: |
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
    termination: reencrypt
  to:
    kind: Service
    name: myService
    weight: 100

f5-openshift-reencrypt-route.yaml

Attach BIG-IP objects to the Route virtual servers

Use the BIG-IP Controller Route annotations to attach various types of BIG-IP objects to the virtual servers corresponding to OpenShift Routes.

Health monitors

  1. Define the virtual-server.f5.com/health annotation JSON blob using the BIG-IP Controller supported route annotations.

  2. Add the health monitor annotation to the Route Resource.

    Health Monitor Example
    apiVersion: v1
    kind: Route
    metadata:
      name: route-unsecured
      annotations:
        virtual-server.f5.com/health: |
          [
            {
              "path":     "mysite.example.com/app1",
              "send":     "HTTP GET /health/app1",
              "interval": 5,
              "timeout":  10
            }
          ]
    spec:
      host: mysite.example.com
      path: "/app1"
      to:
        kind: Service
        name: myService1
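
A pre-deployment check for the Route types and the health annotation described above. This is an added example, not code from the page or from the BIG-IP Controller project; it assumes a Route has already been parsed from YAML into a dict, that the TLS fields each termination type needs are the ones shown in the four manifests above, and that a health monitor's "path" is the Route's host followed by spec.path, as in the example annotation.

```python
import json

# Which spec.tls fields each termination type needs (taken from the Route examples on this page).
REQUIRED_TLS = {
    "edge": {"certificate", "key"},
    "passthrough": set(),
    "reencrypt": {"certificate", "key", "destinationCACertificate"},
}
HEALTH_ANNOTATION = "virtual-server.f5.com/health"
HEALTH_KEYS = {"path", "send", "interval", "timeout"}


def check_route(route):
    """Return a list of problems found in one Route dict; an empty list means it looks deployable."""
    problems = []
    spec = route.get("spec", {})
    tls = spec.get("tls")
    if tls is not None:
        term = tls.get("termination")
        if term not in REQUIRED_TLS:
            problems.append(f"unknown termination {term!r}")
        else:
            missing = REQUIRED_TLS[term] - set(tls)
            if missing:
                problems.append(f"{term}: missing tls fields {sorted(missing)}")
            if term == "passthrough" and {"certificate", "key"} & set(tls):
                problems.append("passthrough: certificate/key are never used; TLS is not terminated on BIG-IP")
            if term == "edge" and tls.get("insecureEdgeTerminationPolicy") == "Allow":
                problems.append("edge: insecureEdgeTerminationPolicy=Allow also exposes this route over plain HTTP")
    annotations = route.get("metadata", {}).get("annotations", {})
    if HEALTH_ANNOTATION in annotations:
        try:
            monitors = json.loads(annotations[HEALTH_ANNOTATION])
        except json.JSONDecodeError as exc:
            return problems + [f"health annotation is not valid JSON: {exc}"]
        expected = spec.get("host", "") + spec.get("path", "")  # assumption: monitor path == host + spec.path
        for mon in monitors:
            missing = HEALTH_KEYS - set(mon)
            if missing:
                problems.append(f"health monitor missing keys {sorted(missing)}")
            if mon.get("path") != expected:
                problems.append(f"health monitor path {mon.get('path')!r} does not match {expected!r}")
    return problems


# Constructed sample Routes (parsed form of manifests like those above); not taken from the page.
GOOD_EDGE = {"metadata": {"name": "app-edge"},
             "spec": {"host": "mysite.example.com", "path": "/myApp",
                      "tls": {"termination": "edge", "certificate": "<pem>", "key": "<pem>"},
                      "to": {"kind": "Service", "name": "myService"}}}
BAD_REENCRYPT = {"metadata": {"name": "app-reencrypt", "annotations": {HEALTH_ANNOTATION:
                 '[{"path": "mysite.example.com/other", "send": "HTTP GET /health", "interval": 5, "timeout": 10}]'}},
                 "spec": {"host": "mysite.example.com", "path": "/myApp",
                          "tls": {"termination": "reencrypt", "certificate": "<pem>", "key": "<pem>"},
                          "to": {"kind": "Service", "name": "myService"}}}
```

Running `check_route` over every Route manifest before `oc create` catches a reencrypt Route that lacks its destinationCACertificate, or a monitor that points at a path the Route does not serve, before the Controller pushes a half-configured virtual server to BIG-IP.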
    

SSL Profiles

By default, the Controller creates custom BIG-IP SSL Profiles using the certificates and keys defined in the Route resource. You can also use an existing BIG-IP SSL profile to secure traffic for a Route.

  • For a Client SSL profile, annotate the Route resource as shown below:

    oc annotate route <route_name> virtual-server.f5.com/clientssl=<BIG-IP-SSL-profile-name>
    
  • For a Server SSL profile, annotate the Route resource as shown below:

    oc annotate route <route_name> virtual-server.f5.com/serverssl=<BIG-IP-SSL-profile-name>
    

Note

Each SSL profile applies to one (1) individual Route. In addition, the Controller creates one Client SSL and one Server SSL profile for the HTTPS virtual server, called “default-client-ssl” and “default-server-ssl”. These are the default profiles used for SNI.

Deploy the Route Resource

Use oc create to upload the Route Resource to the OpenShift API server.

oc create -f <filename>.yaml
route myRoute created

Verify creation of BIG-IP objects

You can use TMOS or the BIG-IP configuration utility to verify that the BIG-IP Controller created the requested BIG-IP objects for your Route.

To verify using the BIG-IP configuration utility:

  1. Log in to the configuration utility at the management IP address (for example: https://10.190.25.225/tmui/login.jsp?).
  2. Select the correct partition from the Partition drop-down menu.
  3. Go to Local Traffic ‣ Virtual Servers to view all virtual servers, pools, and pool members.
  4. Go to Local Traffic ‣ Policies to view all of the policies configured in the partition.

To verify using TMOS, see the TMSH Reference Guide (PDF) for the relevant tmsh commands.