The F5 BIG-IP Controller for Cloud Foundry (cf-bigip-ctlr) manages F5 BIG-IP Local Traffic Manager (LTM) objects from Cloud Foundry.
See the F5 Container Connector for Cloud Foundry user documentation.
The F5 BIG-IP Controller for Cloud Foundry is a Docker container that runs in a Cloud Foundry cell. It subscribes to the Cloud Foundry NATS message bus and routing API; gathers application route information; and configures the BIG-IP device with a routing policy, emulating the behavior of the Cloud Foundry Gorouter.
The F5 BIG-IP Controller for Cloud Foundry receives route updates and transforms them into BIG-IP policies when the following events occur in Cloud Foundry:
For example:
The BIG-IP device handles traffic for every Cloud Foundry route and application and load balances to each application instance. All route domains are global. The F5 BIG-IP Controller for Cloud Foundry can create a total of two (2) BIG-IP virtual servers:
The virtual server contains pools and pool members for each application and application instance.
You can define policies, profiles, and health monitors on the BIG-IP device in advance and apply them to the virtual server created by cf-bigip-ctlr.
Parameter | Type | Required | Default | Description | Allowed Values
---|---|---|---|---|---
bigip | object | Required | n/a | A YAML blob defining BIG-IP parameters. |
url | string | Required | n/a | BIG-IP admin IP address |
user | string | Required | n/a | BIG-IP iControl REST username |
pass | string | Required | n/a | BIG-IP iControl REST password |
partition | array | Required | n/a | The BIG-IP partition in which to configure objects. |
balance | string | Optional | round-robin | Load balancing mode | Any BIG-IP supported mode
verify_interval | integer | Optional | 30 | Interval, in seconds, at which to verify the BIG-IP configuration |
external_addr | string | Required | n/a | Virtual address on the BIG-IP; this is the cloud ingress address |
ssl_profiles | array | Optional | n/a | List of pre-configured BIG-IP SSL profiles to attach to the HTTPS routing virtual server |
policies | array | Optional | n/a | Additional pre-configured BIG-IP policies to attach to the routing virtual servers |
profiles | array | Optional | n/a | Additional pre-configured BIG-IP profiles to attach to the routing virtual servers |
health_monitors | array | Optional | n/a | Health monitors attached to each configured routing pool |
status | object | Optional | n/a | Basic authorization credentials for the debug and health endpoints |
user | string | Optional | n/a | Status username |
pass | string | Optional | n/a | Status password |
nats | array | Required | n/a | NATS message bus servers |
host | string | Required | n/a | NATS host |
port | integer | Required | n/a | NATS port |
user | string | Required | n/a | NATS username |
pass | string | Required | n/a | NATS password |
logging | object | Optional | n/a | Logging configuration |
file | string | Optional | n/a | Log file name |
syslog | string | Optional | n/a | Syslog ID |
level | string | Optional | debug | Logging level |
loggregator_enabled | boolean | Optional | false | Whether the loggregator facility is enabled |
metron_address | string | Optional | localhost:3457 | Metron address |
oauth | object | Optional | n/a | UAA token server configuration |
token_endpoint | string | Optional | n/a | UAA token server |
client_name | string | Optional | n/a | UAA client name |
client_secret | string | Optional | n/a | UAA client secret |
port | string | Optional | n/a | UAA listen port |
skip_ssl_validation | boolean | Optional | false | Whether to skip SSL certificate verification when talking to UAA |
ca_certs | string | Optional | n/a | CA certificate bundle |
routing_api | object | Optional | n/a | Routing API configuration |
uri | string | Optional | n/a | Routing API endpoint |
port | integer | Optional | n/a | Routing API listen port |
auth_disabled | boolean | Optional | false | Whether Routing API authorization is disabled |
go_max_procs | integer | Optional | -1 | Go GOMAXPROCS limit |
prune_stale_droplets_interval | integer | Optional | 30 | Interval, in seconds, at which to check for and prune stale routes |
droplet_stale_threshold | integer | Optional | 120 | Age, in seconds, after which a route is considered stale |
suspend_prune_if_nats_unavailable | boolean | Optional | false | Whether pruning is suspended if NATS becomes unavailable |
start_response_delay_interval | integer | Optional | 5 | Time, in seconds, to wait for the routing message bus to reach steady state |
token_fetcher_max_retries | integer | Optional | 3 | Number of retries when fetching the auth token |
token_fetcher_retry_interval | integer | Optional | 5 | Time, in seconds, to wait between token fetch retries |
token_fetcher_expiration_buffer_time | integer | Optional | 30 | Time, in seconds, before expiry at which the auth token is re-fetched |
The F5 BIG-IP Controller for Cloud Foundry manages the BIG-IP virtual servers used for policy routing. It always creates an HTTP virtual server (virtual address port 80) for routing into Cloud Foundry. If one or more SSL profiles exist in the configuration (the ssl_profiles parameter), the controller creates an additional HTTPS virtual server (virtual address port 443).
You can attach multiple certificate/key pairs to the HTTPS virtual server using ssl_profiles. The BIG-IP device uses TLS Server Name Indication (SNI) to choose the correct certificate to present to the client; SNI allows the Cloud Foundry instance to support multiple hostnames (foo.mypcf.com and bar.mypcf.com). Some of these cert/key pairs can be wildcard certificates (*.mypcf.com).
Important
Do not confuse the ``profiles`` configuration parameter with the ``ssl_profiles`` parameter.
- The ``profiles`` configuration parameter attaches other pre-existing BIG-IP profiles to each of the managed routing virtual servers (for example, TCP acceleration or the ``X-Forwarded-For`` header).
- The ``ssl_profiles`` configuration parameter tells the Controller to create an HTTPS virtual server and attach the specified BIG-IP SSL profiles to it.
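As an added check that is not part of the cf-bigip-ctlr project, the following Python inspects a parsed controller configuration against the parameter table and the virtual-server rules above: which required parameters are missing, which virtual servers the controller will create, and which settings (an empty ``ssl_profiles`` list, ``skip_ssl_validation``, ``auth_disabled``, absent ``status`` credentials) deserve review before deployment. The nesting of parameters under the ``bigip``, ``oauth``, ``routing_api`` and ``status`` objects is assumed from the table's object rows; the hosts, addresses and credentials in the sample are constructed placeholders.

```python
# Added example, not part of cf-bigip-ctlr: inspect a parsed controller config
# (a dict, as PyYAML would produce) and report the virtual servers the
# controller would create plus settings worth a second look before deploying.
# Assumption: parameters listed under an "object" row of the table above
# (bigip, status, oauth, routing_api) are nested under that object.
# Constructed sample config; hosts, addresses and credentials are placeholders.
SAMPLE_CONFIG = {
    "bigip": {
        "url": "https://bigip.example.invalid",
        "user": "cf-ctlr",
        "pass": "PLACEHOLDER",
        "partition": ["cf"],
        "external_addr": "192.0.2.10",
        "ssl_profiles": ["Common/wildcard-mypcf-com", "Common/foo-mypcf-com"],
    },
    "nats": [{"host": "nats.example.invalid", "port": 4222, "user": "nats", "pass": "PLACEHOLDER"}],
    "oauth": {"token_endpoint": "uaa.example.invalid", "skip_ssl_validation": True},
}

REQUIRED = {"bigip": ["url", "user", "pass", "partition", "external_addr"],
            "nats": ["host", "port", "user", "pass"]}

def missing_required(cfg):
    """Dotted names of required parameters (per the table) absent from cfg."""
    bigip = cfg.get("bigip") or {}
    missing = [f"bigip.{k}" for k in REQUIRED["bigip"] if k not in bigip]
    for i, server in enumerate(cfg.get("nats") or [{}]):
        missing += [f"nats[{i}].{k}" for k in REQUIRED["nats"] if k not in server]
    return missing

def virtual_servers(cfg):
    """HTTP :80 is always created; HTTPS :443 only when ssl_profiles is non-empty."""
    bigip = cfg.get("bigip") or {}
    servers = [("http", bigip.get("external_addr"), 80)]
    if bigip.get("ssl_profiles"):
        servers.append(("https", bigip.get("external_addr"), 443))
    return servers

def review_findings(cfg):
    """Settings a reviewer would flag: plaintext-only ingress, disabled checks."""
    findings = []
    if not (cfg.get("bigip") or {}).get("ssl_profiles"):
        findings.append("bigip.ssl_profiles empty: only the plaintext HTTP virtual server is created")
    if (cfg.get("oauth") or {}).get("skip_ssl_validation", False):
        findings.append("oauth.skip_ssl_validation is true: UAA certificate is not verified")
    if (cfg.get("routing_api") or {}).get("auth_disabled", False):
        findings.append("routing_api.auth_disabled is true")
    status = cfg.get("status") or {}
    if not (status.get("user") and status.get("pass")):
        findings.append("status.user/pass not set: these credentials protect /health and /routes")
    return findings
```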
/health: The controller health endpoint. The controller returns 200 OK to indicate health; any other response is unhealthy.
/routes: The routes endpoint returns the entire routing table as JSON. Each route has an associated array of host:port entries.
Important
Both endpoints require basic authentication.