Install and configure the F5 License Proxy (FLP)

F5 License Proxy (FLP) enables you to efficiently license and manage the F5 BIG-IP Next for Kubernetes instances within a cluster. You must configure FLP only if you are planning to license the BIG-IP Next for Kubernetes cluster in FLP mode. Users have the option to license a new BIG-IP Next for Kubernetes cluster in FLP mode directly or switch an already licensed cluster to FLP mode effortlessly. Follow the instructions below to install and configure the F5 License Proxy (FLP):

Prerequisites

Ensure that you have:

  • Obtained the JWT for F5 BIG-IP Next for Kubernetes.

  • Access to myF5.

  • Capability to provision a virtual machine.

  • A hypervisor compatible with the FLP QCOW2 image.

  • Network reachability to the F5 TEEMS entitlement URL at https://product.apis.f5.com.

  • Virtual Machine minimum requirements:

    • CPU, 4

    • Memory, 8GB

    • Storage, >80GB (more than 80GB).

To install and configure the F5 License Proxy (FLP), follow the instructions below:

  1. Download the FLP OS image from myF5; see Artifacts via F5 Artifact Registry (FAR).

  2. Provision a virtual machine with the specified CPU, memory, and storage on a hypervisor that supports the FLP QCOW2 image.

  3. When you provision the VM, you must set up a password for the admin user through the cloud-init config, using a plain text password, an encrypted password, or SSH keys as shown below. Choose only one cloud-init config option.

    Important: Make sure to copy the entire cloud-init config, including the #cloud-config line, when you set up a password for the admin user.

    1. Cloud-init config plain text password.

      #cloud-config
      users:
        - name: admin
          lock_passwd: false
          shell: /bin/bash
      chpasswd:
        expire: false
        users:
          - name: admin
            # replace this example password with your own
            password: admin
            type: text
      
    2. Cloud-init config with encrypted password.

      • Before you configure cloud-init with an encrypted password, you must generate the encrypted password on your local host and use it as part of the cloud-init config.

      openssl passwd -6 admin
      $6$fG216xAgMBIkUQ8.rTco4sddfhBdL9sdfPcnd1uUte3zAwHFhbdJ0
      
      • Cloud-init config.

      #cloud-config
      users:
        - name: admin
          lock_passwd: false
          shell: /bin/bash
      chpasswd:
        expire: false
        users:
          - name: admin
            # replace this example hash with the one you generated
            password: $6$fG216xAgMBIkUQ8.rTco4sddfhBdL9sdfPcnd1uUte3zAwHFhbdJ0
      
    3. Cloud-init config with ssh keys.

      #cloud-config
      users:
        - name: admin
          lock_passwd: false
          shell: /bin/bash
          ssh_authorized_keys:
            - ssh-ed25519 AAAAC3NzaCsfjyYerNTE5AAAAUwebyAOBEXFJRmJReGvx1GI8IRu7
      
  4. Log in to the VM with the admin credentials and proceed with FLP configuration.

  5. Follow these steps to create secrets and set up a customer forward proxy:

    • Run sudo setup script. Follow the on-screen instructions to complete the configuration.

      • When prompted for admin password, input your admin password that you have configured using Cloud-init config.

    • When prompted for JWT, input your JWT and press ENTER.

    • When prompted to update the f5CertUrl, f5Entitlement, f5InitialConfig URL? (Y/N)[N]:

      • You must input N and press ENTER to continue.

    • When prompted to set up a proxy? (Y/N)[N]:, if you choose Y, you must provide the Proxy Host and Proxy Port. To learn more about forward proxies, see What Is a Forward Proxy?.

      • Enter Proxy Host: <proxy host>.

      • Enter Proxy Port: <port number>.

    • When prompted to enter Proxy Protocol, if you choose https, you must provide a Proxy ca bundle:

      • Paste the proxy cert, press Enter, then Ctrl+D.

        -----BEGIN CERTIFICATE-----
        DksfeHtRAnugAwsdgIUEwtqc5WIsdhWly+DbxcaJKoZIhvEL
        -----END CERTIFICATE-----
        
    • When prompted to Enable proxy authentication, if you choose Y, you must provide Proxy Username and Proxy Password.

      • Enter Proxy Username: XXXXXX.

      • Enter Proxy Password: XXXXXXX.

      This step will validate the Proxy Host, Port, Cert, Username, and Password. If any of the provided values are incorrect, the configuration will fail.

    • When prompted to Enter F5 Root Cert, input N and proceed.

    • When prompted to restore FLP root certificates? (Y/N)[N], input N and press ENTER if you are configuring FLP for the first time.

      Note: Copy and save the directory of the encrypted file so that you can restore the FLP root certificates when needed.

      Starting MTLS execution - creating root CA
      Starting MTLS execution - creating server cert
      Starting vault execution - creating server cert
      Environment preparation successful
      Create the secret for flp-jwt-secret flp-mtls-secret postgresql-mtls-secret vault-ssl-secret
      Secret creation successful
      
    • Create a backup of the FLP root certificates. If you chose to restore the FLP root certificates in the previous step, you will not be prompted for this information.

      Note: The user must retain the FLP root certificates backup and the password used for encrypting the backup. If you lose the password or the FLP root certificates backup, you must configure all the BIG-IP Next for Kubernetes clusters with a new FLP root certificate.

      • When prompted with Encryption password for FLP root certificates backup, provide the encryption password for the FLP root certificates backup.

      • When prompted with Reenter encryption password for FLP root certificates backup, re-enter the encryption password for the FLP root certificates backup.

        Passwords accepted.
        Creating backup bundle backup.20250314-045912.tgz...
        Encrypting backup bundle...
        Backup bundle created at /root/.flp_spk_backup/backup.20250314-045912.tgz.enc
        
    • When prompted to configure container log rotation, if you input Y, you will be prompted to configure log max file size, log max files, and log monitor interval. Follow the onscreen instructions:

      Note: The example values given below are only for reference. For the recommended values for different storage capacities, see Container log rotation storage recommendations.

      • Enter container log max file size (Ki/Mi/Gi): 100Ki

      • Enter container log max files: 3

      • Enter container log monitor interval (hms): 5s

      Note: Specify only positive values (> 0). For example, use 5s for seconds, 3m5s for minutes and seconds, and 1h2m5s for hours, minutes, and seconds.

      Updating container log rotation configurations
      Updated container log rotation configurations successfully
      Restarting K3S Server to apply new configurations
      K3S Server started with new log rotation configurations.
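
The cloud-init options in step 3 can be checked before the VM is provisioned. The following added example (not part of the F5 documentation or tooling) lints a user-data file for the #cloud-config first line, a plain text or example password, and use of exactly one credential option. The function name check_user_data and the sample files are constructed for illustration.

```sh
# Added example, not F5 code. check_user_data is a hypothetical helper name.
# Prints findings for a cloud-init user-data file; returns 0 when there are none.
check_user_data() {
    tr -d "\"'\r" < "$1" | awk '
        # Step 3: the file must start with the literal #cloud-config line.
        NR == 1 && $0 != "#cloud-config" { f = f " missing-header" }
        /^[ \t]*password:/ {
            v = $0
            sub(/^[ \t]*password:[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            # crypt(3)-style hashes such as openssl passwd -6 output start with $<id>$.
            if (v ~ /^\$[0-9a-z]+\$/) hashed = 1
            else { plain = 1; if (v == "admin") f = f " example-password" }
        }
        /^[ \t]*ssh_authorized_keys:/ { keys = 1 }
        END {
            if (plain) f = f " plaintext-password"
            # Step 3: choose only one of the three options.
            if (hashed + plain + keys != 1) f = f " expected-exactly-one-method"
            sub(/^ /, "", f); print f
            exit (f != "")
        }'
}

# Constructed samples: the plain text option as shown on the page, and a key-only file.
samples=$(mktemp -d)
cat > "$samples/plain.yaml" <<'EOF'
#cloud-config
users:
  - name: admin
    lock_passwd: false
chpasswd:
  users:
    - name: admin
      password: admin
      type: text
EOF
cat > "$samples/keys.yaml" <<'EOF'
#cloud-config
users:
  - name: admin
    ssh_authorized_keys:
      - ssh-ed25519 AAAA-constructed-placeholder admin@example
EOF
for name in plain keys; do
    findings=$(check_user_data "$samples/$name.yaml") || true
    printf '%s.yaml: %s\n' "$name" "${findings:-ok}"
done
```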
      

Container log rotation storage recommendations

The following are the recommended container log rotation storage values for different storage capacities:

  • For 3 GB:

    Parameter                    Recommended Value  Description
    containerLogMaxSize          10Mi               Maximum log size per container
    containerLogMaxFiles         3                  Retain up to 3 log files
    containerLogMonitorInterval  "0h0m5s"           Monitor log rotation every 5 seconds

  • For 5 GB:

    Parameter                    Recommended Value  Description
    containerLogMaxSize          20Mi               Maximum log size per container
    containerLogMaxFiles         6                  Retain up to 6 log files
    containerLogMonitorInterval  "0h0m10s"          Monitor log rotation every 10 seconds
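
To sanity-check values before entering them at the log rotation prompts, the following added example (not F5 code; function names are hypothetical) parses the Ki/Mi/Gi size and hms interval formats described above and computes the approximate ceiling on retained log bytes per container as max size times max files. It assumes an interval is valid when its total is greater than zero, since the recommended values use 0h0m5s.

```sh
# Added example, not F5 code; all function names are hypothetical.

# "100Ki" / "10Mi" / "1Gi" -> bytes. Rejects zero, signs, and other units.
size_to_bytes() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+(Ki|Mi|Gi)$/ {
            unit = substr($0, length($0) - 1)
            mult = (unit == "Ki") ? 1024 : (unit == "Mi") ? 1048576 : 1073741824
            if ($0 + 0 > 0) { printf "%.0f\n", ($0 + 0) * mult; ok = 1 }
        }
        END { exit !ok }'
}

# "5s" / "3m5s" / "1h2m5s" / "0h0m5s" -> seconds. The total must be > 0 (assumption).
interval_to_seconds() {
    printf '%s\n' "$1" | awk '
        /^([0-9]+h)?([0-9]+m)?([0-9]+s)?$/ {
            rest = $0; total = 0
            n = split("h m s", units, " ")
            mult["h"] = 3600; mult["m"] = 60; mult["s"] = 1
            for (i = 1; i <= n; i++)
                if (match(rest, "^[0-9]+" units[i])) {
                    total += substr(rest, 1, RLENGTH - 1) * mult[units[i]]
                    rest = substr(rest, RLENGTH + 1)
                }
            if (total > 0) { print total; ok = 1 }
        }
        END { exit !ok }'
}

# Approximate ceiling on retained log bytes per container: max size x max files.
log_ceiling_bytes() {
    size=$(size_to_bytes "$1") || return 1
    case $2 in ''|0*|*[!0-9]*) return 1 ;; esac
    echo $((size * $2))
}

# Values from the page: the prompt example and the 3 GB / 5 GB recommendations.
for row in "100Ki 3 5s" "10Mi 3 0h0m5s" "20Mi 6 0h0m10s"; do
    set -- $row
    printf '%s x %s files -> %s bytes per container, checked every %s s\n' \
        "$1" "$2" "$(log_ceiling_bytes "$1" "$2")" "$(interval_to_seconds "$3")"
done
```

Rotated files may be compressed, so actual disk usage can be lower than the ceiling.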

Create debug logs archive

The debug log archive serves as a valuable resource for the F5 support team, aiding in the efficient resolution of any issues reported by users.

To create a debug logs archive, follow the instructions below:

  1. Create a debug logs archive gzip file.

    kubectl -n default logs deployment/f5-license-proxy --all-containers=true &> f5-license-proxy.log; gzip f5-license-proxy.log
    
  2. Verify the created

    ls

  3. Submit the debug logs archive gzip file to the F5 support team through the Customer Support portal.