Set-up BIG-IP Next for Kubernetes License

The BIG-IP Next for Kubernetes software requires a valid license to process the application traffic using BIG-IP Next for Kubernetes CRs. Once the BIG-IP Next for Kubernetes CWC obtains a valid license, it begins collecting and reporting monthly usage summary of the BIG-IP Next for Kubernetes CRDs and telemetry statistics for the cluster. BIG-IP Next for Kubernetes uses F5’s flexible consumption software licensing model, billing only for the BIG-IP Next for Kubernetes features used.

Note: BIG-IP Next for Kubernetes Licensing applies to the cluster level, and is performed after installing BIG-IP Next for Kubernetes.

Licensing Modes

As described in the SPK CWC guide, the Common Product Component and Libraries (CPCL) module supports two licensing modes:

• Connected - When the CWC has access to the internet, it can automatically perform each of the licensing tasks. For more information, see License the cluster in Connected Mode.

• F5 License Proxy (FLP) - F5 License Proxy (FLP) enables you to efficiently license and manage the F5 BNK instances within a cluster. When a cluster is licensed in FLP mode, it will send licensing data to FLP. FLP will then share it with F5 Licensing Services (TEEMS) automatically. Users have the option to license a new BNK cluster in FLP mode directly or switch an already licensed cluster to FLP mode effortlessly. For more information, see * Install and configure F5 License Proxy (FLP).

This document guides you through the process of activating and managing the BIG-IP Next for Kubernetes software license:

• Activate BIG-IP Next for Kubernetes License

• Switching License

• Renew Your License

• Telemetry reports

• Licensing APIs

Switching License

Notes:

• Switching license is allowed from eval to paid and from paid to paid, but not from eval to eval.

• Switching license is not allowed when current telemetry report is in any of the below states. User is expected to submit these reports prior to switching the license.

  • Config report ready to download.

  • Config report downloaded.

Use the following steps to switch license to a new license:

1. Verify the current license status and Telemetry state.

   • The license status should be Verification Complete.

   • Telemetry state should be Telemetry in Progress.

   curl --key cwc_api/client_key.pem --cert cwc_api/client_certificate.pem \
   --cacert cwc_api/ca_certificate.pem https://f5-spk-cwc.f5-utils:30881/status
   

2. Switch license by calling /reactivate API.

   Example:

   curl --k --cert-type PEM -cert client_certificate.pem --key client_key.pem --cacert ca_certificate.pem \
   https://f5-spk-cwc.f5-utils:30881/reactivate -d <JWT object>
   

3. Download Update report. This update report is the aggregated telemetry report from the start of month till the switch license is triggered.

   Example:

   curl --cert client_certificate.pem --key client_key.pem --cacert ca_certificate.pem \
   https://f5-spk-cwc.f5-utils:30881/report
   

4. Send Update Report to Telemetry server.

   Example:

   curl -X POST https://product.apis.f5.com/ee/v1/entitlements/telemetry \
   -H "Content-Type: application/json" -H "F5-DigitalAssetId: <DigitalAssetID>" \
   -H "User-Agent: SPK" -H "Authorization: Bearer <JWT Object>" -d '<Full_Report>'
   

   Important: The returned manifest is quite large, the command below captures the output to a file named manifest.txt.

   Example:

   curl -X POST https://product.apis.f5.com/ee/v1/entitlements/telemetry \
   -H "Content-Type: application/json" \
   -H "F5-DigitalAssetId: b9270cae-5980-4c0e-bb44-f1948ff4b235" \
   -H "User-Agent: SPK" \
   -H "Authorization: Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6" \
   -d '{"report": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXlsb2FkIjp7ImRv"}' \
   -o 'manifest.txt'
   

5. View the contents of the returned manifest.txt file:

   cat manifest.txt
   

   The command output should resemble this truncated example:

   {"manifest":"eyJhbGciOiJSUzUxMiIsImtpZCI6InYxIiwiamt1"}
   

6. Send only the Manifest string after the : character. Do not include the { and } or " characters:

   curl --key cwc_api/client_key.pem --cert cwc_api/client_certificate.pem \
   --cacert cwc_api/ca_certificate.pem https://f5-spk-cwc.f5-utils:30881/receipt \
   -d eyJhbGciOiJSUzUxMiIsImtpZCI6InYxIiwiamt1
   

7. Verify the cluster license status:

   curl --key cwc_api/client_key.pem --cert cwc_api/client_certificate.pem \
   --cacert cwc_api/ca_certificate.pem https://f5-spk-cwc.f5-utils:30881/status  | jq
   

   The command output indicates the EntitlementType is paid and the LicenseExpiryDate is 2024-03-05. The LicenseExpiryInDays shows expiration occurs in 362 days.

   {
   "Status": {
      "ClusterDetails": {
         "Name": "My Cluster"
      },
      "LicenseDetails": {
         "DigitalAssetID": "5c367e83-b6cf-4a28-9899-8a3a98b65460",
         "EntitlementType": "eval",
         "LicenseExpiryDate": "2025-02-21T20:01:18Z",
         "LicenseExpiryInDays": "0"
      },
      "LicenseStatus": {
         "State": "Verification Complete"
      }
   },
   "TelemetryStatus": {
      "NextReport": {
         "StartDate": "2025-02-22 19:55:43 +0000 UTC",
         "EndDate": "2025-02-28 19:55:43 +0000 UTC",
         "State": "Telemetry In Progress"
      }
   }
   }
   

Renew Your License

The cluster license must be renewed after the LicenseExpiryDate has passed. It is important to note that the BIG-IP Next for Kubernetes continues to process application traffic seamlessly after this period, but will begin logging messages indicating the need to renew the license and relicense the BIG-IP Next for Kubernetes cluster.

When a user renews their subscription, the F5 Licensing Server updates the entitlement expiry date. Post expiry, CPCL directly interacts with the F5 Licensing Server and updates the product with renewed license details.

Licensing APIs

The CWC licensing APIs listed below are used to perform licensing tasks such as checking license status, sending license report or generating license report programmatically, or with API platforms. See Collect REST API Info section to obtain the CWC’s SSL/TLS certificates and hostname.

Important: The URL to contact the CWC Pod includes the namespace. In the examples below, the CWC is in the f5-utils namespace.

License status

Returns the current CWC licensing status. This API should be used both for licensing the cluster and checking the telemetry report status. The LicenseStatus should indicate Config Report Ready to Download prior to downloading a license report.

https://f5-spk-cwc.f5-utils:30881/status

Example:

curl --cert client_certificate.pem --key client_key.pem --cacert ca_certificate.pem \
https://f5-spk-cwc.f5-utils:30881/status

License report

Downloads the CWC license report for the cluster. The license report will be sent to the F5 licensing server for acknowledgement.

https://f5-spk-cwc.f5-utils:30881/report

Example:

curl --cert client_certificate.pem --key client_key.pem --cacert ca_certificate.pem \
https://f5-spk-cwc.f5-utils:30881/report

Send report

Sends the license report to Telemetry server for acknowledgement. Send the full report, including the {} curly brackets.

Note: The DigitalAssetID is obtained from the License status, and the JWT from your MyF5 account.

https://product.apis.f5.com/ee/v1/entitlements/telemetry

Example:

curl -X POST https://product.apis.f5.com/ee/v1/entitlements/telemetry \
-H "Content-Type: application/json" -H "F5-DigitalAssetId: <DigitalAssetID>" \
-H "User-Agent: SPK" -H "Authorization: Bearer <JWT Object>" -d '<Full_Report>'

Send manifest

Sends the acknowledged manifest to CWC. Send only the manifest data without curly brackets {}, or “ quotations.

https://f5-spk-cwc.f5-utils:30881/receipt 

Example:

curl --cert client_certificate.pem --key client_key.pem --cacert ca_certificate.pem \
https://f5-spk-cwc.f5-utils:30881/receipt -d eyJhbGciOiJSUzUxMiIs

Reactivate/Switch License

Sends the JWT object to CWC. Send only the JWT data without curly brackets {}, or “ quotations.

Can either switch a license from evaluation to paid license using the new JWT, or resubmit a JWT that was not properly submitted causing a CWC failure.

https://f5-spk-cwc.f5-utils:30881/reactivate

Example:

curl --k --cert-type PEM -cert client_certificate.pem --key client_key.pem --cacert ca_certificate.pem \
https://f5-spk-cwc.f5-utils:30881/reactivate -d <JWT object>

Telemetry reports

Once the cluster is successfully licensed, the CWC enters a Telemetry In Progress state, calculating the software CRD usage summary telemetry statistics for the cluster. At the end of each month, the CWC generates a telemetry report which should be downloaded, sent to the F5 licensing server for acknowledgement, and the signed acknowledgement should then be sent back to the CWC. If a telemetry report is not signed by the F5 licensing server at the end of the month, it will be consolidated with the next telemetry report, and a consolidated report will then be available to download and sign.

Example of the Telemetry In Progress and report EndDate:

"TelemetryStatus": {
    "NextReport": {
        "StartDate": "2024-01-06 13:59:35.306014074 +0000 UTC m=+1346.343452122",
        "EndDate": "2024-01-31 13:59:35",
        "State": "Telemetry In Progress"
    }
}