Install BIG-IP Next for Kubernetes

To install an instance of BIG-IP Next for Kubernetes, apply both an SPKInfrastructure and an SPKInstance CR. Utilizing SPKInfrastructure enables users to set up networking specifications, while SPKInstance CR installs BIG-IP Next for Kubernetes, allowing F5 Orchestrator to access the docker images and helm charts for F5 BIG-IP Next for Kubernetes through FAR. By default, both the SPKInfrastructure CR and SPKInstance CR are applied on default namespace. The Orchestrator will bring up the pods in default namespace and shared components in f5-utils namespace, as described below:

  • In the default namespace (the namespace in which the Infrastructure and Instance CRs are applied):
    • F5ingress
    • TMM
    • AFM
    • Open telemetry collector (Otel-collector)
  • In the f5-utils namespace:
    • F5TodaFluentd
    • CWC
    • RabbitMq
    • CRD conversion
    • CSRC
    • DSSM

If you want to have multiple instances of BIG-IP Next for Kubernetes, create a namespace and apply SPKInstance and SPKInfrastructure CRs in that namespace. The pods such as F5Ingress, TMM, AFM, and OTEL are created in the newly created namespace. Meanwhile the shared components such as RabbitMq, DSSM, and so on, are created in f5-utils namespace.

To install the F5 BIG-IP Next for Kubernetes successfully, complete the following steps:

SPKInfrastructure CR

For information on the SPKInfrastructure spec parameters featured in this example, or for a comprehensive list of available parameters, see SPKInfrastructure CR Parameters.

Prerequisites:

To apply SPKInfrastructure CR:

  1. Create a file named spkinfrastructure-resource.yaml with the following content:

    Note: Make sure to update the cidr values in egress section as per cluser configurations.

    apiVersion: charts.k8s.f5net.com/v1alpha1
kind: SPKInfrastructure
metadata:
  labels:
    app.kubernetes.io/name: spkinfrastructure
    app.kubernetes.io/instance: spkinfrastructure-sample
    app.kubernetes.io/part-of: orchestrator
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/created-by: orchestrator
  name: spk-19-infrastructure
spec:
networkAttachment:
  - name: default/sf-external
  - name: default/sf-internal
platformType: other
hugepages: true
sriovResources:
  nvidia.com/bf3_p0_sf: "1"
  nvidia.com/bf3_p1_sf: "1"
wholeClusterMode: "enabled"
calicoRouter: "default"
egress:
  json:
    ipPoolCidrInfo:
      cidrList:
      - name: vlan_cidr
        value: "15.15.0.0/16"
      - name: vlan_ipv6_cidr
        value: "fa00::10:10:3:0/112"
      - name: node_cidr_ipv4
        value: "10.144.39.0/24"
      - name: node_cidr_ipv6
        value: "2620:128:e008:4013::2:0/112"
      - name: test_cidr
        value: ""
      ipPoolList:
      - name: pod_cidr_ipv4
        value: "10.244.0.0/16"
      - name: pod_cidr_ipv6
        value: "fd00:10:244::/48"
      - name: test_pod_cidr
        value: ""

  2. Apply the spkinfrastructure-resource.yaml in default namespace or a namespace of your choice, but you should create a far-secret in the same namespace.

    kubectl apply -f spkinfrastructure-resource.yaml -n default

SPKInstance CR

For information on the SPKInstance spec parameters featured in this example, or for a comprehensive list of available parameters, see SPKInstance CR Parameters.

Prerequisites:

  • To enable Dynamic Routing, set the spec.tmm.dynamicRouting.enabled to true, See ZebOS ConfigMaps.
  • To enable TLS Store, set the spec.tmm.tlsStore.enabled to true, See Managing certs and keys section in F5SPKIngressHTTP2.
  • To configure persistence for CWC, set the spec.cwc.persistence.enabled to true and refer the storageClass name in the SPKInstance CR. To create storageClass, see Create a Storage Class.
  • If you choose to use your local registry, make sure to update the imageRepository parameter in spkinstance-resource.yaml and the repository parameter in orchestrator-values.yaml (see F5 Orchestrator) with your registry path.
  • Make sure to update the imagePullSecrets to download artifacts from the registry.
  • Make sure to update the spec.global.certmgr.issuerRef.name with actual clusterissuer name, see Configure Cert Manager.
  • Make sure to create CWC QKView ConfigMap, see Create CWC QKView ConfigMap.
  • Make sure to update the spec.cwc.cpclConfig.jwt with the actual JWT.
  • To configure persistence for fluentd, set the spec.fluentd.persistence.enabled to true and refer the storageClass name in the SPKInstance CR. To create storageClass, see Create a Storage Class.

Apply SPKInstance CR

  1. Create application namespaces, for example “app-ns”.

    Note: Make sure to update the parameter spec.controller.watchnamespace value to created application namespace.

    kubectl create namespace app-ns

  2. Create a file named spkinstance-resource.yaml with the following contents:

    apiVersion: charts.k8s.f5net.com/v1alpha1
kind: SPKInstance
metadata:
  name: spkinstance
spec:
  global:
    certmgr:
      issuerRef:
        name: arm-ca-cluster-issuer
        kind: ClusterIssuer
        group: cert-manager.io
    imageRepository: repo.f5.com/images
    imagePullSecrets:
    - name: far-secret
    logging:
      logLevel: "Info"
      fluentbitSidecar:
        enabled: true
        logLevel: info
        fluentd:
          host: 'f5-toda-fluentd.f5-utils.svc.cluster.local'
          port: "54321"
    debugging:
      csmQkview:
        enabled: true
      csmOrchestrator:
        enabled: true
      prometheus:
        enabled: true
  tmm:
    replicaCount: 1
    nodeAssign:
      nodeSelector:
        app: f5-tmm
      tolerations: []
      affinity: {}
    egress:
      useSnatpools: false
      dnsNat46Enabled: false
      dnsNat46UpstreamDnsIP: ""
      dnsNat46Ipv4Subnet: ""
      dnsNat46SorryIP: ""
      dnsCacheName: ""
    tlsStore:
      enabled: false
    service:
      create: true
      name: f5-tmm-service
      type: LoadBalancer
      externalTrafficPolicy: Local
      annotations: {}
      externalIPs: []
      customPorts: []
    sessiondb:
      useExternalStorage: "false"
    resources:
      limits:
        cpu: "1"
        hugepages-2Mi: "3Gi"
        memory: "2Gi"
    palCPUSet: "1"
    usePhysMem: true
    tmmMapresHugepages: 1024
    tmmMapresHalt: false
    tmmMTU: 1500
    xnetDPDKAllow:
    - auxiliary:mlx5_core.sf.4,dv_flow_en=2
    - auxiliary:mlx5_core.sf.5,dv_flow_en=2
    dynamicRouting:
      enabled: true
      exportZebosLogs: true
      configMapName: spk-bgp
    blobd:
      enabled: true
      resources:
        limits:
          cpu: "1"
          memory: "4Gi"
        requests:
          cpu: "1"
          memory: "4Gi"
    debug:
      enabled: true
      resources:
        limits:
          cpu: "500m"
          memory: "1Gi"
        requests:
          cpu: "500m"
          memory: "1Gi"
    tmrouted:
      resources:
        limits:
          cpu: "300m"
          memory: "512Mi"
        requests:
          cpu: "300m"
          memory: "512Mi"
    tmmRouting:
      resources:
        limits:
          cpu: "700m"
          memory: "1Gi"
        requests:
          cpu: "700m"
          memory: "1Gi"
  controller:
    watchNamespace: "app-ns"
    egress:
      snatpoolName: "egress_snatpool"
  fluentd:
    persistence:
      enabled: true
      accessMode:
      - ReadWriteOnce
      size: 3Gi
    component:
      cm_logs:
        enabled: true
        stdout: true
      crdconversion_logs:
        enabled: true
        stdout: true
      cwc_logs:
        enabled: true
        stdout: true
      dnsx_logs:
        enabled: true
        stdout: true
      downloader_logs:
        enabled: true
        stdout: true
      dssm_logs:
        enabled: true
        stdout: true
      dssm_sentinel_logs:
        enabled: true
        stdout: true
      f5_csm_qkview:
        enabled: true
      cert_manager:
        enabled: true
      f5_fqdn_resolver_logs:
        enabled: true
        stdout: true
      f5ingress_logs:
        enabled: true
        stdout: true
      spk_csrc_logs:
        enabled: true
        stdout: true
      rabbitmq_logs:
        enabled: true
        stdout: true
      pccd_logs:
        enabled: true
        stdout: true
  cwc:
    persistence:
      enabled: true
      accessMode:
      - "ReadWriteOnce"
      size: "3Gi"
    cpclConfig:
      operationMode: "disconnected"
      jwt: ""
  afm:
    enabled: true
    pccd:
      enabled: true
      blob:
        maxFwBlobSizeMb: "512"
        maxNatBlobSizeMb: "512"
  sidecar:
    resources:
      limits:
        cpu: 700m
        memory: 1Gi
      requests:
        cpu: 700m
        memory: 1Gi
  tmstats:
    tmstatsConfig:
      resources:
        limits:
          cpu: 700m
          memory: 1Gi
        requests:
          cpu: 700m
          memory: 1Gi
  spkManifest: spk-19-manifest
  spkInfrastructure: spk-infrastructure

    Note: If the spec.afm.enabled value is set to true then you must set the spec.afm.pccd.enabled value to true

  3. Apply the spkinstance-resource.yaml in default namespace or a namespace of your choosing, but you should create a far-secret in the same namespace.

    Note: If spec.cpclConfig.operationMode is set to disconnected, to activate the license, see License the cluster in Disconnected Mode section in BIG-IP Next for Kubernetes Licensing.

    kubectl apply -f spkinstance-resource.yaml -n default

  4. Verify the pvc.

    kubectl get pvc -n f5-utils

    Sample Response:

    NAME                      STATUS   VOLUME                       CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
cluster-wide-controller   Bound    cluster-wide-controller-pv   3Gi        RWO                           <unset>                 12m

Next Steps: