BIG-IP Next CIS Installation

F5 BIG-IP Next CIS configuration is achieved in multiple ways depending on your requirements. BIG-IP Next CIS can be deployed on Kubernetes and OpenShift platform. BIG-IP Next CIS installation also depends on Kubernetes cluster networking i.e., Flannel/OVNKubernetes. One CIS can be configured to deploy the applications on multiple BIG-IP Next instances through the BIG-IP Next Central Manager.

Prerequisites

The below are the mandatory requirements to deploy BIG-IP Next CIS:

  • OpenShift/Kubernetes Cluster must be up and running.
  • BIG-IP Next Central Manager and BIG-IP Next instances should be up and running.
  • Use the latest TLS version and cipher suites in Kubernetes for kube-api.
  • You need a BIG-IP Next Central Manager user with administrative access.
  • If you need to pull the k8s-bigip-ctlr image from a private Docker registry, store your Docker login credentials as a secret.

Install the BIG-IP Next CIS Using Helm Charts

The simplest way to install the CIS on an OpenShift/Kubernetes cluster is by using Helm. Helm is a package manager for Kubernetes, similar to yum or apt for other operating systems. Helm deploys charts, which are packaged applications that include all the versioned and pre-configured application resources that can be deployed as a single unit. This chart creates a Deployment for one Pod containing the k8s-bigip-ctlr, it’s supporting RBAC, Service Account, and Custom Resources Definition (CRD) installations.

Prerequisites

  • Refer to prerequisites to install Container Ingress Services on Kubernetes or Openshift.
  • Helm 3 should be installed.

Installing Helm Chart

  1. (Optional) Add BIG-IP Next Central Manager credentials as Kubernetes secrets.

    • For Kubernetes, use the following command:
    kubectl create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=<cm-username> --from-literal=password=<cm-password>
    
    • For OpenShift, use the following command:
    oc create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=<cm-username> --from-literal=password=<cm-password>
    
  2. Add the BIG-IP Next CIS chart repository in Helm using the following command:

    helm repo add f5-stable https://f5networks.github.io/k8s-bigip-ctlr/helm-charts/stable
    
  3. Create values.yaml as shown in examples. See chart-param.

  4. Install the Helm chart if BIG-IP Next Central Manager credential secrets created manually, use the following command:

    helm install -f values.yaml <new-chart-name> f5-stable/f5-bigip-ctlr
    
  5. Install the Helm chart with skip crds if BIG-IP Next Central Manager credential secrets created manually (without custom resource definitions installations).

    helm install --skip-crds -f values.yaml <new-chart-name> f5-stable/f5-bigip-ctlr
    
  6. If you want to create the BIG-IP Next Central Manager credential secret with helm charts, use the following command:

    helm install --set cm_secret.create="true" --set cm_secret.username=$CM_USERNAME --set cm_secret.password=$CM_PASSWORD -f values.yaml <new-chart-name> f5-stable/f5-bigip-ctlr
    

Uninstalling the Helm Chart

Run the following command to uninstall the chart.

helm uninstall <new-chart-name>

Chart parameters

Parameter Required Description Default
cm_login_secret Optional
Secret that contains BIG-IP Next Central Manager login
credentials
f5-bigip-ctlr-login
args.cm_url Required The management IP for your BIG-IP Next Central Manager device Required, no default
args.<parameter> Optional
See CIS Deployment Parameters for more args.
NOTE: Helm value names cannot include the character ‘-’ which is commonly used in the names of parameters passed to the controller. To accommodate Helm, the parameter names in values.yaml use ‘_’ and then replace them with ‘-’ when rendering. e.g. args.cm_url is rendered as cm-url as required by the CIS Controller.
empty
cm_secret.create Optional Create kubernetes secret using username and password false
cm_secret.username Optional
The BIG-IP Next Central Manager username to create the
kubernetes secret
empty
cm_secret.password Optional
The BIG-IP Next Central Manager password to create the
kubernetes secret
empty
rbac.create Optional Create ClusterRole and ClusterRoleBinding true
serviceAccount.name Optional The name of the ServiceAccount for CIS controller f5-bigip-ctlr-serviceaccount
serviceAccount.create Optional Create service account for the CIS controller true
namespace Optional
The name of namespace CIS will use to create deployment and
other resources
kube-system
image.user Optional CIS Controller image repository username f5networks
image.repo Optional CIS Controller image repository name k8s-bigip-ctlr
image.pullPolicy Optional CIS Controller image pull policy Always
image.pullSecrets Optional List of secrets of container registry to pull image empty
version Optional CIS Controller image tag latest
nodeSelector Optional Dictionary of Node selector labels empty
tolerations Optional Array of labels empty
limits_cpu Optional CPU limits for the pod 100m
limits_memory Optional Memory limits for the pod 512Mi
requests_cpu Optional CPU request for the pod 100m
requests_memory Optional Memory request for the pod 512Mi
affinity Optional Dictionary of affinity empty
securityContext Optional Dictionary of deployment securityContext empty
podSecurityContext Optional Dictionary of pod securityContext empty
deployConfig.baseConfig.controllerIdentifier Optional
controllerIdentifier is used to identify the unique CIS
cluster/instance
empty
deployConfig.baseConfig.nodeLabel Optional
nodeLabel is used to define the nodes which can be monitored by
CIS
empty
deployConfig.baseConfig.namespaceLabel Optional
namespaceLabel is used to define the namespces which can be
monitored by CIS
empty
deployConfig.networkConfig.orchestrationCNI Required Orchestration CNI for the kuberentes/openshift cluster empty
deployConfig.networkConfig.metaData.poolMemberType Optional
poolMemberType is optional parameter, and it is used to specify
the pool member type in CIS default value is nodeport
nodeport
deployConfig.networkConfig.metaData.networkCIDR Optional
Network CIDR is optional parameter and required if your nodes
are using multiple network interfaces
empty
deployConfig.networkConfig.metaData.staticRoutingMode Optional
staticRoutingMode creates the static routes for pod network on
the BIG-IP Next
false
deployConfig.as3Config.debugAS3 Optional
debugAS3 is a optional parameter, and it is used to enable the
debug logs for AS3
false
deployConfig.as3Config.postDelayAS3 Optional
post delay is a optional parameter, and it is used if AS3 is
taking more time to apply the configuration
0
deployConfig.bigIpConfig[*].bigIpAddress Required BIG-IP to deploy the application empty
deployConfig.bigIpConfig[*].bigIpLabel Required
bigIpLabel is used to map the ingress resource to the BIG-IP
Next, you can specify the BIG-IP Next label in TS/IngressLink CR
empty
deployConfig.bigIpConfig[*].defaultPartition Optional BIG-IP tenant 0

Note

cm_login_secret and cm_secret are mutually exclusive, if both are defined in values.yaml file cm_secret will be given priority. See CIS Configuration Options for a full list of args supported for BIG-IP Next CIS.

Note

Helm value names cannot include the character ‘-’ which is commonly used in the names of parameters passed to the controller. To accommodate Helm, the parameter names in values.yaml use ‘_’ and then replace them with ‘-’ when rendering. e.g. args.cm_url is rendered as cm-url as required by the CIS Controller.

If you have a specific use case for F5 products in the Kubernetes environment that would benefit from a curated chart, please open an issue describing your use case and providing example resources.

Install the BIG-IP Next CIS Manually

  1. Download the RBAC and Install the RBAC for CIS Controller

    kubectl create -f clusterrole.yaml
    
  2. Download and Install the Custom Resource Definitions (CRDs) for CIS Controller.

    export CIS_VERSION=<cis-version>
    
    # For example
    
    # export CIS_VERSION=v3.0.0
    
    kubectl create -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/${CIS_VERSION} /docs/cis-3.x/config_examples/customResourceDefinitions/stable/customresourcedefinitions.yml
    
    kubectl create -f customresourcedefinitions.yml
    
  3. Download the deploy config CR.

    wget https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/cis-3.x/deploy-config/cis-deploy-config-cr.yaml
    
  4. Update with the required parameters and create the deploy config CR. See DeployConfigCR-param.

    Note

    You may configure CNI during the BIG-IP Next CIS installation, see the cni-configuration section. Any changes to the CNI configuration after the installation requires CIS restart.

    kubectl create -f cis-deploy-config-cr.yaml
    

5. Create the Kubernetes secret for BIG-IP Next Central Manager credentials. Here, username file should contains the BIG-IP Next Central Manager user with admin privileges, password file should contain the password for BIG-IP Next Central Manager user and url file should contain the hostname or IP Address of BIG-IP Next Central Manager.

mkdir "creds"

echo -n "admin" > creds/username

echo -n "admin" > creds/password

echo -n "10.10.10.10" > creds/url

kubectl create secret generic f5-bigip-ctlr-login -n kube-system --from-file=creds/
  1. Download the sample BIG-IP Next CIS deployment file.

    wget https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/cis-3.x/install/k8s/sample-k8s-bigip-ctlr.yaml
    
  2. Update the sample deployment file with required image and parameters and install the CIS Controller.

    kubectl create -f sample-k8s-bigip-ctlr.yaml
    

Uninstall the BIG-IP Next CIS Manually

To uninstall BIG-IP Next CIS, run the following commands:

kubectl delete -f sample-k8s-bigip-ctlr.yaml

kubectl delete secret f5-bigip-ctlr-login -n kube-system

kubectl delete -f customresourcedefinitions.yml

kubectl delete -f clusterrole.yaml

Examples

See Examples.


Note

To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.