BIG-IP Next CIS Installation
F5 BIG-IP Next CIS can be configured in several ways, depending on your requirements. BIG-IP Next CIS can be deployed on Kubernetes and OpenShift platforms. The installation also depends on the Kubernetes cluster networking, i.e., Flannel/OVNKubernetes. One CIS can be configured to deploy applications on multiple BIG-IP Next instances through the BIG-IP Next Central Manager.
Prerequisites
The following are the mandatory requirements to deploy BIG-IP Next CIS:
- OpenShift/Kubernetes Cluster must be up and running.
- BIG-IP Next Central Manager and BIG-IP Next instances should be up and running.
- Use the latest TLS version and cipher suites in Kubernetes for kube-api.
- You need a BIG-IP Next Central Manager user with administrative access.
- If you need to pull the k8s-bigip-ctlr image from a private Docker registry, store your Docker login credentials as a secret.
Install the BIG-IP Next CIS Using Helm Charts
The simplest way to install CIS on an OpenShift/Kubernetes cluster is by using Helm. Helm is a package manager for Kubernetes, similar to yum or apt for other operating systems. Helm deploys charts, which are packaged applications that include all the versioned and pre-configured application resources that can be deployed as a single unit. This chart creates a Deployment for one Pod containing the k8s-bigip-ctlr, along with its supporting RBAC, Service Account, and Custom Resource Definition (CRD) installations.
Prerequisites
- Refer to the prerequisites to install Container Ingress Services on Kubernetes or OpenShift.
- Helm 3 should be installed.
Installing Helm Chart
(Optional) Add BIG-IP Next Central Manager credentials as Kubernetes secrets.
- For Kubernetes, use the following command:
kubectl create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=<cm-username> --from-literal=password=<cm-password>
- For OpenShift, use the following command:
oc create secret generic f5-bigip-ctlr-login -n kube-system --from-literal=username=<cm-username> --from-literal=password=<cm-password>
Add the BIG-IP Next CIS chart repository in Helm using the following command:
helm repo add f5-stable https://f5networks.github.io/k8s-bigip-ctlr/helm-charts/stable
Create values.yaml as shown in the examples. See Chart parameters for the supported values.
If you created the BIG-IP Next Central Manager credential secret manually, install the Helm chart using the following command:
helm install -f values.yaml <new-chart-name> f5-stable/f5-bigip-ctlr
If you created the BIG-IP Next Central Manager credential secret manually and want to install the Helm chart without installing the custom resource definitions, add --skip-crds:
helm install --skip-crds -f values.yaml <new-chart-name> f5-stable/f5-bigip-ctlr
If you want the Helm chart to create the BIG-IP Next Central Manager credential secret, use the following command:
helm install --set cm_secret.create="true" --set cm_secret.username=$CM_USERNAME --set cm_secret.password=$CM_PASSWORD -f values.yaml <new-chart-name> f5-stable/f5-bigip-ctlr
Uninstalling the Helm Chart
Run the following command to uninstall the chart.
helm uninstall <new-chart-name>
Chart parameters
Parameter | Required | Description | Default |
---|---|---|---|
cm_login_secret | Optional | | f5-bigip-ctlr-login |
args.cm_url | Required | The management IP for your BIG-IP Next Central Manager device | Required, no default |
args.<parameter> | Optional | | empty |
cm_secret.create | Optional | Create Kubernetes secret using username and password | false |
cm_secret.username | Optional | | empty |
cm_secret.password | Optional | | empty |
rbac.create | Optional | Create ClusterRole and ClusterRoleBinding | true |
serviceAccount.name | Optional | The name of the ServiceAccount for CIS controller | f5-bigip-ctlr-serviceaccount |
serviceAccount.create | Optional | Create service account for the CIS controller | true |
namespace | Optional | | kube-system |
image.user | Optional | CIS Controller image repository username | f5networks |
image.repo | Optional | CIS Controller image repository name | k8s-bigip-ctlr |
image.pullPolicy | Optional | CIS Controller image pull policy | Always |
image.pullSecrets | Optional | List of secrets of container registry to pull image | empty |
version | Optional | CIS Controller image tag | latest |
nodeSelector | Optional | Dictionary of Node selector labels | empty |
tolerations | Optional | Array of labels | empty |
limits_cpu | Optional | CPU limits for the pod | 100m |
limits_memory | Optional | Memory limits for the pod | 512Mi |
requests_cpu | Optional | CPU request for the pod | 100m |
requests_memory | Optional | Memory request for the pod | 512Mi |
affinity | Optional | Dictionary of affinity | empty |
securityContext | Optional | Dictionary of deployment securityContext | empty |
podSecurityContext | Optional | Dictionary of pod securityContext | empty |
deployConfig.baseConfig.controllerIdentifier | Optional | | empty |
deployConfig.baseConfig.nodeLabel | Optional | | empty |
deployConfig.baseConfig.namespaceLabel | Optional | | empty |
deployConfig.networkConfig.orchestrationCNI | Required | Orchestration CNI for the Kubernetes/OpenShift cluster | empty |
deployConfig.networkConfig.metaData.poolMemberType | Optional | | nodeport |
deployConfig.networkConfig.metaData.networkCIDR | Optional | | empty |
deployConfig.networkConfig.metaData.staticRoutingMode | Optional | | false |
deployConfig.as3Config.debugAS3 | Optional | | false |
deployConfig.as3Config.postDelayAS3 | Optional | | 0 |
deployConfig.bigIpConfig[*].bigIpAddress | Required | BIG-IP to deploy the application | empty |
deployConfig.bigIpConfig[*].bigIpLabel | Required | | empty |
deployConfig.bigIpConfig[*].defaultPartition | Optional | BIG-IP tenant | 0 |
Note
cm_login_secret and cm_secret are mutually exclusive. If both are defined in the values.yaml file, cm_secret is given priority. See CIS Configuration Options for a full list of args supported for BIG-IP Next CIS.
Note
Helm value names cannot include the character ‘-’, which is commonly used in the names of parameters passed to the controller. To accommodate Helm, parameter names in values.yaml use ‘_’, which is replaced with ‘-’ when the chart is rendered. For example, args.cm_url is rendered as cm-url, as required by the CIS Controller.
If you have a specific use case for F5 products in the Kubernetes environment that would benefit from a curated chart, please open an issue describing your use case and providing example resources.
Install the BIG-IP Next CIS Manually
Download and install the RBAC for the CIS Controller.
kubectl create -f clusterrole.yaml
Download and Install the Custom Resource Definitions (CRDs) for CIS Controller.
export CIS_VERSION=<cis-version>   # for example, export CIS_VERSION=v3.0.0
wget https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/${CIS_VERSION}/docs/cis-3.x/config_examples/customResourceDefinitions/stable/customresourcedefinitions.yml
kubectl create -f customresourcedefinitions.yml
Download the deploy config CR.
wget https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/cis-3.x/deploy-config/cis-deploy-config-cr.yaml
Update with the required parameters and create the deploy config CR. See DeployConfigCR-param.
Note
You may configure the CNI during the BIG-IP Next CIS installation; see the cni-configuration section. Any change to the CNI configuration after the installation requires a CIS restart.
kubectl create -f cis-deploy-config-cr.yaml
Create the Kubernetes secret for the BIG-IP Next Central Manager credentials. Here, the username file should contain the BIG-IP Next Central Manager user with admin privileges, the password file should contain the password for that user, and the url file should contain the hostname or IP address of the BIG-IP Next Central Manager.
mkdir "creds"
echo -n "admin" > creds/username
echo -n "admin" > creds/password
echo -n "10.10.10.10" > creds/url
kubectl create secret generic f5-bigip-ctlr-login -n kube-system --from-file=creds/
Download the sample BIG-IP Next CIS deployment file.
wget https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/cis-3.x/install/k8s/sample-k8s-bigip-ctlr.yaml
Update the sample deployment file with required image and parameters and install the CIS Controller.
kubectl create -f sample-k8s-bigip-ctlr.yaml
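The f5-bigip-ctlr-login secret used in both the Helm and the manual procedure can be created without putting the password on a command line or leaving a creds/ directory on disk. The following is an added example, not part of the F5 documentation; stage_creds, create_login_secret and the KUBECTL variable are hypothetical names, and the URL argument is left out for the Helm path, where the page's secret holds only username and password.

```shell
#!/bin/sh
# Added example, not from the F5 documentation. stage_creds and
# create_login_secret are hypothetical helper names; the secret name,
# namespace and key names (username, password, url) are the ones on this page.

# stage_creds USER [URL]: read the password from stdin (not argv, so it stays
# out of shell history and the process list) and write one file per secret key
# into a private temporary directory. Prints the directory path.
stage_creds() {
    (
        umask 077                         # files are created 0600
        if [ -t 0 ]; then stty -echo; fi  # no echo when typed at a terminal
        IFS= read -r pass || true         # accept input without a final newline
        if [ -t 0 ]; then stty echo; fi
        [ -n "$pass" ] || { echo "empty password" >&2; exit 1; }
        dir=$(mktemp -d) || exit 1        # mktemp -d creates the directory 0700
        printf '%s' "$1"    > "$dir/username"
        printf '%s' "$pass" > "$dir/password"
        # The manual install stores the Central Manager address in the secret;
        # the Helm install passes it as args.cm_url, so URL is optional here.
        [ -z "${2:-}" ] || printf '%s' "$2" > "$dir/url"
        printf '%s\n' "$dir"
    )
}

# create_login_secret USER [URL]: create the secret from the staged files and
# remove them afterwards whether or not the create succeeded.
# Set KUBECTL=oc on OpenShift.
create_login_secret() {
    dir=$(stage_creds "$1" "${2:-}") || return 1
    rc=0
    ${KUBECTL:-kubectl} create secret generic f5-bigip-ctlr-login \
        -n kube-system --from-file="$dir/" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Run as: sh cm-secret.sh --create <cm-username> [<cm-url>]
if [ "${1:-}" = "--create" ]; then
    create_login_secret "$2" "${3:-}"
fi
```

The password is read from standard input, so it can be typed at the prompt or piped from a secrets manager.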
Uninstall the BIG-IP Next CIS Manually
To uninstall BIG-IP Next CIS, run the following commands:
kubectl delete -f sample-k8s-bigip-ctlr.yaml
kubectl delete secret f5-bigip-ctlr-login -n kube-system
kubectl delete -f customresourcedefinitions.yml
kubectl delete -f clusterrole.yaml
Examples
Note
To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.