F5 IngressLink
The F5 IngressLink solution addresses modern app delivery at scale. IngressLink is a resource definition between BIG-IP Next and NGINX using F5 Container Ingress Service and NGINX Ingress Service.
The F5 IngressLink is the true integration between BIG-IP Next and NGINX technologies. F5 IngressLink was built to support customers with modern, container application workloads that use both BIG-IP Next Container Ingress Services and NGINX Ingress Controller for Kubernetes. It is an elegant control plane solution that offers a unified method of working with both technologies from a single interface—offering the best of BIG-IP Next and NGINX and fostering better collaboration across NetOps and DevOps teams. The diagram below demonstrates this use case.
This architecture diagram demonstrates the IngressLink solution:
IngressLink Compatibility Matrix
CIS | BIG-IP | NGINX+ IC |
---|---|---|
V3.0 | V20.3 | v1.10+ |
IngressLink does not have any restrictions for customizing the namespace or service endpoint. However, F5 recommends using the default nginx-ingress.
IngressLink Configuration
Prerequisites
- BIG-IP Next CIS, BIG-IP Next Central Manager and BIG-IP Next are up and running.
- Make sure that you deploy BIG-IP Next CIS in CRD mode (use --manage-custom-resources=true in your BIG-IP Next CIS Configuration).
- NGINX Ingress Controller is up and running.
- See the documentation for Installation with Manifests or Installation with Helm for more information.
- Refer to Integration with F5 BIG-IP Container Ingress Services.
To Configure the IngressLink
Create the Proxy iRule on BIG-IP Next Central Manager:
Log in to the BIG-IP Next Central Manager GUI.
On the Main tab, select Applications > iRules.
Select Create.
In the Name field, type a name. For example, “Proxy_Protocol_iRule”.
Enter a brief description, copy in the following code, and then select Save.
when SERVER_CONNECTED {
    TCP::respond "PROXY TCP[IP::version] [IP::client_addr] [clientside {IP::local_addr}] [TCP::client_port] [clientside {TCP::local_port}]\r\n"
}
Download the sample IngressLink Resource.
curl -L https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/cis-3.x/config_examples/customResource/IngressLink/ingressLink-with-iRule-reference-from-cm/ingresslink-with-iRule-reference-from-cm.yaml -o ingresslink.yaml
Update the virtualServerAddress parameter in the ingresslink.yaml resource. This IP address will be used to configure the BIG-IP Next device. It will be used to accept traffic and load balance it among the NGINX Ingress Controller pods.
kubectl apply -f ingresslink.yaml
Monitoring NGINX+ Ingress Controller Readiness (Optional).
You can configure the NGINX+ Ingress Controller Readiness in the nginx-ingress-ingresslink service by exposing port 8081, which is used by BIG-IP Next to monitor NGINX+ Ingress Controller’s readiness.
Note
- The name of the IngressLink resource should be the same as the name defined during NGINX Ingress Controller installation.
- The selector in the IngressLink resource is the same as the Service labels configured in the nginx-ingress-ingresslink service during NGINX Ingress Controller installation.
- The service which exposes the NGINX Ingress Controller should be of type NodePort.
- The IngressLink must belong to the same namespace as the Ingress Controller pod: nginx-ingress, or the namespace used for installing the Helm chart.
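What the Proxy_Protocol_iRule puts on the wire, as an added example (not F5's or NGINX's code): Python that renders the PROXY protocol v1 line the iRule sends and parses it strictly, the way a receiver behind BIG-IP Next has to. The function names and the sample client address 203.0.113.7 are assumptions made for illustration.

```python
import ipaddress

MAX_V1_LEN = 107  # longest valid PROXY v1 line, CRLF included


def build_header(client_addr, vip_addr, client_port, vip_port):
    """Render the line the iRule sends: client side source, VIP destination."""
    version = ipaddress.ip_address(client_addr).version  # mirrors [IP::version]
    line = f"PROXY TCP{version} {client_addr} {vip_addr} {client_port} {vip_port}\r\n"
    return line.encode("ascii")


def parse_header(stream):
    """Parse a v1 header at the start of a TCP stream.

    Returns (src_ip, dst_ip, src_port, dst_port, bytes_consumed) and raises
    ValueError on anything malformed. UNKNOWN is rejected on purpose because
    the iRule only ever emits TCP4 or TCP6.
    """
    end = stream.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ValueError("no CRLF within the first 107 bytes")
    fields = stream[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("not a PROXY v1 TCP4/TCP6 line")
    family = int(fields[1][-1])
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match the protocol field")
    ports = []
    for text in fields[4:]:
        if not text.isdigit() or (len(text) > 1 and text[0] == "0") or int(text) > 65535:
            raise ValueError("bad port: " + text)
        ports.append(int(text))
    return str(src), str(dst), ports[0], ports[1], end + 2


# Constructed sample: client 203.0.113.7:51234 connecting to the page's example
# VIP 192.168.10.5:443, followed by the first bytes of a TLS record.
TLS_BYTES = b"\x16\x03\x01"
GOOD = build_header("203.0.113.7", "192.168.10.5", 51234, 443) + TLS_BYTES
# Same line with a literal backslash-r backslash-n instead of a real CRLF.
ESCAPED = GOOD[:-len(TLS_BYTES) - 2] + b"\\r\\n" + TLS_BYTES

if __name__ == "__main__":
    print(parse_header(GOOD))
    try:
        parse_header(ESCAPED)
    except ValueError as err:
        print("rejected:", err)
```

A line that ends in the four characters backslash, r, backslash, n is rejected because the receiver never finds the end of the header, so TCP::respond has to send a real CRLF.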
Verifying the configuration
Deploy your test application:
Deploy the App:
kubectl apply -f https://github.com/F5Networks/k8s-bigip-ctlr/raw/master/docs/cis-3.x/config_examples/customResource/IngressLink/ingress-example/cafe-secret.yaml
kubectl apply -f https://github.com/F5Networks/k8s-bigip-ctlr/raw/master/docs/cis-3.x/config_examples/customResource/IngressLink/ingress-example/cafe.yaml
Deploy the Ingress Service:
kubectl apply -f https://github.com/F5Networks/k8s-bigip-ctlr/raw/master/docs/cis-3.x/config_examples/customResource/IngressLink/ingress-example/cafe-ingress.yaml
Access the Application:
The Ingress Controller pods are behind the IP configured in Step 4 (virtualServerAddress parameter). Test the traffic (in this example we used 192.168.10.5 as our VirtualServerAddress) by running the following command:
$ curl --resolve cafe.example.com:443:192.168.10.5 https://cafe.example.com:443/coffee --insecure
Server address: 10.12.0.18:80
Server name: coffee-7586895968-r26zns
Parameters
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
ipamLabel | String | Optional | N/A | FIC allocates IP addresses from an IPAM system’s address pool |
virtualServerAddress | String | Yes | N/A | IP address of the virtual server |
iRules | List | Yes | N/A | List of iRules to attach to the virtual server |
partition | String | Optional | N/A | BIG-IP Next Partition |
Note
You can use IPAM controller to configure and manage virtual server addresses in IngressLink by using ipamLabel. If you are using IPAM, virtualServerAddress is not required.
Frequently Asked Questions (F5 IngressLink)
Q: Is Ingress Address updated with the Ingress-Link implementation?
A: No, BIG-IP Next CIS does not update the ingress address in ingress status.
Note
To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.