Upgrading CNFs¶
Overview¶
This document discusses how to upgrade the various Cloud-Native Network Functions (CNFs) software components. Each section represents the independent upgradable components.
Important: F5 recommends that you perform software upgrades during a planned maintenance window.
Requirements¶
Ensure you have:
- Reviewed the CNF Release Notes
- Extracted the CNFs Software.
- A workstation with Helm installed.
BIG-IP Controller¶
The BIG-IP Controller installs using the f5ingress Helm chart, released as a versioned tarball, for example f5ingress-9.0.0.tgz. When extracted from the tarball, the f5ingress Helm chart also contains multiple subcharts that will in the future enable upgrading CNFs Pods independently. The table below lists the Pods and their charts or subcharts:
Charts/Subcharts¶
| Chart/Subchart | Pod | Containers |
|---|---|---|
| f5ingress | f5ingress | f5ingress and f5-license-helper |
| f5ingress | f5-tmm | f5-tmm and f5-debug-sidecar |
| f5-afm | f5-afm | f5-l4p-engine and f5-fluentbit |
| f5-ipsd | f5-ipds | f5-nsec-ips-daemon and f5-fluentbit |
| f5-stats_collector | otel-collector | opentelemetry-collector |
TMM RollingUpdate¶
The TMM rolling update feature enables smooth execution of F5 Ingress deployment updates, to ensure that the TMM pod is readily available to receive network traffic with minimal traffic loss. This is achieved by using the readinessGates (config and routing gates) fields, which ensures incremental replacement of existing TMM pods with the new ones. Kubernetes cluster waits for the new TMM pods before terminating the old TMM pods.
The number of TMM pods upgrading at a time is dependent on maxUnavailable and maxSurge parameters defined in the Kubernetes cluster, and the number of TMM replicas. For more information on maxUnavailable and maxSurge parameters, see Rolling Update Deployment.
For more information on f5ingress pod upgrade, see step#17 of Upgrading CNFs from 1.4.0 to 2.0 using F5 Cert Manager
Important:
- Before performing a rolling update, ensure enough resources are available based on the
maxUnavailableandmaxSurgeparameter configurations in Kubernetes. - Ensure you have additional
SelfIPsandtranslationIPs(SNAT and CGNAT) based on themaxUnavailableandmaxSurgeparameter configurations in Kubernetes.
Full upgrade¶
Use these steps to upgrade the BIG-IP Controller and all of the Pods listed in the Charts/Subcharts table above.
Change into the directory containing the latest CNFs Software, and list the f5ingress Helm chart:
cd cnfinstall; ls -1 tar | grep f5ingress
f5ingress-9.0.0.tgz
Obtain the Helm release name for the current CNFs installation:
In this example, the Helm release is in the cnf-gateway namespace.
helm list -n cnf-gateway
In this example, the Helm release is using CHART version f5ingress-8.0.0.
NAME NAMESPACE REVISION STATUS CHART f5ingress cnf-gateway 1 deployed f5ingress-8.0.0
Use the new Helm chart to upgrade the installation:
helm upgrade f5ingress tar/f5ingress-<version>.tgz \ -f <values>.yaml -n namespace
In this example, the Pods will be upgraded using the f5ingress-9.0.0.tgz Helm chart.
helm upgrade f5ingress tar/f5ingress-9.0.0.tgz \ -f values.yaml -n cnf-gateway
Verify the Helm CHART and REVISION have incremented:
helm list -n cnf-gateway
In this example, the Helm CHART is now 9.0.0 and the REVISION is now 2.
NAME NAMESPACE REVISION STATUS CHART f5ingress cnf-gateway 2 deployed f5ingress-9.0.0
Verify the Pods have a STATUS of Running:
kubectl get pods -n cnf-gateway
In this example, the upgraded Pods have a STATUS of Running.
NAME READY STATUS f5-afm-54d66946cd-5dmvs 2/2 Running f5-ipsd-54df45c9cf-tmvqv 2/2 Running f5-tmm-6fbbbcfb8-8jvkh 4/4 Running f5ingress-f5ingress-597894b455-4hglb 2/2 Running
Note: The ability to perform parital, or single CNFs Pod upgrades is not yet supported.
CRDs¶
CRD upgrades should be performed after installing the latest BIG-IP Controller that came packaged with the CRD bundle. If the CRD bundle is newer than the BIG-IP Controller, it will not not recognize the newer CRD paramaters, and the expected configuration will not be applied to the Service Proxy TMM. Use these steps to upgrade the CRDs:
Full upgrade¶
Use these steps to upgrade all of the CNFs CRDs.
Change into the directory containing the latest CNFs Software, and list the CRD bundle:
cd cnfinstall; ls -1 | grep crds
f5-cnf-crds-n6lan-8.5.2-0.1.12.tgzExtract the Helm subcharts from the f5ingress tarball:
tar xvf f5-cnf-crds-n6lan-8.5.2-0.1.12.tgz
Install the CRDs:
helm upgrade f5crds f5-cnf-crds-n6lan-8.5.2-0.1.12.tgz -n default
Partial upgrade¶
Use these steps to upgrade a single CNFs CRD.
Change into the directory containing the latest CNFs Software, and list the CRD bundle:
cd cnfinstall; ls -1 | grep crds
f5-cnf-crds-n6lan-8.5.2-0.1.12.tgzExtract the Helm subcharts from the f5ingress tarball:
tar xvf f5-cnf-crds-n6lan-8.5.2-0.1.12.tgz
Install a specific CRD:
Note: In this example, only the f5-big-nat-policy.yaml CRD is upgraded.
kubectl apply -f f5-cnf-crds-n6lan/crds/f5-big-nat-policy.yaml
dSSM database¶
To ensure there is no loss of data or downtime, the dSSM Databases should be upgraded using the Upgrading dSSM guide.
Fluentd logging¶
Use these steps to upgrade the Fluentd Logging collector.
Change into the directory containing the latest CNFs Software, and list the f5-fluentd Helm chart:
cd cnfinstall; ls -1 tar | grep fluentd
f5-toda-fluentd-1.31.12-10.0.12.tgz
Obtain the Helm release name for the current CNFs installation:
helm list -n cnf-gateway
In this example, the release name is f5-fluentd.
NAME NAMESPACE REVISION STATUS CHART f5-fluentd cnf-gateway 1 deployed f5-toda-fluentd-1.0.0
Use the new Helm chart to upgrade the installation:
helm upgrade f5-fluentd tar/f5-toda-fluentd-<version>.tgz \ -f <values>.yaml -n cnf-gateway
In this example, the Fluend Pod will be upgraded using the f5-toda-fluentd-1.31.12-10.0.12.tgz Helm chart.
helm upgrade f5-fluentd tar/f5-toda-fluentd-1.31.12-10.0.12.tgz \ -f fluentd-values.yaml -n cnf-gateway
Verify the Helm CHART and REVISION have both incremented:
helm list -n cnf-gateway
In this example, the Helm CHART is now 1.31.12-10.0.12 and the REVISION is now 2.
NAME NAMESPACE REVISION STATUS CHART f5-fluentd cnf-gateway 2 deployed f5-toda-fluentd-1.31.12-10.0.12
Verify the Fluentd Pod is Running:
kubectl get pods -n cnf-gateway | grep fluent
In this example, the Fluentd Pod is Running.
f5-toda-fluentd-5c4876d88f-99n94 1/1 Running
CNFs Software Upgrade Compatibility Matrix¶
The CNFs can be upgraded from an earlier version to the latest versions. Also, a same version upgrade can be acheived by using helm upgrade.
To upgrade the CNFs AON to a latest version, choose a version compatible with the exisitng version.
Following table depicts the supported upgrade paths for CNF releases.
———————Upgrade to versions——————–>
| CNF version | v1.2.0 | v1.2.1 | v1.3.0 | v1.3.1 | v1.3.2 | v1.4.0 | 2.0.0 |
|---|---|---|---|---|---|---|---|
| v1.2.0 | - | Y | Y | Y | Y | Y | Y |
| v1.2.1 | X | - | Y | Y | Y | Y | Y |
| v1.3.0 | X | X | - | Y | Y | Y | Y |
| v1.3.1 | X | X | X | - | Y | Y | Y |
| v1.3.2 | X | X | X | X | - | Y | Y |
| v1.4.0 | X | X | X | X | X | - | Y |
| v2.0.0 | X | X | X | X | X | X | - |
- Y Indicates - Yes
- X Indicates - Not Applicable
- - Indicates - Same version
Note: The version number on the x-axis indicates the upgrade to version and the y-axis indicates the upgrade from version of the CNF software.
CNFs Software Image Versions for OCP Releases¶
The table below lists the software image versions for OCP releases.
| IMAGE | CNF v1.2.0 | CNF v1.2.1 | CNF v1.3.0 | CNF v1.3.1 | CNF v1.3.2 | CNF v1.4.0 | CNF v2.0.0 |
|---|---|---|---|---|---|---|---|
| f5ingress | v0.434.1-0.0.92 | v0.434.1-0.2.19 | v0.480.0-0.1.30 | v0.480.0-0.1.52 | v150.480.0-0.1.52 | v0.542.0-0.0.154 | v0.761.1-0.0.216 |
| f5-nsec-ips-daemon | v1.7.6-0.0.4 | v1.7.6-0.0.7 | v3.0.6 | v3.0.6 | v3.0.6 | v3.0.29-0.0.3 | v3.4.8-0.0.6 |
| crd-conversion | v1.31.3-0.0.1 | v1.31.3-0.0.3 | v1.53.3 | v1.53.3 | v1.53.3 | v1.60.5-0.1.0 | 0.16.15-0.0.12 |
| f5-downloader | v1.6.4 | v1.6.4 | v1.6.17 | v1.6.17 | v1.6.17 | v1.6.25-0.1.1 | v0.8.1-0.0.10 |
| init-certmgr | v0.22.9-0.0.3 | v0.22.9-0.0.3 | v0.22.22-0.0.2 | v0.22.22-0.0.4 | v0.22.22-0.0.4 | v0.23.14-0.0.1 | 0.23.28-0.0.11 |
| f5-cert-client | v2.3.4 | v2.3.4 | v2.3.8 | v2.3.8 | v2.3.8 | v2.3.24-0.10.2 | v3.0.17-0.0.5 |
| crdupdater | v0.4.0-0.0.4 | v0.4.0-0.0.4 | v0.4.12 | v0.4.12 | v0.4.12 | v0.4.18-0.0.4 | v0.4.26-0.0.3 |
| tmm-img | v0.893.0-0.0.21 | v0.893.0-0.0.1.1 | v0.950.0-0.1.0 | v0.950.0-0.1.1 | v1000.950.0-0.0.1 | v0.1029.0-0.1.41 | v10.14.2-0.1.27 |
| f5-fluentd | v1.5.6 | v1.5.6 | v1.5.11 | v1.5.11 | v1.5.11 | v1.5.21-0.0.6 | v2.0.6-10.0.2 |
| rabbit | v0.4.1 | v0.4.1 | v0.4.12 | v0.4.12 | v0.4.12 | v0.4.23 | v0.5.9-0.0.1 |
| f5-license-helper | v0.10.0-0.0.2 | v0.10.0-0.0.2 | v0.11.0-0.0.1 | v0.11.0-0.0.2 | v0.11.0-0.0.2 | v0.11.0-0.0.2 | v0.12.5-0.0.5 |
| f5-fluentbit | v0.8.1-0.0.4 | v0.8.1-0.0.4 | v0.8.8 | v0.8.8 | v0.8.8 | v0.8.18-0.0.1 | v1.0.5-0.0.3 |
| spk-cwc | v0.30.3-0.0.8 | v0.30.3-0.0.11 | v0.32.6-0.0.2 | v0.32.6-0.0.2 | v0.32.6-0.0.2 | v0.32.23-0.0.4 | v0.34.14-10.0.8 |
| f5-dssm-store | v1.25.18 | v1.25.18 | v1.26.6 | v1.26.6 | v1.26.6 | v1.26.23-0.0.2 | v5.0.7-10.0.2 |
| tmrouted-img | v0.12.0 | v0.12.0 | v0.12.4 | v0.12.4 | v0.12.4 | v0.13.15-0.0.5 | v2.1.7-0.1.1 |
| f5-l4p-engine | v1.100.27 | v1.100.27 | v1.100.30-0.0.2 | v1.100.30-0.0.4 | v1.100.30-0.0.4 | v1.109.2-0.0.7 | v1.120.3-10.0.2 |
| f5-blobd | v0.12.3 | v0.12.3 | v0.12.10 | v0.12.10 | v0.12.10 | v0.12.26-0.0.13 | v1.10.0-10.0.5 |
| f5dr-img-init | v0.10.9 | v0.10.9 | v0.12.4-0.0.3 | v0.12.4-0.0.3 | v0.12.4-0.0.3 | v0.14.2-0.0.6 | v3.2.1-0.0.6 |
| f5dr-img | v0.10.9 | v0.10.9 | v0.12.4-0.0.3 | v0.12.4-0.0.3 | v0.12.4-0.0.3 | v0.14.2-0.0.6 | v3.2.1-0.0.6 |
| f5-toda-tmstatsd | v1.9.9-0.0.1 | v1.9.9-0.0.1 | v1.9.28 | v1.9.28 | v1.9.28 | v1.11.3-0.0.1 | v1.11.12-10.0.1 |
| f5-dssm-upgrader | 1.2.4 | 1.2.4 | v1.2.10 | v1.2.10 | v1.2.10 | v1.2.15-0.0.4 | v2.0.9-10.0.3 |
| cert-manager-ctl | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.3.0 |
| cert-manager-webhook | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.3.0 |
| cert-manager-cainjector | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.3.0 |
| cert-manager-controller | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.3.0 |
| f5-debug-sidecar | v7.217.1 | v7.217.1 | v7.298.1-0.0.4 | v7.298.1-0.0.4 | v7.298.1-0.0.4 | v7.401.0-0.0.24 | v8.57.0-0.2.21 |
| f5-csm-qkview | v26.18.1 | v26.18.1 | v27.2.10-0.1.0 | v27.2.10-0.1.0 | v27.2.10-0.1.0 | v27.10.2-0.0.4 | v0.10.23-0.0.2 |
| opentelemetry-collector-contrib | 0.75.0 | 0.75.0 | 0.75.0 | 0.75.0 | 0.75.0 | 0.75.0 | 0.123.0 |
| f5ing-tmm-pod-manager | NA | NA | v0.17.18-0.0.2 | v0.17.18-0.0.4 | v0.17.18-0.0.4 | v0.17.39-0.0.3 | v1.0.8-0.1.6 |
| f5-core-file-manager | NA | NA | v0.0.4 | v0.0.4 | v0.0.4 | v0.0.4 | v0.0.4 |
| spk-csrc | NA | NA | v0.3.6 | v0.3.6 | v0.3.6 | NA | NA |
Feedback¶
Provide feedback to improve this document by emailing cnfdocs@f5.com.