CNFs CWC

Overview

The Cloud-Native Network Functions (CNFs) Cluster Wide Controller (CWC) enables CNFs’s software licensing and billing capabilities. Once the CNFs software is installed and licensed, the CWC collects and reports software usage telemetry statistics based on the number of CNFs CRs used by the licensed BIG-IP Controller instances in the cluster. CNFs uses F5’s flexible consumption software licensing model, billing only for the CNFs features used.

_images/spk_info.png Note: CNFs Licensing applies to the cluster level, and is performed prior to installing the BIG-IP Controller instances.

This document guides you through installing the CWC controller.

CPCL module

The CWC contains the Common Product Component and Libraries (CPCL) module that helps with license activation, and with generating and maintaining the monthly license reports. The CPCL requires these two important licensing objects:

  • A JWKS (JSON Web Key Set) that must be installed prior to installing the CWC Pod. The JWKS can be downloaded and installed using the Install the JWKS procedure.
  • A JWT (JSON Web Token) that is associated with your unique CAT (Customer Association Token). The JWT can be obtained from your MyF5 account and will be installed using the Install the CWC procedure.

Installing the CWC Pod is demonstrated in this overview, and licensing the cluster will demonstrated in the CNFs Licensing overview.

CPCL modes

The CPCL module supports two licensing modes:

  • disconnected - When the CWC does not have access to the internet, each licensing task must be performed manually.
  • connected - When the CWC has access the internet, it can automatically perform each of the licensing tasks.

The CWC configurations required to enable each mode are available in the Procedures section of this document.

Cluster namespace

The CWC Pod can install to any cluster namespace. In this document, the CWC will install to the cnf-telemetry namespace. As mentioned previously, CWC licensing applies to the entire cluster, not a single namespace (namespace).

RabbitMQ

The CWC and BIG-IP Controller Pod communicate through the RabbitMQ open source message broker to determine the cluster licensing status. Ensure connectivity is permitted for the service ports listed in the sections below.

CWC Service

After installing the CWC, a CWC Service object is created that receives REST API data on TCP service port 30881, and forwards the data to the CWC Pod on TCP service port 3.0.7. Ensure the Service ports are available, and the cluster has CoreDNS enabled. In this example, the CNFs components will need to resolve the f5-cnf-cwc.cnf-telemetry DNS hostname.

Name:              f5-cnf-cwc
Namespace:         cnf-telemetry
IP:                10.109.102.215
Port:              cwc-rest  30881/TCP
Endpoints:         10.244.1.75:3.0.7

RabbitMQ Service

After installing the RabbitMQ Pod, a RabbitMQ Service object is created, to pass messages between the BIG-IP Controllers and the CWC on TCP service port 5671. Ensure the Service port is available, and the cluster’s core DNS is enabled. In this example, the CNFs components will need to resolve the rabbitmq-server.cnf-telemetry hostname.

Name:              rabbitmq-server
Namespace:         cnf-telemetry
IP:                10.109.105.210
Port:              ampqst  5671/TCP
Endpoints:         10.244.1.80:5671

CWC capabilities

The CWC supports the following capabilities:

  • Licensing. Refer to the CNFs Licensing guide for more information.
  • Debugging. Refer to the Debug API guide for more information.

Requirements

Ensure you have:

Procedures

Create API certificates

Use this procedure to create the SSL/TLS certificates required to authenticate the CWC REST API when using CWC in disconnected mode.

  1. Change into the directory containing the latest CNFs Software, and obtain the f5-cert-gen utility version:

    In this example, the CNF files are in the cnfinstall directory:

    cd cnfinstall
    
    ls -1 tar | grep cert-gen
    

    The example output should appear similar to the following:

    f5-cert-gen-0.9.2.tgz
    
  2. Extract the cert-gen utility:

    tar xvf tar/<helm-chart>.tgz
    

    For example:

    tar xvf tar/f5-cert-gen-0.9.2.tgz
    
  3. Create a new Project for the CWC and Rabbit Pods using the following command syntax:

    Note: A new Project is not required, and used only for easier Pod management.

    oc create ns <project name>
    

    For example:

    oc create ns cnf-telemetry
    
  4. Generate the SSL/TLS certificates and Secret for the CWC REST API:

    _images/spk_info.png Note: The certificates will be used in the CNFs Licensing guide.

    sh cert-gen/gen_cert.sh -s=api-server -a=f5-cnf-cwc.<namespace> -n=1
    

    In this example, the CWC installs to the cnf-telemetry namespace.

    sh cert-gen/gen_cert.sh -s=api-server -a=f5-cnf-cwc.cnf-telemetry -n=1
    

    The command output indicates the Secret has been created:

    Generating /path/cwc-license-certs.yaml
    
  5. Install the CWC REST API Secret:

    In this example, the CWC installs to the cnf-telemetry Project.

    oc apply -f cwc-license-certs.yaml -n cnf-telemetry
    

    The command output indicates the Secret was created successfully:

    secret/cwc-license-certs created
    
  6. Continue to the next procedure.

Install RabbitMQ

Use these steps to install the RabbitMQ Pod.

  1. While in the directory with the CNFs Software files, obtain the rabbitmq Helm chart version:

    ls -1 tar | grep rabbitmq
    

    The example output should appear similar to the following:

    rabbitmq-0.2.8-0.0.3.tgz
    
  2. To obtain the RabbitMQ software image from the local software registry, create a rabbitmq-values.yaml file, and set the image.repository parameter:

    image:
      repository: "local.registry.com"
    
  3. Install the RabbitMQ Pod using the following command syntax:

    helm install <release> tar/<helm-chart>.tgz \
    -f <values>.yaml -n <namespace>
    

    For example:

    helm install cnf-rabbit tar/rabbitmq-0.2.8-0.0.3.tgz \
    -f rabbitmq-values.yaml -n cnf-telemetry
    
  4. Verify the RabbitMQ Pod STATUS:

    oc get pods -n cnf-telemetry
    

    In this example, the RabbitMQ Pod STATUS is Running.

    NAME                         READY   STATUS  
    f5-rabbit-5688f9c8c7-f7d9d   1/1     Running 
    
  5. Continue to the next section.

Install the JWKS

Use these steps to download and install the JWKS ConfigMap.

  1. Download the JWKS cpcl-key-cm (key) ConfigMap here.

  2. Install the JWKS cpcl-key-cm ConfigMap:

    In this example, the ConfigMap installs to the cnf-telemetry namespace:

    oc apply -f cpcl-key.yaml -n cnf-telemetry
    
  3. Continue to either the Install CWC - connected or the Install CWC - disconnected procedure.

Install CWC - connected

Use these steps to install the CWC Pod using connected mode.

_images/spk_warn.png Important: Ensure the CWC Pod has access to the product.apis.f5.com licensing server over TCP service port 443.

  1. While in the directory with the CNFs software files, obtain the cwc Helm chart version:

    ls -1 tar | grep cwc
    

    The example output should appear similar to the following:

    cwc-0.14.15-0.0.8.tgz
    
  2. To obtain the CWC software image from the local software registry, create a cwc-values.yaml file, and set the image.repository parameter:

    cwc:
      image:
        repository: "local.registry.com"
        name: spk-cwc
    orch:
      image:
        repository: "local.registry.com"
        name: f5-csm-qkview
    fluentbit_sidecar:
      image:
        repository: "local.registry.com"
        name: fluentbit  
    
  3. Set the rabbitmqNamespace parameter to the CWC namespace in the cwc-values.yaml file:

    rabbitmqNamespace: "cnf-telemetry"
    
  4. To automatically obtain the cluster license from the F5 license server, add the F5 provided JWT to the jwt parameter in the cwc-values.yaml file:

    Note: The jwt value “eyJhbGciOiJSUzUxMiIsInR5cCI6” has been shortened for readability.

    cpclConfig:
      operationMode: "connected"
      jwt: "eyJhbGciOiJSUzUxMiIsInR5cCI6"
      teemCertUrl: "https://product.apis.f5.com/ee/v1/entitlements/telemetry"
      teemEntitlementUrl: "https://product.apis.f5.com/ee/v1/entitlements/telemetry"
      teemInitialConfigUrl: "https://product.apis.f5.com/ee/v1/entitlements/telemetry"
      friendlyName: "CNF Cluster"
    
    service:
      name: f5-cnf-cwc
    
  5. Add the CNFs CWC serviceAccount to the Project’s privileged security context constraint (SCC):

    _images/spk_info.png Note: The cnf-cwc serviceAccount name is based on the Helm release name. See Step 7.

    oc adm policy add-scc-to-user privileged -n <project> -z <serviceaccount>
    

    In this example, the cnf-cwc serviceAccount is added to the cnf-telemetry Project’s privileged SCC:

    oc adm policy add-scc-to-user privileged -n cnf-telemetry -z cnf-cwc
    
  6. Install the CWC Pod using the following command syntax:

    helm install <release> tar/<helm-chart>.tgz \
    -f <values>.yaml -n <namespace>
    

    For example:

    helm install cnf-cwc tar/cwc-0.14.15-0.0.8.tgz \
    -f cwc-values.yaml -n cnf-telemetry
    
  7. Verify the STATUS of the CWC Pod:

    oc get pods -n cnf-telemetry 
    

    In this example, the CWC Pod STATUS is Running.

    NAME                         READY   STATUS  
    f5-rabbit-5688f9c8c7-lv49b   1/1     Running 
    f5-cnf-cwc-94bcd64bd-42xdc   1/1     Running 
    
  8. Continue to Next steps section.

Install CWC - disconnected

Use these steps to install the CWC Pod using disconnected mode.

  1. While in the directory with the CNFs software files, obtain the cwc Helm chart version:

    ls -1 tar | grep cwc
    

    The example output should appear similar to the following:

    cwc-0.14.15-0.0.8.tgz
    
  2. To pull the CWC software image from the local software registry, create a cwc-values.yaml file, and set the image.repository parameter:

    cwc:
      image:
        repository: "local.registry.com"
        name: spk-cwc
    orch:
      image:
        repository: "local.registry.com"
        name: f5-csm-qkview
    fluentbit_sidecar:
      image:
        repository: "local.registry.com"
        name: fluentbit  
    
  3. Set the rabbitmqNamespace parameter to the CWC namespace in the cwc-values.yaml file:

    rabbitmqNamespace: "cnf-telemetry"
    
  4. Set the friendlyName and service parameters to the following values:

    cpclConfig:
      friendlyName: "CNF Cluster"
    
    service:
      name: f5-cnf-cwc
    
  5. Add the CNF CWC serviceAccount to the Project’s privileged security context constraint (SCC):

    _images/spk_info.png Note: The cnf-cwc serviceAccount name is based on the Helm release name. See Step 7.

    oc adm policy add-scc-to-user privileged -n <project> -z <serviceaccount>
    

    In this example, the cnf-cwc serviceAccount is added to the cnf-telemetry Project’s privileged SCC:

    oc adm policy add-scc-to-user privileged -n cnf-telemetry -z cnf-cwc
    
  6. Install the CWC Pod using the following command syntax. Ensure you configure the cpclConfig.jwt parameter to the reference the JWT:

    helm install <release> tar/<helm-chart>.tgz -f <values>.yaml \
    --set cpclConfig.jwt=<jwt-string> -n <namespace>
    

    In this example, the JWT string eyJhbGciOiJSUzUxMiIsInR5cCI6 has been truncated for readability

    helm install cnf-cwc tar/cwc-0.14.15-0.0.8.tgz -f cwc-values.yaml \
    --set cpclConfig.jwt=eyJhbGciOiJSUzUxMiIsInR5cCI6 -n cnf-telemetry
    
  7. Verify the STATUS of the CWC Pod:

    oc get pods -n cnf-telemetry 
    

    In this example, the CWC Pod STATUS is Running.

    NAME                         READY   STATUS 
    f5-rabbit-5688f9c8c7-lv49b   1/1     Running 
    f5-cnf-cwc-94bcd64bd-42xdc   1/1     Running
    
  8. Continue to Next steps section.

Next steps

  • If the CPCL is running in connected mode, continue to the CNFs Licensing guide to license the cluster.
  • If the CPCL is running in disconnected mode, continue to the CNFs Licensing guide to license the cluster.

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.

Supplemental