CNFs Artifacts through F5 Artifact Registry¶
Overview¶
The Cloud-Native Network Functions (CNFs) helm charts, docker images, and other utilities are now available through F5 Artifact Registry (FAR) at repo.f5.com. FAR is accessible to all, but only users with a valid Service Account Key can download and install the artifacts.
This document details the procedures for downloading a Service Account Key, and using the Service Account Key to download the CNF Manifest file and install Helm charts, docker images, and other utilities into the cluster from FAR (repo.f5.com).
Procedures¶
1. Download Service Account Key¶
To download Service Account Key, do the following:
Login to MyF5.
Note: You must have a MyF5 account to login.Navigate to Support Resources and click Downloads.
Check the box for the End User License Agreement and Program Terms, then click Next.
Choose BIG-IP_Next from the Select a Product Family Group drop-down.
Select Cloud-Native Network Functions (CNF) from the Product Line drop-down.
Choose the desired version from the Product Version drop-down.
Select the f5-far-auth-key.tgz file from the download file list. Choose a download location from the drop-down menu and click Download.
The TGZ file contains a Service Account Key. This is Service Account Key in base64 format, used for logging into FAR.
2. Download Manifest File¶
Download manifest.yaml file for the current release or the specific release you are looking for.
To download Manifest file, do the following:
Perform Helm Login to download Manifest file from FAR:
cat <service_account_key_base64 file> | helm registry login -u _json_key_base64 --password-stdin https://repo.f5.com
In this example, cne_pull-base64.json is the Service Account Key.
cat cne_pull_64.json | helm registry login -u _json_key_base64 --password-stdin https://repo.f5.com
Perform Helm Pull to pull the Manifest file from FAR:
helm pull oci://repo.f5.com/<path of Manifest file> --version <version of Manifest file>
In this example, release/f5-bigip-k8s-manifest is the path for pulling manifest.yaml file and its version is 2.2.0-3.2226.0+0.0.385.
helm pull oci://repo.f5.com/release/f5-bigip-k8s-manifest --version 2.2.0-3.2226.0+0.0.385
The f5-bigip-k8s-manifest-2.2.0-3.2226.0+0.0.385.tgz file is now pulled.
Run list command to see newly downloaded Manifest tar file:
lsThe file list shows the service_account_key_base64 file and Manifest file named f5-bigip-k8s-manifest-2.2.0-3.2226.0+0.0.385.tgz:
Extract the Manifest file:
tar xvf f5-bigip-k8s-manifest-2.2.0-3.2226.0+0.0.385.tgz
Run list command on the f5-bigip-k8s-manifest-2.2.0-3.2226.0+0.0.385 directory. It shall list bigip-k8s-manifest-2.2.0-3.2226.0+0.0.385.yaml file:
ls f5-bigip-k8s-manifest-2.2.0-3.2226.0+0.0.385
The file list shows a bigip-k8s-manifest-2.2.0-3.2226.0+0.0.385.yaml file:
The bigip-k8s-manifest-2.2.0-3.2226.0+0.0.385.yaml file: Contains names and version numbers of all cnf Helm charts and docker images.
Example of bigip-k8s-manifest-2.2.0-3.2226.0+0.0.385.yaml file:
f5_helm_repo: oci://repo.f5.com f5_docker_repo: repo.f5.com releases: - version: 2.2.0-3.2226.0-0.0.385 helm_charts: - name: charts/cwc version: 0.49.7-0.0.16 - name: utils/f5-cert-gen version: 0.9.3 - name: charts/f5-cert-manager version: 0.23.48-0.1.5 - name: charts/f5-crdconversion version: 0.61.4-0.0.44 - name: charts/f5-dssm version: 1.46.0-0.24.0 - name: charts/f5-cnf-crds-n6lan version: 14.19.4-0.1.11 - name: charts/f5-spk-crds-common version: 14.19.4-0.1.11 - name: charts/f5-spk-crds-deprecated version: 14.19.4-0.1.11 - name: charts/f5-spk-crds-service-proxy version: 14.19.4-0.1.11 - name: charts/f5-toda-fluentd version: 2.3.2-0.0.6 - name: charts/f5ingress version: v15.82.0-0.2.50 - name: charts/rabbitmq version: 0.8.9-0.0.6 - name: charts/csrc version: 0.11.5-0.0.11 - name: charts/coremond version: 0.10.0-0.2.3 - name: charts/f5-toda-observer version: 5.22.10-0.2.4 - name: utils/log-doc-f5ingress version: 14.19.4+0.1.11 - name: utils/dnat-util version: v0.5.10+0.0.2 - name: charts/f5-lifecycle-operator version: v2.9.27-0.2.10 - name: charts/f5-ipam-controller version: v1.1.48-0.0.8 - name: charts/node-labeler version: 0.6.9-0.0.3 - name: charts/f5-license-proxy version: 1.29.0-0.10.22 - name: utils/flp-setup version: 1.29.0-0.10.22 - name: charts/f5-stats_collector version: 1.0.21-0.0.3 - name: charts/f5-tmm version: 15.82.0-0.2.50 - name: charts/coremond version: 0.10.0-0.2.3 docker_images: - name: images/cert-manager-cainjector version: v2.5.2 - name: images/cert-manager-controller version: v2.5.2 - name: images/cert-manager-startupapicheck version: v2.5.2 - name: images/cert-manager-webhook version: v2.5.2 - name: images/crd-conversion version: v1.212.9-0.7.2 - name: images/crdupdater version: v0.5.8-0.0.6 - name: images/f5-blobd version: v1.23.14-0.0.8 - name: images/f5-cert-client version: v3.5.9-0.0.2 - name: images/f5-csm-qkview version: v0.13.20-0.0.3 - name: images/f5-debug-sidecar version: v10.32.4-0.0.38 - name: images/f5-downloader version: v0.31.3-0.0.15 - name: images/f5-dssm-store version: v5.1.32-0.0.8 - name: images/f5-dssm-upgrader version: v2.0.27-0.0.5 - name: images/f5-fluentbit version: v1.3.9-0.0.4 - name: images/f5-fluentd version: v2.3.2-0.0.6 - name: images/f5-l4p-engine version: v1.128.7-0.0.5 - name: images/f5-license-helper version: v0.12.20-0.0.9 - name: images/f5-nsec-ips-daemon version: v3.5.18-0.0.4 - name: images/f5-toda-tmstatsd version: v1.11.24-0.0.5 - name: images/f5dr-img version: v3.16.0-0.0.13 - name: images/f5dr-img-init version: v3.16.0-0.0.13 - name: images/f5ing-tmm-pod-manager version: v1.2.8-0.0.3 - name: images/f5ingress version: v14.19.4-0.1.11 - name: images/init-certmgr version: v0.23.48-0.1.5 - name: images/opentelemetry-collector-contrib version: 0.142.0 - name: images/rabbit version: v0.5.15-0.0.3 - name: images/spk-cwc version: v0.37.2-0.0.9 - name: images/tmm-img version: v10.98.3-0.11.9 - name: images/tmrouted-img version: v2.15.3-0.1.0 - name: images/spk-csrc version: v0.7.11-0.0.7 - name: images/f5-dwbld version: v1.175.3-0.0.11 - name: images/f5-coremond version: v0.10.0-0.2.3 - name: images/f5-toda-observer version: v5.22.10-0.2.4 - name: images/f5-bdosd version: v0.145.0-0.0.4 - name: images/dnsx-img version: v0.10.29-0.0.3 - name: images/f5-lifecycle-operator version: v2.9.27-0.2.10 - name: images/f5-ipam-controller version: v1.1.48-0.0.8 - name: images/f5-node-labeler version: v0.0.20-0.0.3 - name: images/f5-eowyn-install version: v0.5.4-10.0.3 - name: images/crd-installer version: v14.19.4-0.1.11 - name: images/postgresql version: 1.29.0-0.10.22 - name: images/vault version: 1.21.1 - name: images/vault-init version: 1.29.0-0.10.22 - name: images/f5-license-proxy version: 1.29.0-0.10.22 - name: images/f5-env-discovery version: v2.9.27-0.2.10 - name: images/f5-fqdn-resolver version: v0.9.5-0.0.3 - name: images/gslb-engine version: v0.118.4-0.0.5 - name: images/gslb-probe-agent version: v0.31.16-0.0.3 - name: images/f5-analyzer version: v0.0.10-0.0.9 - name: images/f5-urlcat version: v0.1.3 - name: images/ocnos-img version: v0.5.2-0.2.3 - name: images/ocnos-img-init version: v0.5.2-0.2.3
3. Install Helm charts¶
Following are the two different procedures described to install the Helm charts. Perform the steps mentioned in either Procedure 1 or Procedure 2 to complete the installation.
Note: Perform any one of the following procedures.
Procedure 1: Download CNF Helm charts, Docker Images and other Utilities¶
Do the following steps to download CNF Helm charts, Docker Images and other Utilities:
Perform Helm Login to download Helm charts from FAR:
cat <service_account_key_base64 file> | helm registry login -u _json_key_base64 --password-stdin https://repo.f5.com
In this example, cne_pull-base64.json is the Service Account Key.
cat cne_pull_64.json | helm registry login -u _json_key_base64 --password-stdin https://repo.f5.com
Perform Helm Pull to pull the Helm charts from FAR:
helm pull oci://repo.f5.com/<path of Helm chart> --version <version of Helm chart>
In this example, charts/f5ingress is the path for pulling f5ingress Helm chart and its version is v14.19.4-0.1.11 as retrieved from the manifest.yaml file.
helm pull oci://repo.f5.com/charts/f5ingress --version v14.19.4-0.1.11
Perform Utilities Pull to pull the other utilities from FAR:
helm pull oci://repo.f5.com/<path of Utilities> --version <version of Utility>
In this example, utils/log-doc-f5ingress is the path for pulling log-doc-f5ingress utility and its version is 14.19.4-0.1.11 as retrieved from the manifest.yaml file.
helm pull oci://repo.f5.com/utils/log-doc-f5ingress --version 14.19.4-0.1.11
Perform Docker Login to download docker images from FAR:
cat <service_account_key_base64 file> | docker login -u _json_key_base64 --password-stdin <URL of F5 Artifact Registry>
In this example, cne_pull_64.json is the same Service Account Key.
cat cne_pull_64.json | docker login -u _json_key_base64 --password-stdin https://repo.f5.com
Perform Docker Pull to pull the docker images from FAR:
docker pull repo.f5.com/<path of Docker Image>:<version of Docker Image>
In this example, images/rabbit is the path for pulling rabbit docker image and its version is 0.5.15-0.0.3 as retrieved from the manifest.yaml file.
docker pull repo.f5.com/images/rabbit:v0.5.15-0.0.3
Procedure 2: Installing helm chart via imagePullSecrets¶
The imagePullSecrets feature is used to securely install helm chart from a FAR directly into a cluster by using the Service Account Key from the TGZ file as authentication credentials.
Use the following steps to install helm chart directly from FAR into a cluster:
Perform Helm Login, as shown in Step 1 of Procedure 1: Download cnf Helm charts, Docker Images and other Utilities section.
Perform Docker Login to download docker images as shown in step 4 of Procedure 1: Download cnf Helm charts, Docker Images and other Utilities section.
Copy and paste the below bash script into a .sh file and run.
Note: The bash script here is using cne_pull_64.json as a Service Account Key. This script is written for Linux. Remove -w 0as arguments to base64 from the script when using on Mac.#!/bin/bash # Read the content of pipeline.json into the SERVICE_ACCOUNT_KEY variable SERVICE_ACCOUNT_KEY=$(cat cne_pull_64.json) # Create the SERVICE_ACCOUNT_K8S_SECRET variable by appending "_json_key_base64:" to the base64 encoded SERVICE_ACCOUNT_KEY SERVICE_ACCOUNT_K8S_SECRET=$(echo "_json_key_base64:${SERVICE_ACCOUNT_KEY}" | base64 -w 0) # Create the secret.yaml file with the provided content cat << EOF > far-secret.yaml --- apiVersion: v1 kind: Secret metadata: name: far-secret data: .dockerconfigjson: $(echo "{\"auths\": {\ \"repo.f5.com\":\ {\"auth\": \"$SERVICE_ACCOUNT_K8S_SECRET\"}}}" | base64 -w 0) type: kubernetes.io/dockerconfigjson EOF
The far-secret.yaml secret file will be generated according to the secret name provided in the bash script.
Apply far-secret.yaml secret file to the namespace where you want to install the helm chart:
oc create -f far-secret.yaml -n <namespace>
In this example the far-secret.yaml secret is install to the demo-ns Project.
oc create -f far-secret.yaml -n demo-ns
To install the helm charts from FAR, set the
imageCredentialsandimage.repositoryparameters in the helm values files as shown in the following examples:a. Fluentd:
Configure the fluentd-values.yaml file with imageCredentials and image.repository parameters. For complete yaml file, see Fluend Logging.
```bash imageCredentials: name: far-secret image: repository: repo.f5.com/images ```
b. CWC:
Configure the cwc-values.yaml file with imageCredentials and image.repository parameters. For complete yaml file, see CNFs CWC.
cwc: image: repository: "local.registry.com" name: spk-cwc imageCredentials: name: far-secret orch: image: repository: "local.registry.com" name: f5-csm-qkview fluentbit_sidecar: image: repository: "local.registry.com" name: fluentbit
c. RabbitMQ:
Configure the rabbitmq-values.yaml file with imageCredentials and image.repository parameters. For complete yaml file, see CNFs CWC.
image: repository: "local.registry.com" imageCredentials: name: far-secret
d. CRD Conversion:
Configure the crd-conversion-values.yaml file with imageCredentials and image.repository parameters. For complete yaml file, see CRD Conversion Webhook.
crdconversion: enabled: true debug: false image: repository: pullPolicy: imageCredentials: name: far-secret
e. F5 Ingress:
Configure the f5ingress-values.yaml file with imageCredentials and image.repository parameters. For complete yaml file, see BIG-IP Controller.
controller: image: repository: pullPolicy: imageCredentials: name: far-secret global: serviceAccount: imageCredentials: name: far-secret
f. dSSM:
Configure the dssm-values.yaml file with imageCredentials and image.repository parameters. For complete yaml file, see dSSM Database.
fluentbit_sidecar: enabled: true image: repository: pullPolicy: imagePullSecrets: - name: far-secret
f. Cert Manager:
Configure the cert-manager-values.yaml file with imageCredentials and image.repository parameters. For complete yaml file, see Cert Manager.
global: imagePullSecrets: - name: far-secret image: repository: pullPolicy:
Note: Attribute imageCredentials name varies for different helm charts. To know the exact name defined for this field, please refer the document of that particular helm chart.
Install the helm chart:
helm install <release name> oci://repo.f5.com/<path of helm chart> --version <version number> -f <values>.yaml
In this example, charts/f5-toda-fluentd is the path for installing f5-toda-fluentd helm chart its version is 2.3.2-0.0.6, values file is fluentd_values.yaml (Created in Step 3).
helm install f5-fluentd oci://repo.f5.com/charts/f5-toda-fluentd --version 2.3.2-0.0.6 -f fluentd_values.yaml
Verify the status of the helm chart:
oc get pods -n demo-ns
In this example, the f5-toda-fluentd is Running.
NAME READY STATUS RESTARTS AGE f5-toda-fluentd-6fcdb48d8b-4dkcc 1/1 Running 0 9s
Feedback¶
Provide feedback to improve this document by emailing cnfdocs@f5.com.