Upgrading CNFs¶
Overview¶
This document discusses how to upgrade the various Cloud-Native Network Functions (CNFs) software components. Each section represents the independent upgradable components.
Important: F5 recommends that you perform software upgrades during a planned maintenance window.
Requirements¶
Ensure you have:
- Reviewed the CNF Release Notes
- Extracted the CNFs Software.
- A workstation with Helm installed.
BIG-IP Controller¶
The BIG-IP Controller installs using the f5ingress Helm chart, released as a versioned tarball, for example f5ingress-9.0.0.tgz. When extracted from the tarball, the f5ingress Helm chart also contains multiple subcharts that will in the future enable upgrading CNFs Pods independently. The table below lists the Pods and their charts or subcharts:
Charts/Subcharts¶
| Chart/Subchart | Pod | Containers |
|---|---|---|
| f5ingress | f5ingress | f5ingress and f5-license-helper |
| f5ingress | f5-tmm | f5-tmm and f5-debug-sidecar |
| f5-afm | f5-afm | f5-l4p-engine and f5-fluentbit |
| f5-ipsd | f5-ipds | f5-nsec-ips-daemon and f5-fluentbit |
| f5-stats_collector | otel-collector | opentelemetry-collector |
TMM RollingUpdate¶
When upgrading CNFs, installations with multiple f5-tmm replicas (Pods) running, CNFs uses the Kubernetes RollingUpdate feature; terminating and upgrading f5-tmm Pods at a time, leaving the remaining f5-tmm replicas available to process application traffic.
Since maxUnavailable and maxSurge parameters are not defined in TMM deployment, the k8s sets the default values as 25% for both fields. Hence, multiple TMM pods may upgrade at a time. To control this behaviour, manually set the maxUnavailable and maxSurge fields as required in TMM deployment.
Full upgrade¶
Use these steps to upgrade the BIG-IP Controller and all of the Pods listed in the Charts/Subcharts table above.
Change into the directory containing the latest CNFs Software, and list the f5ingress Helm chart:
cd cnfinstall; ls -1 tar | grep f5ingress
f5ingress-9.0.0.tgz
Obtain the Helm release name for the current CNFs installation:
In this example, the Helm release is in the cnf-gateway namespace.
helm list -n cnf-gateway
In this example, the Helm release is using CHART version f5ingress-8.0.0.
NAME NAMESPACE REVISION STATUS CHART f5ingress cnf-gateway 1 deployed f5ingress-8.0.0
Use the new Helm chart to upgrade the installation:
helm upgrade f5ingress tar/f5ingress-<version>.tgz \ -f <values>.yaml -n namespace
In this example, the Pods will be upgraded using the f5ingress-9.0.0.tgz Helm chart.
helm upgrade f5ingress tar/f5ingress-9.0.0.tgz \ -f values.yaml -n cnf-gateway
Verify the Helm CHART and REVISION have incremented:
helm list -n cnf-gateway
In this example, the Helm CHART is now 9.0.0 and the REVISION is now 2.
NAME NAMESPACE REVISION STATUS CHART f5ingress cnf-gateway 2 deployed f5ingress-9.0.0
Verify the Pods have a STATUS of Running:
oc get pods -n cnf-gateway
In this example, the upgraded Pods have a STATUS of Running.
NAME READY STATUS f5-afm-54d66946cd-5dmvs 2/2 Running f5-ipsd-54df45c9cf-tmvqv 2/2 Running f5-tmm-6fbbbcfb8-8jvkh 4/4 Running f5ingress-f5ingress-597894b455-4hglb 2/2 Running
Partial upgrade¶
The ability to perform parital, or single CNFs Pod upgrades is not yet supported.
CRDs¶
CRD upgrades should be performed after installing the latest BIG-IP Controller that came packaged with the CRD bundle. If the CRD bundle is newer than the BIG-IP Controller, it will not not recognize the newer CRD paramaters, and the expected configuration will not be applied to the Service Proxy TMM. Use these steps to upgrade the CRDs:
Full upgrade¶
Use these steps to upgrade all of the CNFs CRDs.
Change into the directory containing the latest CNFs Software, and list the CRD bundle:
cd cnfinstall; ls -1 | grep crds
f5-cnf-crds-n6lan-0.177.8-0.0.11.tgz
Extract the Helm subcharts from the f5ingress tarball:
tar xvf f5-cnf-crds-n6lan-0.177.8-0.0.11.tgz
Install the CRDs:
helm upgrade f5crds f5-cnf-crds-n6lan-0.177.8-0.0.11.tgz -n default
Partial upgrade¶
Use these steps to upgrade a single CNFs CRD.
Change into the directory containing the latest CNFs Software, and list the CRD bundle:
cd cnfinstall; ls -1 | grep crds
f5-cnf-crds-n6lan-0.177.8-0.0.11.tgz
Extract the Helm subcharts from the f5ingress tarball:
tar xvf f5-cnf-crds-n6lan-0.177.8-0.0.11.tgz
Install a specific CRD:
Note: In this example, only the f5-big-nat-policy.yaml CRD is upgraded.
oc apply -f f5-cnf-crds-n6lan/crds/f5-big-nat-policy.yaml
dSSM database¶
To ensure there is no loss of data or downtime, the dSSM Databases should be upgraded using the Upgrading dSSM guide.
Fluentd logging¶
Use these steps to upgrade the Fluentd Logging collector.
Change into the directory containing the latest CNFs Software, and list the f5-fluentd Helm chart:
cd cnfinstall; ls -1 tar | grep fluentd
f5-toda-fluentd-1.5.0.tgz
Obtain the Helm release name for the current CNFs installation:
helm list -n cnf-gateway
In this example, the release name is f5-fluentd.
NAME NAMESPACE REVISION STATUS CHART f5-fluentd cnf-gateway 1 deployed f5-toda-fluentd-1.0.0
Use the new Helm chart to upgrade the installation:
helm upgrade f5-fluentd tar/f5-toda-fluentd-<version>.tgz \ -f <values>.yaml -n cnf-gateway
In this example, the Fluend Pod will be upgraded using the f5-toda-fluentd-1.5.0.tgz Helm chart.
helm upgrade f5-fluentd tar/f5-toda-fluentd-1.5.0.tgz \ -f fluentd-values.yaml -n cnf-gateway
Verify the Helm CHART and REVISION have both incremented:
helm list -n cnf-gateway
In this example, the Helm CHART is now 1.5.0 and the REVISION is now 2.
NAME NAMESPACE REVISION STATUS CHART f5-fluentd cnf-gateway 2 deployed f5-toda-fluentd-1.5.0
Verify the Fluentd Pod is Running:
oc get pods -n cnf-gateway | grep fluent
In this example, the Fluentd Pod is Running.
f5-toda-fluentd-5c4876d88f-99n94 1/1 Running
CNFs Software Upgrade Compatibility Matrix¶
The CNFs can be upgraded from an earlier version to the latest versions. Also, a same version upgrade can be acheived by using helm upgrade.
To upgrade the CNFs openshift to a latest version, choose a version compatible with the exisitng version.
Following table depicts the supported upgrade paths for CNF releases.
———————Upgrade to versions——————–>
| CNF version | v1.2.0 | v1.2.1 | v1.3.0 | v1.3.1 | v1.3.2 | v1.4.0 |
|---|---|---|---|---|---|---|
| v1.2.0 | - | Y | Y | Y | Y | Y |
| v1.2.1 | X | - | Y | Y | Y | Y |
| v1.3.0 | X | X | - | Y | Y | Y |
| v1.3.1 | X | X | X | - | Y | Y |
| v1.3.2 | X | X | X | X | - | Y |
| v1.4.0 | X | X | X | X | X | - |
- Y Indicates - Yes
- X Indicates - Not Applicable
- - Indicates - Same version
Note: The version number on the x-axis indicates the upgrade to version and the y-axis indicates the upgrade from version of the CNF software.
CNFs Software Image Versions for OCP Releases¶
The table below lists the software image versions for OCP releases.
| IMAGE | CNF v1.2.0 | CNF v1.2.1 | CNF v1.3.0 | CNF v1.3.1 | CNF v1.3.2 | CNF v1.4.0 |
|---|---|---|---|---|---|---|
| f5ingress | v0.434.1-0.0.92 | v0.434.1-0.2.19 | v0.480.0-0.1.30 | v0.480.0-0.1.52 | v150.480.0-0.1.52 | v0.542.0-0.0.154 |
| f5-nsec-ips-daemon | v1.7.6-0.0.4 | v1.7.6-0.0.7 | v3.0.6 | v3.0.6 | v3.0.6 | v3.0.29-0.0.3 |
| crd-conversion | v1.31.3-0.0.1 | v1.31.3-0.0.3 | v1.53.3 | v1.53.3 | v1.53.3 | v1.60.5-0.1.0 |
| f5-downloader | v1.6.4 | v1.6.4 | v1.6.17 | v1.6.17 | v1.6.17 | v1.6.25-0.1.1 |
| init-certmgr | v0.22.9-0.0.3 | v0.22.9-0.0.3 | v0.22.22-0.0.2 | v0.22.22-0.0.4 | v0.22.22-0.0.4 | v0.23.14-0.0.1 |
| f5-cert-client | v2.3.4 | v2.3.4 | v2.3.8 | v2.3.8 | v2.3.8 | v2.3.24-0.10.2 |
| crdupdater | v0.4.0-0.0.4 | v0.4.0-0.0.4 | v0.4.12 | v0.4.12 | v0.4.12 | v0.4.18-0.0.4 |
| tmm-img | v0.893.0-0.0.21 | v0.893.0-0.0.1.1 | v0.950.0-0.1.0 | v0.950.0-0.1.1 | v1000.950.0-0.0.1 | v0.1029.0-0.1.41 |
| f5-fluentd | v1.5.6 | v1.5.6 | v1.5.11 | v1.5.11 | v1.5.11 | v1.5.21-0.0.6 |
| rabbit | v0.4.1 | v0.4.1 | v0.4.12 | v0.4.12 | v0.4.12 | v0.4.23 |
| f5-license-helper | v0.10.0-0.0.2 | v0.10.0-0.0.2 | v0.11.0-0.0.1 | v0.11.0-0.0.2 | v0.11.0-0.0.2 | v0.11.0-0.0.2 |
| f5-fluentbit | v0.8.1-0.0.4 | v0.8.1-0.0.4 | v0.8.8 | v0.8.8 | v0.8.8 | v0.8.18-0.0.1 |
| spk-cwc | v0.30.3-0.0.8 | v0.30.3-0.0.11 | v0.32.6-0.0.2 | v0.32.6-0.0.2 | v0.32.6-0.0.2 | v0.32.23-0.0.4 |
| f5-dssm-store | v1.25.18 | v1.25.18 | v1.26.6 | v1.26.6 | v1.26.6 | v1.26.23-0.0.2 |
| tmrouted-img | v0.12.0 | v0.12.0 | v0.12.4 | v0.12.4 | v0.12.4 | v0.13.15-0.0.5 |
| f5-l4p-engine | v1.100.27 | v1.100.27 | v1.100.30-0.0.2 | v1.100.30-0.0.4 | v1.100.30-0.0.4 | v1.109.2-0.0.7 |
| f5-blobd | v0.12.3 | v0.12.3 | v0.12.10 | v0.12.10 | v0.12.10 | v0.12.26-0.0.13 |
| f5dr-img-init | v0.10.9 | v0.10.9 | v0.12.4-0.0.3 | v0.12.4-0.0.3 | v0.12.4-0.0.3 | v0.14.2-0.0.6 |
| f5dr-img | v0.10.9 | v0.10.9 | v0.12.4-0.0.3 | v0.12.4-0.0.3 | v0.12.4-0.0.3 | v0.14.2-0.0.6 |
| f5-toda-tmstatsd | v1.9.9-0.0.1 | v1.9.9-0.0.1 | v1.9.28 | v1.9.28 | v1.9.28 | v1.11.3-0.0.1 |
| f5-dssm-upgrader | 1.2.4 | 1.2.4 | v1.2.10 | v1.2.10 | v1.2.10 | v1.2.15-0.0.4 |
| cert-manager-ctl | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 |
| cert-manager-webhook | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 |
| cert-manager-cainjector | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 |
| cert-manager-controller | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 | 2.2.3 |
| f5-debug-sidecar | v7.217.1 | v7.217.1 | v7.298.1-0.0.4 | v7.298.1-0.0.4 | v7.298.1-0.0.4 | v7.401.0-0.0.24 |
| f5-csm-qkview | v26.18.1 | v26.18.1 | v27.2.10-0.1.0 | v27.2.10-0.1.0 | v27.2.10-0.1.0 | v27.10.2-0.0.4 |
| opentelemetry-collector-contrib | 0.75.0 | 0.75.0 | 0.75.0 | 0.75.0 | 0.75.0 | 0.75.0 |
| f5ing-tmm-pod-manager | NA | NA | v0.17.18-0.0.2 | v0.17.18-0.0.4 | v0.17.18-0.0.4 | v0.17.39-0.0.3 |
| f5-core-file-manager | NA | NA | v0.0.4 | v0.0.4 | v0.0.4 | v0.0.4 |
| spk-csrc | NA | NA | v0.3.6 | v0.3.6 | v0.3.6 | NA |
Feedback¶
Provide feedback to improve this document by emailing cnfdocs@f5.com.