Upgrading CNFs

Overview

This document discusses how to upgrade the various Cloud-Native Network Functions (CNFs) software components. Each section represents the independent upgradable components.

Important: F5 recommends that you perform software upgrades during a planned maintenance window.

Requirements

Ensure you have:

• Reviewed the CNF Release Notes
• Extracted the CNFs Software.
• A workstation with Helm installed.

BIG-IP Controller

The BIG-IP Controller installs using the f5ingress Helm chart, released as a versioned tarball, for example f5ingress-9.0.0.tgz. When extracted from the tarball, the f5ingress Helm chart also contains multiple subcharts that will in the future enable upgrading CNFs Pods independently. The table below lists the Pods and their charts or subcharts:

Charts/Subcharts

Chart/Subchart	Pod	Containers
f5ingress	f5ingress	f5ingress and f5-license-helper
f5ingress	f5-tmm	f5-tmm and f5-debug-sidecar
f5-afm	f5-afm	f5-l4p-engine and f5-fluentbit
f5-ipsd	f5-ipds	f5-nsec-ips-daemon and f5-fluentbit
f5-stats_collector	otel-collector	opentelemetry-collector

TMM RollingUpdate

When upgrading CNFs installations with multiple f5-tmm replicas (Pods) running, CNFS uses the Kubernetes RollingUpdate feature; terminating and upgrading one f5-tmm Pod at a time, leaving the remaining f5-tmm replicas available to process application traffic.

Full upgrade

Use these steps to upgrade the BIG-IP Controller and all of the Pods listed in the Charts/Subcharts table above.

1. Change into the directory containing the latest CNFs Software, and list the f5ingress Helm chart:

   cd cnfinstall; ls -1 tar | grep f5ingress
   

   f5ingress-9.0.0.tgz
   

2. Obtain the Helm release name for the current CNFs installation:

   In this example, the Helm release is in the cnf-gateway namespace.

   helm list -n cnf-gateway
   

   In this example, the Helm release is using CHART version f5ingress-8.0.0.

   NAME        NAMESPACE     REVISION    STATUS     CHART
   f5ingress   cnf-gateway   1           deployed   f5ingress-8.0.0
   

3. Use the new Helm chart to upgrade the installation:

   helm upgrade f5ingress tar/f5ingress-<version>.tgz \
   -f <values>.yaml -n namespace
   

   In this example, the Pods will be upgraded using the f5ingress-9.0.0.tgz Helm chart.

   helm upgrade f5ingress tar/f5ingress-9.0.0.tgz \
   -f values.yaml -n cnf-gateway
   

4. Verify the Helm CHART and REVISION have incremented:

   helm list -n cnf-gateway
   

   In this example, the Helm CHART is now 9.0.0 and the REVISION is now 2.

   NAME         NAMESPACE      REVISION     STATUS     CHART
   f5ingress    cnf-gateway    2            deployed   f5ingress-9.0.0
   

5. Verify the Pods have a STATUS of Running:

   oc get pods -n cnf-gateway
   

   In this example, the upgraded Pods have a STATUS of Running.

   NAME                                   READY   STATUS
   f5-afm-54d66946cd-5dmvs                2/2     Running
   f5-ipsd-54df45c9cf-tmvqv               2/2     Running
   f5-tmm-6fbbbcfb8-8jvkh                 4/4     Running
   f5ingress-f5ingress-597894b455-4hglb   2/2     Running
   

Partial upgrade

The ability to perform parital, or single CNFs Pod upgrades is not yet supported.

CRDs

CRD upgrades should be performed after installing the latest BIG-IP Controller that came packaged with the CRD bundle. If the CRD bundle is newer than the BIG-IP Controller, it will not not recognize the newer CRD paramaters, and the expected configuration will not be applied to the Service Proxy TMM. Use these steps to upgrade the CRDs:

Full upgrade

Use these steps to upgrade all of the CNFs CRDs.

1. Change into the directory containing the latest CNFs Software, and list the CRD bundle:

   cd cnfinstall; ls -1 | grep crds
   

   f5-cnf-crds-n6lan-0.161.0-0.1.2.tgz
   

2. Extract the Helm subcharts from the f5ingress tarball:

   tar xvf f5-cnf-crds-n6lan-0.161.0-0.1.2.tgz
   

3. Install the CRDs:

   helm upgrade f5crds f5-cnf-crds-n6lan-0.161.0-0.1.2.tgz -n default
   

Partial upgrade

Use these steps to upgrade a single CNFs CRD.

1. Change into the directory containing the latest CNFs Software, and list the CRD bundle:

   cd cnfinstall; ls -1 | grep crds
   

   f5-cnf-crds-n6lan-0.161.0-0.1.2.tgz
   

2. Extract the Helm subcharts from the f5ingress tarball:

   tar xvf f5-cnf-crds-n6lan-0.161.0-0.1.2.tgz
   

3. Install a specific CRD:

   Note: In this example, only the f5-big-nat-policy.yaml CRD is upgraded.

   oc apply -f f5-cnf-crds-n6lan/crds/f5-big-nat-policy.yaml
   

dSSM database

To ensure there is no loss of data or downtime, the dSSM Databases should be upgraded using the Upgrading dSSM guide.

Fluentd logging

Use these steps to upgrade the Fluentd Logging collector.

1. Change into the directory containing the latest CNFs Software, and list the f5-fluentd Helm chart:

   cd cnfinstall; ls -1 tar | grep fluentd
   

   f5-toda-fluentd-1.5.0.tgz
   

2. Obtain the Helm release name for the current CNFs installation:

   helm list -n cnf-gateway
   

   In this example, the release name is f5-fluentd.

   NAME         NAMESPACE     REVISION    STATUS     CHART
   f5-fluentd   cnf-gateway   1           deployed   f5-toda-fluentd-1.0.0
   

3. Use the new Helm chart to upgrade the installation:

   helm upgrade f5-fluentd tar/f5-toda-fluentd-<version>.tgz \ 
   -f <values>.yaml -n cnf-gateway
   

   In this example, the Fluend Pod will be upgraded using the f5-toda-fluentd-1.5.0.tgz Helm chart.

   helm upgrade f5-fluentd tar/f5-toda-fluentd-1.5.0.tgz \
   -f fluentd-values.yaml -n cnf-gateway
   

4. Verify the Helm CHART and REVISION have both incremented:

   helm list -n cnf-gateway
   

   In this example, the Helm CHART is now 1.5.0 and the REVISION is now 2.

   NAME         NAMESPACE      REVISION    STATUS     CHART
   f5-fluentd   cnf-gateway    2           deployed   f5-toda-fluentd-1.5.0
   

5. Verify the Fluentd Pod is Running:

   oc get pods -n cnf-gateway | grep fluent
   

   In this example, the Fluentd Pod is Running.

   f5-toda-fluentd-5c4876d88f-99n94   1/1     Running
   

OpenShift Upgrade Compatibility Matrix

The table below lists the OpenShift upgrade compatibility matrix.

IMAGE	CNF v1.2.0	CNF v1.2.1	CNF v1.3.0
f5ingress	v0.434.1-0.0.92	v0.434.1-0.2.19	v0.480.0-0.1.30
f5-nsec-ips-daemon	v1.7.6-0.0.4	v1.7.6-0.0.7	v3.0.6
crd-conversion	v1.31.3-0.0.1	v1.31.3-0.0.3	v1.53.3
f5-downloader	v1.6.4	v1.6.4	v1.6.17
init-certmgr	v0.22.9-0.0.3	v0.22.9-0.0.3	v0.22.22-0.0.2
f5-cert-client	v2.3.4	v2.3.4	v2.3.8
crdupdater	v0.4.0-0.0.4	v0.4.0-0.0.4	v0.4.12
tmm-img	v0.893.0-0.0.21	v0.893.0-0.0.1.1	v0.950.0-0.1.0
f5-fluentd	v1.5.6	v1.5.6	v1.5.11
rabbit	v0.4.1	v0.4.1	v0.4.12
f5-license-helper	v0.10.0-0.0.2	v0.10.0-0.0.2	v0.11.0-0.0.1
f5-fluentbit	v0.8.1-0.0.4	v0.8.1-0.0.4	v0.8.8
spk-cwc	v0.30.3-0.0.8	v0.30.3-0.0.11	v0.32.6-0.0.2
f5-dssm-store	v1.25.18	v1.25.18	v1.26.6
tmrouted-img	v0.12.0	v0.12.0	v0.12.4
f5-l4p-engine	v1.100.27	v1.100.27	v1.100.30-0.0.2
f5-blobd	v0.12.3	v0.12.3	v0.12.10
f5dr-img-init	v0.10.9	v0.10.9	v0.12.4-0.0.3
f5dr-img	v0.10.9	v0.10.9	v0.12.4-0.0.3
f5-toda-tmstatsd	v1.9.9-0.0.1	v1.9.9-0.0.1	v1.9.28
f5-dssm-upgrader	1.2.4	1.2.4	v1.2.10
cert-manager-ctl	2.2.3	2.2.3	2.2.3
cert-manager-webhook	2.2.3	2.2.3	2.2.3
cert-manager-cainjector	2.2.3	2.2.3	2.2.3
cert-manager-controller	2.2.3	2.2.3	2.2.3
f5-debug-sidecar	v7.217.1	v7.217.1	v7.298.1-0.0.4
f5-csm-qkview	v26.18.1	v26.18.1	v27.2.10-0.1.0
opentelemetry-collector-contrib	0.75.0	0.75.0	0.75.0
f5ing-tmm-pod-manager	NA	NA	v0.17.18-0.0.2
f5-core-file-manager	NA	NA	v0.0.4
spk-csrc	NA	NA	v0.3.6

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.

Supplemental

• Helm package manager
• CNFs CRs.