F5 Cloud-Native Network Functions (CNFs) for OpenShift - 1.1.0
- The Edge Firewall (AFM), Intrusion Prevention System (IPSd), and Otel Collector Pods now install using separate Helm Sub-Charts. This is the first step in an effort to enable single Pod upgrades; however, it requires modifications to your existing BIG-IP Controller Helm values file. Refer to the BIG-IP Controller guide for the full set of installation instructions.
- REDIS_AUTH_KEY Helm values used to reference dSSM Secrets have been replaced by the SSL_TRUSTED_CA_STORE parameters. Refer to the dSSM Database guide for installation instructions.
New Features and Improvements
- The CNFs CWC (Cluster Wide Controller) introduces F5’s flexible consumption software licensing model, billing monthly only for the software features used.
- The CNFs Cert Manager auto-generates and rotates the SSL/TLS certificates (Secrets) used to secure CNFs Pod-to-Pod communication. Cert Manager replaces the manual CNFs Secret installation procedures required in previous releases.
- The Edge Firewall’s default firewall mode is now managed using the F5BigContextGlobal Custom Resource (CR), enabling configurations to be applied after the BIG-IP Controller has been installed.
- The CNFs CWC supports the debug API, enabling diagnostic commands on any targeted TMMs from a local desktop. Refer to the Debug API overview.
- The f5-tmm-routing container can now load native ZebOS.conf files, enabling BGP configuration changes while the container is running. For more info, refer to the ZebOS ConfigMaps How-to.
- Early access (EA): The QKView utility can be run on a local workstation to collect diagnostic data, and the diagnostic file can be uploaded to F5’s iHealth website for analysis. Refer to the QKView and iHealth overview.
- The configview utility replaces the configviewer utility, displaying Custom Resource (CR) objects by their logged UUIDs. Refer to the Debug sidecar overview.
- CNFs CRs now provide installation status messages when viewing the installed CR with oc get. Refer to the Installation status section of the CNFs CRs overview.
TMM Proxy Pods now always receive self-IP addresses when the F5BigNetVlan CR allocates the same number of self-IPs as running TMM Proxy Pods.
When multiple TMMs are running in a single Namespace, the IP addresses allocated by the F5BigNatPolicy are not reclaimed and reallocated after scaling the TMM deployment down and back up. Client connections may fail due to NAT IP address exhaustion.
Workaround: Delete and reinstall the F5BigNatPolicy CR.
The TMM Proxy Pod is unable to process large files (~1GB) using the F5BigAlgPptp Custom Resource (CR).
Workaround: Set the PPTP client interface MTU to a value of 1450 or less.
ip link set dev ppp0 mtu 1450
For assistance with software upgrades, refer to the Upgrading CNFs overview.
Continue to the Cluster Requirements guide to ensure the cluster has the required software components.