CNFs Software

Overview

The Cloud-Native Network Functions (CNFs) custom resource definitions (CRDs), software images and installation Helm charts are provided in a single TAR file. A CNFs public signing key, and two signature files are also provided to validate the TAR file’s integrity. Once validated and extracted, the software images can be uploaded to a local container registry, and integrated into the cluster using the CNFs Helm charts. Finally, the CNFs CRDs will be installed into the cluster.

This document describes the CNFs software, and guides you through validating, extracting and installing the CNF software components.

Software images

The table below lists and describes the software images for this software release. For a full list of software images by release, refer to the Software Releases guide.

_images/spk_info.png Note: The software image name and deployed container name may differ.

Image Version Description
f5ingress v0.480.0-0.1.52 The helm_release-f5ingress container is a custom CNF controller that watches the K8S API for CR updates, and configures either AFM or TMM based on the update.
f5ing-tmm-pod-manager v0.17.18-0.0.2 The tmm-pod-manager container is a part of f5ingress pod, which is mainly responsible for watching TMM pod events and propagating the TMM pod information to f5ingress main container and other control plane pods. These pods push configurations to TMM pods.
f5-core-file-manager v0.0.4 Runs as a daemonset in every node of the deployed cluster. Responsible for monitoring and detecting the core files of CNF subsystem, adding metadata to the CNF core files and moving them to a CNF controlled Persistence Storage.
spk-csrc v0.3.6 The spk-csrc containers (daemon-set) used to support the Calico Egress GW feature.
tmm-img v0.950.0-0.1.1 The f5-tmm container is a Traffic Management Microkernel (TMM) instance that proxies and load balances application traffic between the external and internal networks.
f5-l4p-engine v1.100.30-0.0.4 The f5-afm-pccd container is an Application Firewall Manager (AFM) instance that converts firewall rules and NAT policies into the binary large objects (BLOBs) used by TMM.
f5-nsec-ips-daemon v3.0.6 The f5-ipsd container is the intrusion detection and prevention instance, providing deep packet inspection and prevention of malignant network packets.
tmrouted-img v0.12.4 The f5-tmm-tmrouted container proxies and forwards information between the f5-tmm-routing and f5-tmm containers.
f5dr-img v0.12.4-0.0.3 The f5-tmm-routing container maintains the dynamic routing tables used by TMM.
f5-toda-tmstatsd v1.9.28 The f5-toda-stats container collects application traffic processing statistics from the f5-tmm container, and forwards the data to the Otel Collectors.
f5-dssm-store v1.26.6 Contains two sets of software images; The f5-dssm-db containers that store shared, persisted session state data, and the f5-dssm-sentinel containers to monitor the f5-dssm-db containers. For more info, refer to dSSM database.
spk-cwc v0.32.6-0.0.2 The cnf-cwc container enables software licensing, and reports telemetry statistics regarding monthly software usage. Refer to CNFs CWC.
f5-license-helper v0.11.0-0.0.2 The f5-lic-helper communicates with the spk-cwc to determine the current license status of the cluster.
rabbit v0.4.12 The rabbitmq-server container as a general message bus, integrating CNFs CWC with the BIG-IP Controller Pod(s) for licensing purposes.
cert-manager-controller 2.2.3 The cert-manager-controller manages the generation and rotation of the SSL/TLS certificate that are stored as Secrets, to secure communication between the various CNFs Pods.
cert-manager-cainjector 2.2.3 The cert-manager-cainjector assists the cert-manager-controller to configure the CA certificates used by the cert-manager-webhook and K8S API.
cert-manager-webhook 2.2.3 The cert-manager-webhook ensures that SSL/TLS certificate resources created or updated by the cert-manager-contoller conform to the API specifications.
f5-debug-sidecar v7.298.1-0.0.4 The debug container provides diagnostic tools for viewing TMM's configuration, traffic processing statistics and gathering TMM diagnostic data. For more info, refer to Debug Sidecar.
f5-fluentbit v0.8.8 The fluentbit container collects and forwards statistics to the f5-fluentd container. Multiple versions are included to support the different CNFs containers.
f5-fluentd v1.5.11 The f5-fluentd container collects statistics and logging data from the Controller, TMM and dSSM Pods. For more info, refer to Fluentd Logging.
opentelemetry-collecto-contib 0.75.0 The otel-collector container gathers metrics and statistics from the TMM Pods. Refer to OTEL Collector.
f5-dssm-upgrader 1.2.10 The dssm-upgrade-hook enables dSSM DBs upgrades without service interruption or data loss. Refer to Upgrading dSSM.
f5-csm-qkview v27.2.10-0.1.0 The f5-csm-qkview includes the qkview-orchestrator service, which manages requests from CWC to create or download qkview tar files. It communicates with qkview-collect, initiating the process of generating and downloading qkview tar files from containers within a designated namespace.
f5-cert-client v2.3.8 The f5-cert-client container provides an interface for CNF components to request certificates from f5-cert-manager. Additionally, f5-cert-client can provide certificate rotation functionality for those CNF components.
crd-conversion v1.53.3 The f5-crd-conversion container handles the automatic conversion of multiple CRD versions based on the specified namespace and version in the cluser, without affecting existing CRs.
f5-downloader v1.6.17 The f5-downloader pod is used for upgrading IM package for IPS feature. Enums of IPS CRD will be upgraded using this pod.
f5-blobd v0.12.10 The f5-blobd container allows loading binary large objects (BLOBs) into the TMM memory. It is required for AFM use-cases, like firewall and NAT.
f5nxtctl 0.1.19 The f5nxtctl is a BIGIP Next Control command line tool used to abstract and automate the installation and veritfication of f5 components and specific sevices in a short amount of time.

Requirements

Ensure you have:

  • Obtained the CNF software tarball.
  • A local container registry.
  • A workstation with Podman.

Procedures

Validate and extract

Use the following steps to validate the CNFs tarball, extract the software images, installation Helm charts, and CRDs.

  1. Create a new directory for the CNFs files:

    mkdir <directory>
    

    In this example, the new directory is named cnfinstall:

    mkdir cnfinstall
    
  2. Move the CNFs files into the directory:

    mv f5-cnf-tarball* f5-cnf-1.3.1.pem cnfinstall
    
  3. Change into the directory and list the files:

    cd cnfinstall; ls -1
    

    The files appear as:

    f5-cnf-1.3.1.pem
    f5-cnf-1.3.1.tgz
    f5-cnf-sha512.txt-1.3.1.sha512.sig
    f5-cnf.tgz-1.3.1.sha512.sig
    
  4. Use the PEM signing key and each SHA signature file to validate the CNFs TAR file:

    openssl dgst -verify <pem file>.pem -keyform PEM \
    -sha512 -signature <sig file>.sig <tar file>.tgz
    

    The command output states Verified OK for each signature file:

    openssl dgst -verify f5-cnf-1.3.1.pem -keyform PEM -sha512 \
    -signature f5-cnf.tgz-1.3.1.sha512.sig f5-cnf-1.3.1.tgz
    
    Verified OK
    
    openssl dgst -verify f5-cnf-1.3.1.pem -keyform PEM -sha512 \
    -signature f5-cnf--sha512.txt-1.3.1.sha512.sig f5-cnf-1.3.1.tgz
    
    Verified OK
    
  5. Extract the CNFs images, Helm charts, and CRDs from the TAR file:

    tar xvf f5-cnf-1.3.1.tgz
    
  6. List the newly extracted files:

    ls -1
    

    The file list shows the CRD bundless and the CNF image TAR file named f5-cnf-images-1.3.1.tgz:

    f5-cnf-crds-n6lan-0.161.0-0.1.2.tgz
    f5-cnf-images-1.3.1.tgz
    f5-cnf-1.3.1.tgz
    
  7. Extract the CNF Helm charts and software images:

    tar xvf f5-cnf-images-1.3.1.tgz
    
  8. List the extracted Helm charts and software images:

    ls -1R
    

    The file list shows a new tar directory with the following files:

    f5-cnf-crds-n6lan-0.161.0-0.1.2.tgz
    f5-cnf-images-1.3.1.tgz
    f5-cnf-1.3.1.tgz
    tar
    
    ./tar:   
    cnf-docker-images.tgz
    core-file-manager-0.0.8.tgz
    csrc-0.5.2-0.0.2.tgz
    cwc-0.14.15-0.0.8.tgz
    f5-cert-gen-0.9.2.tgz
    f5-cert-manager-0.22.22-0.0.4.tgz
    f5-crdconversion-0.9.4-0.0.3.tgz
    f5-dssm-0.67.7-0.0.4.tgz
    f5-toda-fluentd-1.23.36-0.0.1.tgz
    f5ingress-v0.480.0-0.1.52.tgz
    f5nxtctl-0.1.19.tgz
    rabbitmq-0.2.8-0.0.3.tgz
    

Install CRDs

Use the following steps to extract and install the new CNF CRDs.

  1. List the CNF CRD bundle:

    ls -1 | grep crd
    

    The file list shows CRD bundle:

    f5-cnf-crds-n6lan-0.161.0-0.1.2.tgz
    
  2. Install the CRD Conversion pod with latest version using Helm install:

    helm install f5-crd-conversion --version 0.9.4-0.0.3 -n cnf-crdconversion f5ingress-dev/f5-crdconversion -f crd-conversion-values.yaml  
    
  3. Verify the STATUS of the CRD Conversion pod:

    In this example, CRD Conversion Pod is installed in the cnf-crdconversion Project.

    oc get pod -n cnf-crdconversion 
    

    As we can see CRD Conversion pod is created.

    NAME                                  READY      STATUS       RESTARTS      AGE
    f5-crd-conversion-8478b9y96-asfd1     1/1        Running      0             30s
    
  4. Install the CRD using Helm install:

    helm install f5crds f5-cnf-crds-n6lan-0.161.0-0.1.2.tgz -f crd-values.yaml 
    

    Example: crd-values.yaml file (We only need to use this namespace parameter when CRD Conversion is deployed in a non-default namespace. The value of the namespace parameter should match the namespace in which CRD Conversion is deployed.)

    conversion:
       namespace: cnf-crdconversion 
    

    Note the command output: Newly installed CRDs will be indicated by created, and updated CRDs will be indicated by configured:

    customresourcedefinition.apiextensions.k8s.io/f5-big-alg-ftps.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-alg-pptps.k8s.f5net.com configured
    customresourcedefinition.apiextensions.k8s.io/f5-big-alg-rtsps.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-alg-tftps.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-cne-addresslists.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-cne-datagroups.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-cne-portlists.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-cne-snatpools.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-context-globals.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-context-secures.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-ddos-policies.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-dns-apps.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-dns-caches.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-fastl4-settings.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-fw-policies.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-ips-policies.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-log-hslpubs.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-log-profiles.k8s.f5net.com configured
    customresourcedefinition.apiextensions.k8s.io/f5-big-nat-policies.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-net-staticroutes.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-net-vlans.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-tcp-settings.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-udp-settings.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-zerorating-policies.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-certificaterequests.cm.f5co.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-certificates.cm.f5co.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-challenges.acme.cm.f5co.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-clusterissuers.cm.f5co.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-issuers.cm.f5co.k8s.f5net.com unchanged
    customresourcedefinition.apiextensions.k8s.io/f5-big-orders.acme.cm.f5co.k8s.f5net.com unchanged
    
  5. List the installed CNFs CRDs:

    oc get crds | grep f5
    

    The CRD listing will contain the full list of CRDs:

    certificaterequests.cm.f5co.k8s.f5net.com                         2024-01-24T19:03:03Z
    certificates.cm.f5co.k8s.f5net.com                                2024-01-24T19:03:03Z
    challenges.acme.cm.f5co.k8s.f5net.com                             2024-01-24T19:03:03Z
    clusterissuers.cm.f5co.k8s.f5net.com                              2024-01-24T19:03:03Z
    f5-big-alg-ftps.k8s.f5net.com                                     2024-01-24T19:03:03Z
    f5-big-alg-pptps.k8s.f5net.com                                    2024-01-24T19:03:03Z 
    f5-big-alg-rtsps.k8s.f5net.com                                    2024-01-24T19:03:03Z
    f5-big-alg-tftps.k8s.f5net.com                                    2024-01-24T19:03:03Z
    f5-big-cne-addresslists.k8s.f5net.com                             2024-01-24T19:03:03Z
    f5-big-cne-datagroups.k8s.f5net.com                               2024-01-24T19:03:03Z
    f5-big-cne-downloaders.k8s.f5net.com                              2024-01-24T19:03:03Z
    f5-big-cne-portlists.k8s.f5net.com                                2024-01-24T19:03:03Z
    f5-big-cne-snatpools.k8s.f5net.com                                2024-01-24T19:03:03Z
    f5-big-context-globals.k8s.f5net.com                              2024-01-24T19:03:03Z
    f5-big-context-secures.k8s.f5net.com                              2024-01-24T19:03:03Z
    f5-big-ddos-globals.k8s.f5net.com                                 2024-01-24T19:03:03Z
    f5-big-ddos-profiles.k8s.f5net.com                                2024-01-24T19:03:03Z
    f5-big-dns-apps.k8s.f5net.com                                     2024-01-24T19:03:03Z
    f5-big-dns-caches.k8s.f5net.com                                   2024-01-24T19:03:03Z
    f5-big-fastl4-settings.k8s.f5net.com                              2024-01-24T19:03:03Z
    f5-big-fw-policies.k8s.f5net.com                                  2024-01-24T19:03:03Z
    f5-big-fw-rulelists.k8s.f5net.com                                 2024-01-24T19:03:03Z
    f5-big-ips-policies.k8s.f5net.com                                 2024-01-24T19:03:03Z
    f5-big-log-hslpubs.k8s.f5net.com                                  2024-01-24T19:03:03Z
    f5-big-log-profiles.k8s.f5net.com                                 2024-01-24T19:03:03Z
    f5-big-nat-policies.k8s.f5net.com                                 2024-01-24T19:03:03Z
    f5-big-net-staticroutes.k8s.f5net.com                             2024-01-24T19:03:03Z
    f5-big-net-vlans.k8s.f5net.com                                    2024-01-24T19:03:03Z
    f5-big-tcp-settings.k8s.f5net.com                                 2024-01-24T19:03:03Z
    f5-big-udp-settings.k8s.f5net.com                                 2024-01-24T19:03:03Z
    f5-big-zerorating-policies.k8s.f5net.com                          2024-01-24T19:03:03Z
    issuers.cm.f5co.k8s.f5net.com                                     2024-01-24T19:03:03Z
    orders.acme.cm.f5co.k8s.f5net.com                                 2024-01-24T19:03:03Z   
    

Upload the images

Use the following steps to upload the CNFs software images to a local container registry.

  1. Install the CNFs images to your workstation’s Podman image store:

    podman load -i tar/cnf-docker-images.tgz
    
  2. List the CNF images to be tagged and pushed to the local container registry in the next step:

    podman images --format "table {{.Repository}} {{.Tag}} {{.ID}}"
    
    REPOSITORY                                    TAG                  IMAGE ID
    local.registry/f5ingress                      v0.480.0-0.1.52      fbb88c7f3233 
    local.registry/f5dr-img-init                  v0.12.4-0.0.3        ba4a9b7b6e8b
    local.registry/f5dr-img                       v0.12.4-0.0.3        a2d494b999ab
    local.registry/tmm-img                        v0.950.0-0.1.1       ad7b8eb385d3
    local.registry/f5-debug-sidecar               v7.298.1-0.0.4       ff47c77dbc98
    local.registry/spk-cwc                        v0.32.6-0.0.2        1b88e66689c9
    local.registry/rabbit                         v0.4.12              4fc710b2ff4a
    local.registry/f5-dssm-upgrader               1.2.10               b2f423831715
    local.registry/f5-toda-tmstatsd               v1.9.28              0ab667bee20e 
    local.registry/f5-fluentbit                   v0.8.8               6609127c909c
    local.registry/f5-license-helper              v0.11.0-0.0.2        501aa8e8686b
    local.registry/f5-dssm-store                  v1.26.6              fa2af62e5100 
    local.registry/f5-l4p-engine                  v1.100.30-0.0.4      5466e1ca72b5
    local.registry/f5-nsec-ips-daemon             v3.0.6               59a3a280db9c
    local.registry/f5-fluentd                     v1.5.11              9687c7b2c5ba
    local.registry/tmrouted-img                   v0.12.4              0c66111f5aa0
    local.registry/cert-manager-ctl               2.2.3                48f768b562b4
    local.registry/cert-manager-webhook           2.2.3                edec31deeece
    local.registry/cert-manager-cainjector        2.2.3                100c82bbf515
    local.registry/cert-manager-controller        2.2.3                86b90770dd0b
    local.registry/opentelemetry-collecto-contib  0.75.0               00fe8f105583
    local.registry/f5-csm-qkview                  v27.2.10-0.1.0       66d8e1a71c7c
    local.registry/crdupdater                     v0.4.12              fab96c54d69c
    local.registry/f5-downloader                  v1.6.17              61a9e3ca4100
    local.registry/init-certmgr                   v0.22.22-0.0.4       04cb2b5c952c
    local.registry/f5-cert-client                 v2.3.8               f41e350817e9
    local.registry/f5-blobd                       v0.12.10             378d687d8517 
    local.registry/crd-conversion                 v1.53.3              1518b0cc6ca5
    local.registry/f5ing-tmm-pod-manager          v0.17.18-0.0.4       795ff6a43525
    local.registry/spk-csrc                       v0.3.6               572de96b7cc3
    local.registry/f5-core-file-manager           v0.0.4               90fa31135ca9   
    
  3. Tag and push each image to the local container registry. For example:

    podman tag <local.registry/image name>:<version> <registry>/<image name>:<version>
    
    podman push <registry_name>/<image name>:<version>
    

    In this example, the f5ingress:v0.480.0-0.1.30 image is tagged and pushed to the remote registry registry.com:

    podman tag local.registry/f5ingress:v0.480.0-0.1.52 registry.com/f5ingress:v0.480.0-0.1.52
    
    podman push registry.com/f5ingress:v0.480.0-0.1.52
    

    _images/spk_info.png Note: If you encounter the “insufficient UIDs or GIDs available in user namespace” error while pushing the Docker image, kindly use the following command:

    A. If you are pushing an image, use this command:

    podman --storage-opt overlay.ignore_chown_errors=true push <registry>/<image name>:<version>
    

    Example:

    podman --storage-opt overlay.ignore_chown_errors=true push artifactory.f5net.com/f5-mbip-docker/f5-nsec-ips-daemon:v3.0.6
    

    B. If you still encounter the error while pushing the image, increase the subuids and subgids range to larger values. Make sure the subuids and subgids fit within the required range.

    Example:

    sudo usermod --add-subuids 200000-2010000000 <USERNAME> 
    
    sudo usermod --add-subgids 200000-2010000000 <USERNAME> 
    
  4. Once all of the images have uploaded, verify the images exist in the local container registry:

    curl -X GET https://<registry>/v2/_catalog -u <user:pass>
    

    For example:

    curl -X GET https://registry.com/v2/_catalog -u cnfadmin:cnfadmin
    
    "repositories":["f5-debug-sidecar","f5-dssm-store","f5-fluentbit","f5-fluentd","f5-toda-tmstatsd","f5dr-img","f5ingress","tmm-img","tmrouted-img"]}
    

Next step

Continue to the CNFs Cert Manager guide to secure CNFs communications.

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.

Supplemental