BIG-IP Controller¶
Overview¶
The Cloud-Native Network Functions (CNFs) BIG-IP Controller, Edge Firewall, and Traffic Management Microkernel (TMM) Proxy Pods are the primary CNFs software components, and install together using Helm. Once integrated, Edge Firewall and the TMM Proxy Pods can be configured to process and protect high-performance 5G workloads using CNFs CRs.
This document guides you through creating the CNFs installation Helm values file, installing the Pods, and creating TMM’s clientside (upstream) and serverside (downstream) F5BigNetVlan interfaces.
Requirements¶
Ensure you have:
- Installed the CNFs Software.
- Installed the CNFs Cert Manager.
- Completed the CNFs Licensing.
- A Linux based workstation with Helm installed.
Procedures¶
Defining the Platform type¶
While deploying the cluster on the Robin platform, set
platformType
parameter torobin
in ingress-values.yaml values file.global: platformType: "robin"
Helm values¶
The CNFs Helm values file requires a number of custom parameter values to successfully integrate the CNFs software. Use the steps below to obtain important cluster configuration data, and configure the CNFs parameter values for a successful installation.
TMM values
Use these steps to enable and configure the TMM Proxy Helm values for your environment.
To enable the TMM Proxy Helm values and to ensure Helm can obtain the image from the local image registry, add the following Helm values::
f5-tmm: enabled: true tmm: image: repository: "local.registry.com"
CNFs relies on Kubernetes Topology Manager to dynamically allocate and properly align TMM’s CPU cores. Create a new Helm values file named ingress-values.yaml and add the
tmm.topologyManager
parameter:f5-tmm: tmm: topologyManager: "true"
Robin ip-pools provide information required to discover and order TMM’s SR-IOV network interface list. The interface numbers will be required later when configuring and installing the F5BigNetVlan Custom Resource (CR). Use the steps below to obtain the Robin ip-pool information:
A. To configure the
tmm.cniNetworks
parameter, obtain the Names of the clientside (upstream) and serverside (downstream) ip-pools:robin ip-pool list
In this example, the clientside ip-pool Name is e801-180 and the serverside ip-pool Name is e810-181:
Name | Driver | Network | VLAN -----------+--------+-------------------+------- e810-180 | sriov | 192.168.10.100/24 | - e810-181 | sriov | 10.10.10.100/24 | -
B. To configure the
tmm.customEnvVars
parameters, obtain the NIC Tags value for the clientside ip-pool:robin ip-pool info e810-180 | grep NIC
In this example, the NIC Tags value is p1p1:
NIC Tags: [{'name': 'p1p1'}]
C. Obtain the NIC Tags value for the serverside ip-pool:
robin ip-pool info e810-181 | grep NIC
In this example, the NIC Tags value is p1p2:
NIC Tags: [{'name': 'p1p2'}]
D. Use the ip-pool Name and NIC Tags values to create TMM’s interface list, using the BIG-IP Controller’s Helm values. The interface maximum transmission unit (MTU) size can also be set here:
In this example, TMM’s clientside interface is 1.1, and the serverside interface is 1.2:
f5-tmm: tmm: cniNetworks: '[{"ippool": "e810-180", "mtu": 9000}, {"ippool": "e810-181", "mtu": 9000}]' robinNetworks: "true" customEnvVars: - name: ROBIN_VFIO_RESOURCE_1 value: "P1P1_VFIOPCI" - name: ROBIN_VFIO_RESOURCE_2 value: "P1P2_VFIOPCI"
CNFs supports Ethernet frames over 1500 bytes (Jumbo frames), up to a maximum transmission unit (MTU) size of 9000 bytes. To modify the MTU size, adapt the
TMM_DEFAULT_MTU
parameter:Important: The same MTU value must be set in each of the installed F5BigNetVlan CRs. CNFs does not currently support different MTU sizes.
f5-tmm: tmm: customEnvVars: - name: TMM_DEFAULT_MTU value: "9000"
To use the Calico CNI, set the
TMM_CALICO_ROUTER
parameter. If the CNI relies on a router to perform proxy ARP, set theTMM_IGNORE_GATEWAYS
parameter to ensure TMM does not configure a default gateway:Important: Enabling
TMM_IGNORE_GATEWAYS
may cause cluster (Pod-to-Pod) traffic to fail. To set routes for specific cluster IPs, review Cluster Traffic in the F5BigNetStaticroute CR guide.f5-tmm: tmm: customEnvVars: - name: TMM_CALICO_ROUTER value: "default" - name: TMM_IGNORE_GATEWAYS value: "TRUE"
To advertise routing information between networks, or to scale TMM beyond a single instance, the f5-tmm-routing container must be enabled, and a Border Gateway Protocol (BGP) session must be established with an external neighbor. The parameters below configure an external BGP peering session:
Note: For additional BGP configuration parameters, refer to the BGP Overview guide.
f5-tmm: tmm: dynamicRouting: enabled: true exportZebosLogs: true tmmRouting: image: repository: "local.registry.com" config: bgp: asn: 123 neighbors: - ip: "192.168.10.200" asn: 456 acceptsIPv4: true tmrouted: image: repository: "local.registry.com"
Set the TMM default Gateway either using BGP or the F5BigNetStaticroute Custom Resource (CR) and perform the following:
a. Set the
add_k8s_routes
paramter to true.Sample configuration:
f5-tmm: tmm: add_k8s_routes: true
b. Provide RBAC user permissions for the
ClusterRole
orkubeadm-config
configmaps.Sample configuration:
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cr-f5-5gc-cgnat-{{.user}} # "namespace" omitted since ClusterRoles are not namespaced rules: apiGroups: - "" # "" indicates the core API group resources: - configmaps resourceNames: - kubeadm-config - tmm-k8s-routes-configmap-{{.ns}} verbs: - get - update - patch - list - watch
Important: If you enable the default gateway using either BGP or the F5BigNetStaticroute Custom Resource (CR) without enabling the
add_k8s_routes
paramter, pod-to-pod communication will fail.Be default, the TMM container uses the default Kubernetes
serviceAccount
. Use the parameter below to modify theserviceAccount
used by TMM:f5-tmm: tmm: serviceAccount: create: false name: tmm_sa
The Fluentd Logging collector is enabled by default, and requires setting the
f5-toda-logging.fluentd.host
parameter:A. When Fluentd is enabled, ensure the
fluentd.host
parameter targets the Fluentd Pod’s namespace:In this example, the host value includes the Fluentd Pod’s cnf-gateway namespace.
f5-tmm: f5-toda-logging: enabled: true fluentd: host: "f5-toda-fluentd.cnf-gateway.svc.cluster.local." sidecar: image: repository: "local.registry.com"
B. When Fluentd is disabled, set the
f5-toda-logging.enabled
parameter tofalse
:f5-tmm: f5-toda-logging: enabled: false
AFM values
Use these steps to enable and configure the Edge Firewall Helm values for your environment.
To enable the Edge Firewall feature, and to ensure Helm can obtain the image from the local image registry, add the following Helm values:
global: afm: enabled: true pccd: enabled: true f5-afm: enabled: true cert-orchestrator: enabled: true afm: pccd: enabled: true image: repository: "local.registry.com"
The Edge Firewall’s default firewall mode accepts all network packets not matching an F5BigFwPolicy firewall rule. You can modify this behavior using the F5BigContextGlobal Custom Resource (CR). For addition details about the default firewall mode and logging parameters, refer to the Firewall mode section of the F5BigFwPolicy overview:
The Fluentd Logging collector is enabled by default, and requires setting the
f5-toda-logging.fluentd.host
parameter. If you installed Fluentd, ensure thehost
parameter targets the Fluentd Pod’s namespace:In this example, the host value includes the Fluentd Pod’s cnf-gateway Namespace.
f5-afm: afm: fluentbit_sidecar: fluentd: host: 'f5-toda-fluentd.cnf-gateway.svc.cluster.local.' image: repository: "registry.com"
IPSD values
Use these steps to enable and configure the Intrusion Prevention System Helm values for your environment.
To enable the IPSD Pod, and to ensure Helm can obtain the image from the local image registry, add the following Helm values:
f5-ipsd: enabled: true ipsd: image: repository: "local.registry.com"
The Fluentd Logging collector is enabled by default, and requires setting the
f5-toda-logging.fluentd.host
parameter. If you installed Fluentd, ensure thehost
parameter targets the Fluentd Pod’s namespace:In this example, the host value includes the cnf-gateway Namespace.
f5-ipsd: ipsd: fluentbit_sidecar: fluentd: host: "f5-toda-fluentd.cnf-gateway.svc.cluster.local." image: repository: "local.registry.com"
Downloader values
Use these steps to enable and configure the Downloader Helm values for your environment.
To connect to the RabbitMQ open source message broker and ensure proper functioning of the downloader pod, enable the RabbitMQ namespace in the values.yaml file.
downloader: name: f5-downloader debug: false rabbitmqNamespace: "cnf-telemetry" storage: enabled: true storageClassName: standard access: ReadWriteOnce
To enable the Downloader Pod, and to ensure Helm can obtain the image from the local image registry, add the following Helm values:
f5-downloader: enabled: true downloader: image: repository: "local.registry.com"
The Fluentd Logging collector is enabled by default, and requires setting the
f5-toda-logging.fluentd.host
parameter. If Fluentd is installed, ensure that thehost
parameter targets the Fluentd Pod’s Namespace:In this example, the host value includes the cnf-gateway Namespace.
f5-downloader: downloader: fluentbit_sidecar: image: repository: "local.registry.com" fluentd: host: "f5-toda-fluentd.cnf-gateway.svc.cluster.local."
If CNF is deployed on a cluster with multiple worker nodes, it is recommended to set the downloader persistent storage access to
ReadWriteMany
. The storage class must supportReadWriteMany
storage.The following is an example for the values needed.
f5-downloader: enabled: true downloader: … storage: enabled: true access: ReadWriteMany storageClassName: robin-rwx
Note: Along with this pod, CRD updater sidecar will come up in BIG-IP Controller pod.
Controller values
Use these steps to configure the BIG-IP Controller Helm values for your environment.
To ensure Helm can obtain the image from the local image registry, add the following Helm values:
The example below also includes the CNFs CWC values.
controller: image: repository: "local.registry.com" f5_lic_helper: enabled: true rabbitmqNamespace: "cnf-telemetry" image: repository: "local.registry.com"
The Fluentd Logging collector is enabled by default, and requires setting the
f5-toda-logging.fluentd.host
parameter. If you installed Fluentd, ensure thehost
parameter targets the Fluentd Pod’s namespace:In this example, the host value includes the cnf-gateway Namespace.
controller: fluentbit_sidecar: fluentd: host: 'f5-toda-fluentd.cnf-gateway.svc.cluster.local.' image: repository: "local.registry.com"
Completed values
The completed Helm values file should appear similar to the following:
f5-tmm:
enabled: true
tmm:
image:
repository: "local.registry.com"
hugepages:
enabled: true
sessiondb:
useExternalStorage: "true"
topologyManager: true
cniNetworks: '[{"ippool": "e810-180", "mtu": 9000}, {"ippool": "e810-181", "mtu": 9000}]'
robinNetworks: "true"
customEnvVars:
- name: ROBIN_VFIO_RESOURCE_1
value: "P1P1_VFIOPCI"
- name: ROBIN_VFIO_RESOURCE_2
value: "P1P2_VFIOPCI"
- name: TMM_DEFAULT_MTU
value: "9000"
- name: TMM_IGNORE_GATEWAYS
value: "TRUE"
- name: TMM_CALICO_ROUTER
value: "default"
- name: SESSIONDB_DISCOVERY_SENTINEL
value: "true"
- name: SESSIONDB_EXTERNAL_SERVICE
value: "f5-dssm-sentinel.cnf-gateway"
- name: SSL_SERVERSIDE_STORE
value: "/tls/tmm/mds/clt"
- name: SSL_TRUSTED_CA_STORE
value: "/tls/tmm/mds/clt"
dynamicRouting:
enabled: true
exportZebosLogs: true
tmmRouting:
image:
repository: "local.registry.com"
config:
bgp:
asn: 123
neighbors:
- ip: "192.168.10.200"
asn: 456
acceptsIPv4: true
tmrouted:
image:
repository: "local.registry.com"
blobd:
image:
repository: "local.registry.com"
f5-toda-logging:
enabled: true
fluentd:
host: "f5-toda-fluentd.cnf-gateway.svc.cluster.local."
sidecar:
image:
repository: "local.registry.com"
debug:
enabled: true
rabbitmqNamespace: "cnf-telemetry"
image:
repository: "local.registry.com"
global:
afm:
enabled: true
pccd:
enabled: true
f5-afm:
enabled: true
cert-orchestrator:
enabled: true
afm:
pccd:
enabled: true
image:
repository: "local.registry.com"
fluentbit_sidecar:
fluentd:
host: 'f5-toda-fluentd.cnf-gateway.svc.cluster.local.'
image:
repository: "local.registry.com"
f5-ipsd:
enabled: true
ipsd:
image:
repository: "local.registry.com"
fluentbit_sidecar:
fluentd:
host: 'f5-toda-fluentd.cnf-gateway.svc.cluster.local.'
image:
repository: "local.registry.com"
controller:
image:
repository: "local.registry.com"
f5_lic_helper:
enabled: true
rabbitmqNamespace: "cnf-telemetry"
image:
repository: "local.registry.com"
fluentbit_sidecar:
enabled: true
image:
repository: "local.registry.com"
fluentd:
host: 'f5-toda-fluentd.cnf-gateway.svc.cluster.local.'
Installation¶
Change into the directory containing the latest CNFs Software, and obtain the f5ingress Helm chart version:
In this example, the CNF files are in the cnfinstall directory:
cd cnfinstall
ls -1 tar | grep f5ingress
The example output should appear similar to the following:
f5ingress-v0.480.0-0.1.52.tgz
If you haven’t already, create a new namespace for the CNFs Pods using the following command syntax:
kubectl create ns <namespace>
For example:
kubectl create ns cnf-gateway
Install the BIG-IP Controller using the following command syntax:
helm install f5ingress tar/<helm chart> \ -f <values file> -n <namespace>
For example:
helm install f5ingress tar/f5ingress-v0.480.0-0.1.52.tgz \ -f ingress-values.yaml -n cnf-gateway
Verify the Pods have installed successfully, and all containers are Running:
kubectl get pods -n cnf-gateway
In this example, all containers have a STATUS of Running as expected:
NAME READY STATUS f5-afm-5bb5cd989b-b8qpf 2/2 Running f5-ingress-f5ingress-7965947785-b8f5c 2/2 Running f5-ipsd-74f5754b5d-kjzft 1/1 Running f5-tmm-576df78f88-mpzbq 4/4 Running
Verify the f5ingress Pod has successfully licensed:
kubectl logs f5ingress-f5ingress-7965947785-b8f5c -c f5-lic-helper \ -n cnf-gateway | grep -i LicenseVerified
In this example, the f5ingress Pod’s f5-lic-helper indicates Entitlement: paid.
2023-02-03 22:00:44.221|A|informational|1|Message="Payload type: ResponseCM20LicenseVerified Entitlement: paid Expiry Date: 2024-01-29T00:01:03Z"
Interfaces¶
The F5BigNetVlan Custom Resource (CR) applies TMM’s interface configuration; IP addresses, VLAN tags, MTU, etc. Use the steps below to configure and install clientside and serverside F5BigNetVlan CRs:
Configure external and internal F5BigNetVlan CRs. You can place both of the example CRs into a single YAML file:
Important: Set the
cmp_hash
parameter values to SRC_ADDR on the clientside (upstream) VLAN, and DST_ADDR on the serverside (downstream) VLAN.apiVersion: "k8s.f5net.com/v1" kind: F5BigNetVlan metadata: name: "subscriber-vlan" namespace: "cnf-gateway" spec: name: clientside interfaces: - "1.1" selfip_v4s: - 10.10.10.100 - 10.10.10.101 prefixlen_v4: 24 selfip_v6s: - 2002::10:10:10:100 - 2002::10:10:10:101 prefixlen_v6: 116 mtu: 9000 cmp_hash: SRC_ADDR --- apiVersion: "k8s.f5net.com/v1" kind: F5BigNetVlan metadata: name: "application-vlan" namespace: "cnf-gateway" spec: name: serverside interfaces: - "1.2" selfip_v4s: - 192.168.10.100 - 192.168.10.101 prefixlen_v4: 24 selfip_v6s: - 2002::192:168:10:100 - 2002::192:168:10:101 prefixlen_v6: 116 mtu: 9000 cmp_hash: DST_ADDR
Install the VLAN CRs:
kubectl apply -f cnf_vlans.yaml
List the VLAN CRs:
kubectl get f5-big-net-vlan -n cnf-gateway
In this example, the VLAN CRs are installed:
NAME vlan-client vlan-server
If the Debug Sidecar is enabled (the default), you can verify the f5-tmm container’s interface configuration:
kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- ip a
The interfaces should appear at the bottom of the list:
8: clientside: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 inet 10.10.10.100/24 brd 192.168.10.0 scope global client valid_lft forever preferred_lft forever inet6 2002::192:168:10:100/112 scope global valid_lft forever preferred_lft forever 9: serverside: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 link/ether 1e:80:c1:e8:81:15 brd ff:ff:ff:ff:ff:ff inet 192.168.10.100/24 brd 10.10.10.0 scope global server valid_lft forever preferred_lft forever inet6 2002::10:10:10:100/112 scope global valid_lft forever preferred_lft forever
Uninstallation¶
The following steps are mandatory for cleaning up product installations:
Delete all configured CRs:
kubectl delete -f <cr-file> -n <*namespace>
For example:
kubectl delete -f cnf_vlans.yaml -n cnf-gateway
Uninstall the product:
helm uninstall <helm-installation-name> -n <*namespace>
For example:
helm uninstall f5ingress -n cnf-gateway
Note: In the above commands, the namespace can be either tmmNamespace
or watchNamespace
.
Important: If the above order is missed, then below script can be used to clean up finalizers from CR’s and proceed with uninstallation of product and namespace.
#!/bin/sh
if [ $# -ne 1 ] ; then
echo "Invalid Arguments, provide namespace as argument"
exit 1
fi
echo "This will remove finalizers of all usecase CRs of namespace $1"
crs=$(kubectl api-resources --namespaced=true --verbs=list -o name | egrep 'f5-big|f5-cnf' | xargs -n 1 kubectl get --show-kind --ignore-not-found -n $1 | grep f5 | cut -d ' ' -f 1)
for cr in $crs; do
result=$(kubectl -n $1 patch $cr -p '{"metadata":{"finalizers":[]}}' --type=merge)
echo $result
done
echo ""
echo "Removed finalizers of all CRs of namespace $1"
For more details, refer to the Finalizers section in the CNF CRs guide.
Feedback¶
Provide feedback to improve this document by emailing cnfdocs@f5.com.