BIG-IP Controller

Overview

The Cloud-Native Network Functions (CNFs) BIG-IP Controller, Edge Firewall, and Traffic Management Microkernel (TMM) Proxy Pods are the primary CNFs software components, and install together using Helm. Once integrated, Edge Firewall and the TMM Proxy Pods can be configured to process and protect high-performance 5G workloads using CNFs CRs.

This document guides you through creating the CNFs installation Helm values file, installing the Pods, and creating TMM’s clientside (upstream) and serverside (downstream) F5BigNetVlan interfaces.

Requirements

Ensure you have:

Procedures

Defining the Platform type

  • While deploying the cluster on the Robin platform, set platformType parameter to robin in ingress-values.yaml values file.

     global: 
       platformType: "robin"   
    

Helm values

The CNFs Helm values file requires a number of custom parameter values to successfully integrate the CNFs software. Use the steps below to obtain important cluster configuration data, and configure the CNFs parameter values for a successful installation.

TMM values

Use these steps to enable and configure the TMM Proxy Helm values for your environment.

  1. To enable the TMM Proxy Helm values and to ensure Helm can obtain the image from the local image registry, add the following Helm values::

     f5-tmm:
       enabled: true 
       tmm:
         image:
           repository: "local.registry.com"
    
  2. CNFs relies on Kubernetes Topology Manager to dynamically allocate and properly align TMM’s CPU cores. Create a new Helm values file named ingress-values.yaml and add the tmm.topologyManager parameter:

     f5-tmm:
       tmm:
         topologyManager: "true"
    
  3. Robin ip-pools provide information required to discover and order TMM’s SR-IOV network interface list. The interface numbers will be required later when configuring and installing the F5BigNetVlan Custom Resource (CR). Use the steps below to obtain the Robin ip-pool information:

    A. To configure the tmm.cniNetworks parameter, obtain the Names of the clientside (upstream) and serverside (downstream) ip-pools:

    robin ip-pool list
    

    In this example, the clientside ip-pool Name is e801-180 and the serverside ip-pool Name is e810-181:

    Name       | Driver | Network           | VLAN 
    -----------+--------+-------------------+-------
    e810-180   | sriov  | 192.168.10.100/24 | -    
    e810-181   | sriov  | 10.10.10.100/24   | -   
    

    B. To configure the tmm.customEnvVars parameters, obtain the NIC Tags value for the clientside ip-pool:

    robin ip-pool info e810-180 | grep NIC
    

    In this example, the NIC Tags value is p1p1:

    NIC Tags: [{'name': 'p1p1'}]
    

    C. Obtain the NIC Tags value for the serverside ip-pool:

    robin ip-pool info e810-181 | grep NIC
    

    In this example, the NIC Tags value is p1p2:

    NIC Tags: [{'name': 'p1p2'}]
    

    D. Use the ip-pool Name and NIC Tags values to create TMM’s interface list, using the BIG-IP Controller’s Helm values. The interface maximum transmission unit (MTU) size can also be set here:

    In this example, TMM’s clientside interface is 1.1, and the serverside interface is 1.2:

     f5-tmm:
       tmm:
         cniNetworks: '[{"ippool": "e810-180", "mtu": 9000}, {"ippool": "e810-181", "mtu": 9000}]'
         robinNetworks: "true"
         customEnvVars:
           - name: ROBIN_VFIO_RESOURCE_1
             value: "P1P1_VFIOPCI"
           - name: ROBIN_VFIO_RESOURCE_2
             value: "P1P2_VFIOPCI"
    
  4. CNFs supports Ethernet frames over 1500 bytes (Jumbo frames), up to a maximum transmission unit (MTU) size of 9000 bytes. To modify the MTU size, adapt the TMM_DEFAULT_MTU parameter:

    _images/spk_warn.png Important: The same MTU value must be set in each of the installed F5BigNetVlan CRs. CNFs does not currently support different MTU sizes.

     f5-tmm:
       tmm:
         customEnvVars:
         - name: TMM_DEFAULT_MTU
           value: "9000"
    
  5. To use the Calico CNI, set the TMM_CALICO_ROUTER parameter. If the CNI relies on a router to perform proxy ARP, set the TMM_IGNORE_GATEWAYS parameter to ensure TMM does not configure a default gateway:

    _images/spk_warn.png Important: Enabling TMM_IGNORE_GATEWAYS may cause cluster (Pod-to-Pod) traffic to fail. To set routes for specific cluster IPs, review Cluster Traffic in the F5BigNetStaticroute CR guide.

     f5-tmm:
       tmm:
         customEnvVars:
         - name: TMM_CALICO_ROUTER
           value: "default"
         - name: TMM_IGNORE_GATEWAYS
           value: "TRUE"
         - name: TMM_MAPRES_HUGEPAGES
           value: "12288"
    
  6. To advertise routing information between networks, or to scale TMM beyond a single instance, the f5-tmm-routing container must be enabled, and a Border Gateway Protocol (BGP) session must be established with an external neighbor. The parameters below configure an external BGP peering session:

    _images/spk_info.png Note: For additional BGP configuration parameters, refer to the BGP Overview guide.

     f5-tmm:
       tmm:
         dynamicRouting:
           enabled: true
           exportZebosLogs: true
           tmmRouting:
             image:
               repository: "local.registry.com"
            resources:
              limits:
                cpu: "700m"
                memory: "1Gi"
              requests:
                cpu: "700m"
                memory: "1Gi"              
             config:
               bgp:
                 asn: 123
                 neighbors:
                   - ip: "192.168.10.200"
                     asn: 456
                     acceptsIPv4: true
    
           tmrouted:
             image:
               repository: "local.registry.com"
             resources:
               limits:
                 cpu: "300m"
                 memory: "512Mi"
               requests:
                 cpu: "300m"
                 memory: "512Mi"               
    
  7. Set the TMM default gateway either using BGP or the F5BigNetStaticroute Custom Resource (CR) and perform the following:

    a. Set the add_k8s_routes paramter to true.

    Sample configuration:

    f5-tmm:
      tmm:
        add_k8s_routes: true
    

    b. Provide RBAC user permissions for the ClusterRole or kubeadm-config configmaps.

    Sample configuration:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cr-f5-5gc-cgnat-{{.user}}
      # "namespace" omitted since ClusterRoles are not namespaced
    rules:
    apiGroups:
      - "" # "" indicates the core API group
      resources:
      - configmaps
      resourceNames:
      - kubeadm-config
      - tmm-k8s-routes-configmap-{{.ns}}
      verbs:
      - get
      - update
      - patch
      - list
      - watch
    

    _images/spk_warn.png Important: If you enable the default gateway using either BGP or the F5BigNetStaticroute Custom Resource (CR) without enabling the add_k8s_routes paramter, pod-to-pod communication fails.

  8. By default, the TMM container uses the default Kubernetes serviceAccount. Use the parameter below to modify the serviceAccount used by TMM:

     f5-tmm:
       tmm: 
         serviceAccount:
           create: true
           name: tmm_sa
    
  9. The Fluentd Logging collector is enabled by default, and requires setting the f5-toda-logging.fluentd.host parameter:

    A. When Fluentd is enabled, ensure the fluentd.host parameter targets the Fluentd Pod’s namespace:

    In this example, the host value includes the Fluentd Pod’s cnf-gateway namespace.

     f5-tmm:
       f5-toda-logging:
         enabled: true
         fluentd:
           host: "f5-toda-fluentd.cnf-gateway.svc.cluster.local."
         sidecar:
           image:
             repository: "local.registry.com"
    

    B. When Fluentd is disabled, set the f5-toda-logging.enabled parameter to false:

     f5-tmm:
       f5-toda-logging:
         enabled: false
    
  10. The default resources for the TMM Pod are as follows:

    f5-tmm:
      tmm:
        resources:  
          limits:
            cpu: 2
            hugepages-2Mi: "3Gi"
            memory: "2Gi"
          requests:
            cpu: 2
            hugepages-2Mi: "3Gi"
            memory: "2Gi"
    

    _images/spk_info.png Note: The CPU, memory, and hugepages-2Mi values between limits and requests must be the same for the TMM pod.

AFM values

Use these steps to enable and configure the Edge Firewall Helm values for your environment.

  1. To enable the Edge Firewall feature, and to ensure Helm can obtain the image from the local image registry, add the following Helm values:

    global:
       afm:
         enabled: true
         pccd:
           enabled: true 
    
    f5-afm:
       enabled: true
       cert-orchestrator:
         enabled: true
       afm:
         pccd:  
           enabled: true
           image:
            repository: "local.registry.com"
    
  2. The Edge Firewall’s default firewall mode accepts all network packets not matching an F5BigFwPolicy firewall rule. You can modify this behavior using the F5BigContextGlobal Custom Resource (CR). For addition details about the default firewall mode and logging parameters, refer to the Firewall mode section of the F5BigFwPolicy overview:

  3. The Fluentd Logging collector is enabled by default, and requires setting the f5-toda-logging.fluentd.host parameter. If you installed Fluentd, ensure the host parameter targets the Fluentd Pod’s namespace:

    In this example, the host value includes the Fluentd Pod’s cnf-gateway Namespace.

    f5-afm:
      afm:
        fluentbit_sidecar:
          fluentd:
            host: 'f5-toda-fluentd.cnf-gateway.svc.cluster.local.'
          image:
            repository: "local.registry.com"
          resources:
            limits:
              cpu: "0.5"
              memory: "512Mi"
            requests:
              cpu: "0.25"
              memory: "256Mi"             
    
  4. The default resources for the Edge Firewall are as follows:

    f5-afm:
      afm:
        pccd:
          resources:  
            limits:
              cpu: "1"
              memory: "512Mi"
            requests:
              cpu: "0.5"
    

IPSD values

Use these steps to enable and configure the Intrusion Prevention System Helm values for your environment.

  1. To enable the IPSD Pod, and to ensure Helm can obtain the image from the local image registry, add the following Helm values:

    f5-ipsd:
      enabled: true
      ipsd:
        image:
          repository: "local.registry.com"
    
  2. The Fluentd Logging collector is enabled by default, and requires setting the f5-toda-logging.fluentd.host parameter. If you installed Fluentd, ensure the host parameter targets the Fluentd Pod’s namespace:

    In this example, the host value includes the cnf-gateway Namespace.

    f5-ipsd:
      ipsd:
        fluentbit_sidecar:
          fluentd:
            host: "f5-toda-fluentd.cnf-gateway.svc.cluster.local."
          image:
              repository: "local.registry.com"
          resources:
            limits:
              cpu: "0.5"
              memory: "512Mi"
            requests:
              cpu: "0.25"
              memory: "256Mi"          
    
  3. The default resources for the IPSD are as follows:

    f5-ipsd:
      ipsd:
        resources:  
          limits:
            cpu: "1"
            memory: "512Mi"
          requests:
            cpu: "0.5"
            memory: "256Mi"
    

Downloader values

Use these steps to enable and configure the Downloader Helm values for your environment.

  1. To connect to the RabbitMQ open source message broker and ensure proper functioning of the downloader pod, enable the RabbitMQ namespace in the values.yaml file.

      downloader: 
      name: f5-downloader 
      debug: false
      rabbitmqNamespace: "cnf-telemetry" 
      storage: 
            enabled: true 
            storageClassName: standard 
            access: ReadWriteOnce
    
  2. To enable the Downloader Pod, and to ensure Helm can obtain the image from the local image registry, add the following Helm values:

    f5-downloader:
      enabled: true
      downloader:
        image:
          repository: "local.registry.com"
    
  3. The Fluentd Logging collector is enabled by default, and requires setting the f5-toda-logging.fluentd.host parameter. If Fluentd is installed, ensure that the host parameter targets the Fluentd Pod’s Namespace:

    In this example, the host value includes the cnf-gateway Namespace.

    f5-downloader:
      downloader:
        fluentbit_sidecar:
          image:
            repository: "local.registry.com"
          fluentd:
            host: "f5-toda-fluentd.cnf-gateway.svc.cluster.local."
          resources:
            limits:
              cpu: "0.5"
              memory: "512Mi"
            requests:
              cpu: "0.25"
              memory: "256Mi"
    
  4. If CNF is deployed on a cluster with multiple worker nodes, the downloader pod requires a persistent volume with a storage class that supports the ReadWriteMany access mode, and access: ReadWriteMany needs to be specified in the values file.

    The following is an example for the values needed.

    f5-downloader:
      enabled: true
      downloader:
                storage:
              enabled: true
              access: ReadWriteMany
              storageClassName: robin-rwx
    
  5. To enable the downloader, the CRD updater has to be enabled. To enable the CRD updater, add the following to the values.yaml file.

    crdupdater:
      name: crdupdater
      image:
        repository: "local.registry.com"
        pullPolicy: 
    
  6. The default resources for the Downloader Pod are as follows:

    f5-downloader:
      downloader:
        resources:  
          limits:
            cpu: "1"
            memory: "2000Mi"
          requests:
            cpu: "500m"
            memory: "1000Mi"
    

_images/spk_info.png Note: Along with this pod, CRD updater sidecar will come up in BIG-IP Controller pod.

Controller values

Use these steps to configure the BIG-IP Controller Helm values for your environment.

  1. To ensure Helm can obtain the image from the local image registry, add the following Helm values:

    The example below also includes the CNFs CWC values.

    controller:
      image:
        repository: "local.registry.com"
    
  2. The following section is needed for the controller to fetch the license information. It communicates with CWC via RabbitMQ to obtain the license. Additionally, it includes an alternative path to read the Kubernetes secret where CWC stores the license details. This alternative option is intended to minimize the impact of issues in CWC/RabbitMQ on the control plane and data plane:

    controller:
      f5_lic_helper:
        enabled: true
        rabbitmqNamespace: "cnf-telemetry"
        image:
          repository: "local.registry.com"
    
  3. To remove the singular reliance on RabbitMQ for fetching license information in the controller, do the following:

    • Install CNF with the CWC namespace:

      controller:
        cwcNamespace: default
      

      _images/spk_info.png Note: The default value of cwcNamespace parameter is default.

    • If using a default RBAC, no change is required. For custom RBAC, to allow the controller to access the license from CWC, create a ClusterRole and ClusterRoleBinding with the F5Ingress controller service account as shown in the example:

      kind: ClusterRole
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: <ClusterRoleName>
      rules:
      - apiGroups: [" "]
        resources: ["secrets"]
        resourceNames: ["licensestatus"]
        verbs: ["list", "get", "watch"]
      
      kind: ClusterRoleBinding
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: <ClusterRoleBindingName>
      roleRef:
        kind: ClusterRole
        name: <ClusterRoleName>
        apiGroup: rbac.authorization.k8s.io
      subjects:
      - kind: ServiceAccount
        name: <cnff5ingressServiceAccount>
        namespace: <cnff5ingressNamespace>
      
  4. To enable the TMM pod manager, add the following helm values to the values file.

    tmm_pod_manager:
      image:
        repository: repo.f5.com file path
        pullPolicy: always
    
  5. The Fluentd Logging collector is enabled by default, and requires setting the f5-toda-logging.fluentd.host parameter. If you installed Fluentd, ensure the host parameter targets the Fluentd Pod’s namespace:

    In this example, the host value includes the cnf-gateway Namespace.

    controller:
      fluentbit_sidecar:
        fluentd:
          host: 'f5-toda-fluentd.cnf-gateway.svc.cluster.local.'
        image:
          repository: "local.registry.com"
        resources:
          limits:
            cpu: 0.5
            memory: 512Mi
          requests:
            cpu: 0.25
            memory: 256Mi  
    
  6. The default resources for the Controller Pod are as follows:

    controller:
      resources:
        limits:
          cpu: 1
          memory: 1Gi
        requests:
          cpu: 0.5
          memory: 1Gi    
    

Completed values

The completed Helm values file should appear similar to the following:

f5-tmm:
  enabled: true

  tmm:
    image:
      repository: "local.registry.com"

    hugepages:
      enabled: true

    sessiondb:
      useExternalStorage: "true"

    topologyManager: true

    cniNetworks: '[{"ippool": "e810-180", "mtu": 9000}, {"ippool": "e810-181", "mtu": 9000}]'
    robinNetworks: "true"
    customEnvVars:
      - name: ROBIN_VFIO_RESOURCE_1
        value: "P1P1_VFIOPCI"
      - name: ROBIN_VFIO_RESOURCE_2
        value: "P1P2_VFIOPCI"
      - name: TMM_DEFAULT_MTU
        value: "9000"
      - name: TMM_IGNORE_GATEWAYS
        value: "TRUE"
      - name: TMM_CALICO_ROUTER
        value: "default"
      - name: SESSIONDB_DISCOVERY_SENTINEL
        value: "true"
      - name: SESSIONDB_EXTERNAL_SERVICE
        value: "f5-dssm-sentinel.cnf-gateway"
      - name: SSL_SERVERSIDE_STORE
        value: "/tls/tmm/mds/clt"
      - name: SSL_TRUSTED_CA_STORE
        value: "/tls/tmm/mds/clt"
      - name: TMM_MAPRES_HUGEPAGES
        value: "12288"

    dynamicRouting:
      enabled: true
      exportZebosLogs: true
      tmmRouting:
        image:
          repository: "local.registry.com"
        resources:
          limits:
            cpu: "700m"
            memory: "1Gi"
          requests:
            cpu: "700m"
            memory: "1Gi"  
        config:
          bgp:
            asn: 123
            neighbors:
              - ip: "192.168.10.200"
              asn: 456
              acceptsIPv4: true

      tmrouted:
        image:
          repository: "local.registry.com"
        resources:
          limits:
            cpu: "300m"
            memory: "512Mi"
          requests:
            cpu: "300m"
            memory: "512Mi"  

  blobd:
    image:
      repository: "local.registry.com"
    resources:
      limits:
        cpu: "1"
        memory: "4Gi"
      requests:
        cpu: "0.5"
        memory: "3.5Gi"
      
  f5-toda-logging:
    enabled: true
    fluentd:
      host: "f5-toda-fluentd.cnf-gateway.svc.cluster.local."
     sidecar:
      image:
        repository: "local.registry.com"

  debug:
    enabled: true
    rabbitmqNamespace: "cnf-telemetry"
      image: 
        repository: "local.registry.com"          
      resources:
        limits:
          cpu: "500m"
          memory: "1Gi"
        requests:
          cpu: "500m"
          memory: "1Gi"        

global:
  afm:
    enabled: true
    pccd:
      enabled: true
    imageCredentials:
      name: far-secret
    controller:
      crdupdater:
      enabled: true 

f5-afm:
  enabled: true
  cert-orchestrator:
    enabled: true
  afm:
    pccd:  
      enabled: true
      image:
        repository: "local.registry.com"
      resources:
        limits:
          cpu: "1"
          memory: "512Mi"
        requests:
          cpu: "0.5"  
    fluentbit_sidecar:
      fluentd:
        host: 'f5-toda-fluentd.cnf-gateway.svc.cluster.local.'
      image:
        repository: "local.registry.com"
      resources:
        limits:
          cpu: "0.5"
          memory: "512Mi"
        requests:
          cpu: "0.25"
          memory: "256Mi"  

f5-ipsd:
  enabled: true
  ipsd:
    image:
      repository: "local.registry.com"
    resources:  
      limits:
        cpu: "1"
        memory: "512Mi"
      requests:
        cpu: "0.5"
        memory: "256Mi"  
    fluentbit_sidecar:
      fluentd:
        host: 'f5-toda-fluentd.cnf-gateway.svc.cluster.local.'
      image:
         repository: "local.registry.com"
      resources:
        limits:
          cpu: "0.5"
          memory: "512Mi"
        requests:
          cpu: "0.25"
          memory: "256Mi"
         
f5-downloader:
  downloader:
  fluentbit_sidecar:
    image:
       repository: "local.registry.com"
    fluentd:
      host: "f5-toda-fluentd.cnf-gateway.svc.cluster.local."
    resources:
      limits:
        cpu: "0.5"
        memory: "512Mi"
      requests:
        cpu: "0.25"
        memory: "256Mi"
           
controller:
  image:
    repository: "local.registry.com"
  crdupdater:
      name: crdupdater
      image:
        repository: "local.registry.com"
        pullPolicy:
  resources:
    limits:
      cpu: 1
      memory: 1Gi
    requests:
      cpu: 0.5
      memory: 1Gi    

  f5_lic_helper:
    enabled: true
    rabbitmqNamespace: "cnf-telemetry"
    image:
      repository: "local.registry.com"
    resources:
      limits:
        cpu: 0.5
        memory: 512Mi
      requests:
        cpu: 0.25
        memory: 256Mi

  tmm_pod_manager:
    image:
      repository: repo.f5.com
      pullPolicy: always
    resources:
      limits:
        cpu: 0.5
        memory: 512Mi
      requests:
        cpu: 0.25
        memory: 256Mi      

  fluentbit_sidecar:
    enabled: true
    image:
      repository: "local.registry.com"
    fluentd:
      host: 'f5-toda-fluentd.cnf-gateway.svc.cluster.local.'
    resources:
      limits:
        cpu: 0.5
        memory: 512Mi
      requests:
        cpu: 0.25
        memory: 256Mi  

  crdupdater:
    resources:
      limits:
        cpu: 0.5
        memory: 512Mi
      requests:
        cpu: 0.25
        memory: 256Mi

  f5-stats_collector:
    enabled: true
    image:
      repository: "local.registry.com"
    stats_collector:
      resources:
        limits:
          cpu: 0.5
          memory: 512Mi
        requests:
          cpu: 0.25
          memory: 256Mi           

Installation

  1. Change into the directory containing the latest CNFs Software, and obtain the f5ingress Helm chart version:

    In this example, the CNF files are in the cnfinstall directory:

    cd cnfinstall
    
    ls -1 tar | grep f5ingress
    

    The example output should appear similar to the following:

    f5ingress-v0.542.0-0.0.154.tgz
    
  2. If you haven’t already, create a new namespace for the CNFs Pods using the following command syntax:

    kubectl create ns <namespace>
    

    For example:

    kubectl create ns cnf-gateway
    
  3. Install the BIG-IP Controller using the following command syntax:

    helm install f5ingress tar/<helm chart> \
    -f <values file> -n <namespace>
    

    For example:

    helm install f5ingress tar/f5ingress-v0.542.0-0.0.154.tgz \
    -f ingress-values.yaml -n cnf-gateway
    
  4. Verify the Pods have installed successfully, and all containers are Running:

    kubectl get pods -n cnf-gateway
    

    In this example, all containers have a STATUS of Running as expected:

    NAME                                    READY   STATUS    
    f5-afm-5bb5cd989b-b8qpf                 2/2     Running  
    f5-ingress-f5ingress-7965947785-b8f5c   2/2     Running
    f5-ipsd-74f5754b5d-kjzft                1/1     Running 
    f5-tmm-576df78f88-mpzbq                 4/4     Running
    
  5. Verify the f5ingress Pod has been been successfully licensed:

    kubectl logs f5ingress-f5ingress-7965947785-b8f5c  -c f5-lic-helper \
    -n cnf-gateway | grep -i LicenseVerified
    

    In this example, the f5ingress Pod’s f5-lic-helper indicates Entitlement: paid.

    2023-02-03 22:00:44.221|A|informational|1|Message="Payload type:
    ResponseCM20LicenseVerified Entitlement: paid Expiry Date: 2024-01-29T00:01:03Z"
    
  6. When the BIG-IP controller pod is deployed or restarted, and the status of the f5ingress pod changes to Running, wait for at least 15 seconds before applying any other CRs. If any CRs are applied during this time, they might be rejected with the following error:

    Internal error occurred: failed calling webhook "f5validate.f5net.com": failed to call webhook: Post "https://f5-validation-svc.cnf-gateway.svc:5000/f5-validator?timeout=10s": no endpoints available for service "f5-validation-svc
    

    Since the BIG-IP controller may not be ready to consume any CR, it may not serve the requests for f5-validation-svc service at the moment.

    _images/spk_info.pngNote: If this error occurs, re-apply the CRs after 15 seconds and they shall work without any errors related to validating webhook.

  7. Continue to the next procedure to configure the TMM interfaces.

Interfaces

The F5BigNetVlan Custom Resource (CR) applies TMM’s interface configuration; IP addresses, VLAN tags, MTU, etc. Use the steps below to configure and install clientside and serverside F5BigNetVlan CRs:

  1. Configure external and internal F5BigNetVlan CRs. You can place both of the example CRs into a single YAML file:

    _images/spk_warn.png Important: Set the cmp_hash parameter values to SRC_ADDR on the clientside (upstream) VLAN, and DST_ADDR on the serverside (downstream) VLAN.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigNetVlan
    metadata:
      name: "subscriber-vlan"
      namespace: "cnf-gateway"
    spec:
      name: clientside
      interfaces:
        - "1.1"
      selfip_v4s:
        - 10.10.10.100
        - 10.10.10.101
      prefixlen_v4: 24
      selfip_v6s:
        - 2002::10:10:10:100
        - 2002::10:10:10:101
      prefixlen_v6: 116
      mtu: 9000
      cmp_hash: SRC_ADDR
    ---
    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigNetVlan
    metadata:
      name: "application-vlan"
      namespace: "cnf-gateway"
    spec:
      name: serverside
      interfaces:
        - "1.2"
      selfip_v4s:
        - 192.168.10.100
        - 192.168.10.101
      prefixlen_v4: 24
      selfip_v6s:
        - 2002::192:168:10:100
        - 2002::192:168:10:101
      prefixlen_v6: 116
      mtu: 9000
      cmp_hash: DST_ADDR
    
  2. Install the VLAN CRs:

    kubectl apply -f cnf_vlans.yaml
    
  3. List the VLAN CRs:

    kubectl get f5-big-net-vlan -n cnf-gateway
    

    In this example, the VLAN CRs are installed:

    NAME           
    vlan-client
    vlan-server
    
  4. If the Debug Sidecar is enabled (the default), you can verify the f5-tmm container’s interface configuration:

    kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- ip a
    

    The interfaces should appear at the bottom of the list:

    8: clientside: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000
        inet 10.10.10.100/24 brd 192.168.10.0 scope global client
           valid_lft forever preferred_lft forever
        inet6 2002::192:168:10:100/112 scope global
           valid_lft forever preferred_lft forever
    9: serverside: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000
        link/ether 1e:80:c1:e8:81:15 brd ff:ff:ff:ff:ff:ff
        inet 192.168.10.100/24 brd 10.10.10.0 scope global server
           valid_lft forever preferred_lft forever
        inet6 2002::10:10:10:100/112 scope global
           valid_lft forever preferred_lft forever
    

Uninstallation

Following are the mandatory steps to perform for cleaning up the product installations:

_images/spk_info.png Note: The namespace in the delete and uninstall commands can be either tmmNamespace or watchNamespace.

The following steps are mandatory for cleaning up product installations:

  1. Delete all configured CRs:

    kubectl delete -f <cr-file> -n <*namespace>
    

    For example:

    kubectl delete -f cnf_vlans.yaml -n cnf-gateway
    
  2. Uninstall the product:

    helm uninstall <helm-installation-name> -n <*namespace>
    

    For example:

    helm uninstall f5ingress -n cnf-gateway
    

    _images/spk_warn.png Important: If the above order is missed, then below script can be used to clean up finalizers from CR’s and proceed with uninstallation of product and namespace.

      #!/bin/sh
    
      if [ $# -ne 1 ] ; then
          echo "Invalid Arguments, provide namespace as argument"
          exit 1
      fi
    
      echo "This will remove finalizers of all usecase CRs of namespace $1"
    
      crs=$(kubectl api-resources --namespaced=true --verbs=list -o name | egrep 'f5-big|f5-cnf' | xargs -n 1 kubectl get --show-kind --ignore-not-found -n $1 | grep f5 | cut -d ' ' -f 1)
    
      for cr in $crs; do
        result=$(kubectl -n $1 patch $cr -p '{"metadata":{"finalizers":[]}}' --type=merge)
        echo $result
      done
    
      echo ""
      echo "Removed finalizers of all CRs of namespace $1"
    

    For more details, refer to the Finalizers section in the CNF CRs guide.

  3. Clean up the cluster. For this, the CA secret should be deleted manually (the secret is located in the f5-cert-manager namespace with ca-key-pair name).

    kubectl delete secret <ca-key-pair> -n <F5-CERT-MANAGER-NAMESPACE>
    

    For example:

    kubectl delete secret ca-key-pair -n cnf-cert-manager
    

Next step

To begin processing application traffic, continue to the CNFs CRs guide.

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.

Supplemental