CNFs Software¶

Overview¶

The Cloud-Native Network Functions (CNFs) custom resource definitions (CRDs), software images and installation Helm charts are provided in a single TAR file. A CNFs public signing key, and two signature files are also provided to validate the TAR file’s integrity. Once validated and extracted, the software images can be uploaded to a local container registry, and integrated into the cluster using the CNFs Helm charts. Finally, the CNFs CRDs will be installed into the cluster.

This document describes the CNFs software, and guides you through validating, extracting and installing the CNF software components.

Software images¶

The table below lists and describes the software images for this software release. For a full list of software images by release, refer to the Software Releases guide.

Note: The software image name and deployed container name may differ.

Image	Version	Description
f5ingress	v13.7.1-0.3.22	The helm_release-f5ingress container is a custom CNF controller that watches the K8S API for CR updates, and configures either AFM or TMM based on the update.
f5ing-tmm-pod-manager	v1.0.18-0.0.7	The tmm-pod-manager container is a part of f5ingress pod, which is mainly responsible for watching TMM pod events and propagating the TMM pod information to f5ingress main container and other control plane pods. These pods push configurations to TMM pods.
f5-coremond	v0.7.56-0.0.5	Coremond runs as daemon set in every node and is responsible for processing core files generated by the operating system or third party.
tmm-img	v10.50.7-0.2.9	The f5-tmm container is a Traffic Management Microkernel (TMM) instance that proxies and load balances application traffic between the external and internal networks.
f5-l4p-engine	v1.127.13-0.0.5	The f5-afm-pccd container is an Application Firewall Manager (AFM) instance that converts firewall rules and NAT policies into the binary large objects (BLOBs) used by TMM.
f5-nsec-ips-daemon	v3.5.1-0.0.4	The f5-ipsd container is the intrusion detection and prevention instance, providing deep packet inspection and prevention of malignant network packets.
tmrouted-img	v2.3.0-0.0.3	The f5-tmm-tmrouted container proxies and forwards information between the f5-tmm-routing and f5-tmm containers.
f5dr-img	v3.2.14-0.0.4	The f5-tmm-routing container maintains the dynamic routing tables used by TMM.
f5-toda-tmstatsd	v1.11.12-10.0.2	The f5-toda-stats container collects application traffic processing statistics from the f5-tmm container, and forwards the data to the Otel Collectors.
f5-dssm-store	v5.0.7-10.0.3	Contains two sets of software images; The f5-dssm-db containers that store shared, persisted session state data, and the f5-dssm-sentinel containers to monitor the f5-dssm-db containers. For more info, refer to dSSM database.
cnf-cwc	v0.34.14-10.0.9	The cnf-cwc container enables software licensing, and reports telemetry statistics regarding monthly software usage. Refer to CNFs CWC.
f5-license-helper	v0.12.10-0.0.4	The f5-lic-helper communicates with the spk-cwc to determine the current license status of the cluster.
rabbit	v0.5.9-0.0.11	The rabbitmq-server container as a general message bus, integrating CNFs CWC with the BIG-IP Controller Pod(s) for licensing purposes.
cert-manager-controller	v2.3.0	The cert-manager-controller manages the generation and rotation of the SSL/TLS certificate that are stored as Secrets, to secure communication between the various CNFs Pods.
cert-manager-cainjector	v2.3.0	The cert-manager-cainjector assists the cert-manager-controller to configure the CA certificates used by the cert-manager-webhook and K8S API.
cert-manager-webhook	v2.3.0	The cert-manager-webhook ensures that SSL/TLS certificate resources created or updated by the cert-manager-contoller conform to the API specifications.
f5-debug-sidecar	v10.5.0-0.1.32	The debug container provides diagnostic tools for viewing TMM's configuration, traffic processing statistics and gathering TMM diagnostic data. For more info, refer to Debug Sidecar.
f5-fluentbit	v1.2.8-0.0.5	The fluentbit container collects and forwards statistics to the f5-fluentd container. Multiple versions are included to support the different CNFs containers.
f5-fluentd	v2.0.11-0.0.11	The f5-fluentd container collects statistics and logging data from the Controller, TMM and dSSM Pods. For more info, refer to Fluentd Logging.
opentelemetry-collector-contrib	0.123.0	The otel-collector container gathers metrics and statistics from the TMM Pods. Refer to OTEL Collector.
f5-dssm-upgrader	v2.0.17-0.0.3	The dssm-upgrade-hook enables dSSM DBs upgrades without service interruption or data loss. Refer to Upgrading dSSM.
f5-csm-qkview	v0.10.37-0.0.4	The f5-csm-qkview includes the qkview-orchestrator service, which manages requests from CWC to create or download qkview tar files. It communicates with qkview-collect, initiating the process of generating and downloading qkview tar files from containers within a designated namespace.
f5-cert-client	v3.1.2-0.0.3	The f5-cert-client container provides an interface for CNF components to request certificates from f5-cert-manager. Additionally, f5-cert-client can provide certificate rotation functionality for those CNF components.
crd-conversion	v1.69.3-0.0.5	The f5-crd-conversion container handles the automatic conversion of multiple CRD versions based on the specified namespace and version in the cluser, without affecting existing CRs.
f5-downloader	v0.27.9-0.0.12	The f5-downloader pod is used for upgrading IM package for IPS feature. Enums of IPS CRD will be upgraded using this pod.
f5-blobd	v1.23.1-0.0.5	The f5-blobd container allows loading binary large objects (BLOBs) into the TMM memory. It is required for AFM use-cases, like firewall and NAT.
f5-version-validator	v1.0.5-10.0.8	The `f5-version-validator` performs version compatibility checks to verify whether the cluster has the supported product versions.
f5-toda-observer	v5.7.5-0.1.0	The `f5-toda-observer` container handles the roles of Receiver, Observer Aggregator, Coordinator, and TMM Scraper for secure gRPC-based metric collection, aggregation and export.

Requirements¶

Ensure you have:

Obtained the CNF software tarball.
A local container registry.
A workstation with Podman.
(Optional) A compatible version of Open Source Cert Manager

Procedures¶

Validate and extract¶

Use the following steps to validate the CNFs tarball, extract the software images, installation Helm charts, and CRDs.

Create a new directory for the CNFs files:
```
mkdir <directory>
```
In this example, the new directory is named cnfinstall:
```
mkdir cnfinstall
```

Move the CNFs files into the directory:

mv f5-bigip-k8s* f5-bigip-k8s-2.1.0-3.1736.1-0.1.27.pem cnfinstall

Change into the directory and list the files:

cd cnfinstall; ls -1

The files appear as:

f5-bigip-k8s-2.1.0-3.1736.1-0.1.27.pem
f5-bigip-k8s-2.1.0-3.1736.1-0.1.27.tgz
f5-bigip-k8s-sha512.txt-2.1.0-3.1736.1-0.1.27.sha512.sig
f5-bigip-k8s.tgz-2.1.0-3.1736.1-0.1.27.sha512.sig

Use the PEM signing key and each SHA signature file to validate the CNFs TAR file:

openssl dgst -verify <pem file>.pem -keyform PEM \
-sha512 -signature <sig file>.sig <tar file>.tgz

The command output states Verified OK for each signature file:

openssl dgst -verify f5-bigip-k8s-2.1.0-3.1736.1-0.1.27.pem -keyform PEM -sha512 \
-signature f5-bigip-k8s.tgz-2.1.0-3.1736.1-0.1.27.sha512.sig \
f5-bigip-k8s-2.1.0-3.1736.1-0.1.27.tgz

Verified OK

Extract the CNFs images, Helm charts, and CRDs from the TAR file:
```
tar xvf f5-bigip-k8s-2.1.0-3.1736.1-0.1.27.tgz
```

List the newly extracted files:

ls -1

The file list shows the CRD bundless and the CNF image TAR file named f5-bigip-k8s-images-v2.1.0-3.1736.1-0.1.27.tgz:

f5-bigip-k8s-2.1.0-3.1736.1-0.1.27.pem
f5-cnf-crds-n6lan-13.7.1-0.3.22.tgz
f5-bigip-k8s-images-2.0.1-3.233.0+0.3.128.tgz
f5-bigip-k8s-2.1.0-3.1736.1-0.1.27.tgz
f5-bigip-k8s-sha512.txt-2.1.0-3.1736.1-0.1.27.sha512.sig
f5-bigip-k8s.tgz-2.1.0-3.1736.1-0.1.27.sha512.sig

Extract the CNF Helm charts and software images:

tar xvf f5-bigip-k8s-images-2.1.0-3.1736.1-0.1.27.tgz

List the extracted Helm charts and software images:

ls -1R

The file list shows a new tar directory with the following files:

f5-bigip-k8s-2.1.0-3.1736.1-0.1.27.pem
f5-cnf-crds-n6lan-13.7.1-0.3.22.tgz
f5-bigip-k8s-images-2.1.0-3.1736.1-0.1.27.tgz
f5-bigip-k8s-2.1.0-3.1736.1-0.1.278.tgz
f5-bigip-k8s-sha512.txt-2.1.0-3.1736.1-0.1.27.sha512.sig
f5-bigip-k8s.tgz-2.1.0-3.1736.1-0.1.27.sha512.sig
tar

./tar:
csrc-0.9.1-0.3.0.tgz
cwc-0.43.1-0.0.15.tgz
coremond-0.7.56-0.0.5.tgz
dnat-util-v0.5.6.tgz
f5-cert-gen-0.9.3.tgz
f5-cert-manager-0.23.35-0.0.10.tgz
f5-crdconversion-0.23.2-0.1.1.tgz
f5-dssm-1.27.1-0.0.20.tgz
f5-toda-fluentd-1.31.30-0.0.7.tgz
f5ingress-v13.7.1-0.3.22.tgz
log-doc-f5ingress-13.7.1+0.3.22.tgz
rabbitmq-0.6.1-0.0.13.tgz
f5-toda-observer-5.7.5-0.1.0.tgz
cne-docker-images.tgz

Install CRDs¶

Use the following steps to extract and install the new CNF CRDs.

List the CNF CRD bundle:

ls -1 | grep crd

The file list shows CRD bundle:

f5-cnf-crds-n6lan-13.7.1-0.3.22.tgz

Install the CRDs:

a. Install CRDs using Helm install:

helm install f5crds f5-cnf-crds-n6lan-13.7.1-0.3.22.tgz -f crd-values.yaml 

Example: crd-values.yaml file (We only need to use this namespace parameter when CRD Conversion is deployed in a non-default namespace. The value of the namespace parameter should match the namespace in which CRD Conversion is deployed.)

conversion:
   namespace: cnf-crdconversion 

Note: In the command output, newly installed CRDs will be indicated by created, and updated CRDs will be indicated by configured

customresourcedefinition.apiextensions.k8s.io/f5-big-alg-ftps.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-alg-pptps.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-alg-rtsps.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-alg-tftps.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-cne-addresslists.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-cne-datagroups.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-cne-portlists.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-cne-snatpools.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-context-globals.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-context-secures.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-ddos-policies.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-dns-apps.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-dns-caches.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-fastl4-settings.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-fw-policies.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-ips-policies.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-log-hslpubs.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-log-profiles.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-nat-policies.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-net-staticroutes.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-net-vlans.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-tcp-settings.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-udp-settings.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-zerorating-policies.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-certificaterequests.cm.f5co.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-certificates.cm.f5co.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-challenges.acme.cm.f5co.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-clusterissuers.cm.f5co.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-issuers.cm.f5co.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-orders.acme.cm.f5co.k8s.f5net.com unchanged

b. (Optional) If the customer wants to use the OSS cert-manager, add the following in the values.yaml file:

global:
  certmgr:
    external: true
versionValidator:
  name: f5-version-validator
  image:
    repository: "repo.f5.com/images

customresourcedefinition.apiextensions.k8s.io/f5-big-alg-ftps.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-alg-pptps.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-alg-rtsps.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-alg-tftps.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-cne-addresslists.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-cne-datagroups.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-cne-portlists.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-cne-snatpools.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-context-globals.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-context-secures.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-ddos-policies.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-dns-apps.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-dns-caches.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-fastl4-settings.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-fw-policies.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-ips-policies.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-log-hslpubs.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-log-profiles.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-nat-policies.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-net-staticroutes.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-net-vlans.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-tcp-settings.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-udp-settings.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-zerorating-policies.k8s.f5net.com configured

Note: If open source Cert-Manager is used, f5-cert-manager CRDs will not be installed. For more information, see Open Source Cert Manager section.

List the installed CNFs CRDs:

kubectl get crds | grep f5

The CRD listing will contain the full list of CRDs:

certificaterequests.cm.f5co.k8s.f5net.com                         2024-01-24T19:03:03Z
certificates.cm.f5co.k8s.f5net.com                                2024-01-24T19:03:03Z
challenges.acme.cm.f5co.k8s.f5net.com                             2024-01-24T19:03:03Z
clusterissuers.cm.f5co.k8s.f5net.com                              2024-01-24T19:03:03Z
f5-big-alg-ftps.k8s.f5net.com                                     2024-01-24T19:03:03Z
f5-big-alg-pptps.k8s.f5net.com                                    2024-01-24T19:03:03Z 
f5-big-alg-rtsps.k8s.f5net.com                                    2024-01-24T19:03:03Z
f5-big-alg-tftps.k8s.f5net.com                                    2024-01-24T19:03:03Z
f5-big-cne-addresslists.k8s.f5net.com                             2024-01-24T19:03:03Z
f5-big-cne-datagroups.k8s.f5net.com                               2024-01-24T19:03:03Z
f5-big-cne-downloaders.k8s.f5net.com                              2024-01-24T19:03:03Z
f5-big-cne-portlists.k8s.f5net.com                                2024-01-24T19:03:03Z
f5-big-cne-snatpools.k8s.f5net.com                                2024-01-24T19:03:03Z
f5-big-context-globals.k8s.f5net.com                              2024-01-24T19:03:03Z
f5-big-context-secures.k8s.f5net.com                              2024-01-24T19:03:03Z
f5-big-ddos-globals.k8s.f5net.com                                 2024-01-24T19:03:03Z
f5-big-ddos-profiles.k8s.f5net.com                                2024-01-24T19:03:03Z
f5-big-dns-apps.k8s.f5net.com                                     2024-01-24T19:03:03Z
f5-big-dns-caches.k8s.f5net.com                                   2024-01-24T19:03:03Z
f5-big-fastl4-settings.k8s.f5net.com                              2024-01-24T19:03:03Z
f5-big-fw-policies.k8s.f5net.com                                  2024-01-24T19:03:03Z
f5-big-fw-rulelists.k8s.f5net.com                                 2024-01-24T19:03:03Z
f5-big-ips-policies.k8s.f5net.com                                 2024-01-24T19:03:03Z
f5-big-log-hslpubs.k8s.f5net.com                                  2024-01-24T19:03:03Z
f5-big-log-profiles.k8s.f5net.com                                 2024-01-24T19:03:03Z
f5-big-nat-policies.k8s.f5net.com                                 2024-01-24T19:03:03Z
f5-big-net-staticroutes.k8s.f5net.com                             2024-01-24T19:03:03Z
f5-big-net-vlans.k8s.f5net.com                                    2024-01-24T19:03:03Z
f5-big-tcp-settings.k8s.f5net.com                                 2024-01-24T19:03:03Z
f5-big-udp-settings.k8s.f5net.com                                 2024-01-24T19:03:03Z
f5-big-zerorating-policies.k8s.f5net.com                          2024-01-24T19:03:03Z
issuers.cm.f5co.k8s.f5net.com                                     2024-01-24T19:03:03Z
orders.acme.cm.f5co.k8s.f5net.com                                 2024-01-24T19:03:03Z   

Install Cert Manager¶

Install the cert manager. For more information on how to install and configure Cert Manager, see Cert Manager guide.

Install CRD Conversion pod¶

Add the f5-crdconversion serviceAccount to the privileged security context constraints (SCC) of the project:
```
kubectl adm policy add-scc-to-user privileged -n <project> -z <serviceaccount>
```
In this example, the f5-crdconversion is added to the cnf-cert-manager project’s privileged SCC.

kubectl adm policy add-scc-to-user privileged -n cnf-crdconversion -z default

Install the CRD Conversion pod with latest version using Helm install:

helm install f5-crd-conversion --version 1.69.3-0.0.5 -n cnf-crdconversion f5ingress-dev/f5-crdconversion -f crd-conversion-values.yaml  

Verify the STATUS of the CRD Conversion pod:

In this example, CRD Conversion Pod is installed in the cnf-crdconversion Project.

kubectl get pod -n cnf-crdconversion 

As we can see CRD Conversion pod is created.

NAME                                  READY      STATUS       RESTARTS      AGE
f5-crd-conversion-8478b9y96-asfd1     1/1        Running      0             30s

Upload the images¶

Use the following steps to upload the CNFs software images to a local container registry.

Install the CNFs images to your workstation’s Podman image store:
```
podman load -i tar/cnf-docker-images.tgz
```

List the CNF images to be tagged and pushed to the local container registry in the next step:

podman images --format "table {{.Repository}} {{.Tag}} {{.ID}}"

 REPOSITORY                                          	 TAG                          IMAGE ID
 local.registry/crd-installer						v13.7.1-0.3.22 				f7f896bb1344
 local.registry/f5ingress 							v13.7.1-0.3.22  			2359d4cda5d5
 local.registry/tmm-img 								v10.50.7-0.2.9 				34943fe3ff7a
 local.registry/f5-analyzer 							v0.0.3-0.0.5 				de67393fb770
 local.registry/f5-debug-sidecar 					v10.5.0-0.1.32 				8bc999bc1414
 local.registry/f5-dwbld 							v1.161.0-0.2.11 			207b29dc1df9
 local.registry/f5-lifecycle-operator 				v1.198.4-0.1.36 			3a75eedfcd0a
 local.registry/f5-env-discovery 					v1.198.4-0.1.36 			3e2b45b81e12
 local.registry/init-certmgr 						v0.23.35-0.0.10 			5dbd66a91443
 local.registry/f5-downloader   						v0.27.9-0.0.12   			d342c1aa5240
 local.registry/f5-fluentd  							v2.0.11-0.0.11  			beadffcbc1ae
 local.registry/dnsx-img    							v0.10.21-0.0.4   			fc933ace082b
 local.registry/f5-coremond 							v0.7.56-0.0.5    			9cb9a186027f
 local.registry/f5-toda-observer						v5.7.5-0.1.0 				a5e839209ae5
 local.registry/f5dr-img-init   						v3.2.14-0.0.4    			4c00524e48fc
 local.registry/f5dr-img    							v3.2.14-0.0.4    			d008878f3410
 local.registry/tmrouted-img 						v2.3.0-0.0.3 				b1e2e55f3bec
 local.registry/f5-license-proxy 					1.29.0-0.10.12   			c01bfa468242
 local.registry/vault-init							1.29.0-0.10.12  			b9a17e37d944
 local.registry/spk-cwc 								v0.35.0-0.0.5   			c1ddcdef1a81
 local.registry/f5-cert-client 						v3.1.2-0.0.3 				e602cdd27967
 local.registry/f5-license-helper 					v0.12.10-0.0.4  			dc88c777701a
 local.registry/f5-fluentbit 						v1.2.8-0.0.590 				3f121a9198
 local.registry/f5-bdosd 							v0.72.0-0.1.3 				9290a9a50b7a
 local.registry/spk-csrc 							v0.6.1-0.0.5 				7804635e32a1
 local.registry/f5-nsec-ips-daemon 					v3.5.1-0.0.4 				37648ce82328
 local.registry/rabbit 								v0.5.9-0.0.11 				997fbc405b00
 local.registry/f5-blobd    							v1.23.1-0.0.5    			bf051e506625
 local.registry/f5-l4p-engine   						v1.127.13-0.0.5  			a89a004b432d
 local.registry/crd-conversion  						v1.69.3-0.0.5    			36d5b524408a
 local.registry/f5-toda-tmstatsd 					v1.11.19-0.0.3   			5650c2075de7
 local.registry/f5-csm-qkview   						v0.10.37-0.0.4   			20f5baf32842
 local.registry/f5-fqdn-resolver 					v0.8.1-0.0.3  				8f77fe15ab7d
 local.registry/gslb-engine 							v0.111.15-0.0.2  			142b5e1f988e
 local.registry/gslb-probe-agent 					v0.31.4-0.0.2    			cd929b134682
 local.registry/f5-ipam-controller 					v1.1.35-0.0.6    			21af729ae769
 local.registry/f5ing-tmm-pod-manager  				v1.0.18-0.0.7    			6dbbdd59be46
 local.registry/f5-dssm-upgrader 					v2.0.17-0.0.3    			4954ea6e93c1
 local.registry/f5-dssm-store   						v5.1.7-0.0.3 				ee761b0ef30c
 local.registry/vault  								1.20.1 						f6e935320759
 local.registry/crdupdater  							v0.4.32-0.0.2    			5b3de59f547e
 local.registry/f5-node-labeler 						v0.0.15-0.0.2    			6c8d8d50b1aa
 local.registry/postgresql  							17.5.0 						db9bc963e434
 local.registry/f5-eowyn-install 					v0.5.4 						a5b3f4d6f80e
 local.registry/cert-manager-startupapicheck 		v2.3.0 						b3bed6de8ba9
 local.registry/cert-manager-webhook   				v2.3.0 						4eb33f2045a9
 local.registry/cert-manager-cainjector 				v2.3.0 						f1fd7c702b40
 local.registry/cert-manager-controller 				v2.3.0 						da7a341236d4
 local.registry/opentelemetry-collector-contrib  	0.123.0 					f0eaa24275f0

Tag and push each image to the local container registry. For example:

podman tag <local.registry/image name>:<version> <registry>/<image name>:<version>

podman push <registry_name>/<image name>:<version>

In this example, the f5ingress:v13.7.1-0.3.22 image is tagged and pushed to the remote registry registry.com:

podman tag local.registry/f5ingress:v13.7.1-0.3.22 registry.com/f5ingress:v13.7.1-0.3.22

podman push registry.com/f5ingress:v13.7.1-0.3.22

Note: If you encounter the “insufficient UIDs or GIDs available in user namespace” error while pushing the Docker image, kindly use the following command:

A. If you are pushing an image, use this command:

podman --storage-opt overlay.ignore_chown_errors=true push <registry>/<image name>:<version>

Example:

podman --storage-opt overlay.ignore_chown_errors=true push artifactory.f5net.com/f5-mbip-docker/f5-nsec-ips-daemon:v3.5.1-0.0.4

B. If you still encounter the error while pushing the image, increase the subuids and subgids range to larger values. Make sure the subuids and subgids fit within the required range.

Example:

sudo usermod --add-subuids 200000-2010000000 <USERNAME> 

sudo usermod --add-subgids 200000-2010000000 <USERNAME> 

Once all of the images have uploaded, verify the images exist in the local container registry:

curl -X GET https://<registry>/v2/_catalog -u <user:pass>

For example:

curl -X GET https://registry.com/v2/_catalog -u cnfadmin:cnfadmin

"repositories":["f5-debug-sidecar","f5-dssm-store","f5-fluentbit","f5-fluentd","f5-toda-tmstatsd","f5dr-img","f5ingress","tmm-img","tmrouted-img"]}

Next step¶

Continue to the CNFs Cert Manager guide to secure CNFs communications.

Feedback¶

Provide feedback to improve this document by emailing cnfdocs@f5.com.

Supplemental¶

Using Podman load.

Previous Next