CNFs Software

Overview

The Cloud-Native Network Functions (CNFs) software images and installation Helm charts are provided in a single tape archive (TAR) file. A CNFs Custom Resource Definitions (CRD) TAR file is also provided. Once validated and extracted, the CNFs software images can be integrated into the cluster.

This document describes the CNFs software, and guides you through validating, extracting and installing the CNF software components.

Software images

The table below lists and describes the software images for this software release. For a full list of software images by release, refer to the Software Releases guide.

_images/spk_info.png Note: The software image name and deployed container name may differ.

Image Version Description
f5ingress v6.0.16 The helm_release-f5ingress container is a custom CNF controller that watches the K8S API for CR updates, and configures either AFM or TMM based on the update.
tmm-img v2.0.5 The f5-tmm container is a Traffic Management Microkernel (TMM) instance that proxies and load balances application traffic between the external and internal networks.
f5-l4p-engine v1.3.48 The f5-afm-pccd container is an Application Firewall Manager (AFM) instance that converts firewall rules and NAT policies into the binary large objects (BLOBs) used by TMM.
f5-nsec-ips-daemon v1.4.14 The f5-ipsd container is the intrusion detection and prevention instance, providing deep packet inspection and prevention of malignant network packets.
tmrouted-img v0.8.21 The f5-tmm-tmrouted container proxies and forwards information between the f5-tmm-routing and f5-tmm containers.
f5dr-img v0.5.7 The f5-tmm-routing container maintains the dynamic routing tables used by TMM.
f5-toda-tmstatsd v1.7.7 The f5-toda-stats container collects application traffic processing statistics from the f5-tmm container, and forwards the data to the f5-fluentbit container.
f5-dssm-store v1.21.0 Contains two sets of software images; The f5-dssm-db containers that store shared, persisted session state data, and the f5-dssm-sentinel containers to monitor the f5-dssm-db containers. For more info, refer to dSSM database.
f5-debug-sidecar v5.54.3 The debug container provides diagnostic tools for viewing TMM's configuration, traffic processing statistics and gathering TMM diagnostic data. For more info, refer to Debug Sidecar.
f5-fluentbit v0.2.0 The fluentbit container collects and forwards statistics to the f5-fluentd container.
f5-fluentd v1.4.9 The f5-fluentd container collects statistics and logging data from the Controller, TMM and dSSM Pods. For more info, refer to Fluentd Logging.
opentelemetry-collector 0.46.0 The otel-collector container gathers metrics and statistics from the TMM Pods. Refer to OTEL Collector.
f5-dssm-upgrader 1.0.0 The dssm-upgrade-hook enables dSSM DBs upgrades without service interruption or data loss. Refer to Upgrading dSSM.

Requirements

Ensure you have:

  • Obtained the CNF software tarball.
  • A local container registry.
  • A workstation with Podman and OpenSSL.

Procedures

Validate and extract

Use the following steps to extract the CNFs software images.

  1. Create a new directory for the CNFs files:

    mkdir <directory>
    

    In this example, the new directory is named cnfinstall:

    mkdir cnfinstall
    
  2. Move the CNFs files into the directory:

    mv f5-cnf-tarball* f5-cnf-1.0.2.pem cnfinstall
    
  3. Change into the directory and list the files:

    cd cnfinstall; ls -1
    

    The files appear as:

    f5-cnf-1.0.2.pem
    f5-cnf-tarball-1.0.2.tgz
    f5-cnf-tarball-sha512.txt-1.0.2.sha512.sig
    f5-cnf-tarball.tgz-1.0.2.sha512.sig
    
  4. Use the PEM signing key and each SHA signature file to validate the CNFs TAR file:

    openssl dgst -verify <pem file>.pem -keyform PEM \
    -sha512 -signature <sig file>.sig <tar file>.tgz
    

    The command output states Verified OK for each signature file:

    openssl dgst -verify f5-cnf-1.0.2.pem -keyform PEM -sha512 \
    -signature f5-cnf-tarball.tgz-1.0.2.sha512.sig f5-cnf-tarball-1.0.2.tgz
    
    Verified OK
    
    openssl dgst -verify f5-cnf-1.0.2.pem -keyform PEM -sha512 \
    -signature f5-cnf-tarball-sha512.txt-1.0.2.sha512.sig f5-cnf-tarball-1.0.2.tgz
    
    Verified OK
    
  5. Extract the CNFs images, Helm charts, and CRDs from the TAR file:

    tar xvf f5-cnf-tarball-1.0.2.tgz
    
  6. List the newly extracted files:

    ls -1
    

    The file list shows the CRD bundless and the SPK image TAR file named f5-cnf-images-1.0.2.tgz:

    f5-cnf-1.0.2.pem
    f5-cnf-crds-n6lan-0.36.7.tgz
    f5-cnf-images-1.0.2.tgz
    f5-cnf-tarball-1.0.2.tgz
    f5-cnf-tarball-sha512.txt-1.0.2.sha512.sig
    f5-cnf-tarball.tgz-1.0.2.sha512.sig
    
  7. Extract the CNF Helm charts and software images:

    tar xvf f5-cnf-images-1.0.2.tgz
    
  8. List the extracted Helm charts and software images:

    ls -1R
    

    _The file list shows a new tar directory with the following files:

    f5-cnf-1.0.2.pem
    f5-cnf-crds-n6lan-0.36.7.tgz
    f5-cnf-images-1.0.2.tgz
    f5-cnf-tarball-1.0.2.tgz
    f5-cnf-tarball-sha512.txt-1.0.2.sha512.sig
    f5-cnf-tarball.tgz-1.0.2.sha512.sig
    tar
    
    ./tar:
    cnf-docker-images.tgz
    f5-dssm-0.22.14.tgz
    f5-toda-fluentd-1.8.30.tgz
    f5ingress-6.0.16.tgz
    

Install the CRDs

Use the following steps to extract and install the new CNF CRDs.

  1. List the CNF CRD bundle:

    ls -1 | grep crd
    

    The file list shows three CRD bundles:

    f5-cnf-crds-n6lan-0.36.7.tgz
    
  2. Extract the CRDs from the bundle:

    tar xvf f5-cnf-crds-n6lan-0.36.7.tgz
    
  3. Install the CRDs:

    kubectl apply -f f5-cnf-crds-n6lan/crds
    
    kubectl apply -f f5-cnf-crds-n6lan/templates
    

    Note the command output: Newly installed CRDs will be indicated by created, and updated CRDs will be indicated by configured:

    customresourcedefinition.apiextensions.k8s.io/f5-big-alg-ftps.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-alg-pptps.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-alg-rtsps.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-alg-tftps.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-cec-pe-globaloptionses.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-classificationprofiles.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-cne-addresslists.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-cne-portlists.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-cne-snatpools.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-context-secures.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-datagroups.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-ddos-policies.dos.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-dns-apps.dns.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-dns-caches.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-dns-zones.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-dynamicappscategorieses.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-fastl4-settings.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-fw-policies.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-ips-policies.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-log-hslpubs.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-log-profiles.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-nat-policies.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-net-staticroutes.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-net-vlans.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-pe-policies.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-pe-profiles.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-tcp-settings.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-udp-settings.k8s.f5net.com created
    customresourcedefinition.apiextensions.k8s.io/f5-big-zeroratingirules.k8s.f5net.com created
    
    f5bigdynamicappscategories.k8s.f5net.com/cec-apps-categories created
    
  4. List the installed CNFs CRDs:

    kubectl get crds | grep f5-big
    

    The CRD listing will contain the full list of CRDs:

    f5-big-alg-ftps.k8s.f5net.com                  2022-06-14T18:03:26Z
    f5-big-alg-pptps.k8s.f5net.com                 2022-06-14T18:03:26Z
    f5-big-alg-rtsps.k8s.f5net.com                 2022-06-14T18:03:26Z
    f5-big-alg-tftps.k8s.f5net.com                 2022-06-14T18:03:26Z
    f5-big-cec-pe-globaloptionses.k8s.f5net.com    2022-06-14T18:03:26Z
    f5-big-classificationprofiles.k8s.f5net.com    2022-06-14T18:03:26Z
    f5-big-cne-addresslists.k8s.f5net.com          2022-06-14T18:03:26Z
    f5-big-cne-portlists.k8s.f5net.com             2022-06-14T18:03:26Z
    f5-big-cne-snatpools.k8s.f5net.com             2022-06-14T18:03:26Z
    f5-big-context-secures.k8s.f5net.com           2022-06-14T18:03:26Z
    f5-big-datagroups.k8s.f5net.com                2022-06-14T18:03:26Z
    f5-big-ddos-policies.dos.k8s.f5net.com         2022-06-14T18:03:26Z
    f5-big-dns-apps.dns.k8s.f5net.com              2022-06-14T18:03:26Z
    f5-big-dns-caches.k8s.f5net.com                2022-06-14T18:03:26Z
    f5-big-dns-zones.k8s.f5net.com                 2022-06-14T18:03:26Z
    f5-big-dynamicappscategorieses.k8s.f5net.com   2022-06-14T18:03:26Z
    f5-big-fastl4-settings.k8s.f5net.com           2022-06-14T18:03:26Z
    f5-big-fw-policies.k8s.f5net.com               2022-06-14T18:03:26Z
    f5-big-ips-policies.k8s.f5net.com              2022-06-14T18:03:26Z
    f5-big-log-hslpubs.k8s.f5net.com               2022-06-14T18:03:26Z
    f5-big-log-profiles.k8s.f5net.com              2022-06-14T18:03:26Z
    f5-big-nat-policies.k8s.f5net.com              2022-06-14T18:03:26Z
    f5-big-net-staticroutes.k8s.f5net.com          2022-06-14T18:03:26Z
    f5-big-net-vlans.k8s.f5net.com                 2022-06-14T18:03:26Z
    f5-big-pe-policies.k8s.f5net.com               2022-06-14T18:03:26Z
    f5-big-pe-profiles.k8s.f5net.com               2022-06-14T18:03:26Z
    f5-big-tcp-settings.k8s.f5net.com              2022-06-14T18:03:26Z
    f5-big-udp-settings.k8s.f5net.com              2022-06-14T18:03:26Z
    f5-big-zeroratingirules.k8s.f5net.com          2022-06-14T18:03:26Z
    

Upload the images

Use the following steps to upload the CNFs software images to a local container registry.

  1. Install the CNFs images to your workstation’s Podman image store:

    podman load -i tar/cnf-docker-images.tgz
    
  2. List the CNF images to be tagged and pushed to the local container registry in the next step:

    podman images local.registry/*
    
    REPOSITORY                              TAG         IMAGE ID
    local.registry/f5-debug-sidecar         v5.54.3     a48ab5c12f96
    local.registry/f5-dssm-store            v1.21.0     5037f6eced8d
    local.registry/f5-dssm-upgrader         1.0.5       09ef63c78f9a
    local.registry/f5-fluentbit             v0.1.29     9fb5608ff56c
    local.registry/f5-fluentbit             v0.2.0      c4a875a37273
    local.registry/f5-fluentd               v1.4.9      c76475173491
    local.registry/f5-l4p-engine            v1.3.48     79ac6ac14b7e
    local.registry/f5-nsec-ips-daemon       v1.4.14     dbbdd0fd7adc
    local.registry/f5-toda-tmstatsd         v1.7.7      3b98fcca9779
    local.registry/f5dr-img                 v0.5.7      c398809553fd
    local.registry/f5dr-img-init            v0.5.7      7463a23b1459
    local.registry/f5ingress                v6.0.16     386ba15b7e0e
    local.registry/opentelemetry-collector  0.46.0      81b28598879e
    local.registry/tmm-img                  v2.0.5      c984e4fce366
    local.registry/tmrouted-img             v0.8.21     3c7bcc79f890
    
  3. Tag and push each image to the local container registry. For example:

    podman tag <local.registry/image name>:<version> <registry>/<image name>:<version>
    
    podman push <registry_name>/<image name>:<version>
    

    In this example, the f5ingress:v6.0.16 image is tagged and pushed to the remote registry registry.com:

    podman tag local.registry/f5ingress:v6.0.16 registry.com/f5ingress:v6.0.16
    
    podman push registry.com/f5ingress:v6.0.16
    
  4. Once all of the images have uploaded, verify the images exist in the local container registry:

    curl -X GET https://<registry>/v2/_catalog -u <user:pass>
    

    For example:

    curl -X GET https://registry.com/v2/_catalog -u cnfadmin:cnfadmin
    
    "repositories":["f5-debug-sidecar","f5-dssm-store","f5-fluentbit","f5-fluentd","f5-toda-tmstatsd","f5dr-img","f5ingress","tmm-img","tmrouted-img"]}
    

Next step

Continue to the CNFs Secrets guide to secure CNFs communications.

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.

Supplemental