Migrating from AS3 ConfigMaps to CRDs

This page describes how to migrate from user-defined AS3 ConfigMaps to CRDs. The AS3 ConfigMap hosts AS3 extensions, in JSON format, as a configuration artifact. CIS can manage and orchestrate BIG-IP declaratively through this ConfigMap.

In agent AS3 mode, CIS handles Ingress or Route resources by converting them into AS3 declarations before posting them to BIG-IP. When an AS3 ConfigMap is configured along with Ingress or Route resources, CIS manages the ConfigMap declaration and the Ingress or Route declarations separately. When sending configuration to BIG-IP, CIS combines them into a single AS3 declaration and POSTs it to BIG-IP.

Note

  • CIS does not watch for Ingress/Routes/ConfigMaps when deployed in CRD Mode.
  • CIS does not support combining CRDs with Ingress, Routes, or ConfigMaps, so migrating from an AS3 ConfigMap to CRDs can cause some downtime.

The example below shows an AS3 ConfigMap and the equivalent CRDs for the same set of requirements.

as3configmap.yaml
 # Please edit the object below. Lines beginning with a '#' will be ignored,
 # and an empty file will terminate the edit. If an error occurs while saving this file will be
 # reopened with the relevant failures.
 apiVersion: v1
 data:
   template: |
     {"class": "AS3", "action": "deploy", "persist": true, "declaration": {"class": "ADC", "schemaVersion": "3.23.0", "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab915d-as3configmap", "label": "as3configmap", "remark": "AS3 Declation for as3configmap", "as3configmap_tnt_0": {"class": "Tenant", "as3configmap_tnt_0_https0": {"class": "Application", "template": "https", "serviceMain": {"class": "Service_HTTPS", "virtualAddresses": ["172.16.3.9"], "pool": "as3configmap_tnt_0_https0_p0", "serverTLS": "as3configmap_tnt_0_https0_ssl_0", "persistenceMethods": []}, "as3configmap_tnt_0_https0_p0": {"class": "Pool", "monitors": ["http"], "members": [{"servicePort": 80, "shareNodes": false, "serverAddresses": []}]}, "as3configmap_tnt_0_https0_ssl_0": {"class": "TLS_Server", "certificates": [{"certificate": "as3configmap_tnt_0_https0_cert_0"}]}, "as3configmap_tnt_0_https0_cert_0": {"class": "Certificate", "remark": "in practice we recommend using a passphrase", "certificate": "", "privateKey": "", "passphrase": {"ciphertext": "ZjVmNQ==", "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0", "ignoreChanges": true}}}}}}
 kind: ConfigMap
 metadata:
   labels:
     as3: "true"
     f5type: virtual-server
   name: as3configmap
   namespace: default

service.yaml
 # Please edit the object below. Lines beginning with a '#' will be ignored,
 # and an empty file will terminate the edit. If an error occurs while saving this file will be
 # reopened with the relevant failures.
 #
 apiVersion: v1
 kind: Service
 metadata:
   labels:
     cis.f5.com/as3-app: as3configmap_tnt_0_https0
     cis.f5.com/as3-pool: as3configmap_tnt_0_https0_p0
     cis.f5.com/as3-tenant: as3configmap_tnt_0
   name: as3configmap-tnt-0-https0-p0
   namespace: default
 spec:
   ports:
   - name: as3configmap-tnt-0-https0-p0-80
     port: 80
     protocol: TCP
     targetPort: 80
   selector:
     app: as3configmap-tnt-0-https0-p0
   type: NodePort

deployment.yaml
 # Please edit the object below. Lines beginning with a '#' will be ignored,
 # and an empty file will terminate the edit. If an error occurs while saving this file will be
 # reopened with the relevant failures.
 #
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
     app: as3configmap-tnt-0-https0-p0
   name: as3configmap-tnt-0-https0-p0
   namespace: default
 spec:
   replicas: 2
   selector:
     matchLabels:
       app: as3configmap-tnt-0-https0-p0
   template:
     metadata:
       labels:
         app: as3configmap-tnt-0-https0-p0
     spec:
       containers:
       - env:
         - name: service_name
           value: as3configmap-tnt-0-https0-p0
         image: f5networksdevel/test-nginx:latest
         imagePullPolicy: Always
         name: as3configmap-tnt-0-https0-p0
         ports:
         - containerPort: 80
           protocol: TCP

The CRDs equivalent to the above ConfigMap are shown below:


deployment.yaml
# Virtual Server
apiVersion: cis.f5.com/v1
kind: VirtualServer
metadata:
  labels:
    f5cr: "true"
  # Kubernetes object names must be lowercase DNS-1123 names (no uppercase, no underscores)
  name: servicemain
  namespace: default
spec:
  # Must match metadata.name of the TLSProfile below
  tlsProfileName: as3configmap-tnt-0-https0-ssl-0
  host: foo.com
  pools:
    - path: /
      # Name of the Kubernetes Service defined in service.yaml
      service: as3configmap-tnt-0-https0-p0
      servicePort: 80
  virtualServerAddress: 172.16.3.9

deployment.yaml
# TLSProfile
apiVersion: cis.f5.com/v1
kind: TLSProfile
metadata:
  labels:
    f5cr: "true"
  name: as3configmap-tnt-0-https0-ssl-0
  namespace: default
spec:
  hosts:
    - foo.com
  # tls belongs under spec; clientSSL names the Kubernetes Secret holding the certificate and key
  tls:
    clientSSL: pytest-example-secret
    reference: secret
    termination: edge

deployment.yaml
# K8s Secret
apiVersion: v1
data:
 tls.crt: <--PEM_FORMAT_CERTIFICATE-->
 tls.key: <--PEM_FORMAT_KEY-->
kind: Secret
metadata:
 name: pytest-example-secret
 namespace: default
type: kubernetes.io/tls
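
Before removing the ConfigMap, it helps to list what each declaration defines and where it carries key material, since the CRD version above moves the certificate and key into a kubernetes.io/tls Secret and a JOSE header of enc=none means the passphrase is only encoded, not encrypted. The Python script below is an added example, not part of the F5 documentation or CIS; `plan_migration`, `jose_header` and the trimmed `SAMPLE` declaration are hypothetical names and constructed input.

```python
import base64
import json

# Constructed sample: trimmed from the as3configmap.yaml template on this page.
SAMPLE = json.dumps({"class": "AS3", "declaration": {"class": "ADC", "as3configmap_tnt_0": {
    "class": "Tenant", "as3configmap_tnt_0_https0": {"class": "Application",
        "serviceMain": {"class": "Service_HTTPS", "virtualAddresses": ["172.16.3.9"],
                        "pool": "as3configmap_tnt_0_https0_p0",
                        "serverTLS": "as3configmap_tnt_0_https0_ssl_0"},
        "as3configmap_tnt_0_https0_p0": {"class": "Pool", "members": [{"servicePort": 80}]},
        "as3configmap_tnt_0_https0_cert_0": {
            "class": "Certificate", "certificate": "", "privateKey": "",
            "passphrase": {"ciphertext": "ZjVmNQ==",
                           "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"}}}}}})


def jose_header(protected):
    """Decode the unpadded base64url JOSE header of an AS3 passphrase object."""
    padded = protected + "=" * (-len(protected) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def plan_migration(template):
    """Return (virtual_servers, findings) for one AS3 ConfigMap template string."""
    top = json.loads(template)
    servers, findings = [], []
    # Accept either the AS3 wrapper object or a bare ADC declaration.
    for t_name, tenant in top.get("declaration", top).items():
        if not (isinstance(tenant, dict) and tenant.get("class") == "Tenant"):
            continue
        for a_name, app in tenant.items():
            if not (isinstance(app, dict) and app.get("class") == "Application"):
                continue
            for o_name, obj in app.items():
                cls = obj.get("class", "") if isinstance(obj, dict) else ""
                where = f"{t_name}/{a_name}/{o_name}"
                if cls.startswith("Service_"):  # becomes a VirtualServer CRD
                    ref = obj.get("pool")
                    pool = app.get(ref, {}) if isinstance(ref, str) else {}
                    servers.append({
                        "virtualServerAddress": (obj.get("virtualAddresses") or [None])[0],
                        "pool": ref, "needsTLSProfile": "serverTLS" in obj,
                        "servicePorts": [m.get("servicePort") for m in pool.get("members", [])]})
                elif cls == "Certificate":  # becomes a kubernetes.io/tls Secret
                    if "privateKey" in obj:  # key material stored in a ConfigMap
                        findings.append((where, "privateKey field in ConfigMap"))
                    hdr = (obj.get("passphrase") or {}).get("protected")
                    if hdr and jose_header(hdr).get("enc") == "none":
                        findings.append((where, "passphrase enc=none (base64 only)"))
    return servers, findings
```

Run it on the template value of each ConfigMap labelled as3: "true" before switching CIS to CRD mode.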
