Migrating from AS3 ConfigMaps to CRDs
This page describes how to migrate from user-defined AS3 ConfigMaps to CRDs. The AS3 ConfigMap hosts AS3 extensions, in JSON format, as a configuration artifact. CIS can manage and orchestrate BIG-IP declaratively through this ConfigMap.
In agent AS3 mode, CIS handles Ingress or Route resources by converting them into AS3 declarations before posting to BIG-IP. When an AS3 ConfigMap is configured along with Ingress or Routes, CIS manages the ConfigMap AS3 declaration and the Ingress or Route AS3 declaration separately. When sending an AS3 declaration to BIG-IP, CIS combines both into a single declaration and POSTs it to BIG-IP.
Note
- CIS does not watch for Ingress/Routes/ConfigMaps when deployed in CRD Mode.
- CIS does not support combining CRDs with Ingress, Routes, or ConfigMaps, so migrating from an AS3 ConfigMap to CRDs can cause some downtime.
The following example implements the same set of requirements first with an AS3 ConfigMap and then with CRDs.
```yaml
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will terminate the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
apiVersion: v1
data:
  template: |
    {"class": "AS3", "action": "deploy", "persist": true, "declaration": {"class": "ADC", "schemaVersion": "3.23.0", "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab915d-as3configmap", "label": "as3configmap", "remark": "AS3 Declation for as3configmap", "as3configmap_tnt_0": {"class": "Tenant", "as3configmap_tnt_0_https0": {"class": "Application", "template": "https", "serviceMain": {"class": "Service_HTTPS", "virtualAddresses": ["172.16.3.9"], "pool": "as3configmap_tnt_0_https0_p0", "serverTLS": "as3configmap_tnt_0_https0_ssl_0", "persistenceMethods": []}, "as3configmap_tnt_0_https0_p0": {"class": "Pool", "monitors": ["http"], "members": [{"servicePort": 80, "shareNodes": false, "serverAddresses": []}]}, "as3configmap_tnt_0_https0_ssl_0": {"class": "TLS_Server", "certificates": [{"certificate": "as3configmap_tnt_0_https0_cert_0"}]}, "as3configmap_tnt_0_https0_cert_0": {"class": "Certificate", "remark": "in practice we recommend using a passphrase", "certificate": "", "privateKey": "", "passphrase": {"ciphertext": "ZjVmNQ==", "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0", "ignoreChanges": true}}}}}}
kind: ConfigMap
metadata:
  labels:
    as3: "true"
    f5type: virtual-server
  name: as3configmap
  namespace: default
```
```yaml
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will terminate the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
kind: Service
metadata:
  labels:
    cis.f5.com/as3-app: as3configmap_tnt_0_https0
    cis.f5.com/as3-pool: as3configmap_tnt_0_https0_p0
    cis.f5.com/as3-tenant: as3configmap_tnt_0
  name: as3configmap-tnt-0-https0-p0
  namespace: default
spec:
  ports:
  - name: as3configmap-tnt-0-https0-p0-80
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: as3configmap-tnt-0-https0-p0
  type: NodePort
```
```yaml
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will terminate the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: as3configmap-tnt-0-https0-p0
  name: as3configmap-tnt-0-https0-p0
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: as3configmap-tnt-0-https0-p0
  template:
    metadata:
      labels:
        app: as3configmap-tnt-0-https0-p0
    spec:
      containers:
      - env:
        - name: service_name
          value: as3configmap-tnt-0-https0-p0
        image: f5networksdevel/test-nginx:latest
        imagePullPolicy: Always
        name: as3configmap-tnt-0-https0-p0
        ports:
        - containerPort: 80
          protocol: TCP
```
The equivalent CRD resources for the above ConfigMap are as follows:
```yaml
# Virtual Server
apiVersion: cis.f5.com/v1
kind: VirtualServer
metadata:
  labels:
    f5cr: "true"
  # Kubernetes object names must be lowercase RFC 1123 names (no capitals or underscores)
  name: servicemain
  namespace: default
spec:
  # Must match metadata.name of the TLSProfile below
  tlsProfileName: as3configmap-tnt-0-https0-ssl-0
  host: foo.com
  pools:
  - path: /
    # Name of the Kubernetes Service defined above
    service: as3configmap-tnt-0-https0-p0
    servicePort: 80
  virtualServerAddress: 172.16.3.9
```
```yaml
# TLSProfile
apiVersion: cis.f5.com/v1
kind: TLSProfile
metadata:
  labels:
    f5cr: "true"
  name: as3configmap-tnt-0-https0-ssl-0
  namespace: default
spec:
  hosts:
  - foo.com
  tls:
    clientSSL: pytest-example-secret
    reference: secret
    termination: edge
```
```yaml
# K8s Secret
apiVersion: v1
data:
  tls.crt: <--PEM_FORMAT_CERTIFICATE-->
  tls.key: <--PEM_FORMAT_KEY-->
kind: Secret
metadata:
  name: pytest-example-secret
  namespace: default
type: kubernetes.io/tls
```
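The following Python script is an added example, not part of the CIS documentation: it walks the AS3 template from the ConfigMap above and lists what each Service_HTTPS and Certificate object has to become on the CRD side, including the key material that moves out of the ConfigMap into a kubernetes.io/tls Secret. The helper names, the underscore-to-hyphen naming rule and the trimmed sample template are assumptions; the `host` field does not exist in the AS3 declaration and has to be supplied separately.

```python
import base64
import json

# Constructed sample: the AS3 template from the ConfigMap above, trimmed to the
# fields this walk reads (the key material is empty on the page as well).
TEMPLATE = """{"class": "AS3", "declaration": {"class": "ADC",
 "as3configmap_tnt_0": {"class": "Tenant",
  "as3configmap_tnt_0_https0": {"class": "Application",
   "serviceMain": {"class": "Service_HTTPS", "virtualAddresses": ["172.16.3.9"],
     "pool": "as3configmap_tnt_0_https0_p0",
     "serverTLS": "as3configmap_tnt_0_https0_ssl_0"},
   "as3configmap_tnt_0_https0_p0": {"class": "Pool", "members": [{"servicePort": 80}]},
   "as3configmap_tnt_0_https0_cert_0": {"class": "Certificate", "privateKey": "",
     "passphrase": {"ciphertext": "ZjVmNQ==",
                    "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"}}}}}}"""

def k8s_name(as3_name):
    """Assumed naming rule: AS3 names allow '_' and capitals, Kubernetes names do not."""
    return as3_name.replace("_", "-").lower()

def jose_header(protected):
    """Decode the base64url 'protected' header of an AS3 passphrase object."""
    padded = protected + "=" * (-len(protected) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def children(node, cls):
    """Return (name, object) pairs of the AS3 child objects with the given class."""
    return [(k, v) for k, v in node.items() if isinstance(v, dict) and v.get("class") == cls]

def plan_migration(template):
    """Return (virtual_servers, secrets_to_create, warnings) for one AS3 template."""
    decl = json.loads(template)["declaration"]
    virtual_servers, secrets, warnings = [], [], []
    for _, tenant in children(decl, "Tenant"):
        for _, app in children(tenant, "Application"):
            for name, svc in children(app, "Service_HTTPS"):
                virtual_servers.append({
                    "name": k8s_name(name),
                    "virtualServerAddress": svc["virtualAddresses"][0],
                    "tlsProfileName": k8s_name(svc["serverTLS"]),
                    "service": k8s_name(svc["pool"]),
                    "servicePort": app[svc["pool"]]["members"][0]["servicePort"],
                })
            for name, cert in children(app, "Certificate"):
                secrets.append(k8s_name(name))  # key material goes into a kubernetes.io/tls Secret
                header = jose_header(cert.get("passphrase", {}).get("protected", "e30"))
                if header.get("enc") == "none":  # ciphertext is only base64-encoded
                    warnings.append(f"{name}: passphrase is base64 only (enc=none)")
    return virtual_servers, secrets, warnings
```

Run `plan_migration` over each `template` value exported from the existing ConfigMaps before switching CIS to CRD mode, and create the listed Secrets first so the TLSProfile reference resolves.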