The F5 IngressLink solution addresses modern app delivery at scale. IngressLink is a resource definition defined between BIG-IP and NGINX using F5 Container Ingress Service and NGINX Ingress Service.
F5 IngressLink is the first true integration between BIG-IP and NGINX technologies. F5 IngressLink was built to support customers with modern, container application workloads that use both BIG-IP Container Ingress Services and NGINX Ingress Controller for Kubernetes. It’s an elegant control plane solution that offers a unified method of working with both technologies from a single interface—offering the best of BIG-IP and NGINX and fostering better collaboration across NetOps and DevOps teams. The diagram below demonstrates this use case.
This architecture diagram demonstrates the IngressLink solution:
Update the virtualServerAddress parameter in the ingresslink.yaml resource. This IP address will be used to configure the BIG-IP device. It will be used to accept traffic and load balance it among the NGINX Ingress Controller pods.
The name of the IngressLink resource should be the same which is defined during NGINX Ingress Controller installation.
The selector in the IngressLink resource is the same as the Service labels configured in nginx-ingress-ingresslink service during NGINX Ingress Controller installation.
The IngressLink must belong to the same namespace as the Ingress Controller pod -nginx-ingress or the namespace used for installing the Helm chart.
The Ingress Controller pods are behind the IP configured in Step 4 (virtualServerAddress parameter). Test the traffic (in this example we used 192.168.10.5 as our VirtualServerAddress) by running the following command:
$ curl --resolve cafe.example.com:443:192.168.10.5 https://cafe.example.com:443/coffee --insecure
Server address: 10.12.0.18:80
Server name: coffee-7586895968-r26zns
apiVersion:"cis.f5.com/v1"kind:IngressLinkmetadata:name:nginx-ingressnamespace:nginx-ingressspec:ipamLabel:"Dev".# `ipamLabel` option allows the user manage the virtual server address using the F5 IPAM controller.iRules:-/Common/Proxy_Protocol_iRuleselector:matchLabels:app:ingresslink
CRD now supports the MultiPartition feature for ingressLink CR, where the user can provision BIG-IP in multiple partitions. This helps to easily manage the bigipConfig among the partitions. The MultiPartition feature also helps to improve performance, as CIS processes only the partition when there is a change, instead of sending a unified AS3 declaration to all of the partitions on the BIG-IP every time a change/event is detected.
CIS processes multiple tenant information and still sends the single unified declaration to BIG-IP to avoid multiple posts to BIG-IP for the first time.
The AS3 post call is formed as mgmt/shared/appsvcs/declare/tenant1,tenant2.
Multiple VirtualServers do not share the same virtual server address across multiple partitions. F5 does not currently support VS sharing the same host group or host with the same address in multiple partitions. The following rules apply for all VS resources.
- Virtual servers with the same host group should be in one partition.
- Virtual servers with the same host should be in one partition.
- Virtual servers with the same VS address should be in one partition.
- Virtual servers cannot share the same VIP across multiple partitions, irrespective of port.
This feature is enabled by using ingress annotation virtual-server.f5.com/partition.
apiVersion:"cis.f5.com/v1"kind:IngressLinkmetadata:name:nginx-ingressnamespace:nginx-ingressspec:ipamLabel:"Dev".# `ipamLabel` option allows the user manage the virtual server address using the F5 IPAM controller.iRules:-/Common/Proxy_Protocol_iRulepartition:devselector:matchLabels:app:ingresslink