Last updated on: 2024-03-19 12:22:57.

NextGenController

This page documents the behavior of NextGenController. See the Known Issues for more information on features not supported.

NextGenRoute Controller uses an extended ConfigMap to extend the native resources (Routes/Ingress); in this release, Routes are extended through that ConfigMap. NextGen Routes also add support for multiple partitions, the Policy CR, and the ExternalDNS CR.

Multiple VIP and Partition support for routes

  • The current CIS implementation creates a single VIP and partition for all configured routes. NextGen Routes add support for creating multiple VIPs on BIG-IP, each mapped to a route group created per namespace/namespaceLabel.
  • All the routes in the namespace/namespaceLabel are treated as part of one routegroup.
  • One virtual server (VIP) is created for each routegroup and maps to each tenant on BIG-IP.
  • CIS processes multiple tenant information and still sends the single unified declaration to BIG-IP to avoid multiple posts to BIG-IP.

Note

AS3 post call is formed as mgmt/shared/appsvcs/declare/tenant1,tenant2.

GSLB support for routes

  • Prerequisite: You will need AS3 version 3.41.0 or newer to use the EDNS feature.
  • For every EDNS resource created, CIS will add a virtual server with a matching domain as the Wide IP pool member.

Policy CR support for routes

Policy CR integration with NextGen Routes brings many BIG-IP features to OpenShift routes, including SNAT, custom TCP, HTTP and HTTPS profiles, iRules, HTTP2 profile, persistence profile, profileMultiplex, profileL4, logProfiles, WAF, botDefense, firewallPolicy, DOS, allowSourceRange, etc.

Note

Policy CR should be created in a namespace which CIS is monitoring.

WAF precedence

WAF can be specified either in route annotations or in the Policy CR. If specified in both, the WAF in the Policy CR takes precedence over the annotation. However, if the allowOverride field is set to true for the route group in the extended ConfigMap, the WAF in the route annotation takes precedence. WAF specified in route annotations is configured at the LTM Policy level, whereas WAF in the Policy CR is configured at the virtual server (VIP) level.

Allow source range precedence

Allow source range can be specified either in route annotations or in the Policy CR. If specified in both, the allow source range in the Policy CR takes precedence over the annotation. However, if the allowOverride field is set to true for the route group in the extended ConfigMap, the allow source range in the route annotation takes precedence.

SSL Profiles precedence

  • SSL can be specified in the route as a certificate (spec certs), in a route annotation as a BIG-IP reference or secret, or as default SSL profiles in the extended ConfigMap.
  • If a route is defined with both a certificate (spec certs) and an SSL annotation, the route annotation takes precedence, followed by the route certificate (spec certs).
  • Default SSL profiles in the extended ConfigMap have the lowest precedence and are applied to the whole route group when the group contains a route without a certificate (spec certs) and without SSL annotations.
  • If all routes in a route group contain only certificates (spec certs), then only the certificates (spec certs) are used.
  • If routes in a route group are defined with a combination of certificates (spec certs) and SSL annotations, then the SSL annotation or the default SSL profiles in the extended ConfigMap take precedence over spec certs for that route group.
  • It is recommended to use either only certificates (spec certs) or only BIG-IP profiles across the route group and the extended ConfigMap. A combination of certificates (spec certs) and BIG-IP profiles is not supported within a route group.
  • Example of Route with SSL profiles annotation reference to BIG-IP
  • Example of Route with SSL profiles annotation reference to secret
  • Example of Extended ConfigMap with defaultTLS
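The WAF, allow-source-range and SSL precedence rules above, modelled as a small Python resolver. This is an added example, not code from CIS; the Route and RouteGroup fields are this example's own simplification (they are not the real annotation or ConfigMap keys), and the `mixed` flag is the example's way of surfacing the unsupported certs-plus-profiles combination.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Route:  # per-route inputs; field names are this example's own
    name: str
    spec_certs: bool = False              # certificate carried in the route spec (spec certs)
    ssl_annotation: Optional[str] = None  # SSL annotation: BIG-IP profile reference or secret
    waf_annotation: Optional[str] = None
    allow_source_range: Optional[List[str]] = None

@dataclass
class RouteGroup:  # route-group inputs from the extended ConfigMap and the Policy CR
    allow_override: bool = False          # allowOverride on the route group
    default_tls: Optional[str] = None     # defaultTLS profile in the extended ConfigMap
    policy_waf: Optional[str] = None      # WAF from the Policy CR
    policy_allow_source_range: Optional[List[str]] = None

def resolve_waf(route: Route, group: RouteGroup) -> Tuple[Optional[str], Optional[str]]:
    """Policy CR wins over the annotation unless allowOverride is true. Returns
    (policy, attach point): the annotation attaches at the LTM policy, the CR at the VIP."""
    if route.waf_annotation and group.policy_waf and not group.allow_override:
        return group.policy_waf, "virtual-server"
    if route.waf_annotation:
        return route.waf_annotation, "ltm-policy"
    return (group.policy_waf, "virtual-server") if group.policy_waf else (None, None)

def resolve_allow_source_range(route: Route, group: RouteGroup) -> Optional[List[str]]:
    """Same rule as WAF: Policy CR wins unless allowOverride is true."""
    if route.allow_source_range and group.policy_allow_source_range and not group.allow_override:
        return group.policy_allow_source_range
    return route.allow_source_range or group.policy_allow_source_range

def resolve_group_ssl(routes: List[Route], group: RouteGroup) -> Tuple[Dict[str, str], bool]:
    """Per-route SSL source for one route group. The flag marks the unsupported mix of
    spec certs with BIG-IP profiles (annotation or defaultTLS) inside one group."""
    if all(r.spec_certs and not r.ssl_annotation for r in routes):
        return {r.name: "spec-certs" for r in routes}, False  # certs only: certs win
    chosen: Dict[str, str] = {}
    for r in routes:
        if r.ssl_annotation:          # annotation beats spec certs on the same route
            chosen[r.name] = "annotation:" + r.ssl_annotation
        elif group.default_tls:       # defaultTLS beats spec certs once the group is not certs-only
            chosen[r.name] = "defaultTLS:" + group.default_tls
        else:
            chosen[r.name] = "spec-certs" if r.spec_certs else "none"
    uses_profiles = bool(group.default_tls) or any(r.ssl_annotation for r in routes)
    mixed = uses_profiles and any(r.spec_certs for r in routes)
    return chosen, mixed
```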

Support for Health Monitors from pod liveness probe

CIS uses the liveness probe of the pods to form the health monitors whenever health annotations are not provided in the route annotations.

Legacy vs Next Generation Routes feature comparison

Features                Legacy Routes   Next-Gen Routes
Insecure                Yes             Yes
Secure                  Yes             Yes
Health Monitors         Yes             Yes
WAF                     Yes             Yes
iRules                  Yes             Yes
iRuleList               No              Yes
Multiple VIP            No              Yes
Multiple Partition      No              Yes
SSL Profiles            Yes             Yes
Load Balancing Method   Yes             Yes
allow-source-range      Yes             Yes
URL-rewrite             Yes             Yes
App-rewrite             Yes             Yes
A/B Deployment          Yes             Yes
Policy CR               No              Yes

See GitHub for more details.

Next Gen Route Guides

Note

To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.