Last updated on: 2024-04-23 04:45:25.
Configuring NextGen Routes¶
Prerequisites¶
Clean up the partition in BIG-IP where the existing route config is deployed. Use the POST call below along with this AS3 Empty Declaration for cleanup.
mgmt/shared/appsvcs/declare
Note
Please update the “bigip-partition” name in the AS3 declaration with the partition name to be deleted.
To install F5 CRDs, run the following commands:
export CIS_VERSION=<cis-version> # For example # export CIS_VERSION=v2.12.0 kubectl create -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/${CIS_VERSION}/docs/config_examples/customResourceDefinitions/customresourcedefinitions.yml
Configuration¶
- Routegroup specific config for each namespace/namespaceLabel is provided as part of extendedSpec through ConfigMap.
- Extended ConfigMap can be set using CIS deployment argument:
--extended-spec-configmap="namespace/configmap-name" - Controller mode should be set to Openshift to enable multiple VIP support:
--controller-mode="openshift" - NextGen Route controller deployment parameters (–controller-mode=”openshift”) takes precedence over legacy route deployment parameters (–manage-routes)
- Recommendation is to avoid using legacy Route deployment parameters while using NextGen Route controller.
Extended ConfigMap¶
- Extended Confimap is used to provide common config for routegroup like virtualservername, virtualserveraddress, policyCR, etc., which is applied to all routes in the group.
- Routegroup specific config for each namespace/namespaceLabel is provided as part of extendedRouteSpec in extended ConfigMap.
Extended ConfigMap¶
- Extended ConfigMap provides control to the admin to create and maintain the resource configuration centrally.
- RBAC can be used to restrict modification of extended ConfigMap by users with tenant level access.
- If any specific tenant requires modify access for routeconfig of their namespace, the admin can grant access by setting allowOverride to true in the extendedRouteSpec of the namespace.
- Base route configuration can be defined in extended ConfigMap. This cannot be overridden using namespace based extended ConfigMap. This is an alternative to CIS deployment arguments.
Note
Extended ConfigMap should be created in a namespace which CIS is monitoring.
Extended Route Config Parameters¶
Base Route Config Parameters¶
Base route configuration can be defined in extended ConfigMap. This cannot be overridden from namespace based extended ConfigMap. This is an alternative to CIS deployment arguments.
| Parameter | Required | Default | Description |
|---|---|---|---|
| tlsCipher | Optional | N/A | Block to define TLS cipher parameters. |
| defaultTLS | Optional | /Common/f5-default | Configures a cipher group in BIG-IP and references it here. Cipher group and ciphers are mutually exclusive; only use one. |
tlsCipher:
tlsVersion: 1.3
cipherGroup: /Common/f5-default
tlsCipher Config Parameters
| Parameter | Required | Default | Description |
|---|---|---|---|
| tlsVersion | Optional | 1.2 | Configures TLS version to be enabled on BIG-IP. TLS 1.3 is only supported on TMOS version 14.0+. |
| ciphers | Optional | DEFAULT | Configures a ciphersuite selection string. Cipher-group and ciphers are mutually exclusive; only use one. |
| cipherGroup | Optional | /Common/f5-default | Configures a cipher group in BIG-IP and references it here. Cipher group and ciphers are mutually exclusive; only use one. |
Note
The parameters ciphers and cipherGroups are mutually exclusive. The cipherGroup is for TLS version 1.3 and ciphers is for TLS version 1.2.
defaultTLS Config Parameters
| Parameter | Required | Default | Description |
|---|---|---|---|
| clientSSL | Optional | The client SSL profile. | |
| serverSSL | Optional | The server SSL profile. | |
| reference | Required | The Profile Object type. |
defaultTLS schema:
defaultTLS:
clientSSL: /Common/clientssl
serverSSL: /Common/serverssl
reference: bigip
Route Group Parameters¶
| Parameter | Required | Default | Description |
|---|---|---|---|
| allowOverride | Optional | Allows users to override the namespace config. | |
| bigIpPartition | Optional | Partition for creating the virtual server. The default is the partition defined in CIS deployment parameter. | |
| namespaceLabel | Required | The namespace-label to group the routes. Note: namespaceLabel
is mutually exclusive with namespace parameter.
The --namespace-label parameter has to be defined in the CIS
deployment to use the namespaceLabel in extended ConfigMap. |
|
| policyCR | Optional | The name of the Policy CR to attach profiles/policies defined in it. | |
| httpServerPolicyCR | Optional | Name of Policy CR to attach profiles/policies defined in it to HTTP VS. | |
| namespace | Required | The namespace to group the routes. | |
| vsAddress | Required | The BIG-IP Virtual Server IP Address. | |
| vsName | Optional | auto | The name of the BIG-IP Virtual Server. |
Note
The parameters namespaceLabel and namespace are mutually exclusive. The --namespace-label parameter has to be defined in CIS deployment to use the namespaceLabel in extended ConfigMap.
Usage of policyCR and httpServerPolicyCR
- If only policyCR is used in a route group, then profiles/policies specified in it are applied to both HTTP and HTTPS virtual servers.
- If only httpServerPolicyCR is used in a route group, then profiles/policies specified in it are applied to only HTTP virtual server.
- If both policyCR and httpServerPolicyCR are used in a route group, then profiles/policies specified in policyCR are applied to HTTPS virtual server and profiles/policies specified in httpServerPolicyCR are applied to HTTP virtual server.
Overriding RouteGroups using namespace based extended ConfigMap¶
- Namespace based extended ConfigMap is used to specify route config for namespace and allows tenant users access to fine-tune the route config. It is processed by CIS only when allowOverride is set to true in extended ConfigMap for this namespace.
- Only one namespace based extended ConfigMap is allowed per namespace. Namespace based extended ConfigMap must have only one entry in the extendedRouteSpec list and that should be the current namespace only.
- Namespace based extended ConfigMap is only supported when extended ConfigMap defines the routeGroup using namespace.
| Parameter | Required | Default | Description |
|---|---|---|---|
| policyCR | Optional | The name of the Policy CR to attach profiles/policies defined in it. | |
| httpServerPolicyCR | Optional | Name of Policy CR to attach profiles/policies defined in it to HTTP VS. | |
| namespace | Required | The namespace to group the routes. | |
| vsAddress | Required | The BIG-IP Virtual Server IP Address. | |
| vsName | Optional | auto | The name of the BIG-IP Virtual Server. |
Note
To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.