Configuring NextGen Routes
Prerequisites
Clean up the partition in BIG-IP where the existing route config is deployed. Use the POST call below along with this AS3 Empty Declaration for cleanup.
mgmt/shared/appsvcs/declare
Note
Please update the “bigip-partition” name in the AS3 declaration with the partition name to be deleted.
Install the F5 CRDs using the following command:
kubectl create -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/config_examples/customResourceDefinitions/customresourcedefinitions.yml
Configuration
- Routegroup specific config for each namespace/namespaceLabel is provided as part of extendedSpec through ConfigMap.
- Global ConfigMap can be set using CIS deployment argument:
--route-spec-configmap="namespace/configmap-name"
- Controller mode should be set to Openshift to enable multiple VIP support:
--controller-mode="openshift"
- NextGen Route controller deployment parameters (--controller-mode="openshift") take precedence over legacy route deployment parameters (--manage-routes).
- The recommendation is to avoid using legacy Route deployment parameters while using the NextGen Route controller.
ExtendedSpecConfigmap
- ExtendedSpecConfigmap is used to provide common config for a routegroup, such as virtualservername, virtualserveraddress, policyCR, etc., which is applied to all routes in the group.
- Routegroup specific config for each namespace/namespaceLabel is provided as part of extendedRouteSpec in global ConfigMap.
Global ConfigMap
- Global ConfigMap provides control to the admin to create and maintain the resource configuration centrally.
- RBAC can be used to restrict modification of global ConfigMap by users with tenant level access.
- If any specific tenant requires modify access for routeconfig of their namespace, the admin can grant access by setting allowOverride to true in the extendedRouteSpec of the namespace.
- Base route configuration can be defined in Global ConfigMap. This cannot be overridden from local ConfigMap. This is an alternative to CIS deployment arguments.
Note
Global ConfigMap should be created in a namespace which CIS is monitoring.
Local ConfigMap
- Local ConfigMap is used to specify route config for namespace and allows tenant users access to fine-tune the route config. It is processed by CIS only when allowOverride is set to true in global ConfigMap for this namespace.
- Only one local ConfigMap is allowed per namespace. Local ConfigMap must have only one entry in the extendedRouteSpec list and that should be the current namespace only.
- Local ConfigMap is only supported when global ConfigMap defines the routeGroup using namespace.
Extended Route Config Parameters
Base Route Config Parameters
Base route configuration can be defined in Global ConfigMap. This cannot be overridden from local ConfigMap. This is an alternative to CIS deployment arguments.
Parameter | Required | Default | Description | ConfigMap |
---|---|---|---|---|
tlsCipher | Optional | N/A | Block to define TLS cipher parameters. | Global configMap |
defaultTLS | Optional | /Common/f5-default | Configures a cipher group in BIG-IP and references it here. Cipher group and ciphers are mutually exclusive; only use one. | Global configMap |
tlsCipher:
  tlsVersion: 1.3
  cipherGroup: /Common/f5-default
tlsCipher Config Parameters
Parameter | Required | Default | Description | ConfigMap |
---|---|---|---|---|
tlsVersion | Optional | 1.2 | Configures TLS version to be enabled on BIG-IP. TLS 1.3 is only supported on TMOS version 14.0+. | Global ConfigMap |
ciphers | Optional | DEFAULT | Configures a ciphersuite selection string. Cipher-group and ciphers are mutually exclusive; only use one. | Global configMap |
cipherGroup | Optional | /Common/f5-default | Configures a cipher group in BIG-IP and references it here. Cipher group and ciphers are mutually exclusive; only use one. | Global configMap |
Note
The parameters ciphers and cipherGroup are mutually exclusive. The cipherGroup is for TLS version 1.3 and ciphers is for TLS version 1.2.
defaultTLS Config Parameters
Parameter | Required | Default | Description | ConfigMap |
---|---|---|---|---|
clientSSL | Optional | | The client SSL profile. | Global ConfigMap |
serverSSL | Optional | | The server SSL profile. | Global ConfigMap |
reference | Required | | The Profile Object type. | Global ConfigMap |
defaultTLS schema:
defaultTLS:
  clientSSL: /Common/clientssl
  serverSSL: /Common/serverssl
  reference: bigip
Route Group Parameters
Parameter | Required | Default | Description | ConfigMap |
---|---|---|---|---|
allowOverride | Optional | | Allows users to override the namespace config. | Global ConfigMap only |
bigIpPartition | Optional | | Partition for creating the virtual server. The default is the partition defined in CIS deployment parameter. | Global ConfigMap only |
namespaceLabel | Required | | The namespace-label to group the routes. Note: namespaceLabel is mutually exclusive with namespace parameter. The --namespace-label parameter has to be defined in the CIS deployment to use the namespaceLabel in extended ConfigMap. | Global ConfigMap only |
policyCR | Optional | | The name of the Policy CR to attach profiles/policies defined in it. | Local and Global ConfigMap |
httpServerPolicyCR | Optional | | Name of Policy CR to attach profiles/policies defined in it to HTTP VS. | Local and Global ConfigMap |
namespace | Required | | The namespace to group the routes. | Local and Global ConfigMap |
vsAddress | Required | | The BIG-IP Virtual Server IP Address. | Local and Global ConfigMap |
vsName | Optional | auto | The name of the BIG-IP Virtual Server. | Local and Global ConfigMap |
Note
The parameters namespaceLabel and namespace are mutually exclusive. The --namespace-label parameter has to be defined in CIS deployment to use the namespaceLabel in extended ConfigMap.
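The Local ConfigMap rules and the ConfigMap column of the Route Group Parameters table can be checked before a tenant's ConfigMap is applied. The Python below is an added example, not F5 or CIS code; it takes already-parsed extendedRouteSpec lists, uses the key names from the tables on this page, and its function names and sample data are constructed for illustration.

```python
# Added example, not F5 code: lint route group entries against the rules on this page.
# Inputs are already-parsed extendedRouteSpec lists; key names follow the tables above.

# Parameters the Route Group table marks "Local and Global ConfigMap".
LOCAL_ALLOWED = {"namespace", "vsAddress", "vsName", "policyCR", "httpServerPolicyCR"}


def lint_global_entry(entry):
    """Findings for one route group entry in the global ConfigMap."""
    findings = []
    # namespace and namespaceLabel are mutually exclusive; one of them names the group.
    if ("namespace" in entry) == ("namespaceLabel" in entry):
        findings.append("set exactly one of namespace / namespaceLabel")
    if not entry.get("vsAddress"):
        findings.append("vsAddress is required")
    return findings


def lint_local_spec(local_ns, local_entries, global_entries):
    """Findings for a tenant's local ConfigMap living in namespace local_ns."""
    if len(local_entries) != 1:
        return ["local extendedRouteSpec must contain exactly one entry"]
    entry, findings = local_entries[0], []
    if entry.get("namespace") != local_ns:
        findings.append("entry must name the ConfigMap's own namespace")
    # allowOverride, bigIpPartition and namespaceLabel are "Global ConfigMap only".
    for key in sorted(set(entry) - LOCAL_ALLOWED):
        findings.append(f"{key} is not a local ConfigMap parameter")
    # Local config is processed only for a namespace-based group with allowOverride true.
    group = next((g for g in global_entries if g.get("namespace") == local_ns), None)
    if group is None:
        findings.append("no namespace-based route group in the global ConfigMap")
    elif group.get("allowOverride") is not True:
        findings.append("allowOverride is not true for this namespace")
    return findings


# Constructed sample data (namespaces, addresses and partition name are made up).
GLOBAL_SPEC = [
    {"namespace": "team-a", "vsAddress": "192.0.2.10", "allowOverride": True},
    {"namespace": "team-b", "vsAddress": "192.0.2.11", "allowOverride": False},
    {"namespaceLabel": "env=dev", "vsAddress": "192.0.2.12"},
]
GOOD_LOCAL = [{"namespace": "team-a", "vsAddress": "192.0.2.10", "policyCR": "team-a-policy"}]
BAD_LOCAL = [{"namespace": "team-b", "vsAddress": "192.0.2.11", "bigIpPartition": "other"}]

if __name__ == "__main__":
    print(lint_local_spec("team-a", GOOD_LOCAL, GLOBAL_SPEC))
    print(lint_local_spec("team-b", BAD_LOCAL, GLOBAL_SPEC))
```

An empty list means the entry satisfies the rules checked here; it does not validate addresses or confirm that a referenced Policy CR exists.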
Usage of policyCR and httpServerPolicyCR
- If only policyCR is used in a route group, then profiles/policies specified in it are applied to both HTTP and HTTPS virtual servers.
- If only httpServerPolicyCR is used in a route group, then profiles/policies specified in it are applied to only HTTP virtual server.
- If both policyCR and httpServerPolicyCR are used in a route group, then profiles/policies specified in policyCR are applied to HTTPS virtual server and profiles/policies specified in httpServerPolicyCR are applied to HTTP virtual server.