Last updated on: 2024-02-02 07:01:42.

OpenShift 4.12 and F5 BIG-IP Container Ingress Services (CIS) User-Guide for High Availability BIG-IP using OVN-Kubernetes iCNI with NO Tunnels

This document demonstrates how to use OVN-Kubernetes with F5 BIG-IP HA Routes to ingress traffic without using an overlay. Using OVN-Kubernetes with F5 BIG-IP Routes removes the complexity of creating VXLAN tunnels or using Calico. This document demonstrates High Availability (HA) BIG-IPs working with OVN-Kubernetes. The diagram below shows an OpenShift cluster with three master nodes and three worker nodes. Three applications (tea, coffee and mocha) are deployed in the cafe namespace.

../../_images/openshift-4-12-cluster-1.png

Configuration Steps

Note

The configuration below has been validated on OCP versions 4.11 and 4.12.

Step 1: Deploy OpenShift using OVNKubernetes

Deploy the OpenShift cluster with networkType set to OVNKubernetes. Change the default to OVNKubernetes in install-config.yaml before creating the cluster. Starting with OpenShift 4.12, networkType is OVNKubernetes by default.

Step 2: Deploy extended ConfigMap

Using extended ConfigMap

  • Extended ConfigMap provides control to the admin to create and maintain the resource configuration centrally.
  • namespace: cafe, vserverAddr: 10.192.125.65
apiVersion: v1
kind: ConfigMap
metadata:
    name: extended-cm
    namespace: kube-system
    labels:
        f5nr: "true"
data:
    extendedSpec: |
        extendedRouteSpec:
        - namespace: cafe
          vserverAddr: 10.192.125.65
          vserverName: cafe
          allowOverride: true

Deploy extended ConfigMap

oc create -f extended-cm.yaml

ConfigMap repo

Step 3: Deploy CIS for each BIG-IP

F5 BIG-IP Container Ingress Services (CIS) is called the Next Generation Route Controller. The Next Generation Route Controller extends F5 CIS to use multiple virtual IP addresses. Previously, F5 BIG-IP CIS could only manage one virtual IP address per CIS instance.

Add the following parameters to the CIS deployment:

  • Routegroup-specific config for each namespace is provided as part of extendedSpec through the ConfigMap.
  • ConfigMap info is passed to CIS with the argument --extended-spec-configmap="namespace/configmap-name".
  • Controller mode should be set to openshift to enable multiple VIP support: --controller-mode="openshift".
  • Static routing mode should be set to true, which allows CIS to automate static route creation and deletion.

Set --static-routing-mode=true and --orchestration-cni=ovn-k8s to enable this feature.

Note

This feature is supported beginning in CIS v2.13. The default value of --static-routing-mode is false, and the default value of --orchestration-cni is flannel. For more details, refer to StaticRouteSupport.

See also

The k8s-bigip-ctlr documentation for information about all config options https://clouddocs.f5.com/containers/latest/

BIG-IP 01

args: [
  "--bigip-username=$(BIGIP_USERNAME)",
  "--bigip-password=$(BIGIP_PASSWORD)",
  "--bigip-url=10.192.125.60",
  "--bigip-partition=OpenShift",
  "--namespace=cafe",
  "--pool-member-type=cluster",
  "--insecure=true",
  "--extended-spec-configmap=kube-system/extended-cm",
  "--controller-mode=openshift",
  "--static-routing-mode=true",
  "--orchestration-cni=ovn-k8s",
  "--as3-validation=true",
  "--log-as3-response=true",
]

BIG-IP 02

args: [
  "--bigip-username=$(BIGIP_USERNAME)",
  "--bigip-password=$(BIGIP_PASSWORD)",
  "--bigip-url=10.192.125.61",
  "--bigip-partition=OpenShift",
  "--namespace=cafe",
  "--pool-member-type=cluster",
  "--insecure=true",
  "--extended-spec-configmap=kube-system/extended-cm",
  "--controller-mode=openshift",
  "--static-routing-mode=true",
  "--orchestration-cni=ovn-k8s",
  "--as3-validation=true",
  "--log-as3-response=true",
]
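
A pre-flight check for the two manifests above, as an added example that is not part of the F5 guide: it confirms each CIS instance carries the flags this guide requires, flags --insecure=true (which turns off validation of the BIG-IP's TLS certificate), and reports any argument other than --bigip-url that differs between the HA pair. The manifest paths and sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the F5 guide): lint the args of the HA pair's CIS manifests.
REQUIRED='--controller-mode=openshift --static-routing-mode=true
--orchestration-cni=ovn-k8s --extended-spec-configmap=kube-system/extended-cm'

# List every "--flag=value" argument in a manifest, one per line, sorted.
cis_args() { grep -o -e '--[a-z0-9-]*=[^",]*' "$1" | sort; }

# Print findings for one manifest; return 1 if a flag this guide requires is absent.
check_cis_args() {
    rc=0
    for flag in $REQUIRED; do
        cis_args "$1" | grep -qxF -e "$flag" || { echo "MISSING $flag"; rc=1; }
    done
    if cis_args "$1" | grep -qxF -e '--insecure=true'; then
        echo "WARN --insecure=true: TLS certificate of the BIG-IP is not validated"
    fi
    return $rc
}

# Print args that differ between the two instances; --bigip-url is expected to differ.
ha_drift() {
    cis_args "$1" | grep -v '^--bigip-url=' > "$1.args" || true
    cis_args "$2" | grep -v '^--bigip-url=' > "$2.args" || true
    diff "$1.args" "$2.args"
}

# Constructed sample manifests (hypothetical paths): 01 uses the guide's args,
# 02 has lost --orchestration-cni, so it would fall back to the flannel default.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/ctlr-01.yaml" <<'EOF'
args: [
  "--bigip-username=$(BIGIP_USERNAME)",
  "--bigip-url=10.192.125.60",
  "--insecure=true",
  "--extended-spec-configmap=kube-system/extended-cm",
  "--controller-mode=openshift",
  "--static-routing-mode=true",
  "--orchestration-cni=ovn-k8s",
]
EOF
sed -e '/orchestration-cni/d' -e 's/125\.60/125.61/' \
    "$SAMPLES/ctlr-01.yaml" > "$SAMPLES/ctlr-02.yaml"

for f in "$SAMPLES"/ctlr-0[12].yaml; do
    echo "== $f"; check_cis_args "$f" || echo "-> fix before 'oc create -f'"
done
ha_drift "$SAMPLES/ctlr-01.yaml" "$SAMPLES/ctlr-02.yaml" || echo "-> HA pair args differ"
```

Point the two function calls at the real deployment files before running the oc create commands; a MISSING line or any drift output means one BIG-IP of the pair would be configured differently from the other.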

Deploy CIS in OpenShift

oc create secret generic bigip-login -n kube-system --from-literal=username=admin --from-literal=password=<secret>
oc create -f bigip-ctlr-clusterrole.yaml
oc create -f f5-bigip-ctlr-01-deployment.yaml
oc create -f f5-bigip-ctlr-02-deployment.yaml

CIS repo

Validate that both instances are running:

# oc get pod -n kube-system

Name Ready Status Restarts Age
k8s-bigip-ctlr-01-deployment-7cc8b7cf94-2csz7 1/1 Running 0 16s
k8s-bigip-ctlr-02-deployment-5c8d8c4676-hjwpr 1/1 Running 0 16s

Step 4: Verify BIG-IP Static Routes

CIS provisions static routes on BIG-IP when the deployment parameter --static-routing-mode=true is set.

View static routes created on BIG-IP with node subnets assigned for the three worker nodes in the OpenShift cluster.

The image below shows the static routes created on BIG-IP with the CIS configuration --static-routing-mode=true and --shared-static-routes=true.

../../_images/openshift-4-12-static-route.png

Setup complete! Deploy CIS and create OpenShift Routes

Step 5: Creating OpenShift Routes for cafe.example.com

Use case for the OpenShift Routes:

  • Edge Termination
  • Backend listening on PORT 8080

Create OpenShift Routes:

oc create -f route-tea-edge.yaml
oc create -f route-coffee-edge.yaml
oc create -f route-mocha-edge.yaml

Routes repo

Validation

Step 1: Validate OpenShift Routes using the BIG-IP

../../_images/openshift-4-12-standalone-virtual-server-list.png

Step 2: Validate OpenShift Virtual IP using the BIG-IP

../../_images/openshift-4-12-standalone-cafe-443.png

Step 3: Validate OpenShift Routes policies on the BIG-IP

../../_images/openshift-4-12-standalone-cafe-443-policy-1.png

Step 4: Validate OpenShift Routes policies by connecting to the Public IP

../../_images/openshift-4-12-standalone-verify-1.png

Note

To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.