SPK Software¶
Overview¶
The Service Proxy for Kubernetes (SPK) custom resource definitions (CRDs), software images and installation Helm charts are provided in a single TAR file. An SPK public signing key, and two signature files are also provided to validate the TAR file’s integrity. Once validated and extracted, the SPK CRDs and software images can be integrated into the cluster using SPK Helm charts.
This document describes the SPK software, and guides you through validating, extracting and installing the SPK software components.
Software images¶
The table below lists and describes the software images for this software release. For a full list of software images by release, refer to the Software Releases guide.
Note: The software image name and deployed container name may differ.
Image | Version | Description |
---|---|---|
f5ingress | v3.0.33 | The helm_release-f5ingress container is the custom SPK controller that watches the K8S API for CR updates, and configures the Service Proxy TMM based on the update. |
tmm-img | v1.4.9 | The f5-tmm container is a Traffic Management Microkernel (TMM) that proxies and load balances application traffic between the external and internal networks. |
tmrouted-img | v0.8.17 | The f5-tmm-tmrouted container proxies and forwards information between the f5-tmm-routing and f5-tmm containers. |
f5dr-img | v0.3.10 | The f5-tmm-routing container maintains the dynamic routing tables used by TMM. For more info, refer to BGP Overview. |
f5-toda-tmstatsd | v1.7.1 | The f5-toda-stats container collects application traffic processing statistics from the f5-tmm container, and forwards the data to the f5-fluentbit container. |
f5-fluentbit | v0.1.30 | The fluentbit container collects and forwards statistics to the f5-fluentd container. |
f5-fluentbit | v0.1.29 | The fluentbit container collects and forwards statistics to the f5-fluentd container. |
f5-fluentd | v1.4.9 | The f5-fluentd container collects statistics and logging data from the Controller, TMM and dSSM Pods. For more info, refer to Fluentd Logging. |
f5-dssm-store | v1.21.0 | Contains two sets of software images; The f5-dssm-db containers that store shared, persisted session state data, and the f5-dssm-sentinel containers to monitor the f5-dssm-db containers. For more info, refer to dSSM database. |
f5-debug-sidecar | v1.9.3 | The debug container provides diagnostic tools for viewing TMM's configuration, traffic processing statistica and gathering TMM diagnostic data. For more info, refer to Debug Sidecar. |
f5-dssm-upgrader | v1.0.4 | The dssm-upgrade-hook is used during the Upgrading dSSM procedure to ensure the process completes without service interruption. |
CRD Bundles¶
The tables below list the SPK CRD bundles, and describe the SPK CRs they support.
f5-spk-crds-service-proxy-1.0.6.tgz
CRD | CR |
---|---|
f5-spk-egress | F5SPKEgress - Enable egress traffic for Pods using SNAT or DNS/NAT46. |
f5-spk-ingresstcp | F5SPKIngressTCP - Layer 4 TCP application traffic management. |
f5-spk-ingressudp | F5SPKIngressUDP - Layer 4 UDP application traffic management. |
f5-spk-ingressngap | F5SPKIngressNGAP - Datagram load balancing for SCTP or NGAP signaling. |
f5-spk-ingressdiameter | F5SPKIngressDiameter - Diameter traffic management using TCP or SCTP. |
f5-spk-crds-common.1.0.6.tgz
CRD | CR |
---|---|
f5-spk-vlan | F5SPKVlan - TMM interface configuration: VLANs, Self IP addresses, MTU sizes, etc. |
f5-spk-dnscache | F5SPKDnscache - Referenced by the F5SPKEgress CR to provide DNS caching. |
f5-spk-snatpool | F5SPKSnatpool - Allocates IP addresses for egress Pod connections. |
f5-spk-staticroute | F5SPKStaticRoute - Provides TMM static routing table management. |
f5-spk-addresslist | Not currently in use. |
f5-spk-portlist | Not currently in use. |
f5-spk-crds-deprecated.1.0.6.tgz
A bundle containing the deprecated CRDs, beginning with SPK software version 1.4.3.
Requirements¶
Ensure you have:
Procedures¶
Extract the images¶
Use the following steps to validate the SPK tarball, and extract the CRDs and software images.
Create a new directory for the SPK files:
mkdir <directory>
In this example, the new directory is named spkinstall:
mkdir spkinstall
Move the SPK files into the directory:
mv f5-spk-tarball* f5-spk-1.4.13.pem spkinstall
Change into the directory and list the files:
cd spkinstall; ls -1
The file list appears as:
f5-spk-1.4.13.pem f5-spk-tarball-1.4.13.tgz f5-spk-tarball-sha512.txt-1.4.13.sha512.sig f5-spk-tarball.tgz-1.4.13.sha512.sig
Use the PEM signing key and each SHA signature file to validate the SPK TAR file:
openssl dgst -verify <pem file>.pem -keyform PEM \ -sha512 -signature <sig file>.sig <tar file>.tgz
The command output states Verified OK for each signature file:
openssl dgst -verify f5-spk-1.4.13.pem -keyform PEM -sha512 \ -signature f5-spk-tarball.tgz-1.4.13.sha512.sig f5-spk-tarball-1.4.13.tgz
Verified OK
openssl dgst -verify f5-spk-1.4.13.pem -keyform PEM -sha512 \ -signature f5-spk-tarball-sha512.txt-1.4.13.sha512.sig f5-spk-tarball-1.4.13.tgz
Verified OK
Extract the SPK CRD bundles and the software image TAR file:
tar xvf f5-spk-tarball-1.4.13.tgz
List the newly extracted files:
ls -1
The file list shows the CRD bundless and the SPK image TAR file named f5-spk-images-1.4.13.tgz:
f5-spk-1.4.13.pem f5-spk-crds-common-1.0.6.tgz f5-spk-crds-deprecated-1.0.6.tgz f5-spk-crds-service-proxy-1.0.6.tgz f5-spk-images-1.4.13.tgz f5-spk-tarball-1.4.13.tgz f5-spk-tarball-sha512.txt-1.4.13.sha512.sig f5-spk-tarball.tgz-1.4.13.sha512.sig
Extract the SPK software images and Helm charts:
tar xvf f5-spk-images-1.4.13.tgz
Recursively list the extracted software images and Helm charts:
ls -1R
The file list shows a new tar directory containing the software images and Helm charts:
f5-spk-1.4.13.pem f5-spk-crds-common-1.0.6.tgz f5-spk-crds-deprecated-1.0.6.tgz f5-spk-crds-service-proxy-1.0.6.tgz f5-spk-images-1.4.13.tgz f5-spk-tarball-1.4.13.tgz f5-spk-tarball-sha512.txt-1.4.13.sha512.sig f5-spk-tarball.tgz-1.4.13.sha512.sig tar ./tar: f5-dssm-0.22.12.tgz f5-toda-fluentd-1.8.31.tgz f5ingress-3.0.33.tgz spk-docker-images.tgz
Continue to the next section.
Install the CRDs¶
Use the following steps to extract and install the new SPK CRDs.
List the SPK CRD bundles:
ls -1 | grep crd
The file list shows three CRD bundles:
f5-spk-crds-common-1.0.6.tgz f5-spk-crds-deprecated-1.0.6.tgz f5-spk-crds-service-proxy-1.0.6.tgz
Extract the common CRDs from the bundle:
tar xvf f5-spk-crds-common-1.0.6.tgz
Install the full set of common CRDs:
oc apply -f f5-spk-crds-common/crds
Note the command output: Newly installed CRDs will be indicated by created, and updated CRDs will be indicated by configured:
f5-spk-addresslists.k8s.f5net.com configured f5-spk-dnscaches.k8s.f5net.com created f5-spk-portlists.k8s.f5net.com configured f5-spk-snatpools.k8s.f5net.com unchanged f5-spk-staticroutes.k8s.f5net.com unchanged f5-spk-vlans.k8s.f5net.com configured
Extract the service-proxy CRDs from the bundle:
tar xvf f5-spk-crds-service-proxy-1.0.6.tgz
Install the full set of service-proxy CRDs:
oc apply -f f5-spk-crds-service-proxy/crds
Note the command output: Newly installed CRDs will be indicated by created, and updated CRDs will be indicated by configured:
f5-spk-egresses.k8s.f5net.com configured f5-spk-ingressdiameters.k8s.f5net.com unchanged f5-spk-ingressngaps.k8s.f5net.com unchanged f5-spk-ingresstcps.ingresstcp.k8s.f5net.com unchanged f5-spk-ingressudps.ingressudp.k8s.f5net.com unchanged
List the installed SPK CRDs:
oc get crds | grep f5-spk
The CRD listing will contain the full list of CRDs:
f5-spk-addresslists.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-dnscaches.k8s.f5net.com 2021-12-23T18:41:54Z f5-spk-egresses.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-ingressdiameters.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-ingressgtps.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-ingresshttp2s.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-ingressngaps.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-ingresstcps.ingresstcp.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-ingressudps.ingressudp.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-portlists.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-snatpools.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-staticroutes.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-vlans.k8s.f5net.com 2021-12-23T18:38:45Z
Upload the images¶
Use the following steps to upload the SPK software images to a local container registry.
Install the SPK images to your workstation’s Docker image store:
podman load -i tar/spk-docker-images.tgz
List the SPK images to be tagged and pushed to the local container registry in the next step:
podman images local.registry/*
REPOSITORY TAG IMAGE ID local.registry/f5ingress v3.0.33 594270f98818 local.registry/tmm-img v1.4.9 e62a4a3aef24 local.registry/f5-fluentd v1.4.9 c76475173491 local.registry/f5-dssm-store v1.21.0 5037f6eced8d local.registry/f5-dssm-upgrader 1.0.4 cc986fd3d1ff local.registry/f5-debug-sidecar v1.9.3 919908771df1 local.registry/f5-fluentbit v0.1.30 db5a3313b22c local.registry/f5-fluentbit v0.1.29 9fb5608ff56c local.registry/tmrouted-img v0.8.17 8b89404abc3b local.registry/f5-toda-tmstatsd v1.7.1 54b716c40da3 local.registry/f5dr-img v0.3.10 53e891f6b850
Tag and push each image to the local container registry. For example:
podman tag <local.registry/image name>:<version> <registry>/<image name>:<version>
podman push <registry_name>/<image name>:<version>
In this example, the f5ingress:v3.0.33 image is tagged and pushed to the remote registry registry.com:
podman tag local.registry/f5ingress:v3.0.33 registry.com/f5ingress:v3.0.33
podman push registry.com/f5ingress:v3.0.33
Once all of the images have uploaded, verify the images exist in the local container registry:
curl -X GET https://<registry>/v2/_catalog -u <user:pass>
For example:
curl -X GET https://registry.com/v2/_catalog -u spkadmin:spkadmin
"repositories":["f5-debug-sidecar","f5-dssm-store","f5-fluentbit","f5-fluentd","f5-toda-tmstatsd","f5dr-img","f5ingress","tmm-img","tmrouted-img"]}
Next step¶
Continue to the gRPC Secrets guide to secure communications between the SPK Controller and Service Proxy Traffic Management Microkernel (TMM).
Feedback¶
Provide feedback to improve this document by emailing spkdocs@f5.com.