Release Notes
F5 Service Proxy for Kubernetes (SPK) - v1.7.0
Breaking changes
- The RabbitMQ Pod now installs independently of the SPK CWC Pod using a separate Helm Chart. To support this change, the cwcNamespace parameter has changed to rabbitmqNamespace. Refer to the SPK CWC and Debug API guides for installation instructions.
- The REDIS_CA_FILE, REDIS_AUTH_CERT, and REDIS_AUTH_KEY Helm values used to reference dSSM Secrets have been replaced by the SSL_SERVERSIDE_STORE and SSL_TRUSTED_CA_STORE parameters. Refer to the dSSM Database guide for installation instructions.
- The OTEL Collectors are now enabled using the f5-stats_collector.enabled parameter. Previously, the OTEL collectors used the stats_collector.enabled parameter. Refer to the OTEL Collectors guide for configuration assistance.
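A pre-upgrade check for the renamed parameters listed above, added here as an example and not taken from the SPK documentation or tooling. It scans the text of a Helm values override file for the pre-1.7.0 names; the sample file layout and its values are constructed for illustration and do not reflect the real SPK chart structure.

```python
import re

# Parameters renamed in SPK v1.7.0, taken from the "Breaking changes" list.
_DSSM_STORES = ["SSL_SERVERSIDE_STORE", "SSL_TRUSTED_CA_STORE"]
RENAMED = {
    "cwcNamespace": ["rabbitmqNamespace"],
    "REDIS_CA_FILE": _DSSM_STORES,
    "REDIS_AUTH_CERT": _DSSM_STORES,
    "REDIS_AUTH_KEY": _DSSM_STORES,
    "stats_collector": ["f5-stats_collector"],
}

# Match each old name as a whole token. Excluding "-" on both sides keeps
# "f5-stats_collector" from being reported as the old "stats_collector".
PATTERNS = {
    old: re.compile(r"(?<![\w-])" + re.escape(old) + r"(?![\w-])")
    for old in RENAMED
}


def find_renamed_parameters(values_text):
    """Return (line_number, old_name, replacements) for each pre-1.7.0 name."""
    findings = []
    for lineno, line in enumerate(values_text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # ignore YAML comments (simple split)
        for old, new in RENAMED.items():
            if PATTERNS[old].search(code):
                findings.append((lineno, old, new))
    return findings


# Constructed sample: a hypothetical override file, not a real SPK chart layout.
SAMPLE_VALUES = """\
# overrides carried over from an earlier release
cwcNamespace: spk-telemetry
stats_collector:
  enabled: true
f5-stats_collector:
  enabled: true
tmm:
  env:
    - name: REDIS_CA_FILE
      value: /example/dssm-ca.pem
# REDIS_AUTH_KEY is mentioned only in this comment
"""

if __name__ == "__main__":
    for lineno, old, new in find_renamed_parameters(SAMPLE_VALUES):
        print(f"line {lineno}: {old} -> {' / '.join(new)}")
```

A leftover REDIS_* value is worth catching before the upgrade because those values referenced the dSSM Secrets, which v1.7.0 reads from the two store parameters instead.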
New Features and Improvements
- Added support for OpenShift version 4.12.
- The SPK CWC CPCL module now supports connected mode, performing all of the required licensing steps automatically. Refer to the CPCL module section of the SPK CWC guide.
- The SPK Cert Manager auto-generates and rotates the SSL/TLS certificates (Secrets) used to secure SPK Pod-to-Pod communication. Cert Manager replaces the manual SPK Secret installation procedures required in previous releases.
- The F5SPKServiceTypeLBIpPool Custom Resource (CR) enables ingress application traffic management based on K8S LoadBalancer type Service objects.
- The F5SPKIngressSip Custom Resource (CR) processes both ingress and egress Session Initiation Protocol (SIP) subscriber traffic.
- The SPK CWC CPCL module no longer requires the cpcl-crt-cm certificate; only the cpcl-key-cm key is required to identify the cluster.
- The Top of Rack BGP feature enables TMM Pods to establish BGP peer relationships based on the cluster node the TMM Pod is running on.
- The f5-tmm-routing container can now load native ZebOS.conf files, enabling BGP configuration changes while the container is running. For more info, refer to the ZebOS ConfigMaps How-to.
- The configview utility replaces the older configviewer utility, and now displays Custom Resource (CR) configuration objects by their logged UUIDs. Refer to the Debug sidecar overview.
- The F5SPKIngressDiameter Custom Resource (CR) now supports enabling/disabling traffic on specified VLANs. Refer to the spec.ingressVlans and spec.egressVlans sections of the F5SPKIngressDiameter Reference.
- The Calico Egress GW feature can now watch multiple namespaces using the SPK Controller watchNamespace parameter.
- The message logging format for the SPK Pods has been improved and standardized.
Limitations
- Jumbo Frames - The maximum transmission unit (MTU) must be the same size on both ingress and egress interfaces. Packets over 9000 bytes are dropped.
Bug Fixes
1184217 (TMM)
When TMM is configured to use the F5SPKEgress CR’s DNS46 feature, processing performance is now the same as earlier SPK software releases.
1183117 (TMM)
The F5SPKIngressHTTP2 CR now supports non-SSL/TLS traffic toward the service object endpoints.
1181729 (TMM)
Static routes created by the F5SPKIngressGTP CR no longer remain in the TMM configuration after the CR is deleted, or the service object endpoints are scaled down.
1075373 (Ingress)
When TMM processes application traffic using an F5SPKIngressTCP CR, the virtual server used to process application traffic is now removed from the configuration after the referenced service object is deleted.
1169185 (TMM)
TMM no longer sends traffic to unavailable service endpoints (pool members) when the F5SPKIngressUDP or F5SPKIngressTCP CRs have persist.mode set to PERSIST_TYPE_SRCADDR, and serviceDownAction set to POOLMBR_ACTION_RESELECT.
1145961 (dSSM)
When the F5SPKIngressTCP or F5SPKIngressUDP CR spec.persist.mode parameter is set to PERSIST_TYPE_SRCADDR, persistence records may be deleted from the dSSM database after the configured timeout period, even though the session is active. The database entry should reset to the timeout value when connection responses are received.
1091997 (TMM)
In dual-stack configurations, application traffic SPK CRs no longer remain in the TMM configuration when the watched application is scaled to 0.
Known Issues
1235861 (Ingress)
After uninstalling an F5SPKIngressHTTP2 Custom Resource (CR), Service Proxy TMM does not delete the routing table entries of the discovered Service object Endpoints. These routes may conflict with the creation of new static routes.
Workaround:
After deleting the CR, scale the TMM Pod down, ensure the Pod terminates (is no longer running), and then scale the Pod back up.
1. oc scale deploy/f5-tmm --replicas 0
2. oc get pods
3. oc scale deploy/f5-tmm --replicas 1
1182049 (TMM)
TMM may stop processing network packets after numerous DPDK buffer allocation or DPDK transmission errors.
1076457 (Ingress)
When the F5SPKEgress CR’s dnsNat46Enabled parameter is set to enabled, the SPK Controller does not validate that a required F5SPKDnscache CR is referenced using the dnsCacheName parameter.
1135237 (TMM)
When the F5SPKIngressHTTP2 CR’s sslFileWatchMode parameter is set to SSL_FILE_WATCH_MODE_KUBERNETES_SECRET_STORE, TMM does not update the CR configuration after SSL/TLS key/certificate changes occur.
Workaround:
Set the sslFileWatchMode parameter to SSL_FILE_WATCH_MODE_FILES_IN_SHARED_VOLUME to update TMM’s running configuration when Kubernetes Secret values change. This is the default setting.
Software upgrades
Use these steps to upgrade the SPK software components:
Important: Steps 2 through 5 should be performed together, and during a planned maintenance window.
1. Review the New Features and Improvements section above, and integrate any updates into the existing configuration. Do not apply Custom Resource (CR) updates until after the SPK Controller has been upgraded (step 3).
2. Follow Install the CRDs in the SPK Software guide to upgrade the CRDs. Be aware that newly applied CRDs will replace existing CRDs of the same name.
3. Uninstall the previous version SPK Controller, and follow the Installation procedure in the SPK Controller guide to upgrade the Controller and TMM Pods. Upgrades have not yet been tested using Helm Upgrade.
4. Once the SPK Controller and TMM Pods are available, apply any updated CR configurations (step 1) using the oc apply -f <file> command.
5. Follow the Upgrading DNS46 entries section of the F5SPKEgress CR guide to upgrade any entries created in versions 1.4.9 and earlier.
6. Uninstall the previous version SPK CWC and, for 1.7.0 and later installations, RabbitMQ, and follow the Install RabbitMQ and Install CWC procedures in the SPK CWC guide to upgrade the Pods. Upgrades have not yet been tested using Helm Upgrade.
7. The dSSM Databases can be upgraded at any time using the Upgrading dSSM guide.
8. The Fluentd Logging collector can be upgraded at any time using Helm Upgrade. Review Extract the Images in the SPK Software guide for the new Fluentd Helm chart location.
Next step
Continue to the Cluster Requirements guide to ensure the OpenShift cluster has the required software components.