Release Notes

F5 Service Proxy for Kubernetes (SPK) - v1.7.0

Breaking changes

  • The RabbitMQ Pod now installs independently of the SPK CWC Pod using a separate Helm Chart. To support this change, the cwcNamespace parameter has changed to rabbitmqNamespace. Refer to the SPK CWC and Debug API guides for installation instructions.
  • The REDIS_CA_FILE, REDIS_AUTH_CERT, and REDIS_AUTH_KEY Helm values used to reference dSSM Secrets have been replaced by the SSL_SERVERSIDE_STORE and SSL_TRUSTED_CA_STORE parameters. Refer to the dSSM Database guide for installation instructions.
  • The OTEL Collectors are now enabled using the f5-stats_collector.enabled parameter. Previously, the OTEL collectors used the stats_collector.enabled parameter. Refer to the OTEL Collectors guide for configuration assistance.
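
An added example, not part of the F5 release notes or F5 tooling: a shell pre-upgrade check that flags the parameter names listed above in a Helm values file or install script. It assumes the old names appear as whole tokens in the file; the function names and the sample values are constructed for illustration.

```shell
# Pre-upgrade check for Helm value names renamed or replaced in SPK v1.7.0.
# Assumption: the old names appear as whole tokens in the values file or
# install script being checked; the sample YAML nesting is constructed.

# Reads stdin, prints one finding per deprecated name, returns 1 if any
# were found. Usage: check_spk_values < my-values.yaml
check_spk_values() {
    awk '
    # True when k occurs in s as a whole token. "-" counts as a name
    # character, so "f5-stats_collector" does not match "stats_collector".
    function has_token(s, k,    p, off, pre, post) {
        off = 0
        while ((p = index(substr(s, off + 1), k)) > 0) {
            p += off
            pre  = (p > 1) ? substr(s, p - 1, 1) : ""
            post = substr(s, p + length(k), 1)
            if (pre !~ /[A-Za-z0-9_-]/ && post !~ /[A-Za-z0-9_-]/) return 1
            off = p
        }
        return 0
    }
    BEGIN {
        tls = "SSL_SERVERSIDE_STORE and SSL_TRUSTED_CA_STORE"
        repl["cwcNamespace"]    = "rabbitmqNamespace"
        repl["REDIS_CA_FILE"]   = tls
        repl["REDIS_AUTH_CERT"] = tls
        repl["REDIS_AUTH_KEY"]  = tls
        repl["stats_collector"] = "f5-stats_collector"
    }
    /^[ \t]*#/ { next }    # skip commented-out lines
    {
        for (k in repl)
            if (has_token($0, k)) {
                printf "line %d: %s -> %s\n", NR, k, repl[k]
                found = 1
            }
    }
    END { exit (found ? 1 : 0) }
    '
}

# Constructed sample values file (not taken from the F5 charts).
spk_sample_values() {
    printf '%s\n' 'controller:' '  cwcNamespace: spk-telemetry' \
        '  # REDIS_AUTH_KEY: commented out' 'tmm:' '  sessiondb:' \
        '    REDIS_CA_FILE: /etc/ssl/dssm-ca.pem' 'f5-stats_collector:' \
        '  enabled: true' 'stats_collector:' '  enabled: true'
}

spk_sample_values | check_spk_values || true
```

The non-zero return status lets the check gate an upgrade script or CI job before the new charts are installed.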

New Features and Improvements

  • Added support for OpenShift version 4.12.
  • The SPK CWC CPCL module now supports connected mode, performing all of the required licensing steps automatically. Refer to the CPCL module section of the SPK CWC guide.
  • The SPK Cert Manager auto-generates and rotates the SSL/TLS certificates (Secrets) used to secure SPK Pod-to-Pod communication. Cert Manager replaces the manual SPK Secret installation procedures required in previous releases.
  • The F5SPKServiceTypeLBIpPool Custom Resource (CR) enables ingress application traffic management based on K8S LoadBalancer type Service objects.
  • The F5SPKIngressSip Custom Resource (CR) processes both ingress and egress Session Initiation Protocol (SIP) subscriber traffic.
  • The SPK CWC CPCL module no longer requires the cpcl-crt-cm certificate; only the cpcl-key-cm key is required to identify the cluster.
  • The Top of Rack BGP feature enables TMM Pods to establish BGP peer relationships based on the cluster node the TMM Pod is running on.
  • The f5-tmm-routing container can now load native ZebOS.conf files, enabling BGP configuration changes while the container is running. For more info, refer to the ZebOS ConfigMaps How-to.
  • The configview utility replaces the older configviewer utility, and now displays Custom Resource (CR) configuration objects by their logged UUIDs. Refer to the Debug sidecar overview.
  • The F5SPKIngressDiameter Custom Resource (CR) now supports enabling/disabling traffic on specified VLANs. Refer to the spec.ingressVlans and spec.egressVlans sections of the F5SPKIngressDiameter Reference.
  • The Calico Egress GW feature can now watch multiple namespaces using the SPK Controller watchNamespace parameter.
  • The message logging format for the SPK Pods has been improved and standardized.

Limitations

  • Jumbo Frames - The maximum transmission unit (MTU) must be the same size on both ingress and egress interfaces. Packets over 9000 bytes are dropped.

Bug Fixes

1184217 (TMM)

When TMM is configured to use the F5SPKEgress CR’s DNS46 feature, processing performance is now the same as earlier SPK software releases.

1183117 (TMM)

The F5SPKIngressHTTP2 CR now supports non-SSL/TLS traffic toward the service object endpoints.

1181729 (TMM)

Static routes created by the F5SPKIngressGTP CR no longer remain in the TMM configuration after the CR is deleted, or the service object endpoints are scaled down.

1075373 (Ingress)

When TMM processes application traffic using an F5SPKIngressTCP CR, the virtual server used to process application traffic is now removed from the configuration after the referenced service object is deleted.

1169185 (TMM)

TMM no longer sends traffic to unavailable service endpoints (pool members) when the F5SPKIngressUDP or F5SPKIngressTCP CRs have persist.mode set to PERSIST_TYPE_SRCADDR, and serviceDownAction set to POOLMBR_ACTION_RESELECT.

1145961 (dSSM)

When the F5SPKIngressTCP or F5SPKIngressUDP CR spec.persist.mode parameter is set to PERSIST_TYPE_SRCADDR, persistence records may be deleted from the dSSM database after the configured timeout period, even though the session is active. The database entry should reset to the timeout value when connection responses are received.

1091997 (TMM)

In dual-stack configurations, application traffic SPK CRs no longer remain in the TMM configuration when the watched application is scaled to 0.

Known Issues

1235861 (Ingress)

After uninstalling an F5SPKIngressHTTP2 Custom Resource (CR), Service Proxy TMM does not delete the routing table entries of the discovered Service object Endpoints. These routes may conflict with the creation of new static routes.

Workaround:

After deleting the CR, scale the TMM Pod down, ensure the Pod terminates (is no longer running), and then scale the Pod back up.

1. oc scale deploy/f5-tmm --replicas 0
2. oc get pods 
3. oc scale deploy/f5-tmm --replicas 1

1182049 (TMM)

TMM may stop processing network packets after numerous DPDK buffer allocation or DPDK transmission errors.

1076457 (Ingress)

When the F5SPKEgress CR’s dnsNat46Enabled parameter is set to enabled, the SPK Controller does not validate that a required F5SPKDnscache CR is referenced using the dnsCacheName parameter.

1135237 (TMM)

When the F5SPKIngressHTTP2 CR’s sslFileWatchMode parameter is set to SSL_FILE_WATCH_MODE_KUBERNETES_SECRET_STORE, TMM does not update the CR configuration after SSL/TLS key/certificate changes occur.

Workaround:

Set the sslFileWatchMode parameter to SSL_FILE_WATCH_MODE_FILES_IN_SHARED_VOLUME to update TMM’s running configuration when Kubernetes Secret values change. This is the default setting.

Software upgrades

Use these steps to upgrade the SPK software components:

Important: Steps 2 through 5 should be performed together, and during a planned maintenance window.

  1. Review the New Features and Improvements section above, and integrate any updates into the existing configuration. Do not apply Custom Resource (CR) updates until after the SPK Controller has been upgraded (step 3).
  2. Follow Install the CRDs in the SPK Software guide to upgrade the CRDs. Be aware that newly applied CRDs will replace existing CRDs of the same name.
  3. Uninstall the previous version SPK Controller, and follow the Installation procedure in the SPK Controller guide to upgrade the Controller and TMM Pods. Upgrades have not yet been tested using Helm Upgrade.
  4. Once the SPK Controller and TMM Pods are available, apply any updated CR configurations (step 1) using the oc apply -f <file> command.
  5. Follow the Upgrading DNS46 entries section of the F5SPKEgress CR guide to upgrade any entries created in versions 1.4.9 and earlier.
  6. Uninstall the previous version of the SPK CWC and, for 1.7.0 and later installations, RabbitMQ, then follow the Install RabbitMQ and Install CWC procedures in the SPK CWC guide to upgrade the Pods. Upgrades have not yet been tested using Helm Upgrade.
  7. The dSSM Databases can be upgraded at any time using the Upgrading dSSM guide.
  8. The Fluentd Logging collector can be upgraded anytime using Helm Upgrade. Review Extract the Images in the SPK Software guide for the new Fluentd Helm chart location.

Next step

Continue to the Cluster Requirements guide to ensure the OpenShift cluster has the required software components.