F5SPKIngressDiameter Reference

This reference lists the F5SPKIngressDiameter Custom Resource (CR) configuration parameters. Each heading below represents a top-level parameter element. For example, to set the Kubernetes Service name, use service.name.

service

Parameter Description
name Name of the Kubernetes Service providing access to the Pods.
port The exposed port for the service.

clientssl

Parameter Description
name
enableTls13 Enables TLS 1.3 protocol support: true (default) or false.
enableTls12 Enables TLS 1.2 protocol support: true (default) or false.
enableTls11 Enables TLS 1.1 protocol support: true (default) or false.
ciphers Specifies an OpenSSL-style cipher string: DEFAULT.
enableSessionTicket Enables Session Ticket support: true (default) or false.
enableRenegotiation Enables Renegotiation support: true or false (default).
renegotiationMode Specifies the secure renegotiation mode: SSL_SECURE_RENEGOTIATION_MODE_REQUIRE.
keyCertPairs.key Specifies the private key.
keyCertPairs.cert Specifies the content of the certificate and intermediate CA(s), if any.

serverssl

Parameter Description
name
enableTls13 Enables TLS 1.3 protocol support: true (default) or false.
enableTls12 Enables TLS 1.2 protocol support: true (default) or false.
enableTls11 Enables TLS 1.1 protocol support: true (default) or false.
ciphers Specifies an OpenSSL-style cipher string: DEFAULT.
enableSessionTicket Enables Session Ticket support: true (default) or false.
enableRenegotiation Enables Renegotiation support: true or false (default).
renegotiationMode Specifies the secure renegotiation mode: SSL_SECURE_RENEGOTIATION_MODE_REQUIRE.
trustedCa Specifies a list of root CAs in PEM format used for server certificate verification.
keyCertPairs.key Specifies the private key. Supported formats are Embedded PEM, Vault Path, or File Path.
keyCertPairs.cert Specifies the content of the certificate and intermediate CA(s), if any. Supported formats are Embedded PEM or File Path.
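
An added example (not F5 code): a small Python check that applies the clientssl and serverssl defaults listed above, so a key omitted from the CR is evaluated at its documented default (for instance, enableTls11 stays true unless it is set to false). The policy choices, the top-level placement of clientssl and serverssl, the list shape of keyCertPairs and the sample CR are assumptions made for illustration.

```python
# Added example: audit the TLS sections of an F5SPKIngressDiameter CR (as a dict).
# Defaults are the ones stated in this reference; the policy itself is an assumption.
PAGE_DEFAULTS = {
    "enableTls13": True, "enableTls12": True, "enableTls11": True,
    "enableSessionTicket": True, "enableRenegotiation": False,
}


def effective(profile):
    """Merge explicit settings over the documented defaults."""
    return {k: profile.get(k, d) for k, d in PAGE_DEFAULTS.items()}


def audit_profile(section, profile):
    """Return policy findings for one clientssl/serverssl section."""
    eff = effective(profile)
    findings = []
    if eff["enableTls11"]:
        findings.append(f"{section}: TLS 1.1 enabled (documented default is true)")
    if not (eff["enableTls12"] or eff["enableTls13"]):
        findings.append(f"{section}: neither TLS 1.2 nor TLS 1.3 enabled")
    if eff["enableRenegotiation"]:
        findings.append(f"{section}: renegotiation enabled")
    if section == "serverssl" and not profile.get("trustedCa"):
        findings.append(f"{section}: trustedCa empty, no roots for server certificate verification")
    pairs = profile.get("keyCertPairs") or []  # assumed shape: list of {key, cert}
    if isinstance(pairs, dict):  # tolerate a single mapping
        pairs = [pairs]
    for i, pair in enumerate(pairs):
        if "PRIVATE KEY-----" in str(pair.get("key", "")):
            findings.append(f"{section}: keyCertPairs[{i}].key is an embedded PEM private key")
    return findings


def audit_cr(cr):
    """Audit both TLS sections; a section absent from the CR is skipped."""
    out = []
    for section in ("clientssl", "serverssl"):
        if section in cr:
            out.extend(audit_profile(section, cr[section] or {}))
    return out


# Constructed sample input, not taken from the reference page.
SAMPLE_CR = {
    "clientssl": {"keyCertPairs": [{"key": "-----BEGIN PRIVATE KEY-----(constructed placeholder)"}]},
    "serverssl": {"enableTls11": False, "enableRenegotiation": True},
}
```

Running audit_cr(SAMPLE_CR) reports four findings: TLS 1.1 left at its default and an embedded private key in clientssl, plus renegotiation enabled and a missing trustedCa in serverssl.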

spec

Parameter Description
loadBalancingMethod The traffic load balancing algorithm used.
ipfamilies The IP version capabilities of the application: IPv4, IPv6, IPv4andIPv6.
egressSnatpool Specifies an F5SPKsnatpool CR to reference using the spec.name parameter.
router.enablePerPeerStats Enables additional statistics collection per pool member.
router.transactionTimeout The maximum expected time of a Diameter transaction.
router.enableForwardingEgress Enables connection to an external diameter peer from an internal diameter peer: true or false (default).
router.defaultEgressDestinations Specifies an array of IP address and port pairs to be used as a pool of external Diameter destinations for Diameter traffic egressing from the application pods. For example, the address/port of an external Diameter server or proxy.

spec.externalTCP

Parameter Description
enabled Create an external TCP virtual server on the TMM container. The default is enabled (true).
serviceName Selects the Service object name for the internal applications (Pods).
servicePort Selects the Service object port value.
destinationAddress The external TCP virtual server IPv4 address.
v6destinationAddress The external TCP virtual server IPv6 address.
destinationPort The external TCP virtual server destination service port.
idleTimeout The number of seconds a TCP connection can remain idle before deletion. The default value is 300 seconds.
outboundSnatEnabled Outbound external connections will be SNATed to the virtual server IP address: true (default) or false.

spec.internalTCP

Parameter Description
enabled Create an internal TCP virtual server on the TMM container. The default is enabled (true).
serviceName Selects the Service object name for the external applications (Pods).
servicePort Selects the Service object port value.
destinationAddress The internal TCP virtual server IPv4 address.
v6destinationAddress The internal TCP virtual server IPv6 address.
destinationPort The internal TCP virtual server destination service port.
idleTimeout The number of seconds a TCP connection can remain idle before deletion. The default value is 300 seconds.
outboundSnatEnabled Outbound external connections will be SNATed to the virtual server IP address: true (default) or false.

spec.externalSCTP

Parameter Description
enabled Create an external SCTP virtual server on the TMM container. The default is enabled (true).
destinationAddress The external SCTP virtual server IP address.
destinationPort The external SCTP virtual server destination service port.
idleTimeout The number of seconds an SCTP connection can remain idle before deletion. The default value is 300 seconds.
outboundSnatEnabled Outbound external connections will be SNATed to the virtual server IP address.
clientSideMultihoming Enable client side connection multihoming: true or false (default).
alternateAddressList Specifies a list of alternate IP addresses when clientSideMultihoming is enabled. Each TMM Pod requires a unique alternate IP address, and these IP addresses will be advertised via BGP to the upstream router. Each list defined will be allocated to TMMs in order: first list to first TMM, continuing through each list.
streamsCount Set the advertised number of streams the SCTP filter will accept.

spec.internalSCTP

Parameter Description
enabled Create an internal SCTP virtual server on the TMM container. The default is enabled (true).
destinationAddress The internal SCTP virtual server IP address.
destinationPort The internal SCTP virtual server destination service port.
idleTimeout The number of seconds an SCTP connection can remain idle before deletion. The default value is 300 seconds.
outboundSnatEnabled Outbound internal connections will be SNATed to the virtual server IP address.
streamsCount Set the advertised number of streams the SCTP filter will accept.

spec.externalSession

Parameter Description
persistenceKey The diameter AVP to be used as a persistence key.
persistenceTimeout The length of time in seconds that an idle persistence entry will be kept.
originHost The diameter host name sent to external peers in capabilities exchange messages.
originRealm The diameter realm name sent to external peers in capabilities exchange messages.
alternateOriginHost The alternate diameter host for substituting origin host used by internal peers.
alternateOriginRealm The alternate origin realm for substituting origin realms used by internal peers.
vendorId The vendor ID sent to external peers in capabilities exchange messages.
productName The product name sent to external peers in capabilities exchange messages.
authorizationAppIds The list of authorization application IDs sent to external peers in capabilities exchange messages. Comma-separated. For example: "id1,id2".
accountingAppIds The list of accounting application IDs sent to external peers in capabilities exchange messages. Comma-separated. For example: "id1,id2".
dynamicRouteInsertion Enables inserting routes that route incoming messages toward connected peers using their origin-host AVP: enabled or disabled (default).
dynamicRouteLlookup Enables using the destination-host AVP for route lookups when the dynamic-route-insertion parameter is enabled: enabled or disabled (default).
dynamicRouteTimeout Specifies the period of time in seconds that dynamic routes will remain in the route table after a connection is closed. The default value is 300.

spec.internalSession

Parameter Description
persistenceKey The diameter AVP to be used as a persistence key.
persistenceTimeout The length of time in seconds that an idle persistence entry will be kept.
originHost The diameter host name sent to internal peers in capabilities exchange messages.
originRealm The diameter realm name sent to internal peers in capabilities exchange messages.
vendorId The vendor ID sent to internal peers in capabilities exchange messages.
productName The product name sent to internal peers in capabilities exchange messages.
authorizationAppIds The list of authorization application IDs sent to internal peers in capabilities exchange messages. Comma-separated. For example: "id1,id2".
accountingAppIds The list of accounting application IDs sent to internal peers in capabilities exchange messages. Comma-separated. For example: "id1,id2".
dynamicRouteInsertion Enables inserting routes that route incoming messages toward connected peers using their origin-host AVP: enabled or disabled (default).
dynamicRouteLlookup Enables using the destination-host AVP for route lookups when the dynamic-route-insertion parameter is enabled: enabled or disabled (default).
dynamicRouteTimeout Specifies the period of time in seconds that dynamic routes will remain in the route table after a connection is closed. The default value is 300.

spec.internalWCSession

Parameter Description
originHost The diameter host name sent to internal peers in capabilities exchange messages.
originRealm The diameter realm name sent to internal peers in capabilities exchange messages.
vendorId The vendor ID sent to internal peers in capabilities exchange messages.
productName The product name sent to internal peers in capabilities exchange messages.
authorizationAppIds The list of authorization application IDs sent to internal peers in capabilities exchange messages. Comma-separated. For example: "id1,id2".
accountingAppIds The list of accounting application IDs sent to internal peers in capabilities exchange messages. Comma-separated. For example: "id1,id2".

spec.ingressVlans

Parameter Description
vlanList Specifies a list of F5SPKVlan CRs to listen for ingress traffic, using the CR's metadata.name. The list can also be disabled using disableListedVlans.
category Specifies an F5SPKVlan CR category to listen for ingress traffic. The category can also be disabled using disableListedVlans.
disableListedVlans Whether to use all VLANs on the ingress side except the listed ones (true, the default), or only the ones in the list (false).

spec.egressVlans

Parameter Description
vlanList Specifies a list of F5SPKVlan CRs to listen for ingress traffic, using the CR's metadata.name. The list can also be disabled using disableListedVlans.
category Specifies an F5SPKVlan CR category to listen for ingress traffic. The category can also be disabled using disableListedVlans.
disableListedVlans Whether to use all VLANs on the ingress side except the listed ones (true, the default), or only the ones in the list (false).