Install BIG-IP Next for Kubernetes (Host) using Helm

Overview

The Service Proxy for Kubernetes (SPK) custom resource definitions (CRDs), software images and installation Helm charts are provided in a single TAR file. An SPK public signing key and two signature files are also provided to validate the TAR file's integrity. Once validated and extracted, the software images can be uploaded to a local container registry and integrated into the cluster using the SPK Helm charts. Finally, the SPK CRDs are installed into the cluster.

This document describes the SPK software, and guides you through validating, extracting and installing the SPK software components.
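
The validate-then-extract step described above can be enforced as a gate, sketched here as an added example (not F5's own script): extraction runs only if both detached signatures verify against the public key. The file names are placeholders, and the choice of SHA-384 and SHA-512 for the two signature files is an assumption; `make_fixture` builds constructed test data so the gate can be exercised offline.

```shell
#!/bin/sh
# Added example (not F5's script). Assumptions: file names are placeholders and
# the two detached signatures are SHA-384 and SHA-512 digests of the tarball.

# verify_sig DIGEST PUBKEY SIGFILE FILE: succeeds only if SIGFILE is a valid
# signature over FILE under PUBKEY.
verify_sig() {
    openssl dgst "-$1" -verify "$2" -signature "$3" "$4" >/dev/null 2>&1
}

# verify_and_extract PUBKEY TARBALL SIG384 SIG512 DESTDIR
# Returns 2 on missing input, 1 on a failed signature, 0 after extraction.
# Nothing is unpacked unless both signatures validate.
verify_and_extract() {
    pubkey=$1; tarball=$2; sig384=$3; sig512=$4; dest=$5
    for f in "$pubkey" "$tarball" "$sig384" "$sig512"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    done
    verify_sig sha384 "$pubkey" "$sig384" "$tarball" ||
        { echo "SHA-384 signature mismatch: $tarball" >&2; return 1; }
    verify_sig sha512 "$pubkey" "$sig512" "$tarball" ||
        { echo "SHA-512 signature mismatch: $tarball" >&2; return 1; }
    mkdir -p "$dest" && tar -xf "$tarball" -C "$dest"
}

# make_fixture DIR: builds a constructed key pair, tarball and signatures so the
# gate can be exercised offline. A real release ships only the public key.
make_fixture() {
    d=$1; mkdir -p "$d/src"
    echo "constructed chart" > "$d/src/chart.txt"
    tar -czf "$d/release.tgz" -C "$d/src" chart.txt
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/priv.pem" 2>/dev/null
    openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.pem"
    openssl dgst -sha384 -sign "$d/priv.pem" -out "$d/release.sig384" "$d/release.tgz"
    openssl dgst -sha512 -sign "$d/priv.pem" -out "$d/release.sig512" "$d/release.tgz"
}
```

The public key itself should be obtained over a channel independent of the TAR file; a key shipped only alongside the archive proves nothing if the archive was replaced.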

Software images

The table below lists and describes the software images for this software release. For a full list of software images by release, refer to the Software Releases guide.

Note: The software image name and deployed container name may differ.

| Image | Description |
|---|---|
| f5ingress | The helm_release-f5ingress container is the custom SPK controller that watches the K8S API for CR updates, and configures the Service Proxy TMM based on the update. |
| tmm-img | The f5-tmm container is a Traffic Management Microkernel (TMM) that proxies and load balances application traffic between the external and internal networks. |
| spk-cwc | The spk-cwc container enables software licensing, and reports telemetry statistics regarding monthly SPK software CRD usage summaries. Refer to SPK CWC. |
| f5-license-helper | The f5-lic-helper communicates with the spk-cwc to determine the current license status of the cluster. |
| rabbit | The rabbitmq-server container acts as a general message bus, integrating SPK CWC with the Controller Pod(s) for licensing purposes. |
| crd-conversion | The f5-crd-conversion container handles the automatic conversion of multiple CRD versions based on the specified namespace and version in the cluster, without affecting existing CRs. Refer to CRD Conversion Webhook. |
| tmrouted-img | The f5-tmm-tmrouted container proxies and forwards information between the f5-tmm-routing and f5-tmm containers. |
| f5dr-img | The f5-tmm-routing container maintains the dynamic routing tables used by TMM. Refer to BGP Overview. |
| f5-cert-client | The f5-cert-client container provides an interface for SPK components to request certificates from f5-cert-manager. Additionally, f5-cert-client can provide certificate rotation functionality for those SPK components. |
| f5-toda-tmstatsd | The f5-toda-stats container collects application traffic processing statistics from the f5-tmm container, and forwards the data to the f5-fluentbit container. |
| f5-toda-observer | The f5-toda-observer container image is used for three pods: f5-observer-receiver, f5-observer, and f5-observer-operator. These pods work together to efficiently manage the high volume of statistics by collecting, aggregating, and exporting them to the OTEL Collector pod. |
| cert-manager-controller | The cert-manager-controller manages the generation and rotation of the SSL/TLS certificates that are stored as Secrets, to secure communication between the various CNF Pods. |
| cert-manager-cainjector | The cert-manager-cainjector assists the cert-manager-controller to configure the CA certificates used by the cert-manager-webhook and K8S API. |
| cert-manager-webhook | The cert-manager-webhook ensures that SSL/TLS certificate resources created or updated by the cert-manager-controller conform to the API specifications. |
| f5-fluentbit | The fluentbit container collects and forwards statistics to the f5-fluentd container. Multiple versions are included to support the different SPK containers. |
| f5-fluentd | The f5-fluentd container collects statistics and logging data from the Controller, TMM and dSSM Pods. Refer to Fluentd Logging. |
| f5-dssm-store | Contains two sets of software images: the f5-dssm-db containers, which store shared, persisted session state data, and the f5-dssm-sentinel containers, which monitor the f5-dssm-db containers. Refer to dSSM database. |
| f5-debug-sidecar | The debug container provides diagnostic tools for viewing TMM's configuration and traffic processing statistics, and for gathering TMM diagnostic data. Refer to Debug Sidecar. |
| opentelemetry-collector-contrib | The otel-collector container gathers metrics and statistics from the TMM Pods. Refer to OTEL Collector. |
| f5-dssm-upgrader | The dssm-upgrade-hook enables dSSM DB upgrades without service interruption or data loss. Refer to Upgrading dSSM. |
| f5-l4p-engine | The f5-afm-pccd container is an Application Firewall Manager (AFM) instance that converts firewall rules and NAT policies into the binary large objects (BLOBs) used by TMM. |
| f5-blobd | The f5-blobd container allows loading binary large objects (BLOBs) into the TMM memory. It is required for AFM use-cases, like firewall and NAT. |
| spk-csrc | The spk-csrc containers (daemon-set) are used to support the Calico Egress GW feature. |
| f5-csm-qkview | The f5-csm-qkview includes the qkview-orchestrator service, which manages requests from CWC to create or download qkview tar files. It communicates with qkview-collect, initiating the process of generating and downloading qkview tar files from containers within a designated namespace. |
| f5-toda-observer | The f5-toda-observer container handles the roles of Receiver, Observer Aggregator, Coordinator, and TMM Scraper for secure gRPC-based metric collection, aggregation and export. |

CRD Bundles

The tables below list the SPK CRD bundles, and describe the SPK CRs they support.

F5 BNK CRDs (f5-spk-crds-service-proxy)

| CRD | CR |
|---|---|
| f5-spk-egress | F5SPKEgress - Enable egress traffic for Pods using SNAT or DNS/NAT46. |
| f5-spk-ingresstcp | F5SPKIngressTCP - Layer 4 TCP application traffic management. |
| f5-spk-ingressudp | F5SPKIngressUDP - Layer 4 UDP application traffic management. |
| f5-spk-ingressgtp | F5SPKIngressGTP - GTP traffic management. |
| f5-spk-ingressngap | F5SPKIngressNGAP - Datagram load balancing for SCTP or NGAP signaling. |
| f5-spk-ingresssip | F5SPKIngressSip - Ingress SIP application traffic management. |
| f5-spk-ingressHTTP2 | F5SPKIngressHTTP2 - HTTP/2 application traffic management. |
| f5-spk-ingressdiameter | F5SPKIngressDiameter - Diameter traffic management using TCP or SCTP. |
| f5-spk-ingressegressudp | F5SPKIngressEgressUDP - Ingress UDP traffic management, enabling VIP source address responses. |

F5 common CRDs (f5-spk-crds.common)

| CRD | CR |
|---|---|
| f5-spk-vlan | F5SPKVlan - TMM interface configuration: VLANs, Self IP addresses, MTU sizes, etc. |
| f5-spk-dnscache | F5SPKDnscache - Referenced by the F5SPKEgress CR to provide DNS caching. |
| f5-spk-snatpool | F5SPKSnatpool - Allocates IP addresses for egress Pod connections. |
| f5-spk-staticroute | F5SPKStaticRoute - Provides TMM static routing table management. |
| f5-spk-addresslist | Not currently in use. |
| f5-spk-portlist | Not currently in use. |

F5 common CRDs (f5-spk-crds-deprecated)

A bundle containing the deprecated CRDs, beginning with SPK software version 1.4.3.