SPK Software

Overview

The Service Proxy for Kubernetes (SPK) custom resource definitions (CRDs), software images and installation Helm charts are provided in a single TAR file. An SPK public signing key, and two signature files are also provided to validate the TAR file’s integrity. Once validated and extracted, the SPK CRDs and software images can be integrated into the cluster using SPK Helm charts.

This document describes the SPK software, and guides you through validating, extracting and installing the SPK software components.

Software images

The table below lists and describes the software images for this software release. For a full list of software images by release, refer to the Software Releases guide.

_images/spk_info.png Note: The software image name and deployed container name may differ.

Image Version Description
f5ingress v5.0.29 The helm_release-f5ingress container is the custom SPK controller that watches the K8S API for CR updates, and configures the Service Proxy TMM based on the update.
tmm-img v1.6.5 The f5-tmm container is a Traffic Management Microkernel (TMM) that proxies and load balances application traffic between the external and internal networks.
spk-cwc v0.19.12 The spk-cwc container enables software licensing, and reports telemetry statistics regarding monthly software usage. Refer to SPK CWC.
f5-license-helper v0.5.9 The f5-lic-helper communicates with the spk-cwc to determine the current license status of the cluster.
rabbit v0.1.5 The rabbitmq-server container as a general message bus, integrating SPK CWC with the Controller Pod(s) for licensing purposes.
tmrouted-img v0.8.21 The f5-tmm-tmrouted container proxies and forwards information between the f5-tmm-routing and f5-tmm containers.
f5dr-img v0.5.8 The f5-tmm-routing container maintains the dynamic routing tables used by TMM. Refer to BGP Overview.
f5-toda-tmstatsd v1.7.5 The f5-toda-stats container collects application traffic processing statistics from the f5-tmm container, and forwards the data to the f5-fluentbit container.
f5-fluentbit v0.1.29 The fluentbit container collects and forwards statistics to the f5-fluentd container.
f5-fluentd v1.4.8 The f5-fluentd container collects statistics and logging data from the Controller, TMM and dSSM Pods. Rrefer to Fluentd Logging.
f5-dssm-store v1.21.0 Contains two sets of software images; The f5-dssm-db containers that store shared, persisted session state data, and the f5-dssm-sentinel containers to monitor the f5-dssm-db containers. Refer to dSSM database.
f5-debug-sidecar v5.55.6 The debug container provides diagnostic tools for viewing TMM's configuration, traffic processing statistica and gathering TMM diagnostic data. Refer to Debug Sidecar.
opentelemetry-collector 0.46.0 The otel-collector container gathers metrics and statistics from the TMM Pods. Refer to OTEL Collector.
f5-dssm-upgrader 1.0.4 The dssm-upgrade-hook enables dSSM DBs upgrades without service interruption or data loss. Refer to Upgrading dSSM.

CRD Bundles

The tables below list the SPK CRD bundles, and describe the SPK CRs they support.

f5-spk-crds-service-proxy-3.0.2.tgz

CRD CR
f5-spk-egress F5SPKEgress - Enable egress traffic for Pods using SNAT or DNS/NAT46.
f5-spk-ingresstcp F5SPKIngressTCP - Layer 4 TCP application traffic management.
f5-spk-ingressudp F5SPKIngressUDP - Layer 4 UDP application traffic management.
f5-spk-ingressngap F5SPKIngressNGAP - Datagram load balancing for SCTP or NGAP signaling.
f5-spk-ingressdiameter F5SPKIngressDiameter - Diameter traffic management using TCP or SCTP.

f5-spk-crds-common.3.0.2.tgz

CRD CR
f5-spk-vlan F5SPKVlan - TMM interface configuration: VLANs, Self IP addresses, MTU sizes, etc.
f5-spk-dnscache F5SPKDnscache - Referenced by the F5SPKEgress CR to provide DNS caching.
f5-spk-snatpool F5SPKSnatpool - Allocates IP addresses for egress Pod connections.
f5-spk-staticroute F5SPKStaticRoute - Provides TMM static routing table management.
f5-spk-addresslist Not currently in use.
f5-spk-portlist Not currently in use.

f5-spk-crds-deprecated.3.0.2.tgz

A bundle containing the deprecated CRDs, beginning with SPK software version 1.4.3.

Requirements

Ensure you have:

  • Obtained the SPK software tarball.
  • A local container registry.
  • A workstation with Podman and OpenSSL.

Procedures

Extract the images

Use the following steps to validate the SPK tarball, and extract the CRDs and software images.

  1. Create a new directory for the SPK files:

    mkdir <directory>
    

    In this example, the new directory is named spkinstall:

    mkdir spkinstall
    
  2. Move the SPK files into the directory:

    mv f5-spk-tarball* f5-spk-1.5.0.pem spkinstall
    
  3. Change into the directory and list the files:

    cd spkinstall; ls -1
    

    The file list appears as:

    f5-spk-1.5.0.pem
    f5-spk-tarball-1.5.0.tgz
    f5-spk-tarball-sha512.txt-1.5.0.sha512.sig
    f5-spk-tarball.tgz-1.5.0.sha512.sig
    
  4. Use the PEM signing key and each SHA signature file to validate the SPK TAR file:

    openssl dgst -verify <pem file>.pem -keyform PEM \
    -sha512 -signature <sig file>.sig <tar file>.tgz
    

    The command output states Verified OK for each signature file:

    openssl dgst -verify f5-spk-1.5.0.pem -keyform PEM -sha512 \
    -signature f5-spk-tarball.tgz-1.5.0.sha512.sig \
    f5-spk-tarball-1.5.0.tgz
    
    Verified OK
    
    openssl dgst -verify f5-spk-1.5.0.pem -keyform PEM -sha512 \
    -signature f5-spk-tarball-sha512.txt-1.5.0.sha512.sig \
    f5-spk-tarball-1.5.0.tgz
    
    Verified OK
    
  5. Extract the SPK CRD bundles and the software image TAR file:

    tar xvf f5-spk-tarball-1.5.0.tgz
    
  6. List the newly extracted files:

    ls -1
    

    The file list shows the CRD bundless and the SPK image TAR file named f5-spk-images-1.5.0.tgz:

    f5-spk-1.5.0.pem
    f5-spk-crds-common-3.0.2.tgz
    f5-spk-crds-deprecated-3.0.2.tgz
    f5-spk-crds-service-proxy-3.0.2.tgz
    f5-spk-images-1.5.0.tgz
    f5-spk-tarball-1.5.0.tgz
    f5-spk-tarball-sha512.txt-1.5.0.sha512.sig
    f5-spk-tarball.tgz-1.5.0.sha512.sig
    
  7. Extract the SPK software images and Helm charts:

    tar xvf f5-spk-images-1.5.0.tgz
    
  8. Recursively list the extracted software images and Helm charts:

    ls -1R
    

    The file list shows a new tar directory containing the software images and Helm charts:

    f5-spk-1.5.0.pem
    f5-spk-crds-common-3.0.2.tgz
    f5-spk-crds-deprecated-3.0.2.tgz
    f5-spk-crds-service-proxy-3.0.2.tgz
    f5-spk-images-1.5.0.tgz
    f5-spk-tarball-1.5.0.tgz
    f5-spk-tarball-sha512.txt-1.5.0.sha512.sig
    f5-spk-tarball.tgz-1.5.0.sha512.sig
    tar
    
    ./tar:
    cwc-0.4.15.tgz
    f5-cert-gen-0.2.4.tgz
    f5-dssm-0.22.12.tgz
    f5-toda-fluentd-1.8.29.tgz
    f5ingress-5.0.29.tgz
    spk-docker-images.tgz
    
  9. Continue to the next section.

Install the CRDs

Use the following steps to extract and install the new SPK CRDs.

  1. List the SPK CRD bundles:

    ls -1 | grep crd
    

    The file list shows three CRD bundles:

    f5-spk-crds-common-3.0.2.tgz
    f5-spk-crds-deprecated-3.0.2.tgz
    f5-spk-crds-service-proxy-3.0.2.tgz
    
  2. Extract the common CRDs from the bundle:

    tar xvf f5-spk-crds-common-3.0.2.tgz
    
  3. Install the full set of common CRDs:

    oc apply -f f5-spk-crds-common/crds
    

    Note the command output: Newly installed CRDs will be indicated by created, and updated CRDs will be indicated by configured:

    f5-spk-addresslists.k8s.f5net.com configured
    f5-spk-dnscaches.k8s.f5net.com created
    f5-spk-portlists.k8s.f5net.com configured
    f5-spk-snatpools.k8s.f5net.com unchanged
    f5-spk-staticroutes.k8s.f5net.com unchanged
    f5-spk-vlans.k8s.f5net.com configured
    
  4. Extract the service-proxy CRDs from the bundle:

    tar xvf f5-spk-crds-service-proxy-3.0.2.tgz
    
  5. Install the full set of service-proxy CRDs:

    oc apply -f f5-spk-crds-service-proxy/crds
    

    Note the command output: Newly installed CRDs will be indicated by created, and updated CRDs will be indicated by configured:

    f5-spk-egresses.k8s.f5net.com configured
    f5-spk-ingressdiameters.k8s.f5net.com unchanged
    f5-spk-ingressngaps.k8s.f5net.com unchanged
    f5-spk-ingresstcps.ingresstcp.k8s.f5net.com unchanged
    f5-spk-ingressudps.ingressudp.k8s.f5net.com unchanged
    
  6. List the installed SPK CRDs:

    oc get crds | grep f5-spk
    

    The CRD listing will contain the full list of CRDs:

    f5-spk-addresslists.k8s.f5net.com             2021-12-23T18:38:45Z
    f5-spk-dnscaches.k8s.f5net.com                2021-12-23T18:41:54Z
    f5-spk-egresses.k8s.f5net.com                 2021-12-23T18:38:45Z
    f5-spk-ingressdiameters.k8s.f5net.com         2021-12-23T18:38:45Z
    f5-spk-ingressgtps.k8s.f5net.com              2021-12-23T18:38:45Z
    f5-spk-ingresshttp2s.k8s.f5net.com            2021-12-23T18:38:45Z
    f5-spk-ingressngaps.k8s.f5net.com             2021-12-23T18:38:45Z
    f5-spk-ingresstcps.ingresstcp.k8s.f5net.com   2021-12-23T18:38:45Z
    f5-spk-ingressudps.ingressudp.k8s.f5net.com   2021-12-23T18:38:45Z
    f5-spk-portlists.k8s.f5net.com                2021-12-23T18:38:45Z
    f5-spk-snatpools.k8s.f5net.com                2021-12-23T18:38:45Z
    f5-spk-staticroutes.k8s.f5net.com             2021-12-23T18:38:45Z
    f5-spk-vlans.k8s.f5net.com                    2021-12-23T18:38:45Z
    

Upload the images

Use the following steps to upload the SPK software images to a local container registry.

  1. Install the SPK images to your workstation’s Docker image store:

    podman load -i tar/spk-docker-images.tgz
    
  2. List the SPK images to be tagged and pushed to the local container registry in the next step:

    podman images local.registry/*
    
    REPOSITORY                              TAG
    local.registry/f5ingress                v5.0.29
    local.registry/spk-cwc                  v0.19.12
    local.registry/f5-license-helper        v0.5.9
    local.registry/f5-debug-sidecar         v5.55.6
    local.registry/tmm-img                  v1.6.5
    local.registry/f5-dssm-store            v1.21.0
    local.registry/rabbit                   v0.1.5
    local.registry/opentelemetry-collector  0.46.0
    local.registry/f5-fluentbit             v0.2.0
    local.registry/f5dr-img                 v0.5.8
    local.registry/f5dr-img-init            v0.5.8
    local.registry/f5-toda-tmstatsd         v1.7.5
    local.registry/f5-fluentbit             v0.1.29
    local.registry/f5-dssm-upgrader         1.0.4
    local.registry/tmrouted-img             v0.8.21
    local.registry/f5-fluentd               v1.4.8
    
  3. Tag and push each image to the local container registry. For example:

    podman tag <local.registry/image name>:<version> <registry>/<image name>:<version>
    
    podman push <registry_name>/<image name>:<version>
    

    In this example, the f5ingress:v5.0.10 image is tagged and pushed to the remote registry registry.com:

    podman tag local.registry/f5ingress:v5.0.10 registry.com/f5ingress:v5.0.10
    
    podman push registry.com/f5ingress:v5.0.10
    
  4. Once all of the images have uploaded, verify the images exist in the local container registry:

    curl -X GET https://<registry>/v2/_catalog -u <user:pass>
    

    For example:

    curl -X GET https://registry.com/v2/_catalog -u spkadmin:spkadmin
    
    "repositories":["f5-debug-sidecar","f5-dssm-store","f5-fluentbit","f5-fluentd","f5-toda-tmstatsd","f5dr-img","f5ingress","tmm-img","tmrouted-img"]}
    

Next step

Continue to the SPK Secrets guide to secure SPK communications.

Feedback

Provide feedback to improve this document by emailing spkdocs@f5.com.