SPK Software¶
Overview¶
The Service Proxy for Kubernetes (SPK) custom resource definitions (CRDs), software images and installation Helm charts are provided in a single TAR file. An SPK public signing key, and two signature files are also provided to validate the TAR file’s integrity. Once validated and extracted, the software images can be uploaded to a local container registry, and integrated into the cluster using the SPK Helm charts. Finally, the SPK CRDs will be installed into the cluster.
This document describes the SPK software, and guides you through validating, extracting and installing the SPK software components.
Software images¶
The table below lists and describes the software images for this software release. For a full list of software images by release, refer to the Software Releases guide.
Note: The software image name and deployed container name may differ.
| Image | Version | Description |
|---|---|---|
| f5ingress | v12.0.16 | The helm_release-f5ingress container is the custom SPK controller that watches the K8S API for CR updates, and configures the Service Proxy TMM based on the update. |
| tmm-img | v5.1.5 | The f5-tmm container is a Traffic Management Microkernel (TMM) that proxies and load balances application traffic between the external and internal networks. |
| spk-cwc | v5.0.8 | The spk-cwc container enables software licensing, and reports telemetry statistics regarding monthly SPK software CRD usage summaries. Refer to SPK CWC. |
| f5-license-helper | v0.10.1 | The f5-lic-helper communicates with the spk-cwc to determine the current license status of the cluster. |
| rabbit | v5.0.2 | The rabbitmq-server container as a general message bus, integrating SPK CWC with the Controller Pod(s) for licensing purposes. |
| crd-conversion | v1.30.2 | The f5-crd-conversion container handles the automatic conversion of multiple CRD versions based on the specified namespace and version in the cluser, without affecting existing CRs. Refer to CRD Conversion Webhook. |
| tmrouted-img | v0.11.7 | The f5-tmm-tmrouted container proxies and forwards information between the f5-tmm-routing and f5-tmm containers. |
| f5dr-img | v0.10.8 | The f5-tmm-routing container maintains the dynamic routing tables used by TMM. Refer to BGP Overview. |
| f5-cert-client | v2.3.4 | The f5-cert-client container provides an interface for SPK components to request certificates from f5-cert-manager. Additionally, f5-cert-client can provide certificate rotation functionality for those SPK components. |
| f5-toda-tmstatsd | v1.9.11 | The f5-toda-stats container collects application traffic processing statistics from the f5-tmm container, and forwards the data to the f5-fluentbit container. |
| cert-manager-controller | 2.2.3 | The cert-manager-controller manages the generation and rotation of the SSL/TLS certificate that are stored as Secrets, to secure communication between the various CNFs Pods. |
| cert-manager-cainjector | 2.2.3 | The cert-manager-cainjector assists the cert-manager-controller to configure the CA certificates used by the cert-manager-webhook and K8S API. |
| cert-manager-webhook | 2.2.3 | The cert-manager-webhook ensures that SSL/TLS certificate resources created or updated by the cert-manager-contoller conform to the API specifications. |
| f5-fluentbit | v0.8.3 | The fluentbit container collects and forwards statistics to the f5-fluentd container. Multiple versions are included to support the different SPK containers. |
| f5-fluentd | v1.5.6 | The f5-fluentd container collects statistics and logging data from the Controller, TMM and dSSM Pods. Refer to Fluentd Logging. |
| f5-dssm-store | v4.0.2 | Contains two sets of software images; The f5-dssm-db containers that store shared, persisted session state data, and the f5-dssm-sentinel containers to monitor the f5-dssm-db containers. Refer to dSSM database. |
| f5-debug-sidecar | v7.220.1-0.0.1 | The debug container provides diagnostic tools for viewing TMM's configuration, traffic processing statistica and gathering TMM diagnostic data. Refer to Debug Sidecar. |
| opentelemetry-collecto-contib | 0.75.0 | The otel-collector container gathers metrics and statistics from the TMM Pods. Refer to OTEL Collector. |
| f5-dssm-upgrader | v1.2.4 | The dssm-upgrade-hook enables dSSM DBs upgrades without service interruption or data loss. Refer to Upgrading dSSM. |
| f5-l4p-engine | v1.100.27 | The f5-afm-pccd container is an Application Firewall Manager (AFM) instance that converts firewall rules and NAT policies into the binary large objects (BLOBs) used by TMM. |
| spk-csrc | v0.2.17 | The spk-csrc containers (daemon-set) used to support the Calico Egress GW feature. |
| f5-csm-qkview | v26.37.21 | The f5-csm-qkview includes the qkview-orchestrator service, which manages requests from CWC to create or download qkview tar files. It communicates with qkview-collect, initiating the process of generating and downloading qkview tar files from containers within a designated namespace. |
CRD Bundles¶
The tables below list the SPK CRD bundles, and describe the SPK CRs they support.
f5-spk-crds-service-proxy-7.0.3.tgz
| CRD | CR |
|---|---|
| f5-spk-egress | F5SPKEgress - Enable egress traffic for Pods using SNAT or DNS/NAT46. |
| f5-spk-ingresstcp | F5SPKIngressTCP - Layer 4 TCP application traffic management. |
| f5-spk-ingressudp | F5SPKIngressUDP - Layer 4 UDP application traffic management. |
| f5-spk-ingressgtp | F5SPKIngressGTP - GTP traffic management. |
| f5-spk-ingressngap | F5SPKIngressNGAP - Datagram load balancing for SCTP or NGAP signaling. |
| f5-spk-ingresssip | F5SPKIngressSip - Ingress SIP application traffic management. |
| f5-spk-ingressHTTP2 | F5SPKIngressHTTP2 - HTTP/2 application traffic management. |
| f5-spk-ingressdiameter | F5SPKIngressDiameter - Diameter traffic management using TCP or SCTP. |
| f5-spk-ingressegressudp | F5SPKIngressEgressUDP - Ingress UDP traffic management, enabling VIP source address responses. |
f5-spk-crds-common.7.0.3.tgz
| CRD | CR |
|---|---|
| f5-spk-vlan | F5SPKVlan - TMM interface configuration: VLANs, Self IP addresses, MTU sizes, etc. |
| f5-spk-dnscache | F5SPKDnscache - Referenced by the F5SPKEgress CR to provide DNS caching. |
| f5-spk-snatpool | F5SPKSnatpool - Allocates IP addresses for egress Pod connections. |
| f5-spk-staticroute | F5SPKStaticRoute - Provides TMM static routing table management. |
| f5-spk-addresslist | Not currently in use. |
| f5-spk-portlist | Not currently in use. |
f5-spk-crds-deprecated.7.0.3.tgz
A bundle containing the deprecated CRDs, beginning with SPK software version 1.4.3.
Requirements¶
Ensure you have:
Procedures¶
Extract the images¶
Use the following steps to validate the SPK tarball, and extract the software images, installation Helm charts, and CRDs.
Create a new directory for the SPK files:
mkdir <directory>In this example, the new directory is named spkinstall:
mkdir spkinstallMove the SPK files into the directory:
mv f5-spk-tarball* f5-spk-1.9.1.pem spkinstall
Change into the directory and list the files:
cd spkinstall; ls -1
The file list appears as:
f5-spk-1.9.1.pem f5-spk-tarball-1.9.1.tgz f5-spk-tarball-sha512.txt-1.9.1.sha512.sig f5-spk-tarball.tgz-1.9.1.sha512.sig
Use the PEM signing key and each SHA signature file to validate the SPK TAR file:
openssl dgst -verify <pem file>.pem -keyform PEM \ -sha512 -signature <sig file>.sig <tar file>.tgz
The command output states Verified OK for each signature file:
openssl dgst -verify f5-spk-1.9.1.pem -keyform PEM -sha512 \ -signature f5-spk-tarball.tgz-1.9.1.sha512.sig \ f5-spk-tarball-1.9.1.tgz
Verified OKopenssl dgst -verify f5-spk-1.9.1.pem -keyform PEM -sha512 \ -signature f5-spk-tarball-sha512.txt-1.9.1.sha512.sig \ f5-spk-tarball-1.9.1.tgz
Verified OKExtract the SPK CRD bundles and the software image TAR file:
tar xvf f5-spk-tarball-1.9.1.tgz
List the newly extracted files:
ls -1The file list shows the CRD bundless and the SPK image TAR file named f5-spk-images-1.9.1.tgz:
f5-spk-1.9.1.pem f5-spk-crds-common-7.0.3.tgz f5-spk-crds-deprecated-7.0.3.tgz f5-spk-crds-service-proxy-7.0.3.tgz f5-spk-images-1.9.1.tgz f5-spk-tarball-1.9.1.tgz f5-spk-tarball-sha512.txt-1.9.1.sha512.sig f5-spk-tarball.tgz-1.9.1.sha512.sig
Extract the SPK software images and Helm charts:
tar xvf f5-spk-images-1.9.1.tgz
Recursively list the extracted software images and Helm charts:
ls -1RThe file list shows a new tar directory containing the software images and Helm charts:
f5-spk-1.9.1.pem f5-spk-crds-common-7.0.3.tgz f5-spk-crds-deprecated-7.0.3.tgz f5-spk-crds-service-proxy-7.0.3.tgz f5-spk-images-1.9.1.tgz f5-spk-tarball-1.9.1.tgz f5-spk-tarball-sha512.txt-1.9.1.sha512.sig f5-spk-tarball.tgz-1.9.1.sha512.sig tar ./tar: csrc-0.4.10.tgz cwc-5.0.8.tgz f5-cert-gen-0.9.2.tgz f5-cert-manager-0.22.10.tgz f5-crdconversion-0.4.14.tgz f5-dssm-4.0.5.tgz f5-toda-fluentd-7.0.5.tgz f5ingress-12.0.16.tgz log-doc-f5ingress-12.0.16.tgz rabbitmq-7.0.2.tgz spk-docker-images.tgz
Continue to the next section.
Install the CRDs¶
Use the following steps to extract and install the new SPK CRDs.
List the SPK CRD bundles:
ls -1 | grep crd
The file list shows three CRD bundles:
f5-spk-crds-common-7.0.3.tgz f5-spk-crds-deprecated-7.0.3.tgz f5-spk-crds-service-proxy-7.0.3.tgz
Install the full set of common CRDs using Helm install:
helm install crd-common tar/f5-spk-crds-common-7.0.3.tgz -f crd-values.yaml
Example: crd-values.yaml file (We only need to use this namespace parameter when CRD Conversion is deployed in a non-default namespace. The value of the namespace parameter should match the namespace in which CRD Conversion is deployed.)
conversion: namespace: spk-crdconversion
Note the command output: Newly installed CRDs will be indicated by created, and updated CRDs will be indicated by configured:
f5-spk-addresslists.k8s.f5net.com configured f5-spk-dnscaches.k8s.f5net.com created f5-spk-portlists.k8s.f5net.com configured f5-spk-snatpools.k8s.f5net.com unchanged f5-spk-staticroutes.k8s.f5net.com unchanged f5-spk-vlans.k8s.f5net.com configured
Install the full set of service-proxy CRDs using Helm install:
helm install crd-proxy tar/f5-spk-crds-service-proxy-7.0.3.tgz -f crd-values.yaml
Example: crd-values.yaml file (We only need to use this namespace parameter when CRD Conversion is deployed in a non-default namespace. The value of the namespace parameter should match the namespace in which CRD Conversion is deployed.)
conversion: namespace: spk-crdconversion
Note the command output: Newly installed CRDs will be indicated by created, and updated CRDs will be indicated by configured:
f5-spk-egresses.k8s.f5net.com configured f5-spk-ingressdiameters.k8s.f5net.com unchanged f5-spk-ingressngaps.k8s.f5net.com unchanged f5-spk-ingresstcps.ingresstcp.k8s.f5net.com unchanged f5-spk-ingressudps.ingressudp.k8s.f5net.com unchanged
List the installed SPK CRDs:
oc get crds | grep f5-spk
The CRD listing will contain the full list of CRDs:
f5-spk-addresslists.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-dnscaches.k8s.f5net.com 2021-12-23T18:41:54Z f5-spk-egresses.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-ingressdiameters.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-ingressgtps.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-ingresshttp2s.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-ingressngaps.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-ingresstcps.ingresstcp.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-ingressudps.ingressudp.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-portlists.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-snatpools.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-staticroutes.k8s.f5net.com 2021-12-23T18:38:45Z f5-spk-vlans.k8s.f5net.com 2021-12-23T18:38:45Z
Upload the images¶
Use the following steps to upload the SPK software images to a local container registry.
Install the SPK images to your workstation’s Docker image store:
podman load -i tar/spk-docker-images.tgz
List the SPK images to be tagged and pushed to the local container registry in the next step:
podman images --format "table {{.Repository}} {{.Tag}} {{.ID}}"
REPOSITORY TAG IMAGE ID local.registry/f5ingress v12.0.16 c448afdc3135 local.registry/f5-license-helper v0.10.1 0ef905f88a1c local.registry/spk-cwc v5.0.8 c51f2697e9e4 local.registry/rabbit v5.0.2 d6d36e450243 local.registry/tmm-img v5.1.5 a4945dcd1ffb local.registry/spk-csrc v0.2.17 7e66d82adc45 local.registry/f5-debug-sidecar v7.220.1-0.0.1 4233402f8d40 local.registry/f5dr-img-init v0.10.8 aee2d50b3b00 local.registry/f5-cert-client v2.3.4 6bcc294db104 local.registry/f5dr-img v0.10.8 ade683900ea8 local.registry/tmrouted-img v0.11.7 ab56eeb03990 local.registry/f5-fluentd v1.5.6 0bb4e5abb899 local.registry/crd-conversion v1.30.2 e9fa661b8852 local.registry/cert-manager-ctl 2.2.3 48f768b562b4 local.registry/cert-manager-webhook 2.2.3 edec31deeece local.registry/cert-manager-cainjector 2.2.3 100c82bbf515 local.registry/cert-manager-controller 2.2.3 86b90770dd0b local.registry/init-certmgr v0.22.10 f81e8552defa local.registry/f5-toda-tmstatsd v1.9.11 7b8aef1eb4b1 local.registry/f5-dssm-upgrader 1.2.4 f4958f6209f2 local.registry/f5-dssm-store v4.0.2 744f5a81dc10 local.registry/f5-l4p-engine v1.100.27 f8c32f4269ff local.registry/opentelemetry-collector-contrib 0.75.0 00fe8f105583 local.registry/f5-fluentbit v0.8.3 fd4bc327efb8 local.registry/f5-csm-qkview v26.37.21 1a7c5f3ab704
Tag and push each image to the local container registry. For example:
podman tag <local.registry/image name>:<version> <registry>/<image name>:<version>
podman push <registry_name>/<image name>:<version>
In this example, the f5ingress:v12.0.16 image is tagged and pushed to the remote registry registry.com:
podman tag local.registry/f5ingress:v12.0.16 registry.com/f5ingress:v12.0.16
podman push registry.com/f5ingress:v12.0.16
Once all of the images have uploaded, verify the images exist in the local container registry:
curl -X GET https://<registry>/v2/_catalog -u <user:pass>
For example:
curl -X GET https://registry.com/v2/_catalog -u spkadmin:spkadmin
"repositories":["f5-debug-sidecar","f5-dssm-store","f5-fluentbit","f5-fluentd","f5-toda-tmstatsd","f5dr-img","f5ingress","tmm-img","tmrouted-img"]}
Next step¶
Continue to the SPK Cert Manager guide to secure SPK communications.
Feedback¶
Provide feedback to improve this document by emailing spkdocs@f5.com.