SPK Software¶

Overview¶

The Service Proxy for Kubernetes (SPK) custom resource definitions (CRDs), software images and installation Helm charts are provided in a single TAR file. An SPK public signing key, and two signature files are also provided to validate the TAR file’s integrity. Once validated and extracted, the software images can be uploaded to a local container registry, and integrated into the cluster using the SPK Helm charts. Finally, the SPK CRDs will be installed into the cluster.

This document describes the SPK software, and guides you through validating, extracting and installing the SPK software components.

Software images¶

The table below lists and describes the software images for this software release. For a full list of software images by release, refer to the Software Releases guide.

Note: The software image name and deployed container name may differ.

Image	Version	Description
f5ingress	v13.7.1-0.3.22	The helm_release-f5ingress container is the custom SPK controller that watches the K8S API for CR updates, and configures the Service Proxy TMM based on the update.
tmm-img	v10.50.7-0.2.9	The f5-tmm container is a Traffic Management Microkernel (TMM) that proxies and load balances application traffic between the external and internal networks.
spk-cwc	v0.35.0-0.0.5	The spk-cwc container enables software licensing, and reports telemetry statistics regarding monthly SPK software CRD usage summaries. Refer to SPK CWC.
f5-license-helper	v0.12.10-0.0.4	The f5-lic-helper communicates with the spk-cwc to determine the current license status of the cluster.
rabbit	v0.5.9-0.0.11	The rabbitmq-server container as a general message bus, integrating SPK CWC with the Controller Pod(s) for licensing purposes.
crd-conversion	v1.69.3-0.0.5	The f5-crd-conversion container handles the automatic conversion of multiple CRD versions based on the specified namespace and version in the cluser, without affecting existing CRs. Refer to CRD Conversion Webhook.
tmrouted-img	v2.3.0-0.0.3	The f5-tmm-tmrouted container proxies and forwards information between the f5-tmm-routing and f5-tmm containers.
f5dr-img	v3.2.14-0.0.4	The f5-tmm-routing container maintains the dynamic routing tables used by TMM. Refer to BGP Overview.
f5-cert-client	v3.1.2-0.0.3	The f5-cert-client container provides an interface for SPK components to request certificates from f5-cert-manager. Additionally, f5-cert-client can provide certificate rotation functionality for those SPK components.
f5-toda-tmstatsd	v1.11.19-0.0.3	The f5-toda-stats container collects application traffic processing statistics from the f5-tmm container, and forwards the data to the f5-fluentbit container.
f5-toda-observer	v5.7.5-0.1.0	The f5-toda-observer container image is used for three pods: f5-observer-receiver, f5-observer, and f5-observer-operator. These pods work together to efficiently manage the high volume of statistics by collecting, aggregating, and exporting them to the OTEL Collector pod.
cert-manager-controller	v2.3.0	The cert-manager-controller manages the generation and rotation of the SSL/TLS certificate that are stored as Secrets, to secure communication between the various CNFs Pods.
cert-manager-cainjector	v2.3.0	The cert-manager-cainjector assists the cert-manager-controller to configure the CA certificates used by the cert-manager-webhook and K8S API.
cert-manager-webhook	v2.3.0	The cert-manager-webhook ensures that SSL/TLS certificate resources created or updated by the cert-manager-contoller conform to the API specifications.
f5-fluentbit	1.2.8-0.0.5	The fluentbit container collects and forwards statistics to the f5-fluentd container. Multiple versions are included to support the different SPK containers.
f5-fluentd	v2.0.11-0.0.11	The f5-fluentd container collects statistics and logging data from the Controller, TMM and dSSM Pods. Refer to Fluentd Logging.
f5-dssm-store	v5.1.7-0.0.3	Contains two sets of software images; The f5-dssm-db containers that store shared, persisted session state data, and the f5-dssm-sentinel containers to monitor the f5-dssm-db containers. Refer to dSSM database.
f5-debug-sidecar	v10.5.0-0.1.32	The debug container provides diagnostic tools for viewing TMM's configuration, traffic processing statistica and gathering TMM diagnostic data. Refer to Debug Sidecar.
opentelemetry-collector-contrib	0.123.0	The otel-collector container gathers metrics and statistics from the TMM Pods. Refer to OTEL Collector.
f5-dssm-upgrader	:v2.0.17-0.0.3	The dssm-upgrade-hook enables dSSM DBs upgrades without service interruption or data loss. Refer to Upgrading dSSM.
f5-l4p-engine	v1.120.3-10.0.3	The f5-afm-pccd container is an Application Firewall Manager (AFM) instance that converts firewall rules and NAT policies into the binary large objects (BLOBs) used by TMM.
f5-blobd	v1.23.1-0.0.5	The f5-blobd container allows loading binary large objects (BLOBs) into the TMM memory. It is required for AFM use-cases, like firewall and NAT.
spk-csrc	:v0.6.1-0.0.5	The spk-csrc containers (daemon-set) used to support the Calico Egress GW feature.
f5-csm-qkview	v0.10.37-0.0.4	The f5-csm-qkview includes the qkview-orchestrator service, which manages requests from CWC to create or download qkview tar files. It communicates with qkview-collect, initiating the process of generating and downloading qkview tar files from containers within a designated namespace.
f5-toda-observer	v5.7.5-0.1.0	The `f5-toda-observer` container handles the roles of Receiver, Observer Aggregator, Coordinator, and TMM Scraper for secure gRPC-based metric collection, aggregation and export.

CRD Bundles¶

The tables below list the SPK CRD bundles, and describe the SPK CRs they support.

f5-spk-crds-service-proxy-13.7.1-0.3.22.tgz

CRD	CR
f5-spk-egress	F5SPKEgress - Enable egress traffic for Pods using SNAT or DNS/NAT46.
f5-spk-ingresstcp	F5SPKIngressTCP - Layer 4 TCP application traffic management.
f5-spk-ingressudp	F5SPKIngressUDP - Layer 4 UDP application traffic management.
f5-spk-ingressgtp	F5SPKIngressGTP - GTP traffic management.
f5-spk-ingressngap	F5SPKIngressNGAP - Datagram load balancing for SCTP or NGAP signaling.
f5-spk-ingresssip	F5SPKIngressSip - Ingress SIP application traffic management.
f5-spk-ingressHTTP2	F5SPKIngressHTTP2 - HTTP/2 application traffic management.
f5-spk-ingressdiameter	F5SPKIngressDiameter - Diameter traffic management using TCP or SCTP.
f5-spk-ingressegressudp	F5SPKIngressEgressUDP - Ingress UDP traffic management, enabling VIP source address responses.

f5-spk-crds-common-13.7.1-0.3.22.tgz

CRD	CR
f5-spk-vlan	F5SPKVlan - TMM interface configuration: VLANs, Self IP addresses, MTU sizes, etc.
f5-spk-dnscache	F5SPKDnscache - Referenced by the F5SPKEgress CR to provide DNS caching.
f5-spk-snatpool	F5SPKSnatpool - Allocates IP addresses for egress Pod connections.
f5-spk-staticroute	F5SPKStaticRoute - Provides TMM static routing table management.
f5-spk-addresslist	Not currently in use.
f5-spk-portlist	Not currently in use.

f5-spk-crds-deprecated.13.7.1-0.3.22.tgz

A bundle containing the deprecated CRDs, beginning with SPK software version 1.4.3.

Requirements¶

Ensure you have:

Obtained the SPK software tarball.
A local container registry.
A workstation with Podman and OpenSSL.

Procedures¶

Extract the images¶

Use the following steps to validate the SPK tarball, and extract the software images, installation Helm charts, and CRDs.

Create a new directory for the SPK files:
```
mkdir <directory>
```
In this example, the new directory is named spkinstall:
```
mkdir spkinstall
```

Move the SPK files into the directory:

mv f5-bigip-k8s* f5-bigip-k8s-2.1.0-3.1736.1+0.1.27.pem spkinstall

Change into the directory and list the files:

cd spkinstall; ls -1

The file list appears as:

f5-bigip-k8s-2.1.0-3.1736.1+0.1.27.pem
f5-bigip-k8s-2.1.0-3.1736.1+0.1.27.tgz
f5-bigip-k8s-sha512.txt-2.1.0-3.1736.1+0.1.27.sha512.sig
f5-bigip-k8s.tgz-2.1.0-3.1736.1+0.1.27.sha512.sig

Use the PEM signing key and each SHA signature file to validate the SPK TAR file:

openssl dgst -verify <pem file>.pem -keyform PEM \
-sha512 -signature <sig file>.sig <tar file>.tgz

The command output states Verified OK for each signature file:

openssl dgst -verify f5-bigip-k8s-2.1.0-3.1736.1+0.1.27.pem -keyform PEM -sha512 \
-signature f5-bigip-k8s.tgz-2.1.0-3.1736.1+0.1.27.sha512.sig \
f5-bigip-k8s-2.1.0-3.1736.1-0.1.27.tgz

Verified OK

openssl dgst -verify f5-bigip-k8s-2.1.0-3.1736.1+0.1.27.pem -keyform PEM -sha512 \
-signature f5-bigip-k8se-sha512.txt-2.1.0-3.1736.1+0.1.27.sha512.sig \
f5-bigip-k8s-2.1.0-3.1736.1-0.1.27.tgz 

Verified OK

Extract the SPK CRD bundles and the software image TAR file:
```
tar xvf f5-bigip-k8s-2.1.0-3.1736.1+0.1.27.tgz
```

List the newly extracted files:

ls -1

The file list shows the CRD bundles and the SPK image TAR file named f5-bigip-k8s-images-2.1.0-3.1736.1+0.1.27.tgz:

f5-bigip-k8s-2.1.0-3.1736.1+0.1.27.pem
f5-spk-crds-common-13.7.1-0.3.22.tgz
f5-spk-crds-deprecated-13.7.1-0.3.22.tgz
f5-spk-crds-service-proxy-13.7.1-0.3.22.tgz
f5-bigip-k8s-images-2.1.0-3.1736.1+0.1.27.tgz
f5-bigip-k8s-2.1.0-3.1736.1+0.1.27.tgz
f5-cbigip-k8s-sha512.txt-2.1.0-3.1736.1+0.1.27.sha512.sig
f5-bigip-k8s.tgz-2.1.0-3.1736.1+0.1.27.sha512.sig

Extract the SPK software images and Helm charts:

tar xvf f5-bigip-k8s-images-2.1.0-3.1736.1+0.1.27.tgz

Recursively list the extracted software images and Helm charts:

ls -1R

The file list shows a new tar directory containing the software images and Helm charts:

f5-bigip-k8s-2.1.0-3.1736.1+0.1.27.pem
f5-spk-crds-common-13.7.1-0.3.22.tgz
f5-spk-crds-deprecated-13.7.1-0.3.22.tgz
f5-spk-crds-service-proxy-13.7.1-0.3.22.tgz
f5-bigip-k8s-images-2.1.0-3.1736.1+0.1.27.tgz
f5-bigip-k8s-2.1.0-3.1736.1+0.1.27.tgz
f5-bigip-k8s-sha512.txt-2.1.0-3.1736.1+0.1.27.sha512.sig
f5-bigip-k8s.tgz-2.1.0-3.1736.1+0.1.27.sha512.sig
tar

./tar:
csrc-0.9.1-0.3.0.tgz
cwc-0.43.1-0.0.15.tgz
coremond-0.7.56-0.0.5.tgz
dnat-util-v0.5.6.tgz
f5-cert-gen-0.9.3.tgz
f5-cert-manager-0.23.35-0.0.10.tgz
f5-crdconversion-0.23.2-0.1.1.tgz
f5-dssm-1.27.1-0.0.20.tgz
f5-toda-fluentd-1.31.30-0.0.7.tgz
f5ingress-v13.7.1-0.3.22.tgz
log-doc-f5ingress-13.7.1+0.3.22.tgz
rabbitmq-0.6.1-0.0.13.tgz
f5-toda-observer-5.7.5-0.1.0.tgz
cne-docker-images.tgz

Continue to the next section.

Install the CRDs¶

Use the following steps to extract and install the new SPK CRDs.

List the SPK CRD bundles:

ls -1 | grep crd

The file list shows three CRD bundles:

f5-spk-crds-common-13.7.1-0.3.22.tgz
f5-spk-crds-deprecated-13.7.1-0.3.22.tgz
f5-spk-crds-service-proxy-13.7.1-0.3.22.tgz

Install the full set of common CRDs using Helm install:
```
helm install crd-common tar/f5-spk-crds-common-13.7.1-0.3.22.tgz -f crd-values.yaml 
```
Example: crd-values.yaml file (We only need to use this namespace parameter when CRD Conversion is deployed in a non-default namespace. The value of the namespace parameter should match the namespace in which CRD Conversion is deployed.)
```
conversion:
  namespace: spk-crdconversion
```
Note the command output: Newly installed CRDs will be indicated by created, and updated CRDs will be indicated by configured:
```
f5-spk-addresslists.k8s.f5net.com configured
f5-spk-dnscaches.k8s.f5net.com created
f5-spk-portlists.k8s.f5net.com configured
f5-spk-snatpools.k8s.f5net.com unchanged
f5-spk-staticroutes.k8s.f5net.com unchanged
f5-spk-vlans.k8s.f5net.com configured
```
Install the full set of service-proxy CRDs using Helm install:
```
helm install crd-proxy tar/f5-spk-crds-service-proxy-13.7.1-0.3.22.tgz -f crd-values.yaml 
```
Example: crd-values.yaml file (We only need to use this namespace parameter when CRD Conversion is deployed in a non-default namespace. The value of the namespace parameter should match the namespace in which CRD Conversion is deployed.)
```
conversion:
  namespace: spk-crdconversion
```
Note the command output: Newly installed CRDs will be indicated by created, and updated CRDs will be indicated by configured:
```
f5-spk-egresses.k8s.f5net.com configured
f5-spk-ingressdiameters.k8s.f5net.com unchanged
f5-spk-ingressngaps.k8s.f5net.com unchanged
f5-spk-ingresstcps.ingresstcp.k8s.f5net.com unchanged
f5-spk-ingressudps.ingressudp.k8s.f5net.com unchanged
```

List the installed SPK CRDs:

oc get crds | grep f5-spk

The CRD listing will contain the full list of CRDs:

f5-spk-addresslists.k8s.f5net.com             2021-12-23T18:38:45Z
f5-spk-dnscaches.k8s.f5net.com                2021-12-23T18:41:54Z
f5-spk-egresses.k8s.f5net.com                 2021-12-23T18:38:45Z
f5-spk-ingressdiameters.k8s.f5net.com         2021-12-23T18:38:45Z
f5-spk-ingressgtps.k8s.f5net.com              2021-12-23T18:38:45Z
f5-spk-ingresshttp2s.k8s.f5net.com            2021-12-23T18:38:45Z
f5-spk-ingressngaps.k8s.f5net.com             2021-12-23T18:38:45Z
f5-spk-ingresstcps.ingresstcp.k8s.f5net.com   2021-12-23T18:38:45Z
f5-spk-ingressudps.ingressudp.k8s.f5net.com   2021-12-23T18:38:45Z
f5-spk-portlists.k8s.f5net.com                2021-12-23T18:38:45Z
f5-spk-snatpools.k8s.f5net.com                2021-12-23T18:38:45Z
f5-spk-staticroutes.k8s.f5net.com             2021-12-23T18:38:45Z
f5-spk-vlans.k8s.f5net.com                    2021-12-23T18:38:45Z

Upload the images¶

Use the following steps to upload the SPK software images to a local container registry.

Install the SPK images to your workstation’s Docker image store:
```
podman load -i tar/cne-docker-images.tgz
```

List the SPK images to be tagged and pushed to the local container registry in the next step:

podman images --format "table {{.Repository}} {{.Tag}} {{.ID}}"

REPOSITORY                                           TAG                          IMAGE ID
local.registry/f5ingress                             v13.7.1-0.3.22              2359d4cda5d5 
local.registry/f5-license-helper                     v0.12.10-0.0.4              dc88c777701a
local.registry/spk-cwc                               v0.35.0-0.0.5               c1ddcdef1a81
local.registry/rabbit                                v0.5.9-0.0.11               997fbc405b00 
local.registry/tmm-img                               v10.50.7-0.2.9              34943fe3ff7a 
local.registry/spk-csrc                              v0.6.1-0.0.5                7804635e32a1 
local.registry/f5-debug-sidecar                      v10.5.0-0.1.32              8bc999bc1414 
local.registry/f5dr-img-init                         v3.2.14-0.0.4               4c00524e48fc
local.registry/f5-cert-client                        v3.1.2-0.0.3                e602cdd27967
local.registry/f5dr-img                              v3.2.14-0.0.4               4c00524e48fc
local.registry/tmrouted-img                          v2.3.0-0.0.3                b1e2e55f3bec
local.registry/f5-toda-observer                      v5.7.5-0.1.0                a5e839209ae5
local.registry/f5-fluentd                            v2.0.11-0.0.11              beadffcbc1ae
local.registry/crd-conversion                        v1.69.3-0.0.5               36d5b524408a 
local.registry/cert-manager-ctl                      2.2.3                       48f768b562b4
local.registry/cert-manager-webhook                  v2.3.0                      4eb33f2045a9
local.registry/cert-manager-cainjector               v2.3.0                      f1fd7c702b40
local.registry/cert-manager-controller               v2.3.0                      da7a341236d4
local.registry/init-certmgr                          v0.23.35-0.0.10             5dbd66a91443
local.registry/f5-toda-tmstatsd                      v1.11.19-0.0.3              5650c2075de7
local.registry/f5-dssm-upgrader                      v2.0.17-0.0.3               4954ea6e93c1
local.registry/f5-dssm-store                         v5.1.7-0.0.3                ee761b0ef30c
local.registry/f5-l4p-engine                         v1.127.13-0.0.5             a89a004b432d
local.registry/opentelemetry-collector-contrib       0.123.0                     f0eaa24275f0 
local.registry/f5-fluentbit                          v1.2.8-0.0.5                903f121a9198
local.registry/f5-blobd                              v1.23.1-0.0.5               bf051e506625
local.registry/f5-csm-qkview                         v0.10.37-0.0.4              20f5baf32842
local.registry/f5-bdosd                              v0.72.0-0.1.3               9290a9a50b7a
local.registry/f5-version-validator                  v1.0.5-10.0.8               e747d5b73150
local.registry/f5-dwbld                              v1.161.0-0.2.11             207b29dc1df9
local.registry/f5ing-tmm-pod-manager                 v1.0.18-0.0.7               6dbbdd59be46
local.registry/f5-coremond                           v0.7.56-0.0.5               9cb9a186027f 
local.registry/dnsx-img                              v0.10.21-0.0.4              fc933ace082b
local.registry/f5-nsec-ips-daemon                    v3.5.1-0.0.4                37648ce82328
local.registry/cert-manager-startupapicheck          v2.3.0                      b3bed6de8ba9 
local.registry/crdupdater                            v0.4.32-0.0.2               5b3de59f547e
local.registry/f5-downloader                         v0.27.9-0.0.12              d342c1aa5240

Tag and push each image to the local container registry. For example:

podman tag <local.registry/image name>:<version> <registry>/<image name>:<version>

podman push <registry_name>/<image name>:<version>

In this example, the f5ingress:v13.7.1-0.3.22 image is tagged and pushed to the remote registry registry.com:

podman tag local.registry/f5ingress:v13.7.1-0.3.22 registry.com/f5ingress:v13.7.1-0.3.22

podman push registry.com/f5ingress:v13.7.1-0.3.22

Once all of the images have uploaded, verify the images exist in the local container registry:

curl -X GET https://<registry>/v2/_catalog -u <user:pass>

For example:

curl -X GET https://registry.com/v2/_catalog -u spkadmin:spkadmin

"repositories":["f5-debug-sidecar","f5-dssm-store","f5-fluentbit","f5-fluentd","f5-toda-tmstatsd","f5dr-img","f5ingress","tmm-img","tmrouted-img"]}

Next step

Continue to the SPK Cert Manager guide to secure SPK communications.

Supplemental

Feedback

Provide feedback to improve this document by emailing spkdocs@f5.com.

Previous Next