Install BIG-IP Next for Kubernetes (Host) using Helm
Overview
The Service Proxy for Kubernetes (SPK) custom resource definitions (CRDs), software images and installation Helm charts are provided in a single TAR file. An SPK public signing key and two signature files are also provided to validate the TAR file’s integrity. Once validated and extracted, the software images can be uploaded to a local container registry, and integrated into the cluster using the SPK Helm charts. Finally, the SPK CRDs will be installed into the cluster.
This document describes the SPK software, and guides you through validating, extracting and installing the SPK software components.
Software images
The table below lists and describes the software images for this software release. For a full list of software images by release, refer to the Software Releases guide.
Note: The software image name and deployed container name may differ.
| Image | Version | Description |
|---|---|---|
| f5ingress | v14.19.4-0.1.11 | The helm_release-f5ingress container is the custom SPK controller that watches the K8S API for CR updates, and configures the Service Proxy TMM based on the update. |
| tmm-img | v10.98.3-0.11.9 | The f5-tmm container is a Traffic Management Microkernel (TMM) that proxies and load balances application traffic between the external and internal networks. |
| spk-cwc | v0.37.2-0.0.9 | The spk-cwc container enables software licensing, and reports telemetry statistics regarding monthly SPK software CRD usage summaries. Refer to SPK CWC. |
| f5-license-helper | v0.12.20-0.0.9 | The f5-lic-helper communicates with the spk-cwc to determine the current license status of the cluster. |
| rabbit | v0.5.15-0.0.3 | The rabbitmq-server container acts as a general message bus, integrating SPK CWC with the Controller Pod(s) for licensing purposes. |
| crd-conversion | v1.212.9-0.7.2 | The f5-crd-conversion container handles the automatic conversion of multiple CRD versions based on the specified namespace and version in the cluster, without affecting existing CRs. Refer to CRD Conversion Webhook. |
| tmrouted-img | v2.15.3-0.1.0 | The f5-tmm-tmrouted container proxies and forwards information between the f5-tmm-routing and f5-tmm containers. |
| f5dr-img | v3.16.0-0.0.13 | The f5-tmm-routing container maintains the dynamic routing tables used by TMM. Refer to BGP Overview. |
| f5-cert-client | v3.5.9-0.0.2 | The f5-cert-client container provides an interface for SPK components to request certificates from f5-cert-manager. Additionally, f5-cert-client can provide certificate rotation functionality for those SPK components. |
| f5-toda-tmstatsd | v1.11.24-0.0.5 | The f5-toda-stats container collects application traffic processing statistics from the f5-tmm container, and forwards the data to the f5-fluentbit container. |
| f5-toda-observer | v5.22.10-0.2.4 | The f5-toda-observer container image is used for three pods: f5-observer-receiver, f5-observer, and f5-observer-operator. These pods work together to efficiently manage the high volume of statistics by collecting, aggregating, and exporting them to the OTEL Collector pod. |
| cert-manager-controller | v2.5.2 | The cert-manager-controller manages the generation and rotation of the SSL/TLS certificates that are stored as Secrets, to secure communication between the various CNFs Pods. |
| cert-manager-cainjector | v2.5.2 | The cert-manager-cainjector assists the cert-manager-controller to configure the CA certificates used by the cert-manager-webhook and K8S API. |
| cert-manager-webhook | v2.5.2 | The cert-manager-webhook ensures that SSL/TLS certificate resources created or updated by the cert-manager-controller conform to the API specifications. |
| f5-fluentbit | v1.3.9-0.0.4 | The fluentbit container collects and forwards statistics to the f5-fluentd container. Multiple versions are included to support the different SPK containers. |
| f5-fluentd | v2.3.2-0.0.6 | The f5-fluentd container collects statistics and logging data from the Controller, TMM and dSSM Pods. Refer to Fluentd Logging. |
| f5-dssm-store | v5.1.32-0.0.8 | Contains two sets of software images: the f5-dssm-db containers that store shared, persisted session state data, and the f5-dssm-sentinel containers to monitor the f5-dssm-db containers. Refer to dSSM database. |
| f5-debug-sidecar | v10.5.0-0.1.32 | The debug container provides diagnostic tools for viewing TMM's configuration and traffic processing statistics, and for gathering TMM diagnostic data. Refer to Debug Sidecar. |
| opentelemetry-collector-contrib | 0.142.0 | The otel-collector container gathers metrics and statistics from the TMM Pods. Refer to OTEL Collector. |
| f5-dssm-upgrader | v2.0.27-0.0.5 | The dssm-upgrade-hook enables dSSM DBs upgrades without service interruption or data loss. Refer to Upgrading dSSM. |
| f5-l4p-engine | v1.128.7-0.0.5 | The f5-afm-pccd container is an Application Firewall Manager (AFM) instance that converts firewall rules and NAT policies into the binary large objects (BLOBs) used by TMM. |
| f5-blobd | v1.23.14-0.0.8 | The f5-blobd container allows loading binary large objects (BLOBs) into the TMM memory. It is required for AFM use-cases, like firewall and NAT. |
| spk-csrc | v0.7.11-0.0.7 | The spk-csrc containers (daemon-set) are used to support the Calico Egress GW feature. |
| f5-csm-qkview | v0.13.20-0.0.3 | The f5-csm-qkview includes the qkview-orchestrator service, which manages requests from CWC to create or download qkview tar files. It communicates with qkview-collect, initiating the process of generating and downloading qkview tar files from containers within a designated namespace. |
| f5-toda-observer | v5.22.10-0.2.4 | The f5-toda-observer container handles the roles of Receiver, Observer Aggregator, Coordinator, and TMM Scraper for secure gRPC-based metric collection, aggregation and export. |
CRD Bundles
The tables below list the SPK CRD bundles, and describe the SPK CRs they support.
f5-spk-crds-service-proxy-14.19.4-0.1.11.tgz
| CRD | CR |
|---|---|
| f5-spk-egress | F5SPKEgress - Enable egress traffic for Pods using SNAT or DNS/NAT46. |
| f5-spk-ingresstcp | F5SPKIngressTCP - Layer 4 TCP application traffic management. |
| f5-spk-ingressudp | F5SPKIngressUDP - Layer 4 UDP application traffic management. |
| f5-spk-ingressgtp | F5SPKIngressGTP - GTP traffic management. |
| f5-spk-ingressngap | F5SPKIngressNGAP - Datagram load balancing for SCTP or NGAP signaling. |
| f5-spk-ingresssip | F5SPKIngressSip - Ingress SIP application traffic management. |
| f5-spk-ingressHTTP2 | F5SPKIngressHTTP2 - HTTP/2 application traffic management. |
| f5-spk-ingressdiameter | F5SPKIngressDiameter - Diameter traffic management using TCP or SCTP. |
| f5-spk-ingressegressudp | F5SPKIngressEgressUDP - Ingress UDP traffic management, enabling VIP source address responses. |
f5-spk-crds-common-14.19.4-0.1.11.tgz
| CRD | CR |
|---|---|
| f5-spk-vlan | F5SPKVlan - TMM interface configuration: VLANs, Self IP addresses, MTU sizes, etc. |
| f5-spk-dnscache | F5SPKDnscache - Referenced by the F5SPKEgress CR to provide DNS caching. |
| f5-spk-snatpool | F5SPKSnatpool - Allocates IP addresses for egress Pod connections. |
| f5-spk-staticroute | F5SPKStaticRoute - Provides TMM static routing table management. |
| f5-spk-addresslist | Not currently in use. |
| f5-spk-portlist | Not currently in use. |
f5-spk-crds-deprecated-14.19.4-0.1.11.tgz
A bundle containing the deprecated CRDs, beginning with SPK software version 1.4.3.
Requirements
Ensure you have:
Procedures
Extract the images
Use the following steps to validate the SPK tarball, and extract the software images, installation Helm charts, and CRDs.
Create a new directory for the SPK files:
mkdir <directory>
In this example, the new directory is named spkinstall:
mkdir spkinstall
Move the SPK files into the directory:
mv f5-bigip-k8s* f5-bigip-k8s-2.2.0-3.2226.0-0.0.385.pem spkinstall
Change into the directory and list the files:
cd spkinstall; ls -1
The file list appears as:
f5-bigip-k8s-2.2.0-3.2226.0-0.0.385.pem
f5-bigip-k8s-2.2.0-3.2226.0-0.0.385.tgz
f5-bigip-k8s-sha512.txt-2.2.0-3.2226.0-0.0.385.sha512.sig
f5-bigip-k8s.tgz-2.2.0-3.2226.0-0.0.385.sha512.sig
Use the PEM signing key and each SHA signature file to validate the SPK TAR file:
openssl dgst -verify <pem file>.pem -keyform PEM \
  -sha512 -signature <sig file>.sig <tar file>.tgz
The command output states Verified OK for each signature file:
openssl dgst -verify f5-bigip-k8s-2.2.0-3.2226.0-0.0.385.pem -keyform PEM -sha512 \
  -signature f5-bigip-k8s.tgz-2.2.0-3.2226.0-0.0.385.sha512.sig \
  f5-bigip-k8s-2.2.0-3.2226.0-0.0.385.tgz
Verified OK
openssl dgst -verify f5-bigip-k8s-2.2.0-3.2226.0-0.0.385.pem -keyform PEM -sha512 \
  -signature f5-bigip-k8s-sha512.txt-2.2.0-3.2226.0-0.0.385.sha512.sig \
  f5-bigip-k8s-2.2.0-3.2226.0-0.0.385.tgz
Verified OK
Extract the SPK CRD bundles and the software image TAR file:
tar xvf f5-bigip-k8s-2.2.0-3.2226.0-0.0.385.tgz
List the newly extracted files:
ls -1
The file list shows the CRD bundles and the SPK image TAR file named f5-bigip-k8s-images-2.2.0-3.2226.0-0.0.385.tgz:
f5-bigip-k8s-2.2.0-3.2226.0-0.0.385.pem
f5-spk-crds-common-14.19.4-0.1.11.tgz
f5-spk-crds-deprecated-14.19.4-0.1.11.tgz
f5-spk-crds-service-proxy-14.19.4-0.1.11.tgz
f5-bigip-k8s-images-2.2.0-3.2226.0-0.0.385.tgz
f5-bigip-k8s-2.2.0-3.2226.0-0.0.385.tgz
f5-bigip-k8s-sha512.txt-2.2.0-3.2226.0-0.0.385.sha512.sig
f5-bigip-k8s.tgz-2.2.0-3.2226.0-0.0.385.sha512.sig
Extract the SPK software images and Helm charts:
tar xvf f5-bigip-k8s-images-2.2.0-3.2226.0-0.0.385.tgz
Recursively list the extracted software images and Helm charts:
ls -1R
The file list shows a new tar directory containing the software images and Helm charts:
f5-bigip-k8s-2.2.0-3.2226.0-0.0.385.pem
f5-spk-crds-common-14.19.4-0.1.11.tgz
f5-spk-crds-deprecated-14.19.4-0.1.11.tgz
f5-spk-crds-service-proxy-14.19.4-0.1.11.tgz
f5-bigip-k8s-images-2.2.0-3.2226.0-0.0.385.tgz
f5-bigip-k8s-2.2.0-3.2226.0-0.0.385.tgz
f5-bigip-k8s-sha512.txt-2.2.0-3.2226.0-0.0.385.sha512.sig
f5-bigip-k8s.tgz-2.2.0-3.2226.0-0.0.385.sha512.sig
tar
./tar:
coremond-0.10.0-0.2.3.tgz
csrc-0.11.5-0.0.11.tgz
cwc-0.49.7-0.0.16.tgz
dnat-util-v0.5.10+0.0.2.tgz
f5-cert-gen-0.9.3.tgz
f5-cert-manager-0.23.48-0.1.5.tgz
f5-crdconversion-0.61.4-0.0.44.tgz
f5-dssm-1.46.0-0.24.0.tgz
f5-ipam-controller-v1.1.48-0.0.8.tgz
f5-license-proxy-1.29.0-0.10.22.tgz
f5-lifecycle-operator-v2.9.27-0.2.10.tgz
f5-stats_collector-1.0.21-0.0.3.tgz
f5-tmm-15.82.0-0.2.50.tgz
f5-toda-fluentd-2.3.2-0.0.6.tgz
f5-toda-observer-5.22.10-0.2.4.tgz
f5ingress-v15.82.0-0.2.50.tgz
flp-setup-1.29.0-0.10.22.tgz
log-doc-f5ingress-14.19.4+0.1.11.tgz
node-labeler-0.6.9-0.0.3.tgz
rabbitmq-0.8.9-0.0.6.tgz
Continue to the next section.
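The validation and extraction steps above, gathered into a fail-closed script (an added example, not part of the F5 documentation): it checks the exit status of every `openssl dgst -verify` run instead of relying on someone reading `Verified OK`, and it extracts only when all signatures validate. The function names and the pinned-fingerprint argument are assumptions of this example; because the PEM file ships alongside the tarball, the expected fingerprint should come from a trusted source separate from the download, and the PEM is assumed to hold a bare public key.

```shell
#!/bin/sh
# Added example (not F5 code). Function names and the pinned-fingerprint
# argument are assumptions of this example.

# key_fingerprint <pem>: hex SHA-256 of the DER-encoded public key
key_fingerprint() {
    openssl pkey -pubin -in "$1" -noout 2>/dev/null || return 1
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# verify_bundle <pem> <tarball> <sig>...: returns 0 only if every signature validates
verify_bundle() {
    pem=$1; tarball=$2; shift 2
    [ "$#" -gt 0 ] || { echo "no signature files given" >&2; return 2; }
    for sig in "$@"; do
        if ! openssl dgst -verify "$pem" -keyform PEM -sha512 \
                -signature "$sig" "$tarball" >/dev/null 2>&1; then
            echo "FAILED: $sig does not validate $tarball" >&2
            return 1
        fi
        echo "Verified OK: $sig"
    done
}

# verified_extract <expected fingerprint> <pem> <tarball> <destdir> <sig>...
# Extracts into <destdir> only after the key matches the pinned fingerprint
# and every signature file validates the tarball.
verified_extract() {
    want_fp=$1; pem=$2; tarball=$3; dest=$4; shift 4
    got_fp=$(key_fingerprint "$pem") || { echo "cannot read public key $pem" >&2; return 1; }
    [ "$got_fp" = "$want_fp" ] || { echo "key fingerprint mismatch: $got_fp" >&2; return 1; }
    verify_bundle "$pem" "$tarball" "$@" || return 1
    mkdir -p "$dest" && tar xf "$tarball" -C "$dest"
}

# Usage with the file names from this page (the fingerprint is a placeholder):
#   verified_extract <PINNED_SHA256_OF_KEY> \
#       f5-bigip-k8s-2.2.0-3.2226.0-0.0.385.pem \
#       f5-bigip-k8s-2.2.0-3.2226.0-0.0.385.tgz . \
#       f5-bigip-k8s.tgz-2.2.0-3.2226.0-0.0.385.sha512.sig \
#       f5-bigip-k8s-sha512.txt-2.2.0-3.2226.0-0.0.385.sha512.sig
```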
Install the CRDs
Use the following steps to extract and install the new SPK CRDs.
List the SPK CRD bundles:
ls -1 | grep crd
The file list shows three CRD bundles:
f5-spk-crds-common-14.19.4-0.1.11.tgz
f5-spk-crds-deprecated-14.19.4-0.1.11.tgz
f5-spk-crds-service-proxy-14.19.4-0.1.11.tgz
Install the full set of common CRDs using Helm install:
helm install crd-common tar/f5-spk-crds-common-14.19.4-0.1.11.tgz -f crd-values.yaml
Example: crd-values.yaml file (We only need to use this namespace parameter when CRD Conversion is deployed in a non-default namespace. The value of the namespace parameter should match the namespace in which CRD Conversion is deployed.)
conversion:
  namespace: spk-crdconversion
Note the command output: Newly installed CRDs will be indicated by created, and updated CRDs will be indicated by configured:
f5-spk-addresslists.k8s.f5net.com configured
f5-spk-dnscaches.k8s.f5net.com created
f5-spk-portlists.k8s.f5net.com configured
f5-spk-snatpools.k8s.f5net.com unchanged
f5-spk-staticroutes.k8s.f5net.com unchanged
f5-spk-vlans.k8s.f5net.com configured
Install the full set of service-proxy CRDs using Helm install:
helm install crd-proxy tar/f5-spk-crds-service-proxy-14.19.4-0.1.11.tgz -f crd-values.yaml
Example: crd-values.yaml file (We only need to use this namespace parameter when CRD Conversion is deployed in a non-default namespace. The value of the namespace parameter should match the namespace in which CRD Conversion is deployed.)
conversion:
  namespace: spk-crdconversion
Note the command output: Newly installed CRDs will be indicated by created, and updated CRDs will be indicated by configured:
f5-spk-egresses.k8s.f5net.com configured
f5-spk-ingressdiameters.k8s.f5net.com unchanged
f5-spk-ingressngaps.k8s.f5net.com unchanged
f5-spk-ingresstcps.ingresstcp.k8s.f5net.com unchanged
f5-spk-ingressudps.ingressudp.k8s.f5net.com unchanged
List the installed SPK CRDs:
oc get crds | grep f5-spk
The CRD listing will contain the full list of CRDs:
f5-spk-addresslists.k8s.f5net.com 2021-12-23T18:38:45Z
f5-spk-dnscaches.k8s.f5net.com 2021-12-23T18:41:54Z
f5-spk-egresses.k8s.f5net.com 2021-12-23T18:38:45Z
f5-spk-ingressdiameters.k8s.f5net.com 2021-12-23T18:38:45Z
f5-spk-ingressgtps.k8s.f5net.com 2021-12-23T18:38:45Z
f5-spk-ingresshttp2s.k8s.f5net.com 2021-12-23T18:38:45Z
f5-spk-ingressngaps.k8s.f5net.com 2021-12-23T18:38:45Z
f5-spk-ingresstcps.ingresstcp.k8s.f5net.com 2021-12-23T18:38:45Z
f5-spk-ingressudps.ingressudp.k8s.f5net.com 2021-12-23T18:38:45Z
f5-spk-portlists.k8s.f5net.com 2021-12-23T18:38:45Z
f5-spk-snatpools.k8s.f5net.com 2021-12-23T18:38:45Z
f5-spk-staticroutes.k8s.f5net.com 2021-12-23T18:38:45Z
f5-spk-vlans.k8s.f5net.com 2021-12-23T18:38:45Z
Upload the images
Use the following steps to upload the SPK software images to a local container registry.
Install the SPK images to your workstation’s Docker image store:
podman load -i tar/cne-docker-images.tgz
List the SPK images to be tagged and pushed to the local container registry in the next step:
podman images --format "table {{.Repository}} {{.Tag}} {{.ID}}"
REPOSITORY TAG IMAGE ID
local.registry/postgresql 1.29.0-0.10.22 33146b478101
local.registry/ocnos-img-init v0.5.2-0.2.3 3ed421dd7072
local.registry/ocnos-img v0.5.2-0.2.3 dc0f0fea261f
local.registry/crd-installer v14.19.4-0.1.11 f420d0a19877
local.registry/f5ingress v14.19.4-0.1.11 82355b5c7658
local.registry/tmm-img v10.98.3-0.11.9 9490dd619dce
local.registry/f5-env-discovery v2.9.27-0.2.10 2591fecd35b2
local.registry/f5-lifecycle-operator v2.9.27-0.2.10 695a40596e03
local.registry/spk-csrc v0.7.11-0.0.7 a11192114ec7
local.registry/f5-debug-sidecar v10.32.4-0.0.38 48413ed33bef
local.registry/f5-coremond v0.10.0-0.2.3 d79bcd17d156
local.registry/f5dr-img-init v3.16.0-0.0.13 f5483b36a145
local.registry/f5dr-img v3.16.0-0.0.13 b5b316b9d38c
local.registry/f5-l4p-engine v1.128.7-0.0.5 a5aea2addd10
local.registry/f5-downloader v0.31.3-0.0.15 b40d16249863
local.registry/f5-license-helper v0.12.20-0.0.9 c8184a4999d4
local.registry/crd-conversion v1.212.9-0.7.2 770870838adf
local.registry/tmrouted-img v2.15.3-0.1.0 ef9f278dfab2
local.registry/spk-cwc v0.37.2-0.0.9 51fd9b2ae504
local.registry/f5-analyzer v0.0.10-0.0.9 711f15d57574
local.registry/gslb-engine v0.118.4-0.0.5 c117ae8634c8
local.registry/f5-dssm-store v5.1.32-0.0.8 319d509f059f
local.registry/crdupdater v0.5.8-0.0.6 7668d63595dd
local.registry/f5-license-proxy 1.29.0-0.10.22 860dbb315936
local.registry/vault-init 1.29.0-0.10.22 619d0eeca6a4
local.registry/f5-ipam-controller v1.1.48-0.0.8 3e2cd59f38dd
local.registry/f5-blobd v1.23.14-0.0.8 640690cc4937
local.registry/f5-urlcat v0.1.3 928574093319
local.registry/f5-toda-observer v5.22.10-0.2.4 747afbeb8939
local.registry/f5-csm-qkview v0.13.20-0.0.3 245818e3facf
local.registry/init-certmgr v0.23.48-0.1.5 4a52ca218a31
local.registry/f5-dwbld v1.175.3-0.0.11 9533ae7c0842
local.registry/f5-dssm-upgrader v2.0.27-0.0.5 095a2c22f16d
local.registry/cert-manager-startupapicheck v2.5.2 853938930d44
local.registry/cert-manager-webhook v2.5.2 5433789dd400
local.registry/cert-manager-cainjector v2.5.2 c5dd61881611
local.registry/cert-manager-controller v2.5.2 68a5c9b1edd2
local.registry/f5-fqdn-resolver v0.9.5-0.0.3 5a14b599f58d
local.registry/f5-fluentd v2.3.2-0.0.6 38282e68b8cf
local.registry/f5-toda-tmstatsd v1.11.24-0.0.5 ed2a1e6da934
local.registry/f5-nsec-ips-daemon v3.5.18-0.0.4 012a7653f71e
local.registry/dnsx-img v0.10.29-0.0.3 f9e829b104d1
local.registry/f5-bdosd v0.145.0-0.0.4 e8f104b0fdbc
local.registry/gslb-probe-agent v0.31.16-0.0.3 8509ddb4312d
local.registry/f5-cert-client v3.5.9-0.0.2 2640249fdf81
local.registry/f5-fluentbit v1.3.9-0.0.4 ea9c7b89e03a
local.registry/rabbit v0.5.15-0.0.3 564977e0f482
local.registry/f5-eowyn-install v0.5.4-10.0.3 0fadd135a818
local.registry/f5-node-labeler v0.0.20-0.0.3 fbbb3e394290
local.registry/f5ing-tmm-pod-manager v1.2.8-0.0.3 eaa4a988f6ca
local.registry/opentelemetry-collector-contrib 0.142.0 3dcd68bb0726
local.registry/vault 1.21.1 8e5be7f70e02
Tag and push each image to the local container registry. For example:
podman tag <local.registry/image name>:<version> <registry>/<image name>:<version>
podman push <registry>/<image name>:<version>
In this example, the f5ingress:v14.19.4-0.1.11 image is tagged and pushed to the remote registry registry.com:
podman tag local.registry/f5ingress:v14.19.4-0.1.11 registry.com/f5ingress:v14.19.4-0.1.11
podman push registry.com/f5ingress:v14.19.4-0.1.11
Once all of the images have uploaded, verify the images exist in the local container registry:
curl -X GET https://<registry>/v2/_catalog -u <user:pass>
For example:
curl -X GET https://registry.com/v2/_catalog -u spkadmin:spkadmin
{"repositories":["f5-debug-sidecar","f5-dssm-store","f5-fluentbit","f5-fluentd","f5-toda-tmstatsd","f5dr-img","f5ingress","tmm-img","tmrouted-img"]}
Next step
Continue to the SPK Cert Manager guide to secure SPK communications.
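For the tag, push and catalog check in "Upload the images" above, an added example (not part of the F5 documentation) that retags every loaded `local.registry/` image for the target registry and then reports any repository missing from the `/v2/_catalog` response. The function names and the `DRY_RUN` variable are assumptions of this example; the catalog check compares repository names only, not tags.

```shell
#!/bin/sh
# Added example (not F5 code). Function names and DRY_RUN are assumptions.

# retarget <local ref> <registry>: same image name and tag under <registry>
retarget() {
    printf '%s/%s\n' "$2" "${1#local.registry/}"
}

# list_local_refs: one "local.registry/<name>:<tag>" per line for loaded images
list_local_refs() {
    podman images --format '{{.Repository}}:{{.Tag}}' | grep '^local\.registry/'
}

# push_all <registry>: reads refs on stdin, tags and pushes each one.
# With DRY_RUN=1 the podman commands are printed instead of executed.
push_all() {
    while IFS= read -r ref; do
        dst=$(retarget "$ref" "$1")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "podman tag $ref $dst"
            echo "podman push $dst"
        else
            podman tag "$ref" "$dst" </dev/null || return 1
            podman push "$dst" </dev/null || return 1
        fi
    done
}

# missing_repos <catalog json>: reads refs on stdin and prints each repository
# name that does not appear in the registry's /v2/_catalog response
missing_repos() {
    have=$(printf '%s' "$1" | tr -d ' \n' \
        | sed 's/.*"repositories":\[\(.*\)\].*/\1/' | tr ',' '\n' | tr -d '"')
    while IFS= read -r ref; do
        name=${ref#local.registry/}
        name=${name%%:*}
        printf '%s\n' "$have" | grep -qxF "$name" || echo "$name"
    done
}

# Usage (registry.com is the example registry from this page):
#   list_local_refs | push_all registry.com
#   list_local_refs | missing_repos "$(curl -s https://registry.com/v2/_catalog -u <user:pass>)"
```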