kunalpuriii
Mar 17, 2020

NGINX(ingress controller)-F5 integration

Hello Team,

I am working on integrating F5 and NGINX (ingress controller) as per the article below:

https://devcentral.f5.com/s/articles/Better-together-F5-Container-Ingress-Services-and-Nginx-Ingress-Controller-Integration

I have created F5 Container Ingress Services as per the link and have a couple of questions:

    - --bigip-username=$(root) --> is this the GUI or CLI username, and does it have to be in brackets, as mentioned?

    - --bigip-password=$(shivshiv) --> is this the GUI or CLI username, and does it have to be in brackets, as mentioned?

    - --bigip-url=https://192.168.178.44:8443 --> do we need port 8443 to be mentioned, or can I just put https://192.168.178.44: ?

Also added:

 envFrom:
    - configMapRef:
        name: as3-template  --> do we need to call the config map here? It's not part of the YAML file in the above link
    - secretRef:  --> I have created this using the imperative model; is this OK as Opaque, or do we need to refer to kubernetes.io/service-account.name: bigip-ctlr created for the CIS controller?
        name: bigip-login

--insecure=true (I understand this will allow the session to be established without exchanging certificates, or is this the requirement?)

Once the CIS controller has been created and AS3 has been defined, I understand I will be able to connect with F5 and the initial config can be done as specified in AS3. Is my understanding correct?

Also, I have installed the following package; is this a requirement?

f5-appsvcs-3.17.1-1.noarch

Most importantly: Is this integration supported with open source NGINX, or do we need NGINX+ as the ingress controller?

Looking forward to the response.

Thanks a lot in advance.

Kind Regards

Kunal

  • Hey Kunal,

    Regarding user/pass, you need to create a secret within k8s and reference that secret in the form of variables in the YAML file. The references are already in place, so please create a secret per this article ( https://clouddocs.f5.com/containers/v2/kubernetes/kctlr-app-install.html#kctlr-initial-setup-bigip ), step 3.

    For "--bigip-url=<ip_address-or-hostname>", if your BIG-IP has a single interface, the management by default is on port 8443. Use the address that you use to administer the appliance.

    You do not need to add anything to the ConfigMap as related to your question. If you follow the referenced article, all the prerequisites should be set up and ready to go.

    --insecure=true means CIS will not validate the certificate presented by the BIG-IP. All traffic is still SSL encrypted.

    Install a recent version of f5-appsvcs on the BIG-IP, otherwise it won't understand AS3 embedded within the ConfigMap.

    Once the CIS is able to communicate with the BIG-IP, the AS3 within the ConfigMap will set up everything in the BIG-IP. You do not have to configure anything manually inside the BIG-IP.

    The integration is meant for NGINX Plus Ingress Controller; the Open Source Nginx might work as well, but I have not tested it at all.

    Thanks,

    Chris

    • kunalpuriii

      Thanks for your response, it worked.

      There are a few things I tweaked: I mentioned the username and password as absolute values rather than variables and the called secret.

      I removed 8443 from the URL of F5.

      Also, if you can share a working example for NodePort, it will be great. I got this working once, but afterwards the nodes disappeared and it never worked again. I followed a couple of links

      https://clouddocs.f5.com/training/community/containers/html/class2/module1/lab3.html

      but no luck.

      What is the best way to troubleshoot it?

      Also, can you please share data plane forwarding information?

      In our setup we have created a VIP on F5 which points to the pool which has the IP addresses of the worker nodes, which is different from this integration; in this integration NGINX pod IPs are getting added.

      Normally pod addresses are not advertised out of the Kubernetes cluster.

      Do we need to set up routing from F5 to reach the pod space via the worker nodes?

      Thanks

      Kunal

      • Chris_Zhang
        Ret. Employee

        For NodePort, change 'type: ClusterIP' to 'type: NodePort' in the Service definition; it is a k8s construct.

        Try to delete the AS3 Tenant on the BIG-IP, recreate the CIS pod, and apply the ConfigMap again; the new AS3 will usually apply.

        If you are using NodePort, there is nothing else to be done as there is no CNI. If you are using a CNI, either VXLAN (Flannel) or BGP (Calico), then follow this article ( https://clouddocs.f5.com/containers/v2/ ).
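
The credential wiring described in the first answer (a Kubernetes secret referenced as variables in the CIS arguments), as an added example that is not part of the thread or of the linked F5 article. The `kube-system` namespace, the `BIGIP_USERNAME`/`BIGIP_PASSWORD` variable names and the angle-bracket values are assumptions or placeholders; `bigip-login`, `bigip-ctlr` and the BIG-IP URL are taken from the posts above.

```yaml
# Added example. Names marked "assumed" do not come from the thread.
apiVersion: v1
kind: Secret
metadata:
  name: bigip-login              # Secret name used in the thread
  namespace: kube-system         # assumed namespace
type: Opaque                     # generic Secret, read below via secretKeyRef
stringData:
  username: "<bigip-user>"       # placeholder
  password: "<bigip-password>"   # placeholder
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr
  namespace: kube-system         # assumed namespace
spec:
  replicas: 1
  selector:
    matchLabels: {app: k8s-bigip-ctlr}
  template:
    metadata:
      labels: {app: k8s-bigip-ctlr}
    spec:
      serviceAccountName: bigip-ctlr   # service account named in the thread
      containers:
        - name: k8s-bigip-ctlr
          image: "f5networks/k8s-bigip-ctlr:<version>"   # tag is a placeholder
          env:
            - name: BIGIP_USERNAME     # assumed variable name
              valueFrom:
                secretKeyRef: {name: bigip-login, key: username}
            - name: BIGIP_PASSWORD     # assumed variable name
              valueFrom:
                secretKeyRef: {name: bigip-login, key: password}
          command: ["/app/bin/k8s-bigip-ctlr"]
          args:
            # $(NAME) is Kubernetes syntax for a container env variable.
            # A name with no matching env entry is passed through unexpanded.
            - "--bigip-username=$(BIGIP_USERNAME)"
            - "--bigip-password=$(BIGIP_PASSWORD)"
            - "--bigip-url=https://192.168.178.44:8443"
            - "--bigip-partition=<partition>"   # placeholder
            # Skips validation of the BIG-IP certificate, as the answer states.
            - "--insecure=true"
```

With this layout the credentials live only in the Secret object, so the Deployment manifest can be stored and reviewed without exposing them.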