Better together - F5 Container Ingress Services and NGINX Plus Ingress Controller Integration
Hey ,
Thanks for the article, it's helpful. I'm trying to run through this setup and unfortunately I'm running into problems. I want to preface this by saying I am using the open-source version of NGINX. I know that this tutorial is based off of nginx-plus but I don't see anything obvious why this wouldn't work with the open source version. Please correct me if I'm wrong.
So I am able to get to the point where the big-ip controller on my Kubernetes cluster creates a virtual server, node pool and my nodes. The nodes created on the F5 are created using the NGINX pod's Cluster IPs. The nodes are shown as "down" -- as expected, as I see in your screenshot they're also down and the F5 doesn't know how to ping the pods.
When trying to hit my website via web browser, I get "ERR_CONNECTION_TIMED_OUT".
Here are the configuration args I am setting on my big-ip-controller:
```yaml
- --credentials-directory=/var/run/secrets/credentials
- --bigip-url=xxxxx
- --pool-member-type=cluster
- --bigip-partition=$(BIGIP_PARTITION)
- --insecure=true
- --manage-ingress=false
- --as3-validation=true
- --manage-configmaps=true
- --log-as3-response=true
```
My ConfigMap for the AS3 declaration is the same as yours except that I changed the client certificate. I have tried the original ConfigMap as well, no luck there.
Here is what my NGINX Service looks like:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: ali-service
  namespace: xxx
  labels:
    cis.f5.com/as3-tenant: Nginx_IC
    cis.f5.com/as3-app: Nginx_IC_vs
    cis.f5.com/as3-pool: Nginx_IC_pool
spec:
  type: ClusterIP
  ports:
  - port: 443
    targetPort: 443
    protocol: TCP
    name: https
  selector:
    app: nginx-ingress
    component: controller
    release: nginx-ingress
```
And finally, I did try making my service a `NodePort` (instead of ClusterIP) to make sure that I can reach my service via NGINX. This works. I've reverted the change back to ClusterIP.
I'm not exactly sure what I'm doing wrong and I would appreciate some guidance on what to check.
My company does have an F5 support plan so if you think a ticket would be better, I can get one going. Alternatively, if you have a moment to respond here or on a phone call that would work for me as well.
Thanks Chris!
Edit: One thing I want to point out is my nodes on the F5 are created in the "Common" partition, not in the "NGINX_IC" partition. It's hard to tell whether it should be created in the NGINX_IC partition. Either way, the Node Pool is referencing the nodes. But I don't know if this is contributing to my problem.
Edit 2: I think I understand where I'm going wrong, now that I think of it. My cluster CNI is flannel and I'm using host-gw. When running the big-ip controller in "cluster" mode, you're essentially integrating the F5 within the overlay network, which means I need to be running VXLAN. Can I confirm with you, Chris, that host-gw won't work? I think this is an obvious no because then the big-ip controller adds your actual Kubernetes VM nodes to the F5 node pool, not the pods of the nginx controller. I've tried setting the controller mode to "nodeport" which also doesn't seem to work. Thanks!