Cascading Configs Tool for F5 Distributed Cloud Managed Service Provider (MSP) and Delegated Access Customers
A new tool has been released that enables F5 Distributed Cloud Managed Service Provider customers or customers with Delegated Access to push and maintain shared configurations to any of their Child Tenants.
Managing configurations for multiple Child Tenants can be a time-consuming effort and can introduce human error in large environments. Using the new XC-Cascading-Configs Tool can simplify this effort and help enforce good configuration integrity when used with a source code repository.
F5 Distributed Cloud supports access models for Managed Service Providers and, similarly, Delegated Access. These features allow customers to manage the configuration of multiple Child Tenants without the need to authenticate directly to each tenant. When managing multiple tenants, there could be a need to provide a configuration standard for certain objects. These managed configuration files could be used to help the Child Tenant users with initial object setup, or they could be used by the managing tenant to deploy needed objects, like a log receiver that sends all Child Tenant logs to a SIEM. Managing these configuration objects from the F5 Distributed Cloud Console is time-consuming and does not currently scale.
To help MSP and Delegated Access customers manage global configurations, the 'xc-cascading-configs' tool was created. This tool is written in Python and is publicly available on GitHub.
https://github.com/f5devcentral/xc-cascading-configs
The README file contains detailed instructions on environment setup and usage. Below is a quick overview of a few of the usages of the tool to help demonstrate its features.
Example Use Cases
List Child Tenants
Listing all Child Tenants is a good way to confirm that the API Token is correct and that MSP or DA is set up correctly. The output lists all Child Tenants the root tenant has access to.
python3 config-sync/config-sync.py --config config/prod-config.json --listChildTenants
Replicate Global Log Receiver to all Child Tenants
This example syncs a config object stored in the root tenant, named 'global-template', to all Child Tenants. This is useful if the managing root tenant contains the object that should be shared with all the Child Tenants.
python3 config-sync/config-sync.py --config config/prod-config.json --configType log_receiver --namedConfig 'global-template'
Replicate Global Log Receiver to specific Child Tenant
This example does the same as the previous example except it will only deploy the configuration to the listed Child Tenants. This would be helpful for onboarding a new Child Tenant so the existing tenants are not changed. A similar effect is possible by setting the tool configuration setting Overwrite to False.
python3 config-sync/config-sync.py --config config/prod-config.json --configType log_receiver --namedConfig 'root-test' --childTenants 'f5-msp-eu'
Replicate local Log Receiver to all Child Tenants
This example uses a local JSON configuration file for the object. This is helpful if a code repository is used to maintain global configs. The file could be stored in the code repository and, on file change, a pipeline runner could execute a variation of the command below to push the changes. This usage does not require the root tenant to contain the configuration object itself. Large Managed Service Providers would likely enjoy this usage due to the accountability and tracking provided by maintaining their global F5 Distributed Cloud configuration files in a code repository.
python3 config-sync/config-sync.py --config config/prod-config.json --configType log_receiver --namedConfigJSON config/log-root.json --namedConfig 'root-test'
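A pipeline runner could wrap the command above in a pre-flight gate such as the following. This is an added example, not code from the xc-cascading-configs project: the function names are hypothetical, and the paths and flags are the ones used in the commands on this page. It refuses to push a file that is malformed or contains duplicate keys, logs the file's SHA-256 so the job log can be matched to the committed revision, and invokes the tool without a shell.

```python
import hashlib
import json
import subprocess
import sys
from pathlib import Path

# Paths taken from the commands on this page; adjust to the pipeline's checkout.
TOOL = "config-sync/config-sync.py"
TOOL_CONFIG = "config/prod-config.json"


def _no_duplicate_keys(pairs):
    """json hook: reject duplicate keys instead of silently keeping the last one."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def preflight(json_path):
    """Return the file's SHA-256 if it is a non-empty JSON object, else raise ValueError."""
    raw = Path(json_path).read_bytes()
    # json.JSONDecodeError is a ValueError subclass, so callers catch one type.
    doc = json.loads(raw, object_pairs_hook=_no_duplicate_keys)
    if not isinstance(doc, dict) or not doc:
        raise ValueError("expected a non-empty JSON object")
    return hashlib.sha256(raw).hexdigest()


def build_argv(json_path, named_config, config_type="log_receiver"):
    """Build the command as an argument list so no value is parsed by a shell."""
    return [sys.executable, TOOL, "--config", TOOL_CONFIG,
            "--configType", config_type,
            "--namedConfigJSON", str(json_path),
            "--namedConfig", named_config]


def push(json_path, named_config, run=subprocess.run):
    """Validate, record the digest, then run the tool; a non-zero exit fails the job."""
    digest = preflight(json_path)
    print(f"pushing {json_path} sha256={digest} as {named_config!r}")
    run(build_argv(json_path, named_config), check=True)
    return digest


if __name__ == "__main__":
    push("config/log-root.json", "root-test")
```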