My first CRD deployment with CIS
F5 Container Ingress Services (CIS) now supports the use of Custom Resource Definitions (CRD's) in Kubernetes (K8s) as a method for configuring services on the BIG-IP. This article walks through my first time deploying and what I learned.
Goal of this article
The goal of this article is to demonstrate that you can easily configure services on BIG-IP using CRD's, and this makes the configuration of services on F5 BIG-IP feel like a native Kubernetes experience, since you are creating Kubernetes resources.
Other ways to configure BIG-IP from K8s
Before F5 CIS supported CRD's, you could already use Ingress resources or ConfigMap resources to create VIPs and pool members on F5. Using CRD's now gives us a new way.
As I found in my first deployment, the advantage of CRDs over Ingress resources is that F5 can develop their own CRD and have more attributes that can map to configurations in BIG-IP. And again based on my first impressions, the advantage of CRDs over ConfigMaps is that you don't need to create an AS3 declaration yourself. You now get to do that via a Kubernetes resource. This table summarizes my opinion only:
Overview of my demo architecture
Here's an image of the cloud infrastructure I built. Basically I have a pair of BIG-IP devices in Active/Standby config, and the K8s cluster is integrated via CIS.
Here's a more application-focused image of what is deployed. NGINX Ingress Controller (open source version) is used here as an ingress controller running inside Kubernetes.
What is this resource of kind VirtualServer doing?
Here is the definition of my VirtualServer resource and the related TLSProfile resource:
apiVersion: "cis.f5.com/v1" kind: VirtualServer metadata: name: hello-world-virtual-server namespace: nginx-ingress labels: f5cr: "true" spec: tlsProfileName: hello-world-tls # --> This will attach hello-world-tls TLSProfile virtualServerAddress: "10.0.2.100" pools: - path: / service: nginx-ingress servicePort: 80 monitor: type: http interval: 10 timeout: 31 send: "/" --- apiVersion: cis.f5.com/v1 kind: TLSProfile metadata: name: hello-world-tls namespace: nginx-ingress labels: f5cr: "true" spec: tls: termination: edge clientSSL: /Common/clientssl reference: bigip # --> reference profiles created in BIG-IP by User hosts: - hello-world.example.com
Now, the above resources will create objects in the BIG-IP config. I'll take a screenshot of what's created in BIG-IP and highlight some fields that you can see were configured by the resources above.
Run this demo yourself (code not supported)
Here's a link to my Github repo if you want to see the resources created. I've included instructions for deploying this demo environment, for educational purposes only. I'll use this as a tool for showing others but this will not be a supported solution long term.
You can use CRD's to configure F5 services from within Kubernetes. This means the Kubernetes admins can configure BIG-IP themselves, without the traditional network admin who normally "owns" F5 being involved. This was possible before CRD's (with Ingress, ConfigMap, or Routes in OpenShift) but with CRD's we have a more native-feeling resource that F5 can now extend with future CIS development.