
My first CRD deployment with CIS

Summary

F5 Container Ingress Services (CIS) now supports the use of Custom Resource Definitions (CRDs) in Kubernetes (K8s) as a method for configuring services on the BIG-IP. This article walks through my first deployment and what I learned.

Goal of this article

The goal of this article is to demonstrate that you can easily configure services on BIG-IP using CRDs. Because you are creating Kubernetes resources, configuring services on F5 BIG-IP this way feels like a native Kubernetes experience.

Other ways to configure BIG-IP from K8s

Before F5 CIS supported CRDs, you could already use Ingress resources or ConfigMap resources to create VIPs and pool members on F5. CRDs now give us a new way.

As I found in my first deployment, the advantage of CRDs over Ingress resources is that F5 can develop their own CRD and have more attributes that can map to configurations in BIG-IP. And again based on my first impressions, the advantage of CRDs over ConfigMaps is that you don't need to create an AS3 declaration yourself. You now get to do that via a Kubernetes resource. This table summarizes my opinion only:

Overview of my demo architecture

Here's an image of the cloud infrastructure I built. Basically I have a pair of BIG-IP devices in Active/Standby config, and the K8s cluster is integrated via CIS.

Here's a more application-focused image of what is deployed. NGINX Ingress Controller (open source version) is used here as an ingress controller running inside Kubernetes.


What is this resource of kind VirtualServer doing?

Here is the definition of my VirtualServer resource and the related TLSProfile resource:


apiVersion: "cis.f5.com/v1"
kind: VirtualServer
metadata:
  name: hello-world-virtual-server
  namespace: nginx-ingress
  labels:
    f5cr: "true"
spec:
  tlsProfileName: hello-world-tls  # --> This will attach hello-world-tls TLSProfile
  virtualServerAddress: "10.0.2.100"
  pools:
  - path: /
    service: nginx-ingress
    servicePort: 80
    monitor:
      type: http
      interval: 10
      timeout: 31
      send: "/"
---
apiVersion: cis.f5.com/v1
kind: TLSProfile
metadata:
  name: hello-world-tls
  namespace: nginx-ingress
  labels:
    f5cr: "true"
spec:
  tls:
    termination: edge
    clientSSL: /Common/clientssl
    reference: bigip             # --> reference profiles created in BIG-IP by User
  hosts:
  - hello-world.example.com

Now, the above resources will create objects in the BIG-IP config. I'll take a screenshot of what's created in BIG-IP and highlight some fields that you can see were configured by the resources above.
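Since these two resources create a VIP and attach a BIG-IP client SSL profile straight from Kubernetes, a pre-apply check on the manifests is a useful guardrail. The following is an added example, not part of the original article or of F5's code: the function names, the allowed VIP range, the approved-profile list and the same-namespace lookup of the TLSProfile are assumptions, and the input is the page's two resources rebuilt as parsed dicts.

```python
import ipaddress

# Assumptions (not from the article): the VIP range delegated to this cluster
# and the BIG-IP client SSL profiles that Kubernetes users may attach.
ALLOWED_VIPS = ipaddress.ip_network("10.0.2.0/24")
APPROVED_CLIENT_SSL = {"/Common/clientssl"}

def lint(resources):
    """Return policy findings for parsed VirtualServer/TLSProfile manifests."""
    findings = []
    # Index TLSProfiles by (namespace, name); same-namespace lookup is assumed.
    profiles = {(r["metadata"]["namespace"], r["metadata"]["name"]): r["spec"]
                for r in resources if r["kind"] == "TLSProfile"}
    for r in resources:
        if r["kind"] != "VirtualServer":
            continue
        ns, spec = r["metadata"]["namespace"], r["spec"]
        name = f'{ns}/{r["metadata"]["name"]}'
        if ipaddress.ip_address(spec["virtualServerAddress"]) not in ALLOWED_VIPS:
            findings.append(f"{name}: VIP outside {ALLOWED_VIPS}")
        tls = profiles.get((ns, spec.get("tlsProfileName")))
        if tls is None:
            findings.append(f"{name}: tlsProfileName missing or unresolved in {ns}")
        elif tls["tls"].get("reference") == "bigip" and \
                tls["tls"].get("clientSSL") not in APPROVED_CLIENT_SSL:
            findings.append(f"{name}: clientSSL {tls['tls'].get('clientSSL')} not approved")
        for pool in spec.get("pools", []):
            mon = pool.get("monitor")
            if mon and mon["timeout"] <= mon["interval"]:
                findings.append(f"{name}: monitor timeout <= interval on {pool['service']}")
    return findings

def page_resources():
    """Constructed input: the article's two resources as parsed dicts."""
    meta = lambda n: {"name": n, "namespace": "nginx-ingress", "labels": {"f5cr": "true"}}
    vs = {"kind": "VirtualServer", "metadata": meta("hello-world-virtual-server"),
          "spec": {"tlsProfileName": "hello-world-tls", "virtualServerAddress": "10.0.2.100",
                   "pools": [{"path": "/", "service": "nginx-ingress", "servicePort": 80,
                              "monitor": {"type": "http", "interval": 10, "timeout": 31, "send": "/"}}]}}
    tp = {"kind": "TLSProfile", "metadata": meta("hello-world-tls"),
          "spec": {"tls": {"termination": "edge", "clientSSL": "/Common/clientssl", "reference": "bigip"},
                   "hosts": ["hello-world.example.com"]}}
    return [vs, tp]

if __name__ == "__main__":
    print(lint(page_resources()) or "no findings")
    bad = page_resources()
    bad[0]["spec"]["virtualServerAddress"] = "10.0.9.5"    # constructed: VIP outside the range
    bad[1]["spec"]["tls"]["clientSSL"] = "/Common/custom"  # constructed: unapproved profile
    print(lint(bad))
```

The same function can be run in CI over manifests converted to JSON before they are applied to the cluster.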



Run this demo yourself (code not supported)

Here's a link to my GitHub repo if you want to see the resources created. I've included instructions for deploying this demo environment, for educational purposes only. I'll use this as a tool for showing others, but this will not be a supported solution long term.


Conclusion

You can use CRDs to configure F5 services from within Kubernetes. This means the Kubernetes admins can configure BIG-IP themselves, without the traditional network admin who normally "owns" F5 being involved. This was possible before CRDs (with Ingress, ConfigMap, or Routes in OpenShift), but with CRDs we have a more native-feeling resource that F5 can now extend with future CIS development.


