HashiCorp tools can provide service discovery, monitoring, configuration templates, and secrets for F5 BIG-IP services. We’ll look at an example of using these tools to deploy BIG-IP services that provide high availability, global server load balancing, and security. In this example we will:
Register Services: Add Pool Member #1 and #2 to Consul
Define Services: Store AS3 Template in Consul (define BIG-IP LTM, DNS, ASM services)
Extract Secrets: Use Consul Template to extract Certificate passphrase from Vault
Generate Config: Combine Pool Member, AS3 Template, and Secret
Deploy Services: Consul Template will push AS3 declaration (configurations) to BIG-IP devices
The HashiCorp tools that we will leverage are:
Consul: Service Discovery, Monitoring, Key/Value Store
Consul will provide an inventory of services (pool members) that the BIG-IP will be using. We will also store configuration information like IP addresses, SSL certificates/keys, and use Consul to monitor the health of the services.
Vault is a “secret” store. It is responsible for keeping sensitive data, like passwords, encrypted. In this example we will store the certificate passphrase, used to encrypt the SSL certificate key, in Vault for safe keeping.
Consul Template is a tool that can read data from both Consul and Vault to generate configuration files. This is useful for generating F5 Application Services 3 (AS3) declarations that define the BIG-IP LTM, DNS, and ASM services that we would like to deploy.
Building Out the Demo Environment
1. Register Services
First we need to populate the services that we will use. Here we have deployed two Consul agents, and each agent is responsible for registering and monitoring an NGINX service.
2. Define Services
We also want to use the Consul key/value store to hold additional information: IP addresses, SSL certificates, and a custom AS3 declaration.
The AS3 declaration defines the services that we want (LTM and ASM), but omits details like pool members and certificate passphrases that we will populate later.
3. Extract Secrets
In the previous step we did not store the passphrase for the SSL certificate key in Consul. Without the passphrase, the encrypted key stored there stays unusable.
We use Vault to store the passphrase and Consul Template to extract the secret value.
This results in the secret value being base64-encoded in the JSON declaration that will be sent to the BIG-IP.
4. Generate Config
To populate the pool members, we use a Consul template that looks like the following
And outputs the following AS3 declaration
Observe that Consul Template has pulled the pool member IPs from the Consul service registry. We also update the state of each pool member based on the health reported by Consul.
We make use of a separate template for BIG-IP DNS services (GSLB).
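The two templating steps above (the Vault passphrase from step 3 and the pool members from step 4) can be exercised offline with the following Go program. It is an added example, not code from the original article or from HashiCorp or F5: it drives Go's text/template, which Consul Template is built on, with local stand-ins for the `service`, `secret` and `base64Encode` functions, renders one AS3 tenant, then parses the result back out before it would be pushed. The service name (`nginx`), Vault path (`secret/bigip/cert`), member IPs, tenant and application names, and the passphrase are constructed assumptions, not values from the article.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"text/template"
)

// ServiceEntry stands in for a Consul Template `service` result; Secret for `secret`.
type ServiceEntry struct {
	Address string
	Port    int
	Status  string // Consul's aggregated health: "passing", "warning" or "critical"
}
type Secret struct{ Data map[string]string }

// Constructed sample data standing in for the Consul catalog (the two NGINX
// pool members) and for the assumed Vault KV path holding the key passphrase.
var registry = map[string][]ServiceEntry{"nginx": {
	{Address: "10.0.0.11", Port: 80, Status: "passing"},
	{Address: "10.0.0.12", Port: 80, Status: "critical"},
}}
var vault = map[string]*Secret{"secret/bigip/cert": {Data: map[string]string{"passphrase": "example-passphrase"}}}

// as3Template is an assumed Consul Template snippet for one AS3 tenant; the passphrase
// ciphertext is base64 of the Vault value under AS3's {"alg":"dir","enc":"none"} header.
const as3Template = `{
  "class": "ADC", "schemaVersion": "3.0.0",
  "app001": { "class": "Tenant", "web": { "class": "Application",
    "web_pool": { "class": "Pool", "members": [
{{- range $i, $s := service "nginx" }}{{ if $i }},{{ end }}
      { "servicePort": {{ $s.Port }}, "serverAddresses": ["{{ $s.Address }}"],
        "adminState": "{{ if eq $s.Status "passing" }}enable{{ else }}disable{{ end }}" }
{{- end }}
    ] },
    "web_cert": { "class": "Certificate", "certificate": "PLACEHOLDER-PEM", "privateKey": "PLACEHOLDER-ENCRYPTED-KEY",
      "passphrase": { "ciphertext": "{{ with secret "secret/bigip/cert" }}{{ .Data.passphrase | base64Encode }}{{ end }}",
        "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0" } }
  } }
}`

// as3 is the parsed template with local stand-ins for the Consul Template
// functions; missingkey=error aborts the render on a missing secret field.
var as3 = template.Must(template.New("as3").Funcs(template.FuncMap{
	"service":      func(n string) []ServiceEntry { return registry[n] },
	"secret":       func(p string) *Secret { return vault[p] },
	"base64Encode": func(v string) string { return base64.StdEncoding.EncodeToString([]byte(v)) },
}).Option("missingkey=error").Parse(as3Template))

// RenderDeclaration returns the AS3 JSON that Consul Template would hand on.
func RenderDeclaration() ([]byte, error) {
	var buf bytes.Buffer
	if err := as3.Execute(&buf, nil); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// Summarize parses the rendered declaration back out (proving it is valid JSON) into
// address -> adminState plus the ciphertext exactly as it would travel to the BIG-IP,
// refusing the silent failure modes of a misnamed service or Vault path.
func Summarize(decl []byte) (map[string]string, string, error) {
	var doc struct { // encoding/json matches untagged keys case-insensitively
		App001 struct {
			Web struct {
				WebPool struct {
					Members []struct {
						ServerAddresses []string
						AdminState      string
					}
				} `json:"web_pool"`
				WebCert struct {
					Passphrase struct{ Ciphertext string }
				} `json:"web_cert"`
			}
		}
	}
	if err := json.Unmarshal(decl, &doc); err != nil {
		return nil, "", err
	}
	states := map[string]string{}
	for _, m := range doc.App001.Web.WebPool.Members {
		for _, a := range m.ServerAddresses {
			states[a] = m.AdminState
		}
	}
	ct := doc.App001.Web.WebCert.Passphrase.Ciphertext
	if len(states) == 0 || ct == "" {
		return nil, "", fmt.Errorf("refusing declaration: empty pool or empty passphrase")
	}
	return states, ct, nil
}

func main() {
	out, err := RenderDeclaration()
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

Running it prints the rendered tenant: the member registered as `passing` gets `adminState: enable`, the `critical` one gets `disable`, and the passphrase appears as its base64 form. That `ciphertext` under the `{"alg":"dir","enc":"none"}` header is only an encoding, so until the BIG-IP re-protects it with SecureVault (step 5) the rendered file and its transport to the device deserve the same handling as the secret itself. The `Summarize` step is the check worth keeping in a real pipeline: a misspelled service name or Vault path does not make Consul Template fail, it quietly renders an empty pool or an empty passphrase, and a declaration like that should never reach a device.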
5. Deploy Services
Once Consul Template has generated the AS3 declarations, we send them to the BIG-IP devices to create the services.
Browsing the BIG-IP devices you can see the services deployed.
Pools are populated by pool members that are registered in Consul.
Status is updated if you disable the service on one of the nodes.
The template updates the pool member to the “disabled” state.
ASM Policy and Logging Profile.
Wide IP deployed.
Fetching the AS3 declaration from the BIG-IP you can see that the passphrase is encrypted using the SecureVault feature of BIG-IP and is no longer in a reversible format.
Templating from 1 to 2 is Easy
In this example we deployed two applications to two BIG-IP devices. Using these same templates we can easily expand this to four applications and four BIG-IP devices by updating our deployment.
The following shows where we have added a second Data Center to Consul and configured a second BIG-IP device to respond to requests for app001.