Eric_Chen
F5 Employee

Introduction

HashiCorp tools can provide service discovery, monitoring, configuration templates, and secrets for F5 BIG-IP services. We’ll look at an example of using these tools to deploy BIG-IP services that provide high availability, global server load balancing, and security. In this example we will:

  1. Register Services: Add Pool Member #1 and #2 to Consul
  2. Define Services: Store AS3 Template in Consul (define BIG-IP LTM, DNS, ASM services)
  3. Extract Secrets: Use Consul Template to extract Certificate passphrase from Vault
  4. Generate Config: Combine Pool Member, AS3 Template, and Secret
  5. Deploy Services: Consul Template will push AS3 declaration (configurations) to BIG-IP devices




HashiCorp Tools

The HashiCorp tools that we will leverage are:

Consul

Consul will provide an inventory of services (pool members) that the BIG-IP will be using. We will also store configuration information like IP addresses, SSL certificates/keys, and use Consul to monitor the health of the services.


Vault

Vault is a “secret” store. It is responsible for keeping sensitive data, like passwords, in encrypted form. In this example we will store the passphrase that protects the SSL private key in Vault for safekeeping.

Consul Template

Consul Template is a tool that can read data from both Consul and Vault to generate configuration files. This is useful for generating F5 Application Services 3 (AS3) declarations that define the BIG-IP LTM, DNS, and ASM services that we would like to deploy.

Building Out the Demo Environment

1. Register Services

First we need to populate the services that we will use. Here we have deployed two Consul agents, and each agent is responsible for registering and monitoring an NGINX service.



2. Define Services

We also want to use the Consul key/value store to hold additional information: IP addresses, SSL certificates, and a custom AS3 declaration.



The AS3 declaration defines the services that we want (LTM and ASM), but omits details like pool members and certificate passphrases that we will populate later.

3. Extract Secrets

In the previous step we did not store the passphrase for the SSL private key in Consul. Without the passphrase the private key stays encrypted and cannot be used.


We use Vault to store the passphrase and Consul Template to extract the secret value.


This results in the secret value being base64-encoded (not encrypted) in the JSON declaration that will be sent to the BIG-IP, so the rendered declaration should be treated as sensitive until the BIG-IP has stored the passphrase.



4. Generate Config

To populate the pool members, we use a Consul template that iterates over the service instances registered in Consul and outputs an AS3 declaration with the members filled in.

Observe that Consul Template has pulled the pool member IPs from the Consul service registry. We also set the state of each pool member based on the health reported by Consul.

We make use of a separate template for BIG-IP DNS services (GSLB).

5. Deploying Services

Once Consul Template has generated the AS3 declarations, we send them to the BIG-IP devices, which create the services.
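The template below is an added example written for this article, not the template from the screenshots. It covers steps 3 to 5 in one file: it assumes a Consul service named nginx, Consul KV keys bigip/app001/vip, bigip/app001/cert and bigip/app001/key, and a Vault KV v2 secret at secret/data/app001 with a passphrase field (all hypothetical names); it sets each member's adminState from Consul health and base64-encodes the Vault passphrase into the AS3 passphrase object.

```gotemplate
{{/* as3.ctmpl: added example, not the article's template. Assumes a Consul service "nginx",
     KV keys bigip/app001/{vip,cert,key} and a Vault KV v2 secret secret/data/app001 (hypothetical). */}}
{{- $cert := key "bigip/app001/cert" -}}
{{- $privkey := key "bigip/app001/key" -}}
{
  "class": "ADC",
  "schemaVersion": "3.10.0",
  "Tenant_app001": {
    "class": "Tenant",
    "app001": {
      "class": "Application",
      "template": "https",
      "serviceMain": {
        "class": "Service_HTTPS",
        "virtualAddresses": [ {{ key "bigip/app001/vip" | toJSON }} ],
        "pool": "nginx_pool",
        "serverTLS": "webtls"
      },
      "nginx_pool": {
        "class": "Pool",
        "monitors": [ "http" ],
        "members": [
          {{- /* "|any" also returns failing instances, so they are disabled rather than dropped */ -}}
          {{- range $i, $s := service "nginx|any" }}{{ if ne $i 0 }},{{ end }}
          {
            "servicePort": {{ $s.Port }},
            "serverAddresses": [ "{{ $s.Address }}" ],
            "adminState": "{{ if eq $s.Status "passing" }}enable{{ else }}disable{{ end }}"
          }
          {{- end }}
        ]
      },
      "webtls": {
        "class": "TLS_Server",
        "certificates": [ { "certificate": "webcert" } ]
      },
      "webcert": {
        "class": "Certificate",
        {{- /* passphrase first: if the secret is absent the JSON stays valid and AS3 reports a clear key error */ -}}
        {{- with secret "secret/data/app001" }}
        "passphrase": {
          "ciphertext": "{{ .Data.data.passphrase | base64Encode }}",
          "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
        },
        {{- end }}
        "certificate": {{ $cert | toJSON }},
        "privateKey": {{ $privkey | toJSON }}
      }
    }
  }
}
```

Run it as `consul-template -template "as3.ctmpl:as3.json:<push script>"`, where the push script POSTs as3.json to the BIG-IP's `/mgmt/shared/appsvcs/declare` endpoint over HTTPS; consul-template re-renders the file and re-runs the push whenever a member's health or the secret changes. The `toJSON` calls quote the PEM blobs and escape their newlines, which is the usual cause of invalid declarations when certificates are templated by hand.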

Browsing the BIG-IP devices you can see the services deployed.

LTM Services

Pools are populated by pool members that are registered in Consul.


Status is updated if you disable the service on one of the nodes.


The template then updates the pool member to the “disabled” state.


ASM Services

ASM Policy and Logging Profile.


DNS Services

Wide IP deployed.


AS3 Declaration

Fetching the AS3 declaration back from the BIG-IP, you can see that the passphrase has been encrypted using the SecureVault feature of BIG-IP and is no longer in a reversible format.




Templating from 1 to 2 is Easy

In this example we deployed two applications to two BIG-IP devices. Using the same templates we can expand this to four applications and four BIG-IP devices simply by updating our deployment.


In the expanded deployment we have added a second Data Center to Consul and configured a second BIG-IP device to respond to requests for app001.

In review, we leveraged a set of HashiCorp tools to deploy BIG-IP services. If you liked this article, please be sure to also look at “Increase CI/CD velocity through automation integration”.


Last update: 30-Oct-2019 10:48