This article reviews my first experience deploying IngressLink, which is a F5 CRD (Custom Resource Definition) in Kubernetes that can automatically configure a Virtual Server on BIG-IP. I have already deployed F5 CIS and NGINX KIC independently, as I did in this previous article. But the IngressLink resource can then quickly configure a VS on BIG-IP where the pool members are the KIC pods running in K8s.
My first impression of IngressLink CRD vs TransportServer CRD
In my previous article I summarized why I feel like CRD's are the way to go. However there are multiple types of CRD's. What makes IngressLink unique? Here's what I can tell so far:
I'll assume you already have a K8s cluster running. If you don't, you can deploy one along with me. I've written a demo to use Azure Kubernetes Service (AKS), and this accompanying demo will set up all the infrastructure you'll need: a VNET in Azure with a pair of F5 VM's, and an AKS cluster with 3 nodes. After this initial set up, whether you deploy an environment yourself or follow this demo, your environment should look like the image below. You have a pair of F5 BIG-IP devices, and an AKS cluster.
A note on Proxy Protocol
In this demo, we'll use Proxy protocol to preserve true source IP all the way to the K8s pod. This is optional, but I've written about it previously and its a handy way to get true source IP when you need it. So in this demo, we'll have an iRule configured within BIG-IP called "Proxy_Protocol_iRule" and we will attach this iRule to the Virtual Server created by the IngressLink resource. We'll then configure NGINX to expect to receive a Proxy protocol header.
I'll admit, I just followed the steps of this online class, but I'll outline the procedure again for this article.
Deploy F5 CIS. If you follow the accompanying demo, you can do this by following the instructions in the Readme. This will set up the F5 CIS instance, which runs inside K8s, to be ready to configure the BIG-IP VE, which runs outside of K8s.
Deploy NGINX Ingress Controller (KIC). Again, if you follow the accompanying demo, you can follow the instructions. Note that the configMap resource called "nginx-config" includes configuration to inform KIC to expect a proxy protocol header appended to incoming connections.
Deploy IngressLink. This means installing the CRD for IngressLink, and then creating a resource of type IngressLink. F5 CIS will notice this and configure a Virtual Server on BIG-IP that matches the configuration you specified in the IngressLink resource, which will include attaching the iRule mentioned above.
Here is a depiction of what IngressLink achieves:
Configuring an application in K8s
You can configure your own, of course, but if you'd like to follow along with the demo, you can configure a simple NGINX "hello world" app by following the instructions in the Readme file.
Putting this all together
After all the above, you should have the following set up:
a K8s cluster and a BIG-IP VE (or pair of VE's).
an application running inside the k8s cluster
NGINX KIC installed and configured, exposing the app within the cluster
F5 CIS installed and configured, configuring the BIG-IP VE(s).
IngressLink resource created for F5 CIS to notice and configure the BIG-IP VE(s) accordingly.
At this point, your environment will look like this. You can send a request to the Virtual Server on F5 BIG-IP and it will be delivered to the app inside K8s via NGINX KIC.
Conclusion - should I use F5 IngressLink?
Hopefully the table above summarizes this nicely, but I think CRD's are the way to go when deploying CIS. As for IngressLink, it's slightly more simple than other CRD types, like TransportServer. So I'd recommend IngressLink if you're looking for the most simple way possible to configure BIG-IP via CIS. Please do reach out if you have questions or comments, thanks!