NGINX(ingress controller)-F5 integration

kunalpuriii
Altocumulus

Hello Team

 

I am working on integrating F5 and NGINX (ingress controller) as per the article below:

https://devcentral.f5.com/s/articles/Better-together-F5-Container-Ingress-Services-and-Nginx-Ingress...  

 

I have created F5 Container Ingress Services as per the link and have a couple of questions:

    - --bigip-username=$(root) --> is this the GUI or CLI username, and does it have to be in brackets, as mentioned?

    - --bigip-password=$(shivshiv) --> is this the GUI or CLI username, and does it have to be in brackets, as mentioned?

    - --bigip-url=https://192.168.178.44:8443 --> do we need port 8443 to be mentioned, or can I just put https://192.168.178.44:

Also added:

    envFrom:

    - configMapRef:

        name: as3-template --> do we need to call the config map here? It's not part of the YAML file in the above link

    - secretRef: --> I have created this using the imperative model; is it OK as Opaque, or do we need to refer to kubernetes.io/service-account.name: bigip-ctlr created for the CIS controller?

        name: bigip-login

--insecure=true (I understand this will allow the session to be established without exchanging a certificate, or is this a requirement?)

 

Once the CIS controller has been created and AS3 has been defined, I understand I will be able to connect with F5 and the initial config can be done as specified in AS3. Is my understanding correct?

 

Also, I have installed the following package; is this a requirement?

f5-appsvcs-3.17.1-1.noarch

 

Most importantly: is this integration supported with open source NGINX, or do we need NGINX+ as the ingress controller?

 

Looking forward to the response.

 

Thanks a lot in advance

 

Kind Regards

Kunal

3 REPLIES

Chris_Zhang
F5 Employee

Hey Kunal,

 

Regarding user/pass, you need to create a secret within k8s and reference that secret in the form of variables in the YAML file. The references are already in place, so please create a secret per this article ( https://clouddocs.f5.com/containers/v2/kubernetes/kctlr-app-install.html#kctlr-initial-setup-bigip ), step 3.

 

For "--bigip-url=<ip_address-or-hostname>", if your BIG-IP has a single interface, the management by default is on port 8443. Use the address that you use to administer the appliance.

 

You do not need to add anything to the ConfigMap as related to your question. If you follow the referenced article, all the prerequisites should be set up and ready to go.

 

--insecure=true means CIS will not validate the certificate presented by the BIG-IP. All traffic is still SSL encrypted.

 

Install a recent version of f5-appsvcs on the BIG-IP, otherwise it won't understand AS3 embedded within the ConfigMap.

 

Once the CIS is able to communicate with the BIG-IP, the AS3 within the ConfigMap will set up everything in the BIG-IP. You do not have to configure anything manually inside the BIG-IP.

 

The integration is meant for NGINX Plus Ingress Controller; the open source NGINX might work as well, but I have not tested it at all.

 

Thanks,

Chris
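The secret-and-variable reference described in the reply above, written out as an added example that is not part of the original thread or the linked article. It assumes the `bigip-login` Secret holds the keys `username` and `password`; the namespace, image tag and partition are placeholders.

```yaml
# Added example. Assumes the Secret was created imperatively, e.g.
#   kubectl create secret generic bigip-login -n kube-system \
#     --from-literal=username=<user> --from-literal=password=<password>
# A generic Secret has type Opaque.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: k8s-bigip-ctlr
  namespace: kube-system              # placeholder namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: k8s-bigip-ctlr
  template:
    metadata:
      labels:
        app: k8s-bigip-ctlr
    spec:
      serviceAccountName: bigip-ctlr  # service account named in the thread
      containers:
        - name: k8s-bigip-ctlr
          image: "f5networks/k8s-bigip-ctlr:<version>"   # placeholder tag
          env:
            - name: BIGIP_USERNAME
              valueFrom:
                secretKeyRef: {name: bigip-login, key: username}
            - name: BIGIP_PASSWORD
              valueFrom:
                secretKeyRef: {name: bigip-login, key: password}
          command: ["/app/bin/k8s-bigip-ctlr"]
          args:
            # Weak form: literal values are stored in the manifest and in the
            # Deployment object, readable by anyone who can read Deployments:
            #   - "--bigip-username=admin"
            #   - "--bigip-password=<plaintext>"
            # Corrected form: $(NAME) is Kubernetes syntax that expands the
            # env var NAME. The brackets stay; the name inside is the
            # variable name, not the account name.
            - "--bigip-username=$(BIGIP_USERNAME)"
            - "--bigip-password=$(BIGIP_PASSWORD)"
            - "--bigip-url=https://192.168.178.44:8443"
            - "--bigip-partition=<partition>"   # placeholder partition
            # As the reply notes: encrypted, but the BIG-IP certificate is
            # not validated.
            - "--insecure=true"
```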

Thanks for your response, it worked.

 

There are a few things I tweaked: username and password I mentioned as absolute value then variables and the called secret.

 

I removed 8443 from the url of F5.

 

Also, if you can share a working example for NodePort, it would be great. I got this working once, but afterwards the nodes disappeared and it never worked again. I followed a couple of links:

https://clouddocs.f5.com/training/community/containers/html/class2/module1/lab3.html

but no luck.

What is the best way to troubleshoot it?

Also, can you please share data plane forwarding information?

 

In our setup we have created a VIP on F5 which points to a pool which has the IP addresses of the worker nodes, which is different from this integration; in this integration the NGINX pod IPs are getting added.

Normally pod addresses are not advertised outside of the Kubernetes cluster.

 

Do we need to set up routing from F5 to reach the pod space via the worker nodes?

 

Thanks

Kunal

 

 

For NodePort, change 'type: ClusterIP' to 'type: NodePort' in the Service definition. It is a k8s construct.

 

Try to delete the AS3 Tenant on the BIG-IP and recreate the CIS pod and apply the ConfigMap again. The new AS3 will usually apply.

 

If you are using NodePort, there is nothing else to be done as there is no CNI. If you are using a CNI, either VXLAN (Flannel) or BGP (Calico), then follow this article ( https://clouddocs.f5.com/containers/v2/ ).