The purpose of this lab guide is to demonstrate Kubernetes Ingress using IngressLink. IngressLink lets modern container application workloads use both BIG-IP Container Ingress Services (CIS) and NGINX Ingress Controller for Kubernetes together. This control-plane solution offers a unified way of working with both technologies from a single interface, combining the strengths of BIG-IP and NGINX.
This architecture diagram demonstrates IngressLink using NodePort.
Minimum versions required to use IngressLink:

| CIS | BIG-IP | NGINX+ IC | AS3 |
|---|---|---|---|
| 2.4+ | v13.1+ | 1.10+ | 3.18+ |
- Recommended AS3 version: 3.25 (repo)
- CIS 2.3 private build (repo)
- NGINX+ IC (repo)
- Product documentation
NGINX requires the Proxy Protocol in order to provide the application pods with the original client IPs.
- Log in to the BIG-IP GUI:
  username: admin
  password: Freiburg123
- On the Main tab, click Local Traffic > iRules.
- View the rule Proxy_Protocol_iRule and verify that the definition matches what is listed below.

```tcl
# Once the server-side (NGINX) connection is up, send a PROXY protocol v1 line
# carrying the original client address/port and the virtual server address/port.
when SERVER_CONNECTED {
    TCP::respond "PROXY TCP[IP::version] [IP::client_addr] [clientside {IP::local_addr}] [TCP::client_port] [clientside {TCP::local_port}]\r\n"
}
```
- Click Update.
- Clone the GitHub repo with our example files:

```bash
git clone https://github.com/kamieliz/IngressLink-Demo.git
```

- Log in to the OpenShift Container Platform from the console:

```bash
oc login -u f5admin -p f5admin
```

- Change directory to the project folder:

```bash
cd IngressLink-Demo/
```
Container Ingress Services (CIS) can be deployed on Kubernetes and OpenShift platforms. The CIS installation may differ based on the resources (for example ConfigMap, Ingress, Routes, and CRDs) used to expose the Kubernetes services. It also depends on the BIG-IP deployment and on the Kubernetes cluster networking. To find out more about installing CIS, check out the documentation here.
- Create the IngressLink Custom Resource Definition schema:

```bash
oc apply -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/config_examples/customResourceDefinitions/customresourcedefinitions.yml
```

- Create a cluster role and cluster role binding on the OpenShift cluster. You can narrow the permissions down to specific resources, namespaces, and more to suit your needs.

```bash
oc apply -f cis/openshift_rbac.yaml
```

- For OpenShift, you need to grant cluster-admin privileges to the BIG-IP service account user with the following command:

```bash
oc adm policy add-cluster-role-to-user cluster-admin -z bigip-ctlr -n kube-system
```
- Review the BIG-IP address, partition, and other details in the CIS deployment file. Custom resource mode must be set to true for IngressLink. We are also deploying in NodePort mode, so the pool member type is set to nodeport.

```bash
nano cis/deployment-k8s-bigip-ctlr-deployment.yaml
```

```yaml
"--bigip-url=https://10.1.1.12:8443"
"--bigip-partition=ocp"
"--pool-member-type=nodeport"
"--custom-resource-mode=true"
```
- Verify the CIS deployment:

```console
$ oc get pods -n kube-system
NAME                                        READY   STATUS    RESTARTS   AGE
k8s-bigip-ctlr-deployment-fd86c54bb-w6phz   1/1     Running   0          41s
```
In phase I, we configured NGINX Ingress Controller and the following components are already installed in this lab:
- a namespace and a service account for Ingress Controller
- cluster role and cluster role binding for the IC service account
- a secret with a TLS certificate and a key for the default server
- Custom resource definitions for the VirtualServer, VirtualServerRoute, TransportServer, Policy and GlobalConfiguration resources.
You can review these yaml files in the NGINX config folder and find additional documentation here on the installation process.
- View the ConfigMap created for NGINX Ingress Controller. In the ConfigMap, enable the Proxy Protocol, which the BIG-IP system will use to pass the client IP and port information to NGINX. For the `set-real-ip-from` key, use the subnet of the IP which the BIG-IP system uses to send traffic to NGINX:

```bash
nano ~/3_demo/webapp_OIDC/8_nginx-config.yaml
```
- Verify that the following is located under the data section (note the space after each colon; `set-real-ip-from:"0.0.0.0/0"` without it is not valid YAML):

```yaml
data:
  proxy-protocol: "True"
  real-ip-header: "proxy_protocol"
  set-real-ip-from: "0.0.0.0/0"
```
- Apply the ConfigMap resource to customize the NGINX configuration:

```bash
oc apply -f ~/3_demo/webapp_OIDC/8_nginx-config.yaml
```
- Edit the Ingress Controller deployment to add the IngressLink arguments. `-ingresslink` references the name of the IngressLink resource, and `-report-ingress-status` enables reporting of Ingress statuses.

```bash
nano nginx-config/deployment-nginx-ingress.yaml
```

Under the args section, uncomment the following:

```yaml
- -ingresslink=nginx-ingress
- -report-ingress-status
```

Note: the label `app: ingresslink` is also used in the Ingress Controller service.
- Create an IngressClass resource (for Kubernetes >= 1.18):

```bash
oc apply -f nginx-config/ingress-class.yaml
```
Note: The Ingress Controller will fail to start without an IngressClass resource
- Review the NodePort service for the Ingress Controller pods. This service is used to reach the Ingress Controller on ports 80 and 443.

```bash
nano nginx-config/service-nginx-ingress.yaml
```
- Verify the NGINX Ingress deployment. When you run the Ingress Controller as a Deployment, Kubernetes creates one Ingress Controller pod by default.

```console
$ oc get pods -n nginx-ingress
NAME                             READY   STATUS    RESTARTS   AGE
nginx-ingress-744d95cb86-xk2vx   1/1     Running   0          16s
```
- Update the `virtualServerAddress` parameter in the ingresslink.yaml resource. This IP address will be used to configure the BIG-IP device: it accepts traffic and load balances it among the NGINX Ingress Controller pods.

```bash
nano ingresslink.yaml
```

```yaml
virtualServerAddress: "10.1.1.12"
```

Note: the `app` label selector in the IngressLink resource must match the labels of the nginx-ingress service from section 4.
- Apply the updates to the IngressLink resource:

```bash
oc apply -f ingresslink.yaml
```

- To test the integration, deploy a sample application:

```bash
oc apply -f ingress-example/cafe.yaml
```

- Create a secret with an SSL certificate and a key:

```bash
oc apply -f ingress-example/cafe-secret.yaml
```

- Create an Ingress resource:

```bash
oc apply -f ingress-example/cafe-ingress.yaml
```
- The Ingress Controller pods are behind the IP configured in step 1. Access the coffee service to test traffic by running the following command:

```console
$ curl --resolve cafe.example.com:443:10.1.1.12 https://cafe.example.com:443/coffee --insecure
Server address: 10.244.0.18:80
Server name: coffee-7586895968-r26zn
...
```

- Access the tea service similarly:

```console
$ curl --resolve cafe.example.com:443:10.1.1.12 https://cafe.example.com:443/tea --insecure
Server address: 10.244.5.15:8080
Server name: tea-6fb46d899f-9j4zj
...
```
- You can also access the application from the browser
- View the requests in the NGINX dashboard under cafe.example.com
Related documentation:

- Using with F5 BIG-IP Container Ingress Services | NGINX Ingress Controller
- OpenShift - Installing CIS manually