Using the F5 Router Plug-in
You are viewing documentation for a release that is no longer supported. The latest supported version of version 3 is [3.11]. For the most recent version 4, see
The F5 router plug-in is provided as a container image and run as a pod, just like the default HAProxy router.
Support relationships between F5 and Red Hat provide a full scope of support for both models of F5 integration: the F5 router plug-in and the F5 BIG-IP Controller for OpenShift. If you are currently using the F5 router plug-in, Red Hat support will provide the initial support and work with F5 support if necessary. If you are currently using the F5 BIG-IP Controller for OpenShift, F5 will provide the initial support and work with Red Hat if necessary.
When deploying the F5 router plug-in, ensure you meet the following requirements:
- An F5 host IP with:
  - Credentials for API access
  - SSH access via a private key
- An F5 user with Advanced Shell access
- A virtual server for HTTP routes:
  - HTTP profile must be http.
- A virtual server with HTTP profile routes:
  - HTTP profile must be http
  - SSL Profile (client) must be clientssl
  - SSL Profile (server) must be serverssl
- For edge integration (not recommended):
  - A working ramp node
  - A working tunnel to the ramp node
- For native integration:
  - A host-internal IP capable of communicating with all nodes on the port 4789/UDP
  - The sdn-services add-on license installed on the F5 host.
Ensure you have .
The F5 router plug-in for OKD supports only the following F5 BIG-IP versions:
- 11.x
- 12.x
The F5 BIG-IP Controller for OpenShift supports the OKD versions found in the F5 BIG-IP Controller for OpenShift releases and versioning page in the F5 documentation.
The following features are not supported with F5 BIG-IP using the F5 router plug-in:
As a prerequisite to working with the F5 router plug-in, two virtual servers (one virtual server each for HTTP and HTTPS profiles, respectively) need to be set up in the F5 BIG-IP appliance.
To set up a virtual server in the F5 BIG-IP appliance, follow the .
While creating the virtual server, ensure the following settings are in place:
- For the HTTP server, set the ServicePort to 'http'/80.
- For the HTTPS server, set the ServicePort to 'https'/443.
- In the basic configuration, set the HTTP profile to /Common/http for both of the virtual servers.
- For the HTTPS server, create a default client-ssl profile and select it for the SSL Profile (Client).
  - To create the default client SSL profile, follow the instructions from F5, especially the Configuring the fallback (default) client SSL profile section, which discusses that the certificate/key pair is the default that will be served in the case that custom certificates are not provided for a route or server name.
Deploy the F5 router plug-in with the oc adm router command, but provide additional flags (or environment variables) specifying the following parameters for the F5 BIG-IP host:
Flag | Description |
---|---|
--type=f5-router | Specifies to launch an F5 router plug-in instead of the default haproxy-router. (the default |
--external-host | Specifies the F5 BIG-IP host’s management interface’s host name or IP address. |
--external-host-username | Specifies the F5 BIG-IP user name (typically admin). The F5 BIG-IP user account must have access to the Advanced Shell (Bash) on the F5 BIG-IP system. |
--external-host-password | Specifies the F5 BIG-IP password. |
--external-host-http-vserver | Specifies the name of the F5 virtual server for HTTP connections. This must be configured by the user prior to launching the router pod. |
--external-host-https-vserver | Specifies the name of the F5 virtual server for HTTPS connections. This must be configured by the user prior to launching the router pod. |
--external-host-private-key | Specifies the path to the SSH private key file for the F5 BIG-IP host. Required to upload and delete key and certificate files for routes. |
--external-host-insecure | A Boolean flag that indicates that the F5 router plug-in does not use strict certificate verification with the F5 BIG-IP host. |
--external-host-partition-path | Specifies the F5 BIG-IP® partition path (the default is /Common). |
For example:
```
$ oc adm router \
    --type=f5-router \
    --external-host=10.0.0.2 \
    --external-host-username=admin \
    --external-host-password=mypassword \
    --external-host-http-vserver=ose-vserver \
    --external-host-https-vserver=https-ose-vserver \
    --external-host-private-key=/path/to/key \
    --host-network=false
```
As with the HAProxy router, the oc adm router command creates the service and deployment configuration objects, and thus the replication controllers and pod(s) in which the F5 router plug-in itself runs. The replication controller restarts the F5 router plug-in in case of crashes. Because the F5 router plug-in is watching routes, endpoints, and nodes and configuring F5 BIG-IP accordingly, running the F5 router in this way, along with an appropriately configured F5 BIG-IP deployment, satisfies high-availability requirements.
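A pre-flight check for the command above, added here as an example (it is not part of the OKD documentation or of the router plug-in). It parses the flags and reports the settings this page treats as security-relevant: a password passed as a literal argument, disabled certificate verification, and use of the shared /Common partition. The function names, check identifiers and messages are assumptions of the example, and --external-host-insecure is the oc adm router flag for the Boolean described in the table.

```python
import shlex

# Host parameters from the flag table; the page marks the private key as required.
REQUIRED = ("--external-host", "--external-host-username",
            "--external-host-http-vserver", "--external-host-https-vserver",
            "--external-host-private-key")

def parse_flags(command):
    """Map each --flag=value token to its value; a bare --flag counts as true."""
    flags = {}
    for token in shlex.split(command.replace("\\\n", " ")):
        if token.startswith("--"):
            name, _, value = token.partition("=")
            flags[name] = value or "true"
    return flags

def audit(command):
    """Return (check_id, message) findings for an F5 `oc adm router` command."""
    flags, findings = parse_flags(command), []
    if flags.get("--type") != "f5-router":
        findings.append(("type", "--type=f5-router is not set"))
    for name in REQUIRED:
        if name not in flags:
            findings.append(("missing", f"{name} is not set"))
    if "--external-host-password" in flags:
        findings.append(("password", "BIG-IP password is a literal argument, "
                         "visible in shell history and process listings"))
    if flags.get("--external-host-insecure", "false").lower() == "true":
        findings.append(("insecure-tls", "strict certificate verification of "
                         "the BIG-IP host is disabled"))
    if flags.get("--external-host-partition-path", "/Common") == "/Common":
        findings.append(("partition", "configuration goes to the shared "
                         "/Common partition, not a dedicated one"))
    return findings

# The example command from this page.
PAGE_EXAMPLE = r"""oc adm router \
    --type=f5-router \
    --external-host=10.0.0.2 \
    --external-host-username=admin \
    --external-host-password=mypassword \
    --external-host-http-vserver=ose-vserver \
    --external-host-https-vserver=https-ose-vserver \
    --external-host-private-key=/path/to/key \
    --host-network=false"""

if __name__ == "__main__":
    for check_id, message in audit(PAGE_EXAMPLE):
        print(f"[{check_id}] {message}")
```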
Partition paths allow you to store your OKD routing configuration in a custom F5 BIG-IP administrative partition, instead of the default /Common partition. You can use custom administrative partitions to secure F5 BIG-IP environments. This means that OKD-specific configuration stored in F5 BIG-IP system objects resides within a logical container, allowing administrators to define access control policies on that specific administrative partition.
See the F5 BIG-IP documentation for more information about administrative partitions.
To configure your OKD for partition paths:
- Optionally, perform some cleaning steps:
  - Ensure F5 is configured to be able to switch to the /Common and /Custom paths.
  - Delete the static FDB of vxlan5000. See the for more information.
- Configure a virtual server for the custom partition.
- To specify a partition path, deploy the F5 router plug-in using the --external-host-partition-path flag:
This section reviews how to set up F5 native integration with OKD. The concepts of the F5 appliance and OKD connection and data flow of the F5 router plug-in are discussed in the section of the Routes topic.
With F5 router plug-in for OKD, you do not need to configure a ramp node for F5 to be able to reach the pods on the overlay network as created by OpenShift SDN.
The F5 router plug-in pod needs to be launched with enough information so that it can successfully directly connect to pods.
Create a ghost hostsubnet on the OKD cluster:

```
$ cat > f5-hostsubnet.yaml << EOF
{
    "kind": "HostSubnet",
    "apiVersion": "v1",
    "metadata": {
        "name": "openshift-f5-node",
        "annotations": {
            "pod.network.openshift.io/assign-subnet": "true",
            "pod.network.openshift.io/fixed-vnid-host": "0"
        }
    },
    "host": "openshift-f5-node",
    "hostIP": "10.3.89.213"
}
EOF
$ oc create -f f5-hostsubnet.yaml
```

The "pod.network.openshift.io/fixed-vnid-host": "0" annotation makes F5 global. The hostIP value is the internal IP of the F5 appliance.

Determine the subnet allocated for the ghost hostsubnet just created:

Check the SUBNET for the newly created hostsubnet. In this example, 10.131.0.0/23.

Get the entire pod network’s CIDR:

```
$ oc get clusternetwork
```

This value will be something like 10.128.0.0/14, noting the mask (14 in this example).

Launch the F5 router plug-in pod, following these instructions. Additionally, allow access to the ‘node’ cluster resource for the service account and use the two new additional options for VXLAN native integration.
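The values gathered in the steps above can be cross-checked before the router pod is launched. The following is an added example, not code from the OKD documentation or the plug-in. It assumes the two VXLAN options are the oc adm router flags --external-host-internal-ip and --external-host-vxlan-gw (not named on this page) and that the gateway is an address inside the ghost subnet written with the pod network's mask. The function name and the host_index parameter are hypothetical.

```python
import ipaddress

def native_integration_flags(cluster_cidr, ghost_subnet, f5_internal_ip,
                             host_index=5):
    """Validate the collected values and build the two VXLAN flags.

    host_index picks which address of the ghost subnet becomes the gateway;
    it is an assumption of this example, not a value taken from the page.
    """
    cluster = ipaddress.ip_network(cluster_cidr)   # from `oc get clusternetwork`
    subnet = ipaddress.ip_network(ghost_subnet)    # SUBNET of the ghost hostsubnet
    f5_ip = ipaddress.ip_address(f5_internal_ip)   # hostIP in f5-hostsubnet.yaml

    # The ghost subnet is allocated out of the pod network, so it must nest in it.
    if not subnet.subnet_of(cluster):
        raise ValueError(f"{subnet} is not inside pod network {cluster}")
    # hostIP is an address the nodes reach on 4789/UDP; if it falls inside the
    # pod network the two address ranges overlap.
    if f5_ip in cluster:
        raise ValueError(f"{f5_ip} overlaps pod network {cluster}")
    # Exclude the network and broadcast addresses of the ghost subnet.
    if not 1 <= host_index < subnet.num_addresses - 1:
        raise ValueError(f"host_index {host_index} is outside {subnet}")

    gateway = subnet.network_address + host_index
    return [f"--external-host-internal-ip={f5_ip}",
            f"--external-host-vxlan-gw={gateway}/{cluster.prefixlen}"]

if __name__ == "__main__":
    # Values from this page's example.
    print(" ".join(native_integration_flags(
        "10.128.0.0/14", "10.131.0.0/23", "10.3.89.213")))
```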