Merge pull request #6 from f5devcentral/haproxyfixes-and-newexample

Using embedded https monitors when using HA-proxy and new example dem…

crds/demo-sc-twotier-haproxy-l7-noshards-ipam/README.md

@@ -0,0 +1,110 @@
+# Overview
+
+Creates a single-cluster L7 two-tier deployment where OpenShift's router (HA-proxy) default instance is used is in the second tier.
+
+L7 routes created in HA-proxy and in BIG-IP:
+
+```
+www.sc-twotier.com/
+www.sc-twotier.com/shop
+www.sc-twotier.com/checkout
+account.sc-twotier.com/
+```
+
+In the second tier (HA-proxy), these L7 routes are exposed with the Route resource type.
+
+In the first tier (BIG-IP), these same L7 routes are exposed with the VirtualServer resource type. That is, there is a 1:1 mapping between the L7 routes in the first and second tier. There is one Service definition for each L7 route in the second tier, where the service definition is the same selecting always to the same HA-proxy instances, but with diferent names for each Service. These duplicated Service definitions allow to have a separate pool for each L7 route and per service monitoring.
+
+The L7 routes are exposed in both BIG-IP and HA-proxy as HTTPS only
+
+# Prerequisites
+
+It is needed to pre-create a server-side SSL profile with SNI for the following domains: www.sc-twotier.com and account.sc-twotier.com
+
+It is needed to pre-create an HTTPs monitors using these server-side SSL profiles for the L7 above. 
+
+These configurations are shown next
+
+```
+ltm profile server-ssl www.sc-twotier.com {
+    app-service none
+    defaults-from serverssl
+    server-name www.sc-twotier.com
+    sni-default true
+}
+ltm profile server-ssl account.sc-twotier.com {
+    app-service none
+    defaults-from serverssl
+    server-name account.sc-twotier.com
+}
+ltm monitor https www.sc-twotier.com {
+    defaults-from https
+    recv "^HTTP/1.1 200"
+    send "GET / HTTP/1.1\r\nHost: www.sc-twotier.com\r\nConnection: close\r\n\r\n"
+    ssl-profile /Common/www.sc-twotier.com
+}
+ltm monitor https www.sc-twotier.com-shop {
+    recv "^HTTP/1.1 200"
+    send "GET /shop HTTP/1.1\r\nHost: www.sc-twotier.com\r\nConnection: close\r\n\r\n"
+    ssl-profile /Common/www.sc-twotier.com
+}
+ltm monitor https www.sc-twotier.com-checkout {
+    recv "^HTTP/1.1 200"
+    send "GET /checkout HTTP/1.1\r\nHost: www.sc-twotier.com\r\nConnection: close\r\n\r\n"
+    ssl-profile /Common/www.sc-twotier.com
+}
+ltm monitor https account.sc-twotier.com {
+    recv "^HTTP/1.1 200"
+    send "GET / HTTP/1.1\r\nHost: account.sc-twotier.com\r\nConnection: close\r\n\r\n"
+    ssl-profile /Common/account.sc-twotier.com
+}
+```
+
+# Install and Run the demo
+
+Run the script ./create-demo.sh which will:
+
+- Install CIS without IPAM controller in the namespace cis-sc-twotier
+- Create Route resources for HA-proxy in the namespace sc-twotier
+- Create VirtualServer resources in the openshift-ingress namespace to expose HA-proxy in BIG-IP
+
+The L7 routes will be exposed in both the HA-proxy controller and in the BIG-IP, you should see something alike the next respectively
+
+```
+$ oc -n sc-twotier get route
+NAME      HOST/PORT                PATH        SERVICES   PORT   TERMINATION   WILDCARD
+route-a   www.sc-twotier.com       /           route-a    8080   edge          None
+route-b   www.sc-twotier.com       /shop       route-b    8080   edge          None
+route-c   www.sc-twotier.com       /checkout   route-c    8080   edge          None
+route-d   account.sc-twotier.com   /           route-d    8080   edge          None
+
+$ oc -n openshift-ingress get vs,svc
+NAME                               HOST                     TLSPROFILENAME   HTTPTRAFFIC   IPADDRESS     IPAMLABEL   IPAMVSADDRESS   STATUS   AGE
+virtualserver.cis.f5.com/route-a   www.sc-twotier.com       reencrypt-tls                  10.1.10.104               10.1.10.104     Ok       14m
+virtualserver.cis.f5.com/route-b   www.sc-twotier.com       reencrypt-tls                  10.1.10.104               10.1.10.104     Ok       14m
+virtualserver.cis.f5.com/route-c   www.sc-twotier.com       reencrypt-tls                  10.1.10.104               10.1.10.104     Ok       14m
+virtualserver.cis.f5.com/route-d   account.sc-twotier.com   reencrypt-tls                  10.1.10.104               10.1.10.104     Ok       14m
+
+NAME                              TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                   AGE
+service/router-default-route-a    ClusterIP   172.30.241.140   <none>        80/TCP,443/TCP            14m
+service/router-default-route-b    ClusterIP   172.30.36.203    <none>        80/TCP,443/TCP            14m
+service/router-default-route-c    ClusterIP   172.30.159.196   <none>        80/TCP,443/TCP            14m
+service/router-default-route-d    ClusterIP   172.30.115.20    <none>        80/TCP,443/TCP            14m
+service/router-internal-default   ClusterIP   172.30.158.83    <none>        80/TCP,443/TCP,1936/TCP   113d
+
+```
+
+Edit the DNS to match the IP address in the BIG-IP (reported by the virtualserver resource). Next is an example when using dnsmasq:
+
+```
+$ sudo bash -c 'echo "address=/sc-twotier.com/10.1.10.104" > /etc/dnsmasq.d/sc-twotier.com.conf'
+$ sudo systemctl restart dnsmasq
+```
+
+And run the ./test-demo.sh to verify the deployment works as expected
+
+# Delete the demo
+
+Run the script ./delete-demo.sh
+
+

crds/demo-sc-twotier-haproxy-l7-noshards-ipam/cis-config/bigip-ctlr-clusterrole.yaml

@@ -0,0 +1,46 @@
+# for reference only
+# Should be changed as per your cluster requirements
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: bigip-ctlr-clusterrole
+rules:
+  - apiGroups: ["", "extensions", "networking.k8s.io", "route.openshift.io"]
+    resources: ["nodes", "services", "endpoints", "namespaces", "ingresses", "pods", "ingressclasses", "policies", "routes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["", "extensions", "networking.k8s.io", "route.openshift.io"]
+    resources: ["configmaps", "events", "ingresses/status", "services/status", "routes/status"]
+    verbs: ["get", "list", "watch", "update", "create", "patch"]
+  - apiGroups: ["cis.f5.com"]
+    resources: ["virtualservers","virtualservers/status", "tlsprofiles", "transportservers", "transportservers/status", "ingresslinks", "ingresslinks/status", "externaldnses", "policies"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["fic.f5.com"]
+    resources: ["ipams", "ipams/status"]
+    verbs: ["get", "list", "watch", "update", "create", "patch", "delete"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch", "update", "create", "patch"]
+  - apiGroups: ["", "extensions"]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: bigip-ctlr-clusterrole-binding
+  namespace: cis-sc-twotier
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: bigip-ctlr-clusterrole
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: bigip-ctlr
+    namespace: cis-sc-twotier
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: bigip-ctlr
+  namespace: cis-sc-twotier

crds/demo-sc-twotier-haproxy-l7-noshards-ipam/cis-config/deploy-cis.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+POOLMEMBER_TYPE=clusterip
+
+oc create ns cis-sc-twotier
+
+kubectl apply -f bigip-ctlr-clusterrole.yaml
+oc adm policy add-cluster-role-to-user cluster-admin -z bigip-ctlr -n cis-sc-twotier
+
+kubectl create -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/config_examples/customResourceDefinitions/incubator/customresourcedefinitions.yml
+
+oc create secret generic bigip-login --namespace cis-sc-twotier --from-literal=username=admin --from-literal=password=OpenShiftMC
+
+for BIGIP in 1; do
+
+	oc apply -f f5-bigip${BIGIP}-ctlr-deployment.${POOLMEMBER_TYPE}.yaml 
+done
+

crds/demo-sc-twotier-haproxy-l7-noshards-ipam/cis-config/deploy-ipam.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+
+oc apply -f ipam-pv.yaml
+oc apply -f ipam-pvc.yaml
+
+helm install -n cis-sc-twotier -f values.yaml f5-ipam-controller f5-ipam-controller-0.0.4.tgz 
+

crds/demo-sc-twotier-haproxy-l7-noshards-ipam/cis-config/f5-bigip1-ctlr-deployment.clusterip.yaml

@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: k8s-bigip1-ctlr-deployment
+  namespace: cis-sc-twotier
+spec:
+  # DO NOT INCREASE REPLICA COUNT
+  replicas: 1
+  selector:
+    matchLabels:
+      app: k8s-bigip1-ctlr-deployment
+  template:
+    metadata:
+      labels:
+        app: k8s-bigip1-ctlr-deployment
+    spec:
+      # Name of the Service Account bound to a Cluster Role with the required
+      # permissions
+      containers:
+        - name: k8s-bigip-ctlr
+          # securityContext:
+          #   allowPrivilegeEscalation: false
+          #   capabilities:
+          #     drop: ["ALL"]
+          #   runAsNonRoot: true
+          #   seccompProfile:
+          #     type: RuntimeDefault
+          image: registry.connect.redhat.com/f5networks/cntr-ingress-svcs:latest
+          env:
+            - name: BIGIP_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  # Replace with the name of the Secret containing your login
+                  # credentials
+                  name: bigip-login
+                  key: username
+            - name: BIGIP_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  # Replace with the name of the Secret containing your login
+                  # credentials
+                  name: bigip-login
+                  key: password
+          command: ["/app/bin/k8s-bigip-ctlr"]
+          args: [
+              "--bigip-username=$(BIGIP_USERNAME)",
+              "--bigip-password=$(BIGIP_PASSWORD)",
+              "--bigip-url=10.1.1.5",
+              "--ipam=true",
+              "--namespace=openshift-ingress",
+              "--bigip-partition=sc-twotier",
+              "--pool-member-type=cluster",
+              "--share-nodes=true",
+              "--log-level=INFO",
+              "--insecure=true",
+              "--custom-resource-mode=true",
+              "--orchestration-cni=ovn-k8s",
+              "--as3-validation=true",
+              "--log-as3-response=true"
+          ]
+      serviceAccountName: bigip-ctlr

crds/demo-sc-twotier-haproxy-l7-noshards-ipam/cis-config/f5-bigip2-ctlr-deployment.clusterip.yaml

@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: k8s-bigip2-ctlr-deployment
+  namespace: cis-sc-twotier
+spec:
+  # DO NOT INCREASE REPLICA COUNT
+  replicas: 1
+  selector:
+    matchLabels:
+      app: k8s-bigip2-ctlr-deployment
+  template:
+    metadata:
+      labels:
+        app: k8s-bigip2-ctlr-deployment
+    spec:
+      # Name of the Service Account bound to a Cluster Role with the required
+      # permissions
+      containers:
+        - name: k8s-bigip-ctlr
+          # securityContext:
+          #   allowPrivilegeEscalation: false
+          #   capabilities:
+          #     drop: ["ALL"]
+          #   runAsNonRoot: true
+          #   seccompProfile:
+          #     type: RuntimeDefault
+          image: registry.connect.redhat.com/f5networks/cntr-ingress-svcs:latest
+          env:
+            - name: BIGIP_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  # Replace with the name of the Secret containing your login
+                  # credentials
+                  name: bigip-login
+                  key: username
+            - name: BIGIP_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  # Replace with the name of the Secret containing your login
+                  # credentials
+                  name: bigip-login
+                  key: password
+          command: ["/app/bin/k8s-bigip-ctlr"]
+          args: [
+              "--bigip-username=$(BIGIP_USERNAME)",
+              "--bigip-password=$(BIGIP_PASSWORD)",
+              "--bigip-url=10.1.1.8",
+              "--ipam=true",
+              "--namespace=openshift-ingress",
+              "--bigip-partition=sc-twotier",
+              "--pool-member-type=cluster",
+              "--share-nodes=true",
+              "--log-level=INFO",
+              "--insecure=true",
+              "--custom-resource-mode=true",
+              "--orchestration-cni=ovn-k8s",
+              "--as3-validation=true",
+              "--log-as3-response=true"
+          ]
+      serviceAccountName: bigip-ctlr

crds/demo-sc-twotier-haproxy-l7-noshards-ipam/cis-config/ipam-pv.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: ipam-nfs
+spec:
+  storageClassName: openebs-hostpath
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy:
+  nfs:
+    path: /nfs/ipam
+    server: 10.1.10.4
+    readOnly: false
+

crds/demo-sc-twotier-haproxy-l7-noshards-ipam/cis-config/ipam-pvc.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: ipam-pvc
+  namespace: cis-sc-twotier
+spec:
+  accessModes:
+    - ReadWriteMany
+  volumeName: ipam-nfs
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 10Mi

crds/demo-sc-twotier-haproxy-l7-noshards-ipam/cis-config/undeploy-cis.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+oc delete -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/config_examples/customResourceDefinitions/incubator/customresourcedefinitions.yml
+oc delete ns cis-sc-twotier
+
+

crds/demo-sc-twotier-haproxy-l7-noshards-ipam/cis-config/undeploy-ipam.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+helm -n cis-sc-twotier uninstall f5-ipam-controller
+
+oc delete -f ipam-pvc.yaml
+oc delete -f ipam-pv.yaml
+
+