The F5 router plug-in is provided as a container image and run as a pod, just like the default HAProxy router. Deploying the F5 router is done similarly as well, using the oadm router command but providing additional flags (or environment variables) to specify the following parameters for the F5 BIG-IP® host:
| Flag | Description |
|---|---|
| | Specifies that an F5 router should be launched (the default |
| | Specifies the F5 BIG-IP® host's management interface's host name or IP address. |
| | Specifies the F5 BIG-IP® user name (typically admin). |
| | Specifies the F5 BIG-IP® password. |
| | Specifies the name of the F5 virtual server for HTTP connections. |
| | Specifies the name of the F5 virtual server for HTTPS connections. |
| | Specifies the path to the SSH private key file for the F5 BIG-IP® host. Required to upload and delete key and certificate files for routes. |
| | A Boolean flag that indicates that the F5 router should skip strict certificate verification with the F5 BIG-IP® host. |
| | Specifies the F5 BIG-IP® partition path (the default is /Common). |
As with the HAProxy router, the oadm router command creates the service and deployment configuration objects, and thus the replication controllers and pod(s) in which the F5 router itself runs. The replication controller restarts the F5 router in case of crashes. Because the F5 router is only watching routes and endpoints and configuring F5 BIG-IP® accordingly, running the F5 router in this way along with an appropriately configured F5 BIG-IP® deployment should satisfy high-availability requirements.
The F5 router must be run in privileged mode because route certificates get copied using scp:
$ oadm policy remove-scc-from-user hostnetwork -z router
$ oadm policy add-scc-to-user privileged -z router
To deploy the F5 router:
- First, establish a tunnel using a ramp node, which allows for the routing of traffic to pods through the {product-title} SDN.
- Run the oadm router command with the appropriate flags. For example:
--credentials is the path to the CLI configuration file for the openshift-router. Using an openshift-router specific profile with appropriate permissions is recommended.
Partition paths allow you to store your {product-title} routing configuration in a custom F5 BIG-IP® administrative partition, instead of the default /Common partition. You can use custom administrative partitions to secure F5 BIG-IP® environments. This means that an {product-title}-specific configuration stored in F5 BIG-IP® system objects resides within a logical container, allowing administrators to define access control policies on that specific administrative partition.
See the F5 BIG-IP® documentation for more information about administrative partitions.
Use the --external-host-partition-path flag when deploying the F5 router to specify a partition path:
$ oadm router --external-host-partition-path=/OpenShift/zone1 ...
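
A pre-flight check for the values described above, added here as an example and not part of the original documentation: it verifies that the SSH private key file is not accessible to group or other, that the partition path is well formed, and it refuses a deployment that would skip strict certificate verification. The function names, argument order and the refuse-on-insecure policy are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight checks on values handed to `oadm router` for an
# F5 router deployment. Function names and argument order are hypothetical.

# check_key_file PATH: the SSH private key must be a regular file with no
# permissions for group or other (for example mode 0600 or 0400).
check_key_file() {
    [ -f "$1" ] || { echo "key file not found: $1" >&2; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)    # group and other permission bits
    [ "$perms" = "------" ] || {
        echo "key file is accessible to group/other: $1" >&2; return 1; }
}

# check_partition PATH: must be absolute, built from plain name components,
# with no empty or ".." components. /Common passes but is pointed out,
# since it is the shared default partition.
check_partition() {
    case "$1" in
        /*) ;;
        *) echo "partition path must start with /: $1" >&2; return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9_./-]*|*//*|*/|*..*)
            echo "malformed partition path: $1" >&2; return 1 ;;
    esac
    [ "$1" != "/Common" ] || echo "note: $1 is the default partition" >&2
}

# f5_preflight KEY PARTITION INSECURE: returns 0 only if every check passes.
# INSECURE is "true" when strict certificate verification with the BIG-IP
# host would be skipped; this example's policy is to refuse that.
f5_preflight() {
    rc=0
    check_key_file "$1" || rc=1
    check_partition "$2" || rc=1
    if [ "$3" = "true" ]; then
        echo "refusing: BIG-IP certificate verification would be skipped" >&2
        rc=1
    fi
    return "$rc"
}

# Usage (key path is a placeholder):
#   f5_preflight /path/to/f5-key /OpenShift/zone1 false &&
#     oadm router --external-host-partition-path=/OpenShift/zone1 ...
```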