From f7688ba25a9f992de1fa809001b275dcc5159120 Mon Sep 17 00:00:00 2001 From: Ben Dronen Date: Wed, 25 Sep 2024 22:46:13 -0400 Subject: [PATCH 1/3] feat(f5): incept CIS and IPAM 
Signed-off-by: Ben Dronen --- .../applications/f5-ipam-controller.yaml | 18 + .../applications/k8s-bigip-ctlr.yaml | 18 + .../manifests/applications/kustomization.yaml | 2 + .../f5-ipam-controller/create_manifests.sh | 44 + .../workloads/f5-ipam-controller/ipam.yaml | 9 + .../manifests/base/clusterrole.yaml | 39 + .../manifests/base/clusterrolebinding.yaml | 23 + .../manifests/base/deployment.yaml | 58 + .../manifests/base/kustomization.yaml | 11 + .../manifests/base/namespace.yaml | 7 + .../manifests/base/persistentvolumeclaim.yaml | 22 + .../manifests/base/serviceaccount.yaml | 15 + .../manifests/overlays/fh/kustomization.yaml | 5 + .../workloads/f5-ipam-controller/values.yaml | 81 + .../k8s-bigip-ctlr/create_manifests.sh | 44 + .../manifests/base/clusterrole.yaml | 109 ++ .../manifests/base/clusterrolebinding.yaml | 23 + .../base/customresourcedefinition.yaml | 1426 +++++++++++++++++ .../manifests/base/deployment.yaml | 82 + .../manifests/base/kustomization.yaml | 12 + .../manifests/base/namespace.yaml | 7 + .../manifests/base/serviceaccount.yaml | 15 + .../manifests/overlays/fh/kustomization.yaml | 5 + .../workloads/k8s-bigip-ctlr/values.yaml | 77 + 24 files changed, 2152 insertions(+) create mode 100644 kubernetes/workloads/argocd-olm/manifests/applications/f5-ipam-controller.yaml create mode 100644 kubernetes/workloads/argocd-olm/manifests/applications/k8s-bigip-ctlr.yaml create mode 100755 kubernetes/workloads/f5-ipam-controller/create_manifests.sh create mode 100644 kubernetes/workloads/f5-ipam-controller/ipam.yaml create mode 100644 kubernetes/workloads/f5-ipam-controller/manifests/base/clusterrole.yaml create mode 100644 kubernetes/workloads/f5-ipam-controller/manifests/base/clusterrolebinding.yaml create mode 100644 kubernetes/workloads/f5-ipam-controller/manifests/base/deployment.yaml create mode 100644 kubernetes/workloads/f5-ipam-controller/manifests/base/kustomization.yaml create mode 100644 
kubernetes/workloads/f5-ipam-controller/manifests/base/namespace.yaml
create mode 100644 kubernetes/workloads/f5-ipam-controller/manifests/base/persistentvolumeclaim.yaml
create mode 100644 kubernetes/workloads/f5-ipam-controller/manifests/base/serviceaccount.yaml
create mode 100644 kubernetes/workloads/f5-ipam-controller/manifests/overlays/fh/kustomization.yaml
create mode 100644 kubernetes/workloads/f5-ipam-controller/values.yaml
create mode 100755 kubernetes/workloads/k8s-bigip-ctlr/create_manifests.sh
create mode 100644 kubernetes/workloads/k8s-bigip-ctlr/manifests/base/clusterrole.yaml
create mode 100644 kubernetes/workloads/k8s-bigip-ctlr/manifests/base/clusterrolebinding.yaml
create mode 100644 kubernetes/workloads/k8s-bigip-ctlr/manifests/base/customresourcedefinition.yaml
create mode 100644 kubernetes/workloads/k8s-bigip-ctlr/manifests/base/deployment.yaml
create mode 100644 kubernetes/workloads/k8s-bigip-ctlr/manifests/base/kustomization.yaml
create mode 100644 kubernetes/workloads/k8s-bigip-ctlr/manifests/base/namespace.yaml
create mode 100644 kubernetes/workloads/k8s-bigip-ctlr/manifests/base/serviceaccount.yaml
create mode 100644 kubernetes/workloads/k8s-bigip-ctlr/manifests/overlays/fh/kustomization.yaml
create mode 100644 kubernetes/workloads/k8s-bigip-ctlr/values.yaml
diff --git a/kubernetes/workloads/argocd-olm/manifests/applications/f5-ipam-controller.yaml b/kubernetes/workloads/argocd-olm/manifests/applications/f5-ipam-controller.yaml
new file mode 100644
index 0000000..205a22f
--- /dev/null
+++ b/kubernetes/workloads/argocd-olm/manifests/applications/f5-ipam-controller.yaml
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: f5-ipam-controller
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: "https://github.com/dronenb/HomeLab.git"
+ targetRevision: HEAD
+ path: kubernetes/workloads/f5-ipam-controller/manifests/overlays/fh
+ destination:
+ server: "https://kubernetes.default.svc"
+ namespace: f5-ipam-controller
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: false
diff --git a/kubernetes/workloads/argocd-olm/manifests/applications/k8s-bigip-ctlr.yaml b/kubernetes/workloads/argocd-olm/manifests/applications/k8s-bigip-ctlr.yaml
new file mode 100644
index 0000000..9917d54
--- /dev/null
+++ b/kubernetes/workloads/argocd-olm/manifests/applications/k8s-bigip-ctlr.yaml
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: k8s-bigip-ctlr
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: "https://github.com/dronenb/HomeLab.git"
+ targetRevision: HEAD
+ path: kubernetes/workloads/k8s-bigip-ctlr/manifests/overlays/fh
+ destination:
+ server: "https://kubernetes.default.svc"
+ namespace: k8s-bigip-ctlr
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: false
diff --git a/kubernetes/workloads/argocd-olm/manifests/applications/kustomization.yaml b/kubernetes/workloads/argocd-olm/manifests/applications/kustomization.yaml
index c98645d..89cb440 100644
--- a/kubernetes/workloads/argocd-olm/manifests/applications/kustomization.yaml
+++ b/kubernetes/workloads/argocd-olm/manifests/applications/kustomization.yaml
@@ -4,7 +4,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 resources:
 - argocd.yaml
 - cilium.yaml
+ - f5-ipam-controller.yaml
 - gateway-api.yaml
+ - k8s-bigip-ctlr.yaml
 - kube-vip.yaml
 - nfs-subdir-external-provisioner.yaml
 - olm.yaml
diff --git a/kubernetes/workloads/f5-ipam-controller/create_manifests.sh b/kubernetes/workloads/f5-ipam-controller/create_manifests.sh
new file mode 100755
index 0000000..161085d
--- /dev/null
+++ b/kubernetes/workloads/f5-ipam-controller/create_manifests.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+shopt -s failglob
+
+NAMESPACE=f5-ipam-controller
+
+mkdir -p manifests/base
+pushd manifests/base > /dev/null || exit 1
+
+helm repo add f5-ipam-stable https://f5networks.github.io/f5-ipam-controller/helm-charts/stable
+helm repo update
+helm template --include-crds f5-ipam-stable f5-ipam-stable/f5-ipam-controller -f ../../values.yaml | \
+ yq --no-colors --prettyPrint '... comments=""' | \
+ kubectl-slice -o . --template "{{ .kind | lower }}.yaml"
+
+echo "---" >> namespace.yaml
+kubectl create namespace "${NAMESPACE}" -o yaml --dry-run=client | \
+ kubectl neat \
+ >> namespace.yaml
+
+# Iterate over each yaml file
+files=()
+for file in *.yaml; do
+ if [[ "${file}" == "kustomization.yaml" ]]; then
+ continue
+ fi
+ files+=("${file}")
+ contents="$(cat "${file}")"
+ printf -- "---\n# yamllint disable rule:line-length\n%s" "${contents}" > "${file}"
+done
+
+cat < kustomization.yaml
+---
+kind: Kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+namespace: ${NAMESPACE}
+resources:
+$(printf " - %s\n" "${files[@]}")
+EOF
+
+prettier --write .
diff --git a/kubernetes/workloads/f5-ipam-controller/ipam.yaml b/kubernetes/workloads/f5-ipam-controller/ipam.yaml
new file mode 100644
index 0000000..123aada
--- /dev/null
+++ b/kubernetes/workloads/f5-ipam-controller/ipam.yaml
@@ -0,0 +1,9 @@
+apiVersion: fic.f5.com/v1
+kind: IPAM
+metadata:
+ name: testing
+ namespace: kube-system
+spec:
+ hostSpecs:
+ - ipamLabel: test
+ key: test
diff --git a/kubernetes/workloads/f5-ipam-controller/manifests/base/clusterrole.yaml b/kubernetes/workloads/f5-ipam-controller/manifests/base/clusterrole.yaml
new file mode 100644
index 0000000..927e5e0
--- /dev/null
+++ b/kubernetes/workloads/f5-ipam-controller/manifests/base/clusterrole.yaml
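Review bot: The `helm template --include-crds f5-ipam-stable f5-ipam-stable/f5-ipam-controller -f ../../values.yaml` line pins no chart `--version`, so every regeneration pulls whatever the remote repository serves at that moment, and the committed manifests (chart label `f5-ipam-controller-0.0.5`) cannot be reproduced from the script. Pin it, e.g. `helm template --include-crds --version 0.0.5 f5-ipam-stable f5-ipam-stable/f5-ipam-controller -f ../../values.yaml | \`, and do the same in `kubernetes/workloads/k8s-bigip-ctlr/create_manifests.sh` (its rendered chart label is `f5-bigip-ctlr-0.0.32`). The `cat < kustomization.yaml … EOF` heredoc looks garbled in this rendering, presumably `cat <<EOF > kustomization.yaml` in the actual file; worth confirming since `set -o errexit` would otherwise abort the run at that point.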
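Review bot: `ipam.yaml` is not referenced by any kustomization in this patch (the base lists only the generated manifests and the ArgoCD Application points at `manifests/overlays/fh`), so this IPAM object is never applied by ArgoCD and its purpose is undocumented. Its `name: testing`, `ipamLabel: test` and `namespace: kube-system` read like scratch values rather than the `f5-ipam-controller` namespace used everywhere else in the patch. If it is a manual smoke test, say so in a leading comment, e.g. `# Manual test object, not part of any kustomization; apply by hand to exercise the f5-ip-provider "test" range`, or leave it out of the commit.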
@@ -0,0 +1,39 @@
+---
+# yamllint disable rule:line-length
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: f5-ipam-stable-f5-ipam-controller
+ labels:
+ app.kubernetes.io/instance: f5-ipam-stable
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: f5-ipam-controller
+ app: f5-ipam-controller
+ chart: f5-ipam-controller-0.0.5
+ release: f5-ipam-stable
+ heritage: Helm
+rules:
+ - verbs:
+ - get
+ - list
+ - watch
+ - update
+ - create
+ - patch
+ - delete
+ apiGroups:
+ - fic.f5.com
+ resources:
+ - ipams
+ - ipams/status
+ - verbs:
+ - get
+ - list
+ - watch
+ - update
+ - create
+ - patch
+ apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
diff --git a/kubernetes/workloads/f5-ipam-controller/manifests/base/clusterrolebinding.yaml b/kubernetes/workloads/f5-ipam-controller/manifests/base/clusterrolebinding.yaml
new file mode 100644
index 0000000..93dadff
--- /dev/null
+++ b/kubernetes/workloads/f5-ipam-controller/manifests/base/clusterrolebinding.yaml
@@ -0,0 +1,23 @@
+---
+# yamllint disable rule:line-length
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: f5-ipam-stable-f5-ipam-controller
+ namespace: f5-ipam-controller
+ labels:
+ app.kubernetes.io/instance: f5-ipam-stable
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: f5-ipam-controller
+ app: f5-ipam-controller
+ chart: f5-ipam-controller-0.0.5
+ release: f5-ipam-stable
+ heritage: Helm
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: f5-ipam-stable-f5-ipam-controller
+subjects:
+ - kind: ServiceAccount
+ name: f5-ipam-stable-f5-ipam-controller
+ namespace: f5-ipam-controller
diff --git a/kubernetes/workloads/f5-ipam-controller/manifests/base/deployment.yaml b/kubernetes/workloads/f5-ipam-controller/manifests/base/deployment.yaml
new file mode 100644
index 0000000..379738e
--- /dev/null
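Review bot: The second rule grants `update`, `create` and `patch` on every `customresourcedefinitions` object in the cluster, so a compromised controller pod could rewrite the schema of any CRD, not only `ipams.fic.f5.com`. This is what the chart renders, and since `manifests/base` is generated the narrowing belongs in `manifests/overlays/fh` as a patch that adds `resourceNames: [ipams.fic.f5.com]` for the `get`/`update`/`patch` verbs; `create` cannot be limited by `resourceNames`, so it stays in its own rule if the controller really creates the CRD at startup (the IPAM CRD is not shipped by this kustomization, which suggests it does). The CRD rule at the end of the k8s-bigip-ctlr ClusterRole has the same breadth.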
+++ b/kubernetes/workloads/f5-ipam-controller/manifests/base/deployment.yaml
@@ -0,0 +1,58 @@
+---
+# yamllint disable rule:line-length
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: f5-ipam-stable-f5-ipam-controller
+ namespace: f5-ipam-controller
+ labels:
+ app.kubernetes.io/instance: f5-ipam-stable
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: f5-ipam-controller
+ app: f5-ipam-controller
+ chart: f5-ipam-controller-0.0.5
+ release: f5-ipam-stable
+ heritage: Helm
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: f5-ipam-controller
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: f5-ipam-stable
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: f5-ipam-controller
+ app: f5-ipam-controller
+ release: f5-ipam-stable
+ spec:
+ serviceAccountName: f5-ipam-stable-f5-ipam-controller
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ containers:
+ - name: f5-ipam-controller
+ image: f5networks/f5-ipam-controller:0.1.11
+ volumeMounts:
+ - name: fic-volume-mount
+ mountPath: /app/ipamdb
+ imagePullPolicy: Always
+ command:
+ - /app/bin/f5-ipam-controller
+ args:
+ - --orchestration=kubernetes
+ - --ipam-provider=f5-ip-provider
+ - --ip-range={"test":"172.16.1.1-172.16.1.5", "prod":"172.16.1.50-172.16.1.55"}
+ resources:
+ limits:
+ cpu: 100m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ volumes:
+ - name: fic-volume-mount
+ persistentVolumeClaim:
+ claimName: f5-ipam-stable-f5-ipam-controller
diff --git a/kubernetes/workloads/f5-ipam-controller/manifests/base/kustomization.yaml b/kubernetes/workloads/f5-ipam-controller/manifests/base/kustomization.yaml
new file mode 100644
index 0000000..8fd3a4b
--- /dev/null
+++ b/kubernetes/workloads/f5-ipam-controller/manifests/base/kustomization.yaml
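Review bot: The `f5-ipam-controller` container has no container-level `securityContext`; the pod runs as uid/gid 1000, but nothing drops capabilities, blocks privilege escalation or selects a seccomp profile, and the image is referenced by mutable tag `f5networks/f5-ipam-controller:0.1.11` with `imagePullPolicy: Always`, so what actually runs can change without a commit. Because `manifests/base` is regenerated by `create_manifests.sh`, apply the hardening below as a strategic-merge patch in `manifests/overlays/fh/kustomization.yaml` rather than editing this file, and consider pinning the image by digest (`image: f5networks/f5-ipam-controller:0.1.11@sha256:<digest>`) once verified. The `--ip-range` argument carries `test`/`prod` labels with 172.16.1.x pools that look like placeholder values; confirm they are the pools intended for this cluster.
```yaml
      containers:
        - name: f5-ipam-controller
          # … unchanged: image, volumeMounts, imagePullPolicy, command, args, resources …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
```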
@@ -0,0 +1,11 @@
+---
+kind: Kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+namespace: f5-ipam-controller
+resources:
+ - clusterrole.yaml
+ - clusterrolebinding.yaml
+ - deployment.yaml
+ - namespace.yaml
+ - persistentvolumeclaim.yaml
+ - serviceaccount.yaml
diff --git a/kubernetes/workloads/f5-ipam-controller/manifests/base/namespace.yaml b/kubernetes/workloads/f5-ipam-controller/manifests/base/namespace.yaml
new file mode 100644
index 0000000..c14eb5b
--- /dev/null
+++ b/kubernetes/workloads/f5-ipam-controller/manifests/base/namespace.yaml
@@ -0,0 +1,7 @@
+---
+# yamllint disable rule:line-length
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: f5-ipam-controller
diff --git a/kubernetes/workloads/f5-ipam-controller/manifests/base/persistentvolumeclaim.yaml b/kubernetes/workloads/f5-ipam-controller/manifests/base/persistentvolumeclaim.yaml
new file mode 100644
index 0000000..dfbe34d
--- /dev/null
+++ b/kubernetes/workloads/f5-ipam-controller/manifests/base/persistentvolumeclaim.yaml
@@ -0,0 +1,22 @@
+---
+# yamllint disable rule:line-length
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: f5-ipam-stable-f5-ipam-controller
+ namespace: f5-ipam-controller
+ labels:
+ app.kubernetes.io/instance: f5-ipam-stable
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: f5-ipam-controller
+ app: f5-ipam-controller
+ chart: f5-ipam-controller-0.0.5
+ release: f5-ipam-stable
+ heritage: Helm
+spec:
+ storageClassName: nfs-client
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 2Gi
diff --git a/kubernetes/workloads/f5-ipam-controller/manifests/base/serviceaccount.yaml b/kubernetes/workloads/f5-ipam-controller/manifests/base/serviceaccount.yaml
new file mode 100644
index 0000000..fa590b2
--- /dev/null
+++ b/kubernetes/workloads/f5-ipam-controller/manifests/base/serviceaccount.yaml
@@ -0,0 +1,15 @@
+---
+# yamllint disable rule:line-length
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: f5-ipam-stable-f5-ipam-controller
+ namespace: f5-ipam-controller
+ labels:
+ app.kubernetes.io/instance: f5-ipam-stable
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: f5-ipam-controller
+ app: f5-ipam-controller
+ chart: f5-ipam-controller-0.0.5
+ release: f5-ipam-stable
+ heritage: Helm
diff --git a/kubernetes/workloads/f5-ipam-controller/manifests/overlays/fh/kustomization.yaml b/kubernetes/workloads/f5-ipam-controller/manifests/overlays/fh/kustomization.yaml
new file mode 100644
index 0000000..25bafda
--- /dev/null
+++ b/kubernetes/workloads/f5-ipam-controller/manifests/overlays/fh/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+kind: Kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+resources:
+ - ../../base
diff --git a/kubernetes/workloads/f5-ipam-controller/values.yaml b/kubernetes/workloads/f5-ipam-controller/values.yaml
new file mode 100644
index 0000000..f383f7b
--- /dev/null
+++ b/kubernetes/workloads/f5-ipam-controller/values.yaml
@@ -0,0 +1,81 @@
+rbac:
+ create: true
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name:
+# This namespace is where the Controller lives
+namespace: f5-ipam-controller
+args:
+ # NOTE: helm has difficulty with values using `-`; `_` are used for naming
+ # and are replaced with `-` during rendering.
+ # REQUIRED Params
+ orchestration: "kubernetes"
+ provider: "f5-ip-provider"
+ # provider: "infoblox"
+
+ # REQUIRED Params if provider is infoblox
+ #if you want to set infoblox access credentials through secret uncomment below line.
+ #infoblox_login_secret: infoblox-credentials
+ # REQUIRED Params if provider is f5-ip-provider
+ ip_range: '{"test":"172.16.1.1-172.16.1.5", "prod":"172.16.1.50-172.16.1.55"}'
+
+ # OPTIONAL PARAMS -- uncomment and provide values for those you wish to use.
+ log-level: DEBUG
+ # version
+
+ # OPTIONAL PARAMS if provider is infoblox
+ # infoblox_wapi_port: "443"
+ # insecure
+
+image:
+ # Use the tag to target a specific version of the Controller
+ user: f5networks
+ repo: f5-ipam-controller
+ pullPolicy: Always
+ version: 0.1.11
+# affinity:
+# nodeAffinity:
+# requiredDuringSchedulingIgnoredDuringExecution:
+# nodeSelectorTerms:
+# - matchExpressions:
+# - key: kubernetes.io/arch
+# operator: Exists
+# securityContext:
+# runAsUser: 1000
+# runAsGroup: 3000
+# fsGroup: 2000
+# If you want to specify resources, uncomment the following
+# limits_cpu: 100m
+# limits_memory: 512Mi
+# requests_cpu: 100m
+# requests_memory: 512Mi
+
+# updateStrategy is used to set the update strategy for f5-ipam-controller deployment.
+# The default update strategy is RollingUpdate, however if you want to set it to Recreate then uncomment the following line.
+# Note: Setting updateStrategy to Recreate may have some downtime during the update.
+#updateStrategy: Recreate
+
+pvc:
+ # set create tag to true to create new persistent volume claim and set storageClassName,accessMode and storage
+ create: true
+
+ #name of the persistent volume claim to be used
+ # If not set and create is true, a name is generated using the fullname template
+
+ #if create set to false below parameters will be ignored
+ storageClassName: nfs-client
+ accessMode: ReadWriteMany
+ storage: 2Gi
+
+volume:
+ mountPath: /app/ipamdb
+ mountName: fic-volume-mount
+# To enable tolerations, uncomment below block and customize key,effect,operator.
+# Below is just an example and different key,value and operators are also supported
+#tolerations:
+# - key: "node-role.kubernetes.io/master"
+# effect: "NoSchedule"
+# operator: "Exists"
diff --git a/kubernetes/workloads/k8s-bigip-ctlr/create_manifests.sh b/kubernetes/workloads/k8s-bigip-ctlr/create_manifests.sh
new file mode 100755
index 0000000..d38edf8
--- /dev/null
+++ b/kubernetes/workloads/k8s-bigip-ctlr/create_manifests.sh
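Review bot: `log-level: DEBUG` under `args` does not show up in the rendered Deployment (`deployment.yaml` passes only `--orchestration`, `--ipam-provider` and `--ip-range`), so the setting is silently ignored; the file's own note says chart values use `_` and are rewritten to `-` on render, so the key is presumably `log_level: DEBUG`. Once it does take effect, DEBUG output from an IPAM controller is noisy for a committed default, so INFO is worth considering. `ip_range` carries the same `test`/`prod` 172.16.1.x pools as the Deployment; if they are placeholders, a comment stating which pools are real would help the next reader.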
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+shopt -s failglob
+
+NAMESPACE=k8s-bigip-ctlr
+
+mkdir -p manifests/base
+pushd manifests/base > /dev/null || exit 1
+
+helm repo add f5-stable https://f5networks.github.io/charts/stable
+helm repo update
+helm template --include-crds f5-bigip-ctlr f5-stable/f5-bigip-ctlr -f ../../values.yaml | \
+ yq --no-colors --prettyPrint '... comments=""' | \
+ kubectl-slice -o . --template "{{ .kind | lower }}.yaml"
+
+echo "---" >> namespace.yaml
+kubectl create namespace "${NAMESPACE}" -o yaml --dry-run=client | \
+ kubectl neat \
+ >> namespace.yaml
+
+# Iterate over each yaml file
+files=()
+for file in *.yaml; do
+ if [[ "${file}" == "kustomization.yaml" ]]; then
+ continue
+ fi
+ files+=("${file}")
+ contents="$(cat "${file}")"
+ printf -- "---\n# yamllint disable rule:line-length\n%s" "${contents}" > "${file}"
+done
+
+cat < kustomization.yaml
+---
+kind: Kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+namespace: ${NAMESPACE}
+resources:
+$(printf " - %s\n" "${files[@]}")
+EOF
+
+prettier --write .
diff --git a/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/clusterrole.yaml b/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/clusterrole.yaml
new file mode 100644
index 0000000..43a27a1
--- /dev/null
+++ b/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/clusterrole.yaml
@@ -0,0 +1,109 @@
+---
+# yamllint disable rule:line-length
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: f5-bigip-ctlr
+ labels:
+ app.kubernetes.io/instance: f5-bigip-ctlr
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: f5-bigip-ctlr
+ app: f5-bigip-ctlr
+ chart: f5-bigip-ctlr-0.0.32
+ release: f5-bigip-ctlr
+ heritage: Helm
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - networking.k8s.io
+ - route.openshift.io
+ resources:
+ - nodes
+ - services
+ - endpoints
+ - namespaces
+ - ingresses
+ - pods
+ - ingressclasses
+ - policies
+ - routes
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ - extensions
+ - networking.k8s.io
+ - route.openshift.io
+ resources:
+ - configmaps
+ - events
+ - ingresses/status
+ - services/status
+ - routes/status
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - create
+ - patch
+ - apiGroups:
+ - cis.f5.com
+ resources:
+ - virtualservers
+ - virtualservers/status
+ - tlsprofiles
+ - transportservers
+ - transportservers/status
+ - ingresslinks
+ - ingresslinks/status
+ - externaldnses
+ - policies
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - apiGroups:
+ - ""
+ - extensions
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - config.openshift.io/v1
+ resources:
+ - network
+ verbs:
+ - list
+ - apiGroups:
+ - fic.f5.com
+ resources:
+ - ipams
+ - ipams/status
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - create
+ - patch
+ - delete
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - create
+ - patch
diff --git a/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/clusterrolebinding.yaml b/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/clusterrolebinding.yaml
new file mode 100644
index 0000000..751b070
--- /dev/null
+++ b/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/clusterrolebinding.yaml
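Review bot: The fourth rule grants `get`, `list` and `watch` on `secrets` in every namespace, so a compromised CIS pod can read all cluster Secrets, including service-account tokens, not only the TLS secrets it consumes. If the controller is run scoped to particular namespaces, consider replacing that rule with a Role/RoleBinding in the watched namespaces through an overlay patch, since this base is generated. Separately, `apiGroups: - config.openshift.io/v1` names a group with its version appended; RBAC `apiGroups` take the bare group (`config.openshift.io`), so as written that rule never matches, which is harmless on a non-OpenShift cluster but is inherited from the chart and worth a comment. The CRD write rule at the bottom is as broad as the one in the f5-ipam-controller ClusterRole.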
@@ -0,0 +1,23 @@
+---
+# yamllint disable rule:line-length
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: f5-bigip-ctlr
+ namespace: kube-system
+ labels:
+ app.kubernetes.io/instance: f5-bigip-ctlr
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: f5-bigip-ctlr
+ app: f5-bigip-ctlr
+ chart: f5-bigip-ctlr-0.0.32
+ release: f5-bigip-ctlr
+ heritage: Helm
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: f5-bigip-ctlr
+subjects:
+ - kind: ServiceAccount
+ name: k8s-bigip-ctlr
+ namespace: kube-system
diff --git a/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/customresourcedefinition.yaml b/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/customresourcedefinition.yaml
new file mode 100644
index 0000000..4aff50a
--- /dev/null
+++ b/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/customresourcedefinition.yaml
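Review bot: The subject is `ServiceAccount k8s-bigip-ctlr` in `namespace: kube-system`, but the ArgoCD Application deploys this kustomization into `k8s-bigip-ctlr` and `create_manifests.sh` writes `namespace: k8s-bigip-ctlr` into the base kustomization, which moves the ServiceAccount there; unless your kustomize version rewrites all ServiceAccount subjects (by default the namespace transformer only rewrites subjects named `default`), this binding keeps pointing at a ServiceAccount that does not exist and the controller runs with no RBAC. Check where the ServiceAccount lands in `kustomize build manifests/overlays/fh` and, if it is `k8s-bigip-ctlr`, make the subject read `namespace: k8s-bigip-ctlr`, presumably via a `namespace` value in `values.yaml` as the f5-ipam-controller chart does, so regeneration keeps it. `metadata.namespace` on a ClusterRoleBinding is ignored because the resource is cluster-scoped; the f5-ipam-controller binding carries the same stray field.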
@@ -0,0 +1,1426 @@ +--- +# yamllint disable rule:line-length +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: virtualservers.cis.f5.com +spec: + group: cis.f5.com + names: + kind: VirtualServer + plural: virtualservers + shortNames: + - vs + singular: virtualserver + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: ^[a-zA-Z]+[-A-z0-9_.]+$ + host: + type: string + pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$ + hostAliases: + type: array + items: + type: string + pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$ + hostGroup: + type: string + pattern: ^[a-zA-Z]+[-A-z0-9_.:]*[A-z0-9]*$ + hostGroupVirtualServerName: + type: string + pattern: ^[a-zA-Z]+([A-z0-9-_+])*([A-z0-9])$ + httpTraffic: + type: string + enum: + - allow + - none + - redirect + ipamLabel: + type: string + pattern: ^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$ + bigipRouteDomain: + type: integer + minimum: 0 + maximum: 65535 + default: 0 + snat: + type: string + pattern: ^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$ + connectionMirroring: + type: string + enum: + - none + - L4 + tlsProfileName: + type: string + pattern: ^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$ + persistenceProfile: + type: string + pattern: ^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$ + hostPersistence: + type: object + properties: + method: + type: string + enum: + - sourceAddress + - destinationAddress + - cookieInsert + - cookieRewrite + - cookiePassive + - cookieHash + - universal + - hash + - carp + - none + metaData: + type: object + properties: + name: + type: string + 
key: + type: string + netmask: + type: string + pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$ + timeout: + type: integer + minimum: 1 + maximum: 65535 + offset: + type: integer + minimum: 1 + maximum: 65535 + length: + type: integer + minimum: 1 + maximum: 65535 + expiry: + type: string + pattern: ^((?:(?:[0-9]+d))|(?:(?:[0-9]+d)?((?:[01]?[0-9]|2[0-3]):[0-5][0-9](?::[0-5][0-9])?)))$ + required: + - method + htmlProfile: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: ^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + server: + type: string + pattern: ^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + http2: + type: object + properties: + client: + type: string + pattern: ^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + server: + type: string + pattern: ^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + dos: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + profileAccess: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + policyPerRequestAccess: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + botDefense: + type: string + pattern: 
^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + policyName: + type: string + pattern: ^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$ + rewriteAppRoot: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([-A-z0-9_.:]+\/?)*$ + waf: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + profileMultiplex: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + profileAdapt: + type: object + properties: + request: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + response: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + allowVlans: + items: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.]+\/?)*$ + type: array + allowSourceRange: + items: + type: string + type: array + httpMrfRoutingEnabled: + type: boolean + iRules: + type: array + items: + type: string + pattern: ^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + serviceAddress: + type: array + maxItems: 1 + items: + type: object + properties: + arpEnabled: + type: boolean + icmpEcho: + type: string + enum: + - enable + - disable + - selective + routeAdvertisement: + type: string + enum: + - enable + - disable + - selective + - always + - any + - all + spanningEnabled: + type: boolean + trafficGroup: + type: string + pattern: ^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + defaultPool: + type: object + properties: + name: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + service: + type: string + pattern: "[a-z]([-a-z0-9]*[a-z0-9])?" 
+ servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + serviceNamespace: + type: string + pattern: ^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$ + loadBalancingMethod: + type: string + pattern: ^[a-z]+[a-z_-]+[a-z]+$ + nodeMemberLabel: + type: string + pattern: ^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$ + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: + - tcp + - udp + - http + - https + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + reference: + type: string + enum: + - bigip + send: + type: string + recv: + type: string + sslProfile: + type: string + pattern: ^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$ + reference: + type: string + enum: + - bigip + - service + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + required: + - reference + pools: + type: array + items: + type: object + properties: + name: + type: string + pattern: ^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$ + path: + type: string + pattern: ^\/([A-z0-9-_+]+\/)*([-A-z0-9_.:]+\/?)*$ + service: + type: string + pattern: "[a-z]([-a-z0-9]*[a-z0-9])?" + weight: + type: integer + minimum: 0 + maximum: 256 + alternateBackends: + type: array + items: + type: object + properties: + service: + type: string + pattern: "[a-z]([-a-z0-9]*[a-z0-9])?" 
+ serviceNamespace: + type: string + pattern: ^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$ + weight: + type: integer + minimum: 0 + maximum: 256 + required: + - service + loadBalancingMethod: + type: string + pattern: ^[a-z]+[a-z_-]+[a-z]+$ + nodeMemberLabel: + type: string + pattern: ^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$ + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + rewrite: + type: string + pattern: ^\/([A-z0-9-_+]+\/)*([-A-z0-9_.:]+\/?)*$ + hostRewrite: + type: string + pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$ + waf: + type: string + pattern: ^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$ + serviceNamespace: + type: string + pattern: ^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$ + monitor: + type: object + properties: + type: + type: string + enum: + - http + - https + - tcp + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + reference: + type: string + enum: + - bigip + sslProfile: + type: string + pattern: ^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$ + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: + - http + - https + - tcp + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + reference: + type: string + enum: + - bigip + sslProfile: + type: string + pattern: ^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$ + minimumMonitors: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + extendedServiceReferences: + type: array + items: + 
type: object + properties: + clusterName: + type: string + service: + type: string + pattern: "[a-z]([-a-z0-9]*[a-z0-9])?" + namespace: + type: string + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + weight: + type: integer + minimum: 0 + maximum: 256 + required: + - service + - servicePort + virtualServerAddress: + type: string + pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$ + additionalVirtualServerAddresses: + type: array + items: + type: string + pattern: 
^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$ + virtualServerName: + type: string + pattern: ^[a-zA-Z]+([A-z0-9-_+])*([A-z0-9])$ + virtualServerHTTPPort: + type: integer + minimum: 1 + maximum: 65535 + virtualServerHTTPSPort: + type: integer + minimum: 1 + maximum: 65535 + x-kubernetes-validations: + - rule: "!has(self.partition) || self.partition != 'Common'" + message: The partition cannot be 'Common' if specified. 
+ status: + type: object + properties: + vsAddress: + type: string + default: None + status: + type: string + default: Pending + additionalPrinterColumns: + - name: host + type: string + description: hostname + jsonPath: .spec.host + - name: tlsProfileName + type: string + description: TLS Profile attached + jsonPath: .spec.tlsProfileName + - name: httpTraffic + type: string + description: Http Traffic Termination + jsonPath: .spec.httpTraffic + - name: IPAddress + type: string + description: IP address of virtualServer + jsonPath: .spec.virtualServerAddress + - name: ipamLabel + type: string + description: ipamLabel for virtual server + jsonPath: .spec.ipamLabel + - name: IPAMVSAddress + type: string + description: IP address of virtualServer + jsonPath: .status.vsAddress + - name: STATUS + type: string + description: status of VirtualServer + jsonPath: .status.status + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: tlsprofiles.cis.f5.com +spec: + group: cis.f5.com + names: + kind: TLSProfile + plural: tlsprofiles + shortNames: + - tls + singular: tlsprofile + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + tlsCipher: + type: object + properties: + tlsVersion: + type: string + enum: + - "1.0" + - "1.1" + - "1.2" + - "1.3" + disableTLSVersions: + type: array + items: + type: string + enum: + - "1.0" + - "1.1" + - "1.2" + - "1.3" + ciphers: + type: string + cipherGroup: + type: string + hosts: + type: array + items: + type: string + pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$ + tls: + type: object + 
properties: + termination: + type: string + enum: + - edge + - reencrypt + - passthrough + clientSSL: + type: string + pattern: ^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$ + clientSSLs: + type: array + items: + type: string + pattern: ^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$ + serverSSL: + type: string + pattern: ^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$ + serverSSLs: + type: array + items: + type: string + pattern: ^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$ + reference: + type: string + enum: + - bigip + - secret + - hybrid + clientSSLParams: + type: object + properties: + renegotiationEnabled: + type: boolean + default: true + profileReference: + type: string + enum: + - bigip + - secret + serverSSLParams: + type: object + properties: + renegotiationEnabled: + type: boolean + default: true + profileReference: + type: string + enum: + - bigip + - secret + required: + - termination +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: transportservers.cis.f5.com +spec: + group: cis.f5.com + names: + kind: TransportServer + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: ^[a-zA-Z]+[-A-z0-9_.]+$ + virtualServerAddress: + type: string + pattern: 
^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$ + virtualServerPort: + type: integer + minimum: 1 + maximum: 65535 + virtualServerName: + type: string + pattern: ^[a-zA-Z]+([A-z0-9-_+])*([A-z0-9])$ + host: + type: string + pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$ + hostGroup: + type: string + pattern: ^[a-zA-Z]+[-A-z0-9_.:]*[A-z0-9]*$ + policyName: + type: string + pattern: ^([A-z0-9-_+])*([A-z0-9])$ + mode: + type: string + enum: + - standard + - performance + type: + type: string + enum: + - tcp + - udp + - sctp + snat: + type: string + pattern: ^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$ + connectionMirroring: + type: string + enum: + - none + - L4 + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + server: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + persistenceProfile: + type: string + pattern: ^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$ + dos: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + profileL4: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + allowVlans: 
+ items: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.]+\/?)*$ + type: array + iRules: + type: array + items: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + ipamLabel: + type: string + pattern: ^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$ + bigipRouteDomain: + type: integer + minimum: 0 + maximum: 65535 + default: 0 + serviceAddress: + type: array + maxItems: 1 + items: + type: object + properties: + arpEnabled: + type: boolean + icmpEcho: + type: string + enum: + - enable + - disable + - selective + routeAdvertisement: + type: string + enum: + - enable + - disable + - selective + - always + - any + - all + spanningEnabled: + type: boolean + trafficGroup: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + pool: + type: object + properties: + name: + type: string + pattern: ^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$ + service: + type: string + pattern: "[a-z]([-a-z0-9]*[a-z0-9])?" + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + weight: + type: integer + minimum: 0 + maximum: 100 + alternateBackends: + type: array + items: + type: object + properties: + service: + type: string + pattern: "[a-z]([-a-z0-9]*[a-z0-9])?" 
+ serviceNamespace: + type: string + pattern: ^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$ + weight: + type: integer + minimum: 0 + maximum: 100 + required: + - service + serviceNamespace: + type: string + pattern: ^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$ + loadBalancingMethod: + type: string + pattern: ^[a-z]+[a-z_-]+[a-z]+$ + nodeMemberLabel: + type: string + pattern: ^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$ + monitor: + type: object + properties: + type: + type: string + enum: + - tcp + - udp + - http + - https + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + reference: + type: string + enum: + - bigip + send: + type: string + recv: + type: string + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: + - tcp + - udp + - http + - https + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + reference: + type: string + enum: + - bigip + send: + type: string + recv: + type: string + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + extendedServiceReferences: + type: array + items: + type: object + properties: + clusterName: + type: string + service: + type: string + pattern: "[a-z]([-a-z0-9]*[a-z0-9])?" + namespace: + type: string + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + weight: + type: integer + minimum: 0 + maximum: 100 + required: + - service + - servicePort + required: + - virtualServerPort + - pool + - mode + x-kubernetes-validations: + - rule: "!has(self.partition) || self.partition != 'Common'" + message: The partition cannot be 'Common' if specified. 
+ status: + type: object + properties: + vsAddress: + type: string + default: None + status: + type: string + default: Pending + additionalPrinterColumns: + - name: virtualServerAddress + type: string + description: IP address of virtualServer + jsonPath: .spec.virtualServerAddress + - name: virtualServerPort + type: integer + description: Port of virtualServer + jsonPath: .spec.virtualServerPort + - name: pool + type: string + description: Name of service + jsonPath: .spec.pool.service + - name: poolPort + type: string + description: Port of service + jsonPath: .spec.pool.servicePort + - name: ipamLabel + type: string + description: ipamLabel for transport server + jsonPath: .spec.ipamLabel + - name: IPAMVSAddress + type: string + description: IP address of transport server + jsonPath: .status.vsAddress + - name: STATUS + type: string + description: status of TransportServer + jsonPath: .status.status + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: externaldnses.cis.f5.com +spec: + group: cis.f5.com + names: + kind: ExternalDNS + plural: externaldnses + shortNames: + - edns + singular: externaldns + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + domainName: + type: string + pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$ + dnsRecordType: + type: string + pattern: A + loadBalanceMethod: + type: string + pattern: ^[a-z]+[a-z_-]+[a-z]+$ + clientSubnetPreferred: + type: boolean + persistenceEnabled: + type: boolean + persistCidrIpv4: + type: integer + minimum: 0 + maximum: 32 + persistCidrIpv6: + type: integer 
+ minimum: 0 + maximum: 128 + ttlPersistence: + type: integer + format: int64 + minimum: 0 + maximum: 4294967295 + pools: + type: array + items: + type: object + properties: + dataServerName: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + dnsRecordType: + type: string + pattern: A + loadBalanceMethod: + type: string + pattern: ^[a-z]+[a-z_-]+[a-z]+$ + lbModeFallback: + type: string + pattern: ^[a-z]+[a-z_-]+[a-z]+$ + order: + type: integer + ratio: + type: integer + monitor: + type: object + properties: + type: + type: string + enum: + - http + - https + - tcp + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + required: + - type + - interval + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: + - http + - https + - tcp + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + required: + - type + - interval + required: + - dataServerName + required: + - domainName + additionalPrinterColumns: + - name: domainName + type: string + description: Domain name of virtual server resource + jsonPath: .spec.domainName + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + - name: CREATED ON + type: string + jsonPath: .metadata.creationTimestamp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: ingresslinks.cis.f5.com +spec: + group: cis.f5.com + names: + kind: IngressLink + shortNames: + - il + singular: ingresslink + plural: ingresslinks + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: ^[a-zA-Z]+[-A-z0-9_.]+$ + virtualServerAddress: + type: string + pattern: 
^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ + host: + type: string + pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$ + ipamLabel: + type: string + pattern: ^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$ + bigipRouteDomain: + type: integer + minimum: 0 + maximum: 65535 + default: 0 + iRules: + type: array + items: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + selector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-validations: + - rule: "!has(self.partition) || self.partition != 'Common'" + message: The partition cannot be 'Common' if specified. + status: + type: object + properties: + vsAddress: + type: string + additionalPrinterColumns: + - name: IPAMVSAddress + type: string + description: IP address of virtualServer + jsonPath: .status.vsAddress + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/instance: f5-bigip-ctlr + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: f5-bigip-ctlr + name: policies.cis.f5.com +spec: + group: cis.f5.com + names: + kind: Policy + shortNames: + - plc + singular: policy + plural: policies + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + l7Policies: + type: object + properties: + waf: + type: string + pattern: ^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$ + profileAccess: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + policyPerRequestAccess: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + profileAdapt: + type: object + properties: + request: + type: string + pattern: 
^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + response: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + l3Policies: + type: object + properties: + dos: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + botDefense: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + firewallPolicy: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$ + ipIntelligencePolicy: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + allowSourceRange: + items: + type: string + type: array + allowVlans: + items: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([A-z0-9-_.\s]+\/?)*$ + type: array + ltmPolicies: + type: object + properties: + insecure: + type: string + pattern: ^\/[a-zA-Z]+([-A-z0-9_+:]+\/)+([A-z0-9]+\/?)*$ + secure: + type: string + pattern: ^\/[a-zA-Z]+([-A-z0-9_+:]+\/)+([A-z0-9]+\/?)*$ + priority: + type: string + enum: + - low + - high + iRules: + type: object + properties: + insecure: + type: string + pattern: ^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + secure: + type: string + pattern: ^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + priority: + type: string + enum: + - low + - high + iRuleList: + type: array + items: + type: string + pattern: ^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + defaultPool: + type: object + properties: + name: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + service: + type: string + pattern: "[a-z]([-a-z0-9]*[a-z0-9])?" 
+ servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + serviceNamespace: + type: string + pattern: ^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$ + loadBalancingMethod: + type: string + pattern: ^[a-z]+[a-z_-]+[a-z]+$ + nodeMemberLabel: + type: string + pattern: ^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$ + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: + - tcp + - udp + - http + - https + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + reference: + type: string + enum: + - bigip + send: + type: string + recv: + type: string + sslProfile: + type: string + pattern: ^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$ + reference: + type: string + enum: + - bigip + - service + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + required: + - reference + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + server: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + udp: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + http: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + http2: + type: object + properties: + client: + type: string + pattern: ^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + server: + type: string + pattern: ^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + persistenceProfile: + type: string + pattern: ^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$ + profileL4: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + profileWebSocket: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + profileMultiplex: + type: string + pattern: 
^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + rewriteProfile: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$ + logProfiles: + items: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([-A-z0-9._\s]+\/?)*$ + type: array + httpMrfRoutingEnabled: + type: boolean + sslProfiles: + type: object + properties: + clientProfiles: + items: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + type: array + serverProfiles: + items: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + type: array + analyticsProfiles: + type: object + properties: + http: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + htmlProfile: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + ftpProfile: + type: string + pattern: ^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$ + autoLastHop: + type: string + enum: + - default + - auto + - disable + snat: + type: string + pattern: ^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$ + poolSettings: + type: object + properties: + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + slowRampTime: + type: integer + minimum: 0 + maximum: 900 + multiPoolPersistence: + type: object + properties: + method: + type: string + enum: + - uieSourceAddress + - hashSourceAddress + timeOut: + type: integer + minimum: 1 + default: 180 diff --git a/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/deployment.yaml b/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/deployment.yaml new file mode 100644 index 0000000..b1b10ac --- /dev/null +++ b/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/deployment.yaml 
@@ -0,0 +1,82 @@
+---
+# yamllint disable rule:line-length
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: f5-bigip-ctlr
+ namespace: kube-system
+ labels:
+ app.kubernetes.io/instance: f5-bigip-ctlr
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: f5-bigip-ctlr
+ app: f5-bigip-ctlr
+ chart: f5-bigip-ctlr-0.0.32
+ release: f5-bigip-ctlr
+ heritage: Helm
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: f5-bigip-ctlr
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: f5-bigip-ctlr
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: f5-bigip-ctlr
+ app: f5-bigip-ctlr
+ release: f5-bigip-ctlr
+ spec:
+ serviceAccountName: k8s-bigip-ctlr
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ containers:
+ - name: f5-bigip-ctlr
+ image: f5networks/k8s-bigip-ctlr:2.18.0
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /health
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 15
+ periodSeconds: 15
+ successThreshold: 1
+ timeoutSeconds: 15
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /health
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 15
+ volumeMounts:
+ - name: bigip-creds
+ mountPath: /tmp/creds
+ readOnly: true
+ imagePullPolicy: Always
+ command:
+ - /app/bin/k8s-bigip-ctlr
+ args:
+ - --ingress-class=f5
+ - --credentials-directory
+ - /tmp/creds
+ - --bigip-partition=ben
+ - --bigip-url=10.91.1.11
+ - --ipam=true
+ resources:
+ limits:
+ cpu: 100m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ volumes:
+ - name: bigip-creds
+ secret:
+ secretName: f5-bigip-ctlr-login
diff --git a/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/kustomization.yaml b/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/kustomization.yaml
new file mode 100644
index 0000000..f2c633f
--- /dev/null
+++ b/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/kustomization.yaml
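Review bot: The `f5-bigip-ctlr` container gets only the pod-level `securityContext` (runAsUser/runAsGroup/fsGroup 1000) and no container-level restrictions, so it can still gain privileges and keeps a writable root filesystem even though its only declared need is the read-only secret mount at `/tmp/creds`. Add under the container `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}, readOnlyRootFilesystem: true}`, with an `emptyDir` scratch mount if the controller turns out to write locally. The hard-coded `namespace: kube-system` here, and again in the serviceaccount.yaml hunk of this commit, contradicts the base kustomization's `namespace: k8s-bigip-ctlr`; kustomize rewrites both, so the committed value is misleading and should match the target namespace. `--bigip-url=10.91.1.11` and `--bigip-partition=ben` are site-specific and belong in the `overlays/fh` kustomization as a patch rather than in the base.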
@@ -0,0 +1,12 @@
+---
+kind: Kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+namespace: k8s-bigip-ctlr
+resources:
+ - clusterrole.yaml
+ - clusterrolebinding.yaml
+ - customresourcedefinition.yaml
+ - deployment.yaml
+ - namespace.yaml
+ - secret.yaml
+ - serviceaccount.yaml
diff --git a/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/namespace.yaml b/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/namespace.yaml
new file mode 100644
index 0000000..70b063c
--- /dev/null
+++ b/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/namespace.yaml
@@ -0,0 +1,7 @@
+---
+# yamllint disable rule:line-length
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: k8s-bigip-ctlr
diff --git a/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/serviceaccount.yaml b/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/serviceaccount.yaml
new file mode 100644
index 0000000..6a10e52
--- /dev/null
+++ b/kubernetes/workloads/k8s-bigip-ctlr/manifests/base/serviceaccount.yaml
@@ -0,0 +1,15 @@
+---
+# yamllint disable rule:line-length
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: k8s-bigip-ctlr
+ namespace: kube-system
+ labels:
+ app.kubernetes.io/instance: f5-bigip-ctlr
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: f5-bigip-ctlr
+ app: f5-bigip-ctlr
+ chart: f5-bigip-ctlr-0.0.32
+ release: f5-bigip-ctlr
+ heritage: Helm
diff --git a/kubernetes/workloads/k8s-bigip-ctlr/manifests/overlays/fh/kustomization.yaml b/kubernetes/workloads/k8s-bigip-ctlr/manifests/overlays/fh/kustomization.yaml
new file mode 100644
index 0000000..25bafda
--- /dev/null
+++ b/kubernetes/workloads/k8s-bigip-ctlr/manifests/overlays/fh/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+kind: Kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+resources:
+ - ../../base
diff --git a/kubernetes/workloads/k8s-bigip-ctlr/values.yaml b/kubernetes/workloads/k8s-bigip-ctlr/values.yaml
new file mode 100644
index 0000000..18471ac
--- /dev/null
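Review bot: `resources:` lists `secret.yaml`, but the commit adds no such file (the diffstat covers only clusterrole, clusterrolebinding, customresourcedefinition, deployment, kustomization, namespace and serviceaccount for this base), so `kustomize build` of the base fails until it exists. Presumably the `f5-bigip-ctlr-login` Secret is kept out of git deliberately; if so, document the provisioning path next to the entry, e.g. `# secret.yaml (f5-bigip-ctlr-login) is intentionally untracked; create it out of band before building`, or replace the entry with a `secretGenerator` fed from an ignored env file so the build is self-describing.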
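Review bot: namespace.yaml opens with two `---` document markers separated only by the yamllint comment, which yields an empty leading document before the Namespace; the sibling files in this commit put the comment after a single `---`. Dropping the second `---` keeps the files consistent and avoids tooling that rejects empty documents.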
+++ b/kubernetes/workloads/k8s-bigip-ctlr/values.yaml 
@@ -0,0 +1,77 @@
+bigip_login_secret: f5-bigip-ctlr-login
+bigip_secret:
+ create: false
+rbac:
+ create: true
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: k8s-bigip-ctlr
+ # This namespace is where the Controller lives;
+namespace: kube-system
+ingressClass:
+ create: false
+ ingressClassName: f5
+ isDefaultIngressController: false
+args:
+ # See https://clouddocs.f5.com/containers/latest/userguide/config-parameters.html
+ # NOTE: helm has difficulty with values using `-`; `_` are used for naming
+ # and are replaced with `-` during rendering.
+ # REQUIRED Params
+ bigip_url: 10.91.1.11
+ bigip_partition: ben
+ # OPTIONAL PARAMS -- uncomment and provide values for those you wish to use.
+ # verify_interval:
+ # node-poll_interval:
+ # log_level:
+ # python_basedir: ~
+ # VXLAN
+ # openshift_sdn_name:
+ # flannel_name:
+ # KUBERNETES
+ # default_ingress_ip:
+ # kubeconfig:
+ # namespaces: ["foo", "bar"]
+ # namespace_label:
+ # node_label_selector:
+ # pool_member_type: nodeport
+ # resolve_ingress_names:
+ # running_in_cluster:
+ # use_node_internal:
+ # use_secrets:
+ # insecure: true
+ # custom-resource-mode: true
+ # log-as3-response: true
+ # gtm-bigip-password
+ # gtm-bigip-url
+ # gtm-bigip-username
+ ipam: true
+image:
+ # Use the tag to target a specific version of the Controller
+ user: f5networks
+ repo: k8s-bigip-ctlr
+ pullPolicy: Always
+version: 2.18.0
+# affinity:
+# nodeAffinity:
+# requiredDuringSchedulingIgnoredDuringExecution:
+# nodeSelectorTerms:
+# - matchExpressions:
+# - key: kubernetes.io/arch
+# operator: Exists
+# securityContext:
+# runAsUser: 1000
+# runAsGroup: 3000
+# fsGroup: 2000
+# If you want to specify resources, uncomment the following
+# limits_cpu: 100m
+# limits_memory: 512Mi
+# requests_cpu: 100m
+# requests_memory: 512Mi
+# Set podSecurityContext 
for Pod Security Admission and Pod Security Standards
+# podSecurityContext:
+# runAsUser: 1000
+# runAsGroup: 1000
+# privileged: true
From c0cd0d3d55d0ed17dcdcdc55876e509167897c9e Mon Sep 17 00:00:00 2001 From: Ben Dronen Date: Sun, 12 Jan 2025 11:57:18 -0500 Subject: [PATCH 2/3] feat(f5-ve): working on adding F5 VE VM's Signed-off-by: Ben Dronen
--- f5/README.md | 11 ++ f5/tofu/.bitwarden/data.json | 3 + f5/tofu/.terraform.lock.hcl | 64 ++++++++++ f5/tofu/backend.tf | 32 +++++ f5/tofu/f5_ve_vm/f5_ve_vm.tf | 154 +++++++++++++++++++++++++ f5/tofu/f5_ve_vm/required_providers.tf | 9 ++ f5/tofu/f5_ve_vm/variables.tf | 55 +++++++++ f5/tofu/main.tf | 30 +++++ 8 files changed, 358 insertions(+) create mode 100644 f5/README.md create mode 100644 f5/tofu/.bitwarden/data.json create mode 100644 f5/tofu/.terraform.lock.hcl create mode 100644 f5/tofu/backend.tf create mode 100644 f5/tofu/f5_ve_vm/f5_ve_vm.tf create mode 100644 f5/tofu/f5_ve_vm/required_providers.tf create mode 100644 f5/tofu/f5_ve_vm/variables.tf create mode 100644 f5/tofu/main.tf
diff --git a/f5/README.md b/f5/README.md
new file mode 100644
index 0000000..03fba28
--- /dev/null
+++ b/f5/README.md
@@ -0,0 +1,11 @@
+# F5 BIG-IP Virtual Edition
+
+## Refs
+
+- Cloud Init -
+- Image types -
+- Sizing requirements -
+- BIG-IP in proxmox -
+- License with `tmsh` -
+- Declarative onboarding -
+- Declarative onboarding demo -
diff --git a/f5/tofu/.bitwarden/data.json b/f5/tofu/.bitwarden/data.json
new file mode 100644
index 0000000..b1df8fd
--- /dev/null
+++ b/f5/tofu/.bitwarden/data.json
@@ -0,0 +1,3 @@
+{
+ "stateVersion": 68
+}
diff --git a/f5/tofu/.terraform.lock.hcl b/f5/tofu/.terraform.lock.hcl
new file mode 100644
index 0000000..c3ff06a
--- /dev/null
+++ b/f5/tofu/.terraform.lock.hcl
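Review bot: The `# securityContext:` and `# podSecurityContext:` blocks at the end of the file stay commented out, yet the rendered deployment.yaml in this same commit carries `runAsUser`/`runAsGroup`/`fsGroup: 1000`; if `create_manifests.sh` re-renders the manifests from this values file, confirm that setting comes from the chart's defaults, otherwise a re-render silently drops it, and uncommenting `securityContext:` here with the same values makes the intent explicit either way. The comment `# This namespace is where the Controller lives;` is indented under `serviceAccount:` but describes the top-level `namespace:` key that follows it; dedent it (and drop the stray `;`) so it documents the right key.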
@@ -0,0 +1,64 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/bpg/proxmox" { + version = "0.69.0" + constraints = "0.69.0" + hashes = [ + "h1:qPVErcPtYkDNRCPVL32eUaEW1HKJpfjSr03t5c1EAqM=", + "zh:046713ab723f4aecc2886263b3e2fc79f2391c821a81a5346f7ff185edd17f68", + "zh:05c19166978a8a81031e502d3934bae5daac17fe44d8f397bb6a67f9bade337b", + "zh:12327ed39e85680cfd086bcb0d7ebefd15d352c1cd857e5164d4729122821489", + "zh:4f833932192a136dbafc54ee98dcfeb612dc7b679ba5bcb59f7d430721b58f80", + "zh:6c5547ee42a6ed6ae40a707c97fd1bf22b082feed8d31f34bcc9447018b7a2c5", + "zh:6ee9fe5d73fe283cc4c6cb551b7a5ccd857be65f91872446b772f75f75a2a272", + "zh:8a4d23aa38298286bee221db01a8f02492679e5ab877eaa793df4f16af4ed714", + "zh:982011abf6ce4499d6b8e00aa7d7ba92229ae641fa8e631b14ced37343f443cc", + "zh:a46683898b8d193f40de3837c6ea2bbf8a68ac59e6d4463c307a9931cccb5e42", + "zh:ce3ea79bd1b4f3d881e7de8d2e9e0bf86f0c48ad1b71ff4ce48f0ba09b732106", + "zh:d20d861810452ee57670d0389e8409644f7b61888c8c9cc67f65cdb06fc3456d", + "zh:d6169bdacfc2f88decf2c8f3af47bbf411de914120e128cd53af639a707b6d13", + "zh:e8690a35444bfdd3899fef16afcce1ccf4ab9b7140f53e23ba96aa623f84e6c5", + "zh:f26e0763dbe6a6b2195c94b44696f2110f7f55433dc142839be16b9697fa5597", + "zh:f9c0df46f852e241eb6342d684466dd9de4b8a1058f1453fbe1ec0ffb6d1fe1a", + ] +} + +provider "registry.opentofu.org/hashicorp/http" { + version = "3.4.5" + hashes = [ + "h1:P3NFKZbtHuQ6mmoDVpg4WYlDJ+yK4cchzkjTPzBWG3Y=", + "zh:055a4431d33bb89b9848193152433eaead7cc2e6746d3436a5922419de2112bf", + "zh:0bfabafea9f5e36802fcfc5a800831ec1767d896af889abc610014d02b09bdc2", + "zh:300b4983fe1b43bd0a7dac1f94b30b3814f11c824224dd83fb45a521c02cea60", + "zh:68f6958314ca5dc0868be70e37ec123b99b8828aa49f27fd2fdd13df05d31ab1", + "zh:c29f098a597250adc2a7d9f99acbce3c9e07d37f1c5cfded5df4309738cf613c", + "zh:c33607397f9c9302c0cd797c8b7484c9c6cfa09c3489d4b55af17df20b204368", + 
"zh:d519ca364a224110428b390ee06e963a3ec4dfdd1ac816c9f32e647567957cf5", + "zh:e4a9c7c0ac31a0192362ef43449390cdf00d2cf6f13061ef730b177eaf00ac45", + "zh:f25223c062f274d8f89bb96017e73586030a205bc91cdad266a9954d0def2a23", + "zh:fd4dc824ebae2f3a66318df364bec83b88e9a52e7f66b00dafa29a796d9a94ab", + ] +} + +provider "registry.opentofu.org/maxlaverse/bitwarden" { + version = "0.12.1" + constraints = "0.12.1" + hashes = [ + "h1:EJ6epDEl5gTf6xENZr1+F4NVSIM4a5AAE1wBUXxL2x8=", + "zh:0b01f9e07a169b63121799043b7a1c431c198073e629193dced9365649367b25", + "zh:13c8589eacd000c0f4de66012f0426acf4727cd5ac1527514a40192390846012", + "zh:6065f9e8eea47cb0e2102b4bab258374e2113893e720a07aec9fe6198bd5e4ce", + "zh:6375c5cb207fb9f972a487062368386767970c9fd8175f177ea16d391bf7c802", + "zh:74ac084fb3d86e2d4422d08c493d732ec375c5392d48b1cd405eef367ee4f621", + "zh:923db6be3387dc75ee8481e6d923903e3c11cf9fe8137f6c0ec540c8f1adfb8c", + "zh:92caab75a46a62ae9d80e9672823689f3299d5d143a4aebb9c6c99016454e59f", + "zh:aa63a2986f1f54cb5b161da15f1820f6b25560d0657223103945b3be9398563f", + "zh:aca8a6e3b012ac3158a57fbcc7d5891b0d9fbb46bbbd67e9f3edfe6e83802605", + "zh:db4a93c5d023e515da5554951e9a13fcab3709bb48774f892026b10d23c6ba5c", + "zh:e10f5a97a3741a93bff75429aee70f93aa8439355ef11ae2bafdd483ee092212", + "zh:e2b272e88274cd4c921a27f0bd65f9fac3fd18d5913b6431cfbc77cb04dc201c", + "zh:ebaedc720eb82bfc4c072e24bd064499803526bb0469886740e83f34e6e7dd6e", + "zh:f5e4d61336298c77eb0956ec59f3cbb9fa8f274d2f1d5cb9ec5ea4c216983faf", + ] +} diff --git a/f5/tofu/backend.tf b/f5/tofu/backend.tf new file mode 100644 index 0000000..494a90f --- /dev/null +++ b/f5/tofu/backend.tf 
@@ -0,0 +1,32 @@
+terraform {
+ backend "gcs" {
+ bucket = "homelab-state"
+ prefix = "tofu/f5/state"
+ }
+ required_providers {
+ bitwarden = {
+ source = "maxlaverse/bitwarden"
+ version = "0.12.1"
+ }
+ proxmox = {
+ source = "bpg/proxmox"
+ version = "0.69.0"
+ }
+ }
+}
+provider "bitwarden" {}
+data "bitwarden_item_login" "proxmox_credentials" {
+ #checkov:skip=CKV_SECRET_6:This is pulling the secret from Bitwarden
+ id = "d96bdd64-86fb-438f-81a7-afae0117ec76"
+}
+
+provider "proxmox" {
+ endpoint = data.bitwarden_item_login.proxmox_credentials.uri[0].value
+ username = "${data.bitwarden_item_login.proxmox_credentials.username}@pam"
+ password = data.bitwarden_item_login.proxmox_credentials.password
+ insecure = true
+ ssh {
+ agent = true
+ username = data.bitwarden_item_login.proxmox_credentials.username
+ }
+}
diff --git a/f5/tofu/f5_ve_vm/f5_ve_vm.tf b/f5/tofu/f5_ve_vm/f5_ve_vm.tf
new file mode 100644
index 0000000..9752785
--- /dev/null
+++ b/f5/tofu/f5_ve_vm/f5_ve_vm.tf
@@ -0,0 +1,154 @@
+# https://clouddocs.f5.com/cloud/public/v1/shared/cloudinit.html
+# https://registry.terraform.io/providers/bpg/proxmox/latest/docs/resources/virtual_environment_file
+resource "proxmox_virtual_environment_file" "f5-ve-cloud-init" {
+ content_type = "snippets"
+ datastore_id = "local"
+ node_name = "fh-proxmox0"
+
+ source_raw {
+ data = format("#cloud-config\n%s", yamlencode({
+ chpasswd = {
+ list = "root:${var.root_password}\nadmin:${var.root_password}"
+ expire = false
+ }
+ write_files = [
+ {
+ path = "/config/revoke-license.sh"
+ permissions = 0755
+ owner = "root:root"
+ content = < Date: Fri, 17 Jan 2025 15:51:08 -0500 Subject: [PATCH 3/3] feat(f5): working F5 vm's Signed-off-by: Ben Dronen
---
 f5/tofu/f5_ve_vm/f5_ve_vm.tf | 4 +++- f5/tofu/main.tf | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/f5/tofu/f5_ve_vm/f5_ve_vm.tf b/f5/tofu/f5_ve_vm/f5_ve_vm.tf
index 9752785..077d5c9 100644
--- a/f5/tofu/f5_ve_vm/f5_ve_vm.tf
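Review bot: `insecure = true` in the new `provider "proxmox"` block turns off TLS certificate verification for the endpoint pulled from Bitwarden, so the Proxmox password set on the line above is handed to whatever host answers at that address, and anyone who can interpose on the homelab network can capture it. Unless the Proxmox API certificate genuinely cannot be trusted, drop the line (the provider presumably verifies by default) or gate it behind a variable with a comment stating why, e.g. `insecure = var.proxmox_insecure # TODO: trust the Proxmox CA and set to false`. Separately, the `bitwarden_item_login` data source's password ends up in the state written to the `homelab-state` GCS bucket; a one-line comment on the `backend "gcs"` block noting that the bucket therefore holds live credentials and must be access-restricted would help the next maintainer.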
+++ b/f5/tofu/f5_ve_vm/f5_ve_vm.tf @@ -37,6 +37,8 @@ tmsh save /sys config tmsh modify sys global-settings mgmt-dhcp disabled tmsh create sys management-ip ${var.ipv4_addr.addr}/${var.ipv4_addr.mask} tmsh create sys management-route default gateway ${var.ipv4_gw} +tmsh create net self self_1nic address ${var.ipv4_addr.addr}/${var.ipv4_addr.mask} vlan internal allow-service default traffic-group traffic-group-local-only +tmsh create net route default network default gw ${var.ipv4_gw} tmsh save /sys config EOF }, @@ -77,7 +79,7 @@ EOF } } })) - file_name = "f5-ve-cloud-init.yaml" + file_name = "f5-ve-cloud-init-${var.vm_hostname}.yaml" } } diff --git a/f5/tofu/main.tf b/f5/tofu/main.tf index 9141994..fc2a580 100644 --- a/f5/tofu/main.tf +++ b/f5/tofu/main.tf @@ -27,4 +27,4 @@ module "f5-ve-server" { "fh.dronen.house" ] vm_os = "f5-big-ip-ve" -} \ No newline at end of file +}
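Review bot: The added `tmsh create net self self_1nic ...` line uses `allow-service default`, which opens TMOS's default service set (SSH and HTTPS among them) on the data-plane self IP, and because that self IP carries the same address as the management IP created two lines earlier, the unit's management services become reachable from the internal VLAN with no port lockdown. Consider `allow-service none` or an explicit list of only what the cluster needs, e.g. `... vlan internal allow-service { tcp:443 } traffic-group traffic-group-local-only`, and confirm that the CIS controller and any operator access still work with the narrower set. The tmsh heredoc this line belongs to starts outside the hunk.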
