dronenb · dronenb · Sep 26, 2024 · Jan 12, 2025 · Jan 17, 2025
diff --git a/f5/README.md b/f5/README.md
@@ -0,0 +1,11 @@
+# F5 BIG-IP Virtual Edition
+
+## Refs
+
+- Cloud Init - <https://clouddocs.f5.com/cloud/public/v1/shared/cloudinit.html>
+- Image types - <https://my.f5.com/manage/s/article/K14946>
+- Sizing requirements - <https://my.f5.com/manage/s/article/K15796>
+- BIG-IP in proxmox - <https://my.f5.com/manage/s/article/K85183351>
+- License with `tmsh` - <https://my.f5.com/manage/s/article/K15055>
+- Declarative onboarding - <https://clouddocs.f5.com/products/extensions/f5-declarative-onboarding/latest/>
+- Declarative onboarding demo - <https://www.youtube.com/watch?v=zNlLVZA6Aic>
diff --git a/f5/tofu/.bitwarden/data.json b/f5/tofu/.bitwarden/data.json
@@ -0,0 +1,3 @@
+{
+  "stateVersion": 68
+}
diff --git a/f5/tofu/.terraform.lock.hcl b/f5/tofu/.terraform.lock.hcl
diff --git a/f5/tofu/backend.tf b/f5/tofu/backend.tf
@@ -0,0 +1,32 @@
+terraform {
+  backend "gcs" {
+    bucket = "homelab-state"
+    prefix = "tofu/f5/state"
+  }
+  required_providers {
+    bitwarden = {
+      source  = "maxlaverse/bitwarden"
+      version = "0.12.1"
+    }
+    proxmox = {
+      source  = "bpg/proxmox"
+      version = "0.69.0"
+    }
+  }
+}
+provider "bitwarden" {}
+data "bitwarden_item_login" "proxmox_credentials" {
+  #checkov:skip=CKV_SECRET_6:This is pulling the secret from Bitwarden
+  id = "d96bdd64-86fb-438f-81a7-afae0117ec76"
+}
+
+provider "proxmox" {
+  endpoint = data.bitwarden_item_login.proxmox_credentials.uri[0].value
+  username = "${data.bitwarden_item_login.proxmox_credentials.username}@pam"
+  password = data.bitwarden_item_login.proxmox_credentials.password
+  insecure = true
+  ssh {
+    agent    = true
+    username = data.bitwarden_item_login.proxmox_credentials.username
+  }
+}
diff --git a/f5/tofu/f5_ve_vm/f5_ve_vm.tf b/f5/tofu/f5_ve_vm/f5_ve_vm.tf
@@ -0,0 +1,156 @@
+# https://clouddocs.f5.com/cloud/public/v1/shared/cloudinit.html
+# https://registry.terraform.io/providers/bpg/proxmox/latest/docs/resources/virtual_environment_file
+resource "proxmox_virtual_environment_file" "f5-ve-cloud-init" {
+  content_type = "snippets"
+  datastore_id = "local"
+  node_name    = "fh-proxmox0"
+
+  source_raw {
+    data = format("#cloud-config\n%s", yamlencode({
+      chpasswd = {
+        list = "root:${var.root_password}\nadmin:${var.root_password}"
+        expire = false
+      }
+      write_files = [
+        {
+          path = "/config/revoke-license.sh"
+          permissions = 0755
+          owner = "root:root"
+          content = <<EOF
+#!/usr/bin/env bash
+# Wait for MCPD to be up before running tmsh commands
+source /usr/lib/bigstart/bigip-ready-functions
+wait_bigip_ready
+echo "Y" | tmsh revoke sys license
+EOF
+        },
+        {
+          path = "/config/management-ip.sh"
+          permissions = 0755
+          owner = "root:root"
+          content = <<EOF
+#!/usr/bin/env bash
+# Wait for MCPD to be up before running tmsh commands
+source /usr/lib/bigstart/bigip-ready-functions
+wait_bigip_ready
+tmsh save /sys config
+tmsh modify sys global-settings mgmt-dhcp disabled
+tmsh create sys management-ip ${var.ipv4_addr.addr}/${var.ipv4_addr.mask}
+tmsh create sys management-route default gateway ${var.ipv4_gw}
+tmsh create net self self_1nic address ${var.ipv4_addr.addr}/${var.ipv4_addr.mask} vlan internal allow-service default traffic-group traffic-group-local-only
+tmsh create net route default network default gw ${var.ipv4_gw}
+tmsh save /sys config
+EOF
+        },
+      ]
+      runcmd = [
+        "/config/management-ip.sh &",
+      ]
+      tmos_declared = {
+        enabled = true
+        # Unfortunately seems like these packages are not appropriate signed, thus has to be disabled
+        icontrollx_trusted_sources = false
+        icontrollx_package_urls = [
+          "https://github.com/F5Networks/f5-declarative-onboarding/releases/download/v1.46.0/f5-declarative-onboarding-1.46.0-7.noarch.rpm",
+          "https://github.com/F5Networks/f5-appsvcs-extension/releases/download/v3.53.0/f5-appsvcs-3.53.0-7.noarch.rpm"
+        ]
+        # https://clouddocs.f5.com/products/extensions/f5-declarative-onboarding/latest/
+        do_declaration = {
+          schemaVersion= "1.46.0"
+          class = "Device"
+          async = true
+          label = "Cloudinit Onboarding"
+          Common = {
+            class = "Tenant"
+            hostname = "${var.vm_hostname}.${var.search_domains[0]}"
+            # myLicense = {
+            #   class = "License"
+            #   licenseType = "regKey"
+            #   regKey = "${data.bitwarden_item_login.f5-ve-info.field[0].hidden}"
+            # }
+            myDns = {
+              class = "DNS"
+              nameServers = [
+                var.nameserver
+              ]
+              search = var.search_domains
+            }
+          }
+        }
+      }
+    }))
+    file_name = "f5-ve-cloud-init-${var.vm_hostname}.yaml"
+  }
+}
+
+data "proxmox_virtual_environment_vms" "existing_vms" {}
+
+resource "proxmox_virtual_environment_vm" "f5_ve_server" {
+  initialization {
+    user_data_file_id = proxmox_virtual_environment_file.f5-ve-cloud-init.id
+    ip_config {
+      ipv4 {
+        address = "${var.ipv4_addr.addr}%{if var.ipv4_addr.mask != ""}/${var.ipv4_addr.mask}%{endif}"
+        gateway = var.ipv4_gw
+      }
+    }
+  }
+  agent {
+    enabled = false # this will cause terraform operations to hang if the Qemu agent doesn't install correctly!
+  }
+  name = var.vm_hostname
+  tags = sort(
+    concat(
+      ["${var.vm_os}", "tofu"],
+      var.vm_tags,
+    )
+  )
+  bios      = "seabios"
+  node_name = "fh-proxmox0"
+  machine   = "q35"
+  memory {
+    dedicated = var.vm_memory_mb
+  }
+
+  cpu {
+    type  = "host"
+    cores = "2"
+  }
+
+  disk {
+    interface = "scsi0"
+    size      = var.vm_disksize_gb
+  }
+  efi_disk {
+    type        = "4m"
+    file_format = "raw"
+  }
+  clone {
+    vm_id = lookup(
+      zipmap(
+        data.proxmox_virtual_environment_vms.existing_vms.vms[*].name,
+        data.proxmox_virtual_environment_vms.existing_vms.vms[*].vm_id
+      ),
+      "${var.vm_os}-latest"
+    )
+    full = true
+  }
+
+  network_device {
+    bridge = "vmbr0"
+    model  = "virtio"
+  }
+
+  operating_system {
+    type = "l26"
+  }
+
+  tpm_state {
+    version = "v2.0"
+  }
+  vga {
+    memory = 16
+    type   = "std"
+  }
+  serial_device {}
+}
diff --git a/f5/tofu/f5_ve_vm/required_providers.tf b/f5/tofu/f5_ve_vm/required_providers.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    # https://registry.terraform.io/providers/bpg/proxmox/latest
+    proxmox = {
+      source  = "bpg/proxmox"
+      version = "0.69.0"
+    }
+  }
+}
diff --git a/f5/tofu/f5_ve_vm/variables.tf b/f5/tofu/f5_ve_vm/variables.tf
@@ -0,0 +1,55 @@
+variable "root_password" {
+  type      = string
+  sensitive = true
+}
+
+variable "ipv4_addr" {
+  type = object({
+    addr = string
+    mask = string
+  })
+  default = {
+    addr = "dhcp"
+    mask = ""
+  }
+}
+
+variable "ipv4_gw" {
+  type    = string
+  default = ""
+}
+
+variable "nameserver" {
+  type    = string
+  default = "10.91.1.1"
+}
+
+variable "search_domains" {
+  type    = list(string)
+}
+
+variable "proxmox_node" {
+  type = string
+}
+
+variable "vm_hostname" {
+  type = string
+}
+
+variable "vm_memory_mb" {
+  type    = number
+  default = 1024
+}
+
+variable "vm_disksize_gb" {
+  type    = number
+  default = 10
+}
+
+variable "vm_tags" {
+  type = list(string)
+}
+
+variable "vm_os" {
+  type = string
+}
diff --git a/f5/tofu/main.tf b/f5/tofu/main.tf
@@ -0,0 +1,30 @@
+locals {
+  proxmox_node = "fh-proxmox0"
+}
+
+data "bitwarden_item_login" "f5-ve-info" {
+  #checkov:skip=CKV_SECRET_6:This is pulling the secret from Bitwarden
+  id = "d44d43f6-8d15-4fae-a651-b25a013fe8c9"
+}
+
+data "http" "ssh_keys" {
+  url = "https://github.com/dronenb.keys"
+}
+
+module "f5-ve-server" {
+  count          = 2
+  source         = "./f5_ve_vm"
+  vm_hostname    = "f5-bigip-ve-${count.index}"
+  proxmox_node   = local.proxmox_node
+  vm_memory_mb   = 4096
+  vm_disksize_gb = 100
+  vm_tags        = ["k3s", "k3s-server"]
+  root_password  = data.bitwarden_item_login.f5-ve-info.password
+  ipv4_addr      = { addr = format("%s%s", "10.91.1.", tostring(sum([12, count.index]))), mask = 24 }
+  ipv4_gw        = "10.91.1.1"
+  nameserver     = "10.91.1.1"
+  search_domains = [
+    "fh.dronen.house"
+  ]
+  vm_os = "f5-big-ip-ve"
+}
diff --git a/kubernetes/workloads/argocd-olm/manifests/applications/f5-ipam-controller.yaml b/kubernetes/workloads/argocd-olm/manifests/applications/f5-ipam-controller.yaml
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: f5-ipam-controller
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: "https://github.com/dronenb/HomeLab.git"
+    targetRevision: HEAD
+    path: kubernetes/workloads/f5-ipam-controller/manifests/overlays/fh
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: f5-ipam-controller
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: false