github.com/nginxinc/kubernetes-ingress@v1.12.5/docs-web/integration-with-cis.md

github.com/nginxinc/kubernetes-ingress@v1.12.5/docs-web/integration-with-cis.md (about)

     1  # Integration with F5 Container Ingress Services
     2  
     3  The integration with [F5 Container Ingress Services](https://clouddocs.f5.com/containers/v2/) (CIS) configures an F5 BIG-IP device as a load balancer for NGINX Ingress Controller pods.
     4  
     5  > **Feature Status**: The integration with F5 CIS is available as a preview feature: it is suitable for experimenting and testing; however, it must be used with caution in production environments. Additionally, while the feature is in preview, we might introduce some backward-incompatible changes in the next releases.
     6  
     7  ## Prerequisites
     8  
     9  To enable the integration, the F5 CIS must be deployed in the cluster and configured to support the integration. Follow the instructions on the [CIS documentation portal](#link-to-be-added-later).
    10  
    11  ## Configuration
    12  
    13  ### 1. Install the Ingress Controller with the Integration Enabled
    14  
    15  This step depends on how you install the Ingress Controller: using [Manifests](/nginx-ingress-controller/installation/installation-with-manifests) or the [Helm chart](/nginx-ingress-controller/installation/installation-with-helm).
    16  
    17  #### Manifests Installation
    18  
    19  1. Create a service for the Ingress Controller pods for ports 80 and 443. For example:
    20      ```yaml
    21      apiVersion: v1
    22      kind: Service
    23      metadata:
    24        name: nginx-ingress-ingresslink
    25        namespace: nginx-ingress
    26        labels:
    27          app: ingresslink
    28      spec:
    29        ports:
    30        - port: 80
    31          targetPort: 80
    32          protocol: TCP
    33          name: http
    34        - port: 443
    35          targetPort: 443
    36          protocol: TCP
    37          name: https
    38        selector:
    39          app: nginx-ingress
    40      ```
    41      Note the label `app: ingresslink`. We will use it in the Step 2.
    42  1. In the [ConfigMap](/nginx-ingress-controller/configuration/global-configuration/configmap-resource), enable the PROXY protocol, which the BIG-IP system will use to pass the client IP and port information to NGINX. For the  `set-real-ip-from` key, use the subnet of the IP, which the BIG-IP system uses to send traffic to NGINX:
    43      ```yaml
    44      proxy-protocol: "True"
    45      real-ip-header: "proxy_protocol"
    46      set-real-ip-from: "0.0.0.0/0"
    47      ```
    48  1. Deploy the Ingress Controller with additional [command-line arguments](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments):
    49      ```yaml
    50      args:
    51      - -ingresslink=nginx-ingress
    52      - -report-ingress-status
    53      . . .
    54      ```
    55      where `ingresslink` references the name of the IngressLink resource from Step 2, and `report-ingress-status` enables [reporting Ingress statuses](/nginx-ingress-controller/configuration/global-configuration/reporting-resources-status#ingress-resources).
    56  
    57  #### Helm Installation
    58  
    59  Install a helm release with the following values that replicate the Manifest installation above:
    60  ```yaml
    61  controller:
    62    config:
    63      entries:
    64        proxy-protocol: "True"
    65        real-ip-header: "proxy_protocol"
    66        set-real-ip-from: "0.0.0.0/0"
    67    reportIngressStatus:
    68      ingressLink: nginx-ingress
    69    service:
    70      type: ClusterIP
    71      externalTrafficPolicy: Cluster
    72      extraLabels:
    73        app: ingresslink
    74  ```
    75  We will use the values for the parameters `ingressLink` and `extraLabels` in Step 2. For the  `set-real-ip-from` key, use the subnet of the IP, which the BIG-IP system uses to send traffic to NGINX.
    76  
    77  ### 2. Create an IngressLink Resource
    78  
    79  To configure the BIG-IP device to load balance among the Ingress Controller pods, create an IngressLink resource. For example, the following resource will expose the Ingress Controller pods via `192.168.10.5`:
    80  ```yaml
    81  apiVersion: "cis.f5.com/v1"
    82  kind: IngressLink
    83  metadata:
    84    name: nginx-ingress
    85    namespace: nginx-ingress
    86  spec:
    87    virtualServerAddress: "192.168.10.5"
    88    iRules:
    89    - /Common/Proxy_Protocol_iRule
    90    selector:
    91      matchLabels:
    92        app: ingresslink
    93  ```
    94  
    95  The name of the resource and the labels in the selector must match the values you configured in Step 1. The resource must belong to the same namespace as the Ingress Controller pod.
    96  
    97  ### 3. Test the Integration
    98  
    99  Now the Ingress Controller pods are behind the IP configured in Step 2.
   100  
   101  If you deploy the [cafe example](https://github.com/nginxinc/kubernetes-ingress/tree/v1.11.0/examples/complete-example), you will be able to send requests to the Ingress Controller pods using the following command:
   102  ```
   103  $ curl --resolve cafe.example.com:192.168.10.5:443 https://cafe.example.com:443/coffee --insecure
   104  Server address: 10.12.0.18:80
   105  Server name: coffee-7586895968-r26zn
   106  ...
   107  ```
   108  
   109  Also, if you check the status of the cafe-ingress, you will see the IP of the BIG-IP system:
   110  ```
   111  $ kubectl get ing cafe-ingress
   112  NAME           HOSTS              ADDRESS         PORTS     AGE
   113  cafe-ingress   cafe.example.com   192.168.10.5    80, 443   115s
   114  ```