diff --git a/build-tools/version-tool b/build-tools/version-tool index 16b224730..6f2b200bd 100755 --- a/build-tools/version-tool +++ b/build-tools/version-tool @@ -169,8 +169,9 @@ class VersionInfo(object): self._ver_file = Version(data) if self._ver_file.pre or self._ver_file.build: - raise Exception("{} contains more than major.minor.patch" - .format(version_file.name)) + if self._ver_file.pre not in ["alpha","beta","rc"]: + raise Exception("{} contains more than major.minor.patch" + .format(version_file.name)) self._vers = { 'major': self._ver_file.major, 'minor': self._ver_file.minor, diff --git a/docs/cis-3.x/RELEASE-NOTES.rst b/docs/cis-3.x/RELEASE-NOTES.rst new file mode 100644 index 000000000..15a95a18f --- /dev/null +++ b/docs/cis-3.x/RELEASE-NOTES.rst @@ -0,0 +1,16 @@ +Release Notes for Container Ingress Services for Kubernetes & OpenShift +======================================================================= + +3.0.0-beta +------------- + +Added Functionality +``````````````````` +**What's new:** + * Support for Central Manager and BigIP-Next + * Support for following resources: + * Transport Server CR + * Service Type Load balancer + * IngressLink CR + * Integration with FIC + * Support for Nodeport Mode diff --git a/docs/cis-3.x/config_examples/customResource/CustomResource.md b/docs/cis-3.x/config_examples/customResource/CustomResource.md new file mode 100644 index 000000000..da273642b --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/CustomResource.md 
@@ -0,0 +1,97 @@ +# Custom Resource Definitions + +This page is created to document the behaviour of CIS in CRD Mode. + +## What are CRDs? + +* Custom resources are extensions of the Kubernetes API. +* A resource is an endpoint in the Kubernetes API that stores a collection of API objects of a certain kind; for example, the built-in pods resource contains a collection of Pod objects. +* A custom resource is an extension of the Kubernetes API that is not necessarily available in a default Kubernetes installation. It represents a customization of a particular Kubernetes installation. However, many core Kubernetes functions are now built using custom resources, making Kubernetes more modular. +* Custom resources can appear and disappear in a running cluster through dynamic registration, and cluster admins can update custom resources independently of the cluster itself. Once a custom resource is installed, users can create and access its objects using kubectl, just as they do for built-in resources like Pods. + +## How CIS works with CRDs + +* CIS registers to the kubernetes client-go using informers to retrieve Transport Server, Service, Endpoint and Node creation, updation and deletion events. Resources identified from such events will be pushed to a Resource Queue maintained by CIS. +* Resource Queue holds the resources to be processed. +* Transport Server is the Primary citizen. Any changes in Service, Endpoint, Node will process their affected Transport Servers. For Example, If svc-a is part of foo-TransportServer and bar-TransportServer, Any changes in svc-a will put foo-TransportServer and bar-TransportServer in resource queue. +* Worker fetches the affected Transport Servers from Resource Queue to populate a common structure which holds the configuration of all the Transport Servers such as Virtual Server IP, Pool Members etc. +* LTM Configuration(using AS3) will be created in CIS Managed Partition defined by the User. 
+ + +## Label +* CIS will only process custom resources with f5cr Label as true. +``` + labels: + f5cr: "true" +``` + +## Contents +* CIS supports following Custom Resources at this point of time. + - TransportServer + - IngressLink + +## TransportServer + * TransportServer resource expose non-HTTP traffic configuration for a virtual server address in BIG-IP. + * Schema Validation + - OpenAPI Schema Validation + + https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/cis-3.x/config_examples/customResourceDefinitions/customresourcedefinitions.yml + + +**TransportServer Components** + +| PARAMETER | TYPE | REQUIRED | DEFAULT | DESCRIPTION | +|----------------------|-------------------------|----------|------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| pool | pool | Required | NA | BIG-IP Pool member | +| virtualServerAddress | String | Optional | NA | IPv4/IPv6 IP Address of BIG-IP Virtual Server. IP address can also be replaced by a reference to a Service_Address. | +| ipamLabel | String | Optional | NA | IPAM label name for IP address management which is map to ip-range in IPAM controller deployment. | +| hostGroup | String | Optional | NA | To leverage the IP from VS CR using the same VS HostGroup name and Vice-versa. | +| policyName | String | Optional | NA | Name of Policy CRD to attach profiles/policies defined in it. 
| +| serviceAddress | List of service address | Optional | NA | Service address definition allows you to add a number of properties to your (virtual) server address | +| virtualServerPort | String | Required | NA | Port Address of BIG-IP Virtual Server | +| virtualServerName | String | Optional | NA | Custom name of BIG-IP Virtual Server | +| type | String | Optional | tcp | "tcp", "udp" or "sctp" L4 transport server type | +| mode | String | Required | NA | "standard" or "performance". A Standard mode transport server processes connections using the full proxy architecture. A Performance mode transport server uses FastL4 packet-by-packet TCP behavior. | +| snat | String | Optional | auto | | +| host | String | Optional | NA | HostName of the Virtual Server | +| partition | String | Optional | NA | bigip partition | + +**Pool Components** + +| PARAMETER | TYPE | REQUIRED | DEFAULT | DESCRIPTION | +| ------ |---------| ------ | ------ |----------------------------------------------------| +| service | String | Required | NA | Service deployed in kubernetes cluster | +| servicePort | Integer or String | Required | NA | Port to access Service.Could be service port, service port name or targetPort of the service| +| monitor | monitor | Optional | NA | Health Monitor to check the health of Pool Members | +| loadBalancingMethod | String | Optional | round-robin | Allowed values are existing BIG-IP Load Balancing methods for pools.| +| nodeMemberLabel | String | Optional | NA | List of Nodes to consider in NodePort Mode as BIG-IP pool members. 
This Option is only applicable for NodePort Mode | +| serviceNamespace | String | Optional | NA | Namespace of service, define it if service is present in a namespace other than the one where transport Server Custom Resource is present | + + + +**Health Monitor** + +| PARAMETER | TYPE | REQUIRED | DEFAULT | DESCRIPTION | +| ------ | ------ | ------ | ------ | ------ | +| type | String | Required | NA | http or https | +| interval | Int | Required | 5 | Seconds between health queries | +| timeout | Int | Optional | 16 | Seconds before query fails | + +### Examples + + https://github.com/F5Networks/k8s-bigip-ctlr/tree/master/docs/cis-3.x/config_examples/customResource/TransportServer + +## IngressLink + +Refer https://github.com/F5Networks/k8s-bigip-ctlr/tree/master/docs/cis-3.x/config_examples/customResource/IngressLink/README.md + + +# IP address management using the IPAM controller + +CIS can manage the virtual server address for VS and TS using the IPAM controller. The IPAM controller is a container provided by F5 for IP address management and it runs in parallel to the F5 ingress controller a pod in the Kubernetes/Openshift cluster. You can use the F5 IPAM controller to automatically allocate IP addresses to Virtual Servers, Transport Servers from a specified IP address range. You can specify this IP range in the IPAM Controller deployment file while deploying the IPAM controller. + +Specify the IPAM label `--ipamLabel` as an argument in VS and TS CRD. +Example: `--ipamLabel="Prod"` + +[See Documentation](https://clouddocs.f5.com/containers/latest/userguide/ipam/) + diff --git a/docs/cis-3.x/config_examples/customResource/IngressLink/Proxy_Protocol_iRule b/docs/cis-3.x/config_examples/customResource/IngressLink/Proxy_Protocol_iRule new file mode 100644 index 000000000..0339f8cc3 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/IngressLink/Proxy_Protocol_iRule 
@@ -0,0 +1,3 @@ +when SERVER_CONNECTED { + TCP::respond "PROXY TCP[IP::version] [IP::client_addr] [clientside {IP::local_addr}] [TCP::client_port] [clientside {TCP::local_port}]\r\n" +} \ No newline at end of file diff --git a/docs/cis-3.x/config_examples/customResource/IngressLink/README.md b/docs/cis-3.x/config_examples/customResource/IngressLink/README.md new file mode 100644 index 000000000..bcf45cc19 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/IngressLink/README.md 
@@ -0,0 +1,86 @@ +# Integration with Nginx Ingress Controller + +Using this integration, CIS can be used to configure the F5 BIG-IP device as a load balancer for [Nginx Ingress Controller](https://docs.nginx.com/nginx-ingress-controller/) pods. + +> **Feature Status**: The integration between CIS and Nginx Controller is available as a preview feature. It is suitable for experimenting and testing; however, it must be used with caution in production environments. Additionally, while the feature is in preview, we might introduce some backward-incompatible changes in the next releases. *The preview of the IngressLink solution requires a dedicated Container Ingress Services instance.* + +## IngressLink Compatibility Matrix +Minimum version to use IngressLink: + +| CIS | BIGIP | NGINX+ IC | AS3 | +| ------ | ------ | ------ | ------ | +| 2.3+ | v13.1+ | 1.10+ | 3.18+ | + +With CIS 3.x: + +| CIS 3.x | BIGIP-Next | CM | NGINX+ IC | +| ------ |------------------|----------------|-----------| +| 3.0.0-beta | v20.2.0-2.375.1+ | 20.2.0-0.5.41+ | 1.10+ | + + +## Configuration + +### 1. Create IngressLink Custom Resource Definition + +Create IngressLink Custom Resource definition as follows: + + ``` + kubectl create -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/cis-3.x/config_examples/customResourceDefinitions/customresourcedefinitions.yml + ``` + + +### 2. Create the Proxy iRule on BIG-IP. + +* Login to the BIG-IP GUI. +* On the Main tab, click **Local Traffic > iRules**. +* Click **Create**. +* In the Name field, type name as "Proxy_Protocol_iRule". +* In the Definition field, Copy the definition from [Proxy_Protocol_iRule](https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/config_examples/customResource/IngressLink/Proxy_Protocol_iRule) file. +* Click **Finished**. + +### 3. Install the CIS Controller. 
+ +* Refer to [CIS Installation guide](https://clouddocs.f5.com/containers/latest/userguide/cis-helm.html) to install Container Ingress Services on Kubernetes or Openshift. +* Make sure that you deploy CIS in CRD mode (use "--custom-resource-mode=true" in your CIS Configuration). + +### 4. Install the Nginx Ingress Controller. + +* Refer to [Integration with F5 Container Ingress Services](https://docs.nginx.com/nginx-ingress-controller/installation/integrations/f5-ingresslink/) to deploy NGINX Ingress Controller. + +### 5. Create an IngressLink Resource. + +* Download the sample IngressLink Resource: + + ```curl -OL https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/cis-3.x/config_examples/customResource/IngressLink/ingresslink.yaml``` + +* Update the "virtualServerAddress" parameter in the ingresslink.yaml resource. This IP address will be used to configure the BIG-IP device. It will be used to accept traffic and load balance it among the NGINX Ingress Controller pods. + + ```kubectl apply -f ingresslink.yaml``` + +##### Note: +1. The name of the app label selector in IngressLink resource should match the labels of the service which exposes the NGINX Ingress Controller. +2. The service which exposes the NGINX Ingress Controller should be of type ``nodeport``. + +### 6. Test the Integration. 
+ +To test the integration, deploy a sample application: + + kubectl apply -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/cis-3.x/config_examples/customResource/IngressLink/ingress-example/cafe.yaml + kubectl apply -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/cis-3.x/config_examples/customResource/IngressLink/ingress-example/cafe-secret.yaml + kubectl apply -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/cis-3.x/config_examples/customResource/IngressLink/ingress-example/cafe-ingress.yaml + +The Ingress Controller pods are behind the IP configured in Step 5 (virtualServerAddress parameter). + +To test the traffic (in this example we used 192.168.10.5 as our VirtualServerAddress): + + $ curl --resolve cafe.example.com:443:192.168.10.5 https://cafe.example.com:443/coffee --insecure + Server address: 10.12.0.18:80 + Server name: coffee-7586895968-r26zn + ... + +If you check the status of the cafe-ingress, you will see the IP of the VirtualServerAddress (in this example we used 192.168.10.5 as our VirtualServerAddress): +``` +$ kubectl get ing cafe-ingress +NAME HOSTS ADDRESS PORTS AGE +cafe-ingress cafe.example.com 192.168.10.5 80, 443 115s +``` diff --git a/docs/cis-3.x/config_examples/customResource/IngressLink/ingress-example/cafe-ingress.yaml b/docs/cis-3.x/config_examples/customResource/IngressLink/ingress-example/cafe-ingress.yaml new file mode 100644 index 000000000..fbab813f4 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/IngressLink/ingress-example/cafe-ingress.yaml 
@@ -0,0 +1,31 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: cafe-ingress + # use annotations with k8s version < 1.18.0 + annotations: + #kubernetes.io/ingress.class: nginx +spec: + ingressClassName: nginx # use only with k8s version >= 1.18.0 + tls: + - hosts: + - cafe.example.com + secretName: cafe-secret + rules: + - host: cafe.example.com + http: + paths: + - path: /tea + pathType: ImplementationSpecific + backend: + service: + name: tea-svc + port: + number: 80 + - path: /coffee + pathType: ImplementationSpecific + backend: + service: + name: coffee-svc + port: + number: 80 diff --git a/docs/cis-3.x/config_examples/customResource/IngressLink/ingress-example/cafe-secret.yaml b/docs/cis-3.x/config_examples/customResource/IngressLink/ingress-example/cafe-secret.yaml new file mode 100644 index 000000000..8f9fd8485 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/IngressLink/ingress-example/cafe-secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cafe-secret +type: kubernetes.io/tls +data: + tls.crt: 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 + tls.key: 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 diff --git a/docs/cis-3.x/config_examples/customResource/IngressLink/ingress-example/cafe.yaml b/docs/cis-3.x/config_examples/customResource/IngressLink/ingress-example/cafe.yaml new file mode 100644 index 000000000..67803bc13 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/IngressLink/ingress-example/cafe.yaml 
@@ -0,0 +1,66 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: coffee +spec: + replicas: 2 + selector: + matchLabels: + app: coffee + template: + metadata: + labels: + app: coffee + spec: + containers: + - name: coffee + image: nginxdemos/nginx-hello:plain-text + ports: + - containerPort: 8080 +--- +apiVersion: v1 +kind: Service +metadata: + name: coffee-svc +spec: + ports: + - port: 80 + targetPort: 8080 + protocol: TCP + name: http + selector: + app: coffee +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tea +spec: + replicas: 3 + selector: + matchLabels: + app: tea + template: + metadata: + labels: + app: tea + spec: + containers: + - name: tea + image: nginxdemos/nginx-hello:plain-text + ports: + - containerPort: 8080 +--- +apiVersion: v1 +kind: Service +metadata: + name: tea-svc + labels: +spec: + ports: + - port: 80 + targetPort: 8080 + protocol: TCP + name: http + selector: + app: tea diff --git a/docs/cis-3.x/config_examples/customResource/IngressLink/ingressLink-with-iRule-reference-from-cm/ingresslink-with-iRule-reference-from-cm.yaml b/docs/cis-3.x/config_examples/customResource/IngressLink/ingressLink-with-iRule-reference-from-cm/ingresslink-with-iRule-reference-from-cm.yaml new file mode 100644 index 000000000..14522d950 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/IngressLink/ingressLink-with-iRule-reference-from-cm/ingresslink-with-iRule-reference-from-cm.yaml @@ -0,0 +1,16 @@ +# Example of iRule reference from Central Manager +# In order to reference an iRule created on Central Manager, provide the iRule in the following format +# :, for example: proxyProtocolIrule:v1 +apiVersion: "cis.f5.com/v1" +kind: IngressLink +metadata: + name: nginx-ingress + namespace: nginx-ingress +spec: + virtualServerAddress: "192.168.10.5" + host: cafe.example.com + iRules: + - "proxyProtocolIrule:v1" + selector: + matchLabels: + app: ingresslink \ No newline at end of file 
diff --git a/docs/cis-3.x/config_examples/customResource/IngressLink/ingressLink-with-ipamLabel/README.md b/docs/cis-3.x/config_examples/customResource/IngressLink/ingressLink-with-ipamLabel/README.md new file mode 100644 index 000000000..7178b755a --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/IngressLink/ingressLink-with-ipamLabel/README.md @@ -0,0 +1,14 @@ +#IngressLink with IPAM Label + +This section demonstrates the option to configure ingressLink using IPAM label to manage the virtual server address. This is optional to use. +CRD allows the user manage the virtual server addresss using the F5 IPAM controller. + + +Option which can be used to configure is : + `ipamLabel` + +## ingresslink-with-ipamLabel.yaml + +By deploying this yaml file in your cluster, CIS will create a IngressLink on BIG-IP with virtual server address provided by IPAM controller. + +This is optional to use. We can use `virtualServerAddress` parameter as well. \ No newline at end of file diff --git a/docs/cis-3.x/config_examples/customResource/IngressLink/ingressLink-with-ipamLabel/ingresslink-with-ipamLabel.yaml b/docs/cis-3.x/config_examples/customResource/IngressLink/ingressLink-with-ipamLabel/ingresslink-with-ipamLabel.yaml new file mode 100644 index 000000000..97e86ddd5 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/IngressLink/ingressLink-with-ipamLabel/ingresslink-with-ipamLabel.yaml @@ -0,0 +1,12 @@ +apiVersion: "cis.f5.com/v1" +kind: IngressLink +metadata: + name: nginx-ingress + namespace: nginx-ingress +spec: + ipamLabel: "Dev" + iRules: + - "proxyProtocolIrule:v1" + selector: + matchLabels: + app: ingresslink \ No newline at end of file diff --git a/docs/cis-3.x/config_examples/customResource/IngressLink/ingresslink.yaml b/docs/cis-3.x/config_examples/customResource/IngressLink/ingresslink.yaml new file mode 100644 index 000000000..e9d67ffa8 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/IngressLink/ingresslink.yaml 
@@ -0,0 +1,11 @@ +apiVersion: "cis.f5.com/v1" +kind: IngressLink +metadata: + name: nginx-ingress + namespace: nginx-ingress +spec: + virtualServerAddress: "192.168.10.5" + host: cafe.example.com + selector: + matchLabels: + app: ingresslink \ No newline at end of file diff --git a/docs/cis-3.x/config_examples/customResource/IngressLink/partition/README.md b/docs/cis-3.x/config_examples/customResource/IngressLink/partition/README.md new file mode 100644 index 000000000..032665f8c --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/IngressLink/partition/README.md @@ -0,0 +1,19 @@ +# Ingress Link with partition + +This section demonstrates the option to configure partition in Ingress Link. + +Option which can be used to partition: + +``` +partition: +``` +* Create Ingress Link on the respective partition on BIG-IP + +``` +#Example +partition: dev +``` + +## ingresslink-with-partition.yaml + +By deploying this yaml file in your cluster, CIS will create Ingress Link VS in dev partition on BIG-IP diff --git a/docs/cis-3.x/config_examples/customResource/IngressLink/partition/ingresslink-with-partition.yaml b/docs/cis-3.x/config_examples/customResource/IngressLink/partition/ingresslink-with-partition.yaml new file mode 100644 index 000000000..38f9d79f2 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/IngressLink/partition/ingresslink-with-partition.yaml @@ -0,0 +1,14 @@ +apiVersion: cis.f5.com/v1 +kind: IngressLink +metadata: + name: nginx-ingress + namespace: nginx-ingress +spec: + host: cafe.example.com + partition: dev + iRules: + - /Common/Proxy_Protocol_iRule + selector: + matchLabels: + app: ingresslink + virtualServerAddress: 10.8.3.201 \ No newline at end of file diff --git a/docs/cis-3.x/config_examples/customResource/TransportServer/README.md b/docs/cis-3.x/config_examples/customResource/TransportServer/README.md new file mode 100644 index 000000000..8175268c2 --- /dev/null 
+++ b/docs/cis-3.x/config_examples/customResource/TransportServer/README.md @@ -0,0 +1,31 @@ +# Unsecured Transport Server + +This section demonstrates the deployment of unsecured Transport Servers. + +## TCP Transport Server + +* TCP mode is the default type of transport server. +* By deploying `tcp-transport-server.yaml` yaml file in your cluster, CIS will create a TCP Virtual Server on BIG-IP with VIP "172.16.3.9" and port "8544". It will forward traffic to specified pool. + +### Health Monitor + +This section demonstrates the option to configure health monitors for pools in a transport server of type TCP. +You can define the health monitors for each pool members as follows: + +#### Single Health Monitor + +Option which can be used to configure health monitor: + +type `tcp` monitor +``` +monitor: + type: + interval: + timeout: +``` +* type and interval are required fields. + +## UDP Transport Server + +* For UDP type transport servers, yaml spec should contain a `type` parameter. Refer `udp-transport-server.yaml` example for more details +* By deploying `udp-transport-server.yaml` yaml file in your cluster, CIS will create a UDP Virtual Server on BIG-IP with VIP "172.16.3.10" and port "8444". It will forward traffic to specified pool. diff --git a/docs/cis-3.x/config_examples/customResource/TransportServer/partition/README.md b/docs/cis-3.x/config_examples/customResource/TransportServer/partition/README.md new file mode 100644 index 000000000..698db0112 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/TransportServer/partition/README.md 
@@ -0,0 +1,19 @@ +# Transport Server with partition + +This section demonstrates the option to configure partition in transport server. + +Option which can be used to partition: + +``` +partition: +``` +* Create Transport Server on the respective partition on BIG-IP + +``` +#Example +partition: dev +``` + +## ts-with-partition.yaml + +By deploying this yaml file in your cluster, CIS will create Transport Server in dev partition on BIG-IP diff --git a/docs/cis-3.x/config_examples/customResource/TransportServer/partition/ts-with-partition.yaml b/docs/cis-3.x/config_examples/customResource/TransportServer/partition/ts-with-partition.yaml new file mode 100644 index 000000000..811fae703 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/TransportServer/partition/ts-with-partition.yaml @@ -0,0 +1,24 @@ +apiVersion: cis.f5.com/v1 +kind: TransportServer +metadata: + labels: + f5cr: "true" + name: cr-transport-server + namespace: default +spec: + allowVlans: [] + iRules: + - /Common/test_rule2 + mode: standard + partition: dev + pool: + monitor: + interval: 20 + timeout: 10 + type: udp + service: pytest-svc-1 + servicePort: 1344 + snat: auto + type: udp + virtualServerAddress: 10.8.3.11 + virtualServerPort: 1344 \ No newline at end of file diff --git a/docs/cis-3.x/config_examples/customResource/TransportServer/tcp-transport-server.yaml b/docs/cis-3.x/config_examples/customResource/TransportServer/tcp-transport-server.yaml new file mode 100644 index 000000000..eca6d19a9 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/TransportServer/tcp-transport-server.yaml 
@@ -0,0 +1,21 @@ +apiVersion: "cis.f5.com/v1" +kind: TransportServer +metadata: + labels: + f5cr: "true" + name: svc1-tcp-transport-server + namespace: default +spec: + virtualServerAddress: "172.16.3.9" + virtualServerPort: 8544 + virtualServerName: svc1-tcp-ts + mode: standard + snat: auto + pool: + service: svc-1 + servicePort: 8181 + loadBalancingMethod: round-robin + monitor: + type: tcp + interval: 10 + timeout: 10 diff --git a/docs/cis-3.x/config_examples/customResource/TransportServer/transport-server-with-ipamLabel/README.md b/docs/cis-3.x/config_examples/customResource/TransportServer/transport-server-with-ipamLabel/README.md new file mode 100644 index 000000000..6cfa359ef --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/TransportServer/transport-server-with-ipamLabel/README.md @@ -0,0 +1,14 @@ +# Transport Server with IPAM Label + +This section demonstrates the option to configure transport server using IPAM label to manage the virtual server address. This is optional to use. +CRD allows the user manage the virtual server addresss using the F5 IPAM controller. + + +Option which can be used to configure is : + `ipamLabel` + +## transport-with-ipam-label.yaml + +By deploying this yaml file in your cluster, CIS will create a Transport Server on BIG-IP with virtual server address provided by IPAM controller. + +This is optional to use. We can use `virtualServerAddress` parameter as well. \ No newline at end of file diff --git a/docs/cis-3.x/config_examples/customResource/TransportServer/transport-server-with-ipamLabel/transport-with-ipamLabel.yaml b/docs/cis-3.x/config_examples/customResource/TransportServer/transport-server-with-ipamLabel/transport-with-ipamLabel.yaml new file mode 100644 index 000000000..e514c36b4 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/TransportServer/transport-server-with-ipamLabel/transport-with-ipamLabel.yaml 
@@ -0,0 +1,20 @@ +apiVersion: "cis.f5.com/v1" +kind: TransportServer +metadata: + labels: + f5cr: "true" + name: svc1-tcp-transport-server + namespace: default +spec: + ipamLabel: "Dev" + virtualServerPort: 8544 + virtualServerName: svc1-tcp-ts + mode: standard + snat: auto + pool: + service: svc-1 + servicePort: 8181 + monitor: + type: tcp + interval: 10 + timeout: 10 diff --git a/docs/cis-3.x/config_examples/customResource/TransportServer/ts-with-hostname.yaml b/docs/cis-3.x/config_examples/customResource/TransportServer/ts-with-hostname.yaml new file mode 100644 index 000000000..ca2e5c3a2 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/TransportServer/ts-with-hostname.yaml @@ -0,0 +1,22 @@ +apiVersion: "cis.f5.com/v1" +kind: TransportServer +metadata: + labels: + f5cr: "true" + name: svc1-tcp-transport-server + namespace: default +spec: + virtualServerAddress: "172.16.3.9" + virtualServerPort: 8544 + virtualServerName: svc1-tcp-ts + host: cafe.example.com + mode: standard + snat: auto + pool: + service: svc-1 + servicePort: 8181 + loadBalancingMethod: round-robin + monitor: + type: tcp + interval: 10 + timeout: 10 diff --git a/docs/cis-3.x/config_examples/customResource/serviceTypeLB/README.md b/docs/cis-3.x/config_examples/customResource/serviceTypeLB/README.md new file mode 100644 index 000000000..aca973639 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/serviceTypeLB/README.md 
@@ -0,0 +1,25 @@ +# ServiceType LoadBalancer Support + +This section demonstrates the option to configure ServiceType LoadBalancer to be used as Transport server. + +## example-service-type-lb.yaml.yaml + +By deploying this yaml file in your cluster, CIS will create a Transport Server using the options configured in the svcTypeLB on BIG-IP. + +# Health Monitor + +This section demonstrates the option to configure health monitor for pools in virtual server. +Health monitor is supported for each pool members. + +Options which can be used to configure health monitor: + +``` +monitor: + interval: + timeout: +``` +* interval is a required field. + +## healthMonitor-serviceTypeLB.yaml + +By deploying this yaml file in your cluster, CIS will create a Virtual Server containing health monitored pool on BIG-IP. \ No newline at end of file diff --git a/docs/cis-3.x/config_examples/customResource/serviceTypeLB/example-service-type-lb-staic-ip.yaml b/docs/cis-3.x/config_examples/customResource/serviceTypeLB/example-service-type-lb-staic-ip.yaml new file mode 100644 index 000000000..11d52a695 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/serviceTypeLB/example-service-type-lb-staic-ip.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + cis.f5.com/ip: 10.8.3.1 + labels: + app: pytest-svc-1 + name: pytest-svc-1 + namespace: default +spec: + allocateLoadBalancerNodePorts: true + clusterIP: 10.98.30.14 + clusterIPs: + - 10.98.30.14 + externalTrafficPolicy: Cluster + internalTrafficPolicy: Cluster + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: pytest-svc-1-1344 + nodePort: 32574 + port: 1344 + protocol: TCP + targetPort: 1344 + selector: + app: pytest-svc-1 + sessionAffinity: None + type: LoadBalancer \ No newline at end of file 
diff --git a/docs/cis-3.x/config_examples/customResource/serviceTypeLB/example-service-type-lb.yaml b/docs/cis-3.x/config_examples/customResource/serviceTypeLB/example-service-type-lb.yaml new file mode 100644 index 000000000..f6d5c30d3 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/serviceTypeLB/example-service-type-lb.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + cis.f5.com/ipamLabel: test + labels: + app: svc-lb1 + name: svc-lb1 + namespace: default +spec: + ports: + - name: svc-lb1-80 + port: 80 + protocol: TCP + targetPort: 80 + selector: + app: svc-lb1 + type: LoadBalancer diff --git a/docs/cis-3.x/config_examples/customResource/serviceTypeLB/healthMonitor-serviceTypeLB.yaml b/docs/cis-3.x/config_examples/customResource/serviceTypeLB/healthMonitor-serviceTypeLB.yaml new file mode 100644 index 000000000..b26a181fc --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/serviceTypeLB/healthMonitor-serviceTypeLB.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + cis.f5.com/health: '{"interval": 5, "timeout": 10}' + cis.f5.com/ipamLabel: prod + labels: + app: svc1 + name: svc1 + namespace: default +spec: + ports: + - name: svc1-8080 + port: 8080 + protocol: TCP + targetPort: 8080 + selector: + app: svc1 + type: LoadBalancer \ No newline at end of file diff --git a/docs/cis-3.x/config_examples/customResource/serviceTypeLB/multiport-serviceTypeLB.yaml b/docs/cis-3.x/config_examples/customResource/serviceTypeLB/multiport-serviceTypeLB.yaml new file mode 100644 index 000000000..6d120a9fa --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/serviceTypeLB/multiport-serviceTypeLB.yaml 
@@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + cis.f5.com/ipamLabel: prod + labels: + app: svc1 + name: svc1 + namespace: default +spec: + ports: + - name: svc1-8080 + port: 8080 + protocol: TCP + targetPort: 8080 + - name: svc1-8443 + port: 8443 + protocol: TCP + targetPort: 8443 + selector: + app: svc1 + type: LoadBalancer \ No newline at end of file diff --git a/docs/cis-3.x/config_examples/customResource/serviceTypeLB/service-type-lb-with-hostname.yaml b/docs/cis-3.x/config_examples/customResource/serviceTypeLB/service-type-lb-with-hostname.yaml new file mode 100644 index 000000000..cfbd3a75b --- /dev/null +++ b/docs/cis-3.x/config_examples/customResource/serviceTypeLB/service-type-lb-with-hostname.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + cis.f5.com/ipamLabel: test + cis.f5.com/host: foo.com + labels: + app: svc-lb1 + name: svc-lb1 + namespace: default +spec: + ports: + - name: svc-lb1-80 + port: 80 + protocol: TCP + targetPort: 80 + selector: + app: svc-lb1 + type: LoadBalancer \ No newline at end of file diff --git a/docs/cis-3.x/config_examples/customResourceDefinitions/customresourcedefinitions.yml b/docs/cis-3.x/config_examples/customResourceDefinitions/customresourcedefinitions.yml new file mode 100644 index 000000000..a668c40c1 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResourceDefinitions/customresourcedefinitions.yml 
@@ -0,0 +1,685 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: transportservers.cis.f5.com +spec: + group: cis.f5.com + names: + kind: TransportServer + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.]+$' + x-kubernetes-validations: + - message: "Transport Server partition can not be changed. Please delete and recreate the Transport Server to change the partition." + rule: self == oldSelf + virtualServerAddress: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + virtualServerPort: + type: integer + minimum: 1 + maximum: 65535 + virtualServerName: + type: string + pattern: '^[a-zA-Z]+([A-z0-9-_+])*([A-z0-9])$' + host: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + hostGroup: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]*[A-z0-9]*$' + policyName: + type: string + pattern: '^([A-z0-9-_+])*([A-z0-9])$' + mode: + type: string + enum: [standard, 
performance] + type: + type: string + enum: [tcp, udp, sctp] + snat: + type: string + pattern: '^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$' + connectionMirroring: + type: string + enum: [ none, L4 ] + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + persistenceProfile: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + dos: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileL4: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + allowVlans: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.]+\/?)*$' + type: array + iRules: + type: array + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + ipamLabel: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + serviceAddress: + type: array + maxItems: 1 + items: + type: object + properties: + arpEnabled: + type: boolean + icmpEcho: + type: string + enum: [enable, disable, selective] + routeAdvertisement: + type: string + enum: [enable, disable, selective, always, any, all] + spanningEnabled: + type: boolean + trafficGroup: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + pool: + type: object + properties: + name: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' 
+ servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + loadBalancingMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + nodeMemberLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + monitor: + type: object + properties: + type: + type: string + enum: [tcp, udp, http, https] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + send: + type: string + recv: + type: string + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [ tcp, udp, http, https ] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + send: + type: string + recv: + type: string + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + extendedServiceReferences: + type: array + items: + type: object + properties: + clusterName: + type: string + serviceName: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' 
+ namespace: + type: string + port: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + required: + - service + - servicePort + required: + - virtualServerPort + - pool + - mode + status: + type: object + properties: + vsAddress: + type: string + default: None + status: + type: string + default: Pending + lastUpdated: + type: string + error: + type: string + additionalPrinterColumns: + - name: virtualServerAddress + type: string + description: IP address of virtualServer + jsonPath: .spec.virtualServerAddress + - name: virtualServerPort + type: integer + description: Port of virtualServer + jsonPath: .spec.virtualServerPort + - name: pool + type: string + description: Name of service + jsonPath: .spec.pool.service + - name: poolPort + type: string + description: Port of service + jsonPath: .spec.pool.servicePort + - name: ipamLabel + type: string + description: ipamLabel for transport server + jsonPath: .spec.ipamLabel + - name: IPAMVSAddress + type: string + description: IP address of transport server + jsonPath: .status.vsAddress + - name: STATUS + type: string + description: status of TransportServer + jsonPath: .status.status + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: { } +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ingresslinks.cis.f5.com +spec: + group: cis.f5.com + names: + kind: IngressLink + shortNames: + - il + singular: ingresslink + plural: ingresslinks + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.]+$' + x-kubernetes-validations: + - message: "Ingress Link partition can not be changed. Please delete and recreate the Ingress Link to change the partition." 
+ rule: self == oldSelf + virtualServerAddress: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' + host: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + ipamLabel: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + iRules: + type: array + items: + type: string + pattern: '(^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$)|(^[a-zA-Z]+([A-z0-9-_+])*:[a-zA-Z]+([A-z0-9-_+])*$)' + selector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + status: + type: object + properties: + vsAddress: + type: string + status: + type: string + default: pending + lastUpdated: + type: string + error: + type: string + additionalPrinterColumns: + - name: IPAMVSAddress + type: string + description: IP address of virtualServer + jsonPath: .status.vsAddress + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: { } +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: policies.cis.f5.com +spec: + group: cis.f5.com + names: + kind: Policy + shortNames: + - plc + singular: policy + plural: policies + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + l7Policies: + type: object + properties: + waf: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + l3Policies: + type: object + properties: + dos: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + botDefense: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + firewallPolicy: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + ipIntelligencePolicy: + type: string + pattern: 
'^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + allowSourceRange: + items: + type: string + type: array + allowVlans: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([A-z0-9-_.\s]+\/?)*$' + type: array + ltmPolicies: + type: object + properties: + insecure: + type: string + pattern: '^\/[a-zA-Z]+([-A-z0-9_+:]+\/)+([A-z0-9]+\/?)*$' + secure: + type: string + pattern: '^\/[a-zA-Z]+([-A-z0-9_+:]+\/)+([A-z0-9]+\/?)*$' + priority: + type: string + enum: [low, high] + iRules: + type: object + properties: + insecure: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + secure: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + priority: + type: string + enum: [ low, high ] + iRuleList: + type: array + items: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + udp: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + http: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + http2: + type: object + properties: + client: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + persistenceProfile: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + profileL4: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileWebSocket: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileMultiplex: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + rewriteProfile: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + 
logProfiles: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([-A-z0-9._\s]+\/?)*$' + type: array + httpMrfRoutingEnabled: + type: boolean + sslProfiles: + type: object + properties: + clientProfiles: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + type: array + serverProfiles: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + type: array + analyticsProfiles: + type: object + properties: + http: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + autoLastHop: + type: string + enum: [ default, auto, disable ] + snat: + type: string + pattern: '^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$' + poolSettings: + type: object + properties: + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + slowRampTime: + type: integer + minimum: 0 + maximum: 900 + multiPoolPersistence: + type: object + properties: + method: + type: string + enum: [ uieSourceAddress, hashSourceAddress ] + timeOut: + type: integer + minimum: 1 + default: 180 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: deployconfigs.cis.f5.com +spec: + group: cis.f5.com + names: + kind: DeployConfig + listKind: DeployConfigList + plural: deployconfigs + singular: deployconfig + shortNames: + - dc + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + description: DeployConfig defines the DeployConfig + resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + as3Config: + properties: + debugAS3: + type: boolean + description: "Debug AS3 is used to enable or disable logging AS3 declaration being sent to BIG-IP" + postDelayAS3: + type: integer + description: "time (in seconds) that CIS waits to post the available AS3 declaration to BIG-IP" + type: object + description: AS3 Configuration for CIS + baseConfig: + properties: + controllerIdentifier: + type: string + description: "Controller identifier is used to uniquely identify the CIS controller deployed in the cluster" + x-kubernetes-validations: + - message: "Controller identifier can not be changed. Please delete and recreate the CIS controller and deploy config CR." 
+ rule: self == oldSelf + namespaceLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + description: "CIS watches namespaces with this label" + nodeLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + description: "CIS watches nodes only with this label, if not provided, CIS watches all nodes" + type: object + required: + - controllerIdentifier + networkConfig: + properties: + orchestrationCNI: + type: string + enum: [ovn-k8s,cilium,flannel,antrea] + description: "Orchestration CNI is used to specify the CNI plugin used in the cluster" + metaData: + type: object + properties: + poolMemberType: + type: string + enum: [cluster, nodeport, nodeportlocal, auto] + description: "Pool member type is used to specify the type of pool member used in the cluster" + staticRoutingMode: + type: boolean + description: "Static routing mode is used to enable or disable configuration of static routes on bigip for pod network subnets" + tunnelName: + type: string + description: "Tunnel name is used to specify the tunnel name configured on the BIG-IP for cluster mode routing" + networkCIDR: + type: string + pattern: '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){2}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(3[0-2]|[12]?[0-9])$' + description: "flag to specify node network cidr to be used for static routing when node has multiple interfaces.This is supported only with CNI ovn-k8s" + type: object + bigIpConfig: + items: + properties: + bigIpAddress: + type: string + pattern: 
'^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + description: "IP address of BIG-IP" + bigIpLabel: + type: string + description: "To uniquely identify bigip ha pair" + defaultPartition: + type: string + description: "partition for the Big-IP kubernetes objects" + required: + - bigIpAddress + - bigIpLabel + - defaultPartition + type: object + type: array + extendedSpec: + properties: + externalClustersConfig: + items: + properties: + adminState: + type: string + clusterName: + type: string + ratio: + type: integer + secret: + type: string + type: object + type: array + highAvailabilityCIS: + properties: + primaryCluster: + properties: + adminState: + type: string + clusterName: + type: string + ratio: + type: integer + secret: + type: string + type: object + primaryEndPoint: + description: HAMode + type: string + probeInterval: + type: integer + retryInterval: + type: integer + secondaryCluster: + properties: + adminState: + type: string + clusterName: + type: string + ratio: + type: integer + secret: + type: string + type: object + type: object + localClusterAdminState: + type: string + localClusterRatio: + type: integer + mode: + type: string + type: object + type: object + type: object \ No newline at end of file 
diff --git a/docs/cis-3.x/config_examples/customResourceDefinitions/incubator/crd_incubator.md b/docs/cis-3.x/config_examples/customResourceDefinitions/incubator/crd_incubator.md new file mode 100644 index 000000000..668e4eed2 --- /dev/null +++ b/docs/cis-3.x/config_examples/customResourceDefinitions/incubator/crd_incubator.md @@ -0,0 +1 @@ +This CRD Schema Definition is used for development purpose only. \ No newline at end of file diff --git a/docs/cis-3.x/config_examples/customResourceDefinitions/incubator/customresourcedefinitions.yml b/docs/cis-3.x/config_examples/customResourceDefinitions/incubator/customresourcedefinitions.yml new file mode 100644 index 000000000..75552995a --- /dev/null +++ b/docs/cis-3.x/config_examples/customResourceDefinitions/incubator/customresourcedefinitions.yml 
@@ -0,0 +1,1255 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: virtualservers.cis.f5.com +spec: + group: cis.f5.com + names: + kind: VirtualServer + plural: virtualservers + shortNames: + - vs + singular: virtualserver + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.]+$' + x-kubernetes-validations: + - message: "Virtual Server partition can not be changed. Please delete and recreate the Virtual Server to change the partition." + rule: self == oldSelf + host: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + hostGroup: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]*[A-z0-9]*$' + httpTraffic: + type: string + enum: [allow, none, redirect] + ipamLabel: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + snat: + type: string + pattern: '^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$' + connectionMirroring: + type: string + enum: [ none, L4 ] + tlsProfileName: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + persistenceProfile: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + http2: + type: object + properties: + client: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + dos: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + botDefense: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + policyName: + 
type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + rewriteAppRoot: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([-A-z0-9_.:]+\/?)*$' + waf: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileMultiplex: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + allowVlans: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.]+\/?)*$' + type: array + allowSourceRange: + items: + type: string + type: array + httpMrfRoutingEnabled: + type: boolean + iRules: + type: array + items: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + serviceAddress: + type: array + maxItems: 1 + items: + type: object + properties: + arpEnabled: + type: boolean + icmpEcho: + type: string + enum: [enable, disable, selective] + routeAdvertisement: + type: string + enum: [enable, disable, selective, always, any, all] + spanningEnabled: + type: boolean + trafficGroup: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + defaultPool: + type: object + properties: + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' 
+ servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + loadBalancingMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + nodeMemberLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [ tcp, udp, http, https ] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [ bigip ] + send: + type: string + recv: + type: string + reference: + type: string + enum: [ bigip, service ] + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + required: + - reference + pools: + type: array + items: + type: object + properties: + name: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + path: + type: string + pattern: '^\/([A-z0-9-_+]+\/)*([-A-z0-9_.:]+\/?)*$' + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' + weight: + type: integer + minimum: 0 + maximum: 256 + alternateBackends: + type: array + items: + type: object + properties: + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' 
+ serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + weight: + type: integer + minimum: 0 + maximum: 256 + required: + - service + loadBalancingMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + nodeMemberLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + rewrite: + type: string + pattern: '^\/([A-z0-9-_+]+\/)*([-A-z0-9_.:]+\/?)*$' + hostRewrite: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + waf: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + monitor: + type: object + properties: + type: + type: string + enum: [http, https, tcp] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [ http, https, tcp ] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + minimumMonitors: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + extendedServiceReferences: + type: array + items: + type: object + properties: + clusterName: + type: string + serviceName: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' 
+ namespace: + type: string + port: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + weight: + type: integer + minimum: 0 + maximum: 256 + virtualServerAddress: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + additionalVirtualServerAddresses: + type: array + items: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + virtualServerName: + type: string + pattern: '^[a-zA-Z]+([A-z0-9-_+])*([A-z0-9])$' + virtualServerHTTPPort: + type: integer + minimum: 1 + maximum: 65535 + 
virtualServerHTTPSPort: + type: integer + minimum: 1 + maximum: 65535 + status: + type: object + properties: + vsAddress: + type: string + default: None + status: + type: string + default: Pending + additionalPrinterColumns: + - name: host + type: string + description: hostname + jsonPath: .spec.host + - name: tlsProfileName + type: string + description: TLS Profile attached + jsonPath: .spec.tlsProfileName + - name: httpTraffic + type: string + description: Http Traffic Termination + jsonPath: .spec.httpTraffic + - name: IPAddress + type: string + description: IP address of virtualServer + jsonPath: .spec.virtualServerAddress + - name: ipamLabel + type: string + description: ipamLabel for virtual server + jsonPath: .spec.ipamLabel + - name: IPAMVSAddress + type: string + description: IP address of virtualServer + jsonPath: .status.vsAddress + - name: STATUS + type: string + description: status of VirtualServer + jsonPath: .status.status + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: tlsprofiles.cis.f5.com +spec: + group: cis.f5.com + names: + kind: TLSProfile + plural: tlsprofiles + shortNames: + - tls + singular: tlsprofile + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + hosts: + type: array + items: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + tls: + type: object + properties: + termination: + type: string + enum: [edge, reencrypt, passthrough] + clientSSL: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + clientSSLs: + type: array + items: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + serverSSL: + type: string + pattern: 
'^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + serverSSLs: + type: array + items: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip, secret] + required: + - termination + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: transportservers.cis.f5.com +spec: + group: cis.f5.com + names: + kind: TransportServer + plural: transportservers + shortNames: + - ts + singular: transportserver + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.]+$' + x-kubernetes-validations: + - message: "Transport Server partition can not be changed. Please delete and recreate the Transport Server to change the partition." + rule: self == oldSelf + virtualServerAddress: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + virtualServerPort: + type: integer + minimum: 1 + maximum: 65535 + virtualServerName: + type: string + pattern: '^[a-zA-Z]+([A-z0-9-_+])*([A-z0-9])$' + host: + type: string + pattern: 
'^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + hostGroup: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]*[A-z0-9]*$' + policyName: + type: string + pattern: '^([A-z0-9-_+])*([A-z0-9])$' + mode: + type: string + enum: [standard, performance] + type: + type: string + enum: [tcp, udp, sctp] + snat: + type: string + pattern: '^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$' + connectionMirroring: + type: string + enum: [ none, L4 ] + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + persistenceProfile: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + dos: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileL4: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + allowVlans: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.]+\/?)*$' + type: array + iRules: + type: array + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + ipamLabel: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + serviceAddress: + type: array + maxItems: 1 + items: + type: object + properties: + arpEnabled: + type: boolean + icmpEcho: + type: string + enum: [enable, disable, selective] + routeAdvertisement: + type: string + enum: [enable, disable, selective, always, any, all] + spanningEnabled: + type: boolean + trafficGroup: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + pool: + type: object + properties: + name: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + service: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' 
+ servicePort: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + serviceNamespace: + type: string + pattern: '^[a-zA-Z]+([-A-z0-9_.+:])*([A-z0-9])+$' + loadBalancingMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + nodeMemberLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + monitor: + type: object + properties: + type: + type: string + enum: [tcp, udp, http, https] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + send: + type: string + recv: + type: string + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [ tcp, udp, http, https ] + interval: + type: integer + timeout: + type: integer + targetPort: + type: integer + name: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + reference: + type: string + enum: [bigip] + send: + type: string + recv: + type: string + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + extendedServiceReferences: + type: array + items: + type: object + properties: + clusterName: + type: string + serviceName: + type: string + pattern: '[a-z]([-a-z0-9]*[a-z0-9])?' 
+ namespace: + type: string + port: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + required: + - service + - servicePort + required: + - virtualServerPort + - pool + - mode + status: + type: object + properties: + vsAddress: + type: string + default: None + status: + type: string + default: Pending + lastUpdated: + type: string + error: + type: string + additionalPrinterColumns: + - name: virtualServerAddress + type: string + description: IP address of virtualServer + jsonPath: .spec.virtualServerAddress + - name: virtualServerPort + type: integer + description: Port of virtualServer + jsonPath: .spec.virtualServerPort + - name: pool + type: string + description: Name of service + jsonPath: .spec.pool.service + - name: poolPort + type: string + description: Port of service + jsonPath: .spec.pool.servicePort + - name: ipamLabel + type: string + description: ipamLabel for transport server + jsonPath: .spec.ipamLabel + - name: IPAMVSAddress + type: string + description: IP address of transport server + jsonPath: .status.vsAddress + - name: STATUS + type: string + description: status of TransportServer + jsonPath: .status.status + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: { } +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externaldnses.cis.f5.com +spec: + group: cis.f5.com + names: + kind: ExternalDNS + plural: externaldnses + shortNames: + - edns + singular: externaldns + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + domainName: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + dnsRecordType: + type: string + pattern: 'A' + loadBalanceMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + clientSubnetPreferred: + type: 
boolean + persistenceEnabled: + type: boolean + persistCidrIpv4: + type: integer + minimum: 0 + maximum: 32 + persistCidrIpv6: + type: integer + minimum: 0 + maximum: 128 + ttlPersistence: + type: integer + format: int64 + minimum: 0 + maximum: 4294967295 + pools: + type: array + items: + type: object + properties: + dataServerName: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + dnsRecordType: + type: string + pattern: 'A' + loadBalanceMethod: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + lbModeFallback: + type: string + pattern: '^[a-z]+[a-z_-]+[a-z]+$' + order: + type: integer + ratio: + type: integer + monitor: + type: object + properties: + type: + type: string + enum: [http, https, tcp] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + required: + - type + - interval + monitors: + type: array + items: + type: object + properties: + type: + type: string + enum: [http, https, tcp] + send: + type: string + recv: + type: string + interval: + type: integer + timeout: + type: integer + required: + - type + - interval + required: + - dataServerName + required: + - domainName + additionalPrinterColumns: + - name: domainName + type: string + description: Domain name of virtual server resource + jsonPath: .spec.domainName + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + - name: CREATED ON + type: string + jsonPath: .metadata.creationTimestamp +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ingresslinks.cis.f5.com +spec: + group: cis.f5.com + names: + kind: IngressLink + shortNames: + - il + singular: ingresslink + plural: ingresslinks + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + partition: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.]+$' + x-kubernetes-validations: + - message: 
"Ingress Link partition can not be changed. Please delete and recreate the Ingress Link to change the partition." + rule: self == oldSelf + virtualServerAddress: + type: string + pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$' + host: + type: string + pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' + ipamLabel: + type: string + pattern: '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$' + iRules: + type: array + items: + type: string + pattern: '(^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$)|(^[a-zA-Z]+([A-z0-9-_+])*:[a-zA-Z]+([A-z0-9-_+])*$)' + selector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + status: + type: object + properties: + vsAddress: + type: string + status: + type: string + default: pending + lastUpdated: + type: string + error: + type: string + additionalPrinterColumns: + - name: IPAMVSAddress + type: string + description: IP address of virtualServer + jsonPath: .status.vsAddress + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: { } +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: policies.cis.f5.com +spec: + group: cis.f5.com + names: + kind: Policy + shortNames: + - plc + singular: policy + plural: policies + scope: Namespaced + versions: + - + name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + l7Policies: + type: object + properties: + waf: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + l3Policies: + type: object + properties: + dos: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + botDefense: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + firewallPolicy: + type: string + pattern: 
'^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + ipIntelligencePolicy: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + allowSourceRange: + items: + type: string + type: array + allowVlans: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([A-z0-9-_.\s]+\/?)*$' + type: array + ltmPolicies: + type: object + properties: + insecure: + type: string + pattern: '^\/[a-zA-Z]+([-A-z0-9_+:]+\/)+([A-z0-9]+\/?)*$' + secure: + type: string + pattern: '^\/[a-zA-Z]+([-A-z0-9_+:]+\/)+([A-z0-9]+\/?)*$' + priority: + type: string + enum: [low, high] + iRules: + type: object + properties: + insecure: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + secure: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + priority: + type: string + enum: [ low, high ] + iRuleList: + type: array + items: + type: string + pattern: '^none$|^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profiles: + type: object + properties: + tcp: + type: object + properties: + client: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + udp: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + http: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + http2: + type: object + properties: + client: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + server: + type: string + pattern: '^\/([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + persistenceProfile: + type: string + pattern: '^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)*$' + profileL4: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileWebSocket: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + profileMultiplex: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + 
rewriteProfile: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([A-z0-9]+\/?)*$' + logProfiles: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)*([-A-z0-9._\s]+\/?)*$' + type: array + httpMrfRoutingEnabled: + type: boolean + sslProfiles: + type: object + properties: + clientProfiles: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + type: array + serverProfiles: + items: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + type: array + analyticsProfiles: + type: object + properties: + http: + type: string + pattern: '^\/[a-zA-Z]+([A-z0-9-_+]+\/)+([-A-z0-9_.:]+\/?)*$' + autoLastHop: + type: string + enum: [ default, auto, disable ] + snat: + type: string + pattern: '^$|^\/?[a-zA-Z]+([-A-z0-9_+]+\/)*([-A-z0-9_.:]+\/?)+$' + poolSettings: + type: object + properties: + reselectTries: + type: integer + minimum: 0 + maximum: 65535 + serviceDownAction: + type: string + slowRampTime: + type: integer + minimum: 0 + maximum: 900 + multiPoolPersistence: + type: object + properties: + method: + type: string + enum: [ uieSourceAddress, hashSourceAddress ] + timeOut: + type: integer + minimum: 1 + default: 180 + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: deployconfigs.cis.f5.com +spec: + group: cis.f5.com + names: + kind: DeployConfig + listKind: DeployConfigList + plural: deployconfigs + singular: deployconfig + shortNames: + - dc + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + description: DeployConfig defines the DeployConfig + resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + as3Config: + properties: + debugAS3: + type: boolean + description: "Debug AS3 is used to enable or disable logging AS3 declaration being sent to BIG-IP" + postDelayAS3: + type: integer + description: "time (in seconds) that CIS waits to post the available AS3 declaration to BIG-IP" + type: object + description: AS3 Configuration for CIS + baseConfig: + properties: + controllerIdentifier: + type: string + description: "Controller identifier is used to uniquely identify the CIS controller deployed in the cluster" + x-kubernetes-validations: + - message: "Controller identifier can not be changed. Please delete and recreate the CIS controller and deploy config CR." 
+ rule: self == oldSelf + namespaceLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + description: "CIS watches namespaces with this label" + nodeLabel: + type: string + pattern: '^[a-zA-Z0-9][-A-Za-z0-9_.\/]{0,61}[a-zA-Z0-9]=[a-zA-Z0-9][-A-Za-z0-9_.]{0,61}[a-zA-Z0-9]$' + description: "CIS watches nodes only with this label, if not provided, CIS watches all nodes" + type: object + required: + - controllerIdentifier + networkConfig: + properties: + orchestrationCNI: + type: string + enum: [ovn-k8s,cilium,flannel,antrea] + description: "Orchestration CNI is used to specify the CNI plugin used in the cluster" + metaData: + type: object + properties: + poolMemberType: + type: string + enum: [cluster, nodeport, nodeportlocal, auto] + description: "Pool member type is used to specify the type of pool member used in the cluster" + staticRoutingMode: + type: boolean + description: "Static routing mode is used to enable or disable configuration of static routes on bigip for pod network subnets" + tunnelName: + type: string + description: "Tunnel name is used to specify the tunnel name configured on the BIG-IP for cluster mode routing" + networkCIDR: + type: string + pattern: '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){2}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/(3[0-2]|[12]?[0-9])$' + description: "flag to specify node network cidr to be used for static routing when node has multiple interfaces.This is supported only with CNI ovn-k8s" + type: object + bigIpConfig: + items: + properties: + bigIpAddress: + type: string + pattern: 
'^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])|(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$' + description: "IP address of BIG-IP" + bigIpLabel: + type: string + description: "To uniquely identify bigip ha pair" + defaultPartition: + type: string + description: "partition for the Big-IP kubernetes objects" + required: + - bigIpAddress + - bigIpLabel + - defaultPartition + type: object + type: array + extendedSpec: + properties: + externalClustersConfig: + items: + properties: + adminState: + type: string + clusterName: + type: string + ratio: + type: integer + secret: + type: string + type: object + type: array + highAvailabilityCIS: + properties: + primaryCluster: + properties: + adminState: + type: string + clusterName: + type: string + ratio: + type: integer + secret: + type: string + type: object + primaryEndPoint: + description: HAMode + type: string + probeInterval: + type: integer + retryInterval: + type: integer + secondaryCluster: + properties: + adminState: + type: string + clusterName: + type: string + ratio: + type: integer + secret: + type: string + type: object + type: object + localClusterAdminState: + type: string + localClusterRatio: + type: integer + mode: + type: string + type: object + type: object + type: object \ No newline at end of file 
diff --git a/docs/cis-3.x/deploy-config/cis-deploy-config-cr.yaml b/docs/cis-3.x/deploy-config/cis-deploy-config-cr.yaml index 3afa905a8..c3bbba394 100644 --- a/docs/cis-3.x/deploy-config/cis-deploy-config-cr.yaml +++ b/docs/cis-3.x/deploy-config/cis-deploy-config-cr.yaml @@ -19,10 +19,10 @@ spec: metaData: # poolMemberType is optional parameter, and it is used to specify the pool member type in CIS default value is nodeport # allowed values are auto, cluster, nodeport and nodeportlocal - poolMemberType: cluster + poolMemberType: nodeport # network CIDR is optional parameter and required if your nodes are using multiple network interfaces # networkCIDR: "10.1.0.0/16" - staticRoutingMode: true + # staticRoutingMode: true as3Config: # debugAS3 is a optional parameter, and it is used to enable the debug logs for AS3 debugAS3: true diff --git a/next-version.txt b/next-version.txt index 4a36342fc..0f982fffe 100644 --- a/next-version.txt +++ b/next-version.txt @@ -1 +1 @@ -3.0.0 +3.0.0-beta
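Review bot: in the new CRD schema file, several `pattern` values are not fully anchored, so the API server accepts more than the expressions suggest (pattern matching is a substring search unless `^` and `$` are present). `pool.service` and `extendedServiceReferences.serviceName` use '[a-z]([-a-z0-9]*[a-z0-9])?' and both `dnsRecordType` fields use 'A' with no anchors at all, so any string containing a matching substring validates. `networkCIDR` ends with `$` but has no leading `^`. In TransportServer `virtualServerAddress` and DeployConfig `bigIpAddress` the expression has the shape `^(ipv4)|(ipv6)$`, where `^` binds only to the IPv4 branch and `$` only to the IPv6 branch, so an IPv4 address followed by arbitrary text, or arbitrary text followed by an IPv6 suffix, passes. Suggest wrapping the alternation as `^(?:ipv4|ipv6)$` and adding `^...$` to the others. Separately, the `A-z` range used in most character classes (for example `partition: '^[a-zA-Z]+[-A-z0-9_.]+$'`) also admits `[`, `\`, `]`, `^` and the backtick, which sit between `Z` and `a` in ASCII; `A-Za-z` looks like the intent.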
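Review bot: in the cis-deploy-config-cr.yaml hunk, the comments no longer explain the sample after `staticRoutingMode: true` is commented out and `poolMemberType` is switched to `nodeport`. The commented `# staticRoutingMode: true` line has no note saying when to enable it, and the `networkCIDR` comment still reads "required if your nodes are using multiple network interfaces" while the CRD description in this same patch says the field is used for static routing and is supported only with CNI ovn-k8s. Suggest adding a one-line comment above `# staticRoutingMode: true` stating when it should be set, and aligning the `networkCIDR` comment with the CRD description so the sample and the schema do not disagree.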