├── chen-k8s-demo ├── .gitignore ├── docs │ ├── .gitignore │ ├── Makefile │ ├── index.rst │ └── make.bat ├── requirements.txt ├── deployment │ ├── f5demo-delete.sh │ ├── helm-install.sh │ ├── f5demo-basic.sh │ ├── helm-empty.sh │ ├── f5demo-empty.sh │ ├── f5demo-enhanced.sh │ ├── helm-http.sh │ ├── f5demo-operator │ │ ├── deploy │ │ │ ├── service_account.yaml │ │ │ ├── role_binding.yaml │ │ │ ├── crds │ │ │ │ ├── charts_v1alpha1_f5demo_cr.empty.yaml │ │ │ │ ├── charts_v1alpha1_f5demo_cr.yaml │ │ │ │ ├── charts_v1alpha1_f5demo_crd.yaml │ │ │ │ └── charts_v1alpha1_f5demo_cr.basic.yaml │ │ │ ├── operator.yaml │ │ │ └── role.yaml │ │ ├── watches.yaml │ │ ├── helm-charts │ │ │ └── F5Demo │ │ │ │ ├── Chart.yaml │ │ │ │ ├── values.yaml │ │ │ │ ├── iRules │ │ │ │ ├── proxy_protocol_send.irule │ │ │ │ └── host_header_to_sni.irule │ │ │ │ ├── .helmignore │ │ │ │ ├── istio-values-vanilla.yaml │ │ │ │ ├── http-values.yaml │ │ │ │ ├── istio-values-mtls.yaml │ │ │ │ ├── istio-values.yaml │ │ │ │ ├── proxy-protocol.values.yaml │ │ │ │ ├── templates │ │ │ │ └── configmap.yaml │ │ │ │ ├── nginx-plus.ds.yaml │ │ │ │ ├── istio-values-jwt.yaml │ │ │ │ └── istio-values-v2.yaml │ │ └── build │ │ │ └── Dockerfile │ ├── helm-enhanced.sh │ ├── nginx │ │ ├── nginx-config.yaml │ │ ├── nginx-ingress.wrapper │ │ ├── ns-and-sa.yaml │ │ ├── remove_health.sh │ │ ├── remove_ds.sh │ │ ├── appprotect-log.yaml │ │ ├── add_health.sh │ │ ├── appprotect-basic.yaml │ │ ├── nginx-configuration-configmap.yaml │ │ ├── add_ds.sh │ │ ├── healthprobe.conf │ │ ├── crd │ │ │ ├── cafe-virtual-server.yaml │ │ │ └── cafe.yaml │ │ ├── ingress-nginx-service.yaml │ │ ├── ingress-nginx-health-service.yaml │ │ ├── ingress-nginx-dashboard-service.yaml │ │ ├── ingress-nginx-service-tls.yaml │ │ ├── nginx-configuration-configmap.ds.yaml │ │ ├── custom-resource-definitions.yaml │ │ ├── nginx_health.js │ │ ├── rbac.yaml │ │ ├── nginx-ingress.yaml │ │ ├── crds │ │ │ └── globalconfiguration.yaml │ │ └── localhost.conf.template 
│ ├── all_good.irule │ ├── cheese │ │ ├── cheese-default-ingress.yaml │ │ ├── cheese-ingress.yaml │ │ ├── cheese-services.yaml │ │ └── cheese-deployments.yaml │ ├── my-frontend-service.yaml │ ├── nginx-helm.sh │ ├── teardown_istio.sh │ ├── my-echo-service.yaml │ ├── as3-helm │ │ └── README.txt │ ├── istio-jwt-policy-bigip.sh │ ├── my-frontend-service-as3.yaml │ ├── green-ingress-nginx.yaml │ ├── echo-deployment.yaml │ ├── istio-jwt-policy.sh │ ├── istio-virtualservice.sh │ ├── my-backend-deployment.yaml │ ├── my-backend-service.yaml │ ├── f5-ingress.yaml │ ├── as3-configmap-empty.yaml │ ├── istio-gateway.sh │ ├── istio-gateway-mtls.sh │ ├── as3-configmap-override.yaml │ ├── my-frontend-deployment.yaml │ ├── bigip1-node.yaml │ ├── bigip2-node.yaml │ ├── my-website-deployment.yaml │ ├── my-website-service.yaml │ ├── my-website-configmap.yaml │ ├── istio-service.yaml │ ├── blue-ingress-nginx.yaml │ ├── blue-green-ingress.yaml │ ├── f5-k8s-sample-rbac.yaml │ ├── blue-green-ingress-tls.yaml │ ├── httpbin.yaml │ ├── setup_istio.sh │ ├── node-blue.yaml │ ├── iapps │ │ ├── sample_http.json │ │ ├── k8s_http.json │ │ ├── k8s_http_8080.json │ │ └── k8s_http_8090.json │ ├── node-green.yaml │ └── f5-cc-deployment-cluster.yaml ├── scripts │ ├── secret.sh │ ├── bad-hacker.sh │ ├── logs.sh │ ├── delete.sh │ ├── logs-tail.sh │ ├── template-empty.sh │ ├── template-http.sh │ ├── annotate-app1.sh │ ├── template-enhanced.sh │ ├── annotate-my-frontend.sh │ ├── kubeadm-init.sh │ ├── nginx-ingress.sh │ ├── decode_cert.py │ ├── setup_tiller.sh │ ├── annotate-my-website.sh │ ├── setup_adv_demo.sh │ └── refresh_nodes.sh ├── istio │ ├── bookinfo-demo.sh │ ├── istio-demo.sh │ ├── my-certs │ │ ├── load.sh │ │ ├── root-cert.pem │ │ ├── ca-cert.pem │ │ └── cert-chain.pem │ └── install.sh ├── README.md ├── onboard │ └── dashboard-admin.yaml └── teardown │ └── teardown_demo.Jenkinsfile ├── ocp4 ├── docs │ ├── .gitignore │ ├── demo │ │ ├── fast │ │ │ ├── bigip-fast.png │ │ │ ├── bigip-iapplx.png │ │ 
│ ├── bigip-fast-apps.png │ │ │ ├── postman-as3-get.png │ │ │ ├── bigip-fast-shared.png │ │ │ ├── bigip-network-map.png │ │ │ ├── postman-fast-apps.png │ │ │ ├── bigip-fast-dns-rendered.png │ │ │ └── index.rst │ │ ├── dns │ │ │ ├── bigip-wideip.png │ │ │ ├── bigip-dns-pool.png │ │ │ ├── bigip-external-monitor.png │ │ │ └── index.rst │ │ ├── oidc │ │ │ ├── bigip-oauth-ap.png │ │ │ ├── ocp4-console-oidc.png │ │ │ ├── bigip-oauth-profile.png │ │ │ ├── bigip-oauth-client-application.png │ │ │ └── index.rst │ │ ├── nginx │ │ │ ├── chrome-blue-ingress.png │ │ │ └── ocp4-console-ingresses.png │ │ ├── routes │ │ │ ├── chrome-my-frontend.png │ │ │ ├── bigip-partition-ocp-as3.png │ │ │ ├── ocp4-console-cis-routes.png │ │ │ ├── bigip-local-traffic-policy.png │ │ │ ├── ocp4-console-cis-routes-yaml.png │ │ │ ├── ocp4-console-cis-routes-status.png │ │ │ └── index.rst │ │ ├── configmap │ │ │ ├── bigip-my-frontend2.png │ │ │ ├── bigip-security-policy.png │ │ │ ├── ocp4-console-configmap-f5demo.png │ │ │ ├── ocp4-console-configmap-nginx.png │ │ │ ├── ocp4-console-configmap-as3-true.png │ │ │ └── ocp4-console-services-my-frontend2.png │ │ ├── index.rst │ │ └── waf │ │ │ └── index.rst │ ├── walkthrough │ │ ├── operatorhub.png │ │ ├── putty-cd-ocp4.png │ │ ├── windows-putty.png │ │ ├── console-secret.png │ │ ├── putty-teardown.png │ │ ├── console-create-cis.png │ │ ├── console-f5-server.png │ │ ├── console-cis-all-good.png │ │ ├── console-create-route.png │ │ ├── console-route-status.png │ │ ├── console-cis-delete-pod.png │ │ ├── console-operator-overview.png │ │ ├── console-create-subscription.png │ │ ├── console-install-cis-operator.png │ │ ├── console-installed-operators.png │ │ ├── index.rst │ │ └── reset.rst │ ├── _templates │ │ └── head.html │ ├── requirements.txt │ ├── index.rst │ ├── Makefile │ └── make.bat ├── helm-values │ ├── cis-crd.sh │ ├── nginx-cis.sh │ ├── cis-configmap.sh │ ├── cis-ingresslink.sh │ ├── nginx-cis.yaml │ ├── cis-crd.yaml │ ├── cis-configmap.yaml │ └── 
cis-ingresslink.yaml ├── cis-subscription.yaml ├── README.md ├── appprotect-log.yaml ├── www-service.yaml ├── as3-configmap-override-empty.yaml ├── appprotect-basic.yaml ├── my-frontend-service.yaml ├── teardown_nginxcisconnector.sh ├── my-route.yaml ├── www-route.yaml ├── nginx-configuration-configmap.yaml ├── my-frontend-service3-as3.yaml ├── nginx-subscription.yaml ├── nginx-cis-connector.yaml ├── tmsh.txt ├── host.yaml ├── cis-operator.yaml ├── nginx-operator.yaml ├── setup_nginxcisconnector.sh ├── my-frontend-service-as3.yaml ├── my-frontend-service2-as3.yaml ├── green-ingress-nginx.yaml ├── my-route-tls.yaml ├── ingress-nginx-service.yaml ├── cis-ingress.yaml ├── as3-configmap-override-route-sso.yaml ├── ingress-nginx-service-tls.yaml ├── as3-configmap-empty.yaml ├── my-frontend-deployment.yaml ├── my-frontend-deployment2.yaml ├── my-frontend-deployment3.yaml ├── www-deployment.yaml ├── nginx-ingress-controller.yaml ├── f5-server.yaml ├── blue-ingress-nginx.yaml ├── as3-configmap-override-both.yaml ├── as3-configmap-override-ingress.yaml ├── as3-configmap-override-route.yaml ├── as3-configmap-basic.yaml ├── node-blue.yaml ├── node-green.yaml └── as3-config-c3d.yaml ├── mytypelb ├── requirements.txt ├── data.json ├── Dockerfile ├── chenpam.yaml └── chenpam_rbac.yaml ├── nginx-ingress-controller-cis ├── sphinx-docs │ ├── containthedocs-image │ ├── buildhtml.bat │ ├── docs │ │ ├── _static │ │ │ ├── newvs.png │ │ │ ├── pools.png │ │ │ ├── NISguide.png │ │ │ ├── image001.png │ │ │ ├── image002.png │ │ │ ├── k8network.png │ │ │ ├── class1-module3-lab1-view-vs.png │ │ │ ├── class1-module3-lab1-view-pool.png │ │ │ ├── nginx-plus-bigip-better-together.png │ │ │ ├── class1-module3-lab1-create-partition.png │ │ │ ├── class1-module3-lab1-create-partition2.png │ │ │ ├── class1-module2-lab2-nginx-plus-nodeport.png │ │ │ ├── class1-module3-lab1-select-as3-partition.png │ │ │ ├── class1-module3-lab2-view-illegal-request.png │ │ │ └── css │ │ │ │ └── custom.css │ │ ├── class1 
│ │ │ ├── module2 │ │ │ │ ├── module2.rst │ │ │ │ └── lab1.rst.skip │ │ │ ├── class1.rst │ │ │ ├── module3 │ │ │ │ ├── module3.rst │ │ │ │ └── lab3.rst │ │ │ └── module1 │ │ │ │ └── module1.rst │ │ ├── Makefile │ │ ├── make.bat │ │ ├── _templates │ │ │ └── breadcrumb.html │ │ ├── preamble.tex │ │ └── index.rst │ ├── .gitignore │ ├── wordlist │ ├── requirements.txt │ ├── containthedocs-wget │ ├── scripts │ │ ├── convertdocx.sh │ │ └── server │ ├── containthedocs-bash.sh │ ├── containthedocs-clean.sh │ ├── containthedocs-spelling.sh │ ├── containthedocs-cleanbuild.sh │ ├── containthedocs-singlehtml.sh │ ├── containthedocs-build.sh │ └── containthedocs-convert.sh ├── f5-cis │ ├── secret.sh │ ├── cis-sa.yaml │ ├── nodeport-cis-80.yaml │ ├── nodeport-cis-443.yaml │ ├── nodeport-cis-8080.yaml │ ├── cis-empty-configmap.yaml │ ├── cis-rbac.yaml │ └── cis-deployment.yaml ├── TBD.md └── demo │ └── demo-scale.sh ├── ocp4-aws-upi ├── terraform │ ├── admin-shadow.sh │ ├── outputs.tf │ ├── wait_for_bigip.sh │ ├── vars.tf │ ├── web.tf │ ├── main.tf │ └── bigip.tf ├── deploy │ ├── vars.tf │ ├── terraform.tfvars.example │ ├── main.tf │ ├── bootstrap.tf │ ├── control-plane.tf │ └── node1.tf └── README.md ├── README.md └── LICENSE.md /chen-k8s-demo/.gitignore: -------------------------------------------------------------------------------- 1 | *~ 2 | *.pyc -------------------------------------------------------------------------------- /ocp4/docs/.gitignore: -------------------------------------------------------------------------------- 1 | _build 2 | 3 | -------------------------------------------------------------------------------- /mytypelb/requirements.txt: -------------------------------------------------------------------------------- 1 | kubernetes 2 | -------------------------------------------------------------------------------- /chen-k8s-demo/docs/.gitignore: -------------------------------------------------------------------------------- 1 | _build 2 | 3 | 
-------------------------------------------------------------------------------- /chen-k8s-demo/requirements.txt: -------------------------------------------------------------------------------- 1 | pykube 2 | f5-sdk 3 | pexpect 4 | urllib3[secure] 5 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-delete.sh: -------------------------------------------------------------------------------- 1 | kubectl delete f5demo -n ingress-bigip --all 2 | -------------------------------------------------------------------------------- /chen-k8s-demo/scripts/secret.sh: -------------------------------------------------------------------------------- 1 | kubectl create secret tls tls-secret --key tls.key --cert tls.crt 2 | -------------------------------------------------------------------------------- /chen-k8s-demo/scripts/bad-hacker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | curl -H "X-Hacker:I am bad\ncat /etc/passwd" http://10.1.10.81/ 3 | -------------------------------------------------------------------------------- /mytypelb/data.json: -------------------------------------------------------------------------------- 1 | {"ranges":["10.1.10.0/24"], 2 | "allocated":[], 3 | "conflict":[], 4 | "next":"10.1.10.80"} 5 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/containthedocs-image: -------------------------------------------------------------------------------- 1 | : ${DOC_IMG:=f5devcentral/containthedocs:latest} 2 | -------------------------------------------------------------------------------- /chen-k8s-demo/istio/bookinfo-demo.sh: -------------------------------------------------------------------------------- 1 | kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -n istio-demo 2 | 3 | 
-------------------------------------------------------------------------------- /ocp4/docs/demo/fast/bigip-fast.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/fast/bigip-fast.png -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/helm-install.sh: -------------------------------------------------------------------------------- 1 | helm install --name f5demo f5demo-operator/helm-charts/F5Demo --namespace ingress-bigip 2 | -------------------------------------------------------------------------------- /ocp4/docs/demo/dns/bigip-wideip.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/dns/bigip-wideip.png -------------------------------------------------------------------------------- /ocp4/docs/demo/fast/bigip-iapplx.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/fast/bigip-iapplx.png -------------------------------------------------------------------------------- /chen-k8s-demo/istio/istio-demo.sh: -------------------------------------------------------------------------------- 1 | kubectl create ns istio-demo 2 | kubectl label namespace istio-demo istio-injection=enabled 3 | 4 | -------------------------------------------------------------------------------- /ocp4/docs/demo/dns/bigip-dns-pool.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/dns/bigip-dns-pool.png -------------------------------------------------------------------------------- /ocp4/docs/demo/fast/bigip-fast-apps.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/fast/bigip-fast-apps.png -------------------------------------------------------------------------------- /ocp4/docs/demo/fast/postman-as3-get.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/fast/postman-as3-get.png -------------------------------------------------------------------------------- /ocp4/docs/demo/oidc/bigip-oauth-ap.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/oidc/bigip-oauth-ap.png -------------------------------------------------------------------------------- /ocp4/docs/walkthrough/operatorhub.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/walkthrough/operatorhub.png -------------------------------------------------------------------------------- /ocp4/docs/walkthrough/putty-cd-ocp4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/walkthrough/putty-cd-ocp4.png -------------------------------------------------------------------------------- /ocp4/docs/walkthrough/windows-putty.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/walkthrough/windows-putty.png -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-basic.sh: -------------------------------------------------------------------------------- 1 | kubectl apply -f 
f5demo-operator/deploy/crds/charts_v1alpha1_f5demo_cr.basic.yaml -n ingress-bigip 2 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/helm-empty.sh: -------------------------------------------------------------------------------- 1 | helm upgrade f5demo --set common=false --set applications=false f5demo-operator/helm-charts/F5Demo 2 | -------------------------------------------------------------------------------- /chen-k8s-demo/scripts/logs.sh: -------------------------------------------------------------------------------- 1 | kubectl logs -n kube-system $(kubectl get po -n kube-system |grep bigip1-f5-bigip-ctlr |awk '{print $1}') 2 | -------------------------------------------------------------------------------- /ocp4/docs/demo/fast/bigip-fast-shared.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/fast/bigip-fast-shared.png -------------------------------------------------------------------------------- /ocp4/docs/demo/fast/bigip-network-map.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/fast/bigip-network-map.png -------------------------------------------------------------------------------- /ocp4/docs/demo/fast/postman-fast-apps.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/fast/postman-fast-apps.png -------------------------------------------------------------------------------- /ocp4/docs/demo/oidc/ocp4-console-oidc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/oidc/ocp4-console-oidc.png 
-------------------------------------------------------------------------------- /ocp4/docs/walkthrough/console-secret.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/walkthrough/console-secret.png -------------------------------------------------------------------------------- /ocp4/docs/walkthrough/putty-teardown.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/walkthrough/putty-teardown.png -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-empty.sh: -------------------------------------------------------------------------------- 1 | kubectl replace -f f5demo-operator/deploy/crds/charts_v1alpha1_f5demo_cr.empty.yaml -n ingress-bigip 2 | -------------------------------------------------------------------------------- /chen-k8s-demo/scripts/delete.sh: -------------------------------------------------------------------------------- 1 | kubectl delete po -n kube-system $(kubectl get po -n kube-system |grep bigip1-f5-bigip-ctlr |awk '{print $1}') 2 | -------------------------------------------------------------------------------- /ocp4/docs/demo/nginx/chrome-blue-ingress.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/nginx/chrome-blue-ingress.png -------------------------------------------------------------------------------- /ocp4/docs/demo/oidc/bigip-oauth-profile.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/oidc/bigip-oauth-profile.png -------------------------------------------------------------------------------- 
/ocp4/docs/demo/routes/chrome-my-frontend.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/routes/chrome-my-frontend.png -------------------------------------------------------------------------------- /ocp4/docs/walkthrough/console-create-cis.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/walkthrough/console-create-cis.png -------------------------------------------------------------------------------- /ocp4/docs/walkthrough/console-f5-server.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/walkthrough/console-f5-server.png -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-enhanced.sh: -------------------------------------------------------------------------------- 1 | kubectl apply -f f5demo-operator/deploy/crds/charts_v1alpha1_f5demo_cr.enhanced.yaml -n ingress-bigip 2 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/helm-http.sh: -------------------------------------------------------------------------------- 1 | helm upgrade f5demo -f f5demo-operator/helm-charts/F5Demo/http-values.yaml f5demo-operator/helm-charts/F5Demo 2 | -------------------------------------------------------------------------------- /chen-k8s-demo/scripts/logs-tail.sh: -------------------------------------------------------------------------------- 1 | kubectl logs -f -n kube-system $(kubectl get po -n kube-system |grep k8s-bigip-ctlr-deployment |awk '{print $1}') 2 | -------------------------------------------------------------------------------- /ocp4/docs/demo/dns/bigip-external-monitor.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/dns/bigip-external-monitor.png -------------------------------------------------------------------------------- /ocp4/docs/walkthrough/console-cis-all-good.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/walkthrough/console-cis-all-good.png -------------------------------------------------------------------------------- /ocp4/docs/walkthrough/console-create-route.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/walkthrough/console-create-route.png -------------------------------------------------------------------------------- /ocp4/docs/walkthrough/console-route-status.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/walkthrough/console-route-status.png -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-operator/deploy/service_account.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: f5demo-operator 5 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/helm-enhanced.sh: -------------------------------------------------------------------------------- 1 | helm upgrade f5demo -f f5demo-operator/helm-charts/F5Demo/many-values.yaml f5demo-operator/helm-charts/F5Demo 2 | -------------------------------------------------------------------------------- /chen-k8s-demo/scripts/template-empty.sh: 
-------------------------------------------------------------------------------- 1 | helm template --name f5demo -f f5demo-operator/helm-charts/F5Demo/values.yaml f5demo-operator/helm-charts/F5Demo 2 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/buildhtml.bat: -------------------------------------------------------------------------------- 1 | docker run --rm -it -v %cd%:/data -w /data f5devcentral/containthedocs:latest make -C docs html 2 | -------------------------------------------------------------------------------- /ocp4/docs/demo/configmap/bigip-my-frontend2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/configmap/bigip-my-frontend2.png -------------------------------------------------------------------------------- /ocp4/docs/demo/fast/bigip-fast-dns-rendered.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/fast/bigip-fast-dns-rendered.png -------------------------------------------------------------------------------- /ocp4/docs/demo/nginx/ocp4-console-ingresses.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/nginx/ocp4-console-ingresses.png -------------------------------------------------------------------------------- /ocp4/docs/demo/routes/bigip-partition-ocp-as3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/routes/bigip-partition-ocp-as3.png -------------------------------------------------------------------------------- /ocp4/docs/demo/routes/ocp4-console-cis-routes.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/routes/ocp4-console-cis-routes.png -------------------------------------------------------------------------------- /ocp4/docs/walkthrough/console-cis-delete-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/walkthrough/console-cis-delete-pod.png -------------------------------------------------------------------------------- /ocp4/helm-values/cis-crd.sh: -------------------------------------------------------------------------------- 1 | helm template cis-crd --values cis-crd.yaml ~/k8s-bigip-ctlr/operator/helm-charts/f5-bigip-ctlr > cis-crd-generated.yaml 2 | -------------------------------------------------------------------------------- /chen-k8s-demo/scripts/template-http.sh: -------------------------------------------------------------------------------- 1 | helm template --name f5demo -f f5demo-operator/helm-charts/F5Demo/http-values.yaml f5demo-operator/helm-charts/F5Demo 2 | -------------------------------------------------------------------------------- /ocp4/docs/demo/configmap/bigip-security-policy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/configmap/bigip-security-policy.png -------------------------------------------------------------------------------- /ocp4/docs/walkthrough/console-operator-overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/walkthrough/console-operator-overview.png -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/nginx/nginx-config.yaml: 
-------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | -------------------------------------------------------------------------------- /chen-k8s-demo/scripts/annotate-app1.sh: -------------------------------------------------------------------------------- 1 | replace="s/%IPADDR%/`kubectl get svc app1 -o json |jq ".spec.clusterIP" -r`/g" 2 | sed -e $replace $1 | kubectl replace -f - 3 | -------------------------------------------------------------------------------- /chen-k8s-demo/scripts/template-enhanced.sh: -------------------------------------------------------------------------------- 1 | helm template --name f5demo -f f5demo-operator/helm-charts/F5Demo/many-values.yaml f5demo-operator/helm-charts/F5Demo 2 | -------------------------------------------------------------------------------- /ocp4/docs/demo/oidc/bigip-oauth-client-application.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/oidc/bigip-oauth-client-application.png -------------------------------------------------------------------------------- /ocp4/docs/demo/routes/bigip-local-traffic-policy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/routes/bigip-local-traffic-policy.png -------------------------------------------------------------------------------- /ocp4/docs/demo/routes/ocp4-console-cis-routes-yaml.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/routes/ocp4-console-cis-routes-yaml.png -------------------------------------------------------------------------------- 
/ocp4/docs/walkthrough/console-create-subscription.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/walkthrough/console-create-subscription.png -------------------------------------------------------------------------------- /ocp4/docs/walkthrough/console-install-cis-operator.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/walkthrough/console-install-cis-operator.png -------------------------------------------------------------------------------- /ocp4/docs/walkthrough/console-installed-operators.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/walkthrough/console-installed-operators.png -------------------------------------------------------------------------------- /ocp4/helm-values/nginx-cis.sh: -------------------------------------------------------------------------------- 1 | helm template my --values nginx-cis.yaml -n nginx-ingress ~/kubernetes-ingress/deployments/helm-chart/ > nginx-cis-generated.yaml 2 | -------------------------------------------------------------------------------- /ocp4/docs/demo/routes/ocp4-console-cis-routes-status.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/routes/ocp4-console-cis-routes-status.png -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-operator/watches.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | - version: v1alpha1 3 | group: charts.helm.k8s.io 4 | kind: F5Demo 5 | chart: /opt/helm/helm-charts/F5Demo 6 | 
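--------------------------------------------------------------------------------
/nginx-ingress-controller-cis/f5-cis/secret.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # Create the bigip-login Secret in kube-system holding the BIG-IP username
3 | # and password (presumably the credentials the CIS deployment in this
4 | # directory logs in with; confirm against cis-deployment.yaml).
5 | #
6 | # admin/admin stays as the fallback so the existing lab steps keep working.
7 | # Export BIGIP_USERNAME / BIGIP_PASSWORD to supply real credentials, and do
8 | # not leave the default on a BIG-IP that is reachable from outside the lab.
9 | #
10 | # --from-literal places the value on the kubectl command line, where it is
11 | # visible in the process list; outside a demo prefer --from-file with a file
12 | # that only you can read.
13 | kubectl create secret generic bigip-login --namespace kube-system \
14 |   --from-literal=username="${BIGIP_USERNAME:-admin}" \
15 |   --from-literal=password="${BIGIP_PASSWORD:-admin}"
16 | 
--------------------------------------------------------------------------------
/ocp4-aws-upi/terraform/admin-shadow.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # Write a SHA-512 crypt hash (openssl passwd -6) of the password stored in
3 | # ../upi/auth/kubeadmin-password to admin.shadow. This is a one-way hash,
4 | # not encryption.
5 | #
6 | # NOTE(review): the salt is fixed ("f5f5"), so the same password always
7 | # produces the same hash and the salt gives no protection against
8 | # precomputed guesses. It is kept because whatever consumes admin.shadow may
9 | # depend on a stable value (not visible from this script); if it does not,
10 | # drop "-salt f5f5" and openssl will pick a random salt on each run.
11 | 
12 | # The hash can be attacked offline, so create the file readable by its
13 | # owner only. An admin.shadow that already exists keeps its current mode.
14 | umask 077
15 | openssl passwd -6 -salt f5f5 -in ../upi/auth/kubeadmin-password > admin.shadow
16 | 
--------------------------------------------------------------------------------
/ocp4/docs/demo/configmap/ocp4-console-configmap-f5demo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/configmap/ocp4-console-configmap-f5demo.png
--------------------------------------------------------------------------------
/ocp4/docs/demo/configmap/ocp4-console-configmap-nginx.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/configmap/ocp4-console-configmap-nginx.png
--------------------------------------------------------------------------------
/ocp4/helm-values/cis-configmap.sh:
--------------------------------------------------------------------------------
1 | helm template cis-configmap --values cis-configmap.yaml ~/k8s-bigip-ctlr/operator/helm-charts/f5-bigip-ctlr > cis-configmap-generated.yaml
2 | 
--------------------------------------------------------------------------------
/ocp4/docs/demo/configmap/ocp4-console-configmap-as3-true.png:
--------------------------------------------------------------------------------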
https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/configmap/ocp4-console-configmap-as3-true.png -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/_static/newvs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/nginx-ingress-controller-cis/sphinx-docs/docs/_static/newvs.png -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/_static/pools.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/nginx-ingress-controller-cis/sphinx-docs/docs/_static/pools.png -------------------------------------------------------------------------------- /ocp4/cis-subscription.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: ClusterServiceVersion 3 | metadata: 4 | name: f5-bigip-ctlr-operator.v1.2.0 5 | namespace: default 6 | -------------------------------------------------------------------------------- /ocp4/docs/demo/configmap/ocp4-console-services-my-frontend2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/ocp4/docs/demo/configmap/ocp4-console-services-my-frontend2.png -------------------------------------------------------------------------------- /ocp4/helm-values/cis-ingresslink.sh: -------------------------------------------------------------------------------- 1 | helm template cis-ngresslink --values cis-ingresslink.yaml ~/k8s-bigip-ctlr/operator/helm-charts/f5-bigip-ctlr > cis-ingresslink-generated.yaml 2 | -------------------------------------------------------------------------------- 
/chen-k8s-demo/deployment/f5demo-operator/helm-charts/F5Demo/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | appVersion: "1.0" 3 | description: A Helm chart for Kubernetes 4 | name: F5Demo 5 | version: 0.3.0 6 | -------------------------------------------------------------------------------- /chen-k8s-demo/scripts/annotate-my-frontend.sh: -------------------------------------------------------------------------------- 1 | kubectl annotate configmap my-frontend virtual-server.f5.com/ip=`kubectl get svc my-frontend -o json |jq ".spec.clusterIP" -r` --overwrite; 2 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/_static/NISguide.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/nginx-ingress-controller-cis/sphinx-docs/docs/_static/NISguide.png -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/_static/image001.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/nginx-ingress-controller-cis/sphinx-docs/docs/_static/image001.png -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/_static/image002.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/nginx-ingress-controller-cis/sphinx-docs/docs/_static/image002.png -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/_static/k8network.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/nginx-ingress-controller-cis/sphinx-docs/docs/_static/k8network.png -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-operator/helm-charts/F5Demo/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for f5demo. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-operator/build/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM quay.io/operator-framework/helm-operator:v0.7.0 2 | 3 | COPY watches.yaml ${HOME}/watches.yaml 4 | COPY helm-charts/ ${HOME}/helm-charts/ 5 | -------------------------------------------------------------------------------- /mytypelb/Dockerfile: -------------------------------------------------------------------------------- 1 | From python:3.8 2 | WORKDIR /code 3 | COPY requirements.txt . 4 | RUN pip install -r requirements.txt 5 | COPY crdtypelb.py . 
6 | CMD [ "python", "./crdtypelb.py", "--incluster"] 7 | 8 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/.gitignore: -------------------------------------------------------------------------------- 1 | docs/_build/* 2 | media/ 3 | .DS_Store 4 | pdf/* 5 | ../../.vscode/ 6 | *.sublime-* 7 | .terraform* 8 | terraform.tfstate* 9 | *.rpm 10 | *.swp 11 | -------------------------------------------------------------------------------- /ocp4/docs/_templates/head.html: -------------------------------------------------------------------------------- 1 | {%- block analytics %} 2 | {# GoogleAnalytics #} 3 | 4 | 5 | 6 | {%- endblock %} 7 | -------------------------------------------------------------------------------- /chen-k8s-demo/istio/my-certs/load.sh: -------------------------------------------------------------------------------- 1 | kubectl create secret generic cacerts -n istio-system --from-file=ca-cert.pem \ 2 | --from-file=ca-key.pem --from-file=root-cert.pem \ 3 | --from-file=cert-chain.pem 4 | 5 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/nginx/nginx-ingress.wrapper: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | sed -e s/\$POD_IP/$POD_IP/g /etc/nginx/conf.d/localhost.conf.template > /etc/nginx/conf.d/localhost.conf 5 | 6 | exec /nginx-ingress "$@" 7 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/all_good.irule: -------------------------------------------------------------------------------- 1 | when HTTP_REQUEST { 2 | if { [HTTP::header exists "X-GOOD"] } { 3 | log local0. "All Good" 4 | } else { 5 | log local0. 
"Not good" 6 | reject 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/cheese/cheese-default-ingress.yaml: -------------------------------------------------------------------------------- 1 | # NOTE(review): extensions/v1beta1 Ingress is not served by Kubernetes 1.22 and later; networking.k8s.io/v1 is the current Ingress API. 2 | apiVersion: extensions/v1beta1 3 | kind: Ingress 4 | metadata: 5 | name: cheese-default 6 | spec: 7 | backend: 8 | serviceName: stilton 9 | servicePort: 80 10 | -------------------------------------------------------------------------------- /chen-k8s-demo/scripts/kubeadm-init.sh: -------------------------------------------------------------------------------- 1 | # Initialise the control plane, advertising the API server on 10.1.10.11 with the pod and service CIDRs given below. 2 | # NOTE(review): --token-ttl 0 creates a bootstrap token that never expires, so it stays valid for joining nodes indefinitely; use a finite TTL or delete the token once the nodes have joined. 3 | sudo kubeadm init --apiserver-advertise-address 10.1.10.11 --pod-network-cidr 10.244.0.0/16 --service-cidr 10.166.0.0/16 --token-ttl 0 --node-name ip-10-1-10-11.us-west-2.compute.internal 4 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/_static/class1-module3-lab1-view-vs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/nginx-ingress-controller-cis/sphinx-docs/docs/_static/class1-module3-lab1-view-vs.png -------------------------------------------------------------------------------- /ocp4/README.md: -------------------------------------------------------------------------------- 1 | # Eric Chen's OpenShift 4 Demo 2 | 3 | ## docs 4 | 5 | This has a lab guide. 6 | 7 | ## other files 8 | 9 | These are the scripts/files used to 10 | build my OpenShift 4 Lab Environment. 
11 | 12 | 13 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/_static/class1-module3-lab1-view-pool.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/nginx-ingress-controller-cis/sphinx-docs/docs/_static/class1-module3-lab1-view-pool.png -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/_static/nginx-plus-bigip-better-together.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/nginx-ingress-controller-cis/sphinx-docs/docs/_static/nginx-plus-bigip-better-together.png -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/_static/class1-module3-lab1-create-partition.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/nginx-ingress-controller-cis/sphinx-docs/docs/_static/class1-module3-lab1-create-partition.png -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/_static/class1-module3-lab1-create-partition2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/nginx-ingress-controller-cis/sphinx-docs/docs/_static/class1-module3-lab1-create-partition2.png -------------------------------------------------------------------------------- /ocp4/docs/requirements.txt: -------------------------------------------------------------------------------- 1 | Sphinx 2 | git+git://github.com/f5devcentral/f5-sphinx-theme@v2.0.1#egg=f5_sphinx_theme 3 | recommonmark 4 | 
sphinxcontrib-googleanalytics 5 | sphinxcontrib-addmetahtml 6 | sphinxcontrib-nwdiag 7 | sphinxcontrib-blockdiag 8 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/nginx/ns-and-sa.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: nginx-ingress 5 | --- 6 | apiVersion: v1 7 | kind: ServiceAccount 8 | metadata: 9 | name: nginx-ingress 10 | namespace: nginx-ingress -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/_static/class1-module2-lab2-nginx-plus-nodeport.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/nginx-ingress-controller-cis/sphinx-docs/docs/_static/class1-module2-lab2-nginx-plus-nodeport.png -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/_static/class1-module3-lab1-select-as3-partition.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/nginx-ingress-controller-cis/sphinx-docs/docs/_static/class1-module3-lab1-select-as3-partition.png -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/_static/class1-module3-lab2-view-illegal-request.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/f5devcentral/f5-k8s-demo/HEAD/nginx-ingress-controller-cis/sphinx-docs/docs/_static/class1-module3-lab2-view-illegal-request.png -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/TBD.md: -------------------------------------------------------------------------------- 
1 | # TBD 2 | 3 | 1. install 'pv' package on the K8S Master 4 | 2. Clean local repo for YAML 5 | 2. Update lab guide with new paths 6 | 3. populate demo-script.sh with new lab guide commands 7 | 4. properly attribute example content -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/nginx/remove_health.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | kubectl delete cm -n nginx-ingress healthprobe.conf 3 | kubectl delete cm nginx-health -n nginx-ingress 4 | kubectl apply -f nginx-ingress.yaml 5 | kubectl apply -f ingress-nginx-dashboard-service.yaml 6 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-operator/helm-charts/F5Demo/iRules/proxy_protocol_send.irule: -------------------------------------------------------------------------------- 1 | when SERVER_CONNECTED { 2 | TCP::respond "PROXY TCP[IP::version] [IP::client_addr] [clientside {IP::local_addr}] [TCP::client_port] [clientside {TCP::local_port}]\r\n" 3 | } 4 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/wordlist: -------------------------------------------------------------------------------- 1 | todo 2 | username 3 | iWorkflow 4 | webserver 5 | hypervisor 6 | tmsh 7 | hyperlinks 8 | callouts 9 | xubuntu 10 | ubuntu 11 | datacenter 12 | jumphost 13 | rackmount 14 | rst 15 | pre 16 | reStructuredText 17 | rST 18 | -------------------------------------------------------------------------------- /ocp4/appprotect-log.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: appprotect.f5.com/v1beta1 2 | kind: APLogConf 3 | metadata: 4 | name: logconf 5 | spec: 6 | filter: 7 | request_type: all 8 | content: 9 | format: default 10 | max_request_size: any 11 | max_message_size: 5k 12 | 
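-------------------------------------------------------------------------------- /ocp4/www-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: www 5 | labels: 6 | app: www 7 | 8 | spec: 9 | ports: 10 | - name: www 11 | port: 443 12 | protocol: TCP 13 | targetPort: 8443 14 | selector: 15 | app: www 16 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/nginx/remove_ds.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | kubectl delete cm -n nginx-ingress localhost.conf.template 3 | kubectl delete cm nginx-to-as3 -n nginx-ingress 4 | kubectl delete cm -n nginx-ingress nginx-ingress.wrapper 5 | kubectl delete -f nginx-plus-ingress.ds.yaml 6 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/requirements.txt: -------------------------------------------------------------------------------- 1 | Sphinx<2.0 2 | # The theme is fetched over https: the git:// transport is unauthenticated and unencrypted, and GitHub no longer serves it. 3 | # NOTE(review): @master is a moving branch; pin a tag or commit so documentation builds are reproducible. 4 | git+https://github.com/f5devcentral/f5-sphinx-theme@master#egg=f5_sphinx_theme 5 | recommonmark 6 | sphinxcontrib-googleanalytics 7 | sphinxcontrib-addmetahtml 8 | sphinxcontrib-nwdiag 9 | sphinxcontrib-blockdiag 10 | -------------------------------------------------------------------------------- /chen-k8s-demo/scripts/nginx-ingress.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Apply the ingress-nginx "mandatory" manifest and the bare-metal NodePort service directly from GitHub. 3 | # NOTE(review): both URLs follow the moving master branch, so what is applied to the cluster can change between runs without review; pin a release tag or commit and apply a reviewed copy. 4 | kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml 5 | kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml 6 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/nginx/appprotect-log.yaml: -------------------------------------------------------------------------------- 1 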
| apiVersion: appprotect.f5.com/v1beta1 2 | kind: APLogConf 3 | metadata: 4 | name: logconf 5 | spec: 6 | filter: 7 | request_type: all 8 | content: 9 | format: default 10 | max_request_size: any 11 | max_message_size: 5k 12 | -------------------------------------------------------------------------------- /ocp4-aws-upi/terraform/outputs.tf: -------------------------------------------------------------------------------- 1 | output "Web_Public_IP" { 2 | value = "${aws_instance.web.public_ip}" 3 | } 4 | output "Bigip1_Public_IP" { 5 | value = "${aws_instance.bigip1.public_ip}" 6 | } 7 | 8 | output "Workspace_Public_IP" { 9 | value = "${aws_instance.workspace.public_ip}" 10 | } 11 | -------------------------------------------------------------------------------- /ocp4/as3-configmap-override-empty.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: f5-as3-override 5 | namespace: default 6 | labels: 7 | f5type: virtual-server 8 | overrideAS3: "true" 9 | data: 10 | template: | 11 | { 12 | "declaration": {} 13 | } 14 | -------------------------------------------------------------------------------- /ocp4/appprotect-basic.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: appprotect.f5.com/v1beta1 2 | kind: APPolicy 3 | metadata: 4 | name: basic-block 5 | spec: 6 | policy: 7 | name: basic-block 8 | template: 9 | name: POLICY_TEMPLATE_NGINX_BASE 10 | applicationLanguage: utf-8 11 | enforcementMode: blocking 12 | -------------------------------------------------------------------------------- /ocp4/my-frontend-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: my-frontend 5 | labels: 6 | app: my-frontend 7 | 8 | spec: 9 | ports: 10 | - name: my-frontend 11 | port: 80 12 | protocol: TCP 13 | targetPort: 8080 14 | selector: 
15 | app: my-frontend 16 | -------------------------------------------------------------------------------- /ocp4/teardown_nginxcisconnector.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | oc delete -f f5-server-nginx-helm-template.yaml 3 | oc create -f f5-server.yaml 4 | 5 | oc delete -f nginx-ingress-cis.yaml 6 | oc create -f nginx-ingress-controller.yaml 7 | 8 | oc delete -f nginx-cis-connector.yaml 9 | source ~/venv/bin/activate 10 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/containthedocs-wget: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -x 4 | 5 | . ../../containthedocs-image 6 | 7 | exec docker run --rm -it \ 8 | -v "$PWD":"$PWD" --workdir "$PWD" \ 9 | ${DOCKER_RUN_ARGS} \ 10 | -e "LOCAL_USER_ID=$(id -u)" \ 11 | ${DOC_IMG} wget -x -nH $1 12 | -------------------------------------------------------------------------------- /ocp4/my-route.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: route.openshift.io/v1 2 | kind: Route 3 | metadata: 4 | name: cisroute 5 | namespace: default 6 | spec: 7 | host: my-frontend.cisroutes.dc1.example.com 8 | path: / 9 | to: 10 | kind: Service 11 | name: my-frontend 12 | port: 13 | targetPort: 80 14 | 15 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/my-frontend-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: my-frontend 5 | labels: 6 | app: my-frontend 7 | spec: 8 | ports: 9 | - port: 80 10 | protocol: TCP 11 | targetPort: 80 12 | type: NodePort 13 | selector: 14 | app: my-frontend 15 | -------------------------------------------------------------------------------- /ocp4/www-route.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: route.openshift.io/v1 2 | kind: Route 3 | metadata: 4 | name: wwwroute 5 | namespace: default 6 | spec: 7 | host: www.apps.dc1.example.com 8 | to: 9 | kind: Service 10 | name: www 11 | port: 12 | targetPort: 443 13 | tls: 14 | termination: passthrough 15 | 16 | -------------------------------------------------------------------------------- /ocp4/nginx-configuration-configmap.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: my-nginx-ingress-controller 5 | data: 6 | proxy-protocol: "True" 7 | real-ip-header: "proxy_protocol" 8 | set-real-ip-from: "10.130.0.0/23" 9 | # main-snippets: | 10 | # load_module modules/ngx_http_js_module.so; 11 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/nginx/add_health.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | kubectl create configmap nginx-health -n nginx-ingress --from-file=nginx_health.js 3 | kubectl create configmap healthprobe.conf -n nginx-ingress --from-file=healthprobe.conf 4 | kubectl apply -f nginx-ingress.health.yaml 5 | kubectl apply -f ingress-nginx-health-service.yaml 6 | -------------------------------------------------------------------------------- /ocp4/my-frontend-service3-as3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: my-frontend3 5 | labels: 6 | run: my-frontend3 7 | spec: 8 | ports: 9 | - name: my-frontend3 10 | port: 80 11 | protocol: TCP 12 | targetPort: 8080 13 | type: NodePort 14 | selector: 15 | run: my-frontend3 16 | -------------------------------------------------------------------------------- /ocp4/nginx-subscription.yaml: 
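-------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: nginx-ingress-operator 5 | namespace: openshift-operators 6 | spec: 7 | channel: alpha 8 | name: nginx-ingress-operator 9 | source: redhat-operators 10 | sourceNamespace: openshift-marketplace 11 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/nginx/appprotect-basic.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: appprotect.f5.com/v1beta1 2 | kind: APPolicy 3 | metadata: 4 | name: basic-block 5 | spec: 6 | policy: 7 | name: basic-block 8 | template: 9 | name: POLICY_TEMPLATE_NGINX_BASE 10 | applicationLanguage: utf-8 11 | enforcementMode: blocking 12 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/nginx/nginx-configuration-configmap.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | data: 6 | proxy-protocol: "True" 7 | real-ip-header: "proxy_protocol" 8 | set-real-ip-from: "10.233.125.0/24" 9 | main-snippets: | 10 | load_module modules/ngx_http_js_module.so; 11 | -------------------------------------------------------------------------------- /chen-k8s-demo/scripts/decode_cert.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import os 3 | import ssl 4 | import tempfile 5 | from urllib.parse import unquote 6 | # Read a percent-encoded certificate from the prompt, decode it, print it and save it to the file the user names. 7 | cert = input('Paste in encoded cert: ') 8 | output = input('Output filename: ') 9 | decoded_cert = unquote(cert) 10 | print(decoded_cert) 11 | # Mode 'w' overwrites an existing file of that name; the context manager flushes and closes the file even if the write fails. 12 | with open(output, 'w') as f: 13 |     f.write(decoded_cert) 14 | 15 | -------------------------------------------------------------------------------- /ocp4/nginx-cis-connector.yaml: 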
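-------------------------------------------------------------------------------- 1 | apiVersion: "cis.f5.com/v1" 2 | kind: NginxCisConnector 3 | metadata: 4 | name: nginx-ingress 5 | namespace: nginx-ingress 6 | spec: 7 | virtualServerAddress: "10.1.10.102" 8 | iRules: 9 | - /Common/Proxy_Protocol_iRule 10 | selector: 11 | matchLabels: 12 | app: nginx-ingress-cis 13 | -------------------------------------------------------------------------------- /chen-k8s-demo/scripts/setup_tiller.sh: -------------------------------------------------------------------------------- 1 | # Create the tiller service account in kube-system, bind it to a cluster role and patch the tiller-deploy Deployment to run as that account. 2 | # NOTE(review): the binding grants cluster-admin, so Tiller runs with full cluster-administrator rights; keep this to a disposable lab cluster, or bind a Role limited to what the charts need. Helm 3 no longer uses Tiller. 3 | kubectl create serviceaccount --namespace kube-system tiller 4 | kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller 5 | kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}' 6 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/scripts/convertdocx.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Convert the .docx file named by $1 to reStructuredText with pandoc and copy its embedded media into ./media. 3 | 4 | set -x 5 | 6 | 7 | DOCNAME=${1%.docx} 8 | echo "$1" 9 | echo "$DOCNAME" 10 | 11 | # Quoted so that a file name containing spaces or glob characters is passed through as one argument. 12 | pandoc -f docx "$1" -t rst -o "$DOCNAME.rst" 13 | mkdir -p tmp media 14 | # Stop if the scratch directory cannot be entered; otherwise the later "cd .." and "rm -Rf tmp" would act on the wrong directory. 15 | cd tmp || exit 1 16 | unzip "../$1" 17 | cp -Rf ./word/media/* ../media 18 | cd .. 19 | rm -Rf tmp 20 | 21 | -------------------------------------------------------------------------------- /chen-k8s-demo/README.md: -------------------------------------------------------------------------------- 1 | F5 Kubernetes Demo 2 | ====================== 3 | 4 | ### About 5 | 6 | Scripts/Examples for Eric's K8s demos. 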
7 | 8 | ### Authored By 9 | 10 | Nicolas Ménant | [@nmenant](https://github.com/nmenant) 11 | 12 | [Eric Chen](https://devcentral.f5.com/users/123940) | [@chen23](https://github.com/chen23) 13 | 14 | 15 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-operator/deploy/role_binding.yaml: -------------------------------------------------------------------------------- 1 | kind: RoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: f5demo-operator 5 | subjects: 6 | - kind: ServiceAccount 7 | name: f5demo-operator 8 | roleRef: 9 | kind: Role 10 | name: f5demo-operator 11 | apiGroup: rbac.authorization.k8s.io 12 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/containthedocs-bash.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -x 4 | 5 | COMMAND="/bin/bash" 6 | 7 | . ./containthedocs-image 8 | 9 | exec sudo docker run --rm -it \ 10 | -v "$PWD":"$PWD" --workdir "$PWD" \ 11 | ${DOCKER_RUN_ARGS} \ 12 | -e "LOCAL_USER_ID=$(id -u)" \ 13 | ${DOC_IMG} ${COMMAND} 14 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/class1/module2/module2.rst: -------------------------------------------------------------------------------- 1 | Module 2: Deploying NGINX+ Ingress 2 | ================================== 3 | 4 | In this module you will deploy the NGINX+ ingress controller and expose the 5 | controller outside the cluster. 6 | 7 | .. 
toctree:: 8 | :maxdepth: 1 9 | :glob: 10 | 11 | lab* 12 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/f5-cis/cis-sa.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Source: f5-bigip-ctlr/templates/f5-bigip-ctlr-serviceaccount.yaml 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: bigip1-f5-bigip-ctlr 7 | labels: 8 | app: f5-bigip-ctlr 9 | chart: f5-bigip-ctlr-0.0.6 10 | release: bigip1 11 | heritage: Tiller 12 | 13 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/containthedocs-clean.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -x 4 | 5 | COMMAND="make -C docs clean" 6 | 7 | . ./containthedocs-image 8 | 9 | exec docker run --rm -it \ 10 | -v "$PWD":"$PWD" --workdir "$PWD" \ 11 | ${DOCKER_RUN_ARGS} \ 12 | -e "LOCAL_USER_ID=$(id -u)" \ 13 | ${DOC_IMG} ${COMMAND} 14 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/containthedocs-spelling.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -x 4 | 5 | COMMAND="make -C docs spelling" 6 | 7 | . ./containthedocs-image 8 | 9 | exec docker run --rm -it \ 10 | -v "$PWD":"$PWD" --workdir "$PWD" \ 11 | ${DOCKER_RUN_ARGS} \ 12 | -e "LOCAL_USER_ID=$(id -u)" \ 13 | ${DOC_IMG} ${COMMAND} 14 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/containthedocs-cleanbuild.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -x 4 | 5 | COMMAND="make -C docs clean html" 6 | 7 | . 
./containthedocs-image 8 | 9 | exec docker run --rm -it \ 10 | -v "$PWD":"$PWD" --workdir "$PWD" \ 11 | ${DOCKER_RUN_ARGS} \ 12 | -e "LOCAL_USER_ID=$(id -u)" \ 13 | ${DOC_IMG} ${COMMAND} 14 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/containthedocs-singlehtml.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -x 4 | 5 | COMMAND="make -C docs singlehtml" 6 | 7 | . ./containthedocs-image 8 | 9 | exec docker run --rm -it \ 10 | -v "$PWD":"$PWD" --workdir "$PWD" \ 11 | ${DOCKER_RUN_ARGS} \ 12 | -e "LOCAL_USER_ID=$(id -u)" \ 13 | ${DOC_IMG} ${COMMAND} 14 | -------------------------------------------------------------------------------- /ocp4/tmsh.txt: -------------------------------------------------------------------------------- 1 | create /auth partition ocp 2 | create net tunnels vxlan ose-vxlan flooding-type multipoint 3 | create net tunnels tunnel openshift_vxlan key 0 profile ose-vxlan local-address 192.168.131.240 4 | create net self 10.128.0.3/14 allow-service none vlan openshift_vxlan 5 | create net self 10.128.0.4/14 allow-service none vlan openshift_vxlan traffic-group traffic-group-1 6 | 7 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/nginx/add_ds.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | kubectl create configmap nginx-to-as3 -n nginx-ingress --from-file=nginx_to_as3.js 3 | kubectl create configmap localhost.conf.template -n nginx-ingress --from-file=localhost.conf.template 4 | kubectl create configmap nginx-ingress.wrapper -n nginx-ingress --from-file=nginx-ingress.wrapper 5 | kubectl create -f nginx-plus-ingress.ds.yaml 6 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/containthedocs-build.sh: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -x 4 | 5 | COMMAND="make -C docs html" 6 | 7 | . ./containthedocs-image 8 | 9 | sudo rm -rf docs/_build/ 10 | 11 | exec sudo docker run --rm -it \ 12 | -v "$PWD":"$PWD" --workdir "$PWD" \ 13 | ${DOCKER_RUN_ARGS} \ 14 | -e "LOCAL_USER_ID=$(id -u)" \ 15 | ${DOC_IMG} ${COMMAND} 16 | -------------------------------------------------------------------------------- /ocp4/host.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: HostSubnet 3 | metadata: 4 | name: bigip1 5 | annotations: 6 | pod.network.openshift.io/fixed-vnid-host: "0" 7 | pod.network.openshift.io/assign-subnet: "true" 8 | # provide a name for the BIG-IP device's host Node 9 | host: bigip1 10 | # Provide an IP address to serve as the BIG-IP VTEP in the OpenShift SDN 11 | hostIP: 10.1.20.240 12 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/nginx-helm.sh: -------------------------------------------------------------------------------- 1 | helm template my-release --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true --set controller.appprotect.enable=true --set controller.config.name=nginx-config --set controller.defaultTLS.secret=\$\(POD_NAMESPACE\)/default-server-secret --set controller.nginxStatus.allowCidrs=0.0.0.0/0 --namespace nginx-ingress . # Renders the chart in the current directory with NGINX Plus and App Protect enabled. NOTE(review): controller.nginxStatus.allowCidrs=0.0.0.0/0 allows every source address to reach the NGINX status/API endpoint; narrow it to the monitoring network outside a lab. 
2 | -------------------------------------------------------------------------------- /ocp4-aws-upi/deploy/vars.tf: -------------------------------------------------------------------------------- 1 | variable bigip1_ip {} 2 | variable prefix {} 3 | variable ssh_key {} 4 | variable aws_region {} 5 | variable rhcos_ami {} 6 | variable subnet_id {} 7 | variable security_group {} 8 | variable iam_instance_profile_bootstrap {} 9 | variable iam_instance_profile_control-plane {} 10 | variable iam_instance_profile_worker {} 11 | variable s3_bucket {} 12 | variable cluster_id {} -------------------------------------------------------------------------------- /ocp4/cis-operator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: f5-bigip-ctlr-operator 5 | namespace: default 6 | spec: 7 | channel: beta 8 | installPlanApproval: Manual 9 | name: f5-bigip-ctlr-operator 10 | source: certified-operators 11 | sourceNamespace: openshift-marketplace 12 | startingCSV: f5-bigip-ctlr-operator.v1.4.0 13 | 14 | -------------------------------------------------------------------------------- /ocp4/nginx-operator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: operators.coreos.com/v1alpha1 2 | kind: Subscription 3 | metadata: 4 | name: nginx-ingress-operator 5 | namespace: nginx-ingress 6 | spec: 7 | channel: alpha 8 | installPlanApproval: Manual 9 | name: nginx-ingress-operator 10 | source: certified-operators 11 | sourceNamespace: openshift-marketplace 12 | startingCSV: nginx-ingress-operator.v0.0.7 13 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/teardown_istio.sh: -------------------------------------------------------------------------------- 1 | kubectl delete -f istio-service.yaml -n istio-system 2 | kubectl delete -f echo-deployment.yaml 3 | 
kubectl delete -f my-echo-service.yaml 4 | kubectl delete -f httpbin.yaml -n istio-demo 5 | sleep 30 6 | kubectl delete -f ../istio/istio-1.2.2.yaml 7 | sleep 30 8 | kubectl delete -f ../istio/istio-1.2.2-crd.yaml 9 | kubectl delete ns istio-demo 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /ocp4/setup_nginxcisconnector.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | oc delete -f f5-server.yaml 3 | oc create -f f5-server-nginx-helm-template.yaml 4 | oc delete -f nginx-ingress-controller.yaml 5 | oc create -f nginx-ingress-cis.yaml 6 | oc create -f nginx-cis-connector.yaml 7 | source ~/venv/bin/activate 8 | python ~/as3-client.py -a delete -t ConfigMap 9 | sleep 30 10 | python ~/as3-client.py -a delete -t ConfigMapNginx 11 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/my-echo-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: my-echo 5 | labels: 6 | run: my-echo 7 | cis.f5.com/as3-tenant: AS3 8 | cis.f5.com/as3-app: MyApps 9 | cis.f5.com/as3-pool: echo_pool 10 | spec: 11 | ports: 12 | - port: 9000 13 | protocol: TCP 14 | targetPort: 9000 15 | type: NodePort 16 | selector: 17 | run: my-echo 18 | -------------------------------------------------------------------------------- /chen-k8s-demo/onboard/dashboard-admin.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: kubernetes-dashboard 5 | labels: 6 | k8s-app: kubernetes-dashboard 7 | roleRef: 8 | apiGroup: rbac.authorization.k8s.io 9 | kind: ClusterRole 10 | name: cluster-admin # NOTE(review): binds the dashboard's service account (subjects below) to cluster-admin, so whoever can act through the dashboard with that account controls the whole cluster; demo convenience only, bind a narrower ClusterRole on anything shared 11 | subjects: 12 | - kind: ServiceAccount 13 | name: kubernetes-dashboard 14 | namespace: kube-system 15 |
-------------------------------------------------------------------------------- /mytypelb/chenpam.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Deployment 3 | metadata: 4 | name: chenpam 5 | spec: 6 | replicas: 1 7 | template: 8 | metadata: 9 | labels: 10 | run: chenpam 11 | spec: 12 | serviceAccountName: chenpam 13 | containers: 14 | - image: "registry.dc1.example.com/chenpam:0.0.5" 15 | imagePullPolicy: IfNotPresent 16 | name: chenpam 17 | -------------------------------------------------------------------------------- /ocp4/docs/walkthrough/index.rst: -------------------------------------------------------------------------------- 1 | Walkthrough 2 | =========== 3 | 4 | Introduction 5 | ~~~~~~~~~~~~ 6 | 7 | The "Basic Demo" is more or less a "read-only" view of the environment. The 8 | following takes the approach of resetting the environment and walking 9 | through the steps to get up to the "Basic Demo". 10 | 11 | .. toctree:: 12 | :maxdepth: 1 13 | 14 | reset 15 | addapps 16 | deploycis 17 | 18 | 19 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # F5 Kubernetes/OpenShift Demo 2 | 3 | 4 | ## About 5 | 6 | These are files that have been used 7 | in Kubernetes/OpenShift demos at F5. 8 | 9 | ### chen-k8s-demo 10 | 11 | Eric Chen's K8s Demo using Flannel. 12 | 13 | ### nginx-ingress-controller-cis 14 | 15 | Kevin Reynolds' NGINX Ingress Controller and Container Ingress Services Lab.
16 | 17 | ### ocp4 18 | 19 | Eric Chen's OpenShift 4 Demo 20 | 21 | 22 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/as3-helm/README.txt: -------------------------------------------------------------------------------- 1 | helm demo: 2 | 3 | # just L4 4 | helm install f5-as3 --name f5demo 5 | 6 | # DNS 7 | helm upgrade f5demo f5-as3 --set f5demo.dns=true 8 | 9 | # WAF 10 | helm upgrade f5demo f5-as3 --set f5demo.dns=true --set f5demo.http=true --set f5demo.waf=true 11 | 12 | # delete AS3 13 | helm upgrade f5demo f5-as3 --set f5demo.delete=true 14 | 15 | # delete configmap 16 | helm delete f5demo 17 | -------------------------------------------------------------------------------- /chen-k8s-demo/scripts/annotate-my-website.sh: -------------------------------------------------------------------------------- 1 | kubectl annotate configmap my-website virtual-server.f5.com/ip=`kubectl get svc my-website -o json |jq ".spec.clusterIP" -r` --overwrite; 2 | #kubectl annotate configmap my-website virtual-server.f5.com/ip=10.100.253.168 --overwrite; 3 | kubectl annotate configmap my-website custom_dns=www.f5demo.com --overwrite; 4 | kubectl annotate configmap my-website custom_translate_ip=10.1.10.80 --overwrite; 5 | -------------------------------------------------------------------------------- /ocp4-aws-upi/terraform/wait_for_bigip.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | S3_BUCKET=$1 3 | #echo "Waiting for /info endpoint to be available" 4 | for x in `seq 1 60`; do 5 | aws s3 ls ${S3_BUCKET}/admin.shadow &> /dev/null; 6 | if [ $? 
== 1 ]; then 7 | rm -f admin.shadow; 8 | touch admin.shadow; 9 | exit 0; # all done 10 | break 11 | fi 12 | #echo $?; 13 | sleep 10; 14 | done 15 | echo "did not finish BIG-IP" 16 | exit 1 17 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/containthedocs-convert.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -x 4 | 5 | if [ "$#" -ne 1 ]; then 6 | echo "Usage $0 " 7 | exit 1 8 | fi 9 | 10 | COMMAND="scripts/convertdocx.sh $1" 11 | 12 | . ./containthedocs-image 13 | 14 | exec docker run --rm -it \ 15 | -v "$PWD":"$PWD" --workdir "$PWD" \ 16 | ${DOCKER_RUN_ARGS} \ 17 | -e "LOCAL_USER_ID=$(id -u)" \ 18 | ${DOC_IMG} ${COMMAND} 19 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/istio-jwt-policy-bigip.sh: -------------------------------------------------------------------------------- 1 | cat </helm-charts/F5Demo/values.yaml 7 | 8 | # Default values for f5-as3. 9 | # This is a YAML-formatted file. 10 | # Declare variables to be passed into your templates. 
11 | common: 12 | applications: 13 | -------------------------------------------------------------------------------- /ocp4/my-frontend-service2-as3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: my-frontend2 5 | labels: 6 | app: my-frontend2 7 | cis.f5.com/as3-tenant: ConfigMap 8 | cis.f5.com/as3-app: MyApps 9 | cis.f5.com/as3-pool: frontend2_pool 10 | 11 | spec: 12 | ports: 13 | - name: my-frontend2 14 | port: 80 15 | protocol: TCP 16 | targetPort: 8080 17 | type: NodePort 18 | selector: 19 | app: my-frontend2 20 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/f5-cis/nodeport-cis-80.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: nginx-ingress 5 | namespace: nginx-ingress 6 | labels: 7 | cis.f5.com/as3-tenant: AS3 8 | cis.f5.com/as3-app: MyApps 9 | cis.f5.com/as3-pool: ingress_pool 10 | spec: 11 | type: NodePort 12 | ports: 13 | - port: 80 14 | targetPort: 80 15 | protocol: TCP 16 | name: http 17 | selector: 18 | app: nginx-ingress 19 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-operator/deploy/crds/charts_v1alpha1_f5demo_cr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: charts.helm.k8s.io/v1alpha1 2 | kind: F5Demo 3 | metadata: 4 | name: example-f5demo 5 | spec: 6 | # Default values copied from /helm-charts/F5Demo/values.yaml 7 | 8 | # Default values for f5demo. 9 | # This is a YAML-formatted file. 10 | # Declare variables to be passed into your templates. 
11 | #common: 12 | 13 | #applications: 14 | 15 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/my-frontend-service-as3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: my-frontend 5 | labels: 6 | app: my-frontend 7 | cis.f5.com/as3-tenant: AS3 8 | cis.f5.com/as3-app: MyApps 9 | cis.f5.com/as3-pool: frontend_pool 10 | 11 | spec: 12 | ports: 13 | - name: my-frontend 14 | port: 80 15 | protocol: TCP 16 | targetPort: 80 17 | type: LoadBalancer 18 | selector: 19 | app: my-frontend 20 | -------------------------------------------------------------------------------- /ocp4/green-ingress-nginx.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Ingress 3 | metadata: 4 | name: green-ingress 5 | annotations: 6 | kubernetes.io/ingress.class: "nginx" 7 | nginx.org/server-snippets: | 8 | add_header x-nginx-ingress $hostname; 9 | spec: 10 | rules: 11 | - host: green.ingress.dc1.example.com 12 | http: 13 | paths: 14 | - backend: 15 | serviceName: node-green 16 | servicePort: 80 17 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/green-ingress-nginx.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Ingress 3 | metadata: 4 | name: green-ingress 5 | annotations: 6 | kubernetes.io/ingress.class: "nginx" 7 | nginx.org/server-snippets: | 8 | add_header x-nginx-ingress $hostname; 9 | spec: 10 | rules: 11 | - host: green.f5demo.com 12 | http: 13 | paths: 14 | - backend: 15 | serviceName: node-green 16 | servicePort: 80 17 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/f5-cis/nodeport-cis-443.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: nginx-ingress-tls 5 | namespace: nginx-ingress 6 | labels: 7 | cis.f5.com/as3-tenant: AS3 8 | cis.f5.com/as3-app: MyApps 9 | cis.f5.com/as3-pool: ingresstls_pool 10 | spec: 11 | type: NodePort 12 | ports: 13 | - port: 443 14 | targetPort: 443 15 | protocol: TCP 16 | name: https 17 | selector: 18 | app: nginx-ingress 19 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/echo-deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Deployment 3 | metadata: 4 | name: my-echo 5 | spec: 6 | replicas: 1 7 | template: 8 | metadata: 9 | labels: 10 | run: my-echo 11 | spec: 12 | containers: 13 | - image: "chen23/echo9000:latest" 14 | imagePullPolicy: IfNotPresent 15 | name: my-echo 16 | ports: 17 | - containerPort: 9000 18 | protocol: TCP 19 | 20 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/f5-cis/nodeport-cis-8080.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: nginx-ingress-dashboard 5 | namespace: nginx-ingress 6 | labels: 7 | cis.f5.com/as3-tenant: AS3 8 | cis.f5.com/as3-app: MyApps 9 | cis.f5.com/as3-pool: dashboard_pool 10 | spec: 11 | type: NodePort 12 | ports: 13 | - port: 8181 14 | targetPort: 8181 15 | protocol: TCP 16 | name: http 17 | selector: 18 | app: nginx-ingress 19 | -------------------------------------------------------------------------------- /ocp4/my-route-tls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: route.openshift.io/v1 2 | kind: Route 3 | metadata: 4 | name: cisroute 5 | namespace: default 6 | annotations: 7 | virtual-server.f5.com/clientssl: 
/Common/cisroutes-clientssl 8 | spec: 9 | host: my-frontend.cisroutes.dc1.example.com 10 | path: / 11 | to: 12 | kind: Service 13 | name: my-frontend 14 | port: 15 | targetPort: 80 16 | tls: 17 | termination: edge 18 | insecureEdgeTerminationPolicy: Redirect 19 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/nginx/healthprobe.conf: -------------------------------------------------------------------------------- 1 | js_include conf.d/nginx_health.js; 2 | 3 | server { 4 | listen 8245; 5 | server_name api.example.com; 6 | root /usr/share/nginx/html; 7 | location /version { 8 | js_content version; 9 | } 10 | location = /dashboard.html { 11 | } 12 | location /api/ { 13 | api write=on; 14 | # allow 127.0.0.1; 15 | allow 10.0.0.0/8; # for demo only: with write=on above, every client in 10.0.0.0/8 can change NGINX Plus state through /api/; narrow this to the management host(s) outside a lab 16 | deny all; 17 | } 18 | location /health { 19 | js_content StatusByFqdn; 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /ocp4/ingress-nginx-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: nginx-ingress 5 | namespace: nginx-ingress 6 | labels: 7 | cis.f5.com/as3-tenant: ConfigMapNginx 8 | cis.f5.com/as3-app: MyApps 9 | cis.f5.com/as3-pool: ingress_pool 10 | spec: 11 | type: NodePort 12 | ports: 13 | - name: http 14 | port: 80 15 | targetPort: 80 16 | protocol: TCP 17 | selector: 18 | app: my-nginx-ingress-controller 19 | 20 | --- 21 | 22 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-operator/helm-charts/F5Demo/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line.
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/istio-jwt-policy.sh: -------------------------------------------------------------------------------- 1 | cat < to stop the server..." 12 | cd _build 13 | for i in `cat ../../server-dependencies` 14 | do 15 | ../../containthedocs-wget $i; 16 | done 17 | python -mSimpleHTTPServer $PORT 18 | else 19 | echo "The _build directory doesn't exist... try running 'script/setup'" 20 | exit 1 21 | fi 22 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/nginx/ingress-nginx-dashboard-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: nginx-ingress-dashboard 5 | namespace: nginx-ingress 6 | labels: 7 | cis.f5.com/as3-tenant: ConfigMapNginx 8 | cis.f5.com/as3-app: MyApps 9 | cis.f5.com/as3-pool: nginxplusapi_pool 10 | spec: 11 | type: NodePort 12 | ports: 13 | - name: dashboard 14 | port: 8080 15 | targetPort: 8080 16 | protocol: TCP 17 | selector: 18 | app: nginx-ingress 19 | 20 | --- 21 | 22 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-operator/deploy/crds/charts_v1alpha1_f5demo_crd.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1beta1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: f5demos.charts.helm.k8s.io 5 | spec: 6 | group: charts.helm.k8s.io 7 | names: 8 | kind: F5Demo 9 | listKind: F5DemoList 10 | plural: f5demos 11 | singular: f5demo 12 | scope: Namespaced 13 | subresources: 14 | status: {} 15 | 
version: v1alpha1 16 | versions: 17 | - name: v1alpha1 18 | served: true 19 | storage: true 20 | -------------------------------------------------------------------------------- /ocp4/cis-ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1beta1 2 | kind: Ingress 3 | metadata: 4 | name: cisingress 5 | namespace: default 6 | annotations: 7 | # kubernetes.io/ingress.class: "f5" 8 | virtual-server.f5.com/ip: "10.1.10.102" 9 | virtual-server.f5.com/http-port: "80" 10 | spec: 11 | rules: 12 | - host: my-frontend3.ingress.dc1.example.com 13 | http: 14 | paths: 15 | - path: / 16 | backend: 17 | serviceName: my-frontend3 18 | servicePort: 80 19 | 20 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/istio-virtualservice.sh: -------------------------------------------------------------------------------- 1 | kubectl apply -n istio-demo -f - <NUL 2>NUL 16 | if errorlevel 9009 ( 17 | echo. 18 | echo.The 'sphinx-build' command was not found. Make sure you have Sphinx 19 | echo.installed, then set the SPHINXBUILD environment variable to point 20 | echo.to the full path of the 'sphinx-build' executable. Alternatively you 21 | echo.may add the Sphinx directory to PATH. 22 | echo. 
23 | echo.If you don't have Sphinx installed, grab it from 24 | echo.http://sphinx-doc.org/ 25 | exit /b 1 26 | ) 27 | 28 | %SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O% 29 | goto end 30 | 31 | :help 32 | %SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O% 33 | 34 | :end 35 | popd 36 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/istio-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: istiogwcis 5 | labels: 6 | run: my-website 7 | cis.f5.com/as3-tenant: AS3 8 | cis.f5.com/as3-app: MyApps 9 | cis.f5.com/as3-pool: istiogwcis_pool 10 | spec: 11 | ports: 12 | - port: 80 13 | protocol: TCP 14 | targetPort: 80 15 | type: NodePort 16 | selector: 17 | app: istio-ingressgateway 18 | istio: ingressgateway 19 | release: istio 20 | --- 21 | apiVersion: v1 22 | kind: Service 23 | metadata: 24 | name: istiogwcistls 25 | labels: 26 | run: istiogwcistls 27 | cis.f5.com/as3-tenant: AS3 28 | cis.f5.com/as3-app: MyApps 29 | cis.f5.com/as3-pool: istiogwcistls_pool 30 | spec: 31 | ports: 32 | - port: 443 33 | protocol: TCP 34 | targetPort: 443 35 | type: NodePort 36 | selector: 37 | app: istio-ingressgateway 38 | istio: ingressgateway 39 | release: istio 40 | 41 | -------------------------------------------------------------------------------- /chen-k8s-demo/docs/make.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | pushd %~dp0 4 | 5 | REM Command file for Sphinx documentation 6 | 7 | if "%SPHINXBUILD%" == "" ( 8 | set SPHINXBUILD=sphinx-build 9 | ) 10 | set SOURCEDIR=. 11 | set BUILDDIR=_build 12 | 13 | if "%1" == "" goto help 14 | 15 | %SPHINXBUILD% >NUL 2>NUL 16 | if errorlevel 9009 ( 17 | echo. 18 | echo.The 'sphinx-build' command was not found. 
Make sure you have Sphinx 19 | echo.installed, then set the SPHINXBUILD environment variable to point 20 | echo.to the full path of the 'sphinx-build' executable. Alternatively you 21 | echo.may add the Sphinx directory to PATH. 22 | echo. 23 | echo.If you don't have Sphinx installed, grab it from 24 | echo.http://sphinx-doc.org/ 25 | exit /b 1 26 | ) 27 | 28 | %SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O% 29 | goto end 30 | 31 | :help 32 | %SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O% 33 | 34 | :end 35 | popd 36 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-operator/deploy/operator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: f5demo-operator 5 | spec: 6 | replicas: 1 7 | selector: 8 | matchLabels: 9 | name: f5demo-operator 10 | template: 11 | metadata: 12 | labels: 13 | name: f5demo-operator 14 | spec: 15 | serviceAccountName: f5demo-operator 16 | containers: 17 | - name: f5demo-operator 18 | # Replace this with the built image name 19 | image: chen23/f5demo-operator:v0.0.3 20 | imagePullPolicy: Always 21 | env: 22 | - name: WATCH_NAMESPACE 23 | valueFrom: 24 | fieldRef: 25 | fieldPath: metadata.namespace 26 | - name: POD_NAME 27 | valueFrom: 28 | fieldRef: 29 | fieldPath: metadata.name 30 | - name: OPERATOR_NAME 31 | value: "f5demo-operator" 32 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/make.bat: -------------------------------------------------------------------------------- 1 | @ECHO OFF 2 | 3 | pushd %~dp0 4 | 5 | REM Command file for Sphinx documentation 6 | 7 | if "%SPHINXBUILD%" == "" ( 8 | set SPHINXBUILD=sphinx-build 9 | ) 10 | set SOURCEDIR=. 
11 | set BUILDDIR=_build 12 | set SPHINXPROJ=F5AgilityLabs 13 | 14 | if "%1" == "" goto help 15 | 16 | %SPHINXBUILD% >NUL 2>NUL 17 | if errorlevel 9009 ( 18 | echo. 19 | echo.The 'sphinx-build' command was not found. Make sure you have Sphinx 20 | echo.installed, then set the SPHINXBUILD environment variable to point 21 | echo.to the full path of the 'sphinx-build' executable. Alternatively you 22 | echo.may add the Sphinx directory to PATH. 23 | echo. 24 | echo.If you don't have Sphinx installed, grab it from 25 | echo.http://sphinx-doc.org/ 26 | exit /b 1 27 | ) 28 | 29 | %SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% 30 | goto end 31 | 32 | :help 33 | %SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% 34 | 35 | :end 36 | popd 37 | -------------------------------------------------------------------------------- /ocp4/f5-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: cis.f5.com/v1 2 | kind: F5BigIpCtlr 3 | metadata: 4 | name: f5-server 5 | namespace: default 6 | spec: 7 | args: 8 | log_as3_response: true 9 | manage_routes: true 10 | manage_ingress: true 11 | manage_configmaps: true 12 | agent: as3 13 | log_level: INFO 14 | route_vserver_addr: 10.1.10.100 15 | bigip_partition: ocp 16 | openshift_sdn_name: /Common/openshift_vxlan 17 | bigip_url: 10.1.20.240 18 | insecure: true # NOTE(review): presumably maps to the controller's insecure option, which skips validation of the BIG-IP management certificate; lab setting only, TODO confirm and use a trusted certificate elsewhere 19 | pool-member-type: cluster 20 | #namespace: default 21 | namespace-label: use_cis=true 22 | override-as3-declaration: default/f5-as3-override 23 | share-nodes: true 24 | bigip_login_secret: bigip-login 25 | image: 26 | pullPolicy: IfNotPresent 27 | repo: k8s-bigip-ctlr 28 | user: f5networks 29 | namespace: kube-system 30 | rbac: 31 | create: true 32 | resources: {} 33 | serviceAccount: 34 | create: true 35 | name: null 36 | version: 2.2.0 37 | -------------------------------------------------------------------------------- /ocp4-aws-upi/deploy/node1.tf:
-------------------------------------------------------------------------------- 1 | 2 | 3 | resource "aws_instance" "node1" { 4 | ami = "${var.rhcos_ami}" 5 | instance_type = "m4.xlarge" 6 | private_ip = "10.1.20.31" 7 | subnet_id = "${var.subnet_id}" 8 | vpc_security_group_ids = ["${var.security_group}"] 9 | key_name = "${var.ssh_key}" 10 | 11 | #user_data = "${data.template_file.node1_init.rendered}" 12 | user_data = "${file("../upi/worker.ign")}" 13 | root_block_device { 14 | delete_on_termination = true 15 | volume_type = "gp2" 16 | volume_size = 120 17 | } 18 | 19 | iam_instance_profile = "${var.iam_instance_profile_worker}" 20 | 21 | tags = { 22 | Name = "${var.prefix}-f5-ocp4-demo-node1" 23 | "kubernetes.io/cluster/${var.cluster_id}" = "shared" 24 | } 25 | } 26 | 27 | #data "template_file" "node1_init" { 28 | # template = "${file("node.tpl")}" 29 | # 30 | # vars = { 31 | # machine_config_url = "https://api-int.dc1.example.com:22623/config/master" 32 | # } 33 | #} 34 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/blue-ingress-nginx.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Ingress 3 | metadata: 4 | name: blue-ingress 5 | annotations: 6 | kubernetes.io/ingress.class: "nginx" 7 | nginx.org/server-snippets: | 8 | add_header x-nginx-ingress $hostname; 9 | appprotect.f5.com/app-protect-policy: "nginx-ingress/basic-block" 10 | appprotect.f5.com/app-protect-enable: "True" 11 | appprotect.f5.com/app-protect-security-log-enable: "True" 12 | appprotect.f5.com/app-protect-security-log: "nginx-ingress/logconf" 13 | appprotect.f5.com/app-protect-security-log-destination: "syslog:server=10.1.1.6:514" 14 | spec: 15 | tls: 16 | - hosts: 17 | - blue.f5demo.com 18 | # This assumes tls-secret exists and the SSL 19 | # certificate contains a CN for foo.bar.com 20 | secretName: tls-secret 21 | rules: 22 | - host: blue.f5demo.com 
23 | http: 24 | paths: 25 | - backend: 26 | serviceName: node-blue 27 | servicePort: 80 28 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-operator/helm-charts/F5Demo/istio-values-mtls.yaml: -------------------------------------------------------------------------------- 1 | # Default values for f5-as3. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | common: 5 | template: f5demo.common.basic.v1 6 | irules: 7 | Host_Header_To_Sni: "iRules/host_header_to_sni.irule" 8 | 9 | applications: 10 | - istiotgwcis: 11 | name: istiogwcis 12 | template: f5demo.tcp.v1 13 | virtualAddress: "10.1.10.80" 14 | virtualPort: 80 15 | - istiotgwcistls: 16 | name: istiogwcistls 17 | template: f5demo.tcp.v1 18 | virtualAddress: "10.1.10.80" 19 | virtualPort: 443 20 | - istiotgwcismtls: 21 | name: istiogwcismtls 22 | template: f5demo.waf.sni.https.v1 23 | virtualAddress: "10.1.10.80" 24 | pool: istiogwcistls_pool 25 | serverTLS: "{\"bigip\":\"/Common/httpbin.example.com_clientssl_c3d\"}" 26 | clientTLS: "{\"bigip\":\"/Common/istio_serverssl_c3d\"}" 27 | virtualPort: 8443 28 | 29 | 30 | -------------------------------------------------------------------------------- /ocp4/blue-ingress-nginx.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Ingress 3 | metadata: 4 | name: blue-ingress 5 | annotations: 6 | kubernetes.io/ingress.class: "nginx" 7 | nginx.org/location-snippets: | 8 | add_header X-nginx-ingress $hostname; 9 | appprotect.f5.com/app-protect-policy: "nginx-ingress/basic-block" 10 | appprotect.f5.com/app-protect-enable: "True" 11 | appprotect.f5.com/app-protect-security-log-enable: "True" 12 | appprotect.f5.com/app-protect-security-log: "nginx-ingress/logconf" 13 | appprotect.f5.com/app-protect-security-log-destination: "syslog:server=10.1.1.4:514" 14 | spec: 15 | tls: 16 | - hosts: 17 
| - blue.ingress.dc1.example.com 18 | # This assumes tls-secret exists and the SSL 19 | # certificate contains a CN for blue.ingress.dc1.example.com 20 | secretName: tls-secret 21 | rules: 22 | - host: blue.ingress.dc1.example.com 23 | http: 24 | paths: 25 | - backend: 26 | serviceName: node-blue 27 | servicePort: 80 28 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-operator/deploy/role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: Role 3 | metadata: 4 | creationTimestamp: null 5 | name: f5demo-operator 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - pods 11 | - services 12 | - endpoints 13 | - persistentvolumeclaims 14 | - events 15 | - configmaps 16 | - secrets # NOTE(review): together with verbs '*' below, this lets the operator read and modify every Secret in the namespace where the Role is bound; trim resources and verbs to what the chart actually needs 17 | verbs: 18 | - '*' 19 | - apiGroups: 20 | - "" 21 | resources: 22 | - namespaces 23 | verbs: 24 | - get 25 | - apiGroups: 26 | - apps 27 | resources: 28 | - deployments 29 | - daemonsets 30 | - replicasets 31 | - statefulsets 32 | verbs: 33 | - '*' 34 | - apiGroups: 35 | - monitoring.coreos.com 36 | resources: 37 | - servicemonitors 38 | verbs: 39 | - get 40 | - create 41 | - apiGroups: 42 | - apps 43 | resourceNames: 44 | - f5demo-operator 45 | resources: 46 | - deployments/finalizers 47 | verbs: 48 | - update 49 | - apiGroups: 50 | - charts.helm.k8s.io 51 | resources: 52 | - '*' 53 | verbs: 54 | - '*' 55 | -------------------------------------------------------------------------------- /ocp4/docs/demo/waf/index.rst: -------------------------------------------------------------------------------- 1 | WAF Security Policies 2 | ===================== 3 | 4 | Introduction 5 | ~~~~~~~~~~~~ 6 | 7 | The environment is setup with BOTH BIG-IP ASM and NGINX App Protect. 8 | 9 | You may want to apply policies at one or both locations. Used together you could apply a "broad" policy at BIG-IP vs. "app-specific" policy with NGINX App Protect.
10 | 11 | Demo 12 | ~~~~ 13 | 14 | Postman is configured with 3 sets of requests under the "OpenShift Demo" 15 | collection. 16 | 17 | - Via OCP Router: Via default OCP Router (shows output using default) 18 | - Attack! via OCP Router: There is an "X-Hacker" header that is permitted by default router. 19 | - Via BIG-IP Route: via route defined on BIG-IP (shows output) 20 | - Attack! via BIG-IP Route: There is an "X-Hacker" header that is blocked by BIG-IP ASM 21 | - via BIG-IP and NGINX: via Ingress (shows output via NGINX) 22 | - Attack! via BIG-IP and NGINX: There is an "X-Hacker" header that is blocked by NGINX App Protect. Logs are sent to syslog on the "web" host. 23 | 24 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/class1/module3/module3.rst: -------------------------------------------------------------------------------- 1 | Module 3: Container Ingress Services 2 | ==================================== 3 | 4 | In this module you will deploy `Container Ingress Services`_ (CIS) to provide 5 | basic L4 TCP Load Balancing, then make it better together with NGINX+ 6 | by applying L7 WAF policies. 7 | 8 | Container Ingress Services will be responsible for communicating with 9 | the Kubernetes API to keep track of the NGINX+ Ingress service. 10 | 11 | During this exercise you will first configure CIS to use L4 TCP Load 12 | Balancing. Then you will configure CIS to use L7 WAF policies. These 13 | configurations will be pushed to an F5 BIG-IP that is sitting outside the 14 | Kubernetes cluster. 15 | 16 | | 17 | | 18 | 19 | .. image:: /_static/nginx-plus-bigip-better-together.png 20 | :align: center 21 | :scale: 65 22 | 23 | | 24 | | 25 | 26 | .. toctree:: 27 | :maxdepth: 1 28 | :glob: 29 | 30 | lab* 31 | 32 | ..
_`Container Ingress Services`: https://github.com/F5Networks/k8s-bigip-ctlr -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-operator/helm-charts/F5Demo/istio-values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for f5-as3. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | common: 5 | template: f5demo.common.basic.v1 6 | irules: 7 | Host_Header_To_Sni: "iRules/host_header_to_sni.irule" 8 | 9 | applications: 10 | - echo: 11 | name: echo 12 | template: f5demo.tcp.v1 13 | virtualAddress: "10.1.10.80" 14 | virtualPort: 9000 15 | - website: 16 | name: website 17 | template: f5demo.waf.http.v1 18 | virtualAddress: "10.1.10.80" 19 | virtualPort: 80 20 | - istiotgwcistls: 21 | name: istiogwcistls 22 | template: f5demo.tcp.v1 23 | virtualAddress: "10.1.10.80" 24 | virtualPort: 443 25 | - istiotgwcismtls: 26 | name: istiogwcismtls 27 | template: f5demo.sni.https.v1 28 | virtualAddress: "10.1.10.81" 29 | pool: istiogwcistls_pool 30 | clientTLS: "{\"bigip\":\"/Common/istio_serverssl\"}" 31 | virtualPort: 443 32 | 33 | 34 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) Copyright (c) 2015, F5 Networks, Inc. 
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-operator/helm-charts/F5Demo/iRules/host_header_to_sni.irule: -------------------------------------------------------------------------------- 1 | when HTTP_REQUEST { 2 | #Set the SNI value (e.g. 
HTTP::host) 3 | set sni_value [getfield [HTTP::host] ":" 1] 4 | } 5 | when SERVERSSL_CLIENTHELLO_SEND { 6 | 7 | # SNI extension record as defined in RFC 3546/3.1 8 | # 9 | # - TLS Extension Type = int16( 0 = SNI ) 10 | # - TLS Extension Length = int16( $sni_length + 5 byte ) 11 | # - SNI Record Length = int16( $sni_length + 3 byte) 12 | # - SNI Record Type = int8( 0 = HOST ) 13 | # - SNI Record Value Length = int16( $sni_length ) 14 | # - SNI Record Value = str( $sni_value ) 15 | # 16 | 17 | # Calculate the length of the SNI value, Compute the SNI Record / TLS extension fields and add the result to the SERVERSSL_CLIENTHELLO 18 | 19 | SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length $sni_value]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value] 20 | 21 | } 22 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/blue-green-ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Ingress 3 | metadata: 4 | name: blue-green-ingress 5 | annotations: 6 | virtual-server.f5.com/ip: "10.1.10.82" 7 | virtual-server.f5.com/http-port: "80" 8 | virtual-server.f5.com/partition: "kubernetes" 9 | virtual-server.f5.com/health: | 10 | [ 11 | { 12 | "path": "blue.f5demo.com/", 13 | "send": "HTTP GET /", 14 | "interval": 5, 15 | "timeout": 15 16 | }, { 17 | "path": "green.f5demo.com/", 18 | "send": "HTTP GET /", 19 | "interval": 5, 20 | "timeout": 15 21 | } 22 | ] 23 | kubernetes.io/ingress.class: "f5" 24 | spec: 25 | rules: 26 | - host: blue.f5demo.com 27 | http: 28 | paths: 29 | - backend: 30 | serviceName: node-blue 31 | servicePort: 80 32 | - host: green.f5demo.com 33 | http: 34 | paths: 35 | - backend: 36 | serviceName: node-green 37 | servicePort: 80 38 | -------------------------------------------------------------------------------- 
/chen-k8s-demo/deployment/f5demo-operator/helm-charts/F5Demo/proxy-protocol.values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for f5-as3. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | common: 5 | template: f5demo.common.basic.v1 6 | irules: 7 | Proxy_Protocol_Send: "iRules/proxy_protocol_send.irule" 8 | 9 | 10 | applications: 11 | ingress: 12 | name: ingress 13 | template: f5demo.proxyprotocol.tcp.v1 14 | virtualAddress: "10.1.10.82" 15 | virtualPort: 80 16 | ingresstls: 17 | name: ingresstls 18 | template: f5demo.proxyprotocol.tcp.v1 19 | virtualAddress: "10.1.10.82" 20 | virtualPort: 8443 21 | snirouter: 22 | name: snirouter 23 | template: f5demo.snirouter.tcp.v1 24 | virtualAddress: "10.1.10.82" 25 | virtualPort: 443 26 | targets: 27 | - website.f5demo.com: websitetls 28 | - "*.f5demo.com": ingresstls 29 | websitetls: 30 | name: websitetls 31 | template: f5demo.waf.https.v1 32 | virtualAddress: "10.1.10.80" 33 | serverTLS: '{"bigip":"/Common/_wildcard_.f5demo.com_clientssl"}' 34 | -------------------------------------------------------------------------------- /mytypelb/chenpam_rbac.yaml: -------------------------------------------------------------------------------- 1 | # for reference only 2 | # Should be changed as per your cluster requirements 3 | kind: ClusterRole 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: chenpam-clusterrole 7 | rules: 8 | - apiGroups: ["", "extensions"] 9 | resources: ["services", "namespaces"] 10 | verbs: ["get", "list", "watch"] 11 | - apiGroups: ["", "extensions"] 12 | resources: ["configmaps", "events", "services/status"] 13 | verbs: ["get", "list", "watch", "update", "create", "patch","delete"] 14 | - apiGroups: ["cis.f5.com"] 15 | resources: ["virtualservers", "tlsprofiles", "transportservers", "nginxcisconnectors"] 16 | verbs: ["create", "get", "list", "watch", "update"] 17 | --- 18 | 19 | 
kind: ClusterRoleBinding 20 | apiVersion: rbac.authorization.k8s.io/v1 21 | metadata: 22 | name: chenpam-clusterrole-binding 23 | namespace: default 24 | roleRef: 25 | apiGroup: rbac.authorization.k8s.io 26 | kind: ClusterRole 27 | name: chenpam-clusterrole 28 | subjects: 29 | - apiGroup: "" 30 | kind: ServiceAccount 31 | name: chenpam 32 | namespace: default 33 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5-k8s-sample-rbac.yaml: -------------------------------------------------------------------------------- 1 | # for use in k8s clusters using RBAC 2 | # for Openshift use the openshift specific examples 3 | kind: ClusterRole 4 | apiVersion: rbac.authorization.k8s.io/v1beta1 5 | metadata: 6 | name: bigip-ctlr-clusterrole 7 | rules: 8 | - apiGroups: 9 | - "" 10 | - "extensions" 11 | resources: 12 | - nodes 13 | - services 14 | - endpoints 15 | - namespaces 16 | - ingresses 17 | - secrets 18 | - pods 19 | verbs: 20 | - get 21 | - list 22 | - watch 23 | - apiGroups: 24 | - "" 25 | - "extensions" 26 | resources: 27 | - configmaps 28 | - events 29 | - ingresses/status 30 | verbs: 31 | - get 32 | - list 33 | - watch 34 | - update 35 | - create 36 | - patch 37 | 38 | --- 39 | 40 | kind: ClusterRoleBinding 41 | apiVersion: rbac.authorization.k8s.io/v1beta1 42 | metadata: 43 | name: bigip-ctlr-clusterrole-binding 44 | namespace: kube-system 45 | roleRef: 46 | apiGroup: rbac.authorization.k8s.io 47 | kind: ClusterRole 48 | name: bigip-ctlr-clusterrole 49 | subjects: 50 | - kind: ServiceAccount 51 | name: bigip-ctlr 52 | namespace: kube-system 53 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/_templates/breadcrumb.html: -------------------------------------------------------------------------------- 1 | 2 |
3 | {%- if master_doc == pagename %} 4 | F5 Community Training & Labs 5 | {%- else %} 6 | {{ project|striptags|e }} 7 | {%- endif %} 8 | {%- if parents|length > 0 %} 9 | {%- for parent in parents %} 10 | > {{ parents[loop.index0].title|striptags|e }} 11 | {%- endfor %} 12 | {%- endif %} 13 | 14 | 15 | {%- if show_source and has_source and sourcename %} 16 | Source | 17 | {%- endif %} 18 | {%- if github_url is defined %} 19 | Edit on 20 | {%- endif %} 21 | 22 |
23 | 24 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/class1/module2/lab1.rst.skip: -------------------------------------------------------------------------------- 1 | Lab – Build a NGINX+ Container [OPTIONAL] 2 | ========================================= 3 | 4 | When deploying NGINX+ in a Kubernetes cluster you will need to build a local 5 | container that has NGINX+. 6 | 7 | The following is an optional lab exercise. We have pre-built an image for your 8 | use in the lab environment and made the necessary modifications to pull from 9 | the pre-built repository. 10 | 11 | Retrieve NGINX License Cert/Key 12 | ------------------------------- 13 | 14 | On the K8S Cluster in the directory ``~/kubernetes-ingress`` you will need to 15 | place a copy of ``nginx-repo.crt`` and ``nginx-repo.key`` that you obtain from 16 | the NGINX Customer portal. 17 | 18 | Build an image and push to a private repo 19 | ----------------------------------------- 20 | 21 | The following resource should be used when pushing to a private repo: 22 | 23 | https://github.com/nginxinc/kubernetes-ingress/tree/master/build 24 | 25 | In the UDF demo environment the address of the internal registry is 26 | ``registry.internal:30500`` and the user credentials are "registry:registry". These are lab defaults for the demo registry; use your own registry address and credentials elsewhere. 27 | -------------------------------------------------------------------------------- /ocp4/docs/walkthrough/reset.rst: -------------------------------------------------------------------------------- 1 | Resetting the environment 2 | ========================= 3 | 4 | You will need to SSH to the "web" host to reset the environment. 5 | 6 | On the Windows desktop you will want to click on the Putty icon. You will 7 | then select the "web" host and click on "open". 8 | 9 | .. image:: windows-putty.png 10 | :scale: 50 % 11 | 12 | You will next want to change your directory to `/home/centos/f5-k8s-demo/ocp4`. 
13 | This directory is from the following GitHub repo: https://github.com/f5devcentral/f5-k8s-demo/tree/ocp4/ocp4 14 | 15 | You will then run the command `teardown_demo.sh`. This will RESET the environment. 16 | 17 | .. code-block:: shell 18 | 19 | $ cd ~/f5-k8s-demo/ocp4 20 | $ ./teardown_demo.sh 21 | 22 | .. image:: putty-cd-ocp4.png 23 | :scale: 50 % 24 | 25 | It will take a few minutes to complete. 26 | 27 | .. image:: putty-teardown.png 28 | :scale: 50 % 29 | 30 | After it completes you will have an "empty" OpenShift environment and a "fresh" 31 | BIG-IP that has not been configured to use Container Ingress Services. 32 | 33 | You may want to restart the BIG-IP at this point to ensure that it is properly reset. 34 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/_static/css/custom.css: -------------------------------------------------------------------------------- 1 | img { 2 | margin-bottom: 12px; 3 | } 4 | 5 | table { 6 | margin-bottom: 12px; 7 | } 8 | 9 | .section ol.loweralpha > li { 10 | list-style: lower-alpha; 11 | padding-bottom: 5px; 12 | } 13 | 14 | .section ol.upperalpha > li { 15 | list-style: upper-alpha; 16 | padding-bottom: 5px; 17 | } 18 | 19 | .section ol.arabic > li { 20 | list-style: decimal; 21 | padding-bottom: 5px; 22 | } 23 | 24 | .section ol.lowerroman > li { 25 | list-style: lower-roman; 26 | padding-bottom: 5px; 27 | } 28 | 29 | .section ol.upperroman > li { 30 | list-style: upper-roman; 31 | padding-bottom: 5px; 32 | } 33 | 34 | .align-center { 35 | display: block; 36 | margin-left: auto; 37 | margin-right: auto; 38 | } 39 | 40 | .align-right { 41 | display: block; 42 | margin-left: auto; 43 | margin-right: 0; 44 | } 45 | 46 | .red { 47 | color: rgb(192, 0, 0); 48 | } 49 | 50 | .bred { 51 | color: rgb(192, 0, 0); 52 | font-weight: bold; 53 | } 54 | 55 | ul { 56 | padding-left: 20px; 57 | padding-top: 5px; 58 | padding-bottom: 5px; 59 | } 60 | 61 | 
ul.simple { 62 | padding-left: 20px; 63 | padding-top: 5px; 64 | padding-bottom: 5px; 65 | } 66 | -------------------------------------------------------------------------------- /ocp4/as3-configmap-override-both.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: f5-as3-override 5 | namespace: default 6 | labels: 7 | f5type: virtual-server 8 | overrideAS3: "true" 9 | data: 10 | template: | 11 | { 12 | "declaration": { 13 | "ocp_AS3": { 14 | "Shared": { 15 | "ingress_10_1_10_102_80": { 16 | "securityLogProfiles": [ 17 | { 18 | "bigip": "/Common/Log all requests" 19 | } 20 | ], 21 | "policyWAF": { 22 | "bigip": "/Common/linux-low" 23 | } 24 | }, 25 | "ose_vserver": { 26 | "securityLogProfiles": [ 27 | { 28 | "bigip": "/Common/Log all requests" 29 | } 30 | ], 31 | "policyWAF": { 32 | "bigip": "/Common/linux-low" 33 | } 34 | } 35 | } 36 | } 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /ocp4/as3-configmap-override-ingress.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: f5-as3-override 5 | namespace: default 6 | labels: 7 | f5type: virtual-server 8 | overrideAS3: "true" 9 | data: 10 | template: | 11 | { 12 | "declaration": { 13 | "ocp_AS3": { 14 | "Shared": { 15 | "ingress_10_1_10_102_80": { 16 | "securityLogProfiles": [ 17 | { 18 | "bigip": "/Common/Log all requests" 19 | } 20 | ], 21 | "policyWAF": { 22 | "bigip": "/Common/linux-low" 23 | } 24 | }, 25 | "ose_vserver": { 26 | "securityLogProfiles": [ 27 | { 28 | "bigip": "/Common/Log all requests" 29 | } 30 | ], 31 | "policyWAF": { 32 | "bigip": "/Common/linux-low" 33 | } 34 | } 35 | } 36 | } 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /ocp4/as3-configmap-override-route.yaml: 
-------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: f5-as3-override 5 | namespace: default 6 | labels: 7 | f5type: virtual-server 8 | overrideAS3: "true" 9 | data: 10 | template: | 11 | { 12 | "declaration": { 13 | "ocp": { 14 | "Shared": { 15 | "ose_vserver": { 16 | "securityLogProfiles": [ 17 | { 18 | "bigip": "/Common/Log all requests" 19 | } 20 | ], 21 | "policyWAF": { 22 | "bigip": "/Common/linux-low" 23 | }, 24 | "persistenceMethods": [], 25 | "profileMultiplex": { 26 | "bigip": "/Common/oneconnect" 27 | }, 28 | "profileHTTP":{"use": "XFF_HTTP_Profile"} 29 | }, 30 | "XFF_HTTP_Profile": { 31 | "class": "HTTP_Profile", 32 | "xForwardedFor": true 33 | } 34 | } 35 | } 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/nginx/nginx_health.js: -------------------------------------------------------------------------------- 1 | function StatusByFqdn(r) { 2 | r.subrequest("/api/5/http/upstreams", { 3 | method: "GET" 4 | }, (res) => { 5 | var myRe = /[a-zA-Z0-9]+\.f5demo\.com/; 6 | var needle = r.args["fqdn"]; 7 | function filterUp(item) { 8 | if (item.state === "up") { 9 | return true; 10 | } 11 | return false; 12 | } 13 | 14 | if (res.status == 200) { 15 | var input = JSON.parse(res.responseBody); 16 | for (var u in input) { 17 | var tmp = myRe.exec(u); 18 | if (tmp && tmp[0] === needle) { 19 | var cnt = input[u].peers.filter(filterUp).length; 20 | if (cnt) { 21 | r.return(res.status, JSON.stringify({ "status": true })); 22 | return; 23 | } else { 24 | r.return(res.status, JSON.stringify({ "status": false })); 25 | return; 26 | } 27 | 28 | } 29 | } 30 | r.return(res.status, JSON.stringify({ "status": false })); 31 | return; 32 | } 33 | r.return(500); 34 | }); 35 | 36 | } 37 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/nginx/crd/cafe.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: coffee 5 | spec: 6 | replicas: 2 7 | selector: 8 | matchLabels: 9 | app: coffee 10 | template: 11 | metadata: 12 | labels: 13 | app: coffee 14 | spec: 15 | containers: 16 | - name: coffee 17 | image: nginxdemos/hello:plain-text 18 | ports: 19 | - containerPort: 80 20 | --- 21 | apiVersion: v1 22 | kind: Service 23 | metadata: 24 | name: coffee-svc 25 | spec: 26 | ports: 27 | - port: 80 28 | targetPort: 80 29 | protocol: TCP 30 | name: http 31 | selector: 32 | app: coffee 33 | --- 34 | apiVersion: apps/v1 35 | kind: Deployment 36 | metadata: 37 | name: tea 38 | spec: 39 | replicas: 1 40 | selector: 41 | matchLabels: 42 | app: tea 43 | template: 44 | metadata: 45 | labels: 46 | app: tea 47 | spec: 48 | containers: 49 | - name: tea 50 | image: nginxdemos/hello:plain-text 51 | ports: 52 | - containerPort: 80 53 | --- 54 | apiVersion: v1 55 | kind: Service 56 | metadata: 57 | name: tea-svc 58 | spec: 59 | ports: 60 | - port: 80 61 | targetPort: 80 62 | protocol: TCP 63 | name: http 64 | selector: 65 | app: tea -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-operator/helm-charts/F5Demo/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: {{ .Release.Name }}-as3-configmap 5 | labels: 6 | f5type: virtual-server 7 | as3: "true" 8 | data: 9 | template: | 10 | { 11 | "class": "AS3", 12 | "declaration": { 13 | "class": "ADC", 14 | "schemaVersion": "3.1.0", 15 | "id": "{{ .Release.Name }}", 16 | "label": "CIS AS3 Example", 17 | "remark": "Example of using CIS",{{ if .Values.common }} 18 | {{- include .Values.common.template . 
}}{{ end }} 19 | "AS3": { 20 | "class": "Tenant"{{- if .Values.applications }}, 21 | "MyApps": { 22 | "class": "Application", 23 | "template": "generic" 24 | {{- $local := dict "first" true }} 25 | {{- $local := dict "cnt" 8000 }} 26 | {{- range $items := .Values.applications }} 27 | {{- range $app, $val := $items }} 28 | {{- $_ := set $val "cnt" $local.cnt }} 29 | {{- if not $local.first }},{{- end }} 30 | {{- $_ := set $local "first" false }} 31 | {{- $_ := set $local "cnt" ($local.cnt |add1) }} 32 | {{- include $val.template $val }} 33 | {{- end }} 34 | {{- end }} 35 | } 36 | {{- end }} 37 | } 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-operator/helm-charts/F5Demo/nginx-plus.ds.yaml: -------------------------------------------------------------------------------- 1 | # Default values for f5-as3. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | common: 5 | template: f5demo.common.dns.v3 6 | devices: 7 | 0: 8 | address: "10.1.10.240" 9 | addressTranslation: "10.1.10.240" 10 | 11 | virtualServers: 12 | 0: 13 | address: 10.1.10.11 14 | port: 8245 15 | addressTranslation: 10.1.10.11 16 | addressTranslationPort: 8245 17 | 1: 18 | address: 10.1.10.21 19 | port: 8245 20 | addressTranslation: 10.1.10.21 21 | addressTranslationPort: 8245 22 | 2: 23 | address: 10.1.10.22 24 | port: 8245 25 | addressTranslation: 10.1.10.22 26 | addressTranslationPort: 8245 27 | 28 | applications: 29 | - blue: 30 | name: blue 31 | template: f5demo.sni.dns.v3 32 | fqdn: blue.f5demo.com 33 | virtualServers: 34 | - 0 35 | - 1 36 | - 2 37 | send: "GET /health?fqdn=blue.f5demo.com" 38 | receive: "status\":true" 39 | - green: 40 | name: green 41 | template: f5demo.sni.dns.v3 42 | fqdn: green.f5demo.com 43 | virtualServers: 44 | - 0 45 | - 1 46 | - 2 47 | send: "GET /health?fqdn=green.f5demo.com" 48 | receive: "status\":true" 49 | 
-------------------------------------------------------------------------------- /ocp4-aws-upi/README.md: -------------------------------------------------------------------------------- 1 | # Eric Chen's OpenShift 4 AWS UPI Demo 2 | 3 | ## summary 4 | 5 | This will install OpenShift 4 in AWS with Terraform. 6 | 7 | This will use the BIG-IP instead of NLB for the edge 8 | load balancer 9 | 10 | ## requirements 11 | 12 | - Linux box 13 | - recent version of openssl 14 | - aws CLI 15 | 16 | ## setup 17 | 18 | Obtain the "pull secret" from: https://cloud.redhat.com/openshift/install/aws/user-provisioned 19 | 20 | Copy the value into "install-config.yaml" and add your ssh key. The file then contains the pull secret, so keep it out of version control. 21 | 22 | Create a directory "upi" and copy install-config.yaml into that directory. 23 | 24 | Download the OpenShift installer (currently using 4.3.x) from: https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.3.22/ 25 | 26 | Run 27 | ``` 28 | ./openshift-install --dir ocp4 create ignition-configs 29 | ``` 30 | 31 | Go into the terraform directory and create a file terraform.tfvars 32 | ``` 33 | # example 34 | prefix="erchen" 35 | # ssh key in the region that you specified 36 | ssh_key="erchen" 37 | aws_region="us-west-2" 38 | # AMI id for RHOCS in that region 39 | rhcos_ami = "ami-0d231993dddc5cd2e" 40 | # only if you use platform aws 41 | cluster_id = "dc1-cb85p" 42 | # your IP address 43 | allow_ip = "192.0.2.10/32" 44 | ``` 45 | 46 | ``` 47 | terraform init 48 | terraform plan 49 | terraform apply -auto-approve 50 | ``` 51 | 52 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/class1/module3/lab3.rst: -------------------------------------------------------------------------------- 1 | Lab 3.3 - Deploy Better L7 WAF Policies 2 | ======================================= 3 | 4 | This lab will deploy L7 WAF policies to protect NGINX+ and the applications 5 | that are running behind it. 
6 | 7 | In the previous lab the BIG-IP was acting as a L4 TCP proxy similar to a cloud 8 | proxy like an AWS NLB, Azure ALB, or Google Regional TCP Load Balancer. 9 | 10 | The BIG-IP is capable of providing advanced DDoS and Web 11 | Application Firewall (WAF) protection. 12 | 13 | Deploying a WAF Policy 14 | ---------------------- 15 | 16 | On the K8S Master Node run the specified ``kubectl`` command. 17 | 18 | This will update the ConfigMap and trigger the F5 BIG-IP Controller for 19 | Kubernetes to push a new updated configuration to the BIG-IP that is sitting 20 | outside the Kubernetes cluster. 21 | 22 | .. code:: shell 23 | 24 | kubectl apply -f ~/f5-cis/cis-better-together-configmap.yaml 25 | .. 26 | 27 | Now you should be able to trigger the WAF policy by sending a contrived attack 28 | to steal coffee. 29 | 30 | .. code:: shell 31 | 32 | curl -k https://cafe.example.com/coffee -v -H "X-Hacker: cat /etc/paswd" 33 | 34 | On the BIG-IP go to Security -> Event Logs and you should see the blocked request. 35 | 36 | .. image:: /_static/class1-module3-lab2-view-illegal-request.png 37 | -------------------------------------------------------------------------------- /ocp4/docs/demo/dns/index.rst: -------------------------------------------------------------------------------- 1 | BIG-IP DNS 2 | ========== 3 | 4 | Introduction 5 | ~~~~~~~~~~~~ 6 | 7 | In this demo environment we have deployed some examples of using BIG-IP DNS with OpenShift. These include: 8 | 9 | * Wildcard DNS for *.apps.[base domain] 10 | * Individual DNS for [specific app].apps.[base domain] 11 | * Caching/Static DNS resolver to support OpenShift DNS infrastructure requirements 12 | 13 | Demo 14 | ~~~~ 15 | 16 | Start by selecting the "OpenShiftDNS" partition on the BIG-IP. Take a look at the Wide-IPs that were created. 17 | 18 | .. image:: bigip-wideip.png 19 | :scale: 50 % 20 | 21 | Note that we have created several DNS records to support this lab environment. 
22 | 23 | Next change to the "OpenShiftDNSPerApp" partition. 24 | 25 | Drill down to the DNS pool "www_route_pool". This is an example of where BIG-IP DNS is monitoring the 26 | OpenShift Router directly. Note that an external monitor is being used. In this scenario we are emulating 27 | a situation where you are monitoring a service that is using a "passthrough" OpenShift route. When "passthrough" 28 | is enabled it requires that BIG-IP DNS use Server Name Indication (SNI) when sending health checks to the OpenShift 29 | Router, because the Router does not terminate TLS for such a route and selects the backend from the SNI value. 30 | 31 | .. image:: bigip-dns-pool.png 32 | :scale: 25 % 33 | :align: left 34 | 35 | .. image:: bigip-external-monitor.png 36 | :scale: 25 % 37 | :align: right -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/f5-cis/cis-rbac.yaml: -------------------------------------------------------------------------------- 1 | # Source: f5-bigip-ctlr/templates/f5-bigip-ctlr-clusterrole.yaml 2 | kind: ClusterRole 3 | apiVersion: rbac.authorization.k8s.io/v1beta1 4 | metadata: 5 | name: bigip1-f5-bigip-ctlr 6 | labels: 7 | app: f5-bigip-ctlr 8 | chart: f5-bigip-ctlr-0.0.6 9 | release: bigip1 10 | heritage: Tiller 11 | rules: 12 | - apiGroups: 13 | - "" 14 | - "extensions" 15 | resources: 16 | - nodes 17 | - services 18 | - endpoints 19 | - namespaces 20 | - ingresses 21 | - secrets 22 | - pods 23 | verbs: 24 | - get 25 | - list 26 | - watch 27 | - apiGroups: 28 | - "" 29 | - "extensions" 30 | resources: 31 | - configmaps 32 | - events 33 | - ingresses/status 34 | verbs: 35 | - get 36 | - list 37 | - watch 38 | - update 39 | - create 40 | - patch 41 | --- 42 | # Source: f5-bigip-ctlr/templates/f5-bigip-ctlr-clusterrolebinding.yaml 43 | kind: ClusterRoleBinding 44 | apiVersion: rbac.authorization.k8s.io/v1beta1 45 | metadata: 46 | name: bigip1-f5-bigip-ctlr 47 | labels: 48 | app: f5-bigip-ctlr 49 | chart: f5-bigip-ctlr-0.0.6 50 | release: bigip1 51 | heritage: Tiller 52 | roleRef: 53 | apiGroup: 
rbac.authorization.k8s.io 54 | kind: ClusterRole 55 | name: bigip1-f5-bigip-ctlr 56 | subjects: 57 | - kind: ServiceAccount 58 | name: bigip1-f5-bigip-ctlr 59 | namespace: "kube-system" 60 | 61 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/class1/module1/module1.rst: -------------------------------------------------------------------------------- 1 | Module 1: Deploying and Exposing a Kubernetes Service using NodePort 2 | ==================================================================== 3 | 4 | In this module you will learn how to deploy and expose an application 5 | service in Kubernetes. 6 | 7 | Kubernetes normally makes use of a private overlay network and uses a 8 | Container Network Interface (CNI) that abstracts the technology that 9 | is being used (i.e. VXLAN with the CNI Flannel or BGP with the CNI Calico). 10 | 11 | To access a container (also referred to as a "pod") you either need to 12 | participate in the overlay network and/or make use of two methods of exposing 13 | services. 14 | 15 | **Method 1: Node Port** 16 | 17 | This method exposes an ephemeral port (i.e. 31345) and maps it to a service via 18 | a host-based load balancer, kube-proxy. Typically kube-proxy will either use 19 | IP Tables or IPVS to route traffic to the final destination. 20 | 21 | **Method 2: Load Balancer** 22 | 23 | The second method is to use an external load balancer that will either make use 24 | of Node Port to connect to a service or route directly to the pod via the CNI 25 | (participates in the VXLAN, BGP, or cloud provider network). 26 | 27 | .. image:: /_static/k8network.png 28 | :scale: 50 29 | 30 | .. 
toctree:: 31 | :maxdepth: 1 32 | :glob: 33 | 34 | lab* 35 | -------------------------------------------------------------------------------- /ocp4/as3-configmap-basic.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Source: F5Demo/templates/configmap.yaml 3 | kind: ConfigMap 4 | apiVersion: v1 5 | metadata: 6 | name: f5demo-as3-configmap 7 | labels: 8 | f5type: virtual-server 9 | as3: "true" 10 | data: 11 | template: | 12 | { 13 | "class": "AS3", 14 | "declaration": { 15 | "class": "ADC", 16 | "schemaVersion": "3.1.0", 17 | "id": "f5demo", 18 | "label": "CIS AS3 Example", 19 | "remark": "Example of using CIS ConfigMap", 20 | "ConfigMap": { 21 | "class": "Tenant", 22 | "MyApps": { 23 | "class": "Application", 24 | "template": "generic", 25 | "frontend": { 26 | "class": "Service_TCP", 27 | "virtualAddresses": ["10.1.10.101"], 28 | "remark":"frontend: f5demo.tcp.v1", 29 | "persistenceMethods":[], 30 | "virtualPort": 80, 31 | "pool": "frontend2_pool" 32 | }, 33 | "frontend2_pool": { 34 | "class": "Pool", 35 | "monitors": [ "tcp" ], 36 | "members": [{ 37 | "servicePort": 8080, 38 | "serverAddresses": [], 39 | "shareNodes": true 40 | }] 41 | } 42 | } 43 | } 44 | } 45 | } 46 | 47 | 48 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-operator/helm-charts/F5Demo/istio-values-jwt.yaml: -------------------------------------------------------------------------------- 1 | # Default values for f5-as3. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 
4 | common: 5 | template: f5demo.common.basic.v1 6 | irules: 7 | Host_Header_To_Sni: "iRules/host_header_to_sni.irule" 8 | 9 | applications: 10 | - istiotgwcis: 11 | name: istiogwcis 12 | template: f5demo.tcp.v1 13 | virtualAddress: "10.1.10.80" 14 | virtualPort: 80 15 | - istiotgwcistls: 16 | name: istiogwcistls 17 | template: f5demo.tcp.v1 18 | virtualAddress: "10.1.10.80" 19 | virtualPort: 443 20 | - istiotgwcismtls: 21 | name: istiogwcismtls 22 | template: f5demo.waf.sni.https.v1 23 | virtualAddress: "10.1.10.80" 24 | pool: istiogwcistls_pool 25 | serverTLS: "{\"bigip\":\"/Common/httpbin.example.com_clientssl_c3d\"}" 26 | clientTLS: "{\"bigip\":\"/Common/istio_serverssl_c3d\"}" 27 | virtualPort: 8443 28 | - istiotgwcismtlsidentity: 29 | name: istiogwcismtlsidentity 30 | template: f5demo.identity.sni.https.v1 31 | virtualAddress: "10.1.10.80" 32 | pool: istiogwcistls_pool 33 | serverTLS: "{\"bigip\":\"/Common/httpbin.example.com_clientssl\"}" 34 | clientTLS: "{\"bigip\":\"/Common/istio_serverssl\"}" 35 | identityPolicy: /Common/istio-ap 36 | virtualPort: 9443 37 | 38 | 39 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5demo-operator/helm-charts/F5Demo/istio-values-v2.yaml: -------------------------------------------------------------------------------- 1 | # Default values for f5-as3. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 
4 | common: 5 | template: f5demo.common.basic.v1 6 | irules: 7 | Host_Header_To_Sni: "iRules/host_header_to_sni.irule" 8 | 9 | applications: 10 | - istiotgwcis: 11 | name: istiogwcis 12 | template: f5demo.tcp.v1 13 | virtualAddress: "10.1.10.80" 14 | virtualPort: 80 15 | - istiotgwcistls: 16 | name: istiogwcistls 17 | template: f5demo.tcp.v1 18 | virtualAddress: "10.1.10.80" 19 | virtualPort: 443 20 | - istiotgwcismtls: 21 | name: istiogwcismtls 22 | template: f5demo.waf.sni.https.v1 23 | virtualAddress: "10.1.10.80" 24 | pool: istiogwcistls_pool 25 | serverTLS: "{\"bigip\":\"/Common/httpbin.example.com_clientssl_c3d\"}" 26 | clientTLS: "{\"bigip\":\"/Common/istio_serverssl_c3d\"}" 27 | virtualPort: 8443 28 | - istiotgwcismtlsidentity: 29 | name: istiogwcismtlsidentity 30 | template: f5demo.identity.sni.https.v1 31 | virtualAddress: "10.1.10.80" 32 | pool: istiogwcistls_pool 33 | serverTLS: "{\"bigip\":\"/Common/httpbin.example.com_clientssl\"}" 34 | clientTLS: "{\"bigip\":\"/Common/istio_serverssl\"}" 35 | identityPolicy: /Common/istio-ap 36 | virtualPort: 9443 37 | 38 | 39 | -------------------------------------------------------------------------------- /chen-k8s-demo/istio/my-certs/root-cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDpjCCAo6gAwIBAgIUSpuabxnXu19oLF0fLKu17PNAtqEwDQYJKoZIhvcNAQEL 3 | BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT 4 | B1NlYXR0bGUxFDASBgNVBAoTC0Y1IE5ldHdvcmtzMQ0wCwYDVQQLEwREZW1vMB4X 5 | DTE4MDQyMDA2NDMwMFoXDTIzMDQxOTA2NDMwMFowWTELMAkGA1UEBhMCVVMxEzAR 6 | BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxFDASBgNVBAoTC0Y1 7 | IE5ldHdvcmtzMQ0wCwYDVQQLEwREZW1vMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A 8 | MIIBCgKCAQEA5B7v5d/xsEWcmLfhtHDZAE8vAn3qmiEMLT5lFSdxzCg6h0JkqeDF 9 | iv50OGW00h2almjgEDMW+ldmjW+bSlWz5kpqdmzTXLnmw6/UN4Da+8odsw0abplS 10 | 6DNz/xjWcdw4YiLFY167AmtDUNXaJ/jTBAgWGYJy/rl2u1vpi1CWiJozpR/g/Jsb 11 | 
bAxPXG54ZZi2yUbCVh12DmjAqBfU3LFCvvOQHYyjCon76sLnXifrWSjb8EOVJZc8 12 | Vw3IdRq0vf74Q62RgQXNAd1G5hme7kl/RdrrWqxlxCK8XXU2RSVnAX5baVxY/HC0 13 | lvXKsfFbJec+DkTAaZLZN4KJLfkvoylLXQIDAQABo2YwZDAOBgNVHQ8BAf8EBAMC 14 | AQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUZMweOHhEJSxmmNQsG7ol 15 | UTP3D4owHwYDVR0jBBgwFoAUZMweOHhEJSxmmNQsG7olUTP3D4owDQYJKoZIhvcN 16 | AQELBQADggEBAN0914undNu7bLOk+wVOTvfkL14jAoRCmv/rQBwvJoWNuU7d7TKk 17 | D0SZ/GME8kNg9RIAY/POCTiISrORIkoMwt4eLv0bDejualvJ7MwqOvgdFby6BuGg 18 | 5dVioFfcwQA/i4L0smHX8QY+w8+RlD7DZnHKcx/C7sPHCkrqmLYLDQSalvv8KgwF 19 | mBB/SBS/yACKpaJPCC3Vlj7aPt5aS6GmH25LpAeDM7LLrDHLj+osLbhkGou0ifYy 20 | 8RelfbJlI37NjVMJRWF1EsuSG0xYJPFg9/nqM6UPUHxLx+MmSJ6ibBj6MF6cYkKQ 21 | 5Okq/kt3E65/mPltGVmGYPFzwfqLIJFx13E= 22 | -----END CERTIFICATE----- 23 | -------------------------------------------------------------------------------- /chen-k8s-demo/istio/my-certs/ca-cert.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDuTCCAqGgAwIBAgIUMWh/MN1Zal85jTnvcLDxMLqzEzMwDQYJKoZIhvcNAQEL 3 | BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT 4 | B1NlYXR0bGUxFDASBgNVBAoTC0Y1IE5ldHdvcmtzMQ0wCwYDVQQLEwREZW1vMB4X 5 | DTE5MDQwNjA1MDIwMFoXDTI0MDQwNDA1MDIwMFowbDELMAkGA1UEBhMCVVMxEzAR 6 | BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxFDASBgNVBAoTC0Y1 7 | IE5ldHdvcmtzMQ0wCwYDVQQLEwREZW1vMREwDwYDVQQDEwhJc3RpbyBDQTCCASIw 8 | DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZEOzulmtKcW3PNlWh5upCJz/iR 9 | wZUXUfaQ/tktMfMyt1dzfvxGz+VlTblxPlKt98PYsdzdhz4abczjk0fSJ3FzUYp9 10 | CDR/Tf8iTUj+XloZvwR+meZLtX32hhKzVe4uLe1bcF5VUOfRSBQq3UWGOA9ZGn8o 11 | 1d2KIiz+4vGQ8M7PQaQ4L6NQ4KpCOeflHF2I/g68C5WDpnbh/jwZIz18kIPr/0vy 12 | 7eTTgmf7bIpT6anZdW0OgJLvuqNEU/tHpt4XfZ4Zk+Ogt2jc0P3i1dk8JSypaVrb 13 | l28WeKTSHj0YHqYuARuwvmYZabKhw4JUutwC6EhxdhIQBhgSbrhBeJ/AS+sCAwEA 14 | AaNmMGQwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0O 15 | BBYEFCHe3/dXDHW2ICj8jY2RsjnhvathMB8GA1UdIwQYMBaAFGTMHjh4RCUsZpjU 16 | 
LBu6JVEz9w+KMA0GCSqGSIb3DQEBCwUAA4IBAQDTu4UoobTFa5qljHYGTuLA58I2 17 | AlazQHqZ2lfsGq2Mik4wxF/GxdOskjAVgr50c6IN+ijxWHtnmzHb1QXkGSrp1saM 18 | 8zx7d26Sqfa5Lr5QBIalcZrEARYBq/PI3dMInM6okPC0l31fWqgacfT+q362heKS 19 | p2vWE73ORvvor7lZ4VlYU1FR6G2me2aJJv5R4HrThDSF4ysjj2i7axskhzaAQ8HU 20 | XK7dChldbMKXFPnQHjs3/XqTNleqDheXr9UmeNzdmESKl3a1nPUYJxpE/pB0/M5a 21 | T6STTHlSNLhAUziBmsMDA0g458YwJUvBxSD7VPxjGzyYAjirKeCREvUbuFWI 22 | -----END CERTIFICATE----- 23 | -------------------------------------------------------------------------------- /nginx-ingress-controller-cis/f5-cis/cis-deployment.yaml: -------------------------------------------------------------------------------- 1 | # Source: f5-bigip-ctlr/templates/f5-bigip-ctlr-deploy.yaml 2 | apiVersion: extensions/v1beta1 3 | kind: Deployment 4 | metadata: 5 | name: bigip1-f5-bigip-ctlr 6 | labels: 7 | app: f5-bigip-ctlr 8 | chart: f5-bigip-ctlr-0.0.6 9 | release: bigip1 10 | heritage: Tiller 11 | spec: 12 | replicas: 1 13 | template: 14 | metadata: 15 | labels: 16 | app: f5-bigip-ctlr 17 | release: bigip1 18 | spec: 19 | serviceAccountName: bigip1-f5-bigip-ctlr 20 | imagePullSecrets: 21 | - name: f5-docker-images 22 | - name: bigip-login 23 | containers: 24 | - name: f5-bigip-ctlr 25 | image: "f5networks/k8s-bigip-ctlr:1.9.0" 26 | volumeMounts: 27 | - name: bigip-creds 28 | mountPath: "/tmp/creds" 29 | readOnly: true 30 | imagePullPolicy: IfNotPresent 31 | command: 32 | - /app/bin/k8s-bigip-ctlr 33 | args: 34 | - --credentials-directory 35 | - /tmp/creds 36 | - --bigip-partition 37 | - "kubernetes" 38 | - --bigip-url 39 | - "10.1.20.10" 40 | - --flannel-name 41 | - "flannel_vxlan" 42 | - --insecure 43 | - "true" 44 | - --pool-member-type 45 | - "cluster" 46 | volumes: 47 | - name: bigip-creds 48 | secret: 49 | secretName: bigip-login 50 | 51 | -------------------------------------------------------------------------------- /chen-k8s-demo/istio/my-certs/cert-chain.pem: 
-------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDuTCCAqGgAwIBAgIUMWh/MN1Zal85jTnvcLDxMLqzEzMwDQYJKoZIhvcNAQEL 3 | BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT 4 | B1NlYXR0bGUxFDASBgNVBAoTC0Y1IE5ldHdvcmtzMQ0wCwYDVQQLEwREZW1vMB4X 5 | DTE5MDQwNjA1MDIwMFoXDTI0MDQwNDA1MDIwMFowbDELMAkGA1UEBhMCVVMxEzAR 6 | BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxFDASBgNVBAoTC0Y1 7 | IE5ldHdvcmtzMQ0wCwYDVQQLEwREZW1vMREwDwYDVQQDEwhJc3RpbyBDQTCCASIw 8 | DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZEOzulmtKcW3PNlWh5upCJz/iR 9 | wZUXUfaQ/tktMfMyt1dzfvxGz+VlTblxPlKt98PYsdzdhz4abczjk0fSJ3FzUYp9 10 | CDR/Tf8iTUj+XloZvwR+meZLtX32hhKzVe4uLe1bcF5VUOfRSBQq3UWGOA9ZGn8o 11 | 1d2KIiz+4vGQ8M7PQaQ4L6NQ4KpCOeflHF2I/g68C5WDpnbh/jwZIz18kIPr/0vy 12 | 7eTTgmf7bIpT6anZdW0OgJLvuqNEU/tHpt4XfZ4Zk+Ogt2jc0P3i1dk8JSypaVrb 13 | l28WeKTSHj0YHqYuARuwvmYZabKhw4JUutwC6EhxdhIQBhgSbrhBeJ/AS+sCAwEA 14 | AaNmMGQwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0O 15 | BBYEFCHe3/dXDHW2ICj8jY2RsjnhvathMB8GA1UdIwQYMBaAFGTMHjh4RCUsZpjU 16 | LBu6JVEz9w+KMA0GCSqGSIb3DQEBCwUAA4IBAQDTu4UoobTFa5qljHYGTuLA58I2 17 | AlazQHqZ2lfsGq2Mik4wxF/GxdOskjAVgr50c6IN+ijxWHtnmzHb1QXkGSrp1saM 18 | 8zx7d26Sqfa5Lr5QBIalcZrEARYBq/PI3dMInM6okPC0l31fWqgacfT+q362heKS 19 | p2vWE73ORvvor7lZ4VlYU1FR6G2me2aJJv5R4HrThDSF4ysjj2i7axskhzaAQ8HU 20 | XK7dChldbMKXFPnQHjs3/XqTNleqDheXr9UmeNzdmESKl3a1nPUYJxpE/pB0/M5a 21 | T6STTHlSNLhAUziBmsMDA0g458YwJUvBxSD7VPxjGzyYAjirKeCREvUbuFWI 22 | -----END CERTIFICATE----- 23 | -------------------------------------------------------------------------------- /chen-k8s-demo/teardown/teardown_demo.Jenkinsfile: -------------------------------------------------------------------------------- 1 | stage('clone git repo') { 2 | node { 3 | git url: 'https://github.com/f5devcentral/f5-k8s-demo.git', branch:'1.3.0' 4 | } 5 | } 6 | 7 | stage('Delete BACKEND') { 8 | node { 9 | sh 'kubectl delete -f my-backend-service.yaml' 10 | sh 'kubectl 
delete -f my-backend-deployment.yaml' 11 | } 12 | } 13 | 14 | stage('Delete FRONTEND App') { 15 | node { 16 | sh 'kubectl delete -f my-frontend-configmap.yaml' 17 | sh 'kubectl delete -f my-frontend-service.yaml' 18 | sh 'kubectl delete -f my-frontend-deployment.yaml' 19 | } 20 | } 21 | stage('Delete Ingress') { 22 | node { 23 | sh 'kubectl delete -f blue-green-ingress.yaml' 24 | sh 'kubectl delete -f node-blue.yaml' 25 | sh 'kubectl delete -f node-green.yaml' 26 | } 27 | } 28 | 29 | stage('Delete F5 Container Connector') { 30 | node { 31 | sh 'sleep 30' 32 | sh 'kubectl delete -f f5-cc-deployment.yaml' 33 | sh 'kubectl delete secret bigip-login -n kube-system' 34 | sh 'kubectl delete serviceaccount bigip-ctlr -n kube-system' 35 | sh 'kubectl delete -f f5-k8s-sample-rbac.yaml' 36 | 37 | } 38 | } 39 | 40 | stage('delete kubernetes partition') { 41 | node { 42 | sh 'sleep 30' 43 | sh 'curl -k -u admin:admin -H "Content-Type: application/json" -X DELETE https://10.1.10.60/mgmt/tm/sys/folder/~kubernetes' 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/nginx/rbac.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRole 2 | apiVersion: rbac.authorization.k8s.io/v1beta1 3 | metadata: 4 | name: nginx-ingress 5 | rules: 6 | - apiGroups: 7 | - "" 8 | resources: 9 | - services 10 | - endpoints 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - "" 17 | resources: 18 | - secrets 19 | verbs: 20 | - get 21 | - list 22 | - watch 23 | - apiGroups: 24 | - "" 25 | resources: 26 | - configmaps 27 | verbs: 28 | - get 29 | - list 30 | - watch 31 | - update 32 | - create 33 | - apiGroups: 34 | - "" 35 | resources: 36 | - pods 37 | verbs: 38 | - list 39 | - watch 40 | - apiGroups: 41 | - "" 42 | resources: 43 | - events 44 | verbs: 45 | - create 46 | - patch 47 | - apiGroups: 48 | - extensions 49 | resources: 50 | - ingresses 51 | verbs: 
52 | - list 53 | - watch 54 | - get 55 | - apiGroups: 56 | - "extensions" 57 | resources: 58 | - ingresses/status 59 | verbs: 60 | - update 61 | - apiGroups: 62 | - k8s.nginx.org 63 | resources: 64 | - virtualservers 65 | - virtualserverroutes 66 | verbs: 67 | - list 68 | - watch 69 | - get 70 | --- 71 | kind: ClusterRoleBinding 72 | apiVersion: rbac.authorization.k8s.io/v1beta1 73 | metadata: 74 | name: nginx-ingress 75 | subjects: 76 | - kind: ServiceAccount 77 | name: nginx-ingress 78 | namespace: nginx-ingress 79 | roleRef: 80 | kind: ClusterRole 81 | name: nginx-ingress 82 | apiGroup: rbac.authorization.k8s.io 83 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/blue-green-ingress-tls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Ingress 3 | metadata: 4 | name: blue-green-ingress-tls 5 | annotations: 6 | virtual-server.f5.com/ip: "10.1.10.82" 7 | virtual-server.f5.com/https-port: "443" 8 | virtual-server.f5.com/http-port: "8080" 9 | virtual-server.f5.com/ssl-redirect: "false" 10 | ingress.kubernetes.io/allow-http: "true" 11 | virtual-server.f5.com/clientssl: "/Common/_wildcard_.f5demo.com_clientssl" 12 | virtual-server.f5.com/serverssl: "/Common/serverssl" 13 | virtual-server.f5.com/secure-serverssl: "false" 14 | virtual-server.f5.com/partition: "kubernetes" 15 | virtual-server.f5.com/health: | 16 | [ 17 | { 18 | "path": "blue.f5demo.com/", 19 | "send": "GET / HTTP/1.0", 20 | "interval": 5, 21 | "timeout": 15 22 | }, { 23 | "path": "green.f5demo.com/", 24 | "send": "GET / HTTP/1.0", 25 | "interval": 5, 26 | "timeout": 15 27 | } 28 | ] 29 | kubernetes.io/ingress.class: "f5" 30 | spec: 31 | tls: 32 | - secretName: /Common/_wildcard_.f5demo.com_clientssl 33 | 34 | rules: 35 | - host: blue.f5demo.com 36 | http: 37 | paths: 38 | - backend: 39 | serviceName: node-blue-tls 40 | servicePort: 443 41 | - host: green.f5demo.com 
42 | http: 43 | paths: 44 | - backend: 45 | serviceName: node-green-tls 46 | servicePort: 443 47 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/httpbin.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Istio Authors 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | ################################################################################################## 16 | # httpbin service 17 | ################################################################################################## 18 | apiVersion: v1 19 | kind: Service 20 | metadata: 21 | name: httpbin 22 | labels: 23 | app: httpbin 24 | spec: 25 | ports: 26 | - name: http 27 | port: 8000 28 | targetPort: 80 29 | selector: 30 | app: httpbin 31 | --- 32 | apiVersion: extensions/v1beta1 33 | kind: Deployment 34 | metadata: 35 | name: httpbin 36 | spec: 37 | replicas: 1 38 | template: 39 | metadata: 40 | labels: 41 | app: httpbin 42 | version: v1 43 | spec: 44 | containers: 45 | - image: docker.io/kennethreitz/httpbin 46 | imagePullPolicy: IfNotPresent 47 | name: httpbin 48 | ports: 49 | - containerPort: 80 50 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/setup_istio.sh: -------------------------------------------------------------------------------- 1 | kubectl apply -f 
../istio/istio-1.2.2-crd.yaml 2 | sleep 30 3 | kubectl apply -f ../istio/istio-1.2.2.yaml 4 | kubectl create ns istio-demo 5 | kubectl label namespace istio-demo istio-injection=enabled 6 | kubectl apply -f echo-deployment.yaml 7 | kubectl apply -f my-echo-service.yaml 8 | kubectl apply -f httpbin.yaml -n istio-demo 9 | kubectl apply -f istio-service.yaml -n istio-system 10 | kubectl -n istio-demo apply -f - < Global Configurations -> OAuth 15 | 16 | If you click on YAML you will see the existing configuration. 17 | 18 | .. code-block:: YAML 19 | 20 | spec: 21 | identityProviders: 22 | - mappingMethod: claim 23 | name: openid 24 | openID: 25 | ca: 26 | name: openid-ca-gxfzz 27 | claims: 28 | email: [] 29 | name: [] 30 | preferredUsername: 31 | - sub 32 | clientID: 8fd6a8c7fb056963c65a2b80473b5254005845adacf1e05e 33 | clientSecret: 34 | name: openid-client-secret-l4jkv 35 | extraScopes: [] 36 | issuer: 'https://f5oauth.dc1.example.com/f5-oauth2/v1' 37 | type: OpenID 38 | 39 | Click on "Add" and "OIDC" and you will see how this config was populated. 40 | 41 | .. image:: ocp4-console-oidc.png 42 | :scale: 50 % 43 | 44 | On the BIG-IP under the Common partition click on Access -> Federation -> OAuth Authorization Server -> Client Application 45 | 46 | .. image:: bigip-oauth-client-application.png 47 | :scale: 50% 48 | 49 | Next click on the profile (should be on the previous screen where you clicked on the application). 50 | 51 | .. image:: bigip-oauth-profile.png 52 | :scale: 50% 53 | 54 | You can also view the Access Policy as well. 55 | 56 | .. image:: bigip-oauth-ap.png 57 | :scale: 50 % 58 | 59 | The OpenShift Console is using this BIG-IP configuration to authenticate. 
-------------------------------------------------------------------------------- /nginx-ingress-controller-cis/sphinx-docs/docs/index.rst: -------------------------------------------------------------------------------- 1 | Welcome to the NGINX Ingress Controller Lab 2 | =========================================== 3 | 4 | The goal of this lab is to introduce you to NGINX+ as a Kubernetes Ingress 5 | Controller and F5 Container Ingress Services. The BIG-IP can act as the 6 | "front door" to the Kubernetes cluster and bring services to NGINX+ that is 7 | running inside the cluster. 8 | 9 | Together NGINX+ and BIG-IP will secure traffic to the Kubernetes applications. 10 | 11 | | 12 | | 13 | 14 | .. image:: /_static/nginx-plus-bigip-better-together.png 15 | :align: center 16 | :scale: 65 17 | 18 | | 19 | | 20 | 21 | The UDF Blueprint called **NGINX Ingress Controller Lab** will give you access 22 | to the following infrastructure: 23 | 24 | ============== ================== ============================================== 25 | System Hostname Description 26 | ============== ================== ============================================== 27 | BIG-IP1 ip-10-1-1-4 F5 BIG-IP 28 | k8S Master ip-10-1-1-9 Kubernetes Master node (where lab files are) 29 | k8S Node1 ip-10-1-1-10 Kubernetes Minion 30 | k8S Node2 ip-10-1-1-11 Kubernetes Minion 31 | Windows RDP ip-10-1-1-8 Windows JumpHost 32 | ============== ================== ============================================== 33 | 34 | .. note:: The entire lab can be performed from the Windows Jumphost 35 | (if you've not set up SSH keys for UDF). 36 | 37 | .. note:: The Lab Guide is available from UDF or on the Windows Jumphost. 38 | 39 | .. image:: /_static/NISguide.png 40 | :scale: 50 41 | 42 | .. 
toctree:: 43 | :maxdepth: 2 44 | :glob: 45 | 46 | class*/class* 47 | -------------------------------------------------------------------------------- /ocp4/docs/demo/fast/index.rst: -------------------------------------------------------------------------------- 1 | F5 Application Services Template (FAST) 2 | ======================================= 3 | 4 | Introduction 5 | ~~~~~~~~~~~~ 6 | 7 | FAST is being used to templatize the deployment. 8 | 9 | Demo 10 | ~~~~ 11 | 12 | You can view FAST under iApps -> Applications LX 13 | 14 | .. image:: bigip-iapplx.png 15 | 16 | Next click on "F5 Application Services Templates" 17 | 18 | You will see a basic auth prompt. Log in using admin/admin (the demo lab's credentials). 19 | 20 | The first page will show a list of the applications that have been deployed using FAST. 21 | 22 | .. image:: bigip-fast-apps.png 23 | 24 | Click on the first one. 25 | 26 | This represents the first set of configurations used for OpenShift. They consist of "Shared" resources that 27 | are deployed in the Common partition. Some of the objects are: 28 | 29 | - DNS Data Center 30 | - DNS Server 31 | - DNS Virtual Server 32 | - Shared Virtual Addresses 33 | 34 | .. image:: bigip-fast-shared.png 35 | :scale: 25 % 36 | 37 | The next set of resources are for provisioning DNS resources. These are created in the partition OpenShiftDNS. 38 | 39 | You can view the AS3 declaration that will be used to generate the DNS resources by clicking on "View Rendered". 40 | 41 | .. image:: bigip-fast-dns-rendered.png 42 | :scale: 50 % 43 | 44 | Open up Postman and run the "GET" request under the Fast collection. 45 | 46 | .. image:: postman-fast-apps.png 47 | :scale: 50 % 48 | 49 | Note that the output is succinct (short). 50 | 51 | Now run the "GET" request under the AS3 collection. It is very verbose! 52 | 53 | .. image:: postman-as3-get.png 54 | :scale: 50 % 55 | 56 | Compare this to the configuration on the BIG-IP. FAST made it fast to deploy. [slow clap]. 57 | 58 | .. 
image:: bigip-network-map.png 59 | :scale: 50 % 60 | -------------------------------------------------------------------------------- /chen-k8s-demo/scripts/refresh_nodes.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # update nodes if VTEP Mac Addr changes 3 | curl curl --stderr /dev/null -k -u admin:admin -H "Content-Type: application/json" "https://10.1.10.240/mgmt/tm/sys" | jq .selfLink -r | grep -E ver=1[23] 4 | if [ $? != 0 ] 5 | then 6 | macAddr1=$(curl --stderr /dev/null -k -u admin:admin -H "Content-Type: application/json" "https://10.1.10.240/mgmt/tm/net/tunnels/tunnel/~Common~flannel_vxlan/stats?options=all-properties"|jq '.entries."https://localhost/mgmt/tm/net/tunnels/tunnel/~Common~flannel_vxlan/stats"."nestedStats".entries.macAddr.description' -r) 7 | macAddr2=$(curl --stderr /dev/null -k -u admin:admin -H "Content-Type: application/json" "https://10.1.10.241/mgmt/tm/net/tunnels/tunnel/~Common~flannel_vxlan/stats?options=all-properties"|jq '.entries."https://localhost/mgmt/tm/net/tunnels/tunnel/~Common~flannel_vxlan/stats"."nestedStats".entries.macAddr.description' -r) 8 | else 9 | macAddr1=$(curl --stderr /dev/null -k -u admin:admin -H "Content-Type: application/json" "https://10.1.10.240/mgmt/tm/net/tunnels/tunnel/~Common~flannel_vxlan/stats?options=all-properties"|jq '.entries."https://localhost/mgmt/tm/net/tunnels/tunnel/~Common~flannel_vxlan/~Common~flannel_vxlan/stats"."nestedStats".entries.macAddr.description' -r) 10 | macAddr2=$(curl --stderr /dev/null -k -u admin:admin -H "Content-Type: application/json" "https://10.1.10.241/mgmt/tm/net/tunnels/tunnel/~Common~flannel_vxlan/stats?options=all-properties"|jq '.entries."https://localhost/mgmt/tm/net/tunnels/tunnel/~Common~flannel_vxlan/~Common~flannel_vxlan/stats"."nestedStats".entries.macAddr.description' -r) 11 | fi 12 | 13 | sed -e "s/MAC_ADDR/$macAddr1/g" bigip1-node.yaml |kubectl replace -f - 14 | sed -e "s/MAC_ADDR/$macAddr2/g" 
bigip2-node.yaml |kubectl replace -f - 15 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/iapps/k8s_http.json: -------------------------------------------------------------------------------- 1 | { 2 | "parent":"iapps/sample_defaults.json", 3 | "strings":[ 4 | { "pool__port":"80" }, 5 | { "pool__mask":"any"}, 6 | { "vs__AdvOptions":"translate-address=enabled"}, 7 | { "vs__ProfileHTTP":"create:type=http;defaults-from=/Common/http/;insert-xforwarded-for=enabled;accept-xff=enabled" }, 8 | { "feature__insertXForwardedFor":"enabled" }, 9 | { "feature__redirectToHTTPS":"disabled" }, 10 | { "vs__ProfileClientProtocol":"create:type=tcp;idle-timeout=60;defaults-from=/Common/tcp-mobile-optimized" } 11 | ], 12 | "tables":[ 13 | { 14 | "name":"pool__Pools", 15 | "columnNames": [ "Index", "Name", "Description", "LbMethod", "Monitor", "AdvOptions" ], 16 | "rows" : [ 17 | { "row": [ "0", "", "", "round-robin", "", "none"] } 18 | ] 19 | }, 20 | { 21 | "name":"pool__Members", 22 | "columnNames": [ "Index" ,"IPAddress", "Port", "ConnectionLimit", "Ratio", "PriorityGroup", "State", "AdvOptions" ], 23 | "rows" : [ ] 24 | }, 25 | { 26 | "name":"monitor__Monitors", 27 | "columnNames": ["Index", "Name", "Type", "Options"], 28 | "rows" : [ 29 | { "row": [ "0", "/Common/tcp", "none", "none" ] } 30 | ] 31 | }, 32 | { 33 | "name":"l7policy__rulesMatch", 34 | "columnNames": ["Index","Operand","Negate","Condition","Value","CaseSensitive","Missing"], 35 | "rows" : [ ] 36 | }, 37 | { 38 | "name":"l7policy__rulesAction", 39 | "columnNames": ["Index","Target","Parameter"], 40 | "rows" : [ ] 41 | }, 42 | { 43 | "name":"vs__BundledItems", 44 | "columnNames": ["Resource"], 45 | "rows" : [ 46 | { "row": [ "irule:url=http://10.1.10.100/catch_all.irule" ] } 47 | ] 48 | } 49 | 50 | ] 51 | } 52 | 53 | 54 | -------------------------------------------------------------------------------- /ocp4-aws-upi/terraform/main.tf: 
# Bucket that stages the files uploaded below (bootstrap.ign, admin.shadow).
# NOTE(review): no public-access block, default encryption or bucket policy is
# declared in this file — confirm they are configured elsewhere, since the
# staged objects are credential material.
resource "aws_s3_bucket" "s3_bucket" {
  bucket_prefix = "${var.prefix}-f5-ocp4-demo-s3bucket"
}

# Uploads the local ../upi/bootstrap.ign file under the key "bootstrap.ign".
resource "aws_s3_bucket_object" "bootstrap" {
  bucket = aws_s3_bucket.s3_bucket.id
  key    = "bootstrap.ign"
  source = "../upi/bootstrap.ign"
}

# Runs ./admin-shadow.sh on the machine executing Terraform.
# The original comment describes this step as "encrypt password sha512";
# presumably the script writes a SHA-512 password hash to admin.shadow —
# verify against the script.
resource "null_resource" "admin-shadow" {
  provisioner "local-exec" {
    command = "./admin-shadow.sh"
  }
}

# Uploads the local admin.shadow file; ordered after the script above.
resource "aws_s3_bucket_object" "password" {
  bucket     = aws_s3_bucket.s3_bucket.id
  key        = "admin.shadow"
  source     = "admin.shadow"
  depends_on = [null_resource.admin-shadow]
}

# Runs ./wait_for_bigip.sh locally with the bucket id as its argument, once
# the bigip1 instance exists.
resource "null_resource" "wait_for_bigip" {
  provisioner "local-exec" {
    command = "./wait_for_bigip.sh ${aws_s3_bucket.s3_bucket.id}"
  }
  depends_on = [aws_instance.bigip1]
}

# Renders ../deploy/terraform.tfvars.example with values from this stack.
data "template_file" "tfvars" {
  template = file("../deploy/terraform.tfvars.example")
  vars = {
    bigip_ip       = aws_instance.bigip1.public_ip
    prefix         = var.prefix
    ssh_key        = var.ssh_key
    aws_region     = var.aws_region
    rhcos_ami      = var.rhcos_ami
    subnet_id      = module.vpc.private_subnets[1]
    security_group = aws_security_group.f5-ocp4-demo.id
    # NOTE(review): the bootstrap and worker entries reuse the BIG-IP instance
    # profile; only the control plane gets its own. Confirm this sharing is
    # intended, because every node type then holds whatever IAM permissions
    # bigip_profile grants.
    iam_instance_profile_bigip         = aws_iam_instance_profile.bigip_profile.name
    iam_instance_profile_bootstrap     = aws_iam_instance_profile.bigip_profile.name
    iam_instance_profile_control-plane = aws_iam_instance_profile.control-plane_profile.name
    iam_instance_profile_worker        = aws_iam_instance_profile.bigip_profile.name
    s3_bucket                          = aws_s3_bucket.s3_bucket.id
    cluster_id                         = var.cluster_id
  }
}

# Writes the rendered variables to ../deploy/terraform.tfvars.
resource "local_file" "tfvars-deploy" {
  content  = data.template_file.tfvars.rendered
  filename = "../deploy/terraform.tfvars"
}
-------------------------------------------------------------------------------- /chen-k8s-demo/deployment/nginx/nginx-ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: nginx-ingress 5 | namespace: nginx-ingress 6 | spec: 7 | replicas: 1 8 | selector: 9 | matchLabels: 10 | app: nginx-ingress 11 | template: 12 | metadata: 13 | labels: 14 | app: nginx-ingress 15 | #annotations: 16 | #prometheus.io/scrape: "true" 17 | #prometheus.io/port: "9113" 18 | spec: 19 | serviceAccountName: nginx-ingress 20 | containers: 21 | - image: myregistry.example.com/nginx-plus-ingress:1.8.1 22 | imagePullPolicy: IfNotPresent 23 | name: nginx-plus-ingress 24 | ports: 25 | - name: http 26 | containerPort: 80 27 | - name: https 28 | containerPort: 443 29 | #- name: prometheus 30 | #containerPort: 9113 31 | securityContext: 32 | allowPrivilegeEscalation: true 33 | runAsUser: 101 #nginx 34 | capabilities: 35 | drop: 36 | - ALL 37 | add: 38 | - NET_BIND_SERVICE 39 | env: 40 | - name: POD_NAMESPACE 41 | valueFrom: 42 | fieldRef: 43 | fieldPath: metadata.namespace 44 | - name: POD_NAME 45 | valueFrom: 46 | fieldRef: 47 | fieldPath: metadata.name 48 | args: 49 | - -nginx-plus 50 | - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config 51 | - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret 52 | #- -v=3 # Enables extensive logging. Useful for troubleshooting. 
53 | #- -report-ingress-status 54 | #- -external-service=nginx-ingress 55 | #- -enable-leader-election 56 | #- -enable-prometheus-metrics 57 | - -enable-custom-resources 58 | # - -nginx-status-allow-cidrs=10.0.0.0/8 59 | - -nginx-status-allow-cidrs=0.0.0.0/0 #Wide open for status page DEMO ONLY 60 | 61 | -------------------------------------------------------------------------------- /ocp4/docs/demo/routes/index.rst: -------------------------------------------------------------------------------- 1 | OpenShift Routes 2 | ================ 3 | 4 | Introduction 5 | ~~~~~~~~~~~~ 6 | 7 | Container Ingress Services can be used to deploy an OpenShift Route. This can be used either as an 8 | auxiliary to the OpenShift Router or a replacement. The following will walk through looking at 9 | the Route resource in the OpenShift Console and comparing it to the generated configuration on the BIG-IP. 10 | 11 | Demo 12 | ~~~~ 13 | 14 | Under the "default" namespace expand "Networking" and click on "Routes". You should see the following 15 | two routes. 16 | 17 | .. image:: ocp4-console-cis-routes.png 18 | :scale: 50 % 19 | 20 | These routes have been deployed on the BIG-IP. We will look closer at the "cisroute" by clicking on it. 21 | 22 | After clicking on the "YAML" tab you should see the route itself. Take note of the host name and service. 23 | 24 | .. image:: ocp4-console-cis-routes-yaml.png 25 | :scale: 50 % 26 | 27 | Go back to the previous "Overview" page. Scroll down and take note that the route status lists both the 28 | "default" OCP router and "F5 BIG-IP". 29 | 30 | .. image:: ocp4-console-cis-routes-status.png 31 | :scale: 50 % 32 | 33 | Click on the route `http://my-frontend.cisroutes.dc1.example.com `_ 34 | 35 | Observe the source IP address of the connection. 36 | 37 | .. image:: chrome-my-frontend.png 38 | :scale: 50 % 39 | 40 | Click on the BIG-IP bookmark and look at the Local Traffic Policy for the route. 
41 | 42 | Login using the username "admin" and password "admin". 43 | 44 | You will need to select the partition "ocp_AS3" from the top right. 45 | 46 | .. image:: bigip-partition-ocp-as3.png 47 | :scale: 50 % 48 | 49 | Inspect the Local Traffic Policy that is being used for the route. 50 | 51 | `Local Traffic Manager -> Policies -> openshift_insecure_routes -> osr_default_cisroutes` 52 | 53 | .. image:: bigip-local-traffic-policy.png 54 | :scale: 50 % 55 | 56 | This matches the route that you saw earlier. 57 | 58 | 59 | 60 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/f5-cc-deployment-cluster.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Deployment 3 | metadata: 4 | name: k8s-bigip-ctlr-deployment 5 | namespace: kube-system 6 | spec: 7 | replicas: 1 8 | template: 9 | metadata: 10 | name: k8s-bigip-ctlr 11 | labels: 12 | app: k8s-bigip-ctlr 13 | spec: 14 | serviceAccountName: bigip-ctlr 15 | containers: 16 | - name: k8s-bigip-ctlr 17 | # replace the version as needed 18 | image: "f5networks/k8s-bigip-ctlr:1.5.1" 19 | env: 20 | - name: BIGIP_USERNAME 21 | valueFrom: 22 | secretKeyRef: 23 | name: bigip-login 24 | key: username 25 | - name: BIGIP_PASSWORD 26 | valueFrom: 27 | secretKeyRef: 28 | name: bigip-login 29 | key: password 30 | command: ["/app/bin/k8s-bigip-ctlr"] 31 | args: [ 32 | "--bigip-username=$(BIGIP_USERNAME)", 33 | "--bigip-password=$(BIGIP_PASSWORD)", 34 | "--bigip-url=10.1.10.60", 35 | "--bigip-partition=kubernetes", 36 | # The Controller can use local DNS to resolve hostnames; 37 | # defaults to LOOKUP; can be replaced with custom DNS server IP 38 | # or left blank (introduced in v1.3.0) 39 | "--resolve-ingress-names=LOOKUP", 40 | "--pool-member-type=cluster", 41 | "--flannel-name=flannel_vxlan" 42 | # The Controller can access Secrets by default; 43 | # set to "false" if you only want to use 
preconfigured 44 | # BIG-IP SSL profiles 45 | #"--use-secrets=false", 46 | # The Controller watches all namespaces by default. 47 | # To manage a single namespace, or multiple namespaces, provide a 48 | # single entry for each. For example: 49 | # "--namespace=test", 50 | # "--namespace=prod" 51 | ] 52 | imagePullSecrets: 53 | - name: f5-docker-images 54 | - name: bigip-login 55 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/nginx/crds/globalconfiguration.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1beta1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: globalconfigurations.k8s.nginx.org 5 | labels: 6 | app.kubernetes.io/name: "nginx-ingress" 7 | spec: 8 | group: k8s.nginx.org 9 | versions: 10 | - name: v1alpha1 11 | served: true 12 | storage: true 13 | scope: Namespaced 14 | names: 15 | plural: globalconfigurations 16 | singular: globalconfiguration 17 | kind: GlobalConfiguration 18 | shortNames: 19 | - gc 20 | preserveUnknownFields: false 21 | validation: 22 | openAPIV3Schema: 23 | description: GlobalConfiguration defines the GlobalConfiguration resource. 24 | type: object 25 | properties: 26 | apiVersion: 27 | description: 'APIVersion defines the versioned schema of this representation 28 | of an object. Servers should convert recognized schemas to the latest 29 | internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 30 | type: string 31 | kind: 32 | description: 'Kind is a string value representing the REST resource this 33 | object represents. Servers may infer this from the endpoint the client 34 | submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 35 | type: string 36 | metadata: 37 | type: object 38 | spec: 39 | description: GlobalConfigurationSpec is the spec of the GlobalConfiguration 40 | resource. 41 | type: object 42 | properties: 43 | listeners: 44 | type: array 45 | items: 46 | description: Listener defines a listener. 47 | type: object 48 | properties: 49 | name: 50 | type: string 51 | port: 52 | type: integer 53 | protocol: 54 | type: string 55 |
--------------------------------------------------------------------------------
/chen-k8s-demo/deployment/nginx/localhost.conf.template:
--------------------------------------------------------------------------------
# NGINX Plus configuration template (it uses the api, keyval and health_check
# directives) for a control endpoint on port 8245. It serves njs handlers and
# relays two internal paths to a BIG-IP and to api.cloudservices.f5.com.

# Upstream group named like the loopback address, pointing back at this server.
# NOTE(review): presumably named this way so that
# `proxy_pass http://127.0.0.1/...` in location /poll selects this group, which
# has the shared-memory zone that health_check requires - confirm.
upstream 127.0.0.1 {
    zone 127.0.0.1 64k;
    server 127.0.0.1:8245;
}
# BIG-IP address, port 443; target of the internal AS3 declare location below.
upstream bigip {
    server 10.1.1.5:443;
}
# F5 Cloud Services API; target of the internal subscriptions location below.
upstream cloud {
    server api.cloudservices.f5.com:443;
}

# Key-value zone "pools": persisted to pools.keyval, shared through zone sync,
# entries expire after 300 seconds.
keyval_zone zone=pools:32k state=pools.keyval sync timeout=300;
# $pool is the value stored under the fixed key "10.1.20.54".
keyval "10.1.20.54" $pool zone=pools;

# Loads the njs handlers named in the js_content directives below; their code
# is not part of this template.
js_include conf.d/nginx_to_as3.js;

server {
    subrequest_output_buffer_size 200k;
    # No address and no ssl parameter: plain HTTP on port 8245 on every local
    # address.
    listen 8245;
    server_name api.example.com;
    root /usr/share/nginx/html;
    set $data_center 'dc1';

    location /health {
        js_content StatusByFqdn;
    }

    location /version {
        js_content Version;
    }

    location = /dashboard.html {
    }
    # NGINX Plus REST API in read-write mode: a permitted client can change
    # upstream servers and key-value entries. The only gate is the
    # source-address list, and it admits all of 10.0.0.0/8 (marked "for demo").
    # Outside a lab, narrow it to loopback or named management hosts and put
    # authentication in front of it.
    location /api/ {
        api write=on;
        # allow 127.0.0.1;
        allow 10.0.0.0/8; # for demo
        deny all;
    }
    # The locations from here to /pools/push/cloud_dns carry no allow/deny or
    # auth directive, so every client that can reach port 8245 can call them.
    # NOTE(review): the handlers live in nginx_to_as3.js (not shown). Their
    # names and the internal proxy locations at the end of this block suggest
    # that /pools/update and /pools/push* change pool state and push
    # configuration to BIG-IP and cloud DNS - confirm, and restrict those paths
    # the same way as /api/.
    location /pool {
        return 200 $pool;
    }
    location /pools {
        js_content Summarize;
    }
    location /pools/update {
        js_content UpdatePools;
    }
    location /pools/push {
        js_content GenerateAS3;
    }

    location /pools/push/dns {
        js_content GenerateAS3Dns;
    }
    location /pools/push/cloud_dns {
        js_content GenerateCloudDns;
    }

    # internal: not reachable by client requests.
    # NOTE(review): the health_check looks like a 30-second timer that requests
    # /pools/update on this same server rather than a real health probe -
    # confirm.
    location /poll {
        internal;
        proxy_pass http://127.0.0.1/pools/update;
        health_check uri=/pools/update interval=30;
    }

    # Internal relay to the AS3 declare endpoint on the BIG-IP. Neither
    # proxy_ssl_verify nor proxy_ssl_trusted_certificate is set in this
    # template, and nginx does not validate upstream certificates by default,
    # so the peer is unauthenticated unless verification is enabled at a higher
    # level. How BIG-IP credentials are attached is not visible here.
    location /mgmt/shared/appsvcs/declare {
        internal;
        proxy_pass https://bigip;
    }
    # Same caveat for the cloud API. If verification is turned on, the expected
    # name defaults to the upstream group name ("cloud"), so proxy_ssl_name and
    # proxy_ssl_server_name would have to name api.cloudservices.f5.com.
    location /v1/svc-subscription/subscriptions {
        internal;
        proxy_pass https://cloud;
    }
}

--------------------------------------------------------------------------------
/ocp4-aws-upi/terraform/bigip.tf:
--------------------------------------------------------------------------------
# Generated password: 10 characters, no special characters.
# random_string results are not marked sensitive, so the value appears in
# plan/apply output; the random provider's random_password resource is the
# sensitive variant. In both cases the value is stored in clear text in the
# Terraform state, so the state backend needs access control and encryption.
# NOTE(review): where the value is consumed is not visible in this file -
# presumably the bigip_init template rendered into user_data; confirm.
resource "random_string" "password" {
  length = 10
  special = false
}

# Newest AMI whose name matches var.f5_ami_search_name. The owners filter
# limits the lookup to one publisher account, which keeps a look-alike image
# from another account from being selected.
# NOTE(review): 679593333241 is presumably the AWS Marketplace owner ID -
# confirm. With most_recent = true the image can change between applies; pin an
# AMI ID where deployments must be reproducible.
data "aws_ami" "f5_ami" {
  most_recent = true
  owners = ["679593333241"]

  filter {
    name = "name"
    values = ["${var.f5_ami_search_name}"]
  }
}
# Disabled: separate management interface. 10.1.1.6 is instead set as
# private_ip on the aws_instance resource.
# resource "aws_network_interface" "bigip1_mgmt" {
#   subnet_id = "${module.vpc.private_subnets[0]}"
#   security_groups = ["${aws_security_group.f5.id}"]
#   private_ips = ["10.1.1.6"]
#   attachment {
#     instance = "${aws_instance.bigip1.id}"
#     device_index = 0
#   }
# }

# External interface (device_index 1) in private_subnets[0] with six fixed
# private addresses. It uses the same security group, f5-ocp4-demo, as the
# internal interface and the instance itself, so one rule set covers management
# and data traffic; the rules are defined outside this file.
resource "aws_network_interface" "bigip1_external" {
  subnet_id = "${module.vpc.private_subnets[0]}"
  security_groups = ["${aws_security_group.f5-ocp4-demo.id}"]
  # private_ips_count = 3
  private_ips = ["10.1.10.240", "10.1.10.242", "10.1.10.10","10.1.10.100","10.1.10.101","10.1.10.102"]
  attachment {
    instance = "${aws_instance.bigip1.id}"
    device_index = 1
  }
}

# Internal interface (device_index 2) in private_subnets[1] with two fixed
# private addresses, again behind the f5-ocp4-demo security group.
resource "aws_network_interface" "bigip1_internal" {
  subnet_id = "${module.vpc.private_subnets[1]}"
  security_groups = ["${aws_security_group.f5-ocp4-demo.id}"]
  # private_ips_count = 1
  private_ips = ["10.1.20.240", "10.1.20.242"]
  attachment {
    instance = "${aws_instance.bigip1.id}"
    device_index = 2
  }
}

# Public Elastic IP associated with the instance. The resource name indicates
# it is the BIG-IP management address, so Internet exposure of management is
# bounded only by the f5-ocp4-demo security group; keep its management ingress
# limited to known administrator source ranges.
# NOTE(review): AWS provider v5 replaces `vpc = true` with `domain = "vpc"`.
resource "aws_eip" "bigip_mgmt_eip" {
  vpc = true
  instance = "${aws_instance.bigip1.id}"
}

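# BIG-IP instance: primary interface in public_subnets[0] at 10.1.1.6, behind
# the f5-ocp4-demo security group (rules defined outside this file).
# Points to check before reusing this outside a demo:
#  - user_data is the rendered bigip_init template. NOTE(review): the template
#    is not shown; anything secret it embeds is readable from the instance
#    metadata service and through the EC2 API by principals allowed to read
#    instance attributes.
#  - root_block_device sets only delete_on_termination; encryption is not
#    requested, so the volume follows the account's default EBS encryption
#    setting.
#  - there is no metadata_options block, so IMDSv2 is not enforced by this
#    resource.
#  - iam_instance_profile hands the instance the permissions of bigip_profile;
#    its policy is defined elsewhere and should be reviewed for least privilege.
resource "aws_instance" "bigip1" {
  availability_zone = "${var.aws_region}a"
  ami = "${data.aws_ami.f5_ami.id}"
  instance_type = "m5.xlarge"
  subnet_id = "${module.vpc.public_subnets[0]}"
  vpc_security_group_ids = ["${aws_security_group.f5-ocp4-demo.id}"]
  private_ip = "10.1.1.6"

  user_data = "${data.template_file.bigip_init.rendered}"
  key_name = "${var.ssh_key}"
  root_block_device { delete_on_termination = true }

  iam_instance_profile = aws_iam_instance_profile.bigip_profile.name

  tags = {
    Name = "${var.prefix}-bigip1"
  }

}

--------------------------------------------------------------------------------
/chen-k8s-demo/deployment/cheese/cheese-deployments.yaml:
--------------------------------------------------------------------------------
---
# Demo Deployment "stilton": two replicas of errm/cheese:stilton listening on
# container port 80.
kind: Deployment
# apps/v1 replaces extensions/v1beta1, which is no longer served for
# Deployments since Kubernetes 1.16. apps/v1 requires spec.selector, which this
# manifest already declares and which matches the pod template labels.
apiVersion: apps/v1
metadata:
  name: stilton
  labels:
    app: cheese
    cheese: stilton
spec:
  replicas: 2
  selector:
    matchLabels:
      app: cheese
      task: stilton
  template:
    metadata:
      labels:
        app: cheese
        task: stilton
        version: v0.0.1
    spec:
      # No securityContext at pod or container level: the container runs as the
      # image's default user with the runtime's default capabilities.
      # NOTE(review): consider runAsNonRoot, allowPrivilegeEscalation: false
      # and readOnlyRootFilesystem once it is confirmed the image can serve
      # port 80 under them.
      containers:
      - name: cheese
        # Mutable tag from a public registry; pin by digest
        # (errm/cheese@sha256:<digest>) where the content must not change.
        image: errm/cheese:stilton
        # requests equal limits, so the pod is in the Guaranteed QoS class.
        resources:
          requests:
            cpu: 100m
            memory: 50Mi
          limits:
            cpu: 100m
            memory: 50Mi
        ports:
        - containerPort: 80
---
# Demo Deployment "cheddar": same shape as the one above, image tag cheddar.
kind: Deployment
# apps/v1 instead of extensions/v1beta1 (not served since Kubernetes 1.16).
apiVersion: apps/v1
metadata:
  name: cheddar
  labels:
    app: cheese
    cheese: cheddar
spec:
  replicas: 2
  selector:
    matchLabels:
      app: cheese
      task: cheddar
  template:
    metadata:
      labels:
        app: cheese
        task: cheddar
        version: v0.0.1
    spec:
      # No securityContext set; image default user and capabilities apply.
      containers:
      - name: cheese
        # Mutable tag; pin by digest where reproducibility matters.
        image: errm/cheese:cheddar
        resources:
          requests:
            cpu: 100m
            memory: 50Mi
          limits:
            cpu: 100m
            memory: 50Mi
        ports:
        - containerPort: 80
---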
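# Demo Deployment "wensleydale": two replicas of errm/cheese:wensleydale
# listening on container port 80.
kind: Deployment
# apps/v1 replaces extensions/v1beta1, which is no longer served for
# Deployments since Kubernetes 1.16. apps/v1 requires spec.selector, which this
# manifest already declares and which matches the pod template labels.
apiVersion: apps/v1
metadata:
  name: wensleydale
  labels:
    app: cheese
    cheese: wensleydale
spec:
  replicas: 2
  selector:
    matchLabels:
      app: cheese
      task: wensleydale
  template:
    metadata:
      labels:
        app: cheese
        task: wensleydale
        version: v0.0.1
    spec:
      # No securityContext at pod or container level: the container runs as the
      # image's default user with the runtime's default capabilities.
      # NOTE(review): consider runAsNonRoot, allowPrivilegeEscalation: false
      # and readOnlyRootFilesystem once it is confirmed the image can serve
      # port 80 under them.
      containers:
      - name: cheese
        # Mutable tag from a public registry; pin by digest
        # (errm/cheese@sha256:<digest>) where the content must not change.
        image: errm/cheese:wensleydale
        # requests equal limits, so the pod is in the Guaranteed QoS class.
        resources:
          requests:
            cpu: 100m
            memory: 50Mi
          limits:
            cpu: 100m
            memory: 50Mi
        ports:
        - containerPort: 80

--------------------------------------------------------------------------------
/chen-k8s-demo/deployment/iapps/k8s_http_8080.json:
--------------------------------------------------------------------------------
1 | { 2 | "parent":"iapps/sample_defaults.json", 3 | "strings":[ 4 | { "pool__port":"8080" }, 5 | { "pool__mask":"any"}, 6 | { "vs__AdvOptions":"translate-address=enabled"}, 7 | { "vs__ProfileHTTP":"create:type=http;defaults-from=/Common/http/;insert-xforwarded-for=enabled;accept-xff=enabled" }, 8 | { "feature__insertXForwardedFor":"enabled" }, 9 | { "feature__redirectToHTTPS":"disabled" }, 10 | { "vs__ProfileSecurityLogProfiles":"/Common/log_all" }, 11 | { "vs__ProfileClientProtocol":"create:type=tcp;idle-timeout=60;defaults-from=/Common/tcp-mobile-optimized" } 12 | ], 13 | "tables":[ 14 | { 15 | "name":"pool__Pools", 16 | "columnNames": [ "Index", "Name", "Description", "LbMethod", "Monitor", "AdvOptions" ], 17 | "rows" : [ 18 | { "row": [ "0", "", "", "round-robin", "", "none"] } 19 | ] 20 | }, 21 | { 22 | "name":"pool__Members", 23 | "columnNames": [ "Index" ,"IPAddress", "Port", "ConnectionLimit", "Ratio", "PriorityGroup", "State", "AdvOptions" ], 24 | "rows" : [ ] 25 | }, 26 | { 27 | "name":"monitor__Monitors", 28 | "columnNames": ["Index", "Name", "Type", "Options"], 29 | "rows" : [ 30 | { "row": [ "0", "/Common/tcp", "none", "none" ] } 31 | ] 32 | }, 33 | { 34 | 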
"name":"l7policy__rulesMatch", 35 | "columnNames": ["Group","Operand","Negate","Condition","Value","CaseSensitive","Missing"], 36 | "rows" : [ 37 | { "row": ["0","http-host/request/all","no","equals","app1.svc.k8s.chen23.com","yes","yes"] }, 38 | { "row": ["default","","no","","","no","no"]} 39 | ] 40 | }, 41 | { 42 | "name":"l7policy__rulesAction", 43 | "columnNames": ["Group","Target","Parameter"], 44 | "rows" : [ 45 | { "row": ["0","asm/request/enable/policy","bundled:linux_low"] }, 46 | { "row": ["default","asm/request/enable/policy","bundled:linux_low"]} 47 | ] 48 | }, 49 | { 50 | "name":"vs__BundledItems", 51 | "columnNames": ["Resource"], 52 | "rows" : [ 53 | { "row": [ "irule:url=http://cloud.chen23.com/catch_all.irule" ] }, 54 | { "row": [ "asm:url=http://13.90.250.250/appsvcs/linux_low.xml" ] } 55 | ] 56 | } 57 | 58 | ] 59 | } 60 | 61 | 62 | -------------------------------------------------------------------------------- /chen-k8s-demo/deployment/iapps/k8s_http_8090.json: -------------------------------------------------------------------------------- 1 | { 2 | "parent":"iapps/sample_defaults.json", 3 | "partition":"kubernetes", 4 | "strings":[ 5 | { "pool__port":"8090" }, 6 | { "vs__Name":"default_kops_vs" }, 7 | { "pool__mask":"any"}, 8 | { "vs__AdvOptions":"translate-address=enabled"}, 9 | { "vs__ProfileHTTP":"create:type=http;defaults-from=/Common/http/;insert-xforwarded-for=enabled;accept-xff=enabled" }, 10 | { "feature__insertXForwardedFor":"enabled" }, 11 | { "feature__redirectToHTTPS":"disabled" }, 12 | { "vs__ProfileSecurityLogProfiles":"/Common/log_all" }, 13 | { "vs__ProfileClientProtocol":"create:type=tcp;idle-timeout=60;defaults-from=/Common/tcp-mobile-optimized" } 14 | ], 15 | "tables":[ 16 | { 17 | "name":"pool__Pools", 18 | "columnNames": [ "Index", "Name", "Description", "LbMethod", "Monitor", "AdvOptions" ], 19 | "rows" : [ 20 | { "row": [ "0", "", "", "round-robin", "", "none"] } 21 | ] 22 | }, 23 | { 24 | "name":"pool__Members", 25 | 
"columnNames": [ "Index" ,"IPAddress", "Port", "ConnectionLimit", "Ratio", "PriorityGroup", "State", "AdvOptions" ], 26 | "rows" : [ ] 27 | }, 28 | { 29 | "name":"monitor__Monitors", 30 | "columnNames": ["Index", "Name", "Type", "Options"], 31 | "rows" : [ 32 | { "row": [ "0", "/Common/tcp", "none", "none" ] } 33 | ] 34 | }, 35 | { 36 | "name":"l7policy__rulesMatch", 37 | "columnNames": ["Group","Operand","Negate","Condition","Value","CaseSensitive","Missing"], 38 | "rows" : [ 39 | { "row": ["0","http-host/request/all","no","equals","app1.svc.k8s.chen23.com","yes","yes"] }, 40 | { "row": ["default","","no","","","no","no"]} 41 | ] 42 | }, 43 | { 44 | "name":"l7policy__rulesAction", 45 | "columnNames": ["Group","Target","Parameter"], 46 | "rows" : [ 47 | { "row": ["0","asm/request/enable/policy","bundled:linux_low"] }, 48 | { "row": ["default","asm/request/enable/policy","bundled:linux_low"]} 49 | ] 50 | }, 51 | { 52 | "name":"vs__BundledItems", 53 | "columnNames": ["Resource"], 54 | "rows" : [ 55 | 56 | { "row": [ "asm:url=http://13.90.250.250/appsvcs/linux_low.xml" ] } 57 | ] 58 | } 59 | 60 | ] 61 | } 62 | 63 | 64 | --------------------------------------------------------------------------------