BCDevOps / developer-experience

This repository is used to track all work for the BCGov Platform Services Team (This includes work for: 1. Platform Experience, 2. Developer Experience 3. Platform Operations/OCP 3)
Apache License 2.0

Install F5 CIS in KLAB #1163

Closed StevenBarre closed 3 years ago

StevenBarre commented 3 years ago

Describe the issue

Revisit the previous work on F5 CIS now that it supports non-http port balancing. Install the deployment into KLAB and work with Network team to get the F5 configured to connect.

Definition of done

StevenBarre commented 3 years ago

Tested a Django in CLAB connecting to a Postgres in KLAB.

wmhutchison commented 3 years ago

Moving to backlog for now, aim to push it back in as a priority once other issues are back under control.

wmhutchison commented 3 years ago

Doing some dumping in here regarding what Steven previously set up, will evolve as we learn more about what's been created.

Found this in CLAB regarding Django.

[root@mcs-clab-util ~]# oc -n steve-test describe dc django-psql-persistent
Name:           django-psql-persistent
Namespace:      steve-test
Created:        4 weeks ago
Labels:         app=django-psql-persistent
                template=django-psql-persistent
Description:    Defines how to deploy the application server
Annotations:    template.alpha.openshift.io/wait-for-ready=true
Latest Version: 1
Selector:       name=django-psql-persistent
Replicas:       1
Triggers:       Image(django-psql-persistent@latest, auto=true), Config
Strategy:       Recreate
Template:
Pod Template:
  Labels:       name=django-psql-persistent
  Containers:
   django-psql-persistent:
    Image:      image-registry.openshift-image-registry.svc:5000/steve-test/django-psql-persistent@sha256:001b2658e4c3340be1b8c6807f91a93f6d274e4a376c3f72a809216cefb85a61
    Port:       8080/TCP
    Host Port:  0/TCP
    Limits:
      memory:   512Mi
    Liveness:   http-get http://:8080/health delay=30s timeout=3s period=10s #success=1 #failure=3
    Readiness:  http-get http://:8080/health delay=3s timeout=3s period=10s #success=1 #failure=3
    Environment:
      DATABASE_SERVICE_NAME:    foo
      FOO_SERVICE_HOST:         142.34.151.117
      FOO_SERVICE_PORT:         5432

Looking up to see what the mentioned IP near the end is.

wmhutchison commented 3 years ago

Said IP belongs to the vserver IP as defined in our playbook used for the initial cluster configuration post-install.

https://github.com/bcgov-c/platform-ops/blob/7e08ddd57f3b3e15f237907b7092acad7123e448/ocp4/inventory/klab#L47

wmhutchison commented 3 years ago

[root@mcs-klab-util ~]# oc get crd | grep f5
externaldnss.cis.f5.com                                     2021-05-06T19:04:45Z
ingresslinks.cis.f5.com                                     2021-05-06T19:04:45Z
tlsprofiles.cis.f5.com                                      2021-05-06T19:04:45Z
transportservers.cis.f5.com                                 2021-05-06T19:04:45Z
virtualservers.cis.f5.com                                   2021-05-06T19:04:45Z
[root@mcs-clab-util ~]# for CRD in externaldnss ingresslinks tlsprofiles transportservers virtualservers ; do echo $CRD;oc get $CRD --all-namespaces ; done
externaldnss
error: the server doesn't have a resource type "externaldnss"
ingresslinks
error: the server doesn't have a resource type "ingresslinks"
tlsprofiles
error: the server doesn't have a resource type "tlsprofiles"
transportservers
error: the server doesn't have a resource type "transportservers"
virtualservers
error: the server doesn't have a resource type "virtualservers"
[root@mcs-klab-util ~]# for CRD in externaldnss ingresslinks tlsprofiles transportservers virtualservers ; do echo $CRD;oc get $CRD --all-namespaces ; done
externaldnss
No resources found
ingresslinks
No resources found
tlsprofiles
No resources found
transportservers
NAMESPACE          NAME                           VIRTUALSERVERADDRESS   VIRTUALSERVERPORT   POOL                     POOLPORT   AGE
stevenbarre-test   postgresql-transport-server    142.34.151.117         5432                postgresql               5432       33d
stevenbarre-test   postgresql-transport-server2   142.34.151.117         15432               django-psql-persistent   8080       33d
virtualservers
No resources found

wmhutchison commented 3 years ago

No custom CRD objects on CLAB, two in KLAB for the test namespace.

[root@mcs-klab-util ~]# oc -n stevenbarre-test get transportservers
NAME                           VIRTUALSERVERADDRESS   VIRTUALSERVERPORT   POOL                     POOLPORT   AGE
postgresql-transport-server    142.34.151.117         5432                postgresql               5432       33d
postgresql-transport-server2   142.34.151.117         15432               django-psql-persistent   8080       33d
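
An inventory check over the TransportServer listing above, as an added example that is not part of the original thread: it reads the `oc get transportservers --all-namespaces` table and prints each virtual-server address and port with the pool it forwards to, marking port remaps and shared addresses. The function names and the PORT-REMAP / SHARED-VIP labels are made up for this example; the sample rows are copied from the KLAB output.

```shell
#!/usr/bin/env bash
# Added example: list the L4 exposures defined by F5 CIS TransportServer objects.
# Input is the table printed by:
#   oc get transportservers --all-namespaces
# Columns assumed (as in the output above):
#   NAMESPACE NAME VIRTUALSERVERADDRESS VIRTUALSERVERPORT POOL POOLPORT AGE

audit_transportservers() {
  awk '
    NR == 1 && $1 == "NAMESPACE" { next }   # skip the header row
    NF < 6 { next }                         # skip "No resources found" and blanks
    {
      n++
      ns[n] = $1; name[n] = $2; vip[n] = $3; vport[n] = $4
      pool[n] = $5; pport[n] = $6
      per_vip[$3]++                         # count objects per virtual address
    }
    END {
      for (i = 1; i <= n; i++) {
        flags = ""
        # The external port differs from the port the pool listens on.
        if (vport[i] != pport[i]) flags = flags " PORT-REMAP"
        # More than one TransportServer publishes on this address.
        if (per_vip[vip[i]] > 1) flags = flags " SHARED-VIP"
        printf "%s:%s -> %s/%s:%s (%s)%s\n",
               vip[i], vport[i], ns[i], pool[i], pport[i], name[i], flags
      }
    }'
}

# Sample input: the two KLAB rows from the comment above.
sample_klab_output() {
  cat <<'EOF'
NAMESPACE          NAME                           VIRTUALSERVERADDRESS   VIRTUALSERVERPORT   POOL                     POOLPORT   AGE
stevenbarre-test   postgresql-transport-server    142.34.151.117         5432                postgresql               5432       33d
stevenbarre-test   postgresql-transport-server2   142.34.151.117         15432               django-psql-persistent   8080       33d
EOF
}

sample_klab_output | audit_transportservers
```

Against a live cluster the same function takes the command output directly: `oc get transportservers --all-namespaces | audit_transportservers`.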

jleach commented 3 years ago

@wmhutchison Curious where 117 comes from? I don't think that's the ingress IP.

jleach commented 3 years ago

@StevenBarre I think we can close this one now - no? Op is installed in klab and working. Only un-checked task above is to make sure the playbooks are updated.

StevenBarre commented 3 years ago

@jleach still need to "Install playbooks updated" and commit my changes to github.

StevenBarre commented 3 years ago

Playbook PR https://github.com/bcgov-c/platform-ops/pull/378

Also ran the playbook in CLAB to test and verify. I've submitted a request to the network team to configure the F5 side of the VXLAN tunnel so they can connect to the OCP SDN. Once that's completed we can verify everything is working in CLAB and merge the PR.

jleach commented 3 years ago

I've done some load testing on this. Was able to create a replica set with a node in klab and another in clab. Then restore the prod Rocket Chat database (2.4G). No issues. Works as advertised.