
How to Implement Grayscale Release by Integrating F5 and OpenShift

2025-01-23 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 05/31

This article explains how to achieve grayscale release by integrating F5 with OpenShift.

1. Why use grayscale release

What is grayscale release?

Grayscale release is a release method that allows a smooth transition between black and white. A/B testing is one form of grayscale release: some users continue to use A while others start using B, and if users have no objection to B, the scope is gradually expanded until all users are migrated to B. Grayscale release helps keep the whole system stable, because problems can be found and corrected at the initial gray stage, which keeps their impact under control.

The value of grayscale release

Grayscale release lets you open a product to specific target users before the official launch, collect their feedback, find and fix problems as early as possible, and address the product's shortcomings. If the new version turns out to be of little value, you can change direction early and avoid the bad effects of launching the product directly.

Grayscale release with OpenShift Route

Grayscale release with OpenShift Route works by "mounting" two or more Services under one Route and adjusting the weight of each Service to control how traffic is distributed.

For example, an application has two services, service-v1 and service-v2, where service-v2 is the new version. You keep increasing the weight of service-v2, watch user feedback, and find and fix problems in service-v2 in time, until service-v2 finally carries all of the traffic that service-v1 used to carry and the service upgrade is complete. In this way, the impact on customers of any problems in service-v2 is greatly reduced.

OpenShift Route makes splitting traffic between Services very convenient, and ordinary workloads can use this feature for testing. Its simplicity also has a drawback: it can only split requests by probability and cannot direct specific users to a specific version.

For example, OpenShift Route cannot yet meet the following requirement: before a new version of the product is officially released, we want to test it so that only a specified group of users, or users whose IP addresses are in certain network segments, can access the new version.

2. Integrating F5 and OpenShift to achieve grayscale release

When traffic reaches F5, F5 first checks whether the request matches the iRule and, if it does, directs it to the corresponding Pool.

If nothing matches in the iRule, the Policies rules bound to the VS are used for matching.

In the previous article, we saw that the F5 controller on OpenShift automatically generates Policies rules on F5 to implement the functionality of OpenShift Route. We then only need to combine them with a custom iRule to get both traffic splitting between services and directed access for specific users.

F5 and Openshift integrated configuration and deployment (to achieve grayscale release)

Preparatory work (see the previous section: Openshift-F5 integration (north-south traffic F5))

Create a new HostSub

Local Traffic -> Virtual Servers

Name: VS name
Destination Address/Mask: IP address of the VS
Service Port: HTTP
HTTP Profile: http
Source Address Translation: Auto Map

HTTPS

Name: VS name
Destination Address/Mask: IP address of the VS
Service Port: HTTPS
HTTP Profile: http
SSL Profile (Client): /Common/clientssl
Source Address Translation: Auto Map

Set cccl-whitelist in VS to 1

Create a Deployment for each F5 device

--bigip-url in the Deployment is the IP of the F5 device

--bigip-partition in the Deployment is the Partition created on F5 earlier, OpenShift

--route-http-vserver in the Deployment is the manually created HTTP VS

--route-https-vserver in the Deployment is the manually created HTTPS VS

--route-label in the Deployment is the label for the Controller (no configuration is required for a single group of F5 devices; with multiple groups of F5 devices, use it to label each group, and set the label f5type:label in the Route to specify which F5 to use)

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: f5-bigip-ctlr-01
spec:
  replicas: 1
  template:
    metadata:
      name: k8s-bigip-ctlr
      labels:
        app: k8s-bigip-ctlr
    spec:
      # Name of the Service Account bound to a Cluster Role with the required
      # permissions
      serviceAccountName: bigip-ctlr
      containers:
        - name: k8s-bigip-ctlr
          # replace the version as needed
          image: "f5networks/k8s-bigip-ctlr:1.5.1"
          env:
            - name: BIGIP_USERNAME
              valueFrom:
                secretKeyRef:
                  # Replace with the name of the Secret containing your login
                  # credentials
                  name: bigip-login
                  key: username
            - name: BIGIP_PASSWORD
              valueFrom:
                secretKeyRef:
                  # Replace with the name of the Secret containing your login
                  # credentials
                  name: bigip-login
                  key: password
          command: ["/app/bin/k8s-bigip-ctlr"]
          args: [
            # See the k8s-bigip-ctlr documentation for information about
            # all config options
            # http://clouddocs.f5.com/products/connectors/k8s-bigip-ctlr/latest
            "--bigip-username=$(BIGIP_USERNAME)",
            "--bigip-password=$(BIGIP_PASSWORD)",
            "--bigip-url=192.168.200.82",
            "--bigip-partition=OpenShift",
            "--pool-member-type=cluster",
            "--openshift-sdn-name=/Common/openshift_vxlan",
            "--manage-routes=true",
            "--route-http-vserver=testroute",
            "--route-https-vserver=testroute_https"
          ]
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: f5-bigip-ctlr-02
spec:
  replicas: 1
  template:
    metadata:
      name: k8s-bigip-ctlr
      labels:
        app: k8s-bigip-ctlr
    spec:
      # Name of the Service Account bound to a Cluster Role with the required
      # permissions
      serviceAccountName: bigip-ctlr
      containers:
        - name: k8s-bigip-ctlr
          # replace the version as needed
          image: "f5networks/k8s-bigip-ctlr:1.5.1"
          env:
            - name: BIGIP_USERNAME
              valueFrom:
                secretKeyRef:
                  # Replace with the name of the Secret containing your login
                  # credentials
                  name: bigip-login
                  key: username
            - name: BIGIP_PASSWORD
              valueFrom:
                secretKeyRef:
                  # Replace with the name of the Secret containing your login
                  # credentials
                  name: bigip-login
                  key: password
          command: ["/app/bin/k8s-bigip-ctlr"]
          args: [
            # See the k8s-bigip-ctlr documentation for information about
            # all config options
            # http://clouddocs.f5.com/products/connectors/k8s-bigip-ctlr/latest
            "--bigip-username=$(BIGIP_USERNAME)",
            "--bigip-password=$(BIGIP_PASSWORD)",
            "--bigip-url=192.168.200.83",
            "--bigip-partition=OpenShift",
            "--pool-member-type=cluster",
            "--openshift-sdn-name=/Common/openshift_vxlan",
            "--manage-routes=true",
            "--route-http-vserver=testroute",
            "--route-https-vserver=testroute_https"
          ]

Manually bind Policies to the VS

After the OpenShift F5 controller is created, two Policies are automatically created on F5: openshift_insecure_routes and openshift_secure_routes.

openshift_insecure_routes serves HTTP applications.

openshift_secure_routes serves HTTPS applications.

Bind Policies and iRule

Create an application (a Project named testapp, with Services named f5-nginx-v1 and f5-nginx-v2)

oc new-project testapp
# v1: deploy, create the Service, and expose it as a Route with the test hostname
oc new-app harbor.example.com/public/nginx:1.14 --name=f5-nginx-v1 --allow-missing-images
oc expose dc/f5-nginx-v1 --port=8080
oc expose svc/f5-nginx-v1 --hostname=test1.apps.openshift.com
# v2: deploy and create the Service only
oc new-app harbor.example.com/public/nginx:1.14 --name=f5-nginx-v2 --allow-missing-images
oc expose dc/f5-nginx-v2 --port=8080

Create the iRule and bind it to the VS on F5

Note: for requests to the domain name test1.apps.openshift.com, if the client IP is 192.168.100.23 the request goes to the f5-nginx-v2 service in the testapp project; otherwise it goes to the f5-nginx-v1 service in the testapp project.

Note: the iRule needs to be created under the Common Partition.

when HTTP_REQUEST {
    # Only handle requests for the test hostname
    if { [HTTP::host] equals "test1.apps.openshift.com" } {
        log local0.info [HTTP::host]
        # Directed access: this single client IP goes to the new version
        if { [IP::addr [IP::client_addr] equals 192.168.100.23/32] } {
            log local0.info "enter 2 pool before"
            log local0.info [HTTP::host]
            pool /f5-openShift/openshift_testapp_f5-nginx-v2
            log local0.info "enter 2 pool later"
        } else {
            # Every other client stays on the old version
            log local0.info "enter 3"
            pool /f5-openShift/openshift_testapp_f5-nginx-v1
        }
    }
}
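The selection order this section describes (iRule match first, otherwise the controller-generated policy), modelled in Python as an added example that is not the article's or F5's code; it generalizes the single-IP rule to network segments. Assumptions: the 10.20.0.0/24 segment and the 90/10 weights are constructed samples, and clients that match no targeted rule fall through to the weighted backends instead of being pinned to f5-nginx-v1 as in the iRule's else branch.

```python
"""Added example: model of iRule-first, weighted-policy-second pool selection."""
import ipaddress
import random
from collections import Counter

# Targeted rules, checked first (the iRule's role). The host and the single IP
# are the article's values; the 10.20.0.0/24 segment is a constructed sample.
TARGETED = [
    ("test1.apps.openshift.com", "192.168.100.23/32", "f5-nginx-v2"),
    ("test1.apps.openshift.com", "10.20.0.0/24", "f5-nginx-v2"),
]
# Weighted backends per host, used when no targeted rule matches (the role of
# the controller-generated policy). The 90/10 split is a constructed sample.
WEIGHTED = {"test1.apps.openshift.com": {"f5-nginx-v1": 90, "f5-nginx-v2": 10}}


def select_pool(host, client_ip, rng=random):
    """Return the Service a request is sent to, or None for an unknown host."""
    host = host.split(":")[0].lower()        # ignore port and case in Host
    addr = ipaddress.ip_address(client_ip)   # raises ValueError on bad input
    for rule_host, cidr, pool in TARGETED:
        if host == rule_host and addr in ipaddress.ip_network(cidr):
            return pool                      # directed access: weights ignored
    backends = WEIGHTED.get(host)
    if not backends:
        return None                          # no Route for this host
    names = list(backends)
    return rng.choices(names, weights=[backends[n] for n in names])[0]


def simulate(host, client_ip, requests=10000, seed=1):
    """Count pool selections for repeated requests from one client."""
    rng = random.Random(seed)
    return Counter(select_pool(host, client_ip, rng) for _ in range(requests))


if __name__ == "__main__":
    for ip in ("192.168.100.23", "10.20.0.77", "192.168.100.24"):
        print(ip, dict(simulate("test1.apps.openshift.com", ip)))
```

The match is on the source address the load balancer sees, so clients behind a shared NAT or proxy are treated as one client.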

Test access to the service

Add a hosts entry on the local machine (192.168.100.23) and on another machine whose IP is not 192.168.100.23:

<IP address of the VS> test1.apps.openshift.com

Then visit test1.apps.openshift.com from each machine and check the page displayed; the two machines reach different Services.

The above is how to achieve grayscale release by integrating F5 and OpenShift. If you have similar questions, you can refer to the analysis above.
