No, I wasn't aware of any Ansible Tower requirements. I will ask PM.
@BAMFPodcast 16 days ago
@MarkDittmer looks like it’s bad information from an old doc.
@MarkDittmer 11 days ago
let me know if you want to set up a meeting with the PM from OpenShift side.
@Egungon 18 days ago
Do you happen to have json declarations for creating wideIPs and/or GSLB pools via AS3?
@MarkDittmer 17 days ago
thanks for the recommendation. I will work on this tomorrow. You ok with Generic Host instead of Virtual Server Discovery?
@Egungon 16 days ago
@MarkDittmer that should be fine! Thanks!
@bernardocarcacheguerrero2297 19 days ago
Mark, can I manage only the WAF policies with this? I don’t want AS3 to manage my LTM objects.
@MarkDittmer 17 days ago
AS3 can create a WAF policy from an external REPO as shown in the document. You could then add that policy to the LTM Virtual via the UI etc clouddocs.f5.com/training/fas-ansible-workshop-101/3.3-as3-asm.html --- This what you had in mind?
@bernardocarcacheguerrero2297 15 days ago
I am only looking to maintain the WAF policy, regardless of its Virtual Server assignment. I looked at the link and that creates the policy, but also assigns it to the Virtual Server. I don’t want that to happen. Can I use the “new_asm_policy” alone in an AS3 declaration?
@V.Z.69 1 month ago
I just stumbled upon this page. Is the reference to "AS3" referring to "ActionScript 3" Adobe? And if so, are you using Flash with BIG-IP? Flash and AS3 was a game changer, too bad it's gone!!!
@MarkDittmer 17 days ago
lol no AS3 is F5 BIG-IP Application Services 3 and has nothing to do with ActionScript 3.
@mohanbasava2115 2 months ago
Can you explain from network connectivity perspective, BIG-IP connects to physical switch and nodes are VMs
@MarkDittmer 2 months ago
Can we schedule a meeting? I can demo the networking etc.
@mohanbasava2115 1 month ago
@MarkDittmer Sure Mark.. Let me know your availability we can sync up. I can explain my use case..
@arjund3772 2 months ago
Hi Mark, Can we configure Service Type LoadBalancer with OpenShift OVN-Kubernetes using F5 BIG-IP with NO Tunnels?
@MarkDittmer 2 months ago
yes, for Service Type LoadBalancer the CRD will require iPAM or a static IP to be populated for the public IP. Let me know if you need help setting this up. Contact me at [email protected]
@user-zu1kd7pr2w 2 months ago
very informative
@MarkDittmer 17 days ago
Glad you liked it
@Grzegorz_Wilczek 2 months ago
Hi Mark, I can't find any info about schema version in NEXT, in Classic it's easy as of plugin version, 3.0.0 is pretty old, how to get something newer in NEXT?
@MarkDittmer 2 months ago
Looking into this on Monday. Will message my team. Great question btw!!
@MarkDittmer 2 months ago
Just like with classic we don't actually use schema version other than to ensure a user doesn't send a declaration with a schema version newer than the latest supported on the given device. So just a matter of updating our examples which I will get posted in Clouddocs
@Grzegorz_Wilczek 2 months ago
@MarkDittmer Many thanks, I ask it in other way with an example. How do we know what version of AS3 we use in NEXT? Real example from last couple days.. We used 3.43 globally, but I started using Policy Endpoint with a new option "hostHeader" which was introduced in 3.47. In Classic I just need to roll out new rpm. How this work in NEXT and how do I know what AS3 version is installed?
@JohnSmith-dg3rd 2 months ago
Thanks for the Postman Collection!
@MarkDittmer 17 days ago
Any time!
@JeffMorello 2 months ago
Thanks for this video. Are you planning to do another one using an active/standby configuration?
@MarkDittmer 17 days ago
Yes published here kzread.info/dash/bejne/d6OLx6-SmLG6drw.html -- Look at the weight in the route or CRD
@sh1k4maru 2 months ago
Great video as always
@MarkDittmer 17 days ago
Appreciate that
@JohnSmith-dg3rd 2 months ago
Access to Journeys over Browser is being refused.
@MarkDittmer 2 months ago
Try browser from the same next where you installed Journeys. I think this is a limitation of the OS. I will review emails to see if I can find a solution. I believe somebody figured it out
@GopalRoy-nn6ft 2 months ago
What is cis?
@MarkDittmer 2 months ago
CIS is F5 BIG-IP Ingress Controller clouddocs.f5.com/containers/latest/
@sliddjur 3 months ago
Testing in AS3 v3.50, For anyone interested, perAppDeploymentAllowed is now a setting straight under settings and not nested under "betaOptions" {{baseUrl}}/mgmt/shared/appsvcs/settings { "asyncTaskStorage": "data-group", "perAppDeploymentAllowed": true, "burstHandlingEnabled": false, "performanceTracingEnabled": false, "performanceTracingEndpoint": "", "serializeFileUploads": false, "serviceDiscoveryEnabled": true, "webhook": "" }
@MarkDittmer 3 months ago
Enabled by default. Let me know your feedback and any improvements
@vagdemarrs 4 months ago
Congrats, thanks for the good work
@MarkDittmer 4 months ago
thank you!
@sliddjur 4 months ago
🎉😊
@MarkDittmer 4 months ago
Thank you!!
@sliddjur 3 months ago
@MarkDittmer what happened to v3.50? How about releasing binary, or giving us build instructions from source :)
@sliddjur 4 months ago
I've been following your videos about as3 per app api, and now you suddenly changed your wording to resource group (aka tenant, aka partition) is the legacy way of doing everything? :) So you can not use /declare/tenant123/app and declare a single app, when tenant123 is not declared already? Also, how do you delete a single app?
@MarkDittmer 4 months ago
Thank you. No. Per-app declaration must contain at least one application. Declare one app in tenant123 and then you can POST to /declare/tenant123/applications/ with updates
@sliddjur 4 months ago
What about deleting a specific app?
@MarkDittmer 4 months ago
Currently DELETE is not there. Something that could be added. Use POST Declare to remove any apps
@sliddjur 4 months ago
What is the reasoning why per-app deployment was not the "best practice" and enabled by default from the beginning?
@MarkDittmer 4 months ago
Good point. Because it only got added in AS3-50 coming next week.
@sliddjur 4 months ago
so if you're working on tenant2, and you forget to add to the URI declare/tenant2, you mess up all your other tenants?
@MarkDittmer 4 months ago
Declarative. Declare the changes. Best to use via GitHub or Bitbucket
@aquabat104 4 months ago
When using AS3, should I have a separate tenant for each wide IP? So If I have 250 wide-ip's will I have 250 tenants? thank you
@MarkDittmer 4 months ago
Wide-IPs are different when using AS3. I think generic-host for Wide-IPs is the way to go. Maybe common. I need to post a Best practice AS3 video for GSLB.
@aquabat104 3 months ago
@MarkDittmer Yes please we are migrating DNS module from on-prem to azure and want to use AS3 and frontend with terraform. About 500 wide-ip's
@arjund3772 4 months ago
Hi Mark, We can do this implementation with Openshift 4.12, right?
@MarkDittmer 4 months ago
Yes, absolutely, OpenShift 4.12 is perfectly fine!!
@arjund3772 2 months ago
@MarkDittmer Hi Mark, Can we configure Service Type LoadBalancer with OpenShift OVN-Kubernetes using F5 BIG-IP with NO Tunnels?
@user-mc2rp1ty7u 4 months ago
About 26:10 you say that if pool member is not unique then it has to be shared and placed to Common. In my case where have 2 partitions with own route-domains and own IP spaces and it happened that both uses 10.x.x.x and there are occasionally same pool members, does it mean that with AS3 I cannot have such setup and have to re-address the conflicting pool members? Adding them to Common is out of question as that uses route-domain 0...
@MarkDittmer 2 months ago
use share-nodes=true in the CIS deployment. This will create the pool members in the common partition. Example clouddocs.f5.com/containers/latest/userguide/config-parameters.html
@user-mc2rp1ty7u 2 months ago
@MarkDittmer as I mentioned, we use partitions with own routing domain, so placing pool member to Common will not make it work
@user-mc2rp1ty7u 2 months ago
@MarkDittmer I know this is not official communication channel, but I would appreciate answer to my question. Thanks
@kevinbrown7171 4 months ago
I want to move our management of F5 to gitops, but we have multiple vendors who currently request manual configuration of sets of Virtual servers for their respective APIs and each vendor has their own pipelines. I want to integrate each vendor to control their own API virtual servers into their respective pipelines, so no one vendor changes the entire config, but only a subset of virtual services, and also we have an operations team that need to control traffic management parameters between data centres. We have a common git repository. The most optimal pipeline is built with Tekton and argocd, other are still with Jenkins but will migrate over time to a common set of pipelines using Tekton and argocd. Is this possible using per app changes?
@quickref 5 months ago
We are currently preparing to migrate our existing f5 applications to AS3 and since we have some clusters with a lot of virtual servers, Per App will be helpful to keep a better control of our applications. Will there be an option to transform a ucs file with ACC to AS3 Per App? I'm planning to attend the Berlin App world. Will you be there, too?
@MarkDittmer 5 months ago
Journeys can consume the UCS file and represent the configuration as a per-app. But Journeys won't POST the App back to BIG-IP using Per-APP. However this could be better implemented in the VScode extension. I am working with that team to get the Per-App API added to VScode
@JohnSmith-dg3rd 5 months ago
I'm excited for BIG-IP Next. Finally something new.
@MarkDittmer 5 months ago
definitely. Lots of new content coming.
@amarganta5729 5 months ago
Do we need to configure routing table on BIG-IP manually to direct traffic from BIG-IP to pods via Nodes?
@MarkDittmer 2 months ago
CIS will automate the routing table if you are using OpenShift and some other CNIs.
@surrendermohan6520 6 months ago
Thanks for the part2 video. How to have the AS3 API call work to apply only the incremental changes or per app changes where we have BIGIP-CIS controller running on kubernetes clusters which auto triggers these POST AS3 calls whenever there's changes on clusters.
@MarkDittmer 6 months ago
This is a change I want to get into CIS. We are waiting for AS3 Per APP API to go GA in AS3.50. This is planned in the upcoming months.
@surrendermohan6520 6 months ago
@MarkDittmer thank you
@KickstonesBitcoin 6 months ago
How do you manage permissions per app? I only want admin from app team 1 to access API endpoint to make changes for app 1 and not app 2,3,4 etc
@MarkDittmer 6 months ago
Can't because the BIG-IP API doesn't provide the permission. This will be possible on BIG-IP Next using Per APP API.
@KickstonesBitcoin 6 months ago
How can we control API user permissions to limit POSTS to per tenant or even better per app?
@MarkDittmer 5 months ago
AS3 has no RBAC on Classic. API user permissions to limit POSTS for AS3 is coming in BIG-IP Next. Please subscribe. I will create a demo for this in a month once the code is complete.
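Because the replies above say AS3 on Classic has no RBAC and that updates go to /declare/tenant123/applications, one compensating control is a scope check in the pipeline before anything is sent. The sketch below is an added example, not code from the video author or from F5; the SCOPES allow-list, the identity and application names, and the assumed per-app declaration shape (top-level objects whose "class" is "Application") are illustrative assumptions.

```python
import json
import re

# Hypothetical allow-list kept in the pipeline repo: pipeline identity -> the one
# tenant it may target and the application names it owns (all names are made up).
SCOPES = {
    "vendor-a": {"tenant": "tenant123", "apps": {"payments_api"}},
    "vendor-b": {"tenant": "tenant123", "apps": {"orders_api"}},
}

# Per-app endpoint as quoted in the thread: /declare/<tenant>/applications
# The allowed character set for the tenant name is a conservative assumption.
PER_APP_PATH = re.compile(
    r"/mgmt/shared/appsvcs/declare/([A-Za-z][A-Za-z0-9_]*)/applications/?"
)


def _no_duplicate_keys(pairs):
    """json hook: refuse objects that repeat a key (the last one would silently win)."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key {key!r}")
        seen[key] = value
    return seen


def check_per_app_post(identity, path, body):
    """Return (allowed, reason) for a request the pipeline is about to send."""
    scope = SCOPES.get(identity)
    if scope is None:
        return False, "unknown pipeline identity"

    match = PER_APP_PATH.fullmatch(path)
    if match is None:
        # Also catches a bare .../declare, which carries a whole declaration.
        return False, "path is not a per-app endpoint"
    if match.group(1) != scope["tenant"]:
        return False, f"tenant {match.group(1)!r} is outside this identity's scope"

    try:
        decl = json.loads(body, object_pairs_hook=_no_duplicate_keys)
    except ValueError as exc:  # JSONDecodeError is a ValueError subclass
        return False, f"invalid JSON: {exc}"
    if not isinstance(decl, dict):
        return False, "declaration must be a JSON object"

    apps = set()
    for name, value in decl.items():
        if not isinstance(value, dict):
            continue  # scalar members such as schemaVersion
        if value.get("class") != "Application":
            # Strict policy choice: anything that is not an Application is refused.
            return False, f"{name!r} is not an Application object"
        apps.add(name)

    if not apps:
        return False, "declaration contains no application"
    foreign = sorted(apps - scope["apps"])
    if foreign:
        return False, f"applications outside scope: {', '.join(foreign)}"
    return True, "ok"
```

The check only constrains what the pipeline itself sends; anyone holding the BIG-IP credentials directly is not limited by it.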
@shaikzoheb3430 6 months ago
You are just amazing Content is pure gold
@MarkDittmer 6 months ago
Thank you!!
@shaikzoheb3430 6 months ago
Amazing video. However I’m planning to use below tech stack. Is it possible to? Istio Ingress Gateway as Ingress Controller Calico/Cilium CNI Instead of nginx ingress, I wanted to use Istio as an ingress controller
@MarkDittmer 6 months ago
yes this is possible. I have seen some Istio. CIS just needs to monitor the Istio service. Calico or Cilium CNIs are both good options. Ping me if you need help
@shaikzoheb3430 6 months ago
@MarkDittmer I’ve sent you an email for this. As I’m planning to use F5 BIG-IP, CIS for OpenShift Active Active Multi data centre deployment. Need to create an architecture and plan for this setup. Is there a way I can have a word with you?
@MarkDittmer 6 months ago
We are about to publish a document "F5 BIG-IP deployment with OpenShift - multi-cluster architectures" for your solution. Please contact me at [email protected] so we can schedule a zoom call
@shaikzoheb3430 6 months ago
How about OpenShift Ingress in a multi cluster with Istio ingress as a gateway. For those who are heavily using Istio. Is it possible ?
@mohanbasava2115 7 months ago
One question, why would External BIGIP needs to know Kubes routes in the routing table of BIGIP, assume since not directly connected to any of cluster, it can just follow the default route and upstream can handle routing part. ?
@mohanbasava2115 7 months ago
This looks Cool. :-), We can properly segregate Apps within the tenants.
@backcountryFLcyclist 7 months ago
Calico BGP, CRD, CIS Ingress Link with NGINX+ transport server and virtualserver is what I am seeing in production
@MarkDittmer 7 months ago
Thanks for your feedback. Definitely a sweet solution being able to use the best of both technology.
@growthandprogress689 7 months ago
I have one question, can ASM setting be adjusted in the AS3 declaration file or how can ASM setting be adjusted using AS3 on Vserver_tenant ?
@MarkDittmer 7 months ago
ASM policy should be modified in the ASM module or ASM API. AS3 will pull the latest policy and apply. AS3 simply references the profile/policy on the virtual for that tenant.
@growthandprogress689 7 months ago
@MarkDittmer thanks for the reply, please can you make a video to demonstrate this setting or configuration thanks 🙏
@MarkDittmer 6 months ago
Will do. Per App Api will be GA in AS3 50. I will create another video for the release
@growthandprogress689 7 months ago
Thanks, for the updates.
@vagdemarrs 7 months ago
Thank you for the explanation even if in my case it's no use since GTM and LTM are different hardwares, I guess I still have to orchestrate the way I send the manifests :)
@MarkDittmer 7 months ago
Let me know if you need help with your GTM AS3 declaration
@Nikoolayy1 8 months ago
Nice video. I saw the git repo but where is the config to subscribe to informer events as from the repo I see 2 CIS deployments in the 2 two clusters, not just one?
@MarkDittmer 8 months ago
Informer configuration is coming in the new two days with a new video using A/B deployment across the two clusters.
@babycutezz5665 9 months ago
Is F5 CIS similar to F5 SPK? Thanks
@MarkDittmer 9 months ago
F5 CIS is focused on getting traffic into the K8S clusters. CIS configures BIG-IP to steer interesting to the correct Service in a specific cluster. CIS also requires BIG-IP where SPK is independent. SPK is mostly focused on the Service Provider use-case while CIS is traditionally enterprises
@samuelo8976 9 months ago
Promo-SM 😝
@MarkDittmer 9 months ago
@samuelo8976 not sure what you mean by Promo-SM
@surrendermohan6520 10 months ago
Thanks for the great video. Is incremental update API is released in recent AS3 version?
@MarkDittmer 10 months ago
I plan to do Part 2 soon.
@multiversewithin 10 months ago
That’s very cool . I am just curious the AS3 best practices suggest POST over PATCH for better performance . Incremental update is so cool , but is it similar to PATCH ing internally or merging the json payloads and sending a POST with merged json ?
@MarkDittmer 10 months ago
Don’t recommend using JSON PATCH now with per-app API. You're right it’s similar but now you can POST your updates. After POSTing you can get the declaration and update your source of truth. We will be doing performance once we gather all the feedback from the beta. Let me know if you want to test this new feature. Send me an email at [email protected]
@multiversewithin 10 months ago
@MarkDittmer thanks Mark . I work for charter . Will reach out from official id as we are already using your product .
@kdmagicman 10 months ago
Very handy! Nice to eliminate the need to repost a potentially huge declaration and instead just post an incremental application within a specified tenant. Super cool. Well done!
@MarkDittmer 10 months ago
Thank you very much. I believe per-application simplifies AS3 usage. However it’s still best to GET the entire declaration which will be the source of truth. This could be POSTed as part of your pipeline
@leonseng7939 10 months ago
Thanks for this, Mark. Would this provide performance improvements? Consider the case of POSTing 1 app to a tenant which already has 9 other apps (with per-app API), vs POSTing a tenant with all 10 apps in it (with the old way) - does using the Per-App API mean AS3 only process the 1 additional app, hence can respond quicker?
@MarkDittmer 10 months ago
Definitely. We also plan to focus on performance improvements after the beta. The hope is that POSTing a small update to the API would be less impactful than posting an entire declaration. Look forward to getting lots of amazing feedback on September 12th when AS3-47 is posted.
@user-nu6py9cy7y 10 months ago
will LB the service with policy in the feature, e.g., LB with multi pools with LTM policy/iRules.
@MarkDittmer 10 months ago
You can assign a policy CRD to the extended ConfigMap which includes any LTM policy/iRules
@user-nu6py9cy7y 10 months ago
@MarkDittmer I saw the endpoints from 2 clusters are put into the single one LTM-pool, how can add policy CRD to do weighted LB for the different cluster. For example, I want do weighted traffic for 2 pools (pool1 represent the cluster 1, pool2 represent the cluster2).
Comments
In an actual project I'm planning an architecture concept for multi-cluster setup in active-active. Would be nice to have your mind on it.
Please email me at [email protected] so we can set up a call
Great Presentation
Thank you!
Did you find that Ansible Tower was required?
really helpful Mark thanks
Glad it was helpful!