Switching to enterprise F5 NGINX Plus Ingress Controller


Starting with BMC Helix IT Operations Management (BMC Helix ITOM) version 24.3, we support the F5 NGINX Plus Ingress Controller.

To learn more about the F5 NGINX Plus Ingress Controller, see NGINX Ingress Controller.

You can use either the enterprise version of the F5 NGINX Plus Ingress Controller or the open-source version. Use the instructions in this topic to switch to enterprise F5 NGINX Plus Ingress Controller.

Before you begin

Important

When you switch to the enterprise edition of the F5 NGINX Ingress Controller, there will be approximately 30 minutes of downtime.

To switch to enterprise F5 NGINX Plus Ingress Controller

  1. The system administrator must update the F5 NGINX Plus Ingress Controller listening ports in the F5, HAProxy, or DNS box load balancer configurations. 

    Here is an example to update the F5 NGINX Plus Ingress Controller listening ports in the HAProxy load balancer configuration.
    1. To get the service port of the F5 NGINX Plus Ingress Controller, run the following command:

      kubectl get svc -n <F5 NGINX Plus Ingress Controller namespace>

      Example:

      kubectl get svc -n nginx-ingress

      Sample output:

      NAME                      TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
      nginx-ingress-daemonset   LoadBalancer   10.40.135.215   <pending>     80:32321/TCP,443:31805/TCP   26d
    2. Copy the service ports; for example:
      HTTP port - 32321
      HTTPS port - 31805
    3. Go to /etc/haproxy/haproxy.cfg.
    4. Edit the file and replace the HTTP and HTTPS ports.
      Sample configuration:

      backend http_backend
          mode http
          balance roundrobin
          server vl-bmc-domdv123 173.19.121.123:32321 check
          server vl-bmc-domdv456 173.19.121.456:32321 check
          server vl-bmc-domdv789 173.19.120.789:32321 check

      backend https_backend
          mode tcp
          balance roundrobin
          server vl-bmc-domdv123 173.19.121.123:31805 check
          server vl-bmc-domdv456 173.19.121.456:31805 check
          server vl-bmc-domdv789 173.19.120.789:31805 check
    5. To restart HAProxy, run the following command:

      systemctl restart haproxy
  2. To create a TLS secret in the BMC Helix ITOM namespace, run the following command:

    kubectl create secret tls <name of the tls secret> --cert=/path/to/cert.pem --key=/path/to/privkey.pem -n <BMC Helix ITOM namespace>

    Example:

    kubectl create secret tls my-tls-secret --cert=/path/to/cert.pem --key=/path/to/privkey.pem -n itom

    Important

    The TLS secret gets deleted when you uninstall BMC Helix ITOM.

  3. To edit the helixingress-master in the BMC Helix ITOM namespace, run the following command:

    kubectl edit ing -n <BMC Helix ITOM namespace> helixingress-master -o yaml
    1. Add the following snippet under annotations:

      kubernetes.io/ingress.class: nginxplus
      nginx.ingress.kubernetes.io/server-alias: ""
      nginx.org/mergeable-ingress-type: master
      nginx.org/server-snippets: server_name <Tenant-URL>; 

      Replace <Tenant-URL> with the Tenant URL in the following format: $TENANT_NAME-$TENANT_TYPE-$TENANT_ENVIRONMENT.$DOMAIN.
      For example, purplekite-tyrion-dev-mydomain.bmc.com. In the example, purplekite is the TENANT_NAME, tyrion is the TENANT_TYPE, dev is the TENANT_ENVIRONMENT, mydomain.bmc.com is the DOMAIN.

    2. Make sure the spec section includes the TLS entry:

      tls:
          - hosts:
            - <Tenant Host>
            secretName: nginx-tls-secret
  4. Go to the helix-on-prem-deployment-manager/configs/infra.config file.
    • If you use a self-signed certificate, set the following parameters in the infra.config file:
      • INGRESS_CLASS=nginxplus
      • NGINX_CONTROLLER=NGINX_PLUS
      • INGRESS_TLS_SECRET_NAME=<The TLS secret that you created in the BMC Helix ITOM namespace; for example, my-tls-secret>
      • CUSTOM_CA_SIGNED_CERT_IN_USE=true
    • If you use a public CA certificate or are enabling TLS termination at the load balancer, set the following parameters in the infra.config file:
      • INGRESS_CLASS=nginxplus
      • NGINX_CONTROLLER=NGINX_PLUS
      • INGRESS_TLS_SECRET_NAME=
        Leave this value blank.
      • CUSTOM_CA_SIGNED_CERT_IN_USE=false
  5. Go to /helix-on-prem-deployment-manager/utilities/migration/ and execute the following script to update the Ingress class from nginx to nginxplus in all Ingress resources deployed for BMC Helix ITOM 24.3:

    ./update_ingress_class_tls.sh <nginxplus Ingress class name>

    Example:

    ./update_ingress_class_tls.sh nginxplus

    nginxplus is the parameter that you need to provide along with the script.

Confirm that the load balancer URLs are accessible to the applications through the F5 NGINX Plus Ingress Controller.
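
A check for step 1, as an added example that is not part of the BMC documentation: it reads the NodePorts from the PORT(S) column of the service and lists any HAProxy server line that still points at a different port. The function names, node names, 192.0.2.x addresses, and the leftover port 30443 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not BMC's script): find HAProxy servers left on an old NodePort.
# On a live cluster the PORT(S) value comes from `kubectl get svc -n nginx-ingress`.

# nodeport_for PORTS SERVICE_PORT -> NodePort mapped to SERVICE_PORT
nodeport_for() {
  printf '%s\n' "$1" | tr ',' '\n' |
    awk -F'[:/]' -v p="$2" '$1 == p { print $2 }'
}

# stale_servers BACKEND EXPECTED_PORT < haproxy.cfg
# Prints "name address:port" for each server in BACKEND not on EXPECTED_PORT.
stale_servers() {
  awk -v be="$1" -v want="$2" '
    $1 == "backend" { inside = ($2 == be); next }
    $1 ~ /^(frontend|listen|defaults|global)$/ { inside = 0; next }
    inside && $1 == "server" {
      n = split($3, a, ":")
      if (n < 2 || a[n] != want) print $2, $3
    }'
}

# Constructed sample data: PORT(S) as in the sample output above; node names,
# 192.0.2.x addresses and the leftover port 30443 are made up for illustration.
SAMPLE_PORTS='80:32321/TCP,443:31805/TCP'
sample_cfg() {
  cat <<'EOF'
backend http_backend
    mode http
    balance roundrobin
    server node-a 192.0.2.11:32321 check
    server node-b 192.0.2.12:32321 check

backend https_backend
    mode tcp
    balance roundrobin
    server node-a 192.0.2.11:31805 check
    server node-b 192.0.2.12:30443 check
EOF
}

# Compare both backends against the NodePorts for service ports 80 and 443.
check_sample() {
  sample_cfg | stale_servers http_backend "$(nodeport_for "$SAMPLE_PORTS" 80)"
  sample_cfg | stale_servers https_backend "$(nodeport_for "$SAMPLE_PORTS" 443)"
}

check_sample
```

Against the real file, run `stale_servers https_backend 31805 < /etc/haproxy/haproxy.cfg` with the port from your own service; empty output means every server in that backend uses the expected NodePort.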



 
