Deploying and configuring the F5 NGINX Plus Ingress Controller


Before deploying BMC Helix IT Operations Management (BMC Helix ITOM), you must deploy and configure an NGINX Plus Ingress Controller. The Ingress Controller serves as a reverse proxy and load balancer in Kubernetes. It works by implementing a Kubernetes Ingress, which is an API object that defines rules for routing external traffic to services within the Kubernetes cluster.

Starting with BMC Helix ITOM version 24.3, we support the F5 NGINX Plus Ingress Controller. You can use either the enterprise version (F5 NGINX Plus Ingress Controller) or the open-source version.
To learn more about the F5 NGINX Plus Ingress Controller, see the NGINX Ingress Controller.

Perform the instructions in this topic if:

  • You want to install BMC Helix ITOM version 24.3 and use the F5 NGINX Plus Ingress Controller.
  • You want to upgrade to BMC Helix ITOM version 24.3 and switch to the F5 NGINX Plus Ingress Controller.

Important

Skip this topic if you have already configured the NGINX Open Source Ingress Controller and do not want to use the F5 NGINX Plus Ingress Controller.

 

Before you begin

Make sure you have obtained the required licenses to install the F5 NGINX Plus Ingress Controller.

 

To configure the F5 NGINX Plus Ingress Controller

Important

After obtaining the license, you can install the F5 NGINX Plus Ingress Controller by using the Helm charts, manifests, or the NGINX Ingress Operator.

For more information, see NGINX Ingress Controller.

Here, we give an example of installing the F5 NGINX Plus Ingress Controller using the Helm charts.

  1. Create a namespace called nginx-ingress.
  2. To create an image-registry secret to pull F5 NGINX Plus licensed images from the Docker hub, run the following command:

    kubectl create secret docker-registry img-secret --docker-server=<docker image registry> --docker-username=<docker username> --docker-password="<docker password>" -n nginx-ingress
  3. To deploy the F5 NGINX Plus Ingress Controller in the nginx-ingress namespace, run the following Helm command:

    helm install nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version <version> --set controller.image.repository=<image repository name> --set controller.nginxplus=true,controller.kind=daemonset,controller.name=daemonset,controller.service.type=LoadBalancer,controller.nginxDebug=true,controller.logLevel=3,controller.ingressClass.name=nginxplus,controller.ingressClass.create=true,controller.enableCustomResources=false,controller.enableSnippets=true,controller.serviceAccount.imagePullSecretName=img-secret -n nginx-ingress

    Replace <version> with the version of your F5 NGINX Plus Ingress Controller (for example, 1.0.2) and <image repository name> with the Docker repository name where you pushed the licensed F5 NGINX Plus Ingress Controller images.
    For more information, see Installation with Manifests in the F5 NGINX Ingress Controller documentation.

  4. To edit the daemonset, run the following command:

    Important

    Here, we are deploying the F5 NGINX Plus Ingress Controller as a daemonset. You could also deploy it as a deployment.

    oc edit daemonset nginx-ingress-controller -n nginx-ingress
    1. In the daemonset, set the following parameters in the securityContext section:
      • securityContext.runAsNonRoot: false
      • securityContext.allowPrivilegeEscalation: true
    2. In the daemonset, make sure the following parameters are set in the args section:

      - args:
              - -nginx-plus=true
              - -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress
              - -ingress-class=nginxplus
              - -nginx-debug=true
              - -v=3
              - -external-service=nginx-ingress-daemonset
              - -enable-leader-election=true
              - -leader-election-lock-name=nginx-ingress-leader-election
              - -enable-custom-resources=false
              - -enable-snippets=true
              - -disable-ipv6=false
  5. To get the F5 NGINX Plus configmap, run the following command:

    oc get cm nginx-ingress-config -o yaml -n nginx-ingress
  6. Set the value of the following parameters in the NGINX Plus configmap:

    apiVersion: v1
    data:
      allow-snippet-annotations: "true"
      client-max-body-size: 250m
      enable-underscores-in-headers: "true"
      error-log-level: debug
      proxy-buffers: "128 4k"
      redirect-to-https: "True"
      server-name-hash-bucket-size: "1024"
      ssl-redirect: "false"
      use-forwarded-headers: "true"
      worker-processes: "40"
      large-client-header-buffers: "4 64k"
  7. To create a TLS secret in the BMC Helix ITOM namespace, run the following command:

    oc create secret tls <name of the tls secret> --cert=/path/to/cert.pem --key=/path/to/privkey.pem -n <BMC Helix ITOM namespace>

    Example:

    oc create secret tls my-tls-secret --cert=/path/to/cert.pem --key=/path/to/privkey.pem -n itom

    Important

    The TLS secret gets deleted when you uninstall BMC Helix ITOM.

  8. Go to the helix-on-prem-deployment-manager/configs/infra.config file.
    • If you use a self-signed certificate, set the following parameters in the infra.config file:
      • INGRESS_CLASS=nginxplus
      • NGINX_CONTROLLER=NGINX_PLUS
      • INGRESS_TLS_SECRET_NAME=<The TLS secret that you created in the BMC Helix ITOM namespace; for example my-tls-secret.>
      • CUSTOM_CA_SIGNED_CERT_IN_USE=true
    • If you use a public CA certificate or are enabling TLS termination at the load balancer, set the following parameters in the infra.config file:
      • INGRESS_CLASS=nginxplus
      • NGINX_CONTROLLER=NGINX_PLUS
      • INGRESS_TLS_SECRET_NAME=<Leave this value blank.>
      • CUSTOM_CA_SIGNED_CERT_IN_USE=false
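
A pre-flight check for the step 8 settings, added here as an example (it is not BMC or F5 tooling). It assumes infra.config holds plain KEY=value lines; the function names get_param and check_infra_config are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the BMC deployment manager.
# Assumes infra.config uses plain KEY=value lines, as shown in step 8.

# get_param FILE KEY: print the value of the last "KEY=value" line (quotes stripped).
get_param() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"\r' | sed 's/[[:space:]]*$//'
}

# check_infra_config FILE: return 0 if the ingress settings match one of the
# two combinations in step 8, 1 if they are inconsistent, 2 if unreadable.
check_infra_config() {
    cfg=$1
    rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    class=$(get_param "$cfg" INGRESS_CLASS)
    ctrl=$(get_param "$cfg" NGINX_CONTROLLER)
    secret=$(get_param "$cfg" INGRESS_TLS_SECRET_NAME)
    custom=$(get_param "$cfg" CUSTOM_CA_SIGNED_CERT_IN_USE)

    [ "$class" = nginxplus ] || { echo "INGRESS_CLASS is '$class', expected nginxplus"; rc=1; }
    [ "$ctrl" = NGINX_PLUS ] || { echo "NGINX_CONTROLLER is '$ctrl', expected NGINX_PLUS"; rc=1; }
    case $custom in
        true)   # self-signed certificate: the TLS secret from step 7 must be named
            [ -n "$secret" ] || { echo "INGRESS_TLS_SECRET_NAME is empty but CUSTOM_CA_SIGNED_CERT_IN_USE=true"; rc=1; } ;;
        false)  # public CA or TLS terminated at the load balancer: no secret name
            [ -z "$secret" ] || { echo "INGRESS_TLS_SECRET_NAME='$secret' but CUSTOM_CA_SIGNED_CERT_IN_USE=false"; rc=1; } ;;
        *)
            echo "CUSTOM_CA_SIGNED_CERT_IN_USE is '$custom', expected true or false"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample (the self-signed case from step 8), checked when the script runs.
sample=$(mktemp)
printf '%s\n' 'INGRESS_CLASS=nginxplus' 'NGINX_CONTROLLER=NGINX_PLUS' \
    'INGRESS_TLS_SECRET_NAME=my-tls-secret' 'CUSTOM_CA_SIGNED_CERT_IN_USE=true' > "$sample"
check_infra_config "$sample" && echo "infra.config ingress settings are consistent"
rm -f "$sample"
```

To check a real file, call check_infra_config with the path to helix-on-prem-deployment-manager/configs/infra.config before you run the deployment manager.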

When you run the deployment manager, the load balancer URLs become accessible to the applications through the F5 NGINX Plus Ingress Controller.

 

 

 
