Deploying and configuring the F5 NGINX Plus Ingress Controller
Before deploying BMC Helix IT Operations Management (BMC Helix ITOM), you must deploy and configure an NGINX Plus Ingress Controller. The Ingress Controller serves as a reverse proxy and load balancer in Kubernetes. It works by implementing a Kubernetes Ingress, which is an API object that defines rules for routing external traffic to services within the Kubernetes cluster.
Starting with BMC Helix ITOM version 24.3, we support the F5 NGINX Plus Ingress Controller. You can use either the enterprise version (F5 NGINX Plus Ingress Controller) or the open-source version.
To learn more about the F5 NGINX Plus Ingress Controller, see the NGINX Ingress Controller.
Perform the instructions in this topic if:
- You want to install BMC Helix ITOM version 24.3 and use the F5 NGINX Plus Ingress Controller.
- You want to upgrade to BMC Helix ITOM version 24.3 and switch to the F5 NGINX Plus Ingress Controller.
Before you begin
Make sure you have obtained the required licenses to install the F5 NGINX Plus Ingress Controller.
To configure the F5 NGINX Plus Ingress Controller
- Create a namespace called nginx-ingress.
To create an image-registry secret to pull F5 NGINX Plus licensed images from Docker Hub, run the following command:
kubectl create secret docker-registry img-secret --docker-server=<docker image registry> --docker-username=<docker username> --docker-password="<docker password>" -n nginx-ingress
To deploy the F5 NGINX Plus Ingress Controller in the nginx-ingress namespace, run the following Helm command:
helm install nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version <version> --set controller.image.repository=<image repository name> --set controller.nginxplus=true,controller.kind=daemonset,controller.name=daemonset,controller.service.type=LoadBalancer,controller.nginxDebug=true,controller.logLevel=3,controller.ingressClass.name=nginxplus,controller.ingressClass.create=true,controller.enableCustomResources=false,controller.enableSnippets=true,controller.serviceAccount.imagePullSecretName=img-secret -n nginx-ingress
Replace <version> with the version of your F5 NGINX Plus Ingress Controller (for example, 1.0.2) and <image repository name> with the Docker repository name where you pushed the licensed F5 NGINX Plus Ingress Controller images.
For more information, see Installation with Manifests in the F5 NGINX Ingress Controller documentation.
To edit the daemonset, run the following command:
oc edit daemonset nginx-ingress-controller -n nginx-ingress
- In the daemonset, set the following parameters in the securityContext section:
  - securityContext.runAsNonRoot=false
  - securityContext.allowPrivilegeEscalation=true
In the daemonset, make sure the following parameters are set in the args section:
- args:
- -nginx-plus=true
- -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress
- -ingress-class=nginxplus
- -nginx-debug=true
- -v=3
- -external-service=nginx-ingress-daemonset
- -enable-leader-election=true
- -leader-election-lock-name=nginx-ingress-leader-election
- -enable-custom-resources=false
- -enable-snippets=true
- -disable-ipv6=false
To get the F5 NGINX Plus configmap, run the following command:
oc get cm nginx-ingress-config -o yaml -n nginx-ingress
Set the value of the following parameters in the NGINX Plus configmap:
apiVersion: v1
data:
  allow-snippet-annotations: "true"
  client-max-body-size: 250m
  enable-underscores-in-headers: "true"
  error-log-level: debug
  proxy-buffers: "128 4k"
  redirect-to-https: "True"
  server-name-hash-bucket-size: "1024"
  ssl-redirect: "false"
  use-forwarded-headers: "true"
  worker-processes: "40"
  large-client-header-buffers: "4 64k"
To create a TLS secret in the BMC Helix ITOM namespace, run the following command:
oc create secret tls <name of the tls secret> --cert=/path/to/cert.pem --key=/path/to/privkey.pem -n <BMC Helix ITOM namespace>
Example:
oc create secret tls my-tls-secret --cert=/path/to/cert.pem --key=/path/to/privkey.pem -n itom
- Go to the helix-on-prem-deployment-manager/configs/infra.config.
- If you use a self-signed certificate, set the following parameters in the infra.config file:
  - INGRESS_CLASS=nginxplus
  - NGINX_CONTROLLER=NGINX_PLUS
  - INGRESS_TLS_SECRET_NAME=<The TLS secret that you created in the BMC Helix ITOM namespace; for example my-tls-secret.>
  - CUSTOM_CA_SIGNED_CERT_IN_USE=true
- If you use a public CA certificate or are enabling TLS termination at the load balancer, set the following parameters in the infra.config file:
  - INGRESS_CLASS=nginxplus
  - NGINX_CONTROLLER=NGINX_PLUS
  - INGRESS_TLS_SECRET_NAME=Leave this value blank.
  - CUSTOM_CA_SIGNED_CERT_IN_USE=false
When you run the deployment manager, the load balancer URLs become accessible to the applications through the F5 NGINX Plus Ingress Controller.
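As an added example (not part of the BMC documentation or tooling), the following shell function checks the four ingress parameters in infra.config against the two certificate cases above before you run the deployment manager. It assumes infra.config holds plain KEY=VALUE lines; cfg_get and check_infra_config are hypothetical helper names, and the sample file is constructed.

```shell
#!/usr/bin/env bash
# Added example (not BMC's code): lint the ingress parameters in infra.config.
# Assumption: infra.config holds plain KEY=VALUE lines, as shown in the steps.

# Print KEY's value from FILE (last assignment wins), trimmed and unquoted.
cfg_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
    sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Print one line per problem; the exit status is the number of problems.
check_infra_config() {
  local f="$1" n=0 class ctrl secret custom
  class=$(cfg_get "$f" INGRESS_CLASS)
  ctrl=$(cfg_get "$f" NGINX_CONTROLLER)
  secret=$(cfg_get "$f" INGRESS_TLS_SECRET_NAME)
  custom=$(cfg_get "$f" CUSTOM_CA_SIGNED_CERT_IN_USE)
  # Must match controller.ingressClass.name from the Helm install.
  [ "$class" = nginxplus ] ||
    { echo "INGRESS_CLASS is '$class', expected nginxplus"; n=$((n + 1)); }
  [ "$ctrl" = NGINX_PLUS ] ||
    { echo "NGINX_CONTROLLER is '$ctrl', expected NGINX_PLUS"; n=$((n + 1)); }
  case "$custom" in
    true)   # self-signed certificate: the TLS secret must be named
      [ -n "$secret" ] ||
        { echo "CUSTOM_CA_SIGNED_CERT_IN_USE=true but INGRESS_TLS_SECRET_NAME is blank"; n=$((n + 1)); } ;;
    false)  # public CA or TLS terminated at the load balancer: leave blank
      [ -z "$secret" ] ||
        { echo "CUSTOM_CA_SIGNED_CERT_IN_USE=false but INGRESS_TLS_SECRET_NAME is '$secret'"; n=$((n + 1)); } ;;
    *)
      echo "CUSTOM_CA_SIGNED_CERT_IN_USE is '$custom', expected true or false"; n=$((n + 1)) ;;
  esac
  return "$n"
}

# Constructed sample: a wrong ingress class plus a secret name left in place
# while the public-CA flag is set.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
INGRESS_CLASS=nginx
NGINX_CONTROLLER=NGINX_PLUS
INGRESS_TLS_SECRET_NAME=my-tls-secret
CUSTOM_CA_SIGNED_CERT_IN_USE=false
EOF
check_infra_config "$demo_cfg" || echo "$? problem(s) found in sample"
rm -f "$demo_cfg"
```

To check a real file, call check_infra_config with the path to infra.config; an exit status of 0 means the four parameters are consistent with one of the two cases.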