Control F5 load balancer config
An F5 to manage
You assign this to a node to manage an F5 devices
node['f5-bigip']['credentials']['databag']
- Databag with credentialsnode['f5-bigip']['credentials']['item']
- Databag Item with credentialsnode['f5-bigip']['credentials']['key']
- Key in Databag Item with credentialsnode['f5-bigip']['credentials']['host_is_key']
- Set to true to grab specific credentials for each f5 host based on f5 hostname being used as a key in the specified databag::itemnode['f5-bigip']['provisioner']['databag']
- Databag that contains an item for each f5 you want to manage withf5::provisioner
. Check test/integration/data_bags/f5-provisioner-* for sample data bag structures.
This definition is a wrapper for the f5_ltm_node
, f5_ltm_pool
and f5_ltm_virtual_server
LWPRs. It allows you to specify all the required info into the f5_vip
definition which will then be translated into the necessary LWRP declarations.
Attr | Default/Req? | Type | Description |
---|---|---|---|
f5 | REQUIRED | String | f5 to create the node on |
nodes | REQUIRED | Array[String] | Nodes (ip addresses) to load balance the VIP against |
pool | REQUIRED | String | Name to create node with |
lb_method | LB_METHOD_ROUND_ROBIN |
String | Load balancing method |
monitors | [] | Array[String] | Monitors to check that nodes are available |
virtual_server | resource's name | String | Name of virtual server to create on f5 |
destination_address | REQUIRED | String | Destination IP Address |
destination_port | 443 | Integer | Destination Port |
vlan_state | 'STATE_DISABLED' | String | Wether list of VLANs are disabled or enabled |
vlans | [] | Array[String] | List of VLANs to enabled or disable based on vlan_state |
profiles | [{ 'profile_context' => 'PROFILE_CONTEXT_TYPE_ALL', 'profile_name' => '/Common/tcp' }] |
Array[Hash] | Profiles to associate to virtual server |
snat_type | 'SRC_TRANS_NONE' | String | Snat type to set on virtual server |
snat_pool | '' | String | Snat pool to use if snat_type set to 'SRC_TRANS_SNATPOOL', otherwise ignored |
default_persistence_profile | '' | String | Default persistence profile to associate with virtual server |
fallback_persistence_profile | '' | String | Fallback persistence profile to associate with virtual server |
rules | [] | Array[String] | iRules to associate with virtual server |
The simplest VIP declartion that takes as many defaults as possible:
f5_vip 'testing.test.com' do
f5 'test-f5.test.com'
nodes ['10.10.10.10', '10.10.10.11']
pool 'test-pool'
destination_address '192.168.1.10'
end
It will create
- Two nodes, named after their ip addresses
- A pool referencing the nodes as members with no monitors
- A virtual server listening on
<destination_address>:443
A fully user defined VIP:
f5_vip 'testing.test.com' do
f5 'test-f5.test.com'
nodes ['10.10.10.10', '10.10.10.11']
member_port 4443
pool 'test-pool'
lb_method 'LB_METHOD_RATIO_MEMBER'
monitors ['/Common/https', '/Common/tcp']
destination_address '192.168.1.10'
destination_port 8443
profiles [
{ 'profile_context' => 'PROFILE_CONTEXT_TYPE_ALL', 'profile_name' => '/Common/tcp' },
{ 'profile_context' => 'PROFILE_CONTEXT_TYPE_ALL', 'profile_name' => '/Common/http' }
]
vlan_state 'STATE_ENABLED'
vlans ['/Common/vlan123', '/Common/vlan234']
snat_type 'SRC_TRANS_SNATPOOL'
snat_pool '/Common/snat_pool'
default_persistence_profile '/Common/test_persistence_profile'
fallback_persistence_profile '/Common/test2_persistence_profile'
rules ['/Common/_sys_auth_ldap', '/Common/_sys_auth_radius']
end
These LWRPs allow you to idempotently manage various F5 resources. This is accomplished by using a 'proxy' node that manages the F5 through the use of the F5's APIs.
f5_ltm_node
- Used to manage nodes.
Attr | Default/Req? | Type | Description |
---|---|---|---|
node_name | The resource name | String | Name to create node with |
address | node_name |
String | IP address to create node with |
f5 | REQUIRED | String | f5 to create the node on |
enabled | true |
true/false | State node should be in |
If the address
attribute is unset, the node_name
(which in turn defaults to the resource's name) will be used instead.
The following creates a node with name and address of 10.10.10.10
:
f5_ltm_node '10.10.10.10' do
f5 'f5-test.test.com'
enabled true
end
The following creates a node named test-node.test.com
with 10.10.10.10
as the ip address:
f5_ltm_node 'test-node.test.com' do
address '10.10.10.10'
f5 'f5-test.test.com'
enabled true
end
f5_ltm_pool
- Used to manage pools
Attr | Default/Req? | Type | Description |
---|---|---|---|
pool_name | The resource name | String | Name to create node with |
f5 | REQUIRED | String | f5 to create the node on |
lb_method | LB_METHOD_ROUND_ROBIN |
String | Load balancing method |
monitors | [] | Array[String] | Monitors to check that pool members are available |
members | [] | Array[Hash] | Members to add to the pool |
f5_ltm_pool 'test' do
f5 'f5-test.test.com'
lb_method 'LB_METHOD_ROUND_ROBIN'
monitors ['http']
members [
{
'address' => '10.10.10.10',
'port' => 80,
'enabled' => true
},
{
'address' => '10.10.10.11',
'port' => 80,
'enabled' => true
}
]
end
f5_ltm_monitor
- Used to manage monitors.
Attr | Default/Req? | Type | Description |
---|---|---|---|
monitor_name | resource's name | String | Name of monitor to create on f5 |
f5 | REQUIRED | String | f5 to create the node on |
parent | 'https' | String | Name of parent monitor |
interval | 5 | Integer | Monitor interval |
timeout | 16 | Integer | Monitor timeout |
dest_addr_type | 'ATYPE_STAR_ADDRESS_EXPLICIT_PORT' | String | Address types used to differentiate various node definitions |
dest_addr_ip | '0.0.0.0' | String | IP address |
dest_addr_port | 443 | Integer | Port |
user_values | {} | Hash | Hash of user specific values |
f5_ltm_monitor 'test' do
f5 'f5-test.test.com'
parent '/Common/new_https'
interval 20
timeout 40
end
f5_ltm_virtual_server
- Used to manage virtual servers
Attr | Default/Req? | Type | Description |
---|---|---|---|
vs_name | resource's name | String | Name of virtual server to create on f5 |
f5 | REQUIRED | String | f5 to create the node on |
destination_address | REQUIRED | String | Destination IP Address |
destination_port | REQUIRED | Integer | Destination Port |
default_pool | REQUIRED | String | Pool for virtual server to use |
vlan_state | 'STATE_DISABLED' | String | Wether list of VLANs are disabled or enabled |
vlans | [] | Array[String] | List of VLANs to enabled or disable based on vlan_state |
profiles | [{ 'profile_context' => 'PROFILE_CONTEXT_TYPE_ALL', 'profile_name' => '/Common/tcp' }] |
Array[Hash] | Profiles to associate to virtual server |
snat_type | 'SRC_TRANS_NONE' | String | Snat type to set on virtual server |
snat_pool | '' | String | Snat pool to use if snat_type set to 'SRC_TRANS_SNATPOOL', otherwise ignored |
default_persistence_profile | '' | String | Default persistence profile to associate with virtual server |
fallback_persistence_profile | '' | String | Fallback persistence profile to associate with virtual server |
rules | [] | Array[String] | iRules to associate with virtual server |
enabled | true | true/false | Enable or disable the virtual server |
f5_ltm_virtual_server 'vs_new' do
f5 'f5-test.test.com'
destination_address '10.11.10.10'
destination_port 80
default_pool 'new'
enabled true
end
f5-bigip::default
- install the required packages and gems required to interact with the F5 API.f5-bigip::provisioner
- Make the node that is assigned this recipe an f5 provisioner system. This recipe will dynamically define LWRPs to create the nodes, pools and virtual servers as defined by the databag valuenode['f5']['provisioner']['databag']
.- Each item in the databag represents an F5
- Basically lets you define your F5 with JSON
- Example @ test/integration/data_bags/f5-provisioner-1/test.json
Installing gems with bundler is a little different then normal in this case. The f5-icontrol gem supported by F5 is not on rubygems.org. There IS an f5-icontrol gem on rubygems.org that is not what we want that someone else created.
So for convenience the f5-icontrol gem from F5 is included with this cookbook. For spec testing the Gemfile references f5-icontrol. Using the :path
option to reference the local gem does not work per rubygems/bundler#2298. So I used the workaround described in the referenced issue.
bundle install --no-cache
Then run the tests!
bundle exec foodcritic -f any -f ~FC015 -X spec .
bundle exec rspec --color --format progress
bundle exec rubocop
This cookbook uses Vagrant combined with Virtualbox and chef-minitest for testing. It would be great to use test-kitchen instead. Unfortunately there are several reason Vagrant is a better solution for this cookbook:
- test-kitchen does not support multiple VMs natively
- test-kitchen does not support multiple converges
- test-kitchen creates/destroys the environment every run making testing take longer
- Testing for this cookbook can be done with Vagrant's 'provision' which leaves the VMs up and running. test-kitchen was taking about 5min per test run whereas Vagrant takes 45 seconds per test run.
To use Vagrant you'll first need to make sure you have the following vagrant plugins:
- vagrant-omnibus (1.4.1 tested)
- vagrant-berkshelf (3.0.1 tested)
You'll need to modify test/integration/data_bags/f5/creds.json with the correct username/password.
Then you'll need to update hostname
in test/integration/data_bags/f5-provisioner-1/test.json and test/integration/data_bags/f5-provisioner-2/test.json with the IP address of the F5 to connect to.
Finally, update any IPs in the minitest files with the IP of your F5: files/default/tests/minitest/create_test.rb, files/default/tests/minitest/provisioner_test.rb
Now you should be able to create an admin node AND run a test:
vagrant up admin
After the VM have been created subsequent testing can be done by doing:
vagrant provision admin
If you have access to an F5 VE Vagrant box
Create test environment AND run a test:
vagrant up
After the VMs have been created subsequent testing can be done by doing:
vagrant provision
Author:: Jacob McCann (jacob.mccann2@target.com)
Copyright:: 2013, Target Corporation
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.