diff --git a/README.md b/README.md index 700965c44..2334436f7 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ Support for Custom Resource Definitions [Documentation](https://github.com/F5Net Getting Help ------------ -We encourage you to use the cis-kubernetes channel in our [f5CloudSolutions Slack workspace](https://f5cloudsolutions.herokuapp.com/) for discussion and assistance on this +We encourage you to use the cis-kubernetes channel in our [f5CloudSolutions Slack workspace](https://f5cloudsolutions.slack.com/) for discussion and assistance on this controller. This channel is typically monitored Monday-Friday 9am-5pm MST by F5 employees who will offer best-effort support. diff --git a/docs/RELEASE-NOTES.rst b/docs/RELEASE-NOTES.rst index 94129d8ff..a5b23f434 100644 --- a/docs/RELEASE-NOTES.rst +++ b/docs/RELEASE-NOTES.rst 
@@ -7,38 +7,43 @@ Next Release Added Functionality ``````````````````` **What’s new:** - * Next generation routes preview. Refer `Documentation `_ for more details - * Support for health monitors using route annotations See `Examples `_ + * Next generation routes preview. Refer `Documentation `_ for more details. * Policy CR integration with extended ConfigMap - * Support for TLS profiles as K8S secrets in route annotations. See `Examples `_ - * Support Path based A/B deployment for Re-encrypt termination - * Support to create Health Monitor from the pod liveness probe that route exposes. Refer `Documentation `_ for more details + * EDNS CR integration with extended ConfigMap * Support for Default SSL profiles from baseRouteSpec in extended Configmap - * GSLB support for routes in AS3 mode + * Support Path based A/B deployment for Re-encrypt termination + * Support for TLS profiles as K8S secrets in route annotations. See `Examples `_ * Support for TLS profiles as route annotations. See `Examples `_ + * Support for health monitors using route annotations See `Examples `_ + * Support to create Health Monitor from the pod liveness probe for routes. Refer `Documentation `_ for more details * CRD * CIS configures GTM configuration in default partition * Pool reselect support for VS and TS - * :issues:`2469` Support for virtual server grouping by hostgroup across namespaces.From 2.11, hostGroup should be unique across namespaces.See `Examples `_ - * Support to provide the same VIP for TS and VS CRs using hostGroup. See `Examples `_ - * Support AS3 GTM Agent * Support for allowVlans with policy CR. - * Support for custom persistence profile. See `Examples `_ - * :issues:`2585` Support for multiple clientssl & serverssl profiles in TLS Profiles. See `Examples `_ + * Support for --cccl-gtm-agent deployment parameter to set the gtm agent + * Support to provide the same VIP for TS and VS CRs using hostGroup. 
See `Examples `_ * :issues:`2420` Support for nodeMemberLabel in Transport Server pool. See `Examples `_ + * :issues:`2469` Support for virtual server grouping by hostgroup across namespaces.From 2.11, hostGroup should be unique across namespaces.See `Examples `_ + * :issues:`2585` Support for multiple clientssl & serverssl profiles in TLS Profiles. See `Examples `_ + * :issues:`2637` Support for custom persistence profile. See `Examples `_ + * Ingress - * Support for sslProfile in HTTPS health monitors for ingress. `Examples `_ * Support for Translate Address annotation in ingress. + * Support for sslProfile in HTTPS health monitors for ingress. `Examples `_ Bug Fixes ```````````` - +* :issues:`2581` IPAM to provide the same IP for different TS * :issues:`2586` Update ExternalIP of associated services of Type LB for VS and IngressLink CR +* :issues:`2609` TargetPort support for string with NPL +* :issues:`2626` Process IngressLink on K8S node update * Fix to remove old ingress monitor when type gets modified * Fix to send AS3 declaration for the recreated domain after IPAM controller restart -* :issues:`2581` IPAM to provide the same IP for different TS -* :issues: `2609` TargetPort support for string with NPL -* :issues:`2626` Process IngressLink on K8S node update + +FIC Helm Chart Fixes +`````````````````````` +* :issues:`130` IPAM Helm Deployment strategy should be recreate + 2.10.1 ------------- diff --git a/docs/config_examples/next-gen-routes/README.md b/docs/config_examples/next-gen-routes/README.md index 7553411e6..e39e0ffce 100644 --- a/docs/config_examples/next-gen-routes/README.md +++ b/docs/config_examples/next-gen-routes/README.md 
@@ -5,36 +5,39 @@ This page documents the behaviour of NextGenController. This is a preview releas [Overview](#overview) -[Multiple VIP and Partition support for routes](#multiple-vip-and-partition-support-for-routes) - [Prerequisites](#prerequisites) [Configuration](#configuration) -[ExtendedSpecConfigmap](#extendedspecconfigmap) +[ExtendedSpecConfigMap](#extendedspecconfigmap) [Examples](#examples) [Known Issues](#known-issues) +[FAQ](#faq) + ## Overview -NextGenRoute Controller uses extendedConfigMap for extending the native resources (routes/ingress). Routes are extended using ConfigMap in this preview release. It also adds support for multi-partition and policy CR. +NextGen Controller uses extendedConfigMap for extending the native resources (routes). Routes are extended using ConfigMap in this release. NextGen Routes implementation also support for multi-partition, policy CR and externalDNS CR. -## Multiple VIP and Partition support for routes +### Multiple VIP and Partition support for routes * Current CIS implementation creates a single VIP and partition for all the routes configured. This is implemented to add support for creating multiple VIP in BIG-IP mapping to route groups created per namespace/namespaceLabel. -* All the routes in the namespace/namespaceLabel are treated as part of one routegroup in this preview release. -* One virtual server(VIP) is created for each routegroup and maps to each tenant on BIG-IP. +* All the routes in the namespace/namespaceLabel are treated as part of one routegroup in this implementation. +* One virtual server(VIP) is created for each routegroup and maps to defined/default tenant on BIG-IP. * CIS processes multiple tenant information and still sends the single unified declaration to BIG-IP to avoid multiple posts to BIG-IP. **Note**: AS3 post call is formed as mgmt/shared/appsvcs/declare/tenant1,tenant2. 
-## GSLB support for routes +### GSLB support for routes For every EDNS resource created, CIS will add VS having matching domain as the Wide IP pool member. -## Policy CR support for routes -Policy CR integration with nextGenRoutes extends so many BIG-IP features to the Openshift routes, i.e. snat, custom tcp, http and https profiles, irules, http2 profile, persistance profile, profileMultiplex, profileL4, logProfiles, waf, botDefense, firewallPolicy, dos, allowSourceRange, etc. +### Policy CR support for routes +Policy CR integration with nextGenRoutes extends so many BIG-IP features to the Openshift routes, i.e. snat, custom tcp, http and https profiles, irules, http2 profile, persistance profile, profileMultiplex, profileL4, logProfiles, waf, botDefense, firewallPolicy, dos, allowSourceRange, etc. + +### Support for Health Monitors from pod liveness probe +CIS uses the liveness probe of the pods to form the health monitors, whenever health annotations not provided in the route annotations, ## Prerequisites 
@@ -52,24 +55,24 @@ Policy CR integration with nextGenRoutes extends so many BIG-IP features to the ## Configuration -* Routegroup specific config for each namespace/namespaceLabel is provided as part of extendedSpec through Configmap. -* Global Configmap can be set using CIS deployment argument --route-spec-configmap="namespace/configmap-name" +* Routegroup specific config for each namespace/namespaceLabel is provided as part of extendedSpec through ConfigMap. +* Global ConfigMap can be set using CIS deployment argument --route-spec-configmap="namespace/configmap-name" * Controller mode should be set to Openshift to enable multiple VIP support(--controller-mode="openshift") -## ExtendedSpecConfigmap: +## Extended Spec ConfigMap: -* ExtendedSpecificConfimap is used to provide common config for routegroup like virtualservername, virtualserveraddress, policyCR, etc., which is applied to all routes in the group. -* Routegroup specific config for each namespace/namespaceLabel is provided as part of extendedRouteSpec in global configmap. +* Extended spec ConfigMap is used to provide common config for routegroup like virtualservername, virtualserveraddress, policyCR, etc., which is applied to all routes in the group. +* Routegroup specific config for each namespace/namespaceLabel is provided as part of extendedRouteSpec in global ConfigMap. -### Global Configmap +### Global ConfigMap -* Global configmap provides control to the admin to create and maintain the resource configuration centrally. -* RBAC can be used to restrict modification of global configmap by users with tenant level access. +* Global ConfigMap provides control to the admin to create and maintain the resource configuration centrally. +* RBAC can be used to restrict modification of global ConfigMap by users with tenant level access. 
* If any specific tenant requires modify access for routeconfig of their namespace, the admin can grant access by setting **allowOverride** to true in the extendedRouteSpec of the namespace. -* Base route configuration can be defined in Global ConfigMap. This cannot be overridden from local configmap. This is an alternative to CIS deployment arguments. +* Base route configuration can be defined in Global ConfigMap. This cannot be overridden from local ConfigMap. This is an alternative to CIS deployment arguments. -### Local Configmap +### Local ConfigMap * Local ConfigMap is used to specify route config for namespace and allows tenant users access to fine-tune the route config. It is processed by CIS only when allowOverride is set to true in global ConfigMap for this namespace. * Only one local ConfigMap is allowed per namespace. Local ConfigMap must have only one entry in the extendedRouteSpec list and that should be the current namespace only. 
@@ -83,30 +86,58 @@ Base route configuration can be defined in Global ConfigMap. This cannot be over | Parameter | Required | Description | Default | ConfigMap | |-------------|----------|---------------------------------------------------------------------------------------------------------------------------|---------| --------- | -| tlsCipher | Optional | Block to define TLS cipher parameters | N/A | Global configMap | -| tlsVersion | Optional | Configures TLS version to be enabled on BIG-IP. TLS 1.3 is only supported on TMOS version 14.0+. | 1.2 | Global configMap | -| ciphers | Optional | Configures a ciphersuite selection string. Cipher-group and ciphers are mutually exclusive; only use one. | DEFAULT | Global configMap | -| cipherGroup | Optional | Configures a cipher group in BIG-IP and references it here. Cipher group and ciphers are mutually exclusive; only use one. | /Common/f5-default | Global configMap | +| tlsCipher | Optional | Block to define TLS cipher parameters | N/A | Global ConfigMap | +| defaultTLS | Optional | Configures a cipher group in BIG-IP and references it here. Cipher group and ciphers are mutually exclusive; only use one. | /Common/f5-default | Global ConfigMap | - **Note**: 1. ciphers and cipherGroups are mutually exclusive. cipherGroup is considered for tls version 1.3 and ciphers for tls version 1.2. +``` + tlsCipher: + tlsVersion: 1.3 + cipherGroup: /Common/f5-default +``` + +**Note**: 1. ciphers and cipherGroups are mutually exclusive. cipherGroup is considered for tls version 1.3 and ciphers for tls version 1.2. + +#### tlsCipher Config Parameters +| Parameter | Required | Description | Default | ConfigMap | +|-------------|----------|---------------------------------------------------------------------------------------------------------------------------|---------| --------- | +| tlsVersion | Optional | Configures TLS version to be enabled on BIG-IP. TLS 1.3 is only supported on TMOS version 14.0+. 
| 1.2 | Global ConfigMap | +| ciphers | Optional | Configures a ciphersuite selection string. Cipher-group and ciphers are mutually exclusive; only use one. | DEFAULT | Global ConfigMap | +| cipherGroup | Optional | Configures a cipher group in BIG-IP and references it here. Cipher group and ciphers are mutually exclusive; only use one. | /Common/f5-default | Global ConfigMap | + +#### defaultTLS Config Parameters + +| Parameter | Required | Description | Default | ConfigMap | +| --------- | -------- | ----------- | ------- | --------- | +| clientSSL | Optional | client SSL profile | - | Global ConfigMap | +| serverSSL | Optional | server SSL profile | - | Global ConfigMap | +| reference | Mandatory | Profile Object type | - | Global ConfigMap | + +* defaultTLS schema: +``` + defaultTLS: + clientSSL: /Common/clientssl + serverSSL: /Common/serverssl + reference: bigip +``` ### Route Group Parameters | Parameter | Required | Description | Default | ConfigMap | | --------- | -------- | ----------- | ------- | --------- | -| allowOverride | Optional | Allow users to override the namespace config | - | Global configMap only | -| bigIpPartition | Optional | Partition for creating the virtual server | Partition which is defined in CIS deployment parameter | Global configMap only | -| namespaceLabel | Mandatory | namespace-label to group the routes* | - | Global configMap only | -| policyCR | Optional | Name of Policy CR to attach profiles/policies defined in it. 
| - | Local and Global configMap | -| namespace | Mandatory | namespace to group the routes | - | Local and Global configMap | -| vsAddress | Mandatory | BigIP Virtual Server IP Address | - | Local and Global configMap | -| vsName | Optional | Name of BigIP Virtual Server | auto | Local and Global configMap | +| allowOverride | Optional | Allow users to override the namespace config | - | Global ConfigMap only | +| bigIpPartition | Optional | Partition for creating the virtual server | Partition which is defined in CIS deployment parameter | Global ConfigMap only | +| namespaceLabel | Mandatory | namespace-label to group the routes* | - | Global ConfigMap only | +| policyCR | Optional | Name of Policy CR to attach profiles/policies defined in it. | - | Local and Global ConfigMap | +| namespace | Mandatory | namespace to group the routes | - | Local and Global ConfigMap | +| vsAddress | Mandatory | BigIP Virtual Server IP Address | - | Local and Global ConfigMap | +| vsName | Optional | Name of BigIP Virtual Server | auto | Local and Global ConfigMap | **Note**: 1. namespaceLabel is mutually exclusive with namespace parameter. - 2. --namespace-label parameter has to be defined in CIS deployment to use the namespaceLabel in extended configMap. + 2. --namespace-label parameter has to be defined in CIS deployment to use the namespaceLabel in extended ConfigMap. + ## Example Global & Local ConfigMap with namespace parameter -**Example: Global Configmap** +**Example: Global ConfigMap** ``` apiVersion: v1 data: @@ -128,7 +159,7 @@ metadata: name: global-cm namespace: default ``` -**Example: Local Configmap** +**Example: Local ConfigMap** ``` apiVersion: v1 data: @@ -145,7 +176,7 @@ metadata: namespace: tenant1 ``` -**Example: Global Configmap with Base Route Configuration** +**Example: Global ConfigMap with Base Route Configuration** ``` apiVersion: v1 data: 
@@ -365,7 +396,7 @@ spec: ![partition config](bigip-config3.png?raw=true "BIGIP config") ## Example Global ConfigMap with namespaceLabel parameter -**Example: Global Configmap** +**Example: Global ConfigMap** ``` apiVersion: v1 data: @@ -550,7 +581,7 @@ Please refer to the [examples](https://github.com/F5Networks/k8s-bigip-ctlr/tree ## Known issues * Route status is not updated when the service is deleted for NextGen Routes. -* CIS processes the latest local extended configMap when there are multiple extended local configMap. +* CIS processes the latest local extended ConfigMap when there are multiple extended local ConfigMap. * CIS allows insecure traffic if the URI path is included with CAPITAL letters for NextGen Routes. * CIS delays processing the changes in other tenants if any one of the tenant receives a 422 error (takes upto 60 seconds). * CIS is not detecting namespaceLabel update in global config map. 
@@ -562,26 +593,28 @@ Please refer to the [examples](https://github.com/F5Networks/k8s-bigip-ctlr/tree ### Is exteneded confiMap mandatory? Yes. CIS fails to start without `--route-spec-configmap` value provided. CIS logs `invalid value provided for --route-spec-configmap` and exits -### What happens if configMap is not created or deleted? -If referenced configmap with --route-spec-configmap is not created, CIS logs below error and doesn't process any routes. +### What happens if ConfigMap is not created or deleted? +If referenced ConfigMap with --route-spec-configmap is not created, CIS logs below error and doesn't process any routes. ``` -[ERROR] Unable to Get Extended Route Spec Config Map: default/global-cm, configmaps "global-cm" not found. +[ERROR] Unable to Get Extended Route Spec Config Map: default/global-cm, ConfigMaps "global-cm" not found. ``` -CIS uses cache to store extendedRouteSpec information. Even if configmap is deleted, the information loaded initially is thus used for route processing. -### Can I create multiple global extended configmap ? -CIS only uses configmap provided through --route-spec-configmap argument. -### Do I need to modify existing routes for extended configMap support? +CIS uses cache to store extendedRouteSpec information. Even if ConfigMap is deleted, the information loaded initially is thus used for route processing. +### Can I create multiple global extended ConfigMap ? +CIS only uses ConfigMap provided through --route-spec-configmap argument. +### Do I need to modify existing routes for extended ConfigMap support? No. ### What are the supported routes? Edge re-encrypt and passthrough routes are supported. ### What are the supported insecureEdgeTerminations? allow, redirect and none termination supported with edge routes, while re-encrypt routes supports redirect and none terminations. ### Do we support bigIP referenced SSL Profiles annotations on routes? -You can define SSL profiles in extended configMap. 
+Yes you can continue the SSL Profiles in route annotations. +### Do we support Kubernetes secrets in SSL Profiles annotations on routes? +Yes you can define the Kubernetes secret in route's SSL annotations. ### Can we configure health monitors using route annotations? -Yes you can continue the health monitors using route annotations. -### Which fields are optional in the extended configMap? +Yes you can continue using the health monitors in route annotations. +### Which fields are optional in the extended ConfigMap? iRules is optional values. ### Any changes in RBAC? No. diff --git a/docs/config_examples/next-gen-routes/configmap/extendedRouteConfigwithBaseConfig.yaml b/docs/config_examples/next-gen-routes/configmap/extendedRouteConfigwithBaseConfig.yaml index 79deeff83..c20cedf7d 100644 --- a/docs/config_examples/next-gen-routes/configmap/extendedRouteConfigwithBaseConfig.yaml +++ b/docs/config_examples/next-gen-routes/configmap/extendedRouteConfigwithBaseConfig.yaml @@ -19,6 +19,6 @@ data: vserverAddr: 10.8.0.4 vserverName: nextgenroutes allowOverride: true - - allowOverride: false - namespace: bar + - namespace: bar vserverAddr: 10.8.0.5 + allowOverride: false diff --git a/docs/config_examples/next-gen-routes/migration-guide.md b/docs/config_examples/next-gen-routes/migration-guide.md new file mode 100644 index 000000000..ba370cccf --- /dev/null +++ b/docs/config_examples/next-gen-routes/migration-guide.md 
@@ -0,0 +1,222 @@ +# Migrating to NextGen Routes(**For Preview Release only**) + +### Contents + +[Overview](#overview) + +[Prerequisites](#prerequisites) + +[Deprecated Annotations](#deprecated-annotations) + +[Example Migration to nextGen Routes](#example-migration-to-nextgen-routes) + + +## Overview +NextGenRoute Controller uses extendedConfigMap for extending the native resources (routes). All the routes are group by namespaces or namespace-labels into RouteGroups. Each RouteGroup shares the same vsAddress, vsName and policy CR which is specified in extendedConfigMap. +In order to migrate to nextGen we first need to create an extended ConfigMap and policy CR then modify the CIS deployment accordingly. Refer `NextGen Route Documentation `_ for more details + +## Prerequisites +Stop the running CIS. + +## Deprecated Annotations + +* "virtual-server.f5.com/allow-source-range" or "virtual-server.f5.com/whitelist-source-range" annotation is deprecate, you can define the allow-source-range in Policy CR. See Step-3 below. +* "virtual-server.f5.com/waf" - This annotation is deprecate, you can define the waf in Policy CR. See Step-3 below. + +**Note**: You can still keep the annotations in your routes. CIS will simply ignore to process these annotations. + +## Example Migration to nextGen Routes + +### Old Configuration + +Consider CIS configured to manage Routes with following configuration. 
+ +CIS Deployment Arguments: + + ``` + args: [ + "--bigip-username=admin", + "--bigip-password=admin", + "--bigip-url=10.10.10.20", + "--bigip-partition=openshift", + "--pool-member-type=cluster", + "--openshift-sdn-name=/Common/openshift_vxlan", + "--manage-routes=true", + "--namespace=f5demo", + "--namespace=f5demo2", + "--route-vserver-addr=10.192.75.107", + "--log-level=DEBUG", + "--log-as3-response=true", + "--route-http-vserver=test_unsecure_vs", + "--route-https-vserver=test_secure_vs", + "--default-client-ssl=/Common/clientssl", + "--default-server-ssl=/Common/serverssl", + "--tls-version=1.3", + "--cipher-group=/Common/f5-default", + "--insecure=true", + "--route-label=f5type=systest", + ] + ``` + +Sample Route: + + ``` + apiVersion: route.openshift.io/v1 + kind: Route + metadata: + annotations: + virtual-server.f5.com/clientssl: /Common/bar-clientssl + virtual-server.f5.com/serverssl: /Common/bar-serverssl + virtual-server.f5.com/balance: least-connections-node + virtual-server.f5.com/allow-source-range: "1.2.3.4/32,2.2.2.0/24" + virtual-server.f5.com/waf: /Common/WAF_Policy + virtual-server.f5.com/health: | + [ + { + "path": "pytest-bar-1.com/", + "send": "HTTP GET /", + "interval": 5, + "timeout": 10 + } + ] + labels: + f5type: systest + name: svc-pytest-bar-1-com + namespace: f5demo + spec: + host: pytest-bar-1.com + path: / + tls: + termination: edge + to: + kind: Service + name: svc-pytest-bar-1-com + weight: 100 + wildcardPolicy: None + ``` + +### Migrating to NextGenRoutes +#### Step-1: Install the CRDs + - Install the F5 CRDs using following Commands: + + ```sh + kubectl create -f https://raw.githubusercontent.com/F5Networks/k8s-bigip-ctlr/master/docs/config_examples/customResourceDefinitions/customresourcedefinitions.yml + ``` + +#### Step-2 Grouping the routes using Namespace labels +* If CIS is watching all the namespaces or specific namespaces, customer/user needs to introduce the namespace-label parameter in CIS deployment and tag all the 
monitored namespaces with namespace-label. See Step-5. +* If CIS is watching namespaces using namespaceLabel, then no additional changes required in CIS deployment. + +You can use following command to add the label to a namespace + + ``` + oc label namespaces f5demo cis=true + oc label namespaces f5demo2 cis=true + ``` + +#### Step-3 Creating Extended ConfigMap + +Extended ConfigMap is a must to use the nextGen Route Controller. Refer `Documentation `_ for more details + +You can create an extended ConfigMap for given example as follows: +* You can define the vserverAddr same as "route-vserver-addr" parameter in CIS deployment. +* Use the namespace label created in step-2 to group the routes + + ``` + apiVersion: v1 + kind: ConfigMap + metadata: + name: global-spec-config + namespace: f5demo2 + data: + extendedSpec: | + baseRouteSpec: + tlsCipher: + tlsVersion: 1.3 + cipherGroup: /Common/f5-default + defaultTLS: + clientSSL: /Common/clientssl + serverSSL: /Common/serverssl + reference: bigip + extendedRouteSpec: + - namespaceLabel: cis=true + vserverAddr: 10.192.75.107 + vserverName: test_vs + policyCR: f5demo2/sample-policy + ``` + +**Note**: Make sure the namespace where we created the ConfigMap monitored by CIS. + +#### Step-4: Prepare the Policy CR +You can create the Policy CR as follows for WAF and AllowSourceRange annotations: + + ``` + apiVersion: cis.f5.com/v1 + kind: Policy + metadata: + labels: + f5cr: "true" + name: sample-policy + namespace: f5demo2 + spec: + l7Policies: + waf: /Common/WAF_Policy + l3Policies: + allowSourceRange: + - 1.2.3.4/32 + - 2.2.2.0/24 + ``` + +**Note**: + * You can use the Policy CR to extend the virtual server capabilities even more. [See Details](https://github.com/F5Networks/k8s-bigip-ctlr/tree/master/docs/config_examples/customResource/Policy). + * Make sure the namespace where we created the policy CR monitored by CIS. 
+ +#### Step-5 Update the CIS deployment parameters and start +* Configure --controller-mode: openshift to use NextGen Route controller in CIS. + + ``` + - --controller-mode + - openshift + ``` + +* Configure extended ConfigMap and specify that in the CIS deployment parameter. + + ``` + - --route-spec-configmap + - f5demo2/global-spec-config + ``` + +* If CIS is watching all the namespaces or specific namespaces, customer needs to introduce the namespace-label parameter in CIS deployment and tag all the monitored namespaces with namespace-label. See Step-2 above. + + ``` + - --namespace-label=cis=true + ``` + +* Remove "route-vserver-addr" parameter from CIS deployment and define as vserverAddr in extendedConfigMap. + +* Remove "route-http-vserver" & "route-https-vserver" parameters from CIS deployment and define vserverName in extendedConfigMap. CIS will add suffix "_443" for secure virtual server. See Step-2 below. + +* Remove "default-client-ssl" & "default-server-ssl" parameters from CIS deployment and define them under "baseRouteSpec" in extendedConfigMap. See Step-2 below. + +* Remove "tls-version", "cipher-group" & "ciphers" parameters from CIS deployment and define them under "baseRouteSpec" in extendedConfigMap. See Step-2 below. + +* Remove "override-as3-declaration" parameter as it's no more supported with NextGen Routes. You can use the Policy CR to extend the virtual server capabilities. [See Example](https://github.com/F5Networks/k8s-bigip-ctlr/tree/master/docs/config_examples/customResource/Policy). + + ``` + args: [ + "--bigip-username=admin", + "--bigip-password=admin", + "--bigip-url=10.10.10.20", + "--bigip-partition=openshift", + "--pool-member-type=cluster", + "--openshift-sdn-name=/Common/openshift_vxlan", + "--controller-mode=openshift", + "--namespace-label=cis=true", + "--log-level=DEBUG", + "--log-as3-response=true", + "--route-spec-configmap=f5demo2/global-spec-config", + "--insecure=true", + "--route-label=f5type=systest", + ] + ``` +
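Review bot: in docs/RELEASE-NOTES.rst (hunk @@ -7,38 +7,43), the re-added CRD entry for :issues:`2469` still reads "across namespaces.From 2.11, hostGroup should be unique across namespaces.See" with no space after either period, and the re-added routes entry "Support for health monitors using route annotations See" has no period before "See". Since both lines are being moved in this change, fix the punctuation at the same time. The new "--cccl-gtm-agent" entry appears where "Support AS3 GTM Agent" was removed but does not say which values the parameter accepts or which agent is used when it is not set; one clause covering that would help anyone upgrading.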
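Review bot: in docs/config_examples/next-gen-routes/README.md (hunk @@ -5,36 +5,39), the new section "Support for Health Monitors from pod liveness probe" stops mid-sentence on a comma: "whenever health annotations not provided in the route annotations,". Finish the sentence or end it with a period, and add the missing verb ("are not provided"). In the rewritten Overview paragraph, "NextGen Routes implementation also support for multi-partition" should read "also supports multi-partition".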
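Review bot: in the same README (hunk @@ -52,24 +55,24), the heading renamed to "## Extended Spec ConfigMap:" no longer matches the contents entry "[ExtendedSpecConfigMap](#extendedspecconfigmap)" that this patch edits earlier in the file. On GitHub-style renderers a heading with spaces produces a hyphenated anchor, so the contents link will stop resolving. Either keep the heading as a single word or change the link target to match the new heading.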
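Review bot: in the Base Route Config table (hunk @@ -83,30 +86,58), the new "defaultTLS" row carries the cipherGroup description and default verbatim ("Configures a cipher group in BIG-IP and references it here ..." with default "/Common/f5-default"), which contradicts the "defaultTLS Config Parameters" table added below it, where the block holds clientSSL, serverSSL and reference. Describe it as the block for default client and server SSL profiles and set its default to N/A, as the tlsCipher row does. Also, the Route Group Parameters rows touched here still name the keys "vsAddress" and "vsName", while every example in this patch uses "vserverAddr" and "vserverName"; the table should use the keys the examples show.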
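Review bot: in the FAQ (hunk @@ -562,26 +593,28), the configMap to ConfigMap rename has also been applied inside the quoted log line, turning "configmaps "global-cm" not found." into "ConfigMaps "global-cm" not found.". That block is presented as what CIS logs, so it should stay byte-for-byte what the controller emits; otherwise operators searching their logs for the documented string will not find it. Revert the change inside the fenced block and keep the rename to the surrounding prose only.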
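Review bot: in the new docs/config_examples/next-gen-routes/migration-guide.md, the note under "Deprecated Annotations" ("You can still keep the annotations in your routes. CIS will simply ignore to process these annotations.") understates a security-relevant change: the two annotations it covers are allow-source-range and waf, so after migration a route keeps its annotation but loses the source restriction and WAF policy until the Policy CR from Step-4 is attached. State that explicitly as a warning and tell the reader to verify the Policy CR is applied before starting CIS. The step cross-references also need correcting: the deprecated-annotation bullets say "See Step-3 below" although the Policy CR is Step-4, and the Step-5 bullets say "See Step-2 below" for vserverName and baseRouteSpec, which are defined in Step-3 and sit above that point. The two "Refer `... `_" links use reStructuredText syntax and will not render in a Markdown file; use [text](url) as the rest of the file does. Finally, the Step-1 command installs CRDs from the master branch; pointing it at the release tag this guide targets would keep the CRDs in step with the controller version, and the final args block could note that "--bigip-password=admin" and "--insecure=true" are demo values.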