{"id":18798741,"url":"https://github.com/f5networks/f5-ipam-controller","last_synced_at":"2025-07-10T12:42:23.325Z","repository":{"id":37095955,"uuid":"344080154","full_name":"F5Networks/f5-ipam-controller","owner":"F5Networks","description":"The F5 IPAM Controller runs in an orchestration environment like Kubernetes to allocate IP addresses from an IPAM system to BIG-IP Virtual Servers. The purpose is to abstract  complexity related to setting up BIG-IP from a networking perspective ","archived":false,"fork":false,"pushed_at":"2024-09-06T05:18:56.000Z","size":12452,"stargazers_count":10,"open_issues_count":21,"forks_count":17,"subscribers_count":13,"default_branch":"main","last_synced_at":"2025-02-28T10:54:02.327Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/F5Networks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-03-03T10:01:21.000Z","updated_at":"2024-09-06T05:19:01.000Z","dependencies_parsed_at":"2024-04-09T03:33:21.653Z","dependency_job_id":"6a18fb56-5210-4479-9c80-a341e5a3630e","html_url":"https://github.com/F5Networks/f5-ipam-controller","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/F5Networks%2Ff5-ipam-controller","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/F5Networks%2Ff5-ipam-controller/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/F5Netw
orks%2Ff5-ipam-controller/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/F5Networks%2Ff5-ipam-controller/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/F5Networks","download_url":"https://codeload.github.com/F5Networks/f5-ipam-controller/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243790988,"owners_count":20348385,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-07T22:12:51.408Z","updated_at":"2025-03-15T21:06:13.648Z","avatar_url":"https://github.com/F5Networks.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build Status](https://dev.azure.com/f5networks/CIS/_apis/build/status/F5Networks.f5-ipam-controller?branchName=main) ](https://dev.azure.com/f5networks/CIS/_build/latest?definitionId=7\u0026branchName=main) [![Coverage Status](https://coveralls.io/repos/github/F5Networks/f5-ipam-controller/badge.svg?branch=main)](https://coveralls.io/github/F5Networks/f5-ipam-controller?branch=main)\n\n# F5 IPAM Controller\n\nThe F5 IPAM Controller is a Docker container that runs in an orchestration environment and interfaces with an IPAM system.\nIt allocates IP addresses from an IPAM system’s address pool for hostnames in an orchestration environment.\nThe F5 IPAM Controller watches orchestration-specific resources and consumes the hostnames within each resource.\n\n# In this IPAM\n\nThe F5 IPAM Controller can allocate IP address from static IP address pool based on the CIDR mentioned 
in a Kubernetes resource. The idea here is that we will support CRD, Type LB and probably also in the future route/ingress. We should make it more generic so that we don't have to update this later. F5 IPAM Controller decides to allocate the IP from the respective IP address pool for the hostname specified in the virtualserver custom resource.\n\nSupported Kubernetes resources:\n\n| RESOURCES | MINIMUM VERSION SUPPORTED |\n| ------ | ------ |\n| VS CRD | CIS v2.2.2 | \n\n\n\n# Setup Diagram and Details\n\n### Architectural diagram of how F5-IPAM-Controller(FIC) fits in the environment\n\n![alt text](./image/img-1.png)\nThe F5 IPAM Controller acts as an interface to CIS to provide an IP address from a pool of IP's to each hostname provided in the virtual server CRD.\n\n### Flow Chart for CIS-FIC working \n![alt text](./image/img-2.png)\n\n### F5 IPAM Deploy Configuration Options\n\n**Deployment Options**\n\n| PARAMETER     | TYPE   | REQUIRED | DESCRIPTION                                                                                                                                                     |\n|---------------|--------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| orchestration | String | Required | The orchestration parameter holds the orchestration environment i.e. Kubernetes.                                                                                |\n| ipam-provider | String | Required | ipam-provider parameter holds the IP provider that holds the ownership of providing IP addresses such as infoblox, f5-ip-provider. Default is *f5-ip-provider*. |\n| log-level     | String | Optional | Log level parameter specify various logging level such as DEBUG, INFO, WARNING, ERROR, CRITICAL.                                                                |\n| namespace     | String | Optional | Kubernetes namespace(s) to watch. 
By default the controller watches only the kube-system namespace. To specify multiple namespaces, use multiple --namespace flags.   |\n\n**Deployment Options of Provider (f5-ip-provider)**\n\n| PARAMETER | TYPE | REQUIRED | DESCRIPTION |\n| ------ | ------ | ------ | ------ |\n| ip-range | String | Required |  The ip-range parameter holds the IP address ranges; from these ranges the controller creates the pool of IP addresses that get allocated to the corresponding hostname in the virtual server CRD |\n\n**Deployment Options of Provider (infoblox)**\n\n| PARAMETER             | TYPE   | REQUIRED | DESCRIPTION                                              |\n|-----------------------|--------|----------|----------------------------------------------------------|\n| infoblox-labels       | String | Required | infoblox-labels holds the mappings for Infoblox's CIDR   |\n| infoblox-grid-host    | String | Required | URL (or IP Address) of Infoblox Grid Host                |\n| infoblox-wapi-port    | String | Optional | Port that the Infoblox Server listens on. 
Default is 443 |\n| infoblox-wapi-version | String | Required | Web API version of Infoblox                              |\n| infoblox-username     | String | Required | Username of Infoblox User                                |\n| infoblox-password     | String | Required | Password of the given Infoblox User                      |\n| infoblox-netview      | String | Required | Netview from which IP addresses need to be allocated     |\n| credentials-directory | String | Optional | Credentials can be mounted from k8s secrets              |\n\n\nNote: For how to configure these options, refer to the IPAM Deployment YAML examples below.\n\n### Installation\n#### RBAC -  ServiceAccount, ClusterRole and ClusterRoleBindings for F5 IPAM Controller\n\n```\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n  name: ipam-ctlr-clusterrole\nrules:\n  - apiGroups: [\"fic.f5.com\"]\n    resources: [\"ipams\",\"ipams/status\"]\n    verbs: [\"get\", \"list\", \"watch\", \"update\", \"patch\"]\n---\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n  name: ipam-ctlr-clusterrole-binding\n  namespace: kube-system\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: ipam-ctlr-clusterrole\nsubjects:\n  - apiGroup: \"\"\n    kind: ServiceAccount\n    name: ipam-ctlr\n    namespace: kube-system\n---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: ipam-ctlr\n  namespace: kube-system\n```\n\nKubernetes supports a wide variety of storage options. Refer to the [Kubernetes volumes documentation](https://kubernetes.io/docs/concepts/storage/volumes) for more details.\n\n###### _Note:_ The example below is for demo purposes only and is not suitable for a production environment. Read through the limitations of each storage option and choose according to your production needs. 
Please refer to [clouddocs](https://clouddocs.f5.com/containers/latest/userguide/ipam/) for more details.\n\n###### _Note:_  Local storage ties your application to a specific node as mentioned in nodeAffinity of PV yaml deployment.\n\n_Pre-requisite:_ Ensure the mount directory (/tmp/cis_ipam in the example below) is present on the node.\n\n#### Example: F5 IPAM Controller Deployment YAML with Default Provider and localstorage PV mount using _securityContext_\n\n```\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  labels:\n    name: f5-ipam-controller\n  name: f5-ipam-controller\n  namespace: kube-system\nspec:\n  replicas: 1\n  selector:\n    matchLabels:\n      app: f5-ipam-controller\n  template:\n    metadata:\n      labels:\n        app: f5-ipam-controller\n    spec:\n      containers:\n      - args:\n        - --orchestration\n        - kubernetes\n        - --ip-range\n        - '{\"Dev\":\"172.16.3.21-172.16.3.30\",\"Test\":\"172.16.3.31-172.16.3.40\",\"Production\":\"172.16.3.41-172.16.3.50\",\n          \"Default\":\"172.16.3.51-172.16.3.60,172.16.3.81-172.16.3.90\" } '\n        - --log-level\n        - DEBUG\n        command:\n        - /app/bin/f5-ipam-controller\n        image: f5networks/f5-ipam-controller:latest\n        imagePullPolicy: IfNotPresent\n        name: f5-ipam-controller\n        terminationMessagePath: /dev/termination-log\n        volumeMounts:\n        - mountPath: /app/ipamdb\n          name: samplevol\n      securityContext:\n        fsGroup: 1200\n        runAsGroup: 1200\n        runAsUser: 1200\n      serviceAccount: bigip-controller\n      serviceAccountName: bigip-controller\n      volumes:\n      - name: samplevol\n        persistentVolumeClaim:\n          claimName: pvc-local\n```\n\n#### Example: Persistent Volume using localstorage for IPAM controller deployment with default provider\n```\napiVersion: v1\nkind: PersistentVolume\nmetadata:\n  name: local-pv\nspec:\n  capacity:\n    storage: 1Gi\n  volumeMode: Filesystem\n  
accessModes:\n  - ReadWriteOnce\n  storageClassName: local-storage\n  local:\n    path: /tmp/cis_ipam\n  nodeAffinity:\n    required:\n      nodeSelectorTerms:\n      - matchExpressions:\n        - key: kubernetes.io/hostname\n          operator: In\n          values:\n          - \u003cnode-name\u003e\n---\napiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n  name: pvc-local\n  namespace: kube-system\nspec:\n  storageClassName: local-storage\n  accessModes:\n  - ReadWriteOnce\n  resources:\n    requests:\n      storage: 0.1Gi\n```\n\n#### Example: F5 IPAM Controller Deployment YAML with Infoblox Provider\n\n```\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  labels:\n    name: f5-ipam-controller\n  name: f5-ipam-controller\n  namespace: kube-system\nspec:\n  replicas: 1\n  selector:\n    matchLabels:\n      app: f5-ipam-controller\n  template:\n    metadata:\n      labels:\n        app: f5-ipam-controller\n    spec:\n      containers:\n      - args:\n        - --orchestration=kubernetes\n        - --log-level=DEBUG\n        - --ipam-provider\n        - infoblox\n        - --infoblox-labels\n        - '{\"Dev\" :{\"cidr\": \"172.16.4.0/24\"},\"Test\" :{\"cidr\": \"172.16.5.0/24\"}}'\n        - --infoblox-grid-host\n        - 10.144.75.2\n        - --infoblox-wapi-port=443\n        - --infoblox-wapi-version\n        - 2.11.2\n        - --infoblox-username\n        - user\n        - --infoblox-password\n        - paswd\n        - --infoblox-netview\n        - default\n\n        command:\n        - /app/bin/f5-ipam-controller\n        image: f5networks/f5-ipam-controller\n        imagePullPolicy: IfNotPresent\n        name: f5-ipam-controller\n      serviceAccount: ipam-ctlr\n      serviceAccountName: ipam-ctlr\n```\n\n\n#### Deploying RBAC and F5 IPAM Controller \n\nUsing kubectl let's apply the above defined RBAC and Deployment definitions.\n\n```\nkubectl create -f f5-ipam-rbac.yaml\nkubectl create -f f5-ipam-deployment.yaml\n```\n\n\n### Configuring CIS 
to work with F5 IPAM Controller\n\nTo configure CIS to work with the F5 IPAM controller, the user needs to provide a parameter --ipam=true in the CIS deployment and also provide a parameter ipamLabel in the Kubernetes resource.\n\n#### Note: ipamLabel can have values as mentioned in the ip-range parameter in the deployment.\n\n#### Examples\n\n**Virtual Server CR**\n\n```\napiVersion: \"cis.f5.com/v1\"\nkind: VirtualServer\nmetadata:\n name: coffee-virtual-server\n labels:\n   f5cr: \"true\"\nspec:\n host: coffee.example.com\n ipamLabel: Dev\n pools:\n - path: /coffee\n   service: svc-2\n   servicePort: 80\n```\n\n\n**Transport Server CR**\n\n```\n  apiVersion: cis.f5.com/v1\n  kind: TransportServer\n  metadata:\n    generation: 2\n    labels:\n      f5cr: \"true\"\n  spec:\n    ipamLabel: Test\n    mode: standard\n    pool:\n      monitor:\n        interval: 20\n        timeout: 10\n        type: tcp\n      service: test-svc\n      servicePort: 1344\n    snat: auto\n    type: tcp\n    virtualServerPort: 1344\n```\n\n**CIS Deployment with ipam enabled**\n\n```\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: k8s-bigip-ctlr-deployment\n  namespace: kube-system\nspec:\n  replicas: 1\n  selector:\n    matchLabels:\n      app: k8s-bigip-ctlr\n  template:\n    metadata:\n      name: k8s-bigip-ctlr\n      labels:\n        app: k8s-bigip-ctlr\n    spec:\n      serviceAccountName: bigip-ctlr\n      containers:\n        - name: k8s-bigip-ctlr\n          image: \"f5networks/k8s-bigip-ctlr\"\n          command: [\"/app/bin/k8s-bigip-ctlr\"]\n          args: [\n            \"--bigip-username=$(BIGIP_USERNAME)\",\n            \"--bigip-password=$(BIGIP_PASSWORD)\",\n            \"--bigip-url=\u003cip_address-or-hostname\u003e\",\n            \"--bigip-partition=\u003cname_of_partition\u003e\",\n            \"--pool-member-type=nodeport\",\n            \"--agent=as3\",\n            \"--ipam=true\", # Enable IPAM\n            ]\n      imagePullSecrets:\n        - name: f5-docker-images\n        - name: 
bigip-login\n```\n\n\n#### NOTE: \n- If the user provides the parameter --ipam=true in the CIS deployment, then CIS decides whether it needs to retrieve an IP address from the IPAM Controller.\n\n- If a VirtualServer Address is specified in the Kubernetes resource, CIS will not leverage the IPAM Controller for the IP address even if an ipamLabel parameter is specified.\n\n- If no VirtualServer Address is specified in the Kubernetes resource and an ipamLabel parameter is specified, CIS will leverage the IPAM Controller for allocation of the IP address.\n\n- When using the IPAM controller with the default provider:\n    - Regardless of the storage option used, the IPAM controller user (UID 1200) needs read and write permission on the mounted volume directory. To achieve this, the localstorage PV example deployment uses _securityContext_.\n    - Be aware of the limitations of each storage option before choosing one for your production environment.\n\n### Known Issues\n\n- FIC does not allocate the last IP address specified in the ip range.\n- Updating the --ip-range in FIC deployment is an issue.\n- Restarting FIC with the infoblox IPAM provider holds/allocates more IP addresses in Infoblox.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff5networks%2Ff5-ipam-controller","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ff5networks%2Ff5-ipam-controller","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff5networks%2Ff5-ipam-controller/lists"}