TransportServer with TLS support #3637
Comments
|
Also, we're using the f5-ipam controller with InfoBlox configured for DNS. When configuring the |
|
@visokoo Could you provide more information on the tls profile. Do you want to attach the existing BIGIP ClientSSL and ServerSSL Profiles or you want to use Kubernetes secrets to provide the TLS information. |
|
Created [CONTCNTR-4970] for internal tracking. |
|
@visokoo Could you verify the Transport Server TLS functionality with this UBI9 image Examples: apiVersion: cis.f5.com/v1
kind: TransportServer
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"cis.f5.com/v1","kind":"TransportServer","metadata":{"annotations":{},"creationTimestamp":"2024-11-18T14:52:31Z","generation":2,"labels":{"f5cr":"true"},"name":"svc1-tcp-transport-server","namespace":"default","resourceVersion":"38870856","uid":"03c71fc6-7129-45d6-9b7a-3fecb0213038"},"spec":{"bigipRouteDomain":0,"mode":"standard","pool":{"monitor":{"interval":20,"timeout":10,"type":"tcp"},"name":"latte.pool-coffee.-ts","service":"pytest-svc-1","servicePort":443},"snat":"auto","tls":{"clientSSLs":["foo-secret","qa.foo-secret","stage.foo-secret"],"reference":"secret","serverSSLs":["foo-back-secret","qa.foo-back-secret","stage.foo-back-secret"]},"virtualServerAddress":"10.8.0.72","virtualServerName":"svc1-tcp-ts.coffee","virtualServerPort":443},"status":{"lastUpdated":"2024-11-18T15:00:37Z","status":"OK","vsAddress":"10.8.0.72"}}
creationTimestamp: "2024-11-19T05:26:00Z"
generation: 1
labels:
f5cr: "true"
name: svc1-tcp-transport-server
namespace: default
resourceVersion: "39104398"
uid: 2c795eb0-7d29-4ad5-b08d-4f914a7c4d16
spec:
bigipRouteDomain: 0
mode: standard
pool:
monitor:
interval: 20
timeout: 10
type: tcp
name: latte.pool-coffee.-ts
service: pytest-svc-1
servicePort: 443
snat: auto
tls:
clientSSLs:
- /Common/clientssl
reference: bigip
serverSSLs:
- /Common/serverssl
virtualServerAddress: 10.8.0.72
virtualServerName: svc1-tcp-ts.coffee
virtualServerPort: 443TLS Secret Reference: apiVersion: cis.f5.com/v1
kind: TransportServer
metadata:
annotations:
labels:
f5cr: "true"
name: svc1-tcp-transport-server
namespace: default
spec:
bigipRouteDomain: 0
mode: standard
pool:
monitor:
interval: 20
timeout: 10
type: tcp
name: latte.pool-coffee.-ts
service: pytest-svc-1
servicePort: 443
snat: auto
tls:
clientSSLs:
- foo-secret
- qa.foo-secret
- stage.foo-secret
reference: secret
serverSSLs:
- foo-back-secret
- qa.foo-back-secret
- stage.foo-back-secret
virtualServerAddress: 10.8.0.72
virtualServerName: svc1-tcp-ts.coffee
virtualServerPort: 443 |
* rebasing from the source * update resource config * fix uts
|
Hey @vidyasagar-m, Apologies for the delay in my response, I just got back from PTO. I'd like to be able to specify the TLSProfile like how we do in VirtualServers currently.
I know you created the image already, but is it possible to update it to reference it like how we do with VirtualServers for consistency? |
|
@visokoo Could you test the changes after applying the latest schema https://github.com/F5Networks/k8s-bigip-ctlr/blob/2.x-Multicluster-enhancements-stable/docs/config_examples/customResourceDefinitions/incubator/customresourcedefinitions.yml |
|
@visokoo , tlsProfile is supported with the VS CR only as it allows us to support the multiple domains using single Virtual server ip, along with various terminations like edge, passthrough and re-encrypt. Combining the TLSProfile with the Transport Server will also impact the overall performance of CIS. |
CIS does not create any DNS entry on the Infoblox server. It only requests the IP Address from the Infoblox and release the Ip address once the resource is deleted. |
|
Pardon my delay and thank you for the explanation in regards to |
|
@visokoo We are working on validating 2.19. 2.19 ETA ~ End of December'24. |
|
@visokoo CIS 2.19 is due this week. This issue is fixed in 2.19. |
* rebasing from the source * update resource config * fix uts
Setup Details
CIS Version : 2.17.1
Build: f5networks/k8s-bigip-ctlr:2.17.1
BIGIP Version:
BIG-IP 15.1.10.2 Build 0.44.2 Engineering Hotfix
AS3 Version: 3.44.0
Agent Mode: AS3
Orchestration: K8S
Orchestration Version: 1.27.15+rke2r1
Pool Mode: Nodeport
Additional Setup details:
Description
Hi there, we have a use case where we're trying to deploy a non-http service (nats) that runs on port
4222but we'd like to enable TLS with it. Looking at the documentation, it looks like we should be deploying aTransportServerto achieve what we want, however, looking at the CRDs, it doesn't look like we're able to specify aTLSProfilelike we can with aVirtualServerCRD. However, on the F5 UI itself, the option to select a TLSProfile is available and can be selected. We've tested manually selecting this on the F5 UI and have confirmed that TLS works, though we're also getting someIO timeoutissues as well.Steps To Reproduce
Expected Result
Ability to attach a TLSProfile like you would be able to with a VirtualServer
Actual Result
No option is available to do this.
If this is not the correct way to do it, would someone kindly advise a way forward for us?
The text was updated successfully, but these errors were encountered: