F5Networks / k8s-bigip-ctlr

Repository for F5 Container Ingress Services for Kubernetes & OpenShift.
Apache License 2.0

TLS/SSL profile from global cm Policy not used as default #3050

Closed alonsocamaro closed 7 months ago

alonsocamaro commented 1 year ago

Setup Details

Build: quay.io/f5networks/k8s-bigip-ctlr-devel:6acfa932091c518f87d3d71070501dd68fcebf33
BIGIP Version: BIG-IP 17
AS3 Version: 3.45
Agent Mode: AS3
Orchestration: OCP
Orchestration Version: 4.12
Pool Mode: Cluster
Additional Setup details: OVN, multi-cluster

Description

When using the attached route route.txt, which doesn't contain or reference any SSL/TLS configuration, CIS doesn't apply the SSL/TLS configuration specified in the Policy:

```yaml
apiVersion: cis.f5.com/v1
kind: Policy
metadata:
  labels:
    f5cr: "true"
  name: policy-default
  namespace: kube-system
spec:
  profiles:
    http: /Common/http-x-forwarded-for
    profileMultiplex: /Common/oneconnect
    persistenceProfile: /Common/source-address-32
    sslProfiles:
      clientProfiles:
        - /Common/clientssl
      serverProfiles:
        - /Common/serverssl
```

This actually triggers an error when defaultTLS is not specified in baseRouteSpec:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
    name: global-cm
    namespace: kube-system
    labels:
        f5nr: "true"
data:
    extendedSpec: |
      mode: ratio
      highAvailabilityCIS:
        primaryEndPoint: tcp://10.1.10.5:6443
        probeInterval: 30
        retryInterval: 3
        primaryCluster:
          clusterName: ocp1
          secret: kube-system/kubeconfig.ocp1
          ratio: 2
        secondaryCluster:
          clusterName: ocp2
          secret: kube-system/kubeconfig.ocp2
          ratio: 3
      extendedRouteSpec:
      - namespaceLabel: environment=test
        vserverAddr: 10.1.10.102
        vserverName: test
        allowOverride: true
        policyCR: kube-system/policy-default
```

See the error next:

```console
[cloud-user@ocp-provisioner example-tls-and-nontls]$ ../run-clusters.sh oc -n eng-caas-nginx-app1 get route
Switched to context "default/api-ocp1-f5-udf-com:6443/f5admin".
NAME         HOST/PORT                  PATH   SERVICES     PORT   TERMINATION     WILDCARD
nginx-app1   ExtendedValidationFailed          nginx-app1   8080   edge/Redirect   None
Switched to context "default/api-ocp2-f5-udf-com:6443/f5admin".
NAME         HOST/PORT                  PATH   SERVICES     PORT   TERMINATION     WILDCARD
nginx-app1   ExtendedValidationFailed          nginx-app1   8080   edge/Redirect   None
Switching back to initial context default/api-ocp2-f5-udf-com:6443/f5admin
Switched to context "default/api-ocp2-f5-udf-com:6443/f5admin".
```

And next is the full error:

```yaml
  status:
    ingress:
    - conditions:
      - lastTransitionTime: "2023-08-25T11:00:42Z"
        message: 'Missing certificate/key/SSL profile annotation/defaultSSL for route:
          nginx-app1'
        reason: ExtendedValidationFailed
        status: "False"
        type: Admitted
      host: nginx-app1.apps.f5-udf.com
      routerName: F5 BIG-IP
      wildcardPolicy: None
```

Somehow, after applying the Policy above, the SSL profiles disappear:

```console
[cloud-user@ocp-provisioner example-tls-and-nontls]$ oc -n kube-system get policy policy-default -o yaml
apiVersion: cis.f5.com/v1
kind: Policy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"cis.f5.com/v1","kind":"Policy","metadata":{"annotations":{},"labels":{"f5cr":"true"},"name":"policy-default","namespace":"kube-system"},"spec":{"profiles":{"http":"/Common/http-x-forwarded-for","persistenceProfile":"/Common/source-address-32","profileMultiplex":"/Common/oneconnect","sslProfiles":{"clientProfiles":["/Common/clientssl"],"serverProfiles":["/Common/serverssl"]}}}}
  creationTimestamp: "2023-08-25T10:56:29Z"
  generation: 1
  labels:
    f5cr: "true"
  name: policy-default
  namespace: kube-system
  resourceVersion: "7118792"
  uid: e3cba28c-f9ae-4b1a-ab0b-83f4658e4a4d
spec:
  profiles:
    http: /Common/http-x-forwarded-for
    persistenceProfile: /Common/source-address-32
    profileMultiplex: /Common/oneconnect
```

Applying the SSL profiles in the global config map fixes the issue:

```yaml
      baseRouteSpec:
        defaultTLS:
          clientSSL: /Common/clientssl
          serverSSL: /Common/serverssl
          reference: bigip
```

Steps To Reproduce

1) Create a Route without an embedded SSL/TLS configuration and without a reference to an external one.
2) Create a global ConfigMap without baseRouteSpec (local ConfigMap not used) but with a Policy referencing an SSL profile on the BIG-IP.

Expected Result

The Policy's SSL configuration is applied

Actual Result

The Policy's SSL configuration is not applied
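The "profiles disappear after apply" symptom reported above can be checked mechanically: the `kubectl.kubernetes.io/last-applied-configuration` annotation records exactly what was sent, so diffing it against the spec the API server stored lists the fields that were dropped on write. The script below is an added example, not code from the k8s-bigip-ctlr project or from the issue author. The live object it embeds is constructed from the `oc get policy -o yaml` output in the report, and the `missing_paths` and `dropped_spec_fields` names are this example's own. It only reports the difference; in Kubernetes, fields absent from a CRD's structural schema are pruned on write, which is one common reason a field vanishes like this, but the script does not diagnose the cause.

```python
"""Added example (not k8s-bigip-ctlr code): list spec fields that were in the
`kubectl apply` last-applied-configuration annotation but are missing from the
object the API server actually stored."""
import json
import sys

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"

# The Policy manifest as it was applied (content taken from the annotation in
# the `oc get policy -o yaml` output above).
APPLIED_POLICY = {
    "apiVersion": "cis.f5.com/v1",
    "kind": "Policy",
    "metadata": {
        "annotations": {},
        "labels": {"f5cr": "true"},
        "name": "policy-default",
        "namespace": "kube-system",
    },
    "spec": {
        "profiles": {
            "http": "/Common/http-x-forwarded-for",
            "persistenceProfile": "/Common/source-address-32",
            "profileMultiplex": "/Common/oneconnect",
            "sslProfiles": {
                "clientProfiles": ["/Common/clientssl"],
                "serverProfiles": ["/Common/serverssl"],
            },
        }
    },
}

# Constructed live object modelled on the stored Policy shown above: the
# annotation still carries sslProfiles, the stored spec no longer does.
LIVE_POLICY = {
    "apiVersion": "cis.f5.com/v1",
    "kind": "Policy",
    "metadata": {
        "name": "policy-default",
        "namespace": "kube-system",
        "labels": {"f5cr": "true"},
        "annotations": {LAST_APPLIED: json.dumps(APPLIED_POLICY)},
    },
    "spec": {
        "profiles": {
            "http": "/Common/http-x-forwarded-for",
            "persistenceProfile": "/Common/source-address-32",
            "profileMultiplex": "/Common/oneconnect",
        }
    },
}


def missing_paths(applied, live, prefix=""):
    """Return dotted paths of keys present in `applied` but absent from `live`.

    Only mappings are descended into; lists and scalars are treated as leaves,
    so a list that was stored with fewer entries is not reported here."""
    missing = []
    if isinstance(applied, dict) and isinstance(live, dict):
        for key, value in applied.items():
            path = f"{prefix}.{key}" if prefix else key
            if key not in live:
                missing.append(path)
            else:
                missing.extend(missing_paths(value, live[key], path))
    return missing


def dropped_spec_fields(live_obj):
    """Parse the last-applied annotation of a live object (as returned by
    `kubectl get -o json`) and diff its .spec against the stored .spec."""
    annotations = live_obj.get("metadata", {}).get("annotations", {})
    raw = annotations.get(LAST_APPLIED)
    if raw is None:
        raise ValueError("object has no last-applied-configuration annotation")
    applied = json.loads(raw)
    return missing_paths(applied.get("spec", {}), live_obj.get("spec", {}), "spec")


if __name__ == "__main__":
    # Usage: python check_dropped.py [live-object.json]
    # With no argument the constructed LIVE_POLICY above is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            live = json.load(fh)
    else:
        live = LIVE_POLICY
    dropped = dropped_spec_fields(live)
    if not dropped:
        print("stored spec matches last-applied spec")
    for path in dropped:
        print("dropped after apply:", path)
```

Run it against `oc -n kube-system get policy policy-default -o json` saved to a file; a non-empty result means the API server accepted the object but did not persist those fields, which is the first thing to confirm before looking at CIS itself.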

trinaths commented 1 year ago

@alonsocamaro is this issue still present with the latest build?

trinaths commented 7 months ago

Closed as completed.