F5Networks / k8s-bigip-ctlr

Repository for F5 Container Ingress Services for Kubernetes & OpenShift.
Apache License 2.0

Virtual Server Issue with PassThrough TLS profile #3398

Closed chiluintel49 closed 5 days ago

chiluintel49 commented 1 month ago

Setup Details

CIS Version : 2.15.1 Build: f5networks/k8s-bigip-ctlr:latest
BIGIP Version: BIG-IP 16.1.3.1 Build 0.0.11 Point Release 1
AS3 Version: 3.x
Agent Mode: AS3/CCCL
Orchestration: K8S/OSCP
Orchestration Version:
Pool Mode: Nodeport
Additional Setup details: <Platform/CNI Plugins/ cluster nodes/ etc>

Description

After creating a virtualserver using passthrough mode we intermittently see that F5 tries to intercept the SSL traffic and displays a certificate from the default clientssl profile (localdomain.localhost).

Steps To Reproduce

1) Create an application on Kubernetes which has its own keystore with certs in it, is accessible via a browser, and is exposed via NodePort.
2) Create a virtual server using a passthrough TLSProfile (https://github.com/F5Networks/k8s-bigip-ctlr/blob/2.x-master/docs/config_examples/customResource/VirtualServerWithTLSProfile/passthrough/passthrough_tls.yaml).
3) Constantly hit the URL by closing and reopening the URL.

Expected Result

No SSL/TLS cert error, not even intermittently.

Actual Result

Intermittently we are seeing it.

Diagnostic Information

<Configuration files, error messages, logs>
Note: Sanitize the data. For example, be mindful of IPs, ports, application names and URLs
Note: The following F5 article outlines the information required when opening an issue.
https://support.f5.com/csp/article/K60974137

Observations (if any)
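A way to quantify the intermittent behaviour from the steps above, as an added example rather than code from the issue or the CIS project: it opens a fresh TLS handshake N times against the virtual server (host and port are placeholders) and counts how often the presented leaf certificate is the BIG-IP default clientssl one (CN localdomain.localhost, as named in the report) rather than the application's own.

```shell
#!/bin/sh
# Added example (not from the issue or the CIS project): repeatedly open fresh TLS
# handshakes against a VirtualServer and tally which leaf certificate is presented,
# to measure how often the BIG-IP default clientssl certificate shows up instead of
# the backend application's own certificate. Host and port are assumed placeholders.

DEFAULT_CLIENTSSL_CN="localdomain.localhost"   # CN of the default cert named in the issue

# probe_once HOST PORT: one full handshake (like closing and reopening the browser),
# printing the subject line of the presented leaf certificate, or a marker on failure.
probe_once() {
    subj=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null)
    printf '%s\n' "${subj:-subject=<handshake failed>}"
}

# count_default_cert: reads subject lines on stdin, prints "<default-cert hits> <total>".
# Matches both "CN = x" (OpenSSL 1.1+) and "CN=x" (older) subject formats.
count_default_cert() {
    awk -v cn="$DEFAULT_CLIENTSSL_CN" '
        index($0, "CN = " cn) > 0 || index($0, "CN=" cn) > 0 { hits++ }
        { total++ }
        END { printf "%d %d\n", hits + 0, total + 0 }'
}

# probe_loop HOST PORT N: N handshakes, then a one-line summary of how often
# the default clientssl certificate was presented.
probe_loop() {
    host=$1; port=$2; n=$3; i=0
    while [ "$i" -lt "$n" ]; do
        probe_once "$host" "$port"
        i=$((i + 1))
    done | count_default_cert | {
        read -r hits total
        echo "$hits of $total handshakes presented the default clientssl cert ($DEFAULT_CLIENTSSL_CN)"
    }
}

# Usage (placeholder host): probe_loop vs.example.internal 443 50
```

A non-zero hit count with an otherwise healthy backend reproduces exactly the symptom in the report, and the per-handshake subject lines can be kept as the log requested by the maintainers.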

trinaths commented 1 month ago

@chiluintel49 Please share CIS configuration and error log, steps to reproduce this issue to automation_toolchain_pm@f5.com

trinaths commented 1 month ago

Created [CONTCNTR-4711] for internal tracking.

trinaths commented 1 week ago

@chiluintel49 /Common/clientssl is only added when there is only one passthrough VS with a unique IP address, as it is required by the CIS traffic-handling iRule, and it doesn't impact any traffic flow in case of passthrough.

We verified that with a combination of passthrough, reencrypt and edge VSs on the same IP address, we do not add any /Common/clientssl and everything works as expected.

trinaths commented 5 days ago

For Virtual Servers configured with passthrough termination, CIS adds a default client SSL profile, as AS3 schema requires a default client SSL profile for any HTTPS Virtual Server. Although BIG-IP does not use it to offload SSL for passthrough termination, it may use it intermittently.

chiluintel49 commented 4 days ago

@trinaths Thanks for the reply, but your statement is a little contradictory. Are you saying a virtual server with a passthrough tlsprofile does not work when applied via CIS?

shawky90 commented 2 days ago

@trinaths would you please provide more details about the proposed workaround to avoid issue reproduction?