Open visokoo opened 2 weeks ago
Also, we're using the f5-ipam controller with InfoBlox configured for DNS. When configuring the host field for the TransportServer, it doesn't seem to be updating anything in InfoBlox either. Adding the DNS entry manually works, but is there no functionality for TransportServers?
@visokoo Could you provide more information on the TLS profile? Do you want to attach the existing BIGIP ClientSSL and ServerSSL profiles, or do you want to use Kubernetes secrets to provide the TLS information?
Created [CONTCNTR-4970] for internal tracking.
@visokoo Could you verify the Transport Server TLS functionality with this UBI9 image quay.io/mvsr222/k8s-bigip-ctlr:transportServerTLS.
Examples:
TLS BIGIP Reference:
apiVersion: cis.f5.com/v1
kind: TransportServer
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"cis.f5.com/v1","kind":"TransportServer","metadata":{"annotations":{},"creationTimestamp":"2024-11-18T14:52:31Z","generation":2,"labels":{"f5cr":"true"},"name":"svc1-tcp-transport-server","namespace":"default","resourceVersion":"38870856","uid":"03c71fc6-7129-45d6-9b7a-3fecb0213038"},"spec":{"bigipRouteDomain":0,"mode":"standard","pool":{"monitor":{"interval":20,"timeout":10,"type":"tcp"},"name":"latte.pool-coffee.-ts","service":"pytest-svc-1","servicePort":443},"snat":"auto","tls":{"clientSSLs":["foo-secret","qa.foo-secret","stage.foo-secret"],"reference":"secret","serverSSLs":["foo-back-secret","qa.foo-back-secret","stage.foo-back-secret"]},"virtualServerAddress":"10.8.0.72","virtualServerName":"svc1-tcp-ts.coffee","virtualServerPort":443},"status":{"lastUpdated":"2024-11-18T15:00:37Z","status":"OK","vsAddress":"10.8.0.72"}}
  creationTimestamp: "2024-11-19T05:26:00Z"
  generation: 1
  labels:
    f5cr: "true"
  name: svc1-tcp-transport-server
  namespace: default
  resourceVersion: "39104398"
  uid: 2c795eb0-7d29-4ad5-b08d-4f914a7c4d16
spec:
  bigipRouteDomain: 0
  mode: standard
  pool:
    monitor:
      interval: 20
      timeout: 10
      type: tcp
    name: latte.pool-coffee.-ts
    service: pytest-svc-1
    servicePort: 443
  snat: auto
  tls:
    clientSSLs:
    - /Common/clientssl
    reference: bigip
    serverSSLs:
    - /Common/serverssl
  virtualServerAddress: 10.8.0.72
  virtualServerName: svc1-tcp-ts.coffee
  virtualServerPort: 443
TLS Secret Reference:
apiVersion: cis.f5.com/v1
kind: TransportServer
metadata:
  annotations:
  labels:
    f5cr: "true"
  name: svc1-tcp-transport-server
  namespace: default
spec:
  bigipRouteDomain: 0
  mode: standard
  pool:
    monitor:
      interval: 20
      timeout: 10
      type: tcp
    name: latte.pool-coffee.-ts
    service: pytest-svc-1
    servicePort: 443
  snat: auto
  tls:
    clientSSLs:
    - foo-secret
    - qa.foo-secret
    - stage.foo-secret
    reference: secret
    serverSSLs:
    - foo-back-secret
    - qa.foo-back-secret
    - stage.foo-back-secret
  virtualServerAddress: 10.8.0.72
  virtualServerName: svc1-tcp-ts.coffee
  virtualServerPort: 443
Setup Details
CIS Version: 2.17.1
Build: f5networks/k8s-bigip-ctlr:2.17.1
BIGIP Version: BIG-IP 15.1.10.2 Build 0.44.2 Engineering Hotfix
AS3 Version: 3.44.0
Agent Mode: AS3
Orchestration: K8S
Orchestration Version: 1.27.15+rke2r1
Pool Mode: Nodeport
Additional Setup details:
Description
Hi there, we have a use case where we're trying to deploy a non-http service (nats) that runs on port 4222 but we'd like to enable TLS with it. Looking at the documentation, it looks like we should be deploying a TransportServer to achieve what we want, however, looking at the CRDs, it doesn't look like we're able to specify a TLSProfile like we can with a VirtualServer CRD. However, on the F5 UI itself, the option to select a TLSProfile is available and can be selected. We've tested manually selecting this on the F5 UI and have confirmed that TLS works, though we're also getting some IO timeout issues as well.
Steps To Reproduce
1) Deploy any service that's listening on a port that's not 80 or 443
2) Deploy a TLSProfile and a TransportServer
Expected Result
Ability to attach a TLSProfile like you would be able to with a VirtualServer
Actual Result
No option is available to do this.
If this is not the correct way to do it, would someone kindly advise a way forward for us?