NextGenRoute Controller to support TLS passthrough without SNI in client hello #3295
Comments
@leonseng We support defaultPool with the VS CRD; see https://github.com/F5Networks/k8s-bigip-ctlr/tree/2.x-master/docs/config_examples/customResource/VirtualServer/defaultpool
The user prefers to use OpenShift Routes, hence the ask to support it in the NextGenRoute controller.
Created [CONTCNTR-4579] for internal tracking.
@leonseng please test with dev build quay.io/f5networks/k8s-bigip-ctlr-devel:a9048f18b96e92e5f0d024c76cebe20752339c19 and provide your feedback. Latest CRD schema to apply: https://github.com/F5Networks/k8s-bigip-ctlr/blob/2.x-master/docs/config_examples/customResourceDefinitions/incubator/customresourcedefinitions.yml. Set defaultPool via policy.
Looks promising in my initial test. Let me run it past the end user to confirm. This is my test config:
iRule on BIG-IP
Resulting in a VS with the SNI iRule, but this time with a default pool. Testing connection against Virtual Server returns server certificate from pod, not from the
Title
NextGenRoute Controller to support TLS passthrough without SNI in client hello
Description
When an OpenShift Route is configured with spec.tls.termination: passthrough, NextGenRoute Controller creates a VS with an iRule that load balances traffic to different pools based on the SNI presented in the TLS Client Hello message. The VS does NOT have a default pool defined. For clients which do not provide SNI in Client Hello, no pool can be selected, hence traffic is not passed to the pods in the OpenShift cluster.
Actual Problem
For applications hosting their own TLS certificates within the OpenShift clusters, clients which do not provide SNI in Client Hello are unable to access said applications in TLS passthrough mode.
Solution Proposed
Some toggle in the Route manifest to configure VS with pool member set to the backend pods without the need to select pools based on SNI in the iRules.
Alternatives
One suggestion is to remove the existing iRule with a Policy CR, but without a default pool defined, BIG-IP does not know where to send traffic to.
Maybe a way to configure default pool on the VS will be good.
Additional context
CIS Helm values
Extended Route spec
Policy to remove iRule from the VS
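To make the selection logic described in this issue concrete, here is an added example (not code from k8s-bigip-ctlr or from the issue author) that parses the server_name extension out of a TLS ClientHello and picks a pool the way an SNI-switching iRule would, falling back to a default pool when the client sends no SNI. The ClientHello bytes are constructed inline and the pool names are hypothetical.

```python
import struct

def build_client_hello(server_name=None):
    """Constructed minimal TLS 1.2 ClientHello record (test input, not a real capture)."""
    body = b"\x03\x03" + bytes(32)          # client_version + random
    body += b"\x00"                          # session_id length 0
    body += b"\x00\x02\x13\x01"              # one cipher suite
    body += b"\x01\x00"                      # one compression method (null)
    exts = b""
    if server_name is not None:              # add server_name (type 0) extension
        name = server_name.encode()
        sni_list = b"\x00" + struct.pack(">H", len(name)) + name
        sni = struct.pack(">H", len(sni_list)) + sni_list
        exts += b"\x00\x00" + struct.pack(">H", len(sni)) + sni
    body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + struct.pack(">I", len(body))[1:] + body   # handshake type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs  # TLS record header

def extract_sni(record):
    """Return the host_name from a ClientHello, or None if no SNI extension is present."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                         # handshake header, version, random
    sid_len = hs[pos]; pos += 1 + sid_len
    cs_len = struct.unpack(">H", hs[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = hs[pos]; pos += 1 + cm_len
    if pos + 2 > len(hs):
        return None                          # no extensions block at all
    ext_len = struct.unpack(">H", hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", hs[pos:pos + 4]); pos += 4
        if etype == 0:                       # server_name extension
            p = pos + 2                      # skip server_name_list length
            if hs[p] == 0:                   # name_type host_name
                nlen = struct.unpack(">H", hs[p + 1:p + 3])[0]
                return hs[p + 3:p + 3 + nlen].decode("ascii", "replace")
        pos += elen
    return None

def select_pool(record, sni_pools, default_pool=None):
    """Mirror the iRule: route by SNI; otherwise the VS default pool (None = nowhere to send)."""
    name = extract_sni(record)
    if name is not None and name in sni_pools:
        return sni_pools[name]
    return default_pool
```

With `default_pool=None` the no-SNI client gets no pool, which is the failure the issue reports; supplying a default pool is what lets that client reach the backend.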