
Ability to select parent profile when using secret for TLSProfile #3378

Open
pmilot opened this issue Apr 16, 2024 · 5 comments

Comments

@pmilot

pmilot commented Apr 16, 2024

Title

Ability to select parent profile when using secret for TLSProfile

Please close issue #3372 and take this one in its place.

Description

I want to use cert-manager to manage certificates but I also need the ability to choose profiles other than the default clientssl or serverssl profiles.

Currently clientSSL: or serverSSL: can be either an ssl profile or a secret. If you choose to specify a profile, the profile must pre-exist on the F5 with the defined certificates/keys, etc.

However, if you specify a secret, then the key/certificates stored in the secret are used to create a new profile, but the default /Common/clientssl profile is used. Thus we have little control over the cipher suites and configuration of the profile.

Solution Proposed

  1. make the clientSSL: or serverSSL: field always the bigip profile. If 'reference: bigip' is used then this shall be the profile used, if 'reference: secret' is used this shall be the parent profile used to build the new profile from using the secret.

  2. if profileSecret: is specified as an additional clientSSLParams: then we use the secret to build the profile. Otherwise, if profileSecret is absent then we use the profile specified as we do when 'reference: bigip' is used.

  3. Doing so makes the 'reference: bigip, secret, hybrid' obsolete.

Example:

spec:
  tls:
    termination: reencrypt
    clientSSL: /Common/clientssl-tls13-standard
    clientSSLParams:
      profileSecret: my-cert-manager-secret
    serverSSL: /Common/serverssl-tls13-standard
  hosts:
  - atlas.cluster.k.dev.example.com

For client SSL, the parent profile used would be clientssl-tls13-standard + my-cert-manager-secret and equivalent to 'reference: secret'

For the server SSL it would use /Common/serverssl-tls13-standard as the profile. Since no serverSSLParams are specified, this would be equivalent to 'reference: bigip'.

@trinaths
Contributor

Since CIS uses AS3 to manage objects in BIG-IP, from F5Networks/f5-appsvcs-extension#275:

We decided to stop exposing the parent profile property of newly added profiles because this causes a source of truth conflict between the BIG-IP and the AS3 declaration. It is best to fully define the properties you need in the AS3 configuration instead of using parent profiles.

Please raise an issue with AS3 to support this RFE so that CIS can use the declaration API to manage the profile in BIG-IP.

@pmilot
Author

pmilot commented Apr 29, 2024

@trinaths I didn't realize this was an AS3 limitation, but I'm not sure why we closed the ticket without discussion. I think my use case is still valid.

I want to store my key/certificates in secrets managed with cert-manager/ACME. However I need a way to also implement strong ciphers/SSL options using CIS. Using weak ciphers from the default /Common/clientssl is not a viable option.

It looks as if I would need the ability to control cipher groups and SSL options in the TLSProfile CRD.

@mdditt2000 mdditt2000 reopened this May 1, 2024
@mdditt2000
Contributor

@trinaths reopening issue

We need to add TLS options to the tlsprofile CRD

for example

     tlsCipher:
         tlsVersion: 1.2
         ciphers: DEFAULT
         cipherGroup: /Common/f5-default 

AC -- Specify the following parameters:

  • tlsVersion
  • ciphers
  • cipherGroup: /Common/f5-default (e.g. "bigip": "/Common/Shared/tls13-standard")

Example

"insertEmptyFragmentsEnabled": false,
"ssl3Enabled": false,
"sslEnabled": false,
"tls1_0Enabled": false,
"tls1_1Enabled": false,
"tls1_2Enabled": true,
"tls1_3Enabled": true
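The following is an added illustration, not CIS or AS3 code: it maps the proposed tlsCipher fields from the comment above (tlsVersion, ciphers, cipherGroup) onto the explicit AS3 version flags quoted in the same comment, so that the declaration rather than a BIG-IP parent profile carries the full TLS policy. It assumes tlsVersion means the minimum accepted version and that cipherGroup takes precedence over a ciphers string (a hypothetical mapping, not how CIS implements it).

```python
from typing import Any, Dict

# Ordered oldest to newest: every version below the requested minimum is disabled.
_VERSION_FLAGS = [
    ("1.0", "tls1_0Enabled"),
    ("1.1", "tls1_1Enabled"),
    ("1.2", "tls1_2Enabled"),
    ("1.3", "tls1_3Enabled"),
]


def render_tls_options(tls_cipher: Dict[str, Any]) -> Dict[str, Any]:
    """Translate a proposed tlsCipher block into fully specified AS3 TLS properties.

    Hypothetical mapping (assumption, not the CIS implementation): tlsVersion is
    the minimum version to accept; cipherGroup wins over ciphers because BIG-IP
    treats the two as mutually exclusive on a profile.
    """
    min_version = str(tls_cipher.get("tlsVersion", "1.2"))
    known = [v for v, _ in _VERSION_FLAGS]
    if min_version not in known:
        raise ValueError(f"unsupported tlsVersion {min_version!r}, expected one of {known}")

    ciphers = tls_cipher.get("ciphers")
    cipher_group = tls_cipher.get("cipherGroup")
    if ciphers and cipher_group and ciphers != "DEFAULT":
        raise ValueError("ciphers and cipherGroup are mutually exclusive; pick one")

    props: Dict[str, Any] = {
        # Legacy settings stated explicitly so no parent profile can re-enable them.
        "ssl3Enabled": False,
        "insertEmptyFragmentsEnabled": False,
    }
    reached = False
    for version, flag in _VERSION_FLAGS:
        if version == min_version:
            reached = True
        props[flag] = reached  # minimum version and everything newer is enabled

    if cipher_group:
        props["cipherGroup"] = {"bigip": cipher_group}  # AS3 pointer to an existing group
    else:
        props["ciphers"] = ciphers or "DEFAULT"
    return props
```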

@mdditt2000
Contributor

@trinaths please open a Jira task and assign to the upcoming sprint. Blocker!! Thanks!!

@trinaths
Contributor

trinaths commented May 3, 2024

ability to control ciphers groups and ssl options in TLSProfile CRD

Created [CONTCNTR-4709] for internal tracking.

@trinaths trinaths added JIRA and removed untriaged no JIRA created labels May 3, 2024