Ability to select parent profile when using secret for TLSProfile #3378
Comments
Since CIS uses AS3 to manage objects in BIG-IP, from F5Networks/f5-appsvcs-extension#275 we decided to stop exposing the parent profile property of newly added profiles because this causes a source-of-truth conflict between the BIG-IP and the AS3 declaration. It is best to fully define the properties you need in the AS3 configuration instead of using parent profiles. Please raise an issue with AS3 to support this RFE so that CIS can use the declaration API to manage the profile in BIG-IP.
@trinaths I didn't realize this was an AS3 limitation, but I'm not sure why we closed the ticket without discussion. I think my use case is still valid. I want to store my key/certificates in secrets managed with cert-manager/ACME. However, I need a way to also implement strong ciphers/SSL options using CIS. Using weak ciphers from the default /Common/clientssl is not a viable option. It looks as if I would need the ability to control cipher groups and SSL options in the TLSProfile CRD.
@trinaths Reopening issue. We need to add TLS options to the TLSProfile CRD, for example:
AC -- Specify the following parameters
Example
@trinaths please open a Jira task and assign to the upcoming sprint. Blocker!! Thanks!!
Created [CONTCNTR-4709] for internal tracking.
Title
Ability to select parent profile when using secret for TLSProfile
Please close issue #3372 and take this one in its place.
Description
I want to use cert-manager to manage certificates but I also need the ability to choose profiles other than the default clientssl or serverssl profiles.
Currently clientSSL: or serverSSL: can be either an ssl profile or a secret. If you choose to specify a profile, the profile must pre-exist on the F5 with the defined certificates/keys, etc.
However, if you specify a secret, then the key/certificates stored in the secret are used to create a new profile, but the default /Common/clientssl profile is used as its parent. Thus we have little control over the cipher suites and configuration of the profile.
Solution Proposed
Make the clientSSL: or serverSSL: field always the BIG-IP profile. If 'reference: bigip' is used then this shall be the profile used; if 'reference: secret' is used this shall be the parent profile from which the new profile is built using the secret.
If profileSecret: is specified as an additional clientSSLParams: then we use the secret to build the profile. Otherwise, if profileSecret is absent, then we use the profile specified as we do when 'reference: bigip' is used.
Doing so makes the 'reference: bigip, secret, hybrid' obsolete.
Example:
For client SSL, the parent profile used would be clientssl-tls13-standard + my-cert-manager-secret and equivalent to 'reference: secret'
For the server SSL it would use /Common/serverssl-tls13-standard as the profile. Since no serverSSLParams are specified this would be equivalent to 'reference: bigip'
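The example described above, written out as TLSProfile manifests. This is an added illustration and not the project's code or schema: the first manifest uses only fields that exist in the current TLSProfile CRD (`hosts`, `termination`, `reference`, `clientSSL`, `serverSSL`), while the second shows the shape this issue proposes, where `clientSSLParams.profileSecret` is a hypothetical field that CIS does not have today. The namespace, resource names and hostname are placeholders.

```yaml
# Added illustration of the current behaviour and the proposal in this issue;
# not an existing CIS schema.
#
# Current form (existing CRD fields): with reference: secret, the key/cert in
# the secret build a new client-ssl profile whose parent is the default
# /Common/clientssl, so its cipher suites and SSL options cannot be chosen here.
apiVersion: cis.f5.com/v1
kind: TLSProfile
metadata:
  name: reencrypt-tls-current          # placeholder name
  namespace: default                   # placeholder namespace
  labels:
    f5cr: "true"
spec:
  hosts:
    - app.example.invalid              # placeholder host
  tls:
    termination: reencrypt
    reference: secret
    clientSSL: my-cert-manager-secret  # secret name from the issue
    serverSSL: /Common/serverssl       # default server-ssl profile
---
# Proposed form (profileSecret is hypothetical, as proposed in this issue):
# clientSSL and serverSSL always name BIG-IP profiles. A secret given under
# clientSSLParams turns clientSSL into the parent of the generated profile, so
# the cipher/option settings of clientssl-tls13-standard are inherited
# (equivalent to today's reference: secret). serverSSL has no serverSSLParams,
# so it is used as-is (equivalent to today's reference: bigip). The reference
# field is no longer needed.
apiVersion: cis.f5.com/v1
kind: TLSProfile
metadata:
  name: reencrypt-tls-proposed         # placeholder name
  namespace: default                   # placeholder namespace
  labels:
    f5cr: "true"
spec:
  hosts:
    - app.example.invalid              # placeholder host
  tls:
    termination: reencrypt
    clientSSL: /Common/clientssl-tls13-standard   # parent profile from the issue
    clientSSLParams:
      profileSecret: my-cert-manager-secret       # hypothetical field proposed here
    serverSSL: /Common/serverssl-tls13-standard   # used directly, no secret
```

The point of the second manifest is that the strong-cipher parent profile is defined once on the BIG-IP (or in AS3) and the per-application key and certificate still come from the cert-manager secret, so rotating the certificate does not require touching the cipher configuration.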