F5BigClientSslSetting

The F5BigClientSslSetting CR provides many options to fine-tune how the Traffic Management Microkernel (TMM) handles ClientSsl connections. Once configured and installed, the F5BigClientSslSetting CR can be referenced by one of the CNF CRs listed in the Additional CRs section below.

This document guides you through understanding, configuring, and installing an F5BigClientSslSetting CR.

CR parameters

The following table describes the CR spec parameters:

Parameter             Description
enableTls13           Enables or disables support for the TLS 1.3 protocol.
enableTls12           Enables or disables support for the TLS 1.2 protocol.
enableTls11           Enables or disables support for the TLS 1.1 protocol.
ciphers               Specifies an OpenSSL-style cipher string.
keyCertPairs          Specifies the list of certificate and key pairs to use.
keyCertPairs.key      Specifies the private key. Embedded PEM, Vault path, or file path are the supported formats for this parameter.
keyCertPairs.cert     Specifies the content of the certificate and its intermediate CAs (if any). Embedded PEM or file path are the supported formats.
enableSessionTicket   Enables or disables support for TLS session tickets.
enableRenegotiation   Enables or disables renegotiation support.
renegotiationMode     Specifies the secure renegotiation mode. require, request and require-strict are the available options for this parameter.

Note: Refer to the Managing Certs and Keys section before configuring the ClientSslSetting parameters.

Note: TLS 1.1 is deprecated by RFC 8996. Leave enableTls11 disabled unless a legacy client population requires it, and offer TLS 1.2 and TLS 1.3 instead.
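As an added illustration (not from the F5 documentation), the two specs below use only the parameters in the table above. The first accepts a deprecated protocol version and client-initiated renegotiation; the second restricts both. The CR names, the cipher string and the Secret file names are illustrative assumptions, and whether the OpenSSL-style string also governs TLS 1.3 suite selection is not stated on this page.

```yaml
# Added example, not part of the F5 documentation. Permissive spec:
apiVersion: k8s.f5net.com/v1
kind: F5BigClientSslSetting
metadata:
  name: "cnf-clientssl-permissive"   # assumed name
  namespace: "cnf-gateway"
spec:
  enableTls11: true                  # TLS 1.1 is deprecated by RFC 8996
  enableTls12: true
  enableTls13: true
  ciphers: "DEFAULT"                 # leaves suite selection to the library defaults
  enableSessionTicket: true
  enableRenegotiation: true          # renegotiation permitted
  renegotiationMode: "request"       # one of request, require, require-strict
  keyCertPairs:
    - key: 'file://ssl/tls.key'      # assumed path under the TMM mount
      cert: 'file://ssl/tls.crt'
---
# Hardened spec built from the same parameters:
apiVersion: k8s.f5net.com/v1
kind: F5BigClientSslSetting
metadata:
  name: "cnf-clientssl-hardened"     # assumed name
  namespace: "cnf-gateway"
spec:
  enableTls11: false                 # only TLS 1.2 and TLS 1.3 are offered
  enableTls12: true
  enableTls13: true
  # ECDHE-only AEAD suites, no anonymous/null/legacy ciphers (illustrative string)
  ciphers: "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"
  enableSessionTicket: false         # tickets are protected by a long-lived server key; disable unless resumption is needed
  enableRenegotiation: false         # no renegotiation at all
  renegotiationMode: "require-strict" # strictest of the three listed modes
  keyCertPairs:
    - key: 'file://ssl/tls.key'      # assumed path under the TMM mount
      cert: 'file://ssl/tls.crt'     # leaf certificate first, then intermediates
```

With enableRenegotiation set to false the renegotiation mode is a defence-in-depth setting only; the point of the pair is that every weakening in the first spec has a matching parameter that closes it in the second.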

CR Example

Following is an example F5BigClientSslSetting CR:

apiVersion: k8s.f5net.com/v1
kind: F5BigClientSslSetting
metadata:
  name: "cnf-clientssl-profile"
  namespace: "cnf-gateway"
spec:
  enableTls13: true
  enableRenegotiation: false
  renegotiationMode: "require"
  keyCertPairs:
    - key: 'file://ssl/tls.key'
      cert: 'file://ssl/tls.crt'

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigClientSslSetting CR shortName is clientsslset.

View CR instance:

kubectl get clientsslset -n <namespace>

View CR configuration:

kubectl get clientsslset -n <namespace> -o yaml

Default profile

After installing the BIG-IP Controller, a default F5BigClientSslSetting CR is created in each new namespace. In this example, a default F5BigClientSslSetting CR exists in the cnf-gateway namespace:

kubectl get f5-big-clientssl-setting -n cnf-gateway
NAME         
sys-default-clientssl 

Managing Certs and Keys

Read this section carefully to ensure the SSL/TLS certificates and keys referenced by the F5BigClientSslSetting CR are encoded and installed into the cluster properly.

Following are the crucial points to ensure:

  • Set the tmm.tlsStore.enabled parameter to true while installing the BIG-IP Controller.
  • The SSL/TLS certificates and keys must be Base64 encoded and stored in a Secret named tls-keys-certs-secret.
  • TMM mounts the Secret named tls-keys-certs-secret at the file://etc/ssl/tls-keys-certs/ file path. As with any Kubernetes Secret volume, each key in the Secret's data (for example client.crt and client.key) is exposed as a file of that name under the mount path.

Important: The tls-keys-certs-secret Secret must be created before the BIG-IP Controller is installed, otherwise the mount will fail and cause the TMM to enter a restart loop.

Use the steps below to generate a new SSL/TLS certificate and key, Base64 encode them, and then create the tls-keys-certs-secret Secret to store them in the cluster. F5 recommends using SSL/TLS certificates signed by a well-known certificate authority (CA) for production application traffic.

Note: Use steps 4 - 6 if you already have an existing SSL/TLS certificate and key pair.

  1. Generate the CA signing certificate and key:

    openssl genrsa -out ca.key 4096
    
    openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt \
    -subj "/C=US/ST=WA/L=Seattle/O=F5/OU=Dev/CN=ca"
    
  2. Generate the ClientSsl profile SSL/TLS certificate signing request (CSR):

    openssl genrsa -out client.key 4096
    
    openssl req -new -key client.key -out client.csr \
    -subj "/C=US/ST=WA/L=Seattle/O=F5/OU=PD/CN=client.com"
    
  3. Sign the ClientSsl profile CSR with the CA. Extensions are read from an extension file (x509 -req needs -extfile; naming a section alone fails unless openssl.cnf happens to define it), and a subjectAltName is added because modern clients match the SAN rather than the CN:

    printf 'subjectAltName=DNS:client.com\n' > client.ext
    
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
    -set_serial 101 -outform PEM -out client.crt -extfile client.ext -days 365 -sha256
    
  4. Base64 encode the SSL/TLS certificate and key:

    openssl base64 -A -in client.crt -out client-encode.crt
    openssl base64 -A -in client.key -out client-encode.key
    
  5. Create the tls-keys-certs-secret Secret that stores the SSL/TLS certificate and key:

    cat > tls-keys-certs-secret.yaml <<EOF
    apiVersion: v1
    kind: Secret
    metadata:
      name: tls-keys-certs-secret
    data:
      client.crt: $(cat client-encode.crt)
      client.key: $(cat client-encode.key)
    EOF
    
  6. Install the Secret onto the BIG-IP Controller Project:

    kubectl apply -f tls-keys-certs-secret.yaml -n cnf-gateway
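The script below is an added example, not part of the F5 documentation. It carries steps 1 to 6 through as shell functions and adds the checks a practitioner wants before installing the controller: that the private key actually belongs to the certificate, that the certificate chains to the CA for the intended host name, and that the Base64 values written into the Secret decode byte-for-byte back to the original PEM files. The host name client.com, the client.* data keys and the preflight function's use of kubectl are assumptions carried over from the steps above; openssl must be installed.

```shell
#!/usr/bin/env sh
# Added example (not from the F5 documentation): generate a CA-signed
# ClientSsl certificate with a SAN, check key/cert/chain consistency,
# build the tls-keys-certs-secret manifest and verify the data round-trips.
# Assumptions: host name client.com, data keys client.crt and client.key.
set -eu

# gen_ca DIR: self-signed CA (ca.key, ca.crt) in DIR
gen_ca() {
  openssl genrsa -out "$1/ca.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -key "$1/ca.key" -sha256 -days 365 \
    -out "$1/ca.crt" -subj "/C=US/ST=WA/L=Seattle/O=F5/OU=Dev/CN=ca" 2>/dev/null
}

# gen_leaf DIR HOST: CA-signed leaf (client.key, client.crt) with a SAN.
# x509 -req only adds extensions when -extfile is given.
gen_leaf() {
  openssl genrsa -out "$1/client.key" 2048 2>/dev/null
  openssl req -new -key "$1/client.key" -out "$1/client.csr" \
    -subj "/C=US/ST=WA/L=Seattle/O=F5/OU=PD/CN=$2" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$2" > "$1/client.ext"
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -set_serial 101 -days 365 -sha256 -extfile "$1/client.ext" \
    -out "$1/client.crt" 2>/dev/null
}

# check_pair CERT KEY: returns 0 only if KEY's public key is the one in CERT
check_pair() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# check_chain CA CERT HOST: returns 0 if CERT verifies against CA for HOST
check_chain() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# b64 FILE: single-line Base64, as required for a Secret's data values
b64() { openssl base64 -A -in "$1"; }

# build_secret CRT KEY NS: write the Secret manifest to stdout; each data key
# becomes a file of that name under the TMM mount path
build_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: tls-keys-certs-secret
  namespace: $3
type: Opaque
data:
  client.crt: $(b64 "$1")
  client.key: $(b64 "$2")
EOF
}

# roundtrip MANIFEST KEY ORIGINAL: returns 0 if the Base64 value stored under
# KEY decodes byte-for-byte to ORIGINAL
roundtrip() {
  sed -n "s/^  $2: //p" "$1" | openssl base64 -d -A | cmp -s - "$3"
}

# preflight NS: returns 0 if the Secret already exists in NS. Run this before
# installing the BIG-IP Controller; a missing Secret makes TMM restart-loop.
preflight() { kubectl get secret tls-keys-certs-secret -n "$1" >/dev/null 2>&1; }
```

A typical run is `gen_ca out && gen_leaf out client.com && check_pair out/client.crt out/client.key && check_chain out/ca.crt out/client.crt client.com && build_secret out/client.crt out/client.key cnf-gateway > tls-keys-certs-secret.yaml`, followed by `kubectl apply -f` and `preflight cnf-gateway` before the controller is installed. check_pair compares SHA-256 digests of the DER-encoded public keys, which works for RSA and EC keys alike.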
    

Requirements

Ensure you have:

  • Installed the BIG-IP Controller with the tmm.tlsStore.enabled parameter set to true.
  • Created the tls-keys-certs-secret Secret in the target namespace as described in the Managing Certs and Keys section.

Installation

Following are the steps to install the F5BigClientSslSetting CR:

  1. The example F5BigClientSslSetting CR sets the enableTls13, enableRenegotiation and renegotiationMode parameters. Copy and paste the following example into a YAML file, for example cnf-clientssl-cr.yaml:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigClientSslSetting
    metadata:
      name: "cnf-clientssl-profile"
      namespace: "cnf-gateway"
    spec:
      enableTls13: true
      enableRenegotiation: false
      renegotiationMode: "require"
    
  2. Install the F5BigClientSslSetting CR:

    kubectl apply -f cnf-clientssl-cr.yaml
    
  3. Following is an example F5BigDnsApp CR using the ClientSsl profile:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDnsApp
    metadata:
      name: "cnf-dohapp"
      namespace: "cnf-gateway"
    spec:
      ipProtocol: "http2"
      dohProtocol: "udp"
      destination:
        ipv6Address: "2002::192:168:100:202"
        port: 443
      dns:
        dnsCache: "cnf-dnscache"
        dns64Mode: "secondary"
        dns64Prefix: "64:ff9b::"
        dns64AdditionalSectionRewrite: "v4-only"
      clientSslSettings: "cnf-clientssl-profile"
      pool:
        members:
          - address: "2002::10:10:10:100"
          - address: "2002::10:10:10:101"
    
  4. Install the F5BigDnsApp CR:

    kubectl apply -f f5-cnf-dohapp.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigDnsApp CR was added/updated:

    I0202 12:00:00:12350    1 event.go:282] Event(v1.ObjectReference{Kind:"F5DnsApp", DnsApp cnf-gateway/cnf-dohapp was added/updated
    
  5. The TMM Proxy Pod can now process application traffic using the F5BigClientSslSetting CR.

Additional CRs

The F5BigClientSslSetting CR can be referenced by the F5BigDnsApp (High-performance DNS resolution, caching, and DNS64 translations) CR.

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.