# F5BigServerSslSetting

## Overview

F5BigServerSslSetting is a namespaced Custom Resource in the `k8s.f5net.com` API group. It defines a Server SSL profile: the TLS settings applied on the server side of a virtual server, where the CNF data plane acts as the TLS client toward the backend server. The profile controls protocol versions, cipher settings, server certificate verification, renegotiation, session caching, SSL forward-proxy options, and Client Certificate Constrained Delegation (C3D).
## CR Parameters
### metadata

| Parameter | Type | Description |
|---|---|---|
| name | string | Unique name of the custom resource. |
| namespace | string | Namespace where the resource is created (the CRD is namespaced). |
### spec

spec defines the Server SSL profile settings. Fields that are omitted take the default shown in the last column, so read the table with the defaults in mind: in particular, server certificate verification is off unless enableServerAuthentication is set to true.

| Parameter | Type | Description / Constraints | Default |
|---|---|---|---|
| tenant | string | Name of the Tenant that owns the virtual server. Max length 255. Pattern: `^$^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$` | `""` |
| namespace | string | Tenant Namespace in which the virtual server was created. Max length 255. Pattern: `^[0-9a-zA-Z._-]*$` | `""` |
| enableTls13 | boolean | Enable/disable TLS 1.3. | `true` |
| enableTls12 | boolean | Enable/disable TLS 1.2. | `true` |
| enableTls11 | boolean | Enable/disable TLS 1.1. | `false` |
| enableDtls12 | boolean | Enable/disable DTLS 1.2. | `false` |
| enableDtls10 | boolean | Enable/disable DTLS 1.0. | `false` |
| dhGroups | string | Diffie-Hellman groups offered when negotiating SSL/TLS connections. Max length 255. Pattern: `^.*$` | `""` |
| signatureAlgorithms | string | Signature algorithms offered when negotiating SSL/TLS connections. Max length 255. Pattern: `^.*$` | `""` |
| trustedCa | string | File URI of the root CA bundle used to verify the server certificate. Only consulted when enableServerAuthentication is true. Max length 255. Pattern: `^.*$` | `""` |
| authenticateDepth | integer | Maximum certificate chain depth accepted during server certificate verification. Min 0, max 15. | `9` |
| authenticateOnce | boolean | If true, the server is authenticated once per SSL session rather than on every renegotiation. | `true` |
| crl | string | File URI of the CRL used for server certificate verification. Max length 255. Pattern: `^.*$` | `""` |
| crlAllowExpired | boolean | Allow an expired CRL to be used for server certificate verification. | `false` |
| ciphers | string | OpenSSL-style cipher string. Max length 1024. Pattern: `^.*$` | `"DEFAULT"` |
| keyCertPairs | array(object) | Key/certificate pairs this profile presents to the server when it requests a client certificate. | `[]` |
| keyCertPairs.key | string | Private key. Supported formats: embedded PEM, Vault path, or file path. Max length 1024. Pattern: `^.*$` | `""` |
| keyCertPairs.cert | string | Certificate plus intermediates. Supported formats: embedded PEM or file path. Max length 1024. Pattern: `^.*$` | `""` |
| enableSessionTicket | boolean | Enable/disable session ticket support. | `false` |
| enableRenegotiation | boolean | Enable/disable renegotiation on this profile. | `true` |
| renegotiationMode | string | Secure renegotiation (RFC 5746) mode; only meaningful when renegotiation is enabled. Enum: `request`, `require`, `require-strict`. `request` asks the peer for the secure-renegotiation extension but tolerates its absence; `require` refuses to renegotiate with a peer that lacks it; `require-strict` also refuses the initial handshake with such a peer. | `"require-strict"` |
| enableServerAuthentication | boolean | Enable/disable verification of the server certificate against trustedCa (together with crl, authenticateDepth and authenticateName). When false, the default, the connection to the server is encrypted but the server's identity is not verified. | `false` |
| renegotiatePeriod | integer | Renegotiate after N seconds; 0 disables time-based renegotiation. Min 0, max 4294967295. | `0` |
| renegotiateSize | integer | Renegotiate after N megabytes; 0 disables size-based renegotiation. Min 0, max 4294967295. | `0` |
| fileWatchMode | string | Watcher mode for SSL files. Enum: `none`, `secret-store`, `shared-volume`, `SSL_FILE_WATCH_MODE_NONE`, `SSL_FILE_WATCH_MODE_KUBERNETES_SECRET_STORE`, `SSL_FILE_WATCH_MODE_FILES_IN_SHARED_VOLUME`. | `"none"` |
| enableForwardProxy | boolean | Enable/disable SSL forward proxy. | `false` |
| enableForwardProxyBypass | boolean | Enable/disable bypass when SSL forward proxy is enabled. | `false` |
| enableFwdProxyVerifiedHS | boolean | Enable/disable verified handshake when SSL forward proxy is enabled. | `true` |
| enableFwdProxyBypassOnHsFail | boolean | Enable/disable forward proxy bypass on server-side handshake alert failures (handshake_failure, protocol_version, unsupported_extension). | `false` |
| enableFwdProxyBypassOnCCFail | boolean | Enable/disable forward proxy bypass when the handshake fails because a client certificate cannot be presented to the server. | `false` |
| dropExpiredCert | string | Action when the server certificate is expired. Enum: `drop`, `ignore`, `mask`. | `"drop"` |
| dropUntrustedCa | string | Action when the server certificate chains to an untrusted CA. Enum: `drop`, `ignore`, `mask`. | `"drop"` |
| dropRevokedCertStatus | string | Action when the server certificate is revoked. Enum: `drop`, `ignore`, `mask`. | `"drop"` |
| dropUnknownCertStatus | string | Action when the revocation status of the server certificate is unknown. Enum: `drop`, `ignore`, `mask`. Note that the default does not block on an unknown status. | `"ignore"` |
| authenticateName | string | Common Name (CN) the server certificate must carry. Empty disables the CN check, so any certificate chaining to trustedCa is accepted. Max length 255. Pattern: `^.*$` | `""` |
| handshakeTimeout | integer | Seconds to attempt SSL connection establishment before giving up. Min 0, max 4294967295. | `10` |
| alertTimeout | integer | Seconds to try to close the SSL connection cleanly before resetting it. Min -1, max 2147483647. | `-1` |
| cacheSize | integer | Number of sessions held in the SSL session cache. Min 0, max 4294967295. | `262144` |
| enableC3d | boolean | Enable/disable SSL Client Certificate Constrained Delegation (C3D). | `false` |
| c3dCertLifespan | integer | Lifespan, in hours, of certificates generated by C3D. Min 0, max 8760. | `24` |
| c3dCertExtensions | array(string) | Extensions included in the generated certificate. Each item enum: `BasicConstraints`, `ExtendedKeyUsage`, `KeyUsage`, `SubjectAltName`. | `["BasicConstraints", "ExtendedKeyUsage", "KeyUsage", "SubjectAltName"]` |
| c3dCertExtensionCustomOids | array(string) | Custom extension OIDs copied from the client certificate into the generated certificate. | `[""]` |
| c3dCaKeyCertPairs | array(object) | CA key/certificate pair used to sign generated certificates. Max items 1. | `[]` |
| c3dCaKeyCertPairs.key | string | CA private key. Supported formats: embedded PEM, Vault path, or file path. Max length 1024. Pattern: `^.*$` | `""` |
| c3dCaKeyCertPairs.cert | string | CA certificate plus intermediates. Supported formats: embedded PEM or file path. Max length 1024. Pattern: `^.*$` | `""` |
## CR Example

```yaml
apiVersion: k8s.f5net.com/v1
kind: F5BigServerSslSetting
metadata:
  name: example-serverssl
  namespace: cnf-gateway
spec:
  tenant: "example-tenant"
  namespace: "example-tenant-ns"
  enableTls13: true
  enableTls12: true
  enableTls11: false
  ciphers: "DEFAULT"
  trustedCa: "file:///etc/ssl/certs/ca-bundle.crt"
  authenticateDepth: 9
  authenticateOnce: true
  keyCertPairs:
    - key: "file:///etc/ssl/private/tls.key"
      cert: "file:///etc/ssl/certs/tls.crt"
  enableSessionTicket: false
  enableRenegotiation: true
  renegotiationMode: "require-strict"
  cacheSize: 262144
```

This example does not set `enableServerAuthentication`, which defaults to false, so the CA bundle it references is never used to verify the backend's certificate. To enforce verification, set `enableServerAuthentication: true` and, ideally, pin the expected CN with `authenticateName`.
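Because every omitted field silently takes the default from the spec table, it is worth linting a manifest against both the documented constraints (enums, ranges, lengths, patterns) and the effective profile after defaults are applied before running `kubectl apply`. The script below is an added example written for this page; it is not part of the F5 CNF project and does not call any F5 API. It assumes the manifest has already been loaded into a dict (for instance with `yaml.safe_load`), reads the tenant pattern as "empty, or a DNS-style name" because the page's rendering of that pattern is ambiguous, and runs over two constructed manifests: one modelled on the CR example above (CA bundle given, server authentication left off, TLS 1.1 enabled, an out-of-range depth) and a hardened counterpart. The names `weak-serverssl`, `hardened-serverssl`, the CRL path and the CN `origin.example.internal` are made up.

```python
import re

# Constraints transcribed from the spec table.
ENUMS = {
    "renegotiationMode": {"request", "require", "require-strict"},
    "fileWatchMode": {"none", "secret-store", "shared-volume", "SSL_FILE_WATCH_MODE_NONE",
                      "SSL_FILE_WATCH_MODE_KUBERNETES_SECRET_STORE",
                      "SSL_FILE_WATCH_MODE_FILES_IN_SHARED_VOLUME"},
}
for _f in ("dropExpiredCert", "dropUntrustedCa", "dropRevokedCertStatus", "dropUnknownCertStatus"):
    ENUMS[_f] = {"drop", "ignore", "mask"}
RANGES = {"authenticateDepth": (0, 15), "renegotiatePeriod": (0, 4294967295),
          "renegotiateSize": (0, 4294967295), "handshakeTimeout": (0, 4294967295),
          "alertTimeout": (-1, 2147483647), "cacheSize": (0, 4294967295), "c3dCertLifespan": (0, 8760)}
MAX_LEN = {"tenant": 255, "namespace": 255, "dhGroups": 255, "signatureAlgorithms": 255,
           "trustedCa": 255, "crl": 255, "ciphers": 1024, "authenticateName": 255}
# Assumption: the tenant pattern is read as "empty, or a DNS-style name"; the page's
# rendering of it is ambiguous. The namespace pattern is taken verbatim from the table.
PATTERNS = {
    "tenant": re.compile(r"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"),
    "namespace": re.compile(r"^[0-9a-zA-Z._-]*$"),
}
# Documented defaults, merged in so omitted fields are judged by their effective value.
DEFAULTS = {"enableTls13": True, "enableTls12": True, "enableTls11": False, "enableDtls12": False,
            "enableDtls10": False, "enableServerAuthentication": False, "trustedCa": "",
            "authenticateName": "", "enableRenegotiation": True, "renegotiationMode": "require-strict",
            "enableForwardProxy": False, "dropUntrustedCa": "drop", "enableC3d": False,
            "keyCertPairs": [], "c3dCaKeyCertPairs": []}


def lint(manifest):
    """Return a list of (level, code, message) findings; level is 'error' or 'warn'."""
    spec = manifest.get("spec", {})
    eff = {**DEFAULTS, **spec}
    out = []
    # Schema constraints: enum membership, integer ranges, string lengths, patterns.
    for field, allowed in ENUMS.items():
        if field in spec and spec[field] not in allowed:
            out.append(("error", "bad-enum", f"{field}={spec[field]!r} not in {sorted(allowed)}"))
    for field, (lo, hi) in RANGES.items():
        if field in spec and not (isinstance(spec[field], int) and lo <= spec[field] <= hi):
            out.append(("error", "out-of-range", f"{field}={spec[field]!r} outside [{lo}, {hi}]"))
    for field, limit in MAX_LEN.items():
        if field in spec and len(str(spec[field])) > limit:
            out.append(("error", "too-long", f"{field} exceeds {limit} characters"))
    for field, rx in PATTERNS.items():
        if field in spec and not rx.match(str(spec[field])):
            out.append(("error", "bad-pattern", f"{field}={spec[field]!r} fails its pattern"))
    # Effective-profile checks: what the data plane will actually do once defaults apply.
    protocols = ("enableTls13", "enableTls12", "enableTls11", "enableDtls12", "enableDtls10")
    if not any(eff[f] for f in protocols):
        out.append(("error", "no-protocol", "every protocol version is disabled"))
    if eff["enableTls11"] or eff["enableDtls10"]:
        out.append(("warn", "legacy-protocol", "TLS 1.1 or DTLS 1.0 is enabled"))
    if not eff["enableServerAuthentication"]:
        msg = "enableServerAuthentication is false: the server certificate is not verified"
        if eff["trustedCa"]:
            msg += " (trustedCa is set but unused)"
        out.append(("warn", "server-auth-disabled", msg))
    else:
        if not eff["trustedCa"]:
            out.append(("error", "no-trusted-ca", "server authentication enabled without trustedCa"))
        if not eff["authenticateName"]:
            out.append(("warn", "no-name-check", "authenticateName empty: any cert under trustedCa passes"))
    if eff["enableRenegotiation"] and eff["renegotiationMode"] != "require-strict":
        out.append(("warn", "weak-renegotiation", f"renegotiationMode={eff['renegotiationMode']!r}"))
    if eff["enableForwardProxy"] and eff["dropUntrustedCa"] != "drop":
        out.append(("warn", "untrusted-ca-not-dropped", f"dropUntrustedCa={eff['dropUntrustedCa']!r}"))
    if eff["enableC3d"] and not eff["c3dCaKeyCertPairs"]:
        out.append(("error", "c3d-no-ca", "enableC3d is true but c3dCaKeyCertPairs is empty"))
    for pair in eff["keyCertPairs"] + eff["c3dCaKeyCertPairs"]:
        if str(pair.get("key", "")).lstrip().startswith("-----BEGIN"):
            out.append(("warn", "embedded-key", "private key embedded in the CR; prefer a Vault or file path"))
    return out


def codes(manifest):
    """Sorted finding codes, handy for tests and CI gates."""
    return sorted(code for _, code, _ in lint(manifest))


# Constructed manifests (not from the page). WEAK mirrors the shape of the CR example
# above: a CA bundle is given, but enableServerAuthentication is left at its default.
WEAK = {"apiVersion": "k8s.f5net.com/v1", "kind": "F5BigServerSslSetting",
        "metadata": {"name": "weak-serverssl", "namespace": "cnf-gateway"},
        "spec": {"tenant": "example-tenant", "namespace": "example-tenant-ns", "enableTls11": True,
                 "trustedCa": "file:///etc/ssl/certs/ca-bundle.crt", "authenticateDepth": 20,
                 "renegotiationMode": "request"}}
HARDENED = {**WEAK, "metadata": {"name": "hardened-serverssl", "namespace": "cnf-gateway"},
            "spec": {"tenant": "example-tenant", "namespace": "example-tenant-ns",
                     "enableTls13": True, "enableTls12": True, "enableTls11": False,
                     "enableServerAuthentication": True, "authenticateDepth": 3,
                     "trustedCa": "file:///etc/ssl/certs/ca-bundle.crt",
                     "crl": "file:///etc/ssl/crl/origin.crl",  # hypothetical path
                     "authenticateName": "origin.example.internal",  # hypothetical CN
                     "renegotiationMode": "require-strict"}}

if __name__ == "__main__":
    for m in (WEAK, HARDENED):
        print(m["metadata"]["name"])
        for level, code, msg in lint(m) or [("ok", "-", "no findings")]:
            print(f"  {level:5} {code:24} {msg}")
```

Running it prints four findings for the weak manifest (legacy protocol, out-of-range depth, server authentication disabled with an unused CA bundle, and a renegotiation mode weaker than the default) and none for the hardened one. The schema checks only catch what the API server would reject anyway; the value is in the effective-profile checks, which run on the merged defaults and therefore flag omissions rather than just bad values.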