TLSProfile¶
TLSProfile is used to specify the TLS termination for a single/list of services in a VirtualServer Custom Resource. TLS termination relies on SNI. Any non-SNI traffic received on port 443 may result in connection issues. TLSProfile can be created either with certificates stored as k8s secrets or can be referenced by profiles existing in BIG-IP.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | apiVersion: cis.f5.com/v1 kind: TLSProfile metadata: name: reencrypt-tls labels: f5cr: "true" spec: tls: termination: reencrypt clientSSL: /Common/clientssl serverSSL: /Common/serverssl reference: bigip # --> reference profiles created in BIG-IP by User hosts: - coffee.example.com |
Important
CIS will only process custom resources with f5cr label set as true. See lines 5-6 above.
TLSProfile Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| termination | String | Required | N/A | Termination on BIG-IP Virtual Server. Allowed options are edge, reencrypt, and passthrough. |
| clientSSL | String | Required | N/A | ClientSSL Profile on the BIG-IP. For example /Common/clientssl. |
| serverSSL | String | Optional | N/A | ServerSSL Profile on the BIG-IP. For example /Common/serverssl. |
| reference | String | Required | N/A | Describes the location of profile: BIG-IP, k8s Secrets or a mix of k8s Secrets and BIGIP-reference i.e serverssl from bigip refernce and clientssl from secret or vice-versa. Available options are bigip secret and hybrid. |
| clientSSLs | List of string | Required | N/A | Multiple ClientSSL Profiles on the BIG-IP OR list of Kubernetes secrets. |
| serverSSLs | List of string | Optional | N/A | Multiple ServerSSL Profiles on the BIG-IP OR list of Kubernetes secrets. |
| clientSSLParams | Object | Optional | N/A | ClientSSL Parameters to be set for the BIG-IP custom clientSSL profile created by CIS for the TLSProfile with reference secret. |
| serverSSLParams | Object | Optional | N/A | ServerSSL Parameters to be set for the BIG-IP custom serverSSL profile created by CIS for the TLSProfile with reference secret. |
| tlsCipher | Object | Optional | N/A | See tlsCipher Components |
ClientSSL Parameters¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| renegotiationEnabled | Boolean | Optional | true | If false, disables renegotiation on custom clientSSL profile created by CIS for the TLSProfile with reference secret. |
| profileReference | String | Optional | N/A | Allowed values: [bigip, secret]. If reference in tls spec is set to hybrid, this parameter is used to define profile reference for clientSSL. |
ServerSSL Parameters¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| renegotiationEnabled | Boolean | Optional | true | If false, disables renegotiation on custom serverSSL profile created by CIS for the TLSProfile with reference secret. |
| profileReference | String | Optional | N/A | Allowed values: [bigip, secret]. If reference in tls spec is set to hybrid, this parameter is used to define profile reference for serverSSL. |
tlsCipher Components¶
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| tlsVersion | Boolean | Optional | 1.2 | Configures TLS version to be enabled on BIG-IP. TLS 1.3 is only supported on TMOS version 14.0+. |
| ciphers | String | Optional | DEFAULT | Configures a ciphersuite selection string. Cipher-group and ciphers are mutually exclusive; only use one. |
| cipherGroup | String | Optional | /Common/ f5-defau lt | Configures a cipher group in BIG-IP and references it here. Cipher group and ciphers are mutually exclusive; only use one. |
| disableTLSVersions | String | Optional | N/A | Configures to disable a particular version of TLS version on the bigip. Supported values are [“1.0”, “1.1”, “1.2”, “1.3”]. |
Example TLSProfile disabling tlsVersions¶
apiVersion: cis.f5.com/v1
kind: TLSProfile
metadata:
name: tlscipher-tls1.3
labels:
f5cr: "true"
spec:
tlsCipher:
tlsVersion: "1.3"
cipherGroup: /Common/f5-default
disableTLSVersions:
- "1.2"
tls:
termination: edge
clientSSL: /Common/clientssl
reference: bigip
hosts:
- coffee.example.com
Note
- CIS has a 1:1 mapping for a domain (CommonName) and BIG-IP-VirtualServer.
- You can create any number of custom resources for a single domain. For example, you are flexible to create 2 VirtualServers with different terminations (for the same domain), one with edge and another with re-encrypt. To do this you need to create two VirtualServers: one with edge TLSProfile and another with re-encrypt TLSProfile. Both the VirutalServers should be created with same virtualServerAddress.
- A single or group of VirtualServers (with the same virtualServerAddress) will be created as one common BIG-IP-VirtualServer.
- If you want to update a secure virtual (TLS Virtual) server to an insecure virtual (non-TLS server) server, you need to delete the secure virtual server first and create a new virtual server.
Examples Repository¶
Note
To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.