Last updated on: 2023-11-16 10:03:22.

TLSProfile

TLSProfile is used to specify the TLS termination for a single/list of services in a VirtualServer Custom Resource. TLS termination relies on SNI. Any non-SNI traffic received on port 443 may result in connection issues. TLSProfile can be created either with certificates stored as k8s secrets or can be referenced by profiles existing in BIG-IP.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
 apiVersion: cis.f5.com/v1
 kind: TLSProfile
 metadata:
   name: reencrypt-tls
   labels:
     f5cr: "true"
 spec:
   tls:
     termination: reencrypt
     clientSSL: /Common/clientssl
     serverSSL: /Common/serverssl
     reference: bigip             # --> reference profiles created in BIG-IP by User
   hosts:
   - coffee.example.com

Important

CIS will only process custom resources with f5cr label set as true. See lines 5-6 above.

Open API Schema Validation

TLSProfile Components

Parameter Type Required Default Description
termination String Required N/A Termination on BIG-IP Virtual Server. Allowed options are edge, reencrypt, and passthrough.
clientSSL String Required N/A ClientSSL Profile on the BIG-IP. For example /Common/clientssl.
serverSSL String Optional N/A ServerSSL Profile on the BIG-IP. For example /Common/serverssl.
reference String Required N/A Describes the location of profile: BIG-IP, or k8s Secrets. CIS currently supports BIG-IP and secret references. Available options are bigip and secret.
clientSSLs List of string Required N/A Multiple ClientSSL Profiles on the BIG-IP OR list of Kubernetes secrets.
serverSSLs List of string Optional N/A Multiple ServerSSL Profiles on the BIG-IP OR list of Kubernetes secrets.

Note

  • CIS has a 1:1 mapping for a domain (CommonName) and BIG-IP-VirtualServer.
  • You can create any number of custom resources for a single domain. For example, you are flexible to create 2 VirtualServers with different terminations (for the same domain), one with edge and another with re-encrypt. To do this you need to create two VirtualServers: one with edge TLSProfile and another with re-encrypt TLSProfile. Both the VirutalServers should be created with same virtualServerAddress.
  • A single or group of VirtualServers (with the same virtualServerAddress) will be created as one common BIG-IP-VirtualServer.
  • If you want to update a secure virtual (TLS Virtual) server to an insecure virtual (non-TLS server) server, you need to delete the secure virtual server first and create a new virtual server.

View more examples on GitHub.


Note

To provide feedback on Container Ingress Services or this documentation, please file a GitHub Issue.