VirtualServer with TLSProfileΒΆ

VirtualServer with TLSProfile is used to specify the TLS termination. TLS termination relies on SNI. Any non-SNI traffic received on port 443 may result in connection issues. The example below shows how to attach a TLSProfile to a VirtualServer.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
 apiVersion: cis.f5.com/v1
 kind: VirtualServer
 metadata:
   name: coffee-virtual-server
   labels:
     f5cr: "true"
   namespace: default
 spec:
   host: coffee.example.com
   tlsProfileName: reencrypt-tls  # --> This will attach reencrypt-tls TLSProfile
   virtualServerAddress: "172.16.3.4"
   httptraffic: redirect
   pools:
     - path: /coffee
       service: svc
       servicePort: 80
  • CIS has a 1:1 mapping for a domain (CommonName) and BIG-IP-VirtualServer.
  • You can create any number of custom resources for a single domain. For example, you can create 2 VirtualServers with different terminations (for the same domain): one with edge and another with re-encrypt. To do this you need to create two VirtualServers: one with edge TLSProfile and another with re-encrypt TLSProfile. Both the VirutalServers should be created with same virtualServerAddress.
  • Single or Group of VirtualServers (with the same virtualServerAddress) will be created as one common BIG-IP-VirtualServer.
  • If you want to update secure virtual (TLS Virtual) server to insecure virtual (non-TLS server) server. You need to delete the secure virtual server first and create a new virtual server.
  • Configure behavior of HTTP virtual server with httpTraffic. The allowed values are: allow: Allows HTTP, none: Only HTTPS, redirect: redirects HTTP to HTTPS.

Note

To provide feedback on Container Ingress Services or this documentation, you can file a GitHub Issue.