Forum Discussion
AS3 configmap - the certificate generated by the K8S cert manager can not be used
Hello,
I would like to ask you for help.
For our customer we use a K8S controller with an AS3 configmap. We need to take a certificate “created by K8S cert manager” and deploy it to F5. I am not able to find a way to achieve this.
Is it possible to configure it?
My configuration is below.
Thank you in advance
Lukas
CONFIGMAP:
apiVersion: v1
kind: ConfigMap
metadata:
  name: f5-as3-declaration-1
  namespace: test-configmap
  labels:
    f5type: virtual-server
    as3: "true"
data:
  template: |
    {
      "class": "AS3",
      .
      .
      .
      "SSLPROFILE": {
        "class": "TLS_Server",
        "certificates": [
          {
            "certificate": "webcert"
          }
        ]
      },
      "webcert": {
        "class": "Certificate",
        "remark": "in practice we recommend using a passphrase",
        "certificate": "test-certificate",
        "privateKey": "test-certificate"
      },
DEPLOYMENT OF CERTIFICATES:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: test-certificate
  namespace: test-configmap
spec:
  secretName: test-certificate
  dnsNames:
  - "test-configmap-hello1.test"
  - "test-configmap-hello2.test"
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
#kubectl get certificate -n test-configmap
NAME                   READY   SECRET                 AGE
app1-cert-v1           True    app01-cert-v1          134m
hello-kubernetes-tls   True    hello-kubernetes-tls   3h54m
test-certificate       True    test-certificate       138m
F5 response (unable to validate certificate, invalid x509 file):
2021/07/20 22:02:19 [ERROR] [AS3] Raw response from Big-IP: map[code:207 declaration:map[ULT_K8S_partition:map[Shared:map[class:Application template:shared] class:Tenant defaultRouteDomain:40] class:ADC controls:map[archiveTimestamp:2021-07-20T22:02:17.079Z class:Controls userAgent:CIS/v2.4.1 K8S/v1.18.10] id:urn:uuid:85626792-9ee7-46bb-8fc8-4ba708cfdc1d label:CIS Declaration remark:Auto-generated by CIS schemaVersion:3.25.0 updateMode:selective] results:[map[code:200 host:localhost message:no change runTime:2610 tenant:ULT_K8S_partition] map[code:422 host:localhost message:declaration failed response:01070712:3: unable to validate certificate, invalid x509 file (/ULT_K8S_partition_app1/hello_kubernetes1_app/webcert.crt). runTime:5497 tenant:ULT_K8S_partition_app1]]]
DEPLOYMENT + SERVICE:
apiVersion: v1
kind: Namespace
metadata:
  name: test-configmap
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-kubernetes1
  namespace: test-configmap
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-kubernetes1
  template:
    metadata:
      labels:
        app: hello-kubernetes1
    spec:
      containers:
      - name: hello-kubernetes2
        image: paulbouwer/hello-kubernetes:1.8
        ports:
        - containerPort: 8080
---
---
apiVersion: v1
kind: Service
metadata:
  name: hello-kubernetes1
  namespace: test-configmap
  labels:
    app: hello-kubernetes1
    cis.f5.com/as3-tenant: ULT_K8S_partition_app1
    cis.f5.com/as3-app: hello_kubernetes1_app
    cis.f5.com/as3-pool: hello_kubernetes1_pool
spec:
  selector:
    app: hello-kubernetes1
  ports:
  - protocol: TCP
    name: hello-kubernetes1
    port: 8080
    targetPort: 8080
  type: NodePort
kubectl get secret test-certificate -n test-configmap -o yaml
apiVersion: v1
data:
  ca.crt: LS0tL.................0tCg==
  tls.crt: LS0tLS1C.............Cg==
  tls.key: LS0tLS1CR..................S0tLS0tCg==
kind: Secret
metadata:
  annotations:
    cert-manager.io/alt-names: test-configmap-hello1.test,test-configmap-hello2.test
    cert-manager.io/certificate-name: test-certificate
    cert-manager.io/common-name: ""
    cert-manager.io/ip-sans: ""
    cert-manager.io/issuer-group: ""
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: selfsigned-issuer
    cert-manager.io/uri-sans: ""
  creationTimestamp: "2021-07-20T19:42:44Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:ca.crt: {}
        f:tls.crt: {}
        f:tls.key: {}
      f:metadata:
        f:annotations:
          .: {}
          f:cert-manager.io/alt-names: {}
          f:cert-manager.io/certificate-name: {}
          f:cert-manager.io/common-name: {}
          f:cert-manager.io/ip-sans: {}
          f:cert-manager.io/issuer-group: {}
          f:cert-manager.io/issuer-kind: {}
          f:cert-manager.io/issuer-name: {}
          f:cert-manager.io/uri-sans: {}
      f:type: {}
    manager: controller
    operation: Update
    time: "2021-07-20T19:42:44Z"
  name: test-certificate
  namespace: test-configmap
  resourceVersion: "86297610"
  selfLink: /api/v1/namespaces/test-configmap/secrets/test-certificate
  uid: ede01f93-6dd8-4843-9989-639b03485904
type: kubernetes.io/tls
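Added example (not part of the original post and not F5 or cert-manager code): the 422 in the log above is consistent with AS3 reading the `certificate` and `privateKey` strings of a `Certificate` object as PEM text, while the posted declaration passes the Secret's name there. The sketch below flags such fields and builds a `Certificate` object from a `kubernetes.io/tls` Secret; the function names and the sample Secret contents are constructed for illustration.

```python
import base64
import copy

CERT_MARK = ("-----BEGIN CERTIFICATE-----",)
KEY_MARK = ("-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----",
            "-----BEGIN EC PRIVATE KEY-----", "-----BEGIN ENCRYPTED PRIVATE KEY-----")

def certificate_from_secret(secret):
    """Turn a kubernetes.io/tls Secret (parsed JSON) into an AS3 Certificate object."""
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("expected a kubernetes.io/tls Secret")
    pem = {k: base64.b64decode(v).decode("ascii") for k, v in secret["data"].items()}
    return {"class": "Certificate", "certificate": pem["tls.crt"], "privateKey": pem["tls.key"]}

def lint_certificates(node, path=""):
    """List Certificate fields that hold a plain string instead of PEM text."""
    found = []
    if isinstance(node, dict):
        if node.get("class") == "Certificate":
            for field, marks in (("certificate", CERT_MARK), ("privateKey", KEY_MARK)):
                value = node.get(field)
                # Pointer objects (dicts) are left alone; only strings must be PEM.
                if isinstance(value, str) and not value.lstrip().startswith(marks):
                    found.append(f"{path}/{field}")
        for key, child in node.items():
            found += lint_certificates(child, f"{path}/{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            found += lint_certificates(child, f"{path}/{i}")
    return found

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed stand-in for `kubectl get secret test-certificate -o json`;
# the PEM bodies are placeholders, not real key material.
SAMPLE_SECRET = {"type": "kubernetes.io/tls", "data": {
    "tls.crt": b64("-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"),
    "tls.key": b64("-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n")}}

# The two objects from the posted declaration, as written in the post.
POSTED = {"SSLPROFILE": {"class": "TLS_Server", "certificates": [{"certificate": "webcert"}]},
          "webcert": {"class": "Certificate", "certificate": "test-certificate",
                      "privateKey": "test-certificate"}}
FIXED = copy.deepcopy(POSTED)
FIXED["webcert"] = certificate_from_secret(SAMPLE_SECRET)

if __name__ == "__main__":
    print("posted:", lint_certificates(POSTED))
    print("fixed: ", lint_certificates(FIXED))
```

The rendered declaration contains the private key in clear text, so RBAC on the ConfigMap that carries it needs to be as tight as on the Secret itself.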