
Forum Discussion

Lukas
Jul 21, 2021

AS3 configmap - the certificate generated by the K8S cert manager can not be used

Hello,

I would like to ask you for help.

For our customer we use a K8S controller with an AS3 configmap. We need to take a certificate “created by K8S cert manager” and deploy it to F5. I am not able to find a way to achieve this.

Is it possible to configure it?

My configuration is below.

Thank you in advance

Lukas


CONFIGMAP:

apiVersion: v1
kind: ConfigMap
metadata:
  name: f5-as3-declaration-1
  namespace: test-configmap
  labels:
    f5type: virtual-server
    as3: "true"
data:
  template: |
    {
      "class": "AS3",
      .
      .
      .
      "SSLPROFILE": {
        "class": "TLS_Server",
        "certificates": [
          {
            "certificate": "webcert"
          }
        ]
      },
      "webcert": {
        "class": "Certificate",
        "remark": "in practice we recommend using a passphrase",
        "certificate": "test-certificate",
        "privateKey": "test-certificate"
      },


DEPLOYMENT OF CERTIFICATES:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: test-certificate
  namespace: test-configmap
spec:
  secretName: test-certificate
  dnsNames:
  - "test-configmap-hello1.test"
  - "test-configmap-hello2.test"
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer


#kubectl get certificate -n test-configmap
NAME                   READY   SECRET                 AGE
app1-cert-v1           True    app01-cert-v1          134m
hello-kubernetes-tls   True    hello-kubernetes-tls   3h54m
test-certificate       True    test-certificate       138m


F5 response (unable to validate certificate, invalid x509 file):

2021/07/20 22:02:19 [ERROR] [AS3] Raw response from Big-IP: map[code:207 declaration:map[ULT_K8S_partition:map[Shared:map[class:Application template:shared] class:Tenant defaultRouteDomain:40] class:ADC controls:map[archiveTimestamp:2021-07-20T22:02:17.079Z class:Controls userAgent:CIS/v2.4.1 K8S/v1.18.10] id:urn:uuid:85626792-9ee7-46bb-8fc8-4ba708cfdc1d label:CIS Declaration remark:Auto-generated by CIS schemaVersion:3.25.0 updateMode:selective] results:[map[code:200 host:localhost message:no change runTime:2610 tenant:ULT_K8S_partition] map[code:422 host:localhost message:declaration failed response:01070712:3: unable to validate certificate, invalid x509 file (/ULT_K8S_partition_app1/hello_kubernetes1_app/webcert.crt). runTime:5497 tenant:ULT_K8S_partition_app1]]]


DEPLOYMENT + SERVICE:

apiVersion: v1
kind: Namespace
metadata:
  name: test-configmap
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-kubernetes1
  namespace: test-configmap
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-kubernetes1
  template:
    metadata:
      labels:
        app: hello-kubernetes1
    spec:
      containers:
      - name: hello-kubernetes2
        image: paulbouwer/hello-kubernetes:1.8
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: hello-kubernetes1
  namespace: test-configmap
  labels:
    app: hello-kubernetes1
    cis.f5.com/as3-tenant: ULT_K8S_partition_app1
    cis.f5.com/as3-app: hello_kubernetes1_app
    cis.f5.com/as3-pool: hello_kubernetes1_pool
spec:
  selector:
    app: hello-kubernetes1
  ports:
  - protocol: TCP
    name: hello-kubernetes1
    port: 8080
    targetPort: 8080
  type: NodePort


kubectl get secret test-certificate -n test-configmap -o yaml

apiVersion: v1
data:
  ca.crt: LS0tL.................0tCg==
  tls.crt: LS0tLS1C.............Cg==
  tls.key: LS0tLS1CR..................S0tLS0tCg==
kind: Secret
metadata:
  annotations:
    cert-manager.io/alt-names: test-configmap-hello1.test,test-configmap-hello2.test
    cert-manager.io/certificate-name: test-certificate
    cert-manager.io/common-name: ""
    cert-manager.io/ip-sans: ""
    cert-manager.io/issuer-group: ""
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: selfsigned-issuer
    cert-manager.io/uri-sans: ""
  creationTimestamp: "2021-07-20T19:42:44Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:ca.crt: {}
        f:tls.crt: {}
        f:tls.key: {}
      f:metadata:
        f:annotations:
          .: {}
          f:cert-manager.io/alt-names: {}
          f:cert-manager.io/certificate-name: {}
          f:cert-manager.io/common-name: {}
          f:cert-manager.io/ip-sans: {}
          f:cert-manager.io/issuer-group: {}
          f:cert-manager.io/issuer-kind: {}
          f:cert-manager.io/issuer-name: {}
          f:cert-manager.io/uri-sans: {}
      f:type: {}
    manager: controller
    operation: Update
    time: "2021-07-20T19:42:44Z"
  name: test-certificate
  namespace: test-configmap
  resourceVersion: "86297610"
  selfLink: /api/v1/namespaces/test-configmap/secrets/test-certificate
  uid: ede01f93-6dd8-4843-9989-639b03485904
type: kubernetes.io/tls
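In the configmap above, the AS3 `Certificate` object carries the Secret's name as the value of `certificate` and `privateKey`, whereas AS3 expects the PEM text itself in those properties, which matches BIG-IP rejecting webcert.crt as an invalid x509 file. As an added example (not part of the original post, and not CIS or F5 code), this Python helper decodes a kubernetes.io/tls Secret of the shape shown in the kubectl output, renders the inline-PEM form of the object, and checks a `Certificate` object before the declaration is handed to CIS; the sample Secret and its placeholder payloads are constructed, and function names are my own.

```python
import base64
import binascii
import re

# One PEM block: armour lines around a base64 body (newlines allowed inside the body).
PEM_RE = re.compile(r"^-----BEGIN ([A-Z ]+)-----\n([A-Za-z0-9+/=\n]+?)-----END \1-----\s*$")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_label(text):
    """Return the PEM label ('CERTIFICATE', 'PRIVATE KEY', ...) of a well-formed block, else None."""
    m = PEM_RE.match(text or "")
    if not m:
        return None
    try:
        base64.b64decode(m.group(2))  # armour looks right; make sure the body decodes too
    except binascii.Error:
        return None
    return m.group(1)


def render_as3_certificate(secret, remark="rendered from a cert-manager Secret"):
    """Build the AS3 Certificate object from a kubernetes.io/tls Secret (kubectl -o json shape):
    the decoded PEM text goes inline, not the Secret's name."""
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("expected a Secret of type kubernetes.io/tls")
    data = secret["data"]  # Secret data values are base64 of the PEM files
    return {"class": "Certificate", "remark": remark,
            "certificate": base64.b64decode(data["tls.crt"]).decode(),
            "privateKey": base64.b64decode(data["tls.key"]).decode()}


def check_as3_certificate(obj):
    """Pre-flight check of the inline-PEM form; returns a list of problems (empty means OK).
    A {"bigip": "/Common/..."} reference to an existing BIG-IP object is not covered here."""
    problems = []
    if pem_label(obj.get("certificate")) != "CERTIFICATE":
        problems.append("'certificate' must be PEM certificate text, not a Secret name")
    if pem_label(obj.get("privateKey")) not in KEY_LABELS:
        problems.append("'privateKey' must be PEM private-key text, not a Secret name")
    return problems


def _pem(label, payload):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(payload).decode()}-----END {label}-----\n"


# Constructed sample in the shape of the post's kubectl output; the payloads are
# placeholders, not a real X.509 certificate or PKCS#8 key.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "test-certificate", "namespace": "test-configmap"},
    "data": {"tls.crt": base64.b64encode(_pem("CERTIFICATE", b"placeholder-cert").encode()).decode(),
             "tls.key": base64.b64encode(_pem("PRIVATE KEY", b"placeholder-key").encode()).decode()},
}
```

Running `check_as3_certificate` on the post's own `webcert` object (both values set to "test-certificate") reports both properties, while the object returned by `render_as3_certificate(SAMPLE_SECRET)` passes.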
