Forum Discussion
Kubernetes cert-manager + LetsEncrypt + F5
Hi there
I have a confession. I'm running a virtual F5 at home as a lab device and ingress controller but it does not have any legitimate management certificate.
<Pause for rotten tomatoes...>
However, I do run a Kubernetes kluster with cert-manager and it automates certificate signing via Let's Encrypt and GCP so I figured maybe it'd be nice to write some sort of K8s Webhook or BatchJob which manages certificates on F5 devices.
I know there are ACME scripts for this and code examples using ie. Python but I want to do this in my Kubernetes cluster.
My questions are:
Has anyone done this before? If so, want to share the code?
If not, would anyone be interested in using this?
Naturally it'd be published on GitHub like all the other things I do, if I do it.
Kind regards,
Patrik
Boy, that took waaaay longer than I thought but here it is:
https://github.com/net-utilities/f5-k8s-certs
Kind regards,
Patrik
7 Replies
- JRahm
Admin
you're wanting to have a process in your cluster to manage/automate the certs on BIG-IP for container ingress services? I'm not sure all the pieces are there, but Sebastian wrote up using vault and AS3 in that regard, maybe something in there helpful toward achieving that?
I've found as3 a bit challenging to use in cases with shared partitions as it seems like it has to manage the whole partition, but my experience is very limited so I hope I'm wrong.
In this case it'd be ad-hoc cert management with the following DoD:
- Certificates should be able to be managed in any partition, including common, and custom partitions
- The partitions can have other types of configuration, only the certificates would be managed
- Both Management and Traffic management certificates should be supported
Can I do this with AS3?
Kind regards,
Patrik
Made some progress. Now I have a script to manage the management certificate:
https://community.f5.com/t5/technical-forum/unable-to-update-device-cert/m-p/299470#M260842
Next step is to find a smart way to manage the certificates using Kubernetes. Leaning towards a configmap and a batchjob/webhook. Suggestions welcome!
Boy, that took waaaay longer than I thought but here it is:
https://github.com/net-utilities/f5-k8s-certs
Kind regards,
Patrik- JRahm
nice work!
- Nikoolayy1
MVP
After 3 years from my tests CIS still seems to not detect that cert manager has updated the secret holding the certificates . Patrik_Jonsson I think I am correct about this one as I just tested it?
JRahm if the cert manager creates the certs and then saves them to a secret needing to push them to Vault and then to BIG-IP seems complex. A cronjob can always be used that has a container with "curl" but I was hopping CIS to be able to monitor the secret for a change like Nginx Ingress monitors the secrets for it's certificates.
Nope, we currently use terraform which runs intermittently. It works but it'd be nice if CIS could do it!
