
AS3 configmap - the certificate generated by the K8S cert manager can not be used

Lukas
Nimbostratus

Hello,

I would like to ask you for help.

For our customer we use a K8S controller with an AS3 ConfigMap. We need to take a certificate "created by K8S cert-manager" and deploy it to the F5. I am not able to find a way to achieve this.

Is it possible to configure it?

My configuration is below.

Thank you in advance

Lukas

CONFIGMAP:

apiVersion: v1
kind: ConfigMap
metadata:
  name: f5-as3-declaration-1
  namespace: test-configmap
  labels:
    f5type: virtual-server
    as3: "true"
data:
  template: |
    {
      "class": "AS3",
      ...
      "SSLPROFILE": {
        "class": "TLS_Server",
        "certificates": [
          {
            "certificate": "webcert"
          }
        ]
      },
      "webcert": {
        "class": "Certificate",
        "remark": "in practice we recommend using a passphrase",
        "certificate": "test-certificate",
        "privateKey": "test-certificate"
      },

DEPLOYMENT OF CERTIFICATES:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: test-certificate
  namespace: test-configmap
spec:
  secretName: test-certificate
  dnsNames:
    - "test-configmap-hello1.test"
    - "test-configmap-hello2.test"
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer

#kubectl get certificate -n test-configmap
NAME                   READY   SECRET                 AGE
app1-cert-v1           True    app01-cert-v1          134m
hello-kubernetes-tls   True    hello-kubernetes-tls   3h54m
test-certificate       True    test-certificate       138m

F5 response (unable to validate certificate, invalid x509 file) 😞

2021/07/20 22:02:19 [ERROR] [AS3] Raw response from Big-IP: map[code:207 declaration:map[ULT_K8S_partition:map[Shared:map[class:Application template:shared] class:Tenant defaultRouteDomain:40] class:ADC controls:map[archiveTimestamp:2021-07-20T22:02:17.079Z class:Controls userAgent:CIS/v2.4.1 K8S/v1.18.10] id:urn:uuid:85626792-9ee7-46bb-8fc8-4ba708cfdc1d label:CIS Declaration remark:Auto-generated by CIS schemaVersion:3.25.0 updateMode:selective] results:[map[code:200 host:localhost message:no change runTime:2610 tenant:ULT_K8S_partition] map[code:422 host:localhost message:declaration failed response:01070712:3: unable to validate certificate, invalid x509 file (/ULT_K8S_partition_app1/hello_kubernetes1_app/webcert.crt). runTime:5497 tenant:ULT_K8S_partition_app1]]]

DEPLOYMENT + SERVICE:

apiVersion: v1
kind: Namespace
metadata:
  name: test-configmap
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-kubernetes1
  namespace: test-configmap
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-kubernetes1
  template:
    metadata:
      labels:
        app: hello-kubernetes1
    spec:
      containers:
        - name: hello-kubernetes2
          image: paulbouwer/hello-kubernetes:1.8
          ports:
            - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: hello-kubernetes1
  namespace: test-configmap
  labels:
    app: hello-kubernetes1
    cis.f5.com/as3-tenant: ULT_K8S_partition_app1
    cis.f5.com/as3-app: hello_kubernetes1_app
    cis.f5.com/as3-pool: hello_kubernetes1_pool
spec:
  selector:
    app: hello-kubernetes1
  ports:
    - protocol: TCP
      name: hello-kubernetes1
      port: 8080
      targetPort: 8080
  type: NodePort

kubectl get secret test-certificate -n test-configmap -o yaml

apiVersion: v1
data:
  ca.crt: LS0tL.................0tCg==
  tls.crt: LS0tLS1C.............Cg==
  tls.key: LS0tLS1CR..................S0tLS0tCg==
kind: Secret
metadata:
  annotations:
    cert-manager.io/alt-names: test-configmap-hello1.test,test-configmap-hello2.test
    cert-manager.io/certificate-name: test-certificate
    cert-manager.io/common-name: ""
    cert-manager.io/ip-sans: ""
    cert-manager.io/issuer-group: ""
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: selfsigned-issuer
    cert-manager.io/uri-sans: ""
  creationTimestamp: "2021-07-20T19:42:44Z"
  managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:ca.crt: {}
          f:tls.crt: {}
          f:tls.key: {}
        f:metadata:
          f:annotations:
            .: {}
            f:cert-manager.io/alt-names: {}
            f:cert-manager.io/certificate-name: {}
            f:cert-manager.io/common-name: {}
            f:cert-manager.io/ip-sans: {}
            f:cert-manager.io/issuer-group: {}
            f:cert-manager.io/issuer-kind: {}
            f:cert-manager.io/issuer-name: {}
            f:cert-manager.io/uri-sans: {}
        f:type: {}
      manager: controller
      operation: Update
      time: "2021-07-20T19:42:44Z"
  name: test-certificate
  namespace: test-configmap
  resourceVersion: "86297610"
  selfLink: /api/v1/namespaces/test-configmap/secrets/test-certificate
  uid: ede01f93-6dd8-4843-9989-639b03485904
type: kubernetes.io/tls
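The post above got no reply. The script below is an added example for this thread; it is not code from the post, from F5 CIS or from cert-manager. It assumes that the AS3 Certificate class fields `certificate`, `privateKey` and `chainCA` take PEM text (the BIG-IP error in the post reports that the contents written to webcert.crt were not a valid x509 file, which is what a literal Secret name in those fields would produce). It does two things a practitioner would want before the next push: a pre-flight walk over an AS3 declaration that flags Certificate objects whose values are not PEM, and a renderer that base64-decodes the data: fields of a kubernetes.io/tls Secret (the `kubectl get secret -o json` form) into a Certificate object with the PEM inline. The PEM check is structural (PEM armour plus a well-formed outer DER SEQUENCE), not a full X.509 parse. The sample Secret is constructed with a placeholder DER payload so the script runs offline; the script name `render_as3_cert.py` in the usage line is hypothetical.

```python
"""Pre-flight check and renderer for AS3 Certificate objects from a cert-manager TLS Secret.

Added example, not code from the post, F5 CIS or cert-manager. Standard library only.
"""
import base64
import json
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----"
)
# cert-manager writes PKCS#1 ("RSA PRIVATE KEY") or PKCS#8 ("PRIVATE KEY") keys; EC keys also occur.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def der_outer_length(der):
    """Total encoded length of the outermost DER SEQUENCE, or None if `der` does not start with one."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length octet
        return 2 + first
    nbytes = first & 0x7F                 # long form: number of following length octets
    if nbytes == 0 or len(der) < 2 + nbytes:
        return None
    return 2 + nbytes + int.from_bytes(der[2:2 + nbytes], "big")


def check_pem(text, labels):
    """True if `text` is a PEM block with a label in `labels` whose payload is one complete DER SEQUENCE."""
    m = PEM_RE.search(text or "")
    if m is None or m.group("label") not in labels:
        return False
    try:
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return False
    return der_outer_length(der) == len(der)


def find_bad_certificates(node, path=""):
    """Walk an AS3 declaration and return JSON-pointer-like paths of Certificate fields that are not PEM."""
    bad = []
    if isinstance(node, dict):
        if node.get("class") == "Certificate":
            if not check_pem(node.get("certificate"), {"CERTIFICATE"}):
                bad.append(path + "/certificate")
            if not check_pem(node.get("privateKey"), KEY_LABELS):
                bad.append(path + "/privateKey")
        for key, value in node.items():
            bad.extend(find_bad_certificates(value, path + "/" + key))
    return bad


def decode_tls_secret(secret):
    """Base64-decode the data: fields of a kubernetes.io/tls Secret into PEM strings."""
    if secret.get("kind") != "Secret" or secret.get("type") != "kubernetes.io/tls":
        raise ValueError("expected a kubernetes.io/tls Secret")
    data = secret.get("data") or {}
    missing = {"tls.crt", "tls.key"} - set(data)
    if missing:
        raise ValueError("Secret is missing %s" % sorted(missing))
    return {k: base64.b64decode(v).decode("ascii") for k, v in data.items()}


def as3_certificate(pem, remark="rendered from cert-manager Secret"):
    """Build an AS3 Certificate object with the PEM text inline, validating each field first."""
    if not check_pem(pem["tls.crt"], {"CERTIFICATE"}):
        raise ValueError("tls.crt is not a PEM certificate")
    if not check_pem(pem["tls.key"], KEY_LABELS):
        raise ValueError("tls.key is not a PEM private key")
    obj = {"class": "Certificate", "remark": remark,
           "certificate": pem["tls.crt"], "privateKey": pem["tls.key"]}
    ca = pem.get("ca.crt")
    # cert-manager also stores the issuing CA; send it as the chain unless it is the leaf
    # itself (self-signed issuer), in which case there is no chain to send.
    if ca and ca != pem["tls.crt"] and check_pem(ca, {"CERTIFICATE"}):
        obj["chainCA"] = ca
    return obj


def _pem(label, der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed sample: the shape of the Secret in the post with a placeholder DER payload
# (a SEQUENCE holding INTEGER 5). Well-formed DER, but not a real certificate or key.
PLACEHOLDER_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "test-certificate", "namespace": "test-configmap"},
    "data": {k: base64.b64encode(v.encode("ascii")).decode("ascii") for k, v in {
        "ca.crt": _pem("CERTIFICATE", PLACEHOLDER_DER),
        "tls.crt": _pem("CERTIFICATE", PLACEHOLDER_DER),
        "tls.key": _pem("PRIVATE KEY", PLACEHOLDER_DER),
    }.items()},
}

if __name__ == "__main__":
    # kubectl get secret test-certificate -n test-configmap -o json | python3 render_as3_cert.py
    secret = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_SECRET
    print(json.dumps({"webcert": as3_certificate(decode_tls_secret(secret))}, indent=2))
```

Run `find_bad_certificates` over the parsed `template` value of the ConfigMap before CIS pushes it; on the declaration in the post it reports both fields of `webcert`, because "test-certificate" is the name of a Secret, not PEM. The rendered `webcert` object can be dropped into the template in place of the one in the post. One caveat: doing so copies the private key out of a Secret into a ConfigMap, which Kubernetes RBAC usually protects less tightly, so restrict read access to that ConfigMap accordingly.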
