Kubernetes cert-manager + LetsEncrypt + F5

Hi there

I have a confession. I'm running a virtual F5 at home as a lab device and ingress controller but it does not have any legitimate management certificate.

<Pause for rotten tomatoes...>

However, I do run a Kubernetes cluster with cert-manager, and it automates certificate signing via Let's Encrypt and GCP, so I figured maybe it'd be nice to write some sort of K8s Webhook or BatchJob which manages certificates on F5 devices.

I know there are ACME scripts for this and code examples using e.g. Python, but I want to do this in my Kubernetes cluster.

My questions are:
Has anyone done this before? If so, want to share the code?
If not, would anyone be interested in using this?

Naturally it'd be published on GitHub like all the other things I do, if I do it.

Kind regards,
Patrik

1 ACCEPTED SOLUTION

Boy, that took waaaay longer than I thought but here it is:

https://github.com/net-utilities/f5-k8s-certs

Kind regards,
Patrik


5 REPLIES

JRahm
Community Manager

You're wanting to have a process in your cluster to manage/automate the certs on BIG-IP for container ingress services? I'm not sure all the pieces are there, but Sebastian wrote up using Vault and AS3 in that regard; maybe something in there is helpful toward achieving that?

https://maniakacademy.medium.com/using-hashicorp-vault-to-automate-certificate-lifecycle-management-...

I've found AS3 a bit challenging to use in cases with shared partitions, as it seems like it has to manage the whole partition, but my experience is very limited so I hope I'm wrong.

In this case it'd be ad-hoc cert management with the following DoD:

  • Certificates should be able to be managed in any partition, including common, and custom partitions
  • The partitions can have other types of configuration, only the certificates would be managed
  • Both Management and Traffic management certificates should be supported

Can I do this with AS3?

Kind regards,
Patrik

 

Made some progress. Now I have a script to manage the management certificate:

https://community.f5.com/t5/technical-forum/unable-to-update-device-cert/m-p/299470#M260842

Next step is to find a smart way to manage the certificates using Kubernetes. Leaning towards a configmap and a batchjob/webhook. Suggestions welcome!

Boy, that took waaaay longer than I thought but here it is:

https://github.com/net-utilities/f5-k8s-certs

Kind regards,
Patrik

Nice work!