29-Jul-2022 07:48
Hi there
I have a confession. I'm running a virtual F5 at home as a lab device and ingress controller but it does not have any legitimate management certificate.
<Pause for rotten tomatoes...>
However, I do run a Kubernetes cluster with cert-manager and it automates certificate signing via Let's Encrypt and GCP, so I figured maybe it'd be nice to write some sort of K8s Webhook or BatchJob which manages certificates on F5 devices.
I know there are ACME scripts for this and code examples using ie. Python but I want to do this in my Kubernetes cluster.
My questions are:
Has anyone done this before? If so, want to share the code?
If not, would anyone be interested in using this?
Naturally it'd be published on GitHub like all the other things I do, if I do it.
Kind regards,
Patrik
01-Aug-2022 21:35
You're wanting to have a process in your cluster to manage/automate the certs on BIG-IP for container ingress services? I'm not sure all the pieces are there, but Sebastian wrote up using Vault and AS3 in that regard; maybe something in there is helpful toward achieving that?
01-Aug-2022 23:26 - edited 01-Aug-2022 23:27
I've found AS3 a bit challenging to use in cases with shared partitions, as it seems like it has to manage the whole partition, but my experience is very limited so I hope I'm wrong.
In this case it'd be ad-hoc cert management with the following DoD:
Can I do this with AS3?
Kind regards,
Patrik
07-Aug-2022 02:00
Made some progress. Now I have a script to manage the management certificate:
https://community.f5.com/t5/technical-forum/unable-to-update-device-cert/m-p/299470#M260842
Next step is to find a smart way to manage the certificates using Kubernetes. Leaning towards a configmap and a batchjob/webhook. Suggestions welcome!
10-Aug-2022 12:33 - edited 10-Aug-2022 12:34
Boy, that took waaaay longer than I thought but here it is:
https://github.com/net-utilities/f5-k8s-certs
Kind regards,
Patrik
10-Aug-2022 13:36
Nice work!