Bug 1434669
| Summary: | Need to configure manually for Reencrypt TLS termination based F5 Native Integration on OCP3.4 | ||||||
|---|---|---|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Daniel <doh> | ||||
| Component: | Networking | Assignee: | Ben Bennett <bbennett> | ||||
| Status: | CLOSED DUPLICATE | QA Contact: | Meng Bo <bmeng> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 3.4.1 | CC: | aos-bugs, bmeng, erich, jokerman, mmccomas | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-03-28 15:36:30 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
*** This bug has been marked as a duplicate of bug 1431655 *** |
Created attachment 1265291 [details] screenshot of F5 configuration Description of problem: We have TLS termination routes in default, logging, infra projects and each TLS termination is defined as below. kibana, metrics : re-encrypt docker-registry, registry-console : passthrough In this case, I have some issues like below. When I add a CA to SSL Profile(Client) in F5, all edge, passthrough is working which means I can access registry-console url in web browser so I need to change all re-encrypt to passthrough in routes of kibana, metrics. However, when I add ssl profile(server) in F5 like attachment, only reencrypt routes are working. The issue is that all tls routes is registered in https-ose-vserver so I can only set tls termination as edge/passthrough or re-encrypt manually. We need to enhance this functionality as it automatically changes F5 configuration when we use all type of TLS termination with commercial certificate. Version-Release number of selected component (if applicable): 3.4.1 F5 Native Integration How reproducible: It's always happening when we use edge, passthrough, reencrypt TLS termination with commercial SSL certificate at the same time. Steps to Reproduce: 1.Create secured route with edge using commercial SSL certificate without adding & modifying F5 SSL profile, iRule 2.Create secured route with passthrough using commercial SSL certificate without adding & modifying F5 SSL profile, iRule 3.Create secured route with reencrypt using commercial SSL certificate without adding & modifying F5 SSL profile, iRule Actual results: Expected results: Additional info: Here is as example for manual configuration on F5 for this, 1.create the https VIP with a default server side ssl profile. 2.add a SSL::disable serverside as part of the iRule's when Client_Accepted statement. This disables the default server side ssl profile. 3.In the elseif statement for re-encrypt, add: a.set ssl_profile_enable "SSL::profile $ssl_profile" where ssl_profile is the client profile from a data group b.ssl:enable serverside (This will use the default server side ssl profile, you could do a mapping from a datag roup to increase the security) 4.In the last else statement, this seems to be for offload(edge) and you should set the client ssl profile. a.set ssl_profile_enable "SSL::profile $ssl_profile" where ssl_profile is the client profile from a datagroup