Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1434669

Summary: Need to configure manually for Reencrypt TLS termination based F5 Native Integration on OCP3.4
Product: OpenShift Container Platform Reporter: Daniel <doh>
Component: NetworkingAssignee: Ben Bennett <bbennett>
Status: CLOSED DUPLICATE QA Contact: Meng Bo <bmeng>
Severity: medium Docs Contact:
Priority: high    
Version: 3.4.1CC: aos-bugs, bmeng, erich, jokerman, mmccomas
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-28 15:36:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
screenshot of F5 configuration none

Description Daniel 2017-03-22 04:36:25 UTC
Created attachment 1265291 [details]
screenshot of F5 configuration

Description of problem:
We have TLS termination routes in default, logging, infra projects and each TLS termination is defined as below.
kibana, metrics : re-encrypt
docker-registry, registry-console : passthrough

In this case, I have some issues like below.
When I add a CA to SSL Profile(Client) in F5, all edge, passthrough is working which means I can access registry-console url in web browser so I need to change all re-encrypt to passthrough in routes of kibana, metrics.

However, when I add ssl profile(server) in F5 like attachment, only reencrypt routes are working.

The issue is that all tls routes is registered in https-ose-vserver so I can only set tls termination as edge/passthrough or re-encrypt manually.

We need to enhance this functionality as it automatically changes F5 configuration when we use all type of TLS termination with commercial certificate.

Version-Release number of selected component (if applicable):
3.4.1 F5 Native Integration 

How reproducible:
It's always happening when we use edge, passthrough, reencrypt TLS termination with commercial SSL certificate at the same time.

Steps to Reproduce:
1.Create secured route with edge using commercial SSL certificate without adding & modifying F5 SSL profile, iRule
2.Create secured route with passthrough using commercial SSL certificate without adding & modifying F5 SSL profile, iRule
3.Create secured route with reencrypt using commercial SSL certificate without adding & modifying F5 SSL profile, iRule

Actual results:


Expected results:


Additional info:
Here is as example for manual configuration on F5 for this,
1.create the https VIP with a default server side ssl profile.

2.add a SSL::disable serverside as part of the iRule's when Client_Accepted statement.  This disables the default server side ssl profile.

3.In the elseif statement for re-encrypt, add:

  a.set ssl_profile_enable "SSL::profile $ssl_profile" where ssl_profile is the client profile from a data group

  b.ssl:enable serverside (This will use the default server side ssl profile, you could do a mapping from a datag roup to increase the security)

4.In the last else statement, this seems to be for offload(edge) and you should set the client ssl profile.

  a.set ssl_profile_enable "SSL::profile $ssl_profile" where ssl_profile is the client profile from a datagroup

Comment 2 Ben Bennett 2017-03-28 15:36:30 UTC

*** This bug has been marked as a duplicate of bug 1431655 ***