Bug 1434669 - Need to configure manually for Reencrypt TLS termination based F5 Native Integration on OCP3.4
Keywords:
Status: CLOSED DUPLICATE of bug 1431655
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.4.1
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Ben Bennett
QA Contact: Meng Bo
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-03-22 04:36 UTC by Daniel
Modified: 2017-03-28 15:36 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-28 15:36:30 UTC
Target Upstream Version:
Embargoed:


Attachments
screenshot of F5 configuration (16.29 KB, image/png)
2017-03-22 04:36 UTC, Daniel

Description Daniel 2017-03-22 04:36:25 UTC
Created attachment 1265291 [details]
screenshot of F5 configuration

Description of problem:
We have TLS termination routes in the default, logging and infra projects, and each TLS termination is defined as below.
kibana, metrics : re-encrypt
docker-registry, registry-console : passthrough

In this case, I have some issues like below.
When I add a CA to the SSL Profile (Client) in F5, all edge and passthrough routes are working, which means I can access the registry-console URL in a web browser, so I need to change all re-encrypt to passthrough in the routes of kibana and metrics.

However, when I add an SSL profile (server) in F5 like the attachment, only reencrypt routes are working.

The issue is that all TLS routes are registered in https-ose-vserver, so I can only set TLS termination as edge/passthrough or re-encrypt manually.

We need to enhance this functionality so that it automatically changes the F5 configuration when we use all types of TLS termination with a commercial certificate.

Version-Release number of selected component (if applicable):
3.4.1 F5 Native Integration

How reproducible:
It always happens when we use edge, passthrough and reencrypt TLS termination with a commercial SSL certificate at the same time.

Steps to Reproduce:
1. Create a secured route with edge termination using a commercial SSL certificate, without adding or modifying the F5 SSL profile or iRule
2. Create a secured route with passthrough termination using a commercial SSL certificate, without adding or modifying the F5 SSL profile or iRule
3. Create a secured route with reencrypt termination using a commercial SSL certificate, without adding or modifying the F5 SSL profile or iRule

Actual results:


Expected results:


Additional info:
Here is an example of manual configuration on F5 for this:
1. Create the HTTPS VIP with a default server-side SSL profile.

2. Add SSL::disable serverside as part of the iRule's when CLIENT_ACCEPTED statement. This disables the default server-side SSL profile.

3. In the elseif statement for re-encrypt, add:

  a. set ssl_profile_enable "SSL::profile $ssl_profile", where ssl_profile is the client profile from a data group

  b. SSL::enable serverside (this will use the default server-side SSL profile; you could do a mapping from a data group to increase the security)

4. In the last else statement, which seems to be for offload (edge), you should set the client SSL profile:

  a. set ssl_profile_enable "SSL::profile $ssl_profile", where ssl_profile is the client profile from a data group

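One way to express the four manual steps above as a single iRule, added here as an illustration (it is not the reporter's iRule nor the one shipped with the OpenShift F5 integration); the data-group names ose_passthrough_dg, ose_reencrypt_dg and ose_edge_dg, the fallback profile name default_clientssl and the SNI parsing are assumptions:

```tcl
when CLIENT_ACCEPTED {
    # Step 2: disable the default server-side SSL profile on every connection.
    # It is re-enabled below only for hosts found in the re-encrypt data group.
    SSL::disable serverside
    set ssl_profile_enable ""
}

when CLIENTSSL_CLIENTHELLO {
    # Read the SNI host name (TLS extension type 0); the 9-byte offset skips the
    # extension header and the server_name_list framing.
    set servername ""
    if { [SSL::extensions exists -type 0] } {
        binary scan [SSL::extensions -type 0] @9A* servername
    }
    set servername [string tolower $servername]

    if { [class match $servername equals ose_passthrough_dg] } {
        # Passthrough: do not terminate TLS on the F5 at all (assumed data group
        # ose_passthrough_dg lists the passthrough route hosts).
        SSL::disable
    } elseif { [class match $servername equals ose_reencrypt_dg] } {
        # Step 3a: the data-group value is the client-ssl profile for this host.
        set ssl_profile [class match -value $servername equals ose_reencrypt_dg]
        set ssl_profile_enable "SSL::profile $ssl_profile"
        # Step 3b: re-enable server-side TLS so the hop to the pod is encrypted
        # with the default server-ssl profile (or map one per host from a data group).
        SSL::enable serverside
    } else {
        # Step 4: edge (offload) routes terminate TLS here with the host's
        # client-ssl profile and stay plain HTTP towards the pod.
        set ssl_profile [class match -value $servername equals ose_edge_dg]
        if { $ssl_profile eq "" } {
            # Hosts missing from every data group use an assumed fallback profile.
            set ssl_profile "default_clientssl"
        }
        set ssl_profile_enable "SSL::profile $ssl_profile"
    }

    # Apply the chosen client-ssl profile (steps 3a/4a build the command as a string).
    if { $ssl_profile_enable ne "" } {
        eval $ssl_profile_enable
    }
}
```

Each data group maps a route host name to the client-ssl profile that carries that host's commercial certificate, so only the re-encrypt branch ever re-enables the server-side profile that the reporter's attachment configures.
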
Comment 2 Ben Bennett 2017-03-28 15:36:30 UTC

*** This bug has been marked as a duplicate of bug 1431655 ***

