search

F5Networks / f5-ansible-bigip

Declarative Ansible collection for managing F5 BIG-IP/BIG-IQ.
37 stars 17 forks source link

bigip httpapi module does not renew X-F5-Auth-Token after it expired #66

Closed simonkowallik closed 1 year ago

simonkowallik commented 1 year ago
COMPONENT NAME

bigip httpapi module, version 2.1.0 and before.

Environment

ANSIBLE VERSION
2.14.1
BIGIP VERSION
16.1.3.4
CONFIGURATION
OS / ENVIRONMENT
SUMMARY

The bigip httpapi module uses provided credentials to request an X-F5-Auth-Token from iControl REST, which expires after 1200 seconds by default. When the X-F5-Auth-Token expires, the bigip httpapi module does not request a new token while signaling a transient error which has been resolved (aka. re-requesting an API token). Developing httpapi plugins -> Error handling

The ansible httpapi will fallback to basic authentication which will double the required API calls and will eventually fail due to race conditions.

The relevant code: https://github.com/F5Networks/f5-ansible-bigip/blob/df5d60134cd8f280eb1ed78182b44b28f744f9be/ansible_collections/f5networks/f5_bigip/plugins/httpapi/bigip.py#L104-L114

What is missing in the above code it part of the HttpApiBase class of ansible (basically calling self.login within the handle_httperror method):

https://github.com/ansible-collections/ansible.netcommon/blob/ae5b2747ff09a7751526dd9d5d079cf67bd2c8a7/plugins/plugin_utils/httpapi_base.py#L75-L86

STEPS TO REPRODUCE

Create 150 FAST applications using a loop in ansible will eventually trigger the above issue as it will take longer than 1200 seconds. It will eventually lead to API errors and therefore failures to deploy all FAST applications.

EXPECTED RESULTS

When the API returns a 401 and an API token (X-F5-Auth-Token) has been successfully acquired before, re-request a new API token.

ACTUAL RESULTS
G-gonzalezjimenez commented 1 year ago

Tracking internally with 1182

wojtek0806 commented 1 year ago

fixed in next release