F5Networks / f5-appsvcs-extension

F5 BIG-IP Application Services 3 Extension
Apache License 2.0

Policy_Action_Drop - additional events #826

Open kingb33 opened 1 month ago

kingb33 commented 1 month ago

Is your feature request related to a problem? Please describe.

The Policy_Action_Drop does not have all the events available to it compared to the manual configuration in the GUI.

Relevant AS3 configuration:

```json
{
  "class": "AS3",
  "action": "deploy",
  "persist": true,
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.50.2",
    "id": "id",
    "label": "WebApp",
    "OPENSHIFT": {
      "class": "Tenant",
      "Shared": {
        "class": "Application",
        "template": "shared"
      },
      "PREPROD": {
        "class": "Application",
        "api-int.ocpq1_vs": {
          "class": "Service_TCP",
          "label": "****",
          "persistenceMethods": [],
          "policyEndpoint": "api-int.ocpq1_Policy",
          "pool": "api-int.ocpq1_http_pool",
          "profileTCP": {"egress": {"bigip": "/Common/f5-tcp-lan"}, "ingress": {"bigip": "/Common/f5-tcp-wan"}},
          "remark": "***",
          "snat": "auto",
          "virtualAddresses": ["***"],
          "virtualPort": ****
        },
        "api-int.ocpq1_http_pool": {
          "class": "Pool",
          "label": "Pool for api-int.ocpq1_vs",
          "members": [{"hostname": "***", "servicePort": ***, "addressDiscovery": "fqdn", "autoPopulate": true}, {"hostname": "***", "servicePort": ****, "addressDiscovery": "fqdn", "autoPopulate": true}, {"hostname": "***", "servicePort": ****, "addressDiscovery": "fqdn", "autoPopulate": true}, {"hostname": "***", "servicePort": ***, "addressDiscovery": "fqdn", "autoPopulate": true}],
          "monitors": [{"bigip": "/Common/tcp_half_open"}],
          "remark": "Pool for api-int.ocpq1_vs"
        },
        "api-int.ocpq1_allowList": {
          "class": "Data_Group",
          "keyDataType": "ip",
          "label": "Allow list for...",
          "storageType": "internal",
          "records": [{"key": "****"}, {"key": "****"}]
        },
        "api-int.ocpq1_Policy": {
          "class": "Endpoint_Policy",
          "label": "Routing policy for...",
          "remark": "Routing policy for...",
          "rules": [{"name": "OpenshiftAllow", "remark": "Restrict access to api-int.ocpq1.stholdco.com", "actions": [{"type": "drop", "event": "client-accepted"}], "conditions": [{"type": "tcp", "event": "client-accepted", "address": {"operand": "does-not-match", "datagroup": {"use": "api-int.ocpq1_allowList"}}}]}],
          "strategy": "all-match"
        }
      }
    }
  }
}
```

```
Error: fatal: [f5-viprion-regn10-4c-infra-qa.stholdco.com]: FAILED! => {"changed": false, "msg": "{'code': 422, 'errors': ['/OPENSHIFT/PREPROD/api-int.ocpq1_Policy/rules/0/actions/0/event: should be equal to one of the allowed values [\"proxy-request\",\"request\",\"ssl-client-hello\"]'], 'declarationFullId': '', 'message': 'declaration is invalid', 'declarationId': 'id'}"}
```

I am attempting to build a Service_TCP virtual server that uses an Endpoint_Policy. The virtual server does not have an HTTP profile applied to it. Because "client-accepted" is not a valid event, I cannot use AS3 to manage it.

Describe the solution you'd like

It would be great if all the options in the GUI were available to the AS3 creation.

This includes: client accepted, http proxy connect, http proxy request, http proxy response, request, response, server connected, etc.

Describe alternatives you've considered

There is no alternative. I cannot build the configuration via AS3 the way it is built unless "client-accepted" is an accepted event.

ppieprzycki commented 4 weeks ago

Also interested in that feature for Service_TCP type virtuals.

RicharddeJong commented 3 weeks ago

We need this feature as well to create an ACL function on an SSL Passthrough virtual server.

mdditt2000 commented 2 weeks ago

@RicharddeJong @ppieprzycki @kingb33 please reach out to me to prioritize this feature for an upcoming sprint. Email to automation_toolchain_pm@f5.com - If I can get all three names we can add it to the next sprint!

pedrorouremalta commented 2 weeks ago

Also interested in using the "drop" action with the "client-accepted" event. Needing this to be able to migrate an existing NetScaler config to AS3.

mdditt2000 commented 2 weeks ago

Adding the "client-accepted" value to the "Policy_Action_Drop" object is in the current sprint and will be part of the AS3 52 release posted in July.

mdditt2000 commented 5 days ago

AS3 3.52.0 build 2 is now available, which adds support for the "client-accepted" value under "Policy_Action_Drop". Reach out if you want to do some early testing.
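A pre-flight check for this constraint, added here as an example and not part of AS3 or the project's code: it walks a declaration and reports every "drop" action whose event the schema rejects, producing the same path and message as the 422 error in the opening post. The pre-3.52 event list is the one from that error and the 3.52.0 addition is the one reported in this thread; keying the allowed sets by schemaVersion is an assumption of the example.

```python
import json
from typing import Iterator, List, Tuple

# Event names accepted for a "drop" action. The pre-3.52 set is the one listed in
# the 422 error above; "client-accepted" is the value the maintainers report adding
# in 3.52.0. Keying the sets by schemaVersion is an assumption of this example.
DROP_EVENTS_BY_SCHEMA = {
    "3.50.2": {"proxy-request", "request", "ssl-client-hello"},
    "3.52.0": {"proxy-request", "request", "ssl-client-hello", "client-accepted"},
}

def iter_policies(adc: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (JSON pointer, object) for every Endpoint_Policy in an ADC declaration."""
    for tenant_name, tenant in adc.items():
        if not (isinstance(tenant, dict) and tenant.get("class") == "Tenant"):
            continue
        for app_name, app in tenant.items():
            if not (isinstance(app, dict) and app.get("class") == "Application"):
                continue
            for name, item in app.items():
                if isinstance(item, dict) and item.get("class") == "Endpoint_Policy":
                    yield f"/{tenant_name}/{app_name}/{name}", item

def check_drop_events(declaration: dict) -> List[str]:
    """Return AS3-style error strings for drop actions whose event the schema rejects."""
    adc = declaration["declaration"]
    allowed = DROP_EVENTS_BY_SCHEMA[adc["schemaVersion"]]  # KeyError for unknown versions
    listed = json.dumps(sorted(allowed), separators=(",", ":"))
    errors = []
    for path, policy in iter_policies(adc):
        for r, rule in enumerate(policy.get("rules", [])):
            for a, action in enumerate(rule.get("actions", [])):
                if action.get("type") == "drop" and action.get("event") not in allowed:
                    errors.append(f"{path}/rules/{r}/actions/{a}/event: should be equal "
                                  f"to one of the allowed values {listed}")
    return errors

# Constructed declaration, reduced from the one in the issue (masked values dropped).
DECL = json.loads("""{"class": "AS3", "action": "deploy", "declaration": {
  "class": "ADC", "schemaVersion": "3.50.2", "id": "id",
  "OPENSHIFT": {"class": "Tenant", "PREPROD": {"class": "Application",
    "api-int.ocpq1_Policy": {"class": "Endpoint_Policy", "strategy": "all-match",
      "rules": [{"name": "OpenshiftAllow",
        "actions": [{"type": "drop", "event": "client-accepted"}],
        "conditions": [{"type": "tcp", "event": "client-accepted", "address": {
          "operand": "does-not-match", "datagroup": {"use": "api-int.ocpq1_allowList"}}}]}]}}}}}""")

if __name__ == "__main__":
    for err in check_drop_events(DECL):
        print(err)
```

Run it against a declaration before pushing it through the Ansible task; an empty result means no drop action will be rejected on the event field for that schema version.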