F5Networks / f5-azure-arm-templates-v2

Azure Resource Manager Templates for quickly deploying BIG-IP services in Azure

Azure ARM Deployment fails on BigIPTemplate #11

Closed JohanK82 closed 1 year ago

JohanK82 commented 2 years ago

Describe the bug

Using Location WEU (and EUS as well to test), it is impossible to deploy a working HA environment for an F5 VE (BYOL).

Expected behavior

Deployment succeeded; start configuration after deploying. When selecting a deployment directly from the Azure Marketplace with 1 instance and 2 boot locations, I have a working solution in about 10-15 minutes.

Current behavior

While deploying an HA solution to Azure via ARM, deployment fails on the bigipTemplate (01/02). Example of the error that we have faced:

2022-03-09T09:53:22.851Z [20234]: info: MAC adddress is not populated on 1.1 BIGIP interface. Trying to re-fecth interface data. Left attempts: 98
2022-03-09T09:53:22.870Z [20234]: info: Interface:1.2
2022-03-09T09:53:22.875Z [20234]: info: MAC adddress is not populated on 1.2 BIGIP interface. Trying to re-fecth interface data. Left attempts: 98
2022-03-09T09:53:26.401Z [20234]: info: F5 Teem report was successfully sent for failure case.
2022-03-09T09:53:26.402Z [20234]: info: AKV10032: Invalid issuer. Expected one of

Possible solution

Avoid the stop error by adding a timeout or pause between the initial deployment of the resources and the initial configuration of the F5 devices.

Steps to reproduce

Use the "azuredeploy.json" template, or just deploy from GitHub; both fail.

Context

As we are working on an on-premises/cloud architecture, we would like to create an equal environment in Azure to avoid discrepancies between configuration on-premises and in the cloud.

Any other remarks that I have forgotten to add to help us to solve the issue, please let me know. Happy to provide you details about the deployment as well when this is required/needed.

mikeshimkus commented 2 years ago

Hi @JohanK82, strictly speaking this would be an issue with F5 BIG-IP Runtime Init rather than the templates themselves; however, I just ran a spot test in West Europe and was successful.

Runtime init will try for more than 15 minutes to fetch the interface MAC addresses. Seems like adding more time to that would not really help since if the instance metadata service is not up in 15 minutes, there may be something else wrong.

If you modified the runtime init configuration or the templates, can you share them with us? Otherwise, when this issue is occurring, can you verify that you can access the instance metadata by running this command on the BIG-IP and sending us the output:

curl -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance/network?api-version=2017-08-01" | jq .

mikeshimkus commented 2 years ago

Actually, looking more closely, I see that the problem may be in accessing the Key Vault secret ("[20234]: info: AKV10032: Invalid issuer. Expected one of").

Can you confirm that the values you used for the bigIpPasswordSecretId parameter and BIGIP_PASSWORD in runtime init config follow the examples below? (You must create this key vault and secret prior to deploying.)

Template: bigIpPasswordSecretId: https://<your key vault name>.vault.azure.net/secrets/<your secret name>/<your secret id guid>

- name: BIGIP_PASSWORD
  type: secret
  secretProvider:
    type: KeyVault
    environment: azure
    vaultUrl: 'https://<your key vault name>.vault.azure.net/'
    secretId: <your secret name>

JohanK82 commented 2 years ago

Hi @mikeshimkus, thanks for picking up my (our) struggle 👍. I think I have overlooked the part to create a "personal" runtime init config as well (if this is a requirement to have a working HA deployment); I have added the key vault configuration in the template itself as one of the required parameters, so I thought this was enough to have the deployment running (obviously not). I'll have a look at the runtime init config, and will update you when this is (was) indeed the case.

depperson commented 2 years ago

In case it isn't entirely clear: the solution to this #11 is in #12:

"The runtime init configuration file needs to be updated to point to the ID of your secret (the same secret provided for bigIpPasswordSecretId in the template input params)."

The Azure Deploy button doesn't work with the default settings and the steps around that button do not make this abundantly clear.
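
A pre-deployment check for the mismatch discussed in this thread, added here as an example and not taken from the thread or from F5's code: it compares the template's bigIpPasswordSecretId with the vaultUrl and secretId of the runtime init BIGIP_PASSWORD entry. The function names and the sample vault, secret name and version are constructed for illustration, and the runtime init secretProvider block is assumed to be already loaded into a dict.

```python
from urllib.parse import urlparse

# Constructed sample values (not from the issue): a filled-in template parameter
# and the matching secretProvider block from the runtime init config.
TEMPLATE_SECRET_ID = ("https://contoso-kv.vault.azure.net/secrets/"
                      "bigip-admin-password/0123456789abcdef0123456789abcdef")
RUNTIME_INIT_PROVIDER = {
    "type": "KeyVault",
    "environment": "azure",
    "vaultUrl": "https://contoso-kv.vault.azure.net/",
    "secretId": "bigip-admin-password",
}

def parse_secret_id(secret_id_url):
    """Split a Key Vault secret identifier into (vault_host, secret_name, version)."""
    u = urlparse(secret_id_url)
    parts = [p for p in u.path.split("/") if p]
    if u.scheme != "https" or not u.hostname or len(parts) < 2 or parts[0] != "secrets":
        raise ValueError(f"not a Key Vault secret identifier: {secret_id_url!r}")
    version = parts[2] if len(parts) > 2 else None
    return u.hostname.lower(), parts[1], version

def check_secret_alignment(bigip_password_secret_id, secret_provider):
    """Return a list of problems; an empty list means both settings name the same secret."""
    problems = []
    fields = (("bigIpPasswordSecretId", bigip_password_secret_id),
              ("vaultUrl", secret_provider.get("vaultUrl", "")),
              ("secretId", secret_provider.get("secretId", "")))
    # Catch values left at the documentation placeholders (<your secret name>, ...).
    for label, value in fields:
        if not value or "<" in value or ">" in value:
            problems.append(f"{label} is empty or still a placeholder")
    if problems:
        return problems
    vault_host, secret_name, _version = parse_secret_id(bigip_password_secret_id)
    cfg_host = (urlparse(secret_provider["vaultUrl"]).hostname or "").lower()
    if cfg_host != vault_host:
        problems.append(f"vault mismatch: template={vault_host} runtime-init={cfg_host}")
    # Exact comparison, so the two files stay textually consistent.
    if secret_provider["secretId"] != secret_name:
        problems.append(f"secret name mismatch: template={secret_name} "
                        f"runtime-init={secret_provider['secretId']}")
    return problems

if __name__ == "__main__":
    for line in check_secret_alignment(TEMPLATE_SECRET_ID, RUNTIME_INIT_PROVIDER) or ["OK"]:
        print(line)
```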

shyawnkarim commented 1 year ago

Closing. Please open another issue if more assistance is needed.