Closed JeffGiroux closed 1 year ago
Thanks for reporting and for providing these details. We'll take a look into either fixing the order issue or documenting the order requirement. Tracked with internal ID ESECLDTPLT-3078.
If you ever validate bucket permissions from the BIG-IP, you can SSH to the BIG-IP and run this locally:

```bash
curl -H "Authorization: Bearer $(curl -sf --retry 20 -H 'Metadata-Flavor: Google' http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token | jq --raw-output '.access_token')" https://storage.googleapis.com/storage/v1/b?project=$(curl -sf --retry 20 -H 'Metadata-Flavor: Google' http://169.254.169.254/computeMetadata/v1/project/project-id)
```
I am facing the above issue mentioned by you for one of my GCP cloud deployed VMs. Here I am only using CFE but still getting the same error, so the order of DO/AS3 is not applicable to my case. Also, can you please help me edit the below command as per my device data and execute it, i.e. which field I need to populate with which data, and then execute it from the F5 bash:

```bash
curl -H "Authorization: Bearer $(curl -sf --retry 20 -H 'Metadata-Flavor: Google' http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token | jq --raw-output '.access_token')" https://storage.googleapis.com/storage/v1/b?project=$(curl -sf --retry 20 -H 'Metadata-Flavor: Google' http://169.254.169.254/computeMetadata/v1/project/project-id)
```
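The command in the two comments above needs no fields filled in on a GCE VM: the metadata server supplies both the access token and the project id. As an added example (not code from the thread or from F5), here is that check expanded into a script to run on the BIG-IP over SSH, with the HTTP status interpreted instead of silently swallowed, and with each visible bucket queried through the Storage API's `testIamPermissions` endpoint so that a missing object permission is reported by name. It assumes `curl` and `jq` are present (the thread's command already relies on both) and that a default service account is attached to the VM; the `REQUIRED_PERMS` list is an assumed, illustrative set, and the CFE documentation is the authoritative source for what CFE actually needs.

```shell
#!/bin/bash
# Added example, not code from the issue thread or from F5: check from a
# BIG-IP whether the instance's service account can list buckets and holds
# the object permissions a failover extension needs. Assumes curl and jq
# are present and a default service account is attached to the VM.
# REQUIRED_PERMS is an assumed illustrative list; the CFE documentation is
# the authoritative source for the permissions CFE requires.

MD="http://169.254.169.254/computeMetadata/v1"
STORAGE="https://storage.googleapis.com/storage/v1"
REQUIRED_PERMS="storage.objects.get storage.objects.list storage.objects.create storage.objects.delete"

# Map the HTTP status of a Storage API call to a diagnosis. Pure function,
# so it can be exercised without network access.
interpret_http_code() {
  case "$1" in
    200) echo "ok" ;;
    401) echo "token rejected: no usable access token from the metadata server" ;;
    403) echo "authenticated but forbidden: service account lacks an IAM permission" ;;
    404) echo "not found: wrong project id or bucket name" ;;
    000) echo "no HTTP response: check routes, DNS and egress to storage.googleapis.com" ;;
    *)   echo "unexpected HTTP status $1" ;;
  esac
}

# Given the JSON body returned by testIamPermissions (a flat
# {"permissions": [...]} object) and a space-separated required list,
# print each required permission that is absent, one per line. A quoted
# substring match is enough for this flat shape and avoids needing jq here.
missing_permissions() {
  json="$1"; required="$2"
  for p in $required; do
    printf '%s' "$json" | grep -qF "\"$p\"" || echo "$p"
  done
}

# Read a path from the GCE metadata server (same header as the thread's command).
metadata() { curl -sf --retry 20 -H 'Metadata-Flavor: Google' "$MD/$1"; }

run_checks() {
  token=$(metadata instance/service-accounts/default/token | jq -r '.access_token')
  project=$(metadata project/project-id)
  if [ -z "$token" ] || [ -z "$project" ]; then
    echo "could not read token or project id from the metadata server"; return 1
  fi

  # List buckets; keep the response body and the status code separately.
  tmp=$(mktemp)
  code=$(curl -s -o "$tmp" -w '%{http_code}' -H "Authorization: Bearer $token" "$STORAGE/b?project=$project")
  echo "bucket list ($project): $(interpret_http_code "$code")"
  [ "$code" = 200 ] || { rm -f "$tmp"; return 1; }

  # For each visible bucket, ask the API which required permissions the
  # caller actually holds, and report the gap by name.
  query=$(for p in $REQUIRED_PERMS; do printf 'permissions=%s&' "$p"; done)
  jq -r '.items[]?.name' "$tmp" | while read -r bucket; do
    perms=$(curl -s -H "Authorization: Bearer $token" "$STORAGE/b/$bucket/iam/testPermissions?${query%&}")
    missing=$(missing_permissions "$perms" "$REQUIRED_PERMS")
    if [ -z "$missing" ]; then
      echo "$bucket: all required permissions held"
    else
      echo "$bucket: missing $(printf '%s' "$missing" | tr '\n' ' ')"
    fi
  done
  rm -f "$tmp"
}

# Run the checks only when invoked with "run", so the functions can also be
# sourced for testing:  bash check_gcs_access.sh run
if [ "${1:-}" = run ]; then run_checks; fi
```

A 403 on the bucket listing with a non-empty token is the case that matters for the thread: the VM reaches Google's API fine, but the service account's IAM role does not grant `storage.buckets.list`, which no amount of route or DNS troubleshooting will fix. An `000` status, by contrast, points at the network path rather than at IAM.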
Closing. A fix for this is not possible due to a race condition on BIG-IP. Please follow the examples in our documentation. They have been tested and work.
Using runtime to install the toolchain and declarations. I usually use the following install order: DO > AS3 > CFE
I usually apply the service declarations in the following order: DO > AS3 > CFE
I have found lately that I fail onboarding with 500 errors and bucket problems. I had many issues in the past with CFE and buckets and/or the ordering of declarations...similar to the past ticket here https://github.com/F5Networks/f5-bigip-runtime-init/issues/34. During this time, there are absolutely NO logs hitting the GCP cloud API...and this tells me that CFE is not even trying to reach out. I have used a known working GDM template to deploy failover BIG-IPs to see the difference in API logs...and my terraform repo with DO > AS3 > CFE declaration order does not produce any API hits for storage/buckets.
Workaround
You must apply the declarations in the following order: DO > CFE > AS3
As soon as I change the order...instant magic! I ran my terraform job again and 100% success onboarding for both big-ip nodes. I see API hits in the GCP logging for my service account IAM user too and bucket/storage hits.
Errors
Here's sample error...
Troubleshooting
I have performed TONS of troubleshooting to narrow this down. I have checked routes, permissions, everything looks good. I can SSH to the BIG-IP and run the manual CLI command to prove the IAM user can see buckets.