F5Networks / f5-declarative-onboarding

F5 BIG-IP Declarative Onboarding
Apache License 2.0

Allow for Lifecycle of Trusted Devices and HA clusters #142

Open hparr opened 4 years ago

hparr commented 4 years ago

Is your feature request related to a problem? Please describe.

Currently you can declare a device to be trusted with DO, but you cannot remove a device from the trust.

Describe the solution you'd like

A device trust declaration should allow for CRUD operations. You can remove a member from the sync group by reposting the declaration without it listed.

Original

```json
{
    "schemaVersion": "1.0.0",
    "class": "Device",
    "async": true,
    "label": "Onboard BIG-IP into an HA Pair",
    "Common": {
        "class": "Tenant",
        "failoverGroup": {
            "class": "DeviceGroup",
            "type": "sync-failover",
            "members": ["10.0.1.51", "10.0.1.148"],
            "owner": "/Common/failoverGroup/members/0",
            "autoSync": true,
            "saveOnAutoSync": false,
            "networkFailover": true,
            "fullLoadOnSync": false,
            "asmSync": false
        },
```

Updated:

```json
{
    "schemaVersion": "1.0.0",
    "class": "Device",
    "async": true,
    "label": "Onboard BIG-IP into an HA Pair",
    "Common": {
        "class": "Tenant",
        "failoverGroup": {
            "class": "DeviceGroup",
            "type": "sync-failover",
            "members": ["10.0.1.51"],
            "owner": "/Common/failoverGroup/members/0",
            "autoSync": true,
            "saveOnAutoSync": false,
            "networkFailover": true,
            "fullLoadOnSync": false,
            "asmSync": false
        },
```

There does not appear to be a mechanism to remove a device from the trust.

Per Schema we have these options:

```json
"trust": {
    "class": "DeviceTrust",
    "localUsername": "admin",
    "localPassword": "password",
    "remoteHost": "10.0.1.148",
    "remoteUsername": "admin",
    "remotePassword": "password"
}
```

Sending a declaration without the device IP listed does not remove it.

We need the ability to remove members from the sync-groups AND the trust. Perhaps (proposed new `delete` key on the last line):

```json
"trust": {
    "class": "DeviceTrust",
    "localUsername": "admin",
    "localPassword": "password",
    "remoteHost": "10.0.1.148",
    "remoteUsername": "admin",
    "remotePassword": "password",
    "delete": "false" / "true"
}
```

Describe alternatives you've considered

While a user could update via imperative APIs, TMUI, or TMSH - we should not force them to change methods.

Additional context

Note that even once DO has been used to remove a device from the sync group, sending a new declaration for trust with a new peer IP device does not lead to the device being added to the trust. To repro, set up devices A and B. Use DO to establish trust and cluster between A and B. Then deploy device C. Try to replace B with C. Both the full declaration (Trust and Cluster) and the partial one (Trust) sent to A fail to add device C.

When attempting to replace devices in the Trust -

"Device is already part of a trust-domain.", "Device is already part of a trust-domain."

The item that we need to protect is the programmatic management of the cluster and HA model. The actual data plane components should be able to be ephemeral and replaceable.
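The desired-state ("CRUD") semantics this request asks for can be sketched as a reconciler: compare what the local BIG-IP currently has in its trust domain and sync-failover group with what a declaration lists, and emit the ordered changes needed. The following is an added example, not code from the f5-declarative-onboarding project: the state dictionaries, the third peer 10.0.1.200 and the optional `"delete"` key are constructed for illustration, and `plan()` is a hypothetical reconciler rather than DO's API. It covers both forms the issue discusses, removal by omission (the "Updated" declaration above) and removal by an explicit flag (the proposed `delete` key), plus the replace-B-with-C scenario.

```python
"""Desired-state reconciliation for a DO-style HA declaration (added example)."""
from __future__ import annotations

from dataclasses import dataclass

REMOVE_MEMBER = "remove_group_member"
REMOVE_TRUST = "remove_trust"
ADD_TRUST = "add_trust"
ADD_MEMBER = "add_group_member"


@dataclass(frozen=True)
class Action:
    kind: str
    device: str


def _blocks(declaration: dict, cls: str) -> list[dict]:
    """Return every object under Common whose "class" is cls."""
    common = declaration.get("Common", {})
    return [v for v in common.values() if isinstance(v, dict) and v.get("class") == cls]


def desired_state(declaration: dict, local: str) -> tuple[set[str], set[str]]:
    """Peers (excluding the local device) that should be group members / trusted."""
    members = {m for g in _blocks(declaration, "DeviceGroup") for m in g.get("members", [])}
    trusts = _blocks(declaration, "DeviceTrust")
    trusted = {t["remoteHost"] for t in trusts if "remoteHost" in t}
    # A device can only be a sync-group member once it is in the trust domain,
    # so every declared member is implicitly a desired trust peer.
    trusted |= members
    # Hypothetical explicit form from the issue: "delete": true on a DeviceTrust block.
    explicit_remove = {t["remoteHost"] for t in trusts if t.get("delete") is True}
    members -= explicit_remove | {local}
    trusted -= explicit_remove | {local}
    return members, trusted


def plan(local: str, current: dict, declaration: dict) -> list[Action]:
    """Ordered actions that move `current` to the state the declaration describes.

    The local device is never removed from its own trust domain; that change
    has to be driven from a peer that stays in the domain.
    """
    want_members, want_trust = desired_state(declaration, local)
    have_members = set(current["group_members"]) - {local}
    have_trust = set(current["trust"]) - {local}

    actions: list[Action] = []
    # 1. Leave the sync group before trust is revoked: a device that is still a
    #    group member cannot be dropped from the trust domain.
    actions += [Action(REMOVE_MEMBER, d) for d in sorted(have_members - want_members)]
    # 2. Revoke trust for devices the declaration no longer wants anywhere.
    actions += [Action(REMOVE_TRUST, d) for d in sorted(have_trust - want_trust)]
    # 3. New peers must be trusted before they can join the group.
    actions += [Action(ADD_TRUST, d) for d in sorted(want_trust - have_trust)]
    actions += [Action(ADD_MEMBER, d) for d in sorted(want_members - have_members)]
    return actions


# Constructed sample state: A (local) and B are trusted and clustered.
LOCAL = "10.0.1.51"
CURRENT_STATE = {
    "trust": {"10.0.1.51", "10.0.1.148"},
    "group_members": {"10.0.1.51", "10.0.1.148"},
}


def declaration(members: list[str], trust: dict | None) -> dict:
    """Build a minimal declaration in the shape shown in the issue."""
    common = {
        "class": "Tenant",
        "failoverGroup": {"class": "DeviceGroup", "type": "sync-failover", "members": members},
    }
    if trust is not None:
        common["trust"] = {"class": "DeviceTrust", **trust}
    return {"schemaVersion": "1.0.0", "class": "Device", "Common": common}


# Replace B with a constructed third device C (10.0.1.200).
DECL_REPLACE_B_WITH_C = declaration(["10.0.1.51", "10.0.1.200"], {"remoteHost": "10.0.1.200"})
# Drop B from the group and the trust simply by not listing it anywhere.
DECL_DROP_B = declaration(["10.0.1.51"], None)
# Drop B using the proposed explicit "delete" flag on the trust block.
DECL_DELETE_B = declaration(["10.0.1.51"], {"remoteHost": "10.0.1.148", "delete": True})

if __name__ == "__main__":
    for name, decl in [("replace", DECL_REPLACE_B_WITH_C), ("drop", DECL_DROP_B), ("delete", DECL_DELETE_B)]:
        print(name, [(a.kind, a.device) for a in plan(LOCAL, CURRENT_STATE, decl)])
```

The ordering in `plan()` is the point of the example: group membership is torn down before trust is revoked, and trust is established before a new peer is added to the group, while the local device is excluded from every removal set so a declaration can never ask a device to evict itself.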

dstokesf5 commented 3 years ago

Thank you for your feedback. I have added this to our internal product backlog as AUTOTOOL-2045.

jtylershaw commented 3 years ago

There is a command that can be run on any member that will stay in the group from tmsh:

```
modify /cm trust-domain devices delete { }
```

This syncs across the entire trust-domain. This command cannot remove itself from the trust domain and must be run from another device that will stay in the trust-domain.