F5Networks / f5-google-gdm-templates-v2

Google Deployment Templates for quickly deploying BIG-IP services in Google Cloud Platform

Example - failover: error on getting secret for BIGIP_PASSWORD #5

Closed curtkersey closed 2 years ago

curtkersey commented 2 years ago

Describe the bug

Once the deployment was completed, I was looking for the password for BIG-IP devices. I could not find it anywhere - no new entry was created in Secret Manager in the GCP console. I was able to SSH into the BIG-IP, and I found an error in the bigIpRuntimeInit.log file:

```
2022-03-15T14:41:24.640Z [19216]: info: Configuration file: /config/cloud/runtime-init-conf.yaml
2022-03-15T14:41:24.667Z [19216]: info: Validating provided declaration
2022-03-15T14:41:24.663Z [19216]: info: Processing controls parameters
2022-03-15T14:41:24.790Z [19216]: info: Successfully validated declaration
2022-03-15T14:41:24.858Z [19216]: info: Resolving parameters
2022-03-15T14:41:26.187Z [19216]: error: Error getting secret from mySecretId Secret [projects/326061033782/secrets/mySecretId] not found or has no versions.
2022-03-15T14:41:26.188Z [19216]: info: Sending F5 Teem report for failure case.
2022-03-15T14:41:26.933Z [19216]: info: {"id":"a71fd2d5-c4fd-dc9c-f404bdbd31ef","product":"BIG-IP","cpuCount":8,"diskSize":81920,"memoryInMb":30160,"version":"16.1.0","nicCount":3,"regKey":"DIVTH-AGXAH-NWJPK-JIVCY-PFMWMHA","platformId":"Z100","hostname":"bigip1","management":"10.0.0.11/32","provisionedModules":{"ltm":"nominal"},"installedPackages":{},"environment":{"pythonVersion":"Python 2.7.5","pythonVersionDetailed":"2.7.5 (default, Jun 22 2021, 22:47:51) \n[GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]","nodeVersion":"v6.9.1","libraries":{"ssh":"OpenSSH_7.4p1, OpenSSL 1.0.2u-fips 20 Dec 2019"}}}
2022-03-15T14:41:38.463Z [19216]: info: F5 Teem report was successfully sent for failure case.
2022-03-15T14:41:38.464Z [19216]: info: Error getting secret from mySecretId Secret [projects/326061033782/secrets/mySecretId] not found or has no versions.
```

Expected behavior

Create secret for BIG-IP password.

Current behavior

Error message regarding secret in log file -- see above.

Possible solution

TBD.

Steps to reproduce

Will add the YAML file that was used by Deployment Manager below. I ran that via a gcloud CLI command.

Context

Trying to deploy HA pair using templates.

Your Environment

Running gcloud CLI from a generic Ubuntu 18.04 LTS host.

curtkersey commented 2 years ago

```yaml
# yamllint disable rule:line-length
# Copyright 2021 F5 Networks All rights reserved.
#
# Version 2.0.0.0
#
# NOTE: When filling out the parameter values for this deployment:
# Deployments leverage .schema files to help enforce requirements/parameter typing and defaults.
# '###' Will be used above each parameter and contain description of values required
# REQUIRED parameters values are left empty and value MUST be entered.
# OPTIONAL parameters contain defaults (same default from schema file). However, some are deployment specific and generally should be modified to match your environment.
#
# CAUTION:
# Use single quotes around strings when supplying special characters or list of values. Example: applicationPort '443 444 445'.
# Required fields left empty or faulty values (ex. typos, incorrect timezone strings, etc.)
# can result in various classes of failures, from template launch failures to silent BIG-IP deployment failures.
# Use the Troubleshooting section at the bottom of this .yaml to understand if the template and BIG-IP deployed correctly.
imports:
```

f5-applebaum commented 2 years ago

Created ESECLDTPLT-3024.

Creating the secret needs to be emphasized more and added to the Pre-Req section (like we have in AWS: https://github.com/F5Networks/f5-aws-cloudformation-v2/tree/main/examples/failover#prerequisites)

https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets#create ex.

```
$ vim password.txt
$ gcloud secrets create mySecretId --data-file="password.txt"
```

curtkersey commented 2 years ago

I used the command to create the mySecretId secret, and it got further; however, it did not complete. BIG-IP devices are still in standalone state with no configuration. The password was also not set to the value of mySecretId. I SSHed into the instance to set it manually, and then I could log in to TMUI.

Here is output of /var/log/cloud/bigIpRuntimeInit.log:

```
2022-03-16T14:47:37.362Z [19082]: info: Configuration file: /config/cloud/runtime-init-conf.yaml
2022-03-16T14:47:37.391Z [19082]: info: Validating provided declaration
2022-03-16T14:47:37.387Z [19082]: info: Processing controls parameters
2022-03-16T14:47:37.512Z [19082]: info: Successfully validated declaration
2022-03-16T14:47:37.604Z [19082]: info: Resolving parameters
2022-03-16T14:47:38.972Z [19082]: info: Executing install operations.
2022-03-16T14:47:38.985Z [19082]: info: Installing - do 1.27.0
2022-03-16T14:47:41.517Z [19082]: info: Validating - do extension is available.
2022-03-16T14:47:51.552Z [19082]: info: Installing - as3 3.34.0
2022-03-16T14:47:55.286Z [19082]: info: Validating - as3 extension is available.
2022-03-16T14:48:18.182Z [19082]: info: Installing - cf 1.10.0
2022-03-16T14:48:24.401Z [19082]: info: Validating - cf extension is available.
2022-03-16T14:48:37.443Z [19082]: info: Executing service operations.
2022-03-16T14:48:37.447Z [19082]: error: Unexpected token in JSON at position 778
2022-03-16T14:48:37.448Z [19082]: info: Sending F5 Teem report for failure case.
2022-03-16T14:48:38.109Z [19082]: info: {"id":"f27aafba-b112-1ed3-4e4dae55bd42","product":"BIG-IP","cpuCount":8,"diskSize":81920,"memoryInMb":30160,"version":"16.1.0","nicCount":3,"regKey":"DIVTH-AGXAH-NWJPK-JIVCY-PFMWMHA","platformId":"Z100","hostname":"bigip1","management":"10.0.0.11/32","provisionedModules":{"ltm":"nominal"},"installedPackages":{"f5-service-discovery-1.10.6-1.noarch":"1.10.6","f5-declarative-onboarding-1.27.0-6.noarch":"1.27.0","f5-cloud-failover-1.10.0-0.noarch":"1.10.0","f5-appsvcs-3.34.0-4.noarch":"3.34.0"},"environment":{"pythonVersion":"Python 2.7.5","pythonVersionDetailed":"2.7.5 (default, Jun 22 2021, 22:47:51) \n[GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]","nodeVersion":"v6.9.1","libraries":{"ssh":"OpenSSH_7.4p1, OpenSSL 1.0.2u-fips 20 Dec 2019"}}}
2022-03-16T14:48:49.515Z [19082]: info: F5 Teem report was successfully sent for failure case.
2022-03-16T14:48:49.516Z [19082]: info: Unexpected token in JSON at position 778
```

After logging in and going through the initial configuration via TMUI, I was able to confirm that AS3, DO, CFE, and Service Discovery were installed on the instance.

I will also attach the full log file: startup-script-post-swap-nic.log

curtkersey commented 2 years ago

When using the command above to set password via a file, password.txt, the editor (vi in this case) is adding a NEWLINE character to the end of the password. This causes an error when the BIG-IP runtime init is running since the password has the illegal character in it. To work around this problem, I set the secret via command line (see command below), and everything worked well:

% echo -n "MyPassw0rd" | gcloud secrets versions add mySecretId --data-file=-

Note: I used 'versions add' since I had already created mySecretId in the previous step.
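
Added example (not part of the thread and not F5's code): a Node.js sketch of how the trailing newline described above can surface as a JSON parse error, and a check that catches it before the secret is used. It assumes the secret value is substituted as raw text into a JSON declaration; the template, the `{{ADMIN_PASS}}` placeholder and all function names are hypothetical.

```javascript
// ASSUMPTION: the secret is pasted as raw text into a JSON declaration.
// Template, placeholder and helper names are hypothetical, for illustration only.
const TEMPLATE =
  '{"class":"User","userType":"regular","password":"{{ADMIN_PASS}}","shell":"bash"}';

// Raw substitution: the secret's bytes land inside the JSON string unchanged.
// A replacer function is used so "$" in a password is not treated as a pattern.
function renderRaw(template, secret) {
  return template.replace('{{ADMIN_PASS}}', () => secret);
}

// Escaped substitution: JSON.stringify encodes control characters (\n -> \\n).
function renderEscaped(template, secret) {
  return template.replace('"{{ADMIN_PASS}}"', () => JSON.stringify(secret));
}

// Pre-flight check: report every control character (newline, CR, tab, ...).
function findControlChars(secret) {
  const hits = [];
  for (let i = 0; i < secret.length; i++) {
    const code = secret.charCodeAt(i);
    if (code < 0x20 || code === 0x7f) hits.push({ index: i, code });
  }
  return hits;
}

// Parse and report the outcome instead of throwing.
function tryParse(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name, message: err.message };
  }
}

// Constructed sample values (not real credentials).
const fromEditor = 'MyPassw0rd\n'; // file saved by vi: trailing newline
const fromEchoN = 'MyPassw0rd';    // value piped with `echo -n`

const rawBad = tryParse(renderRaw(TEMPLATE, fromEditor));   // parse fails
const rawGood = tryParse(renderRaw(TEMPLATE, fromEchoN));   // parse succeeds
// Escaping makes the JSON valid, but the password still ends in "\n",
// so rejecting the secret up front is the safer check.
const escaped = tryParse(renderEscaped(TEMPLATE, fromEditor));

console.log(rawBad, rawGood.ok, escaped.value.password.length,
  findControlChars(fromEditor));
```

The exact error message text differs between Node.js versions, so the example reports the error type and leaves the wording to the runtime.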

alexapplebaum commented 2 years ago

Thanks for the notice re: newline. We will make sure we put a note to ensure there is no newline at the end of the file.

KrithikaChidambaram commented 2 years ago

This was fixed in the v2.2.0.0 release. Closing this.