Closed pmilot closed 4 months ago
Maybe I should have included the TLSProfile yaml
apiVersion: v1
name: reencrypt-tls
namespace: mynamespace
spec:
hosts:
- myapp.example.com.
tls:
clientSSL: /Common/Shared/my_ssl_profile
reference: bigip
serverSSL: /Common/Shared/my_serverssl_profile
termination: reencrypt
This problem appears to be fixed in 2.16.1. Is it possible to confirm ?
Created [CONTCNTR-4732] for internal tracking.
@trinaths We discovered today as we are trying to work around this bug that this bug affects more than the ssl profiles.
CIS is deleting ssl profiles, irules, logging profiles that are referenced from /Common/Shared.
@pmilot Please CIS configuration and logs to automation_toolchain_pm automation_toolchain_pm@f5.com
Closing the issue as it's fixed with #3427
@arzzon Any chance I can get a dev build with this fix ?
Thanks
@pmilot Please use the following CIS build generated from the build pipeline: quay.io/f5networks/k8s-bigip-ctlr-devel:6c771a457631bc7d16aa844b49f095c47ffeee5c
@arzzon We will test this today and report back. TY
@pmilot We found out that the issue is caused due to Virtual Server CR misconfiguration(Virtual server CRs created with partition set as Common), for which we have improved the CR validations. In case any VS CR is having partition set as Common, CIS will log error like: "[ERROR] VirtualServer xyz cannot be created in Common partition" Such Virtual Server CRs need to be removed.
@arzzon That is odd as we are not creating any VS in /Common. We are creating them in a dedicated partition for the cluster
apiVersion: cis.f5.com/v1
kind: VirtualServer
metadata:
labels:
f5cr: "true"
name: dummy-user-portal
namespace: dummy-user-portal
spec:
virtualServerAddress: 10.1.yyy.xxx
tlsProfileName: reencrypt-tls
host: myapp.example.com
iRules:
- /Common/Shared/k8s_ingress_sni_irule
policyName: dummy-user-portal-policy
persistenceProfile: none
pools:
- path: /
service: k8s-ingress
servicePort: 443
serviceNamespace: istio-system
extendedServiceReferences:
- clusterName: mycluster-1
namespace: istio-system
servicePort: 443
service: k8s-ingress
monitor:
type: tcp
interval: 10
timeout: 31
Command:
/app/bin/k8s-bigip-ctlr
Args:
--credentials-directory
/tmp/creds
--bigip-partition=mycluster-1
--bigip-url=https://10.1.yyy.xxx
--custom-resource-mode=true
--insecure=true
--ipam=false
--log-as3-response=true
--log-level=DEBUG
--namespace=dummy-user-portal
--namespace=istio-system
--pool-member-type=nodeport
@pmilot Thanks for the confirmation. If this is the case then you won't see the error message mentioned above. The shared CIS build has fixes to avoid posting declarations to Common partition.
@arzzon We've been running this build now for a week and I can confirm we have not lost our /Common objects since
Setup Details
CIS Version : 2.16
Description
CIS is posting unnecessarily to /Common tenant trying to delete a referenced ssl profile. I don't know what it is trying to do but it should not be trying to delete a referenced profile that it did not create ?
Also when the VS is deleted, CIS deletes the VIP and the ssl profile from the /Common partition that was referenced in the TLSProfile
This is very similar to a bug I reported last year.
https://github.com/F5Networks/k8s-bigip-ctlr/issues/2797
Steps To Reproduce
1) Create TLSprofile with a referenced bigip profile ex: /Common/Shared/my_ssl_profile 2) Create a VS with the SSL profile 3) The CIS goes into an endless loop trying to post to the /Common tennant
CIS LOG declaration failed response:01070265:3: The ClientSSL Profile (/Common/Shared/my_clientssl_profile) cannot be deleted because it is in use by a virtual server profile (/atlas/Shared/crd_10_10_10_177_443 /Common/Shared/my_clientssl_profile)). runTime:3821 tenant:Common]]]
BIGIP LOG May 8 19:00:19 QA-K8S-BIGIP-01.mydomain.local err mcpd[7723]: 01070265:3: The ClientSSL Profile (/Common/Shared/my_clientssl_profile) cannot be deleted because it is in use by a virtual server profile (/atlas/Shared/crd_10_10_10_177_443 /Common/Shared/my_clientssl_profile).
4) Delete the VS and CIS will delete the VIP and the SSL profile that was referenced
2024/05/08 19:04:15 [DEBUG] [AS3] Response from BIG-IP: code: 200 --- tenant:Common --- message: success 2024/05/08 19:04:15 [DEBUG] [AS3] Response from BIG-IP: code: 200 --- tenant:Common --- message: success
Expected Result
CIS should not be deleting or modifying referenced TLS profiles
Actual Result
referenced TLS profiles are actually deleted by CIS even though they were never created with CIS