F5Networks / k8s-bigip-ctlr

Repository for F5 Container Ingress Services for Kubernetes & OpenShift.
Apache License 2.0
359 stars 195 forks

Controller stops posting changes at runtime when some ingress path has the + character #3561

Open jmolinavizcaino opened 1 month ago

jmolinavizcaino commented 1 month ago

Setup Details

- CIS Version: 2.16.1
- Build: f5networks/k8s-bigip-ctlr:latest
- BIGIP Version: Big IP 15.1.8 Build 0.0.7 Final
- AS3 Version: 3.26.1
- Agent Mode: AS3
- Orchestration: K8S
- Orchestration Version: v1.23.8
- Pool Mode: Cluster
- Additional Setup details: Calico v3.24.3

Description

When a K8s administrator configures an ingress resource where the path value has a + symbol, the controller stops posting any further runtime changes to the F5 Big-IP LTM, showing the following error.

```
2024/09/18 10:53:54 [ERROR] [AS3] Template is not valid. see errors
2024/09/18 10:53:54 [ERROR] - (root): Must validate one and only one schema (oneOf)
2024/09/18 10:53:54 [ERROR] - declaration.Shared: Must validate "then" as "if" was valid
2024/09/18 10:53:54 [ERROR] - declaration.Shared.rules.1.name: Does not match pattern '^[a-zA-Z0-9_-.:%]+$'
2024/09/18 10:53:54 [ERROR] - declaration.Shared: Must validate all the schemas (allOf)
2024/09/18 10:53:54 [ERROR] - declaration.Shared: Must validate "then" as "if" was valid
2024/09/18 10:53:54 [ERROR] - declaration.Shared.rules.1.name: Does not match pattern '^[a-zA-Z0-9_-.:%]+$'
2024/09/18 10:53:54 [ERROR] - declaration.Shared: Must validate all the schemas (allOf)
2024/09/18 10:53:54 [ERROR] - declaration.Shared: Must validate all the schemas (allOf)
```

Steps To Reproduce

1) Create in K8s an ingress resource managed by the F5 controller where the path key value has a + character. Example:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/allow-http: "false"
    ingress.kubernetes.io/ssl-redirect: "true"
    kubernetes.io/ingress.class: test
    virtual-server.f5.com/balance: predictive-member
    virtual-server.f5.com/clientssl: '[ { "bigIpProfile": "/Common/clientssl"}]'
    virtual-server.f5.com/rewrite-app-root: nginx-prueba.pre.upc.edu=/tmp/
    virtual-server.f5.com/whitelist-source-range: 10.0.0.0/24
  name: nginx-ingress
  namespace: nginx-test
spec:
  rules:
```

2) When the F5 controller tries to make the changes in the F5 device, it reports the error shown previously.

Expected Result

The + symbol is a character valid in a URI, as is specified in the RFC https://datatracker.ietf.org/doc/html/rfc3986#page-12

The expected result is that the F5 controller doesn't return the error and configures the rule in the policy.

Actual Result

In this situation, the F5 controller cannot make any further changes in the F5 node until the ingress resource with the + symbol is deleted.

trinaths commented 2 weeks ago

@jmolinavizcaino CIS uses AS3 to configure objects in BIG-IP. Try this sample declaration in AS3 and share your findings to automation_toolchain_pm at f5 dot com.

jmolinavizcaino commented 1 week ago

@trinaths Sorry, but I don't understand your answer.

This error is reported before the CIS sends the AS3 configuration to the BIG-IP. It seems the controller has a validating process when it builds the AS3 schema that reports this error message.

I applied the same change with an AS3 definition with Postman and the BIG-IP applied the change without problem.

jmolinavizcaino commented 1 week ago

I tried to make the change with an AS3 definition with Postman and I arrived at this conclusion:

If I put the + symbol in the name of the rule, the BIG-IP reports an error:

```json
{
  "code": 422,
  "errors": [
    "/f5-dev-ie-dev/Shared/Ingress_A_B_C_D_443/rules/1/name: data \"ingress_nginx_prueba_pre_upcedu++resource++_ingress_nginx_prueba_nginx_ingress_nginx_svc80\" should match pattern \"^[a-zA-Z0-9\-.:%]+$\""
  ],
  "declarationFullId": "",
  "message": "declaration is invalid"
}
```

If I change the name without + but I maintain the + symbol in the rule condition, the change is applied:

```json
"results": [
    {
        "code": 200,
        "message": "success",
        "lineCount": 30,
        "host": "localhost",
        "tenant": "f5-dev-ie-dev",
        "runTime": 2095
    }
],
```

I think the problem is how the F5 controller builds the name of the rule. It's necessary to overlook the + symbol when the rule name is built by the controller.

I sent this same comment to automation_toolchain_pm@f5.com.
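As an added example (not code from the CIS project or from the reporter), a Go sketch of the check the thread converges on: validate AS3 rule names against the pattern quoted in the controller log above, sanitize the path-derived part so a + in the ingress path cannot invalidate the whole declaration, and report the offending names instead of stalling every later update. The pattern's hyphen is escaped on the assumption that it is meant literally (as the BIG-IP 422 reply also shows); the helper names and the sample rule name are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Name pattern from the controller log above; the hyphen is escaped so it is
// a literal in RE2 syntax rather than an (invalid) range from '_' to '.'.
var as3NamePattern = regexp.MustCompile(`^[a-zA-Z0-9_\-.:%]+$`)

// ValidAS3Name reports whether a rule name would pass the AS3 schema check.
func ValidAS3Name(name string) bool {
	return as3NamePattern.MatchString(name)
}

// SanitizeAS3Name replaces every character outside the allowed class with '_',
// so a name derived from a path containing '+' stays valid. The match
// condition itself may keep the original path, as the 200 result above shows.
func SanitizeAS3Name(raw string) string {
	var b strings.Builder
	for _, r := range raw {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9',
			r == '_', r == '-', r == '.', r == ':', r == '%':
			b.WriteRune(r)
		default:
			b.WriteByte('_')
		}
	}
	return b.String()
}

// InvalidRuleNames returns the names that would make the whole declaration
// fail validation, so one bad ingress can be reported rather than silently
// blocking all further posts to the BIG-IP.
func InvalidRuleNames(names []string) []string {
	var bad []string
	for _, n := range names {
		if !ValidAS3Name(n) {
			bad = append(bad, n)
		}
	}
	return bad
}

func main() {
	// Constructed input modelled on the rule name in the 422 response above.
	raw := "ingress_nginx_prueba_pre_upcedu++resource++_nginx_svc80"
	fmt.Println(ValidAS3Name(raw), SanitizeAS3Name(raw), InvalidRuleNames([]string{raw, "ok_name"}))
}
```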

trinaths commented 1 week ago

Created [CONTCNTR-4955] for internal tracking.