F5Networks / k8s-bigip-ctlr

Repository for F5 Container Ingress Services for Kubernetes & OpenShift.
Apache License 2.0

Rewrite-target-url annotation doesn't work when rewrites / #3616

Open jmolinavizcaino opened 3 weeks ago

jmolinavizcaino commented 3 weeks ago

Setup Details

CIS Version: 2.13.1
Build: f5networks/k8s-bigip-ctlr:2.13.1
BIGIP Version: Big IP 15.1.8 Build 0.0.7 Final
AS3 Version: 3.26.1
Agent Mode: AS3
Orchestration: K8S
Orchestration Version: v1.23.8
Pool Mode: Cluster
Additional Setup details: Calico v3.24.3

Description

A K8s administrator needs to rewrite the requests to a web application to append a path prefix to the path sent by the client. To implement it, the administrator uses the virtual-server.f5.com/rewrite-target-url annotation, but it doesn't work when it's configured to rewrite the / to another URI.

`virtual-server.f5.com/rewrite-target-url: server.com/=server.com/tmp`

The BIG-IP returns a 422 error and prints this error in the restnoded.log:

`Mon, 28 Oct 2024 16:14:38 GMT - severe: [appsvcs] {"message":"Declaration failed: 01071709:3: Policy '/mycontainers_demoupc/Shared/Ingress_A_B_C_D_443', rule 'url_rewrite_rule_nginx_ie_des_upc_edu__nginx_ie_des_upc_edu_tmp'; operand 'http-uri' with condition 'equals' requires at least 1 value.","level":"error"}`

The virtual-server.f5.com/rewrite-app-root annotation is not an alternative because it configures a redirect and not a rewrite.

How can we implement this?

Steps To Reproduce

Create in K8s an Ingress resource managed by the F5 controller with the annotation. Example:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  namespace: nginx-prueba
  annotations:
    kubernetes.io/ingress.class: f5-ingress-class
    virtual-server.f5.com/balance: predictive-member
    virtual-server.f5.com/whitelist-source-range: 10.0.0.0/8
    ingress.kubernetes.io/allow-http: "false"
    ingress.kubernetes.io/ssl-redirect: "true"
    virtual-server.f5.com/clientssl: '[ { "bigIpProfile": "/Common/ssl_wildcard"}]'
    virtual-server.f5.com/health: '[{"path": "server.com/", "send":"GET /healthz HTTP/1.1", "interval": 5, "timeout": 10}]'
    virtual-server.f5.com/rewrite-target-url: server.com/=server.com/tmp
    virtual-server.f5.com/ip: A.B.C.D
spec:
  rules:
  - host: "server.com"
    http:
      paths:
        - path: /tmp
          pathType: Prefix
          backend:
            service:
              name: nginx-svc
              port:
                number: 80

When the F5 controller tries to make the changes on the F5 device, it reports the error shown previously.

Expected Result

The expected result is that the F5 controller doesn't return the error and configures the action policy rule with the Tcl regsub expression:

  1. Forward traffic to pool '/Partition1/Shared/ingress_nginx_prueba_nginx_svc' at request time.
  2. Replace HTTP Header named 'host' with value 'server.com' at request time.
  3. Replace HTTP URI with value 'tcl:[regsub / [HTTP::uri] /tmp ]' at request time.

Actual Result

In this situation, the F5 controller cannot make any further changes on the F5 node until the Ingress resource with the rewrite-target-url annotation is deleted.
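
A pre-apply check for the pattern reported above, as an added example that is not part of the original issue or of the CIS code base: it flags rewrite-target-url entries whose source path is a bare `/`, the case that produced the 422 here and blocked further changes. The comma-separated `source=target` value format and all function names are assumptions.

```python
# Added example: lint for the rewrite-target-url pattern reported in this issue.
# Assumption: the annotation value is a comma-separated list of source=target
# entries, each written as host/path. This is not the CIS parser.

ANNOTATION = "virtual-server.f5.com/rewrite-target-url"


def split_host_path(url):
    """Split 'host/path' into (host, path); the path keeps its leading '/'."""
    host, slash, rest = url.strip().partition("/")
    return host, slash + rest


def lint_rewrite_target(value):
    """Return (entry, problem) tuples for entries that should be reviewed."""
    findings = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        source, eq, target = entry.partition("=")
        if not eq or not source.strip() or not target.strip():
            findings.append((entry, "not of the form source=target"))
            continue
        _, src_path = split_host_path(source)
        _, dst_path = split_host_path(target)
        # The case from the issue: rewriting a bare '/' to another URI made
        # AS3 reject the declaration (http-uri 'equals' with no value).
        if src_path == "/" and dst_path != "/":
            findings.append((entry, "source path is a bare '/'"))
    return findings


def lint_annotations(annotations):
    """Lint the annotations mapping of one Ingress manifest."""
    return lint_rewrite_target(annotations.get(ANNOTATION, ""))


if __name__ == "__main__":
    # Constructed sample taken from the manifest in the issue.
    sample = {ANNOTATION: "server.com/=server.com/tmp"}
    for entry, problem in lint_annotations(sample):
        print(f"{ANNOTATION}: {entry!r}: {problem}")
```

Run against Ingress manifests in CI or an admission step, a finding here means the resource should be held back until the rewrite is expressed another way or the controller is fixed.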

trinaths commented 2 weeks ago

Created [CONTCNTR-4973] for internal tracking.