Controller stops posting changes at runtime when some ingress path has the + character #3561
Comments
jmolinavizcaino
changed the title
|
@jmolinavizcaino CIS uses AS3 to configure objects in BIG-IP. Try this sample declaration in AS3 and share your findings to automation_toolchain_pm at f5 dot com. |
trinaths
added
awaiting response
|
@trinaths Sorry, but I don't understand your answer. This error is reported before the CIS sends the AS3 configuration to the BIG-IP. It seems the controller has a validating process when it build the as3 schema that reports this error message. I applied the same change with a AS3 definiton with postman and the BIG-IP applied the change without problem |
|
I tried to make the change with AS3 definition with Postman and I arrive to this conclusion: If I put the + symbol in the name of the rule, the BIG-IP reports an error If I change the name without + but I maintain the + symbol in the rule condition, the change is applied: I think the problem is how the F5 controller builds the name of the rule. It's necessary to overlook the + symbol when the name rule is builded by the controller. I send this same comment to [email protected] . |
|
Created [CONTCNTR-4955] for internal tracking. |
Setup Details
CIS Version : 2.16.1
Build: f5networks/k8s-bigip-ctlr:latest
BIGIP Version: Big IP 15.1.8 Build 0.0.7 Final
AS3 Version: 3.26.1
Agent Mode: AS3
Orchestration: K8S
Orchestration Version: v1.23.8
Pool Mode: Cluster
Additional Setup details:
Calico v3.24.3
Description
When a K8s administrator configure an ingress resource where the path value has a + symbol, the controller stops posting any further runtime changes to the F5 Big-IP LTM showing the next error.
2024/09/18 10:53:54 [ERROR] [AS3] Template is not valid. see errors
2024/09/18 10:53:54 [ERROR] - (root): Must validate one and only one schema (oneOf)
2024/09/18 10:53:54 [ERROR] - declaration.Shared: Must validate "then" as "if" was valid
2024/09/18 10:53:54 [ERROR] - declaration.Shared.rules.1.name: Does not match pattern '^[a-zA-Z0-9_-.:%]+$'
2024/09/18 10:53:54 [ERROR] - declaration.Shared: Must validate all the schemas (allOf)
2024/09/18 10:53:54 [ERROR] - declaration.Shared: Must validate "then" as "if" was valid
2024/09/18 10:53:54 [ERROR] - declaration.Shared.rules.1.name: Does not match pattern '^[a-zA-Z0-9_-.:%]+$'
2024/09/18 10:53:54 [ERROR] - declaration.Shared: Must validate all the schemas (allOf)
2024/09/18 10:53:54 [ERROR] - declaration.Shared: Must validate all the schemas (allOf)
Steps To Reproduce
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
ingress.kubernetes.io/allow-http: "false"
ingress.kubernetes.io/ssl-redirect: "true"
kubernetes.io/ingress.class: test
virtual-server.f5.com/balance: predictive-member
virtual-server.f5.com/clientssl: '[ { "bigIpProfile": "/Common/clientssl"}]'
virtual-server.f5.com/rewrite-app-root: nginx-prueba.pre.upc.edu=/tmp/
virtual-server.f5.com/whitelist-source-range: 10.0.0.0/24
name: nginx-ingress
namespace: nginx-test
spec:
rules:
http:
paths:
service:
name: nginx-svc
port:
number: 80
path: /++resource++
pathType: ImplementationSpecific
Expected Result
The + symbol is a charecter valid in URI as is specifed in teh RFC https://datatracker.ietf.org/doc/html/rfc3986#page-12
The expected result is the F5 controller doesn't return the error and it should configure the rule in the policy.
Actual Result
In this situation, the F5 controller cannot make any changes futher changes in the F5 node until the ingress resource with the + symbol is deleted.
The text was updated successfully, but these errors were encountered: