CIS is deleting referenced SSL Profile it did not create #3414
Comments
Maybe I should have included the TLSProfile yaml
This problem appears to be fixed in 2.16.1. Is it possible to confirm?
Created [CONTCNTR-4732] for internal tracking.
@trinaths We discovered today as we are trying to work around this bug that this bug affects more than the ssl profiles. CIS is deleting ssl profiles, irules, logging profiles that are referenced from /Common/Shared.
@pmilot Please send CIS configuration and logs to automation_toolchain_pm@f5.com
Closing the issue as it's fixed with #3427
@arzzon Any chance I can get a dev build with this fix? Thanks
@pmilot Please use the following CIS build generated from the build pipeline:
@arzzon We will test this today and report back. TY
@pmilot We found out that the issue is caused due to Virtual Server CR misconfiguration (Virtual Server CRs created with partition set as Common), for which we have improved the CR validations. In case any VS CR is having partition set as Common, CIS will log an error like:
@arzzon That is odd as we are not creating any VS in /Common. We are creating them in a dedicated partition for the cluster.
@pmilot Thanks for the confirmation. If this is the case then you won't see the error message mentioned above. The shared CIS build has fixes to avoid posting declarations to Common partition.
@arzzon We've been running this build now for a week and I can confirm we have not lost our /Common objects since.
Setup Details
CIS Version : 2.16
Description
CIS is posting unnecessarily to /Common tenant trying to delete a referenced ssl profile. I don't know what it is trying to do but it should not be trying to delete a referenced profile that it did not create?
Also when the VS is deleted, CIS deletes the VIP and the ssl profile from the /Common partition that was referenced in the TLSProfile.
This is very similar to a bug I reported last year.
#2797
Steps To Reproduce
CIS LOG
declaration failed response:01070265:3: The ClientSSL Profile (/Common/Shared/my_clientssl_profile) cannot be deleted because it is in use by a virtual server profile (/atlas/Shared/crd_10_10_10_177_443 /Common/Shared/my_clientssl_profile)). runTime:3821 tenant:Common]]]
BIGIP LOG
May 8 19:00:19 QA-K8S-BIGIP-01.mydomain.local err mcpd[7723]: 01070265:3: The ClientSSL Profile (/Common/Shared/my_clientssl_profile) cannot be deleted because it is in use by a virtual server profile (/atlas/Shared/crd_10_10_10_177_443 /Common/Shared/my_clientssl_profile).
2024/05/08 19:04:15 [DEBUG] [AS3] Response from BIG-IP: code: 200 --- tenant:Common --- message: success
2024/05/08 19:04:15 [DEBUG] [AS3] Response from BIG-IP: code: 200 --- tenant:Common --- message: success
Expected Result
CIS should not be deleting or modifying referenced TLS profiles.
Actual Result
Referenced TLS profiles are actually deleted by CIS even though they were never created with CIS.
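A log check for the behaviour reported in this issue, as an added example that is not part of the original report or of CIS: it scans CIS and BIG-IP log lines for blocked delete attempts and AS3 responses that touch a partition outside the ones CIS is expected to manage. The function names and the managed partition `atlas` (taken from the virtual server path in the log above) are assumptions; the first three sample lines are copied from the report and the fourth is constructed.

```python
import re

# mcpd error 01070265: BIG-IP refused to delete an object that is still in use.
BLOCKED_DELETE = re.compile(
    r"01070265:3: The (?P<type>.+?) \((?P<path>/[^)\s]+)\) cannot be deleted")
# CIS debug line with the per-tenant result of an AS3 declaration.
AS3_RESPONSE = re.compile(
    r"\[AS3\] Response from BIG-IP: code: (?P<code>\d+) --- tenant:(?P<tenant>\S+)")

# Lines 1-3 are copied from the report above; line 4 is constructed.
SAMPLE = [
    "declaration failed response:01070265:3: The ClientSSL Profile "
    "(/Common/Shared/my_clientssl_profile) cannot be deleted because it is in "
    "use by a virtual server profile (/atlas/Shared/crd_10_10_10_177_443 "
    "/Common/Shared/my_clientssl_profile)). runTime:3821 tenant:Common]]]",
    "May 8 19:00:19 QA-K8S-BIGIP-01.mydomain.local err mcpd[7723]: 01070265:3: "
    "The ClientSSL Profile (/Common/Shared/my_clientssl_profile) cannot be "
    "deleted because it is in use by a virtual server profile "
    "(/atlas/Shared/crd_10_10_10_177_443 /Common/Shared/my_clientssl_profile).",
    "2024/05/08 19:04:15 [DEBUG] [AS3] Response from BIG-IP: code: 200 --- "
    "tenant:Common --- message: success",
    "2024/05/08 19:04:16 [DEBUG] [AS3] Response from BIG-IP: code: 200 --- "
    "tenant:atlas --- message: success",
]


def partition_of(path):
    """Return the partition (first component) of a BIG-IP object path."""
    return path.strip("/").split("/", 1)[0]


def scan(lines, managed):
    """Return findings for activity against partitions outside `managed`."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = BLOCKED_DELETE.search(line)
        if m and partition_of(m["path"]) not in managed:
            findings.append((n, "delete-attempt", m["type"], m["path"]))
            continue
        m = AS3_RESPONSE.search(line)
        # Flag any status code: a 200 means BIG-IP accepted the declaration.
        if m and m["tenant"] not in managed:
            findings.append((n, "as3-post", m["code"], m["tenant"]))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE, managed={"atlas"}):
        print(finding)
```

Pass every partition CIS is configured to write to in `managed`; anything reported is a write or delete attempt against a partition it should only reference.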