CIS is deleting referenced SSL Profile it did not create

[pmilot]

Setup Details

CIS Version : 2.16

Description

CIS is posting unnecessarily to /Common tenant trying to delete a referenced ssl profile. I don't know what it is trying to do but it should not be trying to delete a referenced profile that it did not create ?

Also when the VS is deleted, CIS deletes the VIP and the ssl profile from the /Common partition that was referenced in the TLSProfile

This is very similar to a bug I reported last year.
#2797

Steps To Reproduce

1. Create TLSprofile with a referenced bigip profile ex: /Common/Shared/my_ssl_profile
2. Create a VS with the SSL profile
3. The CIS goes into an endless loop trying to post to the /Common tennant

CIS LOG
declaration failed response:01070265:3: The ClientSSL Profile (/Common/Shared/my_clientssl_profile) cannot be deleted because it is in use by a virtual server profile (/atlas/Shared/crd_10_10_10_177_443 /Common/Shared/my_clientssl_profile)). runTime:3821 tenant:Common]]]

BIGIP LOG
May 8 19:00:19 QA-K8S-BIGIP-01.mydomain.local err mcpd[7723]: 01070265:3: The ClientSSL Profile (/Common/Shared/my_clientssl_profile) cannot be deleted because it is in use by a virtual server profile (/atlas/Shared/crd_10_10_10_177_443 /Common/Shared/my_clientssl_profile).

4. Delete the VS and CIS will delete the VIP and the SSL profile that was referenced

2024/05/08 19:04:15 [DEBUG] [AS3] Response from BIG-IP: code: 200 --- tenant:Common --- message: success
2024/05/08 19:04:15 [DEBUG] [AS3] Response from BIG-IP: code: 200 --- tenant:Common --- message: success

Expected Result

CIS should not be deleting or modifying referenced TLS profiles

Actual Result

referenced TLS profiles are actually deleted by CIS even though they were never created with CIS

[pmilot]

Maybe I should have included the TLSProfile yaml

apiVersion: v1
    name: reencrypt-tls
    namespace: mynamespace
  spec:
    hosts:
    - myapp.example.com.
    tls:
      clientSSL: /Common/Shared/my_ssl_profile
      reference: bigip
      serverSSL: /Common/Shared/my_serverssl_profile
      termination: reencrypt

[pmilot]

This problem appears to be fixed in 2.16.1. Is it possible to confirm ?

[trinaths]

Created [CONTCNTR-4732] for internal tracking.

[pmilot]

@trinaths We discovered today as we are trying to work around this bug that this bug affects more than the ssl profiles.

CIS is deleting ssl profiles, irules, logging profiles that are referenced from /Common/Shared.

[trinaths]

@pmilot Please CIS configuration and logs to automation_toolchain_pm automation_toolchain_pm@f5.com

[arzzon]

Closing the issue as it's fixed with #3427

[pmilot]

@arzzon Any chance I can get a dev build with this fix ?

Thanks

[arzzon]

@pmilot Please use the following CIS build generated from the build pipeline:
quay.io/f5networks/k8s-bigip-ctlr-devel:6c771a457631bc7d16aa844b49f095c47ffeee5c

[pmilot]

@arzzon We will test this today and report back. TY

[arzzon]

@pmilot We found out that the issue is caused due to Virtual Server CR misconfiguration(Virtual server CRs created with partition set as Common), for which we have improved the CR validations. In case any VS CR is having partition set as Common, CIS will log error like:
"[ERROR] VirtualServer xyz cannot be created in Common partition"
Such Virtual Server CRs need to be removed.

[pmilot]

@arzzon That is odd as we are not creating any VS in /Common. We are creating them in a dedicated partition for the cluster

apiVersion: cis.f5.com/v1
kind: VirtualServer
metadata:
  labels:
    f5cr: "true"
  name: dummy-user-portal
  namespace: dummy-user-portal
spec:
  virtualServerAddress: 10.1.yyy.xxx
  tlsProfileName: reencrypt-tls
  host: myapp.example.com
  iRules: 
  -  /Common/Shared/k8s_ingress_sni_irule
  policyName: dummy-user-portal-policy
  persistenceProfile: none
  pools:
    - path: /
      service: k8s-ingress
      servicePort: 443
      serviceNamespace: istio-system
      extendedServiceReferences:
        - clusterName: mycluster-1
          namespace: istio-system
          servicePort: 443
          service: k8s-ingress
      monitor:
          type: tcp
          interval: 10
          timeout: 31

    Command:
      /app/bin/k8s-bigip-ctlr
    Args:
      --credentials-directory
      /tmp/creds
      --bigip-partition=mycluster-1
      --bigip-url=https://10.1.yyy.xxx
      --custom-resource-mode=true
      --insecure=true
      --ipam=false
      --log-as3-response=true
      --log-level=DEBUG
      --namespace=dummy-user-portal
      --namespace=istio-system
      --pool-member-type=nodeport

[arzzon]

@pmilot Thanks for the confirmation. If this is the case then you won't see the error message mentioned above. The shared CIS build has fixes to avoid posting declarations to Common partition.

[pmilot]

@arzzon We've been running this build now for a week and I can confirm we have not lost our /Common objects since