Missing allowVlans key #47

Closed
azahajkiewicz opened this issue Aug 20, 2021 · 3 comments

@azahajkiewicz

Environment

  • Application Services Version: f5devcentral/f5-as3-config-converter:1.14.0
  • BIG-IP Version: 14.1.3

Summary

If a virtual is enabled on a VLAN: vlans { /Common/vlan_internal }, Charon does not convert the property allowVlans; instead it uses its value as a key:

            "vlans": {
                "/Common/vlan_internal": ""
            },

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert the following config:
ltm profile server-ssl /tenant_1/application_1/server_ssl_test {
    app-service none
    cert /Common/custom_ssl_cert_key
    defaults-from /Common/serverssl
    key /Common/custom_ssl_cert_key
    options { dont-insert-empty-fragments passive-close no-tlsv1.3 }
    passphrase $M$I4$Ftgl+XHx+VhP9W2VCi/97Q==
}
ltm profile client-ssl /tenant_1/application_1/client_ssl_test {
    app-service none
    cert-key-chain {
        custom_ssl_cert_key_0 {
            cert /Common/custom_ssl_cert_key
            key /Common/custom_ssl_cert_key
            passphrase $M$3e$P98aLvQuJRUt116g32xh5Q==
        }
    }
    defaults-from /Common/clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain false
    options { dont-insert-empty-fragments no-tlsv1.3 tls-rollback-bug }
}
ltm virtual-address /tenant_1/application_1/10.144.18.33 {
    address 10.144.18.33
    arp enabled
    mask 255.255.255.255
    traffic-group /Common/traffic-group-1
}
ltm node /tenant_1/application_1/node_10.10.10.3 {
    address 10.10.10.3
}
ltm node /Common/node_10.10.10.5 {
    address 10.10.10.5
}
sys file ssl-cert /Common/custom_ssl_cert_key {
    cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:custom_ssl_cert_key_253744_1
    revision 1
    source-path /var/run/key_mgmt/5xTWQ0/ssl.crt/custom_ssl_cert_key
}
ltm virtual /tenant_1/application_1/VS_https {
    creation-time 2021-08-12:06:48:20
    description "Standard Virtual enabled on 443 with ssl profiles and custom cert/key"
    destination /tenant_1/application_1/10.144.18.33:443
    ip-protocol tcp
    last-modified-time 2021-08-12:06:48:20
    mask 255.255.255.255
    pool /tenant_1/application_1/https_pool
    profiles {
        /tenant_1/application_1/client_ssl_test {
            context clientside
        }
        /Common/http { }
        /Common/httpcompression { }
        /tenant_1/application_1/server_ssl_test {
            context serverside
        }
        /Common/tcp { }
    }
    source 0.0.0.0/24
    translate-address enabled
    translate-port enabled
    vlans {
        /Common/vlan_internal
    }
}
ltm node /tenant_1/application_1/node_10.10.10.2 {
    address 10.10.10.2
}
sys file ssl-key /Common/custom_ssl_cert_key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:custom_ssl_cert_key_253741_1
    revision 1
    source-path /var/run/key_mgmt/SvhNPi/ssl.key/custom_ssl_cert_key
}
ltm pool /tenant_1/application_1/https_pool {
    members {
        /tenant_1/application_1/node_10.10.10.2:443 {
            address 10.10.10.2
        }
        /tenant_1/application_1/node_10.10.10.3:443 {
            address 10.10.10.3
        }
        /Common/node_10.10.10.4:443 {
            address 10.10.10.4
        }
        /Common/node_10.10.10.5:443 {
            address 10.10.10.5
        }
    }
    monitor /Common/https
}
ltm node /Common/node_10.10.10.4 {
    address 10.10.10.4
}

  2. Observe the following error message:
{
    "code": 422,
    "message": "Invalid data property: /Common/vlan_internal"
}

Expected Behavior

Use the allowVlans key with the VLAN name as a value.

@azahajkiewicz azahajkiewicz added the bug Something isn't working label Aug 20, 2021

azahajkiewicz commented Aug 20, 2021

To clarify:
A virtual can be configured in three ways:

  1. Enabled on all vlans (no property in VS):
ltm virtual /Common/vs {
   creation-time 2021-08-20:07:45:22
   destination /Common/10.144.18.33:0
   ip-protocol tcp
   last-modified-time 2021-08-20:07:48:29
   mask 255.255.255.255
   profiles {
       /Common/tcp { }
   }
   source 0.0.0.0/24
   translate-address enabled
   translate-port disabled
}

-------> no vlan related property in AS3 declaration

  2. Enabled on a vlan(s):
ltm virtual /Common/vs {
    creation-time 2021-08-20:07:45:22
    destination /Common/10.144.18.33:0
    ip-protocol tcp
    last-modified-time 2021-08-20:07:48:29
    mask 255.255.255.255
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/24
    translate-address enabled
    translate-port disabled
    vlans {
        /Common/vlan_internal
    }
    vlans-enabled
}

or

ltm virtual /Common/vs {
    creation-time 2021-08-20:07:45:22
    destination /Common/10.144.18.33:0
    ip-protocol tcp
    last-modified-time 2021-08-20:07:48:29
    mask 255.255.255.255
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/24
    translate-address enabled
    translate-port disabled
    vlans-enabled
}

-------> allowVlans property in AS3 declaration (either list or empty list):
See #34 (comment) - I am not sure if Charon should not support it, BIG-IP accepts such configuration.

                "allowVlans": [
                    "/Common/vlan_internal"
                ],

or

                "allowVlans": [],

  3. Disabled on a vlan(s):
ltm virtual /Common/VS_http {
    creation-time 2021-08-12:06:09:23
    description "Performance HTTP Virtual"
    destination /Common/10.144.18.33:80
    ip-protocol tcp
    last-modified-time 2021-08-20:11:16:00
    mask 255.255.255.255
    pool /Common/http_pool
    profiles {
        /Common/fasthttp { }
    }
    source 0.0.0.0/24
    translate-address enabled
    translate-port enabled
    vlans {
        /Common/vlan_internal
    }
}

(the vlans-disabled property is the default one, so it does not necessarily need to be listed explicitly)

or:

ltm virtual /Common/VS_http {
    creation-time 2021-08-12:06:09:23
    description "Performance HTTP Virtual"
    destination /Common/10.144.18.33:80
    ip-protocol tcp
    last-modified-time 2021-08-20:11:16:00
    mask 255.255.255.255
    pool /Common/http_pool
    profiles {
        /Common/fasthttp { }
    }
    source 0.0.0.0/24
    translate-address enabled
    translate-port enabled
    vlans-disabled
    vlans {
        /Common/vlan_internal
    }
}

-------> rejectVlans property in AS3 declaration (either list or empty list):

                "rejectVlans": [
                    "/Common/vlan_internal"
                ],

or

                "rejectVlans": [ ],
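
The mapping described in the comment above, written out as an added JavaScript example (not the converter's code and not from the issue author). The function name `vlanPropsFromVirtual` and the sample stanza are assumptions made for illustration; returning an empty `rejectVlans` list for an explicit `vlans-disabled` follows the comment's "either list or empty list".

```javascript
// Added example (not the converter's code): derive the AS3 VLAN property for
// one tmsh `ltm virtual` stanza, following the three cases in the comment.
function vlanPropsFromVirtual(stanza) {
  const tokens = stanza
    .replace(/"(?:\\.|[^"\\])*"/g, '""') // quoted values may contain braces
    .replace(/[{}]/g, ' $& ')            // also handles a one-line vlans { a }
    .split(/\s+/)
    .filter(Boolean);

  let depth = 0;
  let mode = null;     // explicit vlans-enabled / vlans-disabled keyword, if any
  let inVlans = false;
  const vlans = [];
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (t === '{') { depth++; continue; }
    if (t === '}') {
      if (inVlans && depth === 2) inVlans = false;
      depth--;
      continue;
    }
    if (inVlans && depth === 2) vlans.push(t);
    // Only depth 1 counts: a profile named "vlans" sits one level deeper.
    else if (depth === 1 && t === 'vlans' && tokens[i + 1] === '{') inVlans = true;
    else if (depth === 1 && t === 'vlans-enabled') mode = 'enabled';
    else if (depth === 1 && t === 'vlans-disabled') mode = 'disabled';
  }
  if (depth !== 0) throw new Error('unbalanced braces in stanza');

  // Case 2: the keyword, not the list, selects the allow list (may be empty).
  if (mode === 'enabled') return { allowVlans: vlans };
  // Case 3: vlans-disabled is the default, so a bare list is a reject list.
  if (mode === 'disabled' || vlans.length > 0) return { rejectVlans: vlans };
  // Case 1: nothing VLAN-related, so no property is emitted.
  return {};
}

// Constructed sample, shaped like the stanzas in the comment.
const sampleVirtual = `ltm virtual /Common/vs {
    description "braces { in a string } are ignored"
    profiles {
        /Common/tcp { }
    }
    vlans {
        /Common/vlan_internal
    }
    vlans-enabled
}`;
console.log(JSON.stringify(vlanPropsFromVirtual(sampleVirtual)));
```

Under the comment's case 3, a `vlans` list without `vlans-enabled` comes out as `rejectVlans`; emitting it as `allowVlans` would invert which VLANs the virtual accepts traffic on, so a converter's output for this property is worth checking against the source stanza.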

@mdditt2000

Created Jira CHARON-445 for PM tracking

@mdditt2000 mdditt2000 added the jira Jira created for this issue label Sep 8, 2021
@mdditt2000

Merge branch 'CHARON-445-allow-vlans' into 'develop' --- Closing

@mdditt2000 mdditt2000 added this to the 1.15 milestone Sep 13, 2021