Forum Discussion
rahvee
Cirrus
CirrusAPI, SDK, AS3, oh my?
I am looking for the best long-term, easiest to support, way to automatically manage SSL certs in Big-IP.
I found f5-sdk, but it is no longer under active development, since May 30, 2021.
I found f5-sdk-python, which seems to be a different sdk. It's under "f5devcentral" instead of "f5networks," so I guess it's community supported rather than officially supported, although both are "copyright F5 Networks, Inc." so it's confusing. It doesn't have a "no longer actively developed" banner on it, but its last commit was Apr 16, 2020. Which makes me think it is actually no longer developed.
I found f5-cli, which is based on the above f5-sdk-python. So I think it's actually no longer developed.
I found lets-encrypt-python, whic is based on BIGREST, which is a wrapper around the `requests` module using the iControl REST API. It's specifically made to address the above problems with the sdk's being unmaintained, but users need to know the API url's. I've been running into difficulties using it, because of incomplete or inaccurate documentation about the API. Specifically, the url's that are used in lets-encrypt-python, and even in the `_connect()` method of BIGREST, don't exist on my Big-IP device, so I had to create an issue, and patch BIGREST, to make BIGREST functional with my device, but then the url's in lets-encrypt-python also don't exist on my device, so I'm left to figure out the API on my own. I'm not sure if the API changed between my version of Big-IP and the author's version of Big-IP, or if we have a different device, or different licensing, or what. The only thing I'm sure about is that some of the URL's they used don't exist for me.
The iControl REST API documentation has a banner at the top, more or less encouraging users not to use it, and instead recommending using AS3. When I ignore this banner and try to use it, I find the API documentation itself has a bunch of missing or inaccurate parts, so maybe it is best to use AS3. Or maybe I should keep working on the API some more, I'm not sure.
One of the requirements for AS3 is the user must have Administrator role, basically root, on the F5. This is contrary to our organization security policy, so if we need it, I'm going to have to raise meetings with management and include our infosec group to make it happen, so I don't want to push that direction unless I know it's the right direction for us to go.
Can anyone offer advice on the best long-term, most well supported path forward?
Thank you.
Hello Rahvee,
Besides what it states this AS3 requirements you provided, have you ever tried to run a certification renewal with user with role "Certificate Manager"?
AneshCirrostratus
Following are cons of using AS3
- Additional overhead of mainting the AS3 rpm during f5 TMOS upgrades and also test the compatibility of the as3 rpm with the TMOS version
- Due to imperarive model of AS3 , config pushes are slower in comparsion to using a REST API. As AS3 deploys the whole configuration on a tenant as opposed to changing only a specifc attribute in the JSON payload.
- there is no AS3 JSON available for deploying payloads for F5 ASM and APM, but the REST API has API's to work with both ASM and APM
I would use REST API over AS3 anyday!!!
