Forum Discussion
Cannot create tcp-only VirtualServer with bigip-controller
I'm running Rancher and ingress-nginx and would like a simple solution to manage VIPs and have automatic update of the pool members, e.g. passthru/tcp-only loadbalancing with TLS termination in ingress-nginx.
Installed the f5-bigip-ctlr helm chart with these values:
manage-ingress: false
pool_member_type: nodeport
custom-resource-mode: true
ingress-nginx is running on a nodeport.
Created a VIP CR with these settings:
apiVersion: "cis.f5.com/v1"
kind: VirtualServer
metadata:
  name: labb101-https
  namespace: ingress-nginx
  labels:
    f5cr: "true"
spec:
  partition: k8s_lab
  virtualServerAddress: "10.25.11.30"
  virtualServerName: "labb101-k8s-mydomain-com"
  virtualServerHTTPPort: 443
  pools:
  - path: /
    service: ingress-nginx-labb101-controller
    servicePort: 443
    monitors:
    - interval: 10
      recv: a
      send: /
      targetPort: 443
      timeout: 10
      type: tcp
Most resources are created correctly; however, I can't get a VIP created with HTTP Profile (Client) "None" (as represented in the GUI).
If I don't specify a profile, it is set automatically to "http".
And if I set tlsProfileName to "" (just guessing this is the field), validation fails with error Invalid value: "": spec.tlsProfileName in body should match '^[a-zA-Z]+[-A-z0-9_.:]+[A-z0-9]+$'
Another weird behavior is that my VIP gets Default Persistence Profile: cookie for some reason, although I'm not specifying it in my VirtualServer. (This may be why HTTP Profile is set to http, not sure.)
So it appears I should have read the manual better 😛
I was using the wrong CRD, the correct one to use when you need a tcp-only VIP is TransportServer: https://clouddocs.f5.com/containers/latest/userguide/crd/transportserver.html
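A TransportServer manifest equivalent to the VirtualServer in the question, as an added example that is not part of the original posts. The name, namespace, address, port and service are taken from the question; the field layout is an assumption based on the TransportServer CRD documentation linked above and should be checked against the installed CIS version.

```yaml
# Added example: TCP-only (layer 4) VIP, so BIG-IP attaches no HTTP profile
# and TLS passes through untouched to ingress-nginx, which terminates it.
apiVersion: "cis.f5.com/v1"
kind: TransportServer
metadata:
  name: labb101-https
  namespace: ingress-nginx
  labels:
    f5cr: "true"              # same label the controller watches in the question
spec:
  # partition is not set here; the controller's configured partition applies
  virtualServerAddress: "10.25.11.30"
  virtualServerPort: 443      # single L4 port instead of virtualServerHTTPPort/HTTPSPort
  virtualServerName: "labb101-k8s-mydomain-com"
  mode: standard              # assumption: standard TCP profile rather than performance (FastL4)
  snat: auto
  pool:                       # TransportServer takes one pool, with no path routing
    service: ingress-nginx-labb101-controller
    servicePort: 443
    monitor:
      type: tcp               # plain TCP connect check; no HTTP send/recv strings
      interval: 10
      timeout: 10
```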
These appear to be potential bug reports, not necessarily questions on configuration or setup. Have you submitted support cases for these issues?
Also, I agree. If you are not performing any SSL termination, or inspecting or modifying HTTP traffic in any way on the F5, then you should be able to set up a normal TCP virtual server. Maybe the logic auto-assumes that service port 80 or 443 will always be HTTP, which isn't true.
On another note, are you indeed hosting unencrypted traffic on 443? You are using 'virtualServerHTTPPort' instead of 'virtualServerHTTPSPort'.
- gorantornqvist-srAltostratus
Thanks for the quick reply.
There is some weird behavior. No, it's encrypted traffic on port 443 in ingress-nginx that I want to passthru to. If I set virtualServerHTTPSPort: 443
I get a VIP on port 80 instead. So the CIS controller doesn't seem to have a "Service Port" setting as the Web GUI has.
Using this reference: https://clouddocs.f5.com/containers/latest/userguide/crd/virtualserver.html#monitor-components.
And the docs lack any samples describing how a tcp-only VIP should be set up.
I'm on the devops team and not the network team that has support info ... but I will probably contact them next week since I'm stuck at the moment.
You sound like the hell I was experiencing when the Ansible collections first came out from F5. I was also a power user in the beginning and finding bugs left and right. Heck, I still find bugs with just using TCL commands to re/deploy iApp templates in a special 'hacky' way where you modify the template and then redeploy, lol.
I would suggest the network team just give you access to the F5 support account. They can set you up with your own login, so that you can submit support requests, requests for enhancement, and potential bugs. If you formally submit this, F5 is quick to work on the issue. Certain API stuff, like Ansible, does have its own GitHub where you can submit issues and actual F5 developers work on these. It DOES look like k8s-bigip-ctlr is one of those projects 😉 Take a look here:
Maybe submit the issue there, and if that has no movement, get the Network team to put in a support ticket.