Forum Discussion
mihaic
MVP
MVPneed some help with a AS3 declaration
I have the declaration below. I get "│ Error: posting as3 config failed for tenants:(Tenant_01) with error: Tenant Creation failed"
I am trying to create 2 virtual servers one HTTP and one HTTPS that share 2 pools.
I had a working declaration that created the HTTP part.
Question. Can irules and other objects be shared between 2 virtual servers ?
For irules i use URL as the source, can I do the same for certificate and key?
{
"$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json",
"class": "AS3",
"action": "deploy",
"persist": true,
"declaration": {
"class": "ADC",
"schemaVersion": "3.0.0",
"id": "${TENANT}-declaration",
"label": "${TENANT}",
"remark": "HTTP application",
"updateMode" :"selective",
"${TENANT}": {
"class": "Tenant",
"defaultRouteDomain": 0,
"Shared": {
"class": "Application",
"template": "shared",
"${POOL1}": {
"class": "Pool",
"loadBalancingMode":"${LB_MODE}",
"monitors": [
"${MONITOR}"
],
"members": [
{
"servicePort": ${SERVICEPORT},
"serverAddresses": ${MEMBERS_1}
}
]
},
"${POOL2}": {
"class": "Pool",
"loadBalancingMode":"${LB_MODE}",
"monitors": [
"${MONITOR}"
],
"members": [
{
"servicePort": ${SERVICEPORT},
"serverAddresses": ${MEMBERS_2}
}
]
}
},
"Application_1": {
"class": "Application",
"template": "Service_Generic",
"${VIP_NAME}": {
"class": "Service_HTTP",
"virtualAddresses": [
"${VIP}"
],
"virtualPort": 80,
"persistenceMethods": [
"${PERSISTANCE}"
],
"profileTCP": "normal",
"profileHTTP": {
"use": "${HTTP_PROFILE}"
},
"snat": "auto",
"iRules": [
"${IRULE_NAME}"
],
"pool": "/${TENANT}/Shared/${POOL1}"
},
"${HTTP_PROFILE}":{
"class": "HTTP_Profile",
"xForwardedFor": true
},
"${IRULE_NAME}": {
"class": "iRule",
"remark": "choose private pool based URI",
"iRule": {
"url": "${IRULE}"
}
},
"${VIP_NAME}": {
"class": "Service_HTTPS",
"virtualAddresses": [
"${VIP}"
],
"virtualPort": 443,
"persistenceMethods": [
"${PERSISTANCE}"
],
"profileTCP": "normal",
"profileHTTP": {
"use": "${HTTP_PROFILE}-secure"
},
"snat": "auto",
"iRules": [
"${IRULE_NAME}-secure"
],
"pool": "/${TENANT}/Shared/${POOL1}",
"serverTLS": "webtls"
},
"${HTTP_PROFILE}-secure":{
"class": "HTTP_Profile",
"xForwardedFor": true
},
"${IRULE_NAME}-secure": {
"class": "iRule",
"remark": "choose private pool based URI",
"iRule": {
"url": "${IRULE}"
}
},
"webtls": {
"class": "TLS_Server",
"certificates": [{
"certificate": "${VIP_NAME}-cert"
}]
},
"${VIP_NAME}-cert": {
"class": "Certificate",
"remark": "in practice using a passphrase is recommended",
"certificate": {
"url": "${CERT_URL}"
},
"privateKey": {
"url": "${KEY_URL}"
}
}
}
}
}
}
See the article below of how to declare objects in the shared as3 folder under the partition like pools:
Solved: AS3 referencing objects across applications - DevCentral (f5.com)
If the 2 apps/virtual servers are in the same tenant you can try the "use:" pointer to define the pool outside of the 2 virtual servers in the AS3 declaration
BIG-IP AS3 Declaration Purpose and Function (f5.com)
"persistenceMethods": [ {"use": "mypersist"} ] "mypersist": { "class": "Persist", "persistenceMethod": "cookie", "cookieName": "MYCOOKIE" }Other than that for certficates I have not tried using url but I saw:
"pkcs12_crt_key_encr_url": { "class": "Certificate", "remark": "saves encr key in openssl format", "passphrase": { "ciphertext": "cGFzc3dvcmQ=", "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0", "ignoreChanges": true }, "pkcs12Options": { "keyImportFormat": "openssl-legacy" }, "pkcs12": { "url": "https://mycompany/certs/my_p12.p12" } }, "pkcs12_crt_key_bundle": { "class": "Certificate", "remark": "multiple certs, no passphrase, ignore change on redeploy", "pkcs12Options": { "keyImportFormat": "openssl-legacy", "ignoreChanges": true }, "pkcs12": { "url": "http://mycompany/certs/my_pfx.pfx" } }
- Nikoolayy1
See the article below of how to declare objects in the shared as3 folder under the partition like pools:
Solved: AS3 referencing objects across applications - DevCentral (f5.com)
If the 2 apps/virtual servers are in the same tenant you can try the "use:" pointer to define the pool outside of the 2 virtual servers in the AS3 declaration
BIG-IP AS3 Declaration Purpose and Function (f5.com)
"persistenceMethods": [ {"use": "mypersist"} ] "mypersist": { "class": "Persist", "persistenceMethod": "cookie", "cookieName": "MYCOOKIE" }Other than that for certficates I have not tried using url but I saw:
"pkcs12_crt_key_encr_url": { "class": "Certificate", "remark": "saves encr key in openssl format", "passphrase": { "ciphertext": "cGFzc3dvcmQ=", "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0", "ignoreChanges": true }, "pkcs12Options": { "keyImportFormat": "openssl-legacy" }, "pkcs12": { "url": "https://mycompany/certs/my_p12.p12" } }, "pkcs12_crt_key_bundle": { "class": "Certificate", "remark": "multiple certs, no passphrase, ignore change on redeploy", "pkcs12Options": { "keyImportFormat": "openssl-legacy", "ignoreChanges": true }, "pkcs12": { "url": "http://mycompany/certs/my_pfx.pfx" } }
mihaicNikoolayy1 , thanks!
I've used "use" for the shared objects (pool,profile http, irule) and "url" for certs.
here is my template json:
https://github.com/czirakim/F5_AS3/blob/master/Tenant1/tenant_template.json
- JRahm
Admin
url works (here and for other things like policies) but keep in mind that when using url it is not idempotent. It'll run every time even without changes, which can make AS3 apply operations longer than needed and touch config you were not expecting, like if only adding a pool member IP.
H/T Matt Stovall on that nugget.
