on 23-Jun-2016 17:00
In the previous article in this series, we took a stock iApp shipped with the product and stripped it down to show how to modify an existing iApp. In this article, we’ll tackle creating a simple iApp from scratch.
You have a test environment where all your iRules are created and validated. You then send them off to other devices in test or stage environments, and finally, production. Wouldn’t it be nice to have a quick validation that the rules out there in the other environments match the ones in yours? This is possible by adding a checksum or signature to your iRules. You can do this in the GUI of course, and with checksums, you can do it all at the same time by checking all the iRules and clicking the Add Checksum box.
Now in list view, you’ll see that the verification has changed from None to Checksum Verified.
If you click into one of the iRules, you’ll see the checksum definition at the end of the iRule (I know, lamest “test” iRule ever!)
If you want to add signatures to all iRules simultaneously like you can with checksums though, well that doesn’t work.
It is this very situation that we will attempt to solve with an iApp!
Before beginning the iApp, let’s figure out what we actually need to do in tmsh since the implementation section will rely on this. For this iApp, it’s pretty simple. Take a list of iRules, and generate a signature or checksum. The tmsh commands are thus:
# Generate a signature
tmsh generate ltm rule <rule name> signature signing-key <key name>
# Generate a checksum
tmsh generate ltm rule <rule name> checksum
So in the presentation section, we’re going to need to provide for the following to pass to the implementation:
If you recall from the previous articles in this series, the presentation section of the template is created with the APL language. Within the presentation, there is an area where your inputs are defined, and then an area where the text supporting those inputs is defined.
section basic_info {
    choice validation default "Checksum" { "Checksum", "Signature" }
    optional (validation == "Signature") {
        choice key tcl {
            set objs [tmsh::get_config /sys crypto key]
            foreach obj $objs {
                append results [tmsh::get_name $obj]
                append results "\n"
            }
            return $results
        }
    }
    multichoice rules tcl {
        set objs [tmsh::get_config /ltm rule]
        foreach obj $objs {
            append results [tmsh::get_name $obj]
            append results "\n"
        }
        return $results
    }
}
text {
    basic_info "Add Signature or Checksum to iRules"
    basic_info.validation "Please select Signature or Checksum."
    basic_info.key "Please select the key for iRule signature."
    basic_info.rules "Please select one or more iRules."
}
First thing we’ll do is title the section basic_info (lines 1-21.) The first choice we’ll present, which we’ll name validation, is whether the user would like to apply a checksum or a signature to the iRules (line 2.) If that choice is a signature, we’ll run a tcl function to retrieve all the crypto keys on the system to present that in a choice object (lines 3-11,) storing those values in key. Next, we want to be able to select more than one iRule from the list, so we’ll use a multichoice instead of just a choice object. We’ll run a similar tcl function to retrieve the iRule names for display (lines 13-20,) storing those values in rules.
In the text section (lines 22-27) we use the names from above to apply the helper text to those objects. Each object within the section gets a name of section.object, so for the information that we have so far, that results in:
That’s it! With the presentation section of the template complete, we can move on to implementation.
For (most?) iApps, the presentation is the easy part. But that is not the case in this iApp. This implementation code is 12 lines long including braces, and it’s a single switch statement. Before we get to the code, however, a few points:
switch -exact $::basic_info__validation {
    "Checksum" {
        foreach obj $::basic_info__rules {
            exec "tmsh" "generate" "ltm" "rule" $obj "checksum"
        }
    }
    "Signature" {
        foreach obj $::basic_info__rules {
            exec "tmsh" "generate" "ltm" "rule" $obj "signature" "signing-key" $::basic_info__key
        }
    }
}
As you can see from the code, a single switch statement (line 1) checks to see whether it matches Checksum (line 2) or Signature (line 7.) Given a match, it will loop through the iRules (lines 3, 8) and then run the tmsh command to add the Checksum (line 4) or the Signature (line 9.)
This is the section where I punt. It’s just html, and I think we can all agree that is out of the scope of this article.
Now that we have our sections complete, we can actually create the iApp.
Final steps! Now we can create the application service. The original scenario described our problem: we want to apply a signature to all the iRules at once. So let’s do that.
Before clicking Finish, my application service looked like this:
No errors locally. Whew! The components view is not too exciting:
The reason for this is the iApp doesn’t own any components. It just acted on existing components, so there is nothing for it to own. However, we can see the results of its action by going to the iRules section to see if the verification column on test1 and test2 has changed from None (caveat: I did remove the checksums from earlier; you can’t apply both a checksum and a signature, it’s one or the other). Lo and behold, we have signatures now!
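The cross-environment check that motivated this iApp can be scripted as well. The following is an added example, not part of the original article or F5's code: it compares the stored checksum or signature of each iRule between two saved `tmsh list ltm rule` dumps. The `definition-checksum` / `definition-signature` line layout, the function names, and all sample values are assumptions constructed for illustration.

```sh
# Added example. Assumption: in `tmsh list ltm rule` output each rule is an
# `ltm rule NAME { ... }` block with its checksum or signature stored on a
# `definition-checksum` / `definition-signature` line inside that block.
# Print "label<TAB>name<TAB>kind<TAB>value" for every rule in dump file $2.
rule_digests() {
    awk -v label="$1" '
        depth == 0 && /^ltm rule / { name = $3; kind = "none"; value = "-" }
        depth == 1 && $1 == "definition-checksum"  { kind = "checksum"; value = $2 }
        depth == 1 && $1 == "definition-signature" { kind = "signature"; value = $2 }
        {   # count braces so a "}" in the iRule body does not end the block
            line = $0
            depth += gsub(/[{]/, "", line) - gsub(/[}]/, "", line)
            if (depth == 0 && name != "") {
                printf "%s\t%s\t%s\t%s\n", label, name, kind, value; name = ""
            }
        }' "$2"
}

# compare_rules REF TARGET: sorted status line per rule; non-zero if any is not OK.
compare_rules() {
    report=$( { rule_digests ref "$1"; rule_digests tgt "$2"; } | awk -F'\t' '
        $1 == "ref" { rkind[$2] = $3; rval[$2] = $4; next }
                    { tkind[$2] = $3; tval[$2] = $4 }
        END {
            for (n in rkind) {
                if (!(n in tkind))           s = "MISSING"
                else if (tkind[n] == "none") s = "UNVERIFIED"
                else if (tkind[n] != rkind[n] || tval[n] != rval[n]) s = "MISMATCH"
                else                         s = "OK"
                print s "\t" n
            }
            for (n in tkind) if (!(n in rkind)) print "EXTRA\t" n
        }' | sort )
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -Eq '^(MISSING|UNVERIFIED|MISMATCH|EXTRA)'
}

# Constructed sample dumps (placeholder values, not real device output).
rule() { printf 'ltm rule %s {\nwhen HTTP_REQUEST {\n}\n%s\n}\n' "$1" "$2"; }
demo() {
    d=$(mktemp -d); rc=0
    { rule test1 "definition-checksum 1111"; rule test2 "definition-checksum 2222"
      rule test3 "definition-signature c2lnMQ=="; } > "$d/ref"
    { rule test1 "definition-checksum 1111"; rule test2 ""
      rule test3 "definition-signature c2lnMg=="; rule test4 ""; } > "$d/tgt"
    compare_rules "$d/ref" "$d/tgt" || rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "review the rules flagged above"
```

Against real devices, save `tmsh list ltm rule` from each one to a file and pass the reference dump first; any status other than OK marks a rule whose verification data differs from the reference or is absent.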
This article covered the steps required to get to a functional template for deploying an application service. As demonstrated, iApps don’t necessarily have to be a configuration engine, they can be used for other purposes. The steps were purposefully kept very simple and uncluttered to make all the pieces clear. Obviously, iApps can get very complex and there are some best practices and lessons learned that we’ll cover in the next article in this series.
Hi Jason,
I have a question: I created some virtual services using iWorkflow, so with some iApps. Now we need to upgrade our BIG-IP devices. Usually we transfer the UCS file from the old BIG-IP to the new one. How does it work with services created with iApps? Will I find the same services on the new BIG-IP (discovering the device from iWorkflow), or do I have to create all the services from scratch?