AS3
48 Topics

F5 - AS3 - BIGIQ / BIGIP SchemaVersion Misunderstanding
Dear community, I was wondering about the AS3 version currently used in order to deploy my AS3 on my BIG-IP target through BIG-IQ. BIG-IQ should install this current AS3 version on F5 BIG-IP target when deploying AS3 declaration.

Checking on my BIG-IQ, 3.44.0

curl -sk -H "Content-Type: application/json" -H "X-F5-Auth-Token: $TOKEN" -X GET "https://$BIGIQ/mgmt/shared/appsvcs/info"
{"version":"3.44.0","release":"3","schemaCurrent":"3.44.0","schemaMinimum":"3.0.0"}

Checking on my F5 BIG-IP, v 3.44.0

# pwd
/var/config/rest/iapps/f5-appsvcs
# cat version
3.44.0-3

My current AS3 declaration (I'm manually forcing schemaVersion) through BIG-IQ:

{
  "class": "AS3",
  "action": "patch",
  "schemaVersion": "3.44.0",
  "patchBody": [
    {
      "class": "ADC",
      "schemaVersion": "3.44.0",
      "target": { "address": "X.X.X.X" },
      "op": "add",
      "path": "/Automation/APP_TEST_1.2.12.140_446",
      "value": {
        "class": "Application",
        "remark": "REFERENCE : NULL_REFERENCE_20241109215237",
        "schemaOverlay": "AS3-F5-HTTPS-PASSTHROUGH-lb-template-big-iq",
        .... etc
}

Application Deployment logs from my BIG-IQ:

At the bottom: "schemaVersion": "3.12.0"

I don't understand why it's using this older schemaVersion, it should use the current 3.44.0. Is there any policy on BIG-IQ that can enforce this weird behavior?
{
  "id": "autogen_a4c95a0f-13e3-4078-92c3-3a8e6ea6f10c",
  "class": "ADC",
  "controls": { "class": "Controls", "userAgent": "BIG-IQ/8.3 Configured by API" },
  "Automation": {
    "class": "Tenant",
    "APP_TEST_1.2.12.140_446": {
      "class": "Application",
      "remark": "REFERENCE : NULL_REFERENCE_20241109215237",
      "template": "tcp",
      "serviceMain": {
        "pool": "/Automation/APP_TEST_1.2.12.140_446/HTTPS_443_pool",
        "class": "Service_TCP",
        "enable": true,
        "profileTCP": { "use": "/Automation/APP_TEST_1.2.12.140_446/HTTPS_443_tcp_profile" },
        "virtualPort": 446,
        "virtualAddresses": [ "1.2.12.140" ],
        "persistenceMethods": [ "source-address" ],
        "profileAnalyticsTcp": { "use": "/Automation/APP_TEST_1.2.12.140_446/Analytics_TCP_Profile" }
      },
      "HTTPS_443_pool": {
        "class": "Pool",
        "members": [
          { "adminState": "enable", "shareNodes": true, "servicePort": 443, "serverAddresses": [ "1.2.12.13" ] }
        ],
        "monitors": [ { "use": "/Automation/APP_TEST_1.2.12.140_446/HTTPS_443_monitor" } ],
        "loadBalancingMode": "least-connections-member"
      },
      "HTTPS_443_monitor": {
        "send": "GET /\r\n",
        "class": "Monitor",
        "receive": "none",
        "targetPort": 443,
        "monitorType": "http",
        "adaptiveWindow": 180,
        "adaptiveLimitMilliseconds": 1000,
        "adaptiveDivergencePercentage": 100
      },
      "Analytics_TCP_Profile": {
        "class": "Analytics_TCP_Profile",
        "collectCity": false,
        "collectRegion": true,
        "collectCountry": true,
        "collectNexthop": false,
        "collectPostCode": false,
        "collectContinent": true,
        "collectRemoteHostIp": false,
        "collectedByClientSide": true,
        "collectedByServerSide": true,
        "collectRemoteHostSubnet": true
      },
      "HTTPS_443_tcp_profile": { "class": "TCP_Profile", "synMaxRetrans": 3, "finWaitTimeout": 5 }
    }
  },
  "updateMode": "selective",
  "schemaVersion": "3.12.0"
}

Thanks in advance for your help!

31 Views, 0 likes, 0 Comments

AS3 no new LTS Version?
The AS3 Support Cycle Document states that end of support for the latest LTS Version 3.46.2 is 31-Oct-2024 and that the next LTS release is on 30-Sep-2024. However the Release 3.53.0 from 30-Sep-2024 is not present in the AS3 Documentation. So my Question now is if there will be another minor Version like 3.46.1 which then will be the LTS Variant? And if so when will it be released?

Solved, 35 Views, 0 likes, 1 Comment

Creating External Monitors via AS3
I am trying to create an external monitor via AS3 using a script that exists as part of a gitlab project.

See: https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html#monitor-external

F5 provides an example here. Excerpt:

"mNewExternalMonitorFile": {
  "class": "Monitor",
  "monitorType": "external",
  "interval": 5,
  "upInterval": 0,
  "timeUntilUp": 0,
  "timeout": 16,
  "expand": false,
  "script": { "url": "https://example.com/monitor.sh" },
  "environmentVariables": { "USER": "example" }
}

I am able to do this exact thing with the url portion replaced with a local resource. However, I need to be able to provide authentication/authorization details to the resource. There are other resources in AS3 that use the property Resource_URL. Unfortunately I can't use this because of the way Monitor_External is configured.

Alternatively, is there a way for me to point to the local BigIP "/shared" directory and pull the script from there?

15 Views, 0 likes, 0 Comments

AS3 w/ certificates and renewals..
So, I found myself in a little bit of a quandary with the use of AS3 declarations to deploy our F5 configurations for our services. So to create a virtual server with SSL certificate and profiles, and the nine-yards, you need to have as part of your AS3 declaration: SSL certificate (key and cert), that populate the profile, that then populates the profile section within the virtual server. So far so good...

Now, the certificate has a TTL (if you will), and needs to be renewed. In the past, I had a Python script that goes through the F5 using REST API to find expiring certificates and get new certs and updates the configuration. That worked just fine, and I have adapted that to be used on our new F5s using partitions/tenants, and it works. Unfortunately it also breaks the one source of truth (AS3), so if I go make a change to an AS3 declaration to make pool member or other configuration changes, and I then redeploy the AS3 declaration, then the OLD certificate is put back into play (which could be expired) and the service goes down. Has not happened yet, because this FUBAR situation popped into my head.

..and that is my quandary... How do I redeploy configurations and have it ignore the certificate and profile stanzas in AS3 declaration - so it does not redeploy an old and possibly expired certificate?

One may think .. well update the declaration with the updated certificate. Not as easy as one may think. I would have to do this for any declaration that I want to modify, not an easy task.. log into the F5, fetch the new PEM data for the certificate and key, update the declaration, and then deploy it. In some AS3 declarations, I am defining multiple environments for a service, and there might be up to 5 different certificate/key pairs that I would need to update prior to redeploying .. ugh! I am in a pickle. Thoughts?
The only solution that I have been able to conjure up in my head is additional automation and scripting that would automatically update the AS3 declarations when a certificate is renewed, which makes sense .. just have no idea how to go about this just yet. Hoping there are other alternatives?!

Solved, 228 Views, 0 likes, 6 Comments

HTTP Host Header replacement using AS3
I am using L7 policy within AS3 to manage my sites. I have a requirement where I need to modify the Host header before forwarding the request to the pool. I know this is easy in the GUI in the action section where I can just use replace HTTP Host. However, I do not see an action "replace" for the "Policy_Action_HTTP_Header" in the AS3 schema. Has anybody done this header replacement using AS3?

Note: I would rather not use "tcl:.." & am looking for native L7 syntax. Any help would be greatly appreciated.

89 Views, 0 likes, 2 Comments

AS3 GSLB_Pool - How to add members?
I am using AS3 to deploy LTM and DNS configs to a pair of standalone BIG-IPs in a DNS Sync Group. Everything works and I can add a virtual server to a GSLB_Pool if that virtual server is defined in this AS3 declaration. However, I need to add a virtual server to the pool that is in the other BIG-IP, configured as a server in a second data center. Auto discovery is configured but AS3 won't accept the second pool member saying that the object doesn't exist.

See the snippet below. Obviously I haven't posted the whole thing but the red section is what fails. vs_prod_dc1 is defined in this declaration (redacted) but vs_prod_dc2 is defined in another declaration because it's for a different BIG-IP. What am I missing here?

"DC1": { "class": "GSLB_Data_Center" },
"DC2": { "class": "GSLB_Data_Center" },
"F5-A": {
  "class": "GSLB_Server",
  "dataCenter": { "use": "DC1" },
  "devices": [ { "address": "172.16.20.1" } ],
  "virtualServerDiscoveryMode": "enabled-no-delete"
},
"F5-B": {
  "class": "GSLB_Server",
  "dataCenter": { "use": "DC2" },
  "devices": [ { "address": "172.16.20.2" } ],
  "virtualServerDiscoveryMode": "enabled-no-delete"
},
"dns_pool_prod": {
  "class": "GSLB_Pool",
  "resourceRecordType": "A",
  "members": [
    { "server": { "use": "/Common/Shared/F5-A" }, "virtualServer": { "use": "vs_prod_dc1" } },
    { "server": { "use": "/Common/Shared/F5-B" }, "virtualServer": { "use": "vs_prod_dc2" } }
  ]
}

50 Views, 0 likes, 2 Comments

AS3 Deployments (shared objects)
BIG-IP LTM: 17.1.1
AS3 Plugin: 3.49.0

We are migrating from older hardware to newer r5900 series hardware. In that process we are moving to configuration as code, using AS3. Working through all the hiccups and hurdles, came across a "need", that I was wondering if possible?! Can you have a "global" (or "shared") partition with configurations within that all partitions can reference?

I inherited the previous configurations from a colleague, and everything is located within the Common partition, which has kinda worked out nicely, as we can share "objects" (iRules, profiles, etc..) between most configurations. This also has been beneficial when we need to make a global change (certificate chain change, for example) that allowed us to fix all configurations quickly by changing just the one object that was shared. Is this possible across partitions, or is that a hard silo division, and nothing can be shared between them?

Solved, 307 Views, 0 likes, 5 Comments

How to Match Dynamic URI Segments in AS3
Hello Folks, I am working with F5 BIG-IP’s AS3 and I need to configure it to match and handle URI paths that include dynamic segments, specifically numbers following a certain path prefix (e.g., https://website.com/firstpart/{dynamic_number}). However, I need to ensure that the configuration does not match or include any URIs that extend beyond the specific pattern, such as https://website.com/firstpart/specific or https://website.com/firstpart/specific/evenmorespecific.

Is there a way within AS3 itself to handle these kinds of dynamic URIs directly, or would I need to integrate iRules to achieve this level of pattern matching? Any advice or examples would be greatly appreciated! Thank you!

48 Views, 0 likes, 0 Comments

AS3 Monitoring multiple ports selectively
Hi, I have nodes listening on port 80, 81, 82, 83. The port 80 is mandatory and at least one out of the other 3 ports is mandatory. With manual configuration, I put the port 80 monitor at the node level and the other 3 ports at pool member level. With AS3, the node level monitoring does not exist. What are the other options given that all my deployments are based on AS3? Thanks. OM

28 Views, 0 likes, 0 Comments