fortinet / fortiadc-ingress
License: Apache License 2.0
FortiADCIngressController: 2.0.0 (fortinet/fortiadc-ingress:2.0.0)
FortiADC-2000F v7.4.0,build0308,230706 (GA)
Adding an ingress will remove all existing virtual servers and real server pools on the load balancer/vdom!
The ingress is using the POST /api/declarative API route and it appears it is declarative for the entire load balancer/vdom and as such will try to remove all existing entries.
Looking at the API calls, those /api/declarative calls result in various "payload" errors, yet the load balancer is creating a working virtual server/content routing/real server pools. Other entries created by the ingress are not removed; only the manually created entries are being removed. I captured a request when adding an ingress and manually ran the API call with the "async" option set to false (which gives text errors) and got this payload:
{
  "payload": [
    "Failed to delete content routing 'test2_test2-ingress_service2_1': Entry is used.",
    "Failed to delete content routing 'test2_test2-ingress_service1_2': Entry is used.",
    "Failed to delete content routing 'test_verify-ingress_verify-purple-service': Entry is used.",
    "Failed to delete content routing 'test_verify-ingress_verify-purple-service_1': Entry is used.",
    "Failed to delete content routing 'test_verify-ingress_verify-green-service_2': Entry is used.",
    "Failed to delete content routing 'test_verify-ingress_verify-blue-service_3': Entry is used.",
    "Failed to delete content routing 'test3_test3-ingress_test3-kuard-service': Entry is used.",
    "Failed to delete real server pool 'test2_service1': Entry is used.",
    "Failed to delete real server pool 'test2_service2': Entry is used.",
    "Failed to delete real server pool 'test_verify-purple-service': Entry is used.",
    "Failed to delete real server pool 'test_verify-blue-service': Entry is used.",
    "Failed to delete real server pool 'test_verify-green-service': Entry is used.",
    "Failed to delete real server pool 'test3_test3-kuard-service': Entry is used."
  ]
}
So it appears it is actually trying to delete the other ingress-created entries but is being denied by the load balancer due to the LB seeing them as being used.
This behavior removed about 30 virtual servers in root on a lab FortiADC 200 instance and a dozen in a VDOM on a lab FortiADC 2000 instance. I have further confirmed this behavior while rebuilding those.
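The error strings in that payload have a fixed shape ("Failed to delete <kind> '<name>': <reason>"), so they can be parsed to see exactly which objects the controller's declarative POST tried to remove, and a before/after inventory shows what it actually did remove. The following script is an added example written for this page, not code from the fortiadc-ingress project. It reuses the first two error lines of the payload posted above; the virtual-server inventories are constructed, and the shape of a FortiADC list response ({"payload": [{"mkey": ...}]}) is an assumption, since this page only shows the controller POSTing to /api/load_balance_virtual_server?vdom=root and never shows a listing response.

```python
import re

# Shape of each error string in the "payload" of a synchronous (async=false)
# POST /api/declarative response, as captured in the report above:
#   Failed to delete <object kind> '<name>': <reason>
DELETE_ERROR = re.compile(
    r"^Failed to delete (?P<kind>[a-z ]+?) '(?P<name>[^']+)': (?P<reason>.+?)\.?$"
)


def parse_declarative_errors(response):
    """Turn the payload error strings into structured records.

    Lines that do not match the known shape are kept verbatim under
    kind="unknown" so nothing the appliance reported is silently dropped.
    """
    records = []
    for line in response.get("payload", []):
        m = DELETE_ERROR.match(line)
        if m:
            records.append({"kind": m["kind"], "name": m["name"], "reason": m["reason"]})
        else:
            records.append({"kind": "unknown", "name": None, "reason": line})
    return records


def attempted_deletes_by_kind(records):
    """Group the names the controller tried (and failed) to delete, per object kind."""
    grouped = {}
    for rec in records:
        grouped.setdefault(rec["kind"], []).append(rec["name"])
    return grouped


def inventory(list_response, key="mkey"):
    """Set of object names in a FortiADC list response.

    Assumption (not documented on this page): a GET on the listing route,
    e.g. /api/load_balance_virtual_server?vdom=<vdom>, returns
    {"payload": [{"mkey": "<name>", ...}, ...]}. The key is a parameter in
    case your firmware names it differently.
    """
    return {obj[key] for obj in list_response.get("payload", [])}


def removed_between(before, after):
    """Names present before the ingress was applied and gone afterwards."""
    return sorted(before - after)


# First two lines of the payload posted in the report above.
CAPTURED_PAYLOAD = {
    "payload": [
        "Failed to delete content routing 'test2_test2-ingress_service2_1': Entry is used.",
        "Failed to delete real server pool 'test2_service1': Entry is used.",
    ]
}

# Constructed inventories (not captured from a real appliance): two manually
# created virtual servers exist before the ingress and are gone afterwards.
VS_BEFORE = {"payload": [{"mkey": "legacy-web-vs"}, {"mkey": "legacy-api-vs"},
                         {"mkey": "test2_test2-ingress"}]}
VS_AFTER = {"payload": [{"mkey": "test2_test2-ingress"},
                        {"mkey": "test3_test3-ingress"}]}

if __name__ == "__main__":
    for rec in parse_declarative_errors(CAPTURED_PAYLOAD):
        print(rec)
    print("virtual servers removed:",
          removed_between(inventory(VS_BEFORE), inventory(VS_AFTER)))
```

Taking the two inventories (one GET per object kind, per VDOM) immediately before and after the first ingress is applied is the cheapest way to confirm on your own appliance whether the declarative call wipes manually created objects, and the parsed error list tells you which ingress-owned objects it also tried to remove but could not because the LB reported them in use.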
Hello,
is it possible to upload intermediate certs?
In this document
https://s3.amazonaws.com/fortinetweb/docs.fortinet.com/v2/attachments/85986864-2436-11e9-b20a-f8bc1258b856/fortiadc-v5.0.0-rest-api-reference.pdf
in the function
/system_certificate_intermediate_ca
the POST method exists but there are no examples:
"POST": {
  "Response": {
    "payload": -149
  }
}
The API route /api/upload/certificate_local requires the vdom URL parameter to be specified in order to work for a user who does not have Global Admin privileges and instead only has Read-Write System privileges specified for their profile and assigned to the given VDOM.
Logs:
------------------ Response start ------------------
{
"payload": -37
}
------------------ Response end ------------------
test2/nginx-ingress: Do POST url https://10.100.100.22/api/upload/certificate_local
test2/nginx-ingress: Do POST url https://10.100.100.22/api/system_certificate_local_cert_group?vdom=vdom1
------------------ Response start ------------------
{
"status": "Succeeded"
}
------------------ Response end ------------------
test2/nginx-ingress: Do POST url https://10.100.100.22/api/system_certificate_local_cert_group_child_group_member?vdom=vdom1&pkey=test2_nginx-ingress
------------------ Response start ------------------
{
  "status": "Failed",
  "payload": "Empty value is not allowed."
}
------------------ Response end ------------------
As you can see from the logs above, the Ingress Controller is missing this "vdom" URL parameter for /api/upload/certificate_local. In our case it would need to look like
test2/nginx-ingress: Do POST url https://10.100.100.22/api/upload/certificate_local?vdom=vdom1
We confirmed this behavior on internal automation using the API for our 3 pairs of FortiADC-2000F and 2 pairs of FortiADC-200F running 6.2.5 - 7.1.1. The vdom field in the JSON payload is also required, but I can't see that info in the logs - I assume that is also included.
FortiADCIngressController: 2.0.0 (fortinet/fortiadc-ingress:2.0.0)
FortiADC-2000F v7.4.0,build0308,230706 (GA)
The content routing created for a prefix path rule does not appear to be correct.
The ingress spec of
spec:
  ingressClassName: fadc-ingress-controller
  rules:
  - host: test3.lab.example.net
    http:
      paths:
      - path: "/"
        pathType: Prefix
        backend:
          service:
            name: test3-kuard-service
            port:
              number: 80
creates a Content Routing entry with an HTTP Request URL regex of ^()((/\w+)|/|)+$
and the problem with this is that \w matches any word character - that excludes characters like _ . - ? - & etc... and as you can imagine this breaks all references to all files in the URL and any query parameters. Kinda important.
I would suggest changing the \w to simply a . to match any character. For example ^()((/.+)|/|)+$.
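The two regexes quoted above can be checked side by side against realistic request paths, which makes the effect of \w on file extensions and query strings concrete. The script below is an added example for this page, not code from the fortiadc-ingress controller. GENERATED and PROPOSED are the two patterns from the report; prefix_regex is my own suggested element-wise Prefix matcher (Kubernetes Prefix semantics: "/api" matches "/api" and "/api/..." but not "/apix", and "/" matches everything), which goes beyond the "/" rule in the report; the request paths are constructed.

```python
import re

# Regexes quoted in the report above: the one the controller generates for a
# pathType: Prefix rule on "/", and the replacement proposed in the report.
GENERATED = r"^()((/\w+)|/|)+$"
PROPOSED = r"^()((/.+)|/|)+$"


def matches(pattern, url):
    """Does the (already anchored) pattern accept this request URL?"""
    return re.search(pattern, url) is not None


def compare(urls, patterns):
    """Map each URL to {pattern_name: bool} for side-by-side inspection."""
    return {u: {name: matches(p, u) for name, p in patterns.items()} for u in urls}


def prefix_regex(path):
    """Regex for a Kubernetes pathType: Prefix rule, built element-wise.

    Added suggestion, not the controller's code. Prefix matching compares
    path elements, so "/api" must match "/api", "/api/" and "/api/x" but
    not "/apix", and "/" matches every request path. A trailing slash on
    the rule is ignored, as the Ingress spec does.
    """
    path = path.rstrip("/")
    if not path:
        return r"^/.*$"
    return r"^" + re.escape(path) + r"(/.*)?$"


SAMPLE_URLS = [  # constructed request paths
    "/",
    "/foo/bar",
    "/index.html",
    "/static/app-v2.css",
    "/api/v1/users?id=5&page=2",
]

if __name__ == "__main__":
    table = compare(SAMPLE_URLS, {"generated": GENERATED, "proposed": PROPOSED,
                                  "prefix('/')": prefix_regex("/")})
    for url, result in table.items():
        print(f"{url:30} " + "  ".join(f"{k}={v}" for k, v in result.items()))
```

Note that both quoted patterns keep the leading empty group "()" and the empty alternative inside the repeat, so the proposed pattern is functionally just "starts with /"; if you only need the root prefix, ^/.*$ is the same match with less to reason about, and for non-root prefixes the element-wise form avoids "/api" also capturing "/apix".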
Steps to reproduce:
Error updating ingress default/nginx-ingress rule: Operation cannot be fulfilled on ingresses.networking.k8s.io \"nginx-ingress\": the object has been modified; please apply your changes to the latest version and try again"
default/nginx-ingress: Do POST url https://192.168.1.2/api/load_balance_virtual_server?vdom=root