fortiadc-ingress's People

Contributors

ftnt-hqcm, joel-cripps, ytlai, ytlai-ftnt

fortiadc-ingress's Issues

Using ingress deletes all existing virtual servers and real server pools

FortiADCIngressController: 2.0.0 (fortinet/fortiadc-ingress:2.0.0)
FortiADC-2000F v7.4.0,build0308,230706 (GA)

Adding an ingress will remove all existing virtual servers and real server pools on the load balancer/vdom!

The ingress is using the POST /api/declarative API route and it appears it is declarative for the entire load balancer/vdom and as such will try to remove all existing entries.

Looking at the API calls, those /api/declarative calls result in various "payload" errors, yet the load balancer is creating a working virtual server/content routing/real server pools. Other entries created by the ingress are not removed. Only the manually created entries are being removed. I captured a request when adding an ingress and manually ran the API call with the "async" option set to false (gives text errors) and got this payload:

{
    "payload": [
        "Failed to delete content routing 'test2_test2-ingress_service2_1': Entry is used.",
        "Failed to delete content routing 'test2_test2-ingress_service1_2': Entry is used.",
        "Failed to delete content routing 'test_verify-ingress_verify-purple-service': Entry is used.",
        "Failed to delete content routing 'test_verify-ingress_verify-purple-service_1': Entry is used.",
        "Failed to delete content routing 'test_verify-ingress_verify-green-service_2': Entry is used.",
        "Failed to delete content routing 'test_verify-ingress_verify-blue-service_3': Entry is used.",
        "Failed to delete content routing 'test3_test3-ingress_test3-kuard-service': Entry is used.",
        "Failed to delete real server pool 'test2_service1': Entry is used.",
        "Failed to delete real server pool 'test2_service2': Entry is used.",
        "Failed to delete real server pool 'test_verify-purple-service': Entry is used.",
        "Failed to delete real server pool 'test_verify-blue-service': Entry is used.",
        "Failed to delete real server pool 'test_verify-green-service': Entry is used.",
        "Failed to delete real server pool 'test3_test3-kuard-service': Entry is used."
    ]
}

So it appears it is actually trying to delete the other ingress-created entries but is being denied by the load balancer due to the lb seeing them as being used.

This behavior removed about 30 virtual servers in root on a lab fortiadc 200 instance and a dozen in a vdom on a lab fortiadc 2000 instance. I have further confirmed this behavior while rebuilding those.

uploading cert fails for VDOMs using non-global admin users

The api route /api/upload/certificate_local requires the vdom url parameter to be specified in order to work for a user who does not have Global Admin privileges and instead only has Read-Write System privileges specified for their profile and assigned to given VDOM.

Logs:

------------------ Response start ------------------
{
"payload": -37
}
------------------ Response end ------------------
test2/nginx-ingress: Do POST url https://10.100.100.22/api/upload/certificate_local
test2/nginx-ingress: Do POST url https://10.100.100.22/api/system_certificate_local_cert_group?vdom=vdom1
------------------ Response start ------------------
{
"status": "Succeeded"
}
------------------ Response end ------------------
test2/nginx-ingress: Do POST url https://10.100.100.22/api/system_certificate_local_cert_group_child_group_member?vdom=vdom1&pkey=test2_nginx-ingress
------------------ Response start ------------------
{
"status": "Failed"
"payload": "Empty value is not allowed."
}
------------------ Response end ------------------

As you can see from the logs above the Ingress Controller is missing this "vdom" url parameter for /api/upload/certificate_local. In our case it would need to look like

test2/nginx-ingress: Do POST url https://10.100.100.22/api/upload/certificate_local?vdom=vdom1

We confirmed this behavior on internal automation using the API for our 3 pairs of FortiADC-2000F and 2 pairs of FortiADC-200F running 6.2.5 - 7.1.1. The vdom field in the json payload is also required, but I can't see that info in the logs - I assume that is also included.
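A way to audit controller logs for API calls that are not scoped to a VDOM, as reported above. This is an added example, not code from the issue or from the fortiadc-ingress project; the function name `audit_vdom` and the assumed log line shape (`<namespace/ingress>: Do <METHOD> url <URL>`) are taken from the excerpt above, nothing more.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request lines copied from the log excerpt in the issue (responses omitted).
SAMPLE_LOG = """\
test2/nginx-ingress: Do POST url https://10.100.100.22/api/upload/certificate_local
test2/nginx-ingress: Do POST url https://10.100.100.22/api/system_certificate_local_cert_group?vdom=vdom1
test2/nginx-ingress: Do POST url https://10.100.100.22/api/system_certificate_local_cert_group_child_group_member?vdom=vdom1&pkey=test2_nginx-ingress
"""

# Assumed line shape, inferred from the excerpt only.
REQUEST_LINE = re.compile(r"^(?P<ingress>\S+): Do (?P<method>[A-Z]+) url (?P<url>\S+)$")


def audit_vdom(log_text, expected_vdom=None):
    """Return (ingress, method, path, reason) for calls with a missing or unexpected vdom."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line.strip())
        if not m:
            continue  # response bodies and separators are ignored
        parts = urlsplit(m["url"])
        # parse_qs drops blank values, so "?vdom=" also counts as missing.
        vdoms = parse_qs(parts.query).get("vdom", [])
        if not vdoms:
            reason = "missing vdom"
        elif expected_vdom is not None and vdoms != [expected_vdom]:
            reason = "unexpected vdom " + ",".join(vdoms)
        else:
            continue
        findings.append((m["ingress"], m["method"], parts.path, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_vdom(SAMPLE_LOG, expected_vdom="vdom1"):
        print(finding)
```
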

incorrect content routing HTTP Request URL match condition regex

FortiADCIngressController: 2.0.0 (fortinet/fortiadc-ingress:2.0.0)
FortiADC-2000F v7.4.0,build0308,230706 (GA)

The content routing created for a prefix path rule does not appear to be correct.

The ingress spec of

spec:
  ingressClassName: fadc-ingress-controller
  rules:
  - host: test3.lab.example.net
    http:
      paths:
      - path: "/"
        pathType: Prefix
        backend:
          service:
            name: test3-kuard-service
            port:
              number: 80

Creates a Content Routing entry with an HTTP Request URL regex of ^()((/\w+)|/|)+$ and the problem with this is \w matches any word character - that excludes characters like _ . - ? - & etc... and as you can imagine this breaks all references to all files in the URL and any query parameters. Kinda important.

I would suggest changing the \w to simply a . to match any character. For example ^()((/.+)|/|)+$ .
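The two patterns from this issue, run against sample request paths to show which ones each rejects and which character causes the rejection. This is an added example, not code from the issue or the controller; the paths are constructed, and it assumes the FortiADC regex engine treats `\w` as ASCII letters, digits and underscore, as Python's `re` does with `re.ASCII`.

```python
import re

# Pattern the issue reports for path "/" with pathType Prefix.
GENERATED = r"^()((/\w+)|/|)+$"
# Replacement the issue author suggests.
SUGGESTED = r"^()((/.+)|/|)+$"

# Constructed request targets for illustration (not taken from the issue).
SAMPLE_PATHS = [
    "/",
    "/healthz",
    "/api/v1/users/",
    "/user_profile",            # underscore is a word character for \w
    "/static/app.js",
    "/img/logo-dark.png",
    "/search?q=kuard&page=2",
]


def rejected(pattern, paths=SAMPLE_PATHS):
    """Return the paths that the pattern fails to match."""
    rx = re.compile(pattern, re.ASCII)
    return [p for p in paths if rx.search(p) is None]


def first_blocking_char(path):
    """First character outside [A-Za-z0-9_/], or None if there is none."""
    m = re.search(r"[^\w/]", path, re.ASCII)
    return m.group(0) if m else None


if __name__ == "__main__":
    for p in rejected(GENERATED):
        print(f"generated pattern rejects {p!r} at {first_blocking_char(p)!r}")
    print("suggested pattern rejects:", rejected(SUGGESTED))
```
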

Updating the Ingress URL makes the controller throw an error

Steps to reproduce:

  1. Apply an ingress
  2. Edit the URL part of the ingress
  3. Re-apply
  4. Read log from the ingress controller:
Error updating ingress default/nginx-ingress rule: Operation cannot be fulfilled on ingresses.networking.k8s.io \"nginx-ingress\": the object has been modified; please apply your changes to the latest version and try again"
default/nginx-ingress: Do POST url https://192.168.1.2/api/load_balance_virtual_server?vdom=root