ingress https monitor not allowing send string to be set. #2394

Closed
mleklund opened this issue May 6, 2022 · 5 comments

mleklund commented May 6, 2022

Setup Details

CIS Version : 2.8.0
Build: f5networks/k8s-bigip-ctlr:2.8.0
BIGIP Version: Big IP 12.1.5.3 HotFix 0.16.5
AS3 Version: 3.19.0-4
Agent Mode: AS3
Orchestration: K8S
Orchestration Version: 1.20.14
Pool Mode: Nodeport

Description

Steps To Reproduce

Use ingress with health monitor set to type https and a send string HTTP GET /

Expected Result

send string to be HTTP GET /

Actual Result

send string is HEAD / HTTP/1.0\r\n\r\n.

Diagnostic Information

Ingress.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    ingress.kubernetes.io/allow-http: "false"
    ingress.kubernetes.io/ssl-redirect: "true"
    virtual-server.f5.com/health: |
      [
        {
          "path": "secure.example.com/",
          "send": "HTTP GET / HTTP/1.0\r\n\r\n",
          "interval": 5,
          "timeout": 10,
          "type": "https"
        }
       ]
    virtual-server.f5.com/ip: 1.1.1.1
    virtual-server.f5.com/serverssl: /Common/serverssl
  labels:
    app-group: atl
    app.kubernetes.io/instance: xyz
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: web-secure-prod
    app.kubernetes.io/version: latest
    helm.sh/chart: web-secure-prod-0.1.0
  name: xyz-web-secure-prod
  namespace: web
spec:
  ingressClassName: f5
  rules:
  - host: secure.example.com
    http:
      paths:
      - backend:
          service:
            name: xyz-web-secure
            port:
              name: https
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - secure.example.com
    secretName: xyz-web-secure-tls

TMSH result:

ltm monitor https /k8s/Shared/ingress_web_xyz_web_secure_0_https {
    adaptive disabled
    adaptive-limit 1000
    adaptive-sampling-timespan 180
    cipherlist DEFAULT
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    ip-dscp 0
    recv HTTP/1.
    recv-disable none
    send "HEAD / HTTP/1.0\r\n\r\n"
    time-until-up 0
    timeout 10
}

Observations (if any)

If I set the monitor type to http, I get the proper send string.

ltm monitor http /k8s/Shared/ingress_web_xyz_web_secure_0_http {
    adaptive disabled
    adaptive-limit 1000
    adaptive-sampling-timespan 180
    defaults-from http
    destination *:*
    interval 5
    ip-dscp 0
    partition k8s
    recv none
    recv-disable none
    send "HTTP GET / HTTP/1.0\r\n\r\n"
    time-until-up 0
    timeout 10
}
@mleklund mleklund added bug untriaged no JIRA created labels May 6, 2022

mleklund commented May 6, 2022

Further investigation of the AS3 config shows:

"ingress_web_xyz_web_secure_0_https": {
    "class": "Monitor",
    "interval": 5,
    "monitorType": "https",
    "targetAddress": "",
    "timeout": 10,
    "adaptive": false,
    "targetPort": 0
},

And the default https AS3 send string is HEAD, so it looks like the AS3 generated for HTTPS checks is not setting the send string.
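
A check for the symptom reported in this thread, added here as an example and not code from CIS or from anyone in the issue: it compares the `send` string requested in the `virtual-server.f5.com/health` annotation with the AS3 `Monitor` object of the same `monitorType` and reports monitors where it is absent or different. The function name, the matching by monitor type, and the `correctedAS3` sample are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// healthCheck is one entry of the virtual-server.f5.com/health annotation.
type healthCheck struct{ Send, Type string }

// as3Monitor: Send is a pointer so a missing "send" property is detectable.
type as3Monitor struct {
	Class, MonitorType string
	Send               *string
}

// findSendDrift maps a monitor name to a finding when the annotation's send string is not applied.
func findSendDrift(annotation, as3Objects string) (map[string]string, error) {
	var checks []healthCheck
	if err := json.Unmarshal([]byte(annotation), &checks); err != nil {
		return nil, fmt.Errorf("annotation: %w", err)
	}
	var objs map[string]json.RawMessage
	if err := json.Unmarshal([]byte(as3Objects), &objs); err != nil {
		return nil, fmt.Errorf("declaration: %w", err)
	}
	findings := map[string]string{}
	for name, raw := range objs {
		var m as3Monitor
		if json.Unmarshal(raw, &m) != nil || m.Class != "Monitor" {
			continue // not an AS3 Monitor object
		}
		for _, c := range checks { // matching by type is an assumption of this example
			if c.Type != m.MonitorType || (m.Send != nil && *m.Send == c.Send) {
				continue // other monitor type, or send string carried through
			}
			findings[name] = fmt.Sprintf("annotation send %q not applied (send unset: %t)", c.Send, m.Send == nil)
		}
	}
	return findings, nil
}

// Constructed samples: annotation and reportedAS3 follow the issue; correctedAS3 is hypothetical.
const sampleAnnotation = `[{"path":"secure.example.com/","send":"HTTP GET / HTTP/1.0\r\n\r\n","interval":5,"timeout":10,"type":"https"}]`
const reportedAS3 = `{"ingress_web_xyz_web_secure_0_https":{"class":"Monitor","interval":5,"monitorType":"https","timeout":10,"adaptive":false}}`
const correctedAS3 = `{"ingress_web_xyz_web_secure_0_https":{"class":"Monitor","monitorType":"https","send":"HTTP GET / HTTP/1.0\r\n\r\n"}}`

func main() {
	fmt.Println(findSendDrift(sampleAnnotation, reportedAS3))
	fmt.Println(findSendDrift(sampleAnnotation, correctedAS3))
}
```

Run against the declaration CIS posts after an upgrade, an empty result means every annotated send string reached its monitor.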


mleklund commented May 6, 2022

AS3 monitor creation functions are different in these two code paths:
https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/pkg/agent/as3/as3Common.go#L493
https://github.com/F5Networks/k8s-bigip-ctlr/blob/master/pkg/controller/backend.go#L959

Based on the results, I would guess that ingress runs through as3common.

@trinaths
Contributor

Created [CONTCNTR-3381] for internal tracking.

@trinaths trinaths added JIRA and removed untriaged no JIRA created labels May 17, 2022

trinaths commented Oct 6, 2022

Issue fixed in 2.10.1

@trinaths trinaths closed this as completed Oct 6, 2022
@mdditt2000
Contributor

@mleklund We have resolved this issue in CIS 2.10.1. Could you please reach out to me at automation_toolchain_pm@f5.com so that I can prioritize other issues in the future and am aware of who you are? Thanks, CIS PM
