f5-declarative-onboarding icon indicating copy to clipboard operation
f5-declarative-onboarding copied to clipboard

Published 20 hours ago verified publisher icon F5Networks

DO fails after SSLO module is initialized. DO fails to delete /Common/sslo-default-http-explicit-profile-dns-resolver

Open megamattzilla opened this issue 1 year ago • 0 comments

Environment

  • Declarative Onboarding Version: 1.38
  • BIG-IP Version: 15.1.x

Summary

After provisioning a Big-IP with DO, after provising the SSLO module you can no longer run DO to make changes.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Submit the following declaration:
{
    "schemaVersion": "1.38.0",
    "class": "Device",
    "async": true,
    "label": "my BIG-IP declaration for declarative onboarding",
    "Common": {
        "class": "Tenant",
        "hostname": "bigip1.example.com",
        "myDns": {
            "class": "DNS",
            "nameServers": [
                "8.8.8.8"
            ]
        },
        "myNtp": {
            "class": "NTP",
            "servers": [
                "0.pool.ntp.org"
            ],
            "timezone": "UTC"
        },
        "myProvisioning": {
            
            "ltm": "nominal",
            "sslo": "nominal",
            "class": "Provision"
        }
    }
}

Declaration is Successful

  1. Click SSL Orchestrator in Big-IP GUI to initialize SSLO. No further configuration required to reproduce.
  2. Send the exact same DO declaration as step number 1
  3. Observe following error response from DO:
    "id": "38ec9ed8-7432-495a-bf5a-97e1ca74ccb7",
    "selfLink": "https://localhost/mgmt/shared/declarative-onboarding/task/38ec9ed8-7432-495a-bf5a-97e1ca74ccb7",
    "code": 422,
    "status": "ERROR",
    "message": "invalid config - rolled back",
    "errors": [
        "01070265:3: The DNS Resolver (/Common/sslo-default-http-explicit-profile-dns-resolver) cannot be deleted because it is in use by a HTTP Profile (/Common/sslo-default-http-explicit).",
        "01070265:3: The DNS Resolver (/Common/sslo-default-http-explicit-profile-dns-resolver) cannot be deleted because it is in use by a HTTP Profile (/Common/sslo-default-http-explicit)."
    ],
    "result": {
        "class": "Result",
        "code": 422,
        "status": "ERROR",
        "message": "invalid config - rolled back",
        "errors": [
            "01070265:3: The DNS Resolver (/Common/sslo-default-http-explicit-profile-dns-resolver) cannot be deleted because it is in use by a HTTP Profile (/Common/sslo-default-http-explicit).",
            "01070265:3: The DNS Resolver (/Common/sslo-default-http-explicit-profile-dns-resolver) cannot be deleted because it is in use by a HTTP Profile (/Common/sslo-default-http-explicit)."
        ]
    },

Expected Behavior

DO executes the declaration successfully and makes changes as needed.

Actual Behavior

DO fails with error message.

It seems that DO needs to ignore the things that SSLO configuration creates such as DNS resolvers. If we delete the DNS resolver and then run DO again, the declaration is successful.

megamattzilla avatar Jul 07 '23 19:07 megamattzilla