Rewrite-target-url annotation doesn't work when rewrites /

[jmolinavizcaino]

Setup Details

CIS Version : 2.13.1
Build: f5networks/k8s-bigip-ctlr:2.13.1
BIGIP Version: Big IP 15.1.8 Build 0.0.7 Final
AS3 Version: 3.26.1
Agent Mode: AS3
Orchestration: K8S
Orchestration Version: v1.23.8
Pool Mode: Cluster
Additional Setup details:
Calico v3.24.3

Description

A K8s administrator needs to rewrite the requests to a web application to append a path prefix to the path send by the client. To implement it, the administrator use the virtual-server.f5.com/rewrite-target-url annotation but it doesn't works when it's configured to rewrite the / to another URI.

virtual-server.f5.com/rewrite-target-url: server.com/=server.com/tmp`

The BIG-IP returns a 422 Error and in the restnoded.log prints this error

`Mon, 28 Oct 2024 16:14:38 GMT - severe: [appsvcs] {"message":"Declaration failed: 01071709:3: Policy '/mycontainers_demoupc/Shared/Ingress_A_B_C_D_443', rule 'url_rewrite_rule_nginx_ie_des_upc_edu__nginx_ie_des_upc_edu_tmp'; operand 'http-uri' with condition 'equals' requires at least 1 value.","level":"error"}

The virtual-server.f5.com/rewrite-app-root is not an alternative because it configure a redirect and not a rewrite.

How can we implement this

Steps To Reproduce

Create in K8s a ingress resource managed by the F5 controller with the annotation . Example:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  namespace: nginx-prueba
  annotations:
    kubernetes.io/ingress.class: f5-ingress-class
    virtual-server.f5.com/balance: predictive-member
    virtual-server.f5.com/whitelist-source-range: 10.0.0.0/8
    ingress.kubernetes.io/allow-http: "false"
    ingress.kubernetes.io/ssl-redirect: "true"
    virtual-server.f5.com/clientssl: '[ { "bigIpProfile": "/Common/ssl_wildcard"}]'
    virtual-server.f5.com/health: '[{"path": "server.com/", "send":"GET /healthz HTTP/1.1", "interval": 5, "timeout": 10}]'
    virtual-server.f5.com/rewrite-target-url: server.com/=server.com/tmp
    virtual-server.f5.com/ip: A.B.C.D
spec:
  rules:
  - host: "server.com"
    http:
      paths:
        - path: /tmp
          pathType: Prefix
          backend:
            service:
              name: nginx-svc
              port:
                number: 80

When the F5 controller try to make the changes in the F5 device reports the error showed previously,

Expected Result

The expected result is the F5 controller doesn't return the error and it should configure the action policy rule with the tcl regsub expression

1. Forward traffic to pool '/Partition1/Shared/ingress_nginx_prueba_nginx_svc' at request time.
2. Replace HTTP Header named 'host' with value 'server.com at request time.
3. Replace HTTP URI with value 'tcl:[regsub / [HTTP::uri] /tmp ]' at request time.

Actual Result

In this situation, the F5 controller cannot make any changes futher changes in the F5 node until the ingress resource with the rewrite-target-url annotation is deleted.

[trinaths]

Created [CONTCNTR-4973] for internal tracking.

[lavanya-f5]

@jmolinavizcaino could you please provide more details on the requirements to understand the use case better.
Regarding virtual-server.f5.com/rewrite-target-url: server.com/=server.com/tmp

is the expectation to redirect traffic just for url server.com/ or subpaths like server.com/foo, server.com/bar to server.com/tmp

since the actual backend path is /tmp and nothing on /, the app root is /tmp? is this understanding correct?

[jmolinavizcaino]

Hi @lavanya-f5

We expect that the F5 insert a rewrite rule to substitute the first / by /tmp. So that if the http client enters:

• https://server.com/ --> the path rewrites to https://server.com/tmp before to send the request to the server node.
• https://server.com/bar --> the path rewrites to https://server.com/tmp/bar before to send the request to the server node.
• https://server.com/foo --> the path rewrites to https://server.com/tmp/foo before to send the request to the server node.
• https://server.com/bar/foo --> the path rewrites to https://server.com/tmp/bar/foo before to send the request to the server node.

[trinaths]

Created [CONTCNTR-4983] for internal tracking.