LOG: misleading message when mismatching host in TLSProfile #3487

Open
alonsocamaro opened this issue Jul 17, 2024 · 0 comments
Labels
bug untriaged no JIRA created


Setup Details

CIS Version : 2.17.1
Build: f5networks/k8s-bigip-ctlr:2.17.1

Description

When using the following wrong configuration:

apiVersion: "cis.f5.com/v1"
kind: VirtualServer
metadata:
  name: route-b
  namespace: openshift-ingress
  labels:
    f5cr: "true"
spec:
  host: www.migration.com
  virtualServerAddress: "10.1.10.106"
  hostGroup: migration.com
  tlsProfileName: reencrypt-tls

and

apiVersion: cis.f5.com/v1
kind: TLSProfile
metadata:
  name: reencrypt-tls
  namespace: openshift-ingress
  labels:
    f5cr: "true"
spec:
  tls:
    termination: reencrypt
    clientSSL: /Common/example.com
    serverSSL: /Common/serverssl
    reference: bigip
  hosts:
  - www.example.com
  - account.example.com

The error message is:

2024/07/17 09:30:58 [ERROR] TLSProfile reencrypt-tls with host www.migration.com does not match with virtual server route-b host.

Where it should be the other way around, i.e.:

2024/07/17 09:30:58 [ERROR] TLSProfile reencrypt-tls with host www.example.com does not match with virtual server route-b host www.migration.com.

Steps To Reproduce

  1. Create the above config with mismatching host names

Expected Result

  • The proposed error message
  • That the status of the VS is updated with an indicator of the error, the more precise the better (i.e. BADTLS). At present the status field is just empty:

[cloud-user@ocp-provisioner routes-bigip]$ oc -n openshift-ingress get vs
NAME      HOST                TLSPROFILENAME   HTTPTRAFFIC   IPADDRESS     IPAMLABEL   IPAMVSADDRESS   STATUS   AGE
route-b   www.migration.com   reencrypt-tls                  10.1.10.106                                        7m30s

Actual Result

  • wrong log error
  • no status field update
@alonsocamaro alonsocamaro added bug untriaged no JIRA created labels Jul 17, 2024
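
The host check this issue describes, sketched in Go as an added example (not CIS's own code and not from the reporter): it compares each VirtualServer host against the hosts of the TLSProfile it references and returns a message naming both sides plus a status value. The type names, `CheckTLSHosts`, the case-insensitive comparison and the "not found" message are assumptions; `BADTLS` is the status value suggested in the issue, and listing every profile host generalises the proposed message, which shows one.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal stand-ins for the two custom resources (only fields shown in the issue) and a result type.
type VirtualServer struct{ Name, Namespace, Host, TLSProfileName string }
type TLSProfile struct {
	Name, Namespace string
	Hosts           []string
}
type Finding struct{ VS, Status, Message string } // log line plus status for one VirtualServer

// CheckTLSHosts flags each VirtualServer whose host is absent from its TLSProfile.
func CheckTLSHosts(vss []VirtualServer, profiles []TLSProfile) []Finding {
	byKey := map[string]TLSProfile{}
	for _, p := range profiles {
		byKey[p.Namespace+"/"+p.Name] = p
	}
	var out []Finding
	for _, vs := range vss {
		if vs.TLSProfileName == "" {
			continue // no TLS requested, nothing to compare
		}
		p, ok := byKey[vs.Namespace+"/"+vs.TLSProfileName]
		matched := false
		for _, h := range p.Hosts { // a missing profile has no hosts, so this loop is a no-op
			matched = matched || strings.EqualFold(h, vs.Host) // case-insensitive: assumption
		}
		msg := fmt.Sprintf("TLSProfile %s with hosts [%s] does not match with virtual server %s host %s.",
			p.Name, strings.Join(p.Hosts, ", "), vs.Name, vs.Host)
		if !ok {
			msg = fmt.Sprintf("TLSProfile %s referenced by virtual server %s not found.", vs.TLSProfileName, vs.Name)
		}
		if !matched { // "BADTLS" is the value suggested in the issue, not an existing CIS status
			out = append(out, Finding{vs.Name, "BADTLS", msg})
		}
	}
	return out
}

func main() { // constructed sample mirroring the two manifests in the issue
	vss := []VirtualServer{{"route-b", "openshift-ingress", "www.migration.com", "reencrypt-tls"}}
	tls := []TLSProfile{{"reencrypt-tls", "openshift-ingress", []string{"www.example.com", "account.example.com"}}}
	for _, f := range CheckTLSHosts(vss, tls) {
		fmt.Printf("[ERROR] %s status=%s\n", f.Message, f.Status)
	}
}
```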