Using MD5 is another method but without something in the iRule content to make it unique you won't be able to detect propagation if the iRule is redeployed unmodified. When the aim is propagation verification regardless of content each item has to be unique.
Either I don't understand you, or you don't understand me. Irules consists of characters, if even one character changes the whole MD5 sum changes. Fetching the irule definition via API from each of the LTMs is a legitimate way of validating that they're all running the same version of an iRule.
catoverflow Here's an example in Python3 without BigIPReport:
import requests, hashlib, urllib3, os
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class F5rest:
def __init__(self, username: str, password: str, device: str, verify_ssl=False):
self.device = device
self.username = username
self.password = password
self.verify_ssl = verify_ssl
self._session = None
@property
def session(self):
if not self._session:
s = requests.Session()
body = {
'username': self.username,
'password': self.password,
'loginProviderName': 'tmos'
}
token_response = s.post(
f'https://{self.device}/mgmt/shared/authn/login',
verify=self.verify_ssl,
auth=(self.username, self.password), json=body) \
.json()
token = token_response['token']['token']
s.headers.update({'X-F5-Auth-Token': token})
s.verify = self.verify_ssl
self._session = s
return self._session
def get_irule(self, name: str):
response = self.session.get(f'https://{self.device}/mgmt/tm/ltm/rule/{name}')
return response.json()
username = os.environ.get('F5_USERNAME')
password = os.environ.get('F5_PASSWORD')
if not (username and password):
raise ValueError('Missing credentials in environment variables F5_USERNAME or F5_PASSWORD')
device_list = ['bigip.xip.se', 'bigip2.xip.se', 'bigip3.xip.se']
hash = None
for device in device_list:
f5 = F5rest(username, password, 'bigip.xip.se')
rule = f5.get_irule('encrypted_time')
rule_hash = hashlib.md5(rule['apiAnonymous'].encode('utf-8')).hexdigest()
if hash is None:
hash = rule_hash
if not hash == rule_hash:
# Post Slack webhook here or raise exception
raise Exception('Hashes does not match')
Now, there are multiple ways to skin the cat. You could also inject headers programmatically using your pipeline that shows the version of the iRule, using the iRule itself. Then read the headers in ie. Splunk/elastic and validate that it has changed by monitoring the traffic logs.
If you just want to know the version by manually logging in to each device and checking the irule with your own eyes then Kevins suggestion to put a version number / deploy time as a comment at the top would work too.
Hard to give an exact answer unless we know how you intend to use this. 🙂