Setup Details
CIS Version (chart: f5-bigip-ctlr-0.0.36)
Build: f5networks/k8s-bigip-ctlr:latest
BIGIP Version: Big IP 17.1
AS3 Version: f5-appsvcs-3.54.2-4.noarch
Agent Mode: AS3
Orchestration: K8S
Orchestration Version:
Pool Mode: Cluster/Nodeport
Additional Setup details: <Platform/CNI Plugins/ cluster nodes/ etc>
I have no client use case for the DNS/GTM but I just saw this issue and wanted to share :)
Description
F5 CIS breaks when it is connected to a BIG-IP device with the DNS/GTM module but CIS does not have the config for DNS/GTM.
I provisioned DNS/GTM on my BIG-IP, and then CIS broke with the following errors from CIS and F5.
From F5 CIS:
kubectl logs f5-cis-f5-bigip-ctlr-789846bcb8-fk659 -n f5-cis
2025/11/12 13:25:31 [DEBUG] [BigIP] Posting GTM config to cccl agent: {ltmConfig:map[kubernetes:0xc00062bb90] shareNodes:false gtmConfig:map[] defaultRouteDomain:0 sharedDefaultRouteDomain:true reqMeta:{partitionMap:map[kubernetes:map[ingress-nginx/nginx-ingress:IngressLink]] id:9} poolMemberType:auto}
tail -f /var/log/restnoded/restnoded.log
Wed, 12 Nov 2025 13:11:50 GMT - finest: socket 509 closed
Wed, 12 Nov 2025 13:12:45 GMT - finest: socket 510 opened
Wed, 12 Nov 2025 13:12:46 GMT - warning: [appsvcs] {"status":422,"message":"declaration is invalid","errors":["/schemaVersion: data "" should match pattern "^3.(
Wed, 12 Nov 2025 13:12:51 GMT - finest: socket 510 closed
The logs suggest that CIS autodetects DNS/GTM and tries to use CCCL, which breaks AS3.
After I configured the CIS Helm chart with the DNS args, everything started working!
Also, why is there no option in the Helm chart install, like "bigip_login_secret", to add the DNS/GTM credentials to a secret that is then used by CIS?
- args:
  - --ingress-class=f5
  - --credentials-directory
  - /tmp/creds
  - --as3-validation=true
  - --bigip-partition=kubernetes
  - --bigip-url=xxxx
  - --custom-resource-mode=true
  - --gtm-bigip-password=xxxx
  - --gtm-bigip-url=https://xxx/
  - --gtm-bigip-username=xxx
  - --insecure=true
  - --load-balancer-class=f5
  - --log-as3-response=true
  - --log-level=DEBUG
  - --manage-load-balancer-class-only=true
  - --pool-member-type=auto
Steps To Reproduce
Already described.
Expected Result
I expect CIS to ignore the DNS module when it is not configured to manage it.
Actual Result
Everything breaks and you get 422 errors from AS3 on the F5 when CIS contacts it, and this breaks the other working objects like the VirtualServer / IngressLink CRDs.
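The args list in this issue carries the GTM username and password inline next to a mounted credentials directory. As an added example (not part of the original issue or the CIS project), the following audits a container's args for that pattern; the flag names are taken from the args above, while the function names and sample values are constructed for illustration.

```python
# Added example: audit a CIS container's args for credentials passed inline.
# Flag names come from the args list in the issue; all values are constructed.
CREDENTIAL_FLAGS = {"--gtm-bigip-password", "--gtm-bigip-username"}


def parse_args(args):
    """Turn ['--a=b', '--c', 'd'] into {'--a': 'b', '--c': 'd'}."""
    parsed, i = {}, 0
    while i < len(args):
        item = args[i]
        if "=" in item:
            flag, value = item.split("=", 1)
        elif i + 1 < len(args) and not args[i + 1].startswith("--"):
            flag, value = item, args[i + 1]  # value given as the next list item
            i += 1
        else:
            flag, value = item, ""
        parsed[flag] = value
        i += 1
    return parsed


def audit_cis_args(args):
    """Return findings for settings exposed in the pod spec; never echo values."""
    parsed = parse_args(args)
    findings = []
    for flag in sorted(CREDENTIAL_FLAGS & parsed.keys()):
        if parsed[flag]:
            findings.append(f"{flag}: value is inline in the pod spec")
    if parsed.get("--insecure", "").lower() == "true":
        findings.append("--insecure: insecure TLS to BIG-IP is enabled")
    if "--credentials-directory" not in parsed:
        findings.append("--credentials-directory: not set, no mounted secret")
    return findings


# Constructed sample mirroring the layout of the args in the issue.
SAMPLE_ARGS = [
    "--credentials-directory", "/tmp/creds",
    "--bigip-url=bigip.example.internal",
    "--gtm-bigip-url=https://gtm.example.internal/",
    "--gtm-bigip-username=example-user",
    "--gtm-bigip-password=example-password",
    "--insecure=true",
]

if __name__ == "__main__":
    for finding in audit_cis_args(SAMPLE_ARGS):
        print(finding)
```

Inline values are visible to anyone who can read the Deployment object or the process list on the node, which is why the findings report only the flag name.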