httpproxy: crd validations don't enforce at least one service per route #2270
Comments
Unrelated, but that annotation doesn’t do anything in HTTPProxy objects.
On 22 Feb 2020, at 07:10, Ralph Bankston <notifications@github.com> wrote:
What steps did you take and what happened:
Invalid routes are allowed on an HTTPProxy and cause HTTP/2" 404 NR in the envoy logs but the httpproxy output shows as valid.
NAMESPACE NAME FQDN TLS SECRET STATUS STATUS DESCRIPTION
85028-sp-vfs-dev vfshttpproxy 00000-dev.apps.dev.home.vmw.example.com ingress-contour/ingress-contour-default-ssl-cert valid valid HTTPProxy
What did you expect to happen:
Would expect an invalid route to cause HTTPProxy to be listed as invalid when doing kubectl get httpproxy -A or manifest validation and rejection of the manifest
Anything else you would like to add:
https://kubernetes.slack.com/archives/C8XRH2R4J/p1582314181482900 is the slack thread that found this bug. Adding valid and invalid yaml for testing purposes.
Invalid Yaml:
apiVersion: v1
items:
- apiVersion: projectcontour.io/v1
  kind: HTTPProxy
  metadata:
    annotations:
      ingress.kubernetes.io/force-ssl-redirect: "true"
    name: vfshttpproxy
    namespace: 85028-sp-vfs-dev
  spec:
    routes:
    - conditions:
      - prefix: /
      services:
      - name: vfs-service
        port: 8080
    - timeoutPolicy:
        idle: 1800s
        response: 1800s
    virtualhost:
      fqdn: 00000-dev.apps.dev.home.vmw.example.com
      tls:
        secretName: ingress-contour/ingress-contour-default-ssl-cert
kind: List
Valid Yaml:
apiVersion: v1
items:
- apiVersion: projectcontour.io/v1
  kind: HTTPProxy
  metadata:
    annotations:
      ingress.kubernetes.io/force-ssl-redirect: "true"
    name: vfshttpproxy
    namespace: 85028-sp-vfs-dev
  spec:
    routes:
    - conditions:
      - prefix: /
      services:
      - name: vfs-service
        port: 8080
      timeoutPolicy:
        idle: 1800s
        response: 1800s
    virtualhost:
      fqdn: 00000-dev.apps.dev.home.vmw.example.com
      tls:
        secretName: ingress-contour/ingress-contour-default-ssl-cert
kind: List
Environment:
* Contour version: 1.2
* Kubernetes version: (use kubectl version):v1.15.7
* Kubernetes installer & version: kubeadm 1.15.7
* Cloud provider or hardware configuration: VCP
* OS (e.g. from /etc/os-release):Ubuntu 18.04.3 LTS
From reading yaml on my phone the invalid part is the misplaced timeoutPolicy stanza.
From Contour's point of view this information is invisible to contour as it is never deserialised from the api server. We rely on the crd schema validations. Did the validations we supplied with 1.2.0 catch this?
Correct. Steve helped me out in slack and identified the timeoutPolicy bit.
I deployed latest today (2-21-2020) to work on replicating this issue (1.2.0 is in use) and the validations didn't catch this and HTTPProxy just said it was all valid
What happened was Contour got a route that looked like this and that got passed off to Envoy, but it's missing the cluster bits to match up:
I bet we could tweak the validations to possibly assist with validation, but ideally, Contour should also detect (and I'm surprised it didn't) that there are no services referenced and set the route and set the proxy to an error state.
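The check described in the comment above, as an added example that is not part of the original thread and is not Contour's code: it walks the routes of a proxy and marks the proxy invalid when any route references no service. The `Service` and `Route` types, the function names and the status strings are assumptions made for illustration; the sample data is constructed from the two manifests in the report.

```go
package main

import "fmt"

// Hypothetical stand-ins for the HTTPProxy fields in this issue, not Contour's API types.
type Service struct {
	Name string
	Port int
}

type Route struct {
	Prefixes    []string
	Services    []Service
	IdleTimeout string // timeoutPolicy.idle
}

// routesWithoutServices returns the index of every route that names no service.
func routesWithoutServices(routes []Route) []int {
	var bad []int
	for i, r := range routes {
		if len(r.Services) == 0 {
			bad = append(bad, i)
		}
	}
	return bad
}

// proxyStatus reports "invalid" as soon as any route has no backend service.
func proxyStatus(routes []Route) (status, description string) {
	if bad := routesWithoutServices(routes); len(bad) > 0 {
		return "invalid", fmt.Sprintf("route %d: at least one service is required", bad[0])
	}
	return "valid", "valid HTTPProxy"
}

// Sample data constructed from the manifests in the report.
var vfs = []Service{{Name: "vfs-service", Port: 8080}}

// "Invalid Yaml": the stray "-" before timeoutPolicy starts a second
// route that carries a timeout policy but no services.
var invalidRoutes = []Route{{Prefixes: []string{"/"}, Services: vfs}, {IdleTimeout: "1800s"}}

// "Valid Yaml": a single route carrying both the service and the timeout policy.
var validRoutes = []Route{{Prefixes: []string{"/"}, Services: vfs, IdleTimeout: "1800s"}}

func main() {
	fmt.Println(proxyStatus(invalidRoutes))
	fmt.Println(proxyStatus(validRoutes))
}
```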
There are two bugs here
I have a fix for this
Fixes projectcontour#2270 Signed-off-by: Dave Cheney <dave@cheney.net>
Fixes #2270 Signed-off-by: Dave Cheney <dave@cheney.net>