Admission webhook: properly check that there is no overlapping ingress #9413
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
Hi @dud225. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Can you add an e2e test for this case as well. one with overlapping ingress, to prove it catches it. It looks like there a single ingress with multiple rules here But not multiple ingress and same rules, which your change would catch. thank you, /triage accepted |
k8s-ci-robot
added
ok-to-test
k8s-ci-robot
added
area/docs
size/XL
Done. I found out that the Reached DIND check ELSE block, inside run-in-docker.sh
+ docker run --tty --rm -e DEBUG=true -e GOCACHE=/go/src/k8s.io/ingress-nginx/.cache -e GOMODCACHE=/go/src/k8s.io/ingress-nginx/.modcache -e DOCKER_IN_DOCKER_ENABLED=true -v /home/myuser/.kube:/home/myuser/.kube -v /home/myuser/Git/ingress-nginx:/go/src/k8s.io/ingress-nginx -v /home/myuser/Git/ingress-nginx/bin/amd64:/go/bin/linux_amd64 -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/tmp.YNDf4QhEuy:/etc/ingress-controller/ -w /go/src/k8s.io/ingress-nginx registry.k8s.io/ingress-nginx/e2e-test-runner:v20221221-controller-v1.5.1-62-g6ffaef32a@sha256:8f025472964cd15ae2d379503aba150565a8d78eb36b41ddfc5f1e3b1ca81a8e /bin/bash -c 'MAC_OS= ginkgo build ./test/e2e'
Failed to compile e2e:
../../.modcache/golang.org/x/[email protected]/google/default.go:17:2: missing go.sum entry for module providing package cloud.google.com/go/compute/metadata (imported by golang.org/x/oauth2/google); to add:
go get golang.org/x/oauth2/[email protected]
ginkgo build failed
Failed to compile all testsReplacing the However I'm not quite sure |
|
Not sure I got it, could you please elaborate? |
|
others have observed go.mod and go.sum changing midway through tests. So if you have details of the change like diff or reasons for changes visible in diff, it will help. |
|
Here is the output when installing However the official instruction to set up Ginkgo mentions the command I'm not an experienced Go developer so I can't explain the reason nor comment the subtleties between I assume that this problem is mostly hidden by the fact that probably the majority of the developers on this project already have |
|
@dud225 thanks for the update. It helps. Basically ginkgo install is the visible event. But we have PRs merged that bump ginkgo in multiple places. The not-so-visible event is "other" indirect dependencies either getting newly installed or getting bumped. One of these days it will get in critical path and then new go.{mod,sum} will get committed/merged. Thanks |
k8s-ci-robot
added
size/XXL
|
I've revisited this PR to properly handle the case of a overlapping ingress having a canary annotation. Currently the condition that checks if there is any canary annotation among all the existing ingresses always fails because no canary ingress is ever present in the server slice, it only contains non-canary ingresses: ingress-nginx/internal/ingress/controller/controller.go Lines 1254 to 1257 in 5628f76 ingress-nginx/internal/ingress/controller/controller.go Lines 1329 to 1332 in 5628f76 I've added the relevant E2E test. @strongjz This PR is now ready to be merged. |
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
k8s-ci-robot
added
the
needs-rebase
Fixes kubernetes#8972 Signed-off-by: Hervé Werner <[email protected]>
Signed-off-by: Hervé Werner <[email protected]>
Signed-off-by: Hervé Werner <[email protected]>
The existingIngresses slice never contains any canary ingress, indeed
this kind of ingresses are always excluded from the server slice:
func (n *NGINXController) createServers(data []*ingress.Ingress,
upstreams map[string]*ingress.Backend,
du *ingress.Backend) map[string]*ingress.Server {
[...]
if anns.Canary.Enabled {
klog.V(2).Infof("Ingress %v is marked as Canary, ignoring", ingKey)
continue
}
which means that the test aiming to compare a canary ingress with all
the other existing canary ingresses never succeeds.
This commit fixes the handling of conflicting canary ingresses.
Signed-off-by: Hervé Werner <[email protected]>
Signed-off-by: Hervé Werner <[email protected]>
Signed-off-by: Hervé Werner <[email protected]>
k8s-ci-robot
removed
the
needs-rebase
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: dud225 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
size/XL
k8s-ci-robot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@dud225: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
What this PR does / why we need it:
The admission webhook fails to detect a conflicting host+path when an ingress with more than one rule is involved.
Types of changes
Which issue/s this PR fixes
Fixes #8972
How Has This Been Tested?
Applying the following ingresses:
results in the following behaviour with the current codebase:
The ingress ing-a gets overwritten.
With this change, the admission controller properly detects the conflicting rule:
Checklist:
Does my pull request need a release note?
Additional comment
The code section that checks among the existing ingresses whether any of them pertains to a canary test seems flaky.
According to my tests there is no canary ingresses present in the server configuration, which means that the test always evaluates to false.
When looking closer I've observed that the canary mechanism is implemented from the Lua area and that there is no mention of it within the plain Nginx configuration, that would explain why this data isn't present from the Go area.
As this is my first contribution on the project I'm not super confident about this, so for now I've left it as is.