[Bug]: If a VirtualServer is configured with an incompatible listener (e.g. TCP, UDP), the VS ends up valid, and without a listen directive #6409

Open
j1m-ryan opened this issue Sep 12, 2024 · 2 comments
Labels: backlog, bug

Version

edge

What Kubernetes platforms are you running on?

Minikube

What happened?

I added a UDP listener to a VirtualServer. This is not a valid configuration; I did this to test the error behaviour.
The VirtualServer ended up valid, and the generated config did not have a listen directive.

Steps to reproduce

listeners:
  - name: http-listener
    port: 81
    protocol: UDP
  - name: https-listener
    port: 8443
    protocol: HTTP
    ssl: true

I made a GlobalConfiguration with the above config, then used these in the VirtualServer.

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: cafe
spec:
  listener:
    http: http-listener
    https: https-listener
  host: cafe.example.com
  tls:
    secret: cafe-secret
  upstreams:
  - name: tea
    service: tea-svc
    port: 80
  - name: coffee
    service: coffee-svc
    port: 80
  routes:
  - path: /tea
    action:
      pass: tea
  - path: /coffee
    action:
      pass: coffee

The VS is valid

[] ➜  virtualserver git:(main) ✗ k get vs
NAME   STATE   HOST               IP    PORTS   AGE
cafe   Valid   cafe.example.com                 16s

This is the output in the nginx config

[] ➜  virtualserver git:(main) ✗ dev-sh
/ $ cat /etc/nginx/conf.d/vs_default_cafe.conf

upstream vs_default_cafe_coffee {zone vs_default_cafe_coffee 256k;
    random two least_conn;
    server 10.244.0.6:8080 max_fails=1 fail_timeout=10s max_conns=0;
    server 10.244.0.7:8080 max_fails=1 fail_timeout=10s max_conns=0;
}

upstream vs_default_cafe_tea {zone vs_default_cafe_tea 256k;
    random two least_conn;
    server 10.244.0.5:8080 max_fails=1 fail_timeout=10s max_conns=0;
}

server {


    server_name cafe.example.com;

    set $resource_type "virtualserver";
    set $resource_name "cafe";
    set $resource_namespace "default";
    listen 8443 ssl;
    listen [::]:8443 ssl;

    ssl_certificate $secret_dir_path/default-cafe-secret;
    ssl_certificate_key $secret_dir_path/default-cafe-secret;

    server_tokens "on";




    location /tea {
        set $service "tea-svc";


        set $default_connection_header close;
        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
        client_max_body_size 1m;

        proxy_buffering on;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $vs_connection_header;
        proxy_pass_request_headers on;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host "$host";
        proxy_pass http://vs_default_cafe_tea;
        proxy_next_upstream error timeout;
        proxy_next_upstream_timeout 0s;
        proxy_next_upstream_tries 0;
    }
    location /coffee {
        set $service "coffee-svc";


        set $default_connection_header close;
        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
        client_max_body_size 1m;

        proxy_buffering on;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $vs_connection_header;
        proxy_pass_request_headers on;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host "$host";
        proxy_pass http://vs_default_cafe_coffee;
        proxy_next_upstream error timeout;
        proxy_next_upstream_timeout 0s;
        proxy_next_upstream_tries 0;
    }


}
/ $

Expected behaviour

The VirtualServer is not valid

Kubectl Describe output

No response

Log output

No response

pdabelf5 commented Oct 21, 2024

Desired outcome: Fail VirtualServer deployment if no matching HTTP listener is found. Fail with Invalid VirtualServer state & remove VirtualServer from the NGINX config.
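
The check this thread asks for, sketched as an added Go example (not code from the issue or from the NGINX Ingress Controller): each listener name referenced by the VirtualServer must resolve to a GlobalConfiguration listener whose protocol is HTTP. The type and function names are hypothetical; the sample data is constructed from the configuration in the report.

```go
package main

import "fmt"

// Listener mirrors one entry of the GlobalConfiguration "listeners" list (hypothetical type).
type Listener struct {
	Name, Protocol string
	Port           int
	SSL            bool
}

// VSListenerRefs mirrors spec.listener of the VirtualServer (hypothetical type).
type VSListenerRefs struct{ HTTP, HTTPS string }

// validateListenerRefs returns one error per reference that does not resolve to an HTTP listener.
func validateListenerRefs(listeners []Listener, refs VSListenerRefs) []error {
	byName := make(map[string]Listener, len(listeners))
	for _, l := range listeners {
		byName[l.Name] = l
	}
	var errs []error
	check := func(field, name string) {
		if name == "" {
			return // field not set on the VirtualServer
		}
		l, ok := byName[name]
		switch {
		case !ok:
			errs = append(errs, fmt.Errorf("spec.listener.%s: listener %q not found", field, name))
		case l.Protocol != "HTTP":
			errs = append(errs, fmt.Errorf("spec.listener.%s: listener %q has protocol %s, want HTTP", field, name, l.Protocol))
		}
	}
	check("http", refs.HTTP)
	check("https", refs.HTTPS)
	return errs
}

func main() {
	// Constructed from the GlobalConfiguration and VirtualServer in the report.
	listeners := []Listener{
		{Name: "http-listener", Port: 81, Protocol: "UDP"},
		{Name: "https-listener", Port: 8443, Protocol: "HTTP", SSL: true},
	}
	refs := VSListenerRefs{HTTP: "http-listener", HTTPS: "https-listener"}
	for _, err := range validateListenerRefs(listeners, refs) {
		fmt.Println("Invalid:", err)
	}
}
```

With the reported configuration this returns a single error for `spec.listener.http`, which is the condition under which the resource would be marked Invalid instead of rendering a server block with only the 8443 listen directives.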

Status: Prioritized backlog