Confirm post-GWAPI 0.8 status of wildcard hostname HTTP(S) Listeners #4597

Closed
rainest opened this issue Aug 31, 2023 · 2 comments · Fixed by #4709
Labels: area/gateway-api (Relating to upstream Kubernetes SIG Networking Gateway API), area/tests, bug (Something isn't working)

Contributor

rainest commented Aug 31, 2023

GWAPI 0.8.0 introduces CEL validation of various resource fields. Listeners now have a CRD-level rule that ensures that no pair of Listeners has identical Port, Hostname, and Protocol values.

This rule has an apparent bug handling Hostname-aware Listeners where one Listener has a set Hostname and one does not. The spec allows a single Listener with an unset Hostname on a given Port+Protocol. This Listener matches any Hostname if no more specific Hostname matches.

The CEL rule apparently requires an actual Hostname value to check if they are equal. Including both a nil Hostname and set Hostname in a Gateway fails:

```
10:54:33-0700 esenin $ cat /tmp/gw.yaml
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: prod-web
spec:
  gatewayClassName: acme-lb
  listeners:
  - protocol: HTTP
    port: 80
    name: http
  - protocol: HTTP
    port: 80
    name: httphostname
    hostname: http.example
10:54:35-0700 esenin $ kubectl create -f /tmp/gw.yaml
The Gateway "prod-web" is invalid: spec.listeners: Invalid value: "array": Combination of port, protocol and hostname must be unique for each listener
```

Our existing GWAPI integration tests include one such Gateway. We need to confirm with upstream if blocking these is indeed intended. Based on my understanding of the spec, they should not be blocked: kubernetes-sigs/gateway-api#2369

@rainest rainest added bug Something isn't working area/tests area/gateway-api Relating to upstream Kubernetes SIG Networking Gateway API labels Aug 31, 2023
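
The listener uniqueness semantics described in the comment above, as an added Go example that is not part of the issue or of the project's code. All type and function names are assumptions, and `unsetMatchesAny` is a hypothetical model of the reported rejection, not the upstream CEL rule.

```go
package main

import "fmt"

// Listener holds the three Gateway listener fields the uniqueness rule compares.
// Hostname is a pointer so "unset" is distinguishable from any set value.
type Listener struct {
	Name, Protocol string
	Port           int
	Hostname       *string
}

// sameHostname follows the spec reading in the issue: an unset hostname
// equals only another unset hostname, never a set one.
func sameHostname(a, b *string) bool {
	if a == nil || b == nil {
		return a == nil && b == nil
	}
	return *a == *b
}

// unsetMatchesAny is a hypothetical model of the rejected behaviour:
// an unset hostname on either side counts as equal to anything.
func unsetMatchesAny(a, b *string) bool { return a == nil || b == nil || *a == *b }

// Conflicts returns the name pairs that collide on port, protocol and
// hostname under the given hostname comparison.
func Conflicts(ls []Listener, eq func(a, b *string) bool) [][2]string {
	var out [][2]string
	for i := range ls {
		for j := i + 1; j < len(ls); j++ {
			if ls[i].Port == ls[j].Port && ls[i].Protocol == ls[j].Protocol &&
				eq(ls[i].Hostname, ls[j].Hostname) {
				out = append(out, [2]string{ls[i].Name, ls[j].Name})
			}
		}
	}
	return out
}

// IssueListeners reproduces the two listeners from the Gateway in the issue.
func IssueListeners() []Listener {
	h := "http.example"
	return []Listener{{Name: "http", Protocol: "HTTP", Port: 80},
		{Name: "httphostname", Protocol: "HTTP", Port: 80, Hostname: &h}}
}

func main() {
	ls := IssueListeners()
	fmt.Println("unset matches any:      ", Conflicts(ls, unsetMatchesAny))
	fmt.Println("unset equals only unset:", Conflicts(ls, sameHostname))
}
```
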
Member

pmalek commented Sep 5, 2023

This seems to have been already addressed upstream and pending a release: kubernetes-sigs/gateway-api#2370 ?

Contributor Author

rainest commented Sep 5, 2023

Indeed, upstream has confirmed that CEL shouldn't do this and we should un-comment the blocks once 0.8.1 is out.
