Relax validation for expose.paths config (#10394)

Previously we would return an error if duplicate paths were specified. This could lead to problems in cases where a user has the same path, say /healthz, on two different ports. This validation was added to signal a potential misconfiguration. Instead we will only check for duplicate listener ports, since that is what would lead to ambiguity issues when generating xDS config. In the future we could look into using a single listener and creating distinct filter chains for each path/port.
hashicorp · Jun 14, 2021 · f6e3289 · f6e3289
1 parent 6de0cb7
commit f6e3289
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 24 deletions.
diff --git a/.changelog/10394.txt b/.changelog/10394.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+connect: allow exposing duplicate HTTP paths through a proxy instance.
+```
diff --git a/agent/structs/structs.go b/agent/structs/structs.go
@@ -1205,18 +1205,13 @@ func (s *NodeService) Validate() error {
 			}
 			bindAddrs[addr] = struct{}{}
 		}
-		var knownPaths = make(map[string]bool)
+
 		var knownListeners = make(map[int]bool)
 		for _, path := range s.Proxy.Expose.Paths {
 			if path.Path == "" {
 				result = multierror.Append(result, fmt.Errorf("expose.paths: empty path exposed"))
 			}
 
-			if seen := knownPaths[path.Path]; seen {
-				result = multierror.Append(result, fmt.Errorf("expose.paths: duplicate paths exposed"))
-			}
-			knownPaths[path.Path] = true
-
 			if seen := knownListeners[path.ListenerPort]; seen {
 				result = multierror.Append(result, fmt.Errorf("expose.paths: duplicate listener ports exposed"))
 			}

diff --git a/agent/structs/structs_test.go b/agent/structs/structs_test.go
@@ -574,38 +574,38 @@ func TestStructs_NodeService_ValidateExposeConfig(t *testing.T) {
 	}
 	cases := map[string]testCase{
 		"valid": {
-			func(x *NodeService) {},
-			"",
+			Modify: func(x *NodeService) {},
+			Err:    "",
 		},
 		"empty path": {
-			func(x *NodeService) { x.Proxy.Expose.Paths[0].Path = "" },
-			"empty path exposed",
+			Modify: func(x *NodeService) { x.Proxy.Expose.Paths[0].Path = "" },
+			Err:    "empty path exposed",
 		},
 		"invalid port negative": {
-			func(x *NodeService) { x.Proxy.Expose.Paths[0].ListenerPort = -1 },
-			"invalid listener port",
+			Modify: func(x *NodeService) { x.Proxy.Expose.Paths[0].ListenerPort = -1 },
+			Err:    "invalid listener port",
 		},
 		"invalid port too large": {
-			func(x *NodeService) { x.Proxy.Expose.Paths[0].ListenerPort = 65536 },
-			"invalid listener port",
+			Modify: func(x *NodeService) { x.Proxy.Expose.Paths[0].ListenerPort = 65536 },
+			Err:    "invalid listener port",
 		},
-		"duplicate paths": {
-			func(x *NodeService) {
-				x.Proxy.Expose.Paths[0].Path = "/metrics"
-				x.Proxy.Expose.Paths[1].Path = "/metrics"
+		"duplicate paths are allowed": {
+			Modify: func(x *NodeService) {
+				x.Proxy.Expose.Paths[0].Path = "/healthz"
+				x.Proxy.Expose.Paths[1].Path = "/healthz"
 			},
-			"duplicate paths exposed",
+			Err: "",
 		},
-		"duplicate ports": {
-			func(x *NodeService) {
+		"duplicate listener ports are not allowed": {
+			Modify: func(x *NodeService) {
 				x.Proxy.Expose.Paths[0].ListenerPort = 21600
 				x.Proxy.Expose.Paths[1].ListenerPort = 21600
 			},
-			"duplicate listener ports exposed",
+			Err: "duplicate listener ports exposed",
 		},
 		"protocol not supported": {
-			func(x *NodeService) { x.Proxy.Expose.Paths[0].Protocol = "foo" },
-			"protocol 'foo' not supported for path",
+			Modify: func(x *NodeService) { x.Proxy.Expose.Paths[0].Protocol = "foo" },
+			Err:    "protocol 'foo' not supported for path",
 		},
 	}