-
Notifications
You must be signed in to change notification settings - Fork 492
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GatewaySpec Listener CEL block empty Hostname if similar Listeners also present #2369
Comments
Edit: I was wrong here, the spec clearly states that an empty hostname can be combined with a specified hostname. Recommend skipping this and my next comment. In my opinion this example should be invalid. The spec currently states that the combination of Hostname, Protocol, and Port must be unique: gateway-api/apis/v1beta1/gateway_types.go Lines 72 to 73 in c21d0e4
Unfortunately the webhook validation did allow this to happen: gateway-api/apis/v1beta1/validation/gateway.go Lines 145 to 165 in ab03a59
For completeness, here's the corresponding CEL validation: gateway-api/apis/v1beta1/gateway_types.go Line 131 in c21d0e4
To me, this is/was a bug in validation. I recognize that if a bug exists long enough, it becomes a feature. I'm not sure if we've already crossed that line here. Would be interested in what others think. /cc @shaneutt @youngnick |
This feels conceptually similar to ParentRefs where we're also saying that for ParentRefs to be distinct, either SectionName or Port needs to be set to non-empty + distinct values, x-ref #2350. To avoid confusion here, I think we should do what we can to make sure the definitions of distinct here are as consistent as possible. |
Considering this invalid would severely limit the ability to use a catch-all wildcard hostname, since you couldn't use it in combination with any other Listeners on the same Port+Protocol. I don't think we'd want that, and the prose indicates that we do want the 0.7 behavior--it's "one Listener within a group [port and protocol combination] may omit Hostname" rather than "a Listener may omit Hostname and match any Hostname if it is the only Listener in the group)". We could require an explicit non-nil value for the catch-all (either IMO empty is fine so long as we can check it and confirm that there are no two Listeners both using it on the same Protocol+Port. Rather, for Hostname alone, the list Testing that in CEL may be another story, but I assume you can somehow work in a failure condition for |
This seems like a valid configuration to me. The missing hostname is unique, it essentially behaves like |
Yep, I think you're all right. I missed @rainest's reference to the spec in the original issue that very much settles this: gateway-api/apis/v1beta1/gateway_types.go Lines 105 to 107 in d031c16
Sorry for the noise here, this is indeed a bug in the CEL validation and we should fix it ASAP. /triage accepted |
@robscott: GuidelinesPlease ensure that the issue body includes answers to the following questions:
For more details on the requirements of such an issue, please see here and ensure that they are met. If this request no longer meets these requirements, the label can be removed In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I'm no CEL expert, but it seems that the rule just needs to remove the has() part, so it will just check for duplicate hostnames, nil or not.
|
What happened:
0.8.0 does not allow a Gateway with two same Port, same Protocol Listeners where one Listener has Hostname set and the other does not. This violates a CEL rule that ensures Listeners have a unique Port/Protocol/Hostname combination.
What you expected to happen:
The Gateway passes validation. Per the above spec comment:
How to reproduce it (as minimally and precisely as possible):
With 0.8.0 installed:
Anything else we need to know?:
It looks like
requires a set value to compare if Hostname is equal.
Setting Hostname to
""
or"*"
does not work around this, as these values violate Hostname's'^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
validation regex.The text was updated successfully, but these errors were encountered: