Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not validate ingresses with unknown ingress class in admission webhook endpoint #8221

Merged
merged 1 commit into from
Feb 6, 2022
Merged

Do not validate ingresses with unknown ingress class in admission webhook endpoint #8221

merged 1 commit into from
Feb 6, 2022

Conversation

ElvinEfendi
Copy link
Member

@ElvinEfendi ElvinEfendi commented Feb 4, 2022
edited
Loading

What this PR does / why we need it:

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation only

Which issue/s this PR fixes

fixes #7546

How Has This Been Tested?

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I've read the CONTRIBUTION guide
  • I have added tests to cover my changes.
  • All new and existing tests passed.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Feb 4, 2022
@k8s-ci-robot
Copy link
Contributor

@ElvinEfendi: This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 4, 2022
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 4, 2022
@ElvinEfendi
Copy link
Member Author

/hold

I need to add e2e tests too, but please take a look and let me know if the approach makes sense.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 4, 2022
ElvinEfendi
ElvinEfendi commented Feb 4, 2022
View reviewed changes
internal/ingress/controller/controller.go
@@ -233,6 +233,10 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
return nil
}

if ingressClass, err := n.store.GetIngressClass(ing, n.cfg.IngressClassConfiguration); ingressClass == "" {
klog.Warningf("ignoring ingress %v in %v based on annotation %v: %v", ing.Name, ing.ObjectMeta.Namespace, ingressClass, err)

This comment was marked as resolved.

Sign in to view

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if err != nil?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GetIngressClass is kinda strange, err actually going to be != nil as long as ingressClass == ""

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed, unless some day we change GetIngressClass and the function returns a strange value due to...reasons...and an error and as we are just validating the IngressClass we end into a panic :P

I agree with you that right now this is too much, I'm afraid of us in a future doing something that relies on this error, not checking and getting a BSOD in ingress controller

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 4, 2022
@ElvinEfendi
Copy link
Member Author

ElvinEfendi commented Feb 4, 2022
edited
Loading

pull-ingerss-nginx-test failure does not seem related to the changes here 🤔

--- FAIL: TestStoreSSLCertOnDisk (0.37s)
=== RUN   TestCACert
    ssl_test.go:125: unexpected error storing SSL certificate: could not create PEM certificate file /etc/ingress-controller/ssl/test-1643982508463021301.pem: open /etc/ingress-controller/ssl/test-1643982508463021301.pem: no such file or directory

EDIT: turned out to be related, I missed GetIngressClass mock implementation in fakeIngressStore interface. The error message does not help at all though.

@rikatz
Copy link
Contributor

rikatz commented Feb 6, 2022

/assign

rikatz
rikatz reviewed Feb 6, 2022
View reviewed changes
internal/ingress/controller/store/store.go
@@ -98,6 +98,9 @@ type Storer interface {

// Run initiates the synchronization of the controllers
Run(stopCh chan struct{})

// GetIngressClass validates given ingress against ingress class configuration and returns the ingress class.
GetIngressClass(ing *networkingv1.Ingress, icConfig *ingressclass.IngressClassConfiguration) (string, error)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a bit afraid here of expanding the interface, but we gotta solve this :) so lgtm

@rikatz
Copy link
Contributor

rikatz commented Feb 6, 2022

/lgtm

The approach seems ok to me. My only request is that we don't ignore that error, even if it always returns nil right now :)

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 6, 2022
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ElvinEfendi, rikatz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ElvinEfendi
Copy link
Member Author

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 6, 2022
@k8s-ci-robot k8s-ci-robot merged commit 04035cc into kubernetes:main Feb 6, 2022
@ElvinEfendi ElvinEfendi deleted the fix-ing-validation-bug branch February 6, 2022 20:44
@tao12345666333 tao12345666333 mentioned this pull request Feb 27, 2022
Closed
rchshld pushed a commit to joomcode/ingress-nginx that referenced this pull request May 19, 2023
@ElvinEfendi @rchshld
Do not validate ingresses with unknown ingress class in admission web…
4b3836c 
…hook endpoint. (kubernetes#8221)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rikatz rikatz rikatz left review comments

@tao12345666333 tao12345666333 Awaiting requested review from tao12345666333

Assignees

@rikatz rikatz

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

validating webhook should ignore ingresses with a different ingressclass
3 participants
@ElvinEfendi @k8s-ci-robot @rikatz