ACL in haproxy not created correctly when an ingress has a single host rule #807

Closed
drf opened this issue Jan 12, 2018 · 2 comments

@drf
Collaborator

commented Jan 12, 2018

Version 5.0.0.rc11

Create an ingress like this one:

apiVersion: voyager.appscode.com/v1beta1
kind: Ingress
metadata:
  name: api-ingress
  annotations:
    ingress.appscode.com/type: NodePort
    ingress.appscode.com/keep-source-ip: "true"
    # Configure depending on the load
    ingress.appscode.com/replicas: '1'
    ingress.kubernetes.io/rewrite-target: /
    # HSTS
    ingress.kubernetes.io/hsts: "true"
    ingress.kubernetes.io/hsts-preload: "true"
    ingress.kubernetes.io/hsts-include-subdomains: "true"
    ingress.kubernetes.io/hsts-max-age: 100
    ingress.appscode.com/default-options: '{"forwardfor": "true", "dontlognull": "true"}'
spec:
  tls:
  - hosts:
    - test1.example.com
    ref:
      kind: Certificate
      name: examplecert
  rules:
  - host: test1.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: monitoring-grafana.kube-system
          servicePort: '80'

No default backend, only one host rule. The generated frontend for HTTP looks like this:

frontend http-0_0_0_0-80
	bind *:80 
	mode http
	option httplog
	option forwardfor
	acl is_proxy_https hdr(X-Forwarded-Proto) https
	acl url_acl_test1.example.com__ path_beg /
	redirect scheme https code 301 if ! is_proxy_https host_acl_test1.example.com url_acl_test1.example.com__

And of course the pod fails like this:

daemon.err: Jan 12 10:56:01 reloader: [ALERT] 011/105601 (51) : parsing [/etc/haproxy/haproxy.cfg:36] : error detected in frontend 'http-0_0_0_0-80' while parsing redirect rule : error in condition: no such ACL : 'host_acl_test1.example.com'.
daemon.err: Jan 12 10:56:01 reloader: [ALERT] 011/105601 (51) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
daemon.err: Jan 12 10:56:01 reloader: [ALERT] 011/105601 (51) : Fatal errors found in configuration.

The HTTPS frontend, instead, has the ACL as it should be. Creating more than one host rule triggers the creation of the missing ACL for all HTTP frontends.

The bug is indeed when having only one host rule and no default backend.
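A pre-reload check for the failure reported above, as an added example that is not part of the original issue or of Voyager's code: it scans a generated haproxy.cfg for ACL names used in `if`/`unless` conditions without an earlier `acl` line in the same section. The frontend text is copied from the report; the `hdr(host)` line in `FIXED`, the function names and the short predefined-ACL list are assumptions made for the example.

```python
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}
# Subset of HAProxy's predefined ACLs, which need no "acl" line.
PREDEFINED = {"TRUE", "FALSE", "HTTP", "LOCALHOST", "METH_GET", "METH_POST"}

def condition_acls(tokens):
    """Yield the named ACLs that follow the first 'if'/'unless' of a rule."""
    for i, tok in enumerate(tokens):
        if tok in ("if", "unless"):
            break
    else:
        return                      # rule has no condition
    depth = 0
    for tok in tokens[i + 1:]:
        tok = tok.lstrip("!")       # negation may be attached or separate
        if tok == "{":
            depth += 1              # anonymous ACL: nothing to resolve
        elif tok == "}":
            depth -= 1
        elif depth == 0 and tok and tok not in ("||", "or"):
            yield tok

def undefined_acls(cfg_text):
    """Return (line_no, section, acl_name) for each unresolved reference."""
    findings, section, defined = [], None, set()
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # naive comment strip
        if not tokens:
            continue
        if tokens[0] in SECTIONS:
            section = tokens[1] if len(tokens) > 1 else tokens[0]
            defined = set()         # ACL names are scoped to their section
        elif tokens[0] == "acl" and len(tokens) > 1:
            defined.add(tokens[1])
        else:
            for name in condition_acls(tokens):
                if name not in defined and name not in PREDEFINED:
                    findings.append((no, section, name))
    return findings

# Frontend as shown in the report.
BROKEN = ("frontend http-0_0_0_0-80\n\tbind *:80\n\tmode http\n"
          "\toption httplog\n\toption forwardfor\n"
          "\tacl is_proxy_https hdr(X-Forwarded-Proto) https\n"
          "\tacl url_acl_test1.example.com__ path_beg /\n"
          "\tredirect scheme https code 301 if ! is_proxy_https "
          "host_acl_test1.example.com url_acl_test1.example.com__\n")
# Constructed variant with a host ACL added (assumed line, not Voyager output).
FIXED = BROKEN.replace("\tacl url_acl", "\tacl host_acl_test1.example.com "
                       "hdr(host) -i test1.example.com\n\tacl url_acl", 1)
```

HAProxy's own `haproxy -c -f <file>` remains the authoritative check; this scan only covers named ACL references.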

@tamalsaha tamalsaha self-assigned this Jan 12, 2018

@tamalsaha

Member

commented Feb 7, 2018

This was fixed in #786, as part of other fixes.

We also tried with the master branch and the host_acl was working correctly.

@tamalsaha tamalsaha closed this Feb 7, 2018

@drf

Collaborator Author

commented Feb 7, 2018

Yes, that was my impression as well. Good job!
