Allow for binding HTTP or TCP ingress rules to specific addresses #649
Conversation
|
Tests are coming once this has gone though a first round of design review. |
|
Some design rationale: I initially wanted to allow for specifying a range of IPs, similar to how Overall the design here satisfies my needs: the ability to have a service expose itself on a single, specific address and port. Not sure if I should go the extra mile and potentially complicate the code unnecessarily, |
apis/voyager/v1beta1/validator.go
Outdated
| var wildcard = fmt.Sprintf("*:%d", port) | ||
| if address == "*" { | ||
| if _, ok := defined[wildcard]; !ok && len(defined) > 0 { | ||
| return fmt.Errorf("cannot define wildcard on same port as specific bind address") |
There was a problem hiding this comment.
Feel free to propose a better error message, not sure if this is self-explanatory enough.
There was a problem hiding this comment.
Can't use wildcard address for port %d, since ones or more rules define specific bind address.
apis/voyager/v1beta1/validator.go
Outdated
| func checkExclusiveWildcard(address string, port int, defined map[string]*address) error { | ||
| var wildcard = fmt.Sprintf("*:%d", port) | ||
| if address == "*" { | ||
| if _, ok := defined[wildcard]; !ok && len(defined) > 0 { |
There was a problem hiding this comment.
This should check for entries that have <non-*-addr>:port defined.
There was a problem hiding this comment.
Apologies if I'm misunderstanding the comment, but this is what this code does (unless, of course, I've botched it). Specifically, there's two cases:
If we're attempting to register a wildcard address, check whether there's an existing wildcard address registered for the same port. If not, check whether there's any other rules registered. If there are, we can assume they're specific addresses, and thus fail out.
If we're attempting to register a non-wildcard address, check whether there's an already-existing wildcard address. If there is, fail out.
Pretty sure this covers everything, right?
P.S.: I should probably add some comments here regardless of outcome.
There was a problem hiding this comment.
If not, check whether there's any other rules registered. If there are, we can assume they're specific addresses, and thus fail out.
This defined map will have rules for all other ports, too. So, I think you need to check the there are other rules for the same port but with specific bind address, right?
There was a problem hiding this comment.
Ah, correct, my mistake. I'll fix.
apis/voyager/v1beta1/validator.go
Outdated
| var wildcard = fmt.Sprintf("*:%d", port) | ||
| if address == "*" { | ||
| if _, ok := defined[wildcard]; !ok && len(defined) > 0 { | ||
| return fmt.Errorf("cannot define wildcard on same port as specific bind address") |
There was a problem hiding this comment.
Can't use wildcard address for port %d, since ones or more rules define specific bind address.
apis/voyager/v1beta1/validator.go
Outdated
| } | ||
| } else { | ||
| if _, ok := defined[wildcard]; ok { | ||
| return fmt.Errorf("cannot define specific bind address on same port as wildcard") |
There was a problem hiding this comment.
Can't use specific bind address for port %d, since ones or more rules use wildcard bind address.
|
Hey, any progress on this? |
|
Apologies for the delay, I was out last week and didn't have access to my test server. I'll fix the issues here and fix conflicts. Thanks for your patience. |
|
Pushed fixes for the comments, tests are still WIP (I'll need to set up E2E tests and see about implementation). |
|
@deuill can you please rebase master and squash your commits? If it is ok with you we can add the tests and merge the change so that your contribution is clear. |
|
@tamalsaha sure, no problem. Again, apologies for the lack of timely updates here, I appreciate you pushing this through! |
Currently, Voyager will allow (or enforce, in the case of TCP rules) specifying a specific port to
expose services against, regardless of their internal service port. This commit extends this
functionality by allowing for specifying an optional bind address (IPv4 or IPv6), which defaults to
a wildcard ('*'), which binds to all available addresses.
An example 'Ingress' definition might look like:
apiVersion: voyager.appscode.com/v1beta1
kind: Ingress
metadata:
name: ingress
namespace: default
labels:
app: voyager
annotations:
ingress.appscode.com/type: HostPort
spec:
rules:
- host: deuill.org
http:
address: 203.0.113.101
paths:
- backend:
serviceName: deuill.web
servicePort: 80
- host: mail.deuill.org
tcp:
address: 203.0.113.102
port: 25
backend:
serviceName: postfix.mail
servicePort: 25
Noted that wildcard and non-wildcard rules cannot be mixed for the same external port number, due to
how the underlying HAProxy configuration is set up. This essentially means that, if you have a
single HTTP host binding to a specific address, all other HTTP hosts must specify an address as
well.
Closes: #602
Currently, Voyager will allow (or enforce, in the case of TCP rules) specifying a specific port to
expose services against, regardless of their internal service port. This commit extends this
functionality by allowing for specifying an optional bind address (IPv4 or IPv6), which defaults to
a wildcard ('*'), which binds to all available addresses.
An example 'Ingress' definition might look like:
Noted that wildcard and non-wildcard rules cannot be mixed for the same external port number, due to
how the underlying HAProxy configuration is set up. This essentially means that, if you have a
single HTTP host binding to a specific address, all other HTTP hosts must specify an address as
well.