Allow for binding HTTP or TCP ingress rules to specific addresses #649
Tests are coming once this has gone through a first round of design review.
Some design rationale: I initially wanted to allow for specifying a range of IPs, similar to how Overall the design here satisfies my needs: the ability to have a service expose itself on a single, specific address and port. Not sure if I should go the extra mile and potentially complicate the code unnecessarily,
apis/voyager/v1beta1/validator.go
Outdated
var wildcard = fmt.Sprintf("*:%d", port) | ||
if address == "*" { | ||
if _, ok := defined[wildcard]; !ok && len(defined) > 0 { | ||
return fmt.Errorf("cannot define wildcard on same port as specific bind address") |
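Review bot: `len(defined) > 0` in the wildcard branch counts every entry in `defined`, not only the entries for `port`. The keys are address:port strings (see how `wildcard` is built), so if the map also holds rules for other ports, a wildcard on this port is rejected as soon as any rule exists anywhere. Restrict the test to keys that end in this port and carry a non-`*` address, or keep a separate per-port record of specific addresses.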
Feel free to propose a better error message, not sure if this is self-explanatory enough.
Can't use wildcard address for port %d, since one or more rules define specific bind address.
Thanks @deuill. I think the overall design looks good to me. Added a few comments.
apis/voyager/v1beta1/validator.go
Outdated
func checkExclusiveWildcard(address string, port int, defined map[string]*address) error { | ||
var wildcard = fmt.Sprintf("*:%d", port) | ||
if address == "*" { | ||
if _, ok := defined[wildcard]; !ok && len(defined) > 0 { |
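Review bot: the parameter `address string` in the signature shadows the type `address` used in `defined map[string]*address`, so the type can no longer be named inside the function body. Rename the parameter (for example to `addr`) to remove the collision. A doc comment stating the key format of `defined` and the invariant being enforced (a port carries either wildcard binds or specific binds, never both) would also make the two branches easier to check.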
This should check for entries that have <non-*-addr>:port defined.
Apologies if I'm misunderstanding the comment, but this is what this code does (unless, of course, I've botched it). Specifically, there's two cases:
If we're attempting to register a wildcard address, check whether there's an existing wildcard address registered for the same port. If not, check whether there's any other rules registered. If there are, we can assume they're specific addresses, and thus fail out.
If we're attempting to register a non-wildcard address, check whether there's an already-existing wildcard address. If there is, fail out.
Pretty sure this covers everything, right?
P.S.: I should probably add some comments here regardless of outcome.
> If not, check whether there's any other rules registered. If there are, we can assume they're specific addresses, and thus fail out.

This defined map will have rules for all other ports, too. So, I think you need to check that there are other rules for the same port but with specific bind address, right?
Ah, correct, my mistake. I'll fix.
apis/voyager/v1beta1/validator.go
Outdated
var wildcard = fmt.Sprintf("*:%d", port) | ||
if address == "*" { | ||
if _, ok := defined[wildcard]; !ok && len(defined) > 0 { | ||
return fmt.Errorf("cannot define wildcard on same port as specific bind address") |
Can't use wildcard address for port %d, since one or more rules define specific bind address.
apis/voyager/v1beta1/validator.go
Outdated
} | ||
} else { | ||
if _, ok := defined[wildcard]; ok { | ||
return fmt.Errorf("cannot define specific bind address on same port as wildcard") |
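Review bot: the lookup `defined[wildcard]` in this else branch only catches a wildcard stored under the literal key `*:<port>`. If address validation elsewhere accepts `0.0.0.0` or `::`, those values take this non-wildcard path even though they listen on every address of their family; consider normalising them to `*` before the check, or rejecting them. Including `port` in the error on the last line (a `%d` verb) would also tell the user which set of rules conflicts.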
Can't use specific bind address for port %d, since one or more rules use wildcard bind address.
Hey, any progress on this?
Apologies for the delay, I was out last week and didn't have access to my test server. I'll fix the issues here and fix conflicts. Thanks for your patience.
Pushed fixes for the comments, tests are still WIP (I'll need to set up E2E tests and see about implementation).
@deuill can you please rebase master and squash your commits? If it is ok with you we can add the tests and merge the change so that your contribution is clear.
@tamalsaha sure, no problem. Again, apologies for the lack of timely updates here, I appreciate you pushing this through!
Currently, Voyager will allow (or enforce, in the case of TCP rules) specifying a specific port to
expose services against, regardless of their internal service port. This commit extends this
functionality by allowing for specifying an optional bind address (IPv4 or IPv6), which defaults to
a wildcard ('*'), which binds to all available addresses.

An example 'Ingress' definition might look like:

    apiVersion: voyager.appscode.com/v1beta1
    kind: Ingress
    metadata:
      name: ingress
      namespace: default
      labels:
        app: voyager
      annotations:
        ingress.appscode.com/type: HostPort
    spec:
      rules:
      - host: deuill.org
        http:
          address: 203.0.113.101
          paths:
          - backend:
              serviceName: deuill.web
              servicePort: 80
      - host: mail.deuill.org
        tcp:
          address: 203.0.113.102
          port: 25
          backend:
            serviceName: postfix.mail
            servicePort: 25

Noted that wildcard and non-wildcard rules cannot be mixed for the same external port number, due to
how the underlying HAProxy configuration is set up. This essentially means that, if you have a
single HTTP host binding to a specific address, all other HTTP hosts must specify an address as
well.

Closes: #602
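
The per-port rule from the commit message and review thread, as an added Go example (not the PR's code): wildcard and specific bind addresses may not share an external port, and rules on other ports must not affect the decision. `bindRule`, `isWildcard` and `checkBindConflicts` are hypothetical names, and treating `0.0.0.0` and `::` as wildcards is an assumption of this example.

```go
package main

import (
	"fmt"
	"net"
)

// bindRule is a hypothetical stand-in for one ingress rule's bind settings.
type bindRule struct {
	Address string // "" or "*" means wildcard
	Port    int
}

// isWildcard treats 0.0.0.0 and :: as wildcards too (an assumption of this
// example, not something stated in the PR).
func isWildcard(addr string) bool {
	if addr == "" || addr == "*" {
		return true
	}
	ip := net.ParseIP(addr)
	return ip != nil && ip.IsUnspecified()
}

// checkBindConflicts rejects unparseable addresses and any port that mixes
// wildcard and specific binds. State is kept per port, not globally.
func checkBindConflicts(rules []bindRule) error {
	type seen struct{ wildcard, specific bool }
	ports := map[int]seen{}
	for _, r := range rules {
		wild := isWildcard(r.Address)
		if !wild && net.ParseIP(r.Address) == nil {
			return fmt.Errorf("invalid bind address %q for port %d", r.Address, r.Port)
		}
		s := ports[r.Port]
		s.wildcard = s.wildcard || wild
		s.specific = s.specific || !wild
		if s.wildcard && s.specific {
			return fmt.Errorf("port %d mixes wildcard and specific bind addresses", r.Port)
		}
		ports[r.Port] = s
	}
	return nil
}

func main() {
	// Constructed sample: the port 25 rule must not affect port 80.
	rules := []bindRule{{"203.0.113.102", 25}, {"*", 80}, {"203.0.113.101", 80}}
	fmt.Println(checkBindConflicts(rules))
}
```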