envoy: Avoid duplicate domain name
There is validation of unique domain names in Envoy v1.25.x, which causes
the error below in the conformance test. This commit is to make sure that we
don't generate two virtual hosts with the same domain names if enforce HTTPS
is enabled.

```
2023-04-01T06:08:08.710574289Z level=warning msg="NACK received for versions after  and up to 4; waiting for a version update before sending again" subsys=xds xdsAckedVersion= xdsClientNode="host~127.0.0.1~no-id~localdomain" xdsDetail="Only unique values for domains are permitted. Duplicate entry of domain foo.bar.com in route default/cilium-ingress-default-host-rules/listener-insecure" xdsNonce=4 xdsStreamID=9 xdsTypeURL=type.googleapis.com/envoy.config.route.v3.RouteConfiguration
```

Before

```yaml
  - '@type': type.googleapis.com/envoy.config.route.v3.RouteConfiguration
    name: listener-insecure
    virtualHosts:
    - domains:
      - foo.bar.com
      - foo.bar.com:*
      name: foo.bar.com
      routes:
      - match:
          safeRegex:
            regex: (/.*)?$
        redirect:
          httpsRedirect: true
    - domains:
      - '*.foo.com'
      - '*.foo.com:*'
      name: '*.foo.com'
      routes:
      - match:
          headers:
          - name: :authority
            stringMatch:
              safeRegex:
                regex: ^[^.]+[.]foo[.]com$
          safeRegex:
            regex: (/.*)?$
        route:
          cluster: default/wildcard-foo-com:8080
          maxStreamDuration:
            maxStreamDuration: 0s
    - domains:
      - foo.bar.com
      - foo.bar.com:*
      name: foo.bar.com
      routes:
      - match:
          safeRegex:
            regex: (/.*)?$
        route:
          maxStreamDuration:
            maxStreamDuration: 0s
          weightedClusters:
            clusters:
            - name: default/foo-bar-com:http
              weight: 1
            - name: default/foo-bar-com:http
              weight: 1
```

After

```yaml
  - '@type': type.googleapis.com/envoy.config.route.v3.RouteConfiguration
    name: listener-insecure
    virtualHosts:
    - domains:
      - foo.bar.com
      - foo.bar.com:*
      name: foo.bar.com
      routes:
      - match:
          safeRegex:
            regex: (/.*)?$
        redirect:
          httpsRedirect: true
    - domains:
      - '*.foo.com'
      - '*.foo.com:*'
      name: '*.foo.com'
      routes:
      - match:
          headers:
          - name: :authority
            stringMatch:
              safeRegex:
                regex: ^[^.]+[.]foo[.]com$
          safeRegex:
            regex: (/.*)?$
        route:
          cluster: default/wildcard-foo-com:8080
          maxStreamDuration:
            maxStreamDuration: 0s
```

Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras committed Apr 3, 2023
1 parent 4b05add commit 466ab24
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion operator/pkg/model/translation/translator.go
@@ -156,15 +156,21 @@ func (i *defaultTranslator) getRouteConfiguration(m *model.Model) []ciliumv2.XDS
for port, hostNames := range portHostName {
var virtualhosts []*envoy_config_route_v3.VirtualHost

redirectedHost := map[string]struct{}{}
// Add HTTPs redirect virtual host for secure host
if port == insecureHost && i.enforceHTTPs {
for _, h := range unique(portHostName[secureHost]) {
vhs, _ := NewVirtualHostWithDefaults([]string{h}, true, i.hostNameSuffixMatch, hostNameRoutes[h])
virtualhosts = append(virtualhosts, vhs)
redirectedHost[h] = struct{}{}
}
}

for _, h := range unique(hostNames) {
if port == insecureHost {
if _, ok := redirectedHost[h]; ok {
continue
}
}
routes, exists := hostNameRoutes[h]
if !exists {
continue
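Review bot: the nested `if port == insecureHost` guard around the `redirectedHost` lookup is redundant: the map is only populated inside the `port == insecureHost && i.enforceHTTPs` branch above, so on any other port it stays empty and the lookup can never match. Collapsing the two checks into a single `if _, ok := redirectedHost[h]; ok { continue }` keeps the same behaviour and reads more directly; a short comment stating why the host is skipped (it already received an HTTPS redirect virtual host on this listener, and a second virtual host for the same domain would be rejected by Envoy's unique-domain validation) would make the intent clear to the next reader, and a plural name such as `redirectedHosts` would better signal that the map is a set. It is also worth adding a test for the behavioural change this introduces: with `enforceHTTPs` on, a host listed on both the secure and insecure listeners now gets only the redirect on the insecure listener, and its plain-HTTP routes from `hostNameRoutes[h]` are dropped there, which is the intended hardening but is not exercised by anything in this diff.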
