Virtual service routes ignored when httpsRedirect: true in port 443 section #27157
Comments
|
@ceastman-ibm thanks for discovering/reporting this. I imagine it can take you a few hours to track this down. @howardjohn @rshriram is this as designed, users should not be doing httpsredirect... and we should warn user properly on this? Seems good to fail at validation time except users may already have this (coming from 1.6 to 1.7), which they will need to run analyzer to discover it. cc @esnible |
|
I need to look into it a bit more but we can likely either fail in the webhook or add a warning if it's set. If we go with warning we should make the code just ignore it instead of break |
|
@linsun users should be able to do httsredirect. It just needs to be on port 80. I had it set on port 443 which was wrong (it just didn't fail in istio < 1.7 ) . Httpsredirect doesn't make sense on port 443 since that is already https so there is no need to redirect to 443. |
|
@ceastman-ibm Yes, agreed, only didn't make sense if it is already using https. |
|
I am happy to write an analyzer for this. I am uncertain what the exact triggering condition for the warning should be. Any Gateway with httpsRedirect AND port 443? |
|
Thanks Ed! Yes, pretty much any config like this where |
|
We shouldn't be so quick to write an analyzer IMO, lets first make sure we fully understand the problem and ensure Istiod is handling it correctly. |
|
HI @howardjohn @esnible - I am trying to understand what the "Analyzer" is related to this issue. Any pointer would be really useful. |
|
@pramodrj07 we are referring to https://istio.io/latest/docs/ops/diagnostic-tools/istioctl-analyze/. But I strongly encourage us to NOT just create an analyzer and close this, but rather fix the root issue. And I also recommend we do not write a new analyzer and just instead add a warning (like #27445) |
|
@howardjohn - Yes Definitely. I was trying to understand the issue and what the comments were about. Basically trying to learn. Thanks for the pointer. This helps. |
istio-policy-bot
added
the
lifecycle/stale
|
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2020-09-24. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions. Created by the issue and PR lifecycle manager. |
istio-policy-bot
added
the
lifecycle/automatically-closed
* Fixes istio#27315 * Fixes istio#27157 This partially reverts istio#24958. This PR did two things - allow using httpsRedirect without VirtualServices (good) and remove all routes when using httpsRedirect (bad). The latter breaks in two cases: when a user has an HTTPS server and they put httpsRedirect, it previously was silently ignored - after the PR, all the routes were dropped. With this change, these routes are added, and users will get a warning at validation time since the config is not useful. The other case is that a user can have an HTTP server but still "bypass" the httpsRedirect with X-Forward-Proto and num_trusted_hops, so removing the routes breaks this. Both of these cases have unit and integration tests. Additionally, the original PR indirectly caused httpsRedirect=true to take precedence during Gateway conflicts. Previously, the last gateway won, which caused weird behavior. I kept the behavior of the original PR here; during conflict we will keep the httpsRedirect. This isn't ideal, since it interferes with cert-manager ACME requests. Longer term we will want to make httpsRedirect per-route most likely. See istio#27643 (comment) for more info.
* Fix issues around tlsRedirect * Fixes #27315 * Fixes #27157 This partially reverts #24958. This PR did two things - allow using httpsRedirect without VirtualServices (good) and remove all routes when using httpsRedirect (bad). The latter breaks in two cases: when a user has an HTTPS server and they put httpsRedirect, it previously was silently ignored - after the PR, all the routes were dropped. With this change, these routes are added, and users will get a warning at validation time since the config is not useful. The other case is that a user can have an HTTP server but still "bypass" the httpsRedirect with X-Forward-Proto and num_trusted_hops, so removing the routes breaks this. Both of these cases have unit and integration tests. Additionally, the original PR indirectly caused httpsRedirect=true to take precedence during Gateway conflicts. Previously, the last gateway won, which caused weird behavior. I kept the behavior of the original PR here; during conflict we will keep the httpsRedirect. This isn't ideal, since it interferes with cert-manager ACME requests. Longer term we will want to make httpsRedirect per-route most likely. See #27643 (comment) for more info. * note * Fixes * fix lint * fix echo
* Fix issues around tlsRedirect * Fixes istio#27315 * Fixes istio#27157 This partially reverts istio#24958. This PR did two things - allow using httpsRedirect without VirtualServices (good) and remove all routes when using httpsRedirect (bad). The latter breaks in two cases: when a user has an HTTPS server and they put httpsRedirect, it previously was silently ignored - after the PR, all the routes were dropped. With this change, these routes are added, and users will get a warning at validation time since the config is not useful. The other case is that a user can have an HTTP server but still "bypass" the httpsRedirect with X-Forward-Proto and num_trusted_hops, so removing the routes breaks this. Both of these cases have unit and integration tests. Additionally, the original PR indirectly caused httpsRedirect=true to take precedence during Gateway conflicts. Previously, the last gateway won, which caused weird behavior. I kept the behavior of the original PR here; during conflict we will keep the httpsRedirect. This isn't ideal, since it interferes with cert-manager ACME requests. Longer term we will want to make httpsRedirect per-route most likely. See istio#27643 (comment) for more info. * note * Fixes * fix lint * fix echo (cherry picked from commit 56d740a)
* Fix issues around tlsRedirect * Fixes #27315 * Fixes #27157 This partially reverts #24958. This PR did two things - allow using httpsRedirect without VirtualServices (good) and remove all routes when using httpsRedirect (bad). The latter breaks in two cases: when a user has an HTTPS server and they put httpsRedirect, it previously was silently ignored - after the PR, all the routes were dropped. With this change, these routes are added, and users will get a warning at validation time since the config is not useful. The other case is that a user can have an HTTP server but still "bypass" the httpsRedirect with X-Forward-Proto and num_trusted_hops, so removing the routes breaks this. Both of these cases have unit and integration tests. Additionally, the original PR indirectly caused httpsRedirect=true to take precedence during Gateway conflicts. Previously, the last gateway won, which caused weird behavior. I kept the behavior of the original PR here; during conflict we will keep the httpsRedirect. This isn't ideal, since it interferes with cert-manager ACME requests. Longer term we will want to make httpsRedirect per-route most likely. See #27643 (comment) for more info. * note * Fixes * fix lint * fix echo (cherry picked from commit 56d740a)
(NOTE: This is used to report product bugs:
To report a security vulnerability, please visit https://istio.io/about/security-vulnerabilities/
To ask questions about how to use Istio, please visit https://discuss.istio.io
)
Bug description
Affected product area (please put an X in all that apply)
[ ] Docs
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Affected features (please put an X in all that apply)
[ ] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane
Expected behavior
Don't ignore virtual service paths when https redirect is set (incorrectly on port 443). Just warn on the httpsredirect being set on port 443, since your already https you don.t need to redirect
Steps to reproduce the bug
probably related to #24958
in the gateway.yaml: have httpsRedirect:true on port 443
Version (include the output of
istioctl version --remoteandkubectl version --shortandhelm versionif you used Helm)istioctl version
client version: 1.7.0
control plane version: 1.7.0
data plane version: 1.7.0 (561 proxies), 1.6.8 (2 proxies)
kubectl version --short
Client Version: v1.17.7
Server Version: v1.17.11+IKS
How was Istio installed?
IBM managed istio
Environment where bug was observed (cloud vendor, OS, etc)
IBM Cloud
Additionally, please consider attaching a cluster state archive by attaching
the dump file to this issue.
The text was updated successfully, but these errors were encountered: