New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prohibit passthrough route with path #6037
Prohibit passthrough route with path #6037
Conversation
It is impossible to support paths with passthrough termination because the router cannot determine the path in the request without decrypting the connection.
…nd fix gofmt errors.
c36893c
to
52742df
Compare
@@ -32,6 +32,11 @@ func ValidateRoute(route *routeapi.Route) fielderrors.ValidationErrorList { | |||
result = append(result, fielderrors.NewFieldInvalid("path", route.Spec.Path, "path must begin with /")) | |||
} | |||
|
|||
if len(route.Spec.Path) > 0 && route.Spec.TLS != nil && | |||
route.Spec.TLS.Termination == routeapi.TLSTerminationPassthrough { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What will the system do with existing routes that don't validate?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will that break route status update?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@liggitt Not sure if I understood you correctly, there should be no changes vis-a-vis the fields - they should be converted from the old to the new schema.
If you mean for passthrough routes with paths, well those would have been redundant anyway - would have never worked ("cruft" in the datastore / etcd) as they would have just generated unused config. So this is actually indicating that those routes are invalid and it would log errors (and wouldn't try to add a route to the router).
And re: route status update - no, this is not called in the path via ValidateRouteStatusUpdate
, so it would not affect status update.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have to be careful with tightening validation on things "that would never have worked"… we can do it as long as we're sure that no automated systems will be hot looping or logging thousands of events/validation failures if a previously "valid" persisted object suddenly doesn't pass validation after an upgrade
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, that one's a doozy - can we ever be sure of that? What we don't know of could always exist on a different plane of existence (aka schrodinger's cat). There could well be a script out there that expects things that worked in v1beta1 to work now or in the future and are we absolutely certain that we can ever have a 100% temporal guarantee on that. IMHO, within a reasonable scheme/limit is good. And in this specific case, this is something that would not have worked in the first place. Just me tuppence.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm referring to things we have allowed through validation in supported releases
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That argument could be made for v1 to v2 to v3 as well, no. My point is, if someone was using this - it would have never worked + the docs do mention it as well ref: https://docs.openshift.org/latest/architecture/core_concepts/routes.html#path-based-routes
We could argue the reverse direction to say hey someone could well do that but that's would cover a lot of area (the different planes of existence above) we don't know about.
updated link
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not saying we can't tighten this, I'm just saying we have to be very careful, and we need to audit how existing routes (especially route status) are being updated/validated:
we can do it as long as we're sure that no automated systems will be hot looping or logging thousands of events/validation failures if a previously "valid" persisted object suddenly doesn't pass validation after an upgrade
We ran into this when validation around pod spec ports changed, and invalid replication controller data caused hundreds of thousands of pod creation failures and logged events.
@@ -32,6 +32,11 @@ func ValidateRoute(route *routeapi.Route) fielderrors.ValidationErrorList { | |||
result = append(result, fielderrors.NewFieldInvalid("path", route.Spec.Path, "path must begin with /")) | |||
} | |||
|
|||
if len(route.Spec.Path) > 0 && route.Spec.TLS != nil && | |||
route.Spec.TLS.Termination == routeapi.TLSTerminationPassthrough { | |||
result = append(result, fielderrors.NewFieldInvalid("path", route.Spec.Path, "paththrough termination does not support paths")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/paththrough/passthrough/
@rajatchopra /bump Thx |
Agreed. If it never worked before and the controller won't fail on status updates because of this, I think its ok to tighten. I see this as another reason to check resource validity in @jwforres For your client-side validation. |
CC @spadgett |
Nevermind, the error in 6076 wasn't due to validation. I pulled this branch, rebased it on top of latest, cherry-picked the changes from #6092 and the unit tests work fine. Also couldn't find any validation in |
[merge] |
[Test]ing while waiting on the merge queue |
Evaluated for origin test up to f174dce |
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/179/) |
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/4675/) (Image: devenv-rhel7_3192) |
#6738 flake [merge] |
Evaluated for origin merge up to f174dce |
Merged by openshift-bot
Newer version of PR #4282 - fixed up for new Spec.* fields.
@Miciah @rajatchopra PTAL thx