New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
single ingress path regex error breaks all other ingress objects processing #4191
Comments
with that path type (prefix) we should potentially not allow you to specify a regex, the meaning of
|
I think the action item here is to ensure prefix patch matches are validated as a plain path, if they have regex characters, reject them and log (we can look at incrementing a metric as well), since Ingress doesn't have a detail status field |
also what are you trying to match with e.g. |
Yeah, this is OR paths regex. But particular regex is not super important here. The main issue was that contour reconciliation loop was broken and other ingresses stoped being updated. |
yeah there are a couple main issues for contour here:
|
this code: contour/internal/dag/ingress_processor.go Line 252 in 09d0488
needs a bit of a re-examination bc it prevents one from using properly encoded url as a simple prefix, which should be allowed, e.g. path match type Envoy doesn't match requests to |
I think we'll also want to insert a |
still bandaids to fix the general NACK issue however ^ |
it appears we also just generally need to make sure a |
Thanks for investigating this @sunjayBhatia. Let's xref to #1176 to make sure we capture the NACK requirement. The actual breaking of the reconciliation loop is happening here because:
I agree that properly solving #1176 will also solve this, but that's a lot of work, so we should clean up this path handling as much as possible now. |
Also created #4196 after some experimentation, would love people's thoughts on this as well |
Ingress/HTTPRoute prefix matches now have an anchor to ensure long prefixes don't increase the program size. Should ensure they are not rejected by Envoy. In addition, add an anchor to regex path matches since they at least have to start with a literal / Updates: projectcontour#4191 Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>
Ingress/HTTPRoute prefix matches now have an anchor to ensure long prefixes don't increase the program size. Should ensure they are not rejected by Envoy. In addition, add an anchor to regex path matches since they at least have to start with a literal / Updates: #4191 Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>
The Contour project currently lacks enough contributors to adequately respond to all Issues. This bot triages Issues according to the following rules:
You can:
Please send feedback to the #contour channel in the Kubernetes Slack |
The Contour project currently lacks enough contributors to adequately respond to all Issues. This bot triages Issues according to the following rules:
You can:
Please send feedback to the #contour channel in the Kubernetes Slack |
What steps did you take and what happened:
If ingress path regex is broken (e.g. too long) it breaks all other ingress objects processing. It means that a single ingress object containing broken regex can break entire ingress controller. During that time all other ingress object are not updated, ingress changes are not reflected in envoy.
Example:
ingress:
Contour error message is generated:
What did you expect to happen:
Even if regex is broken in single ingress object contour should be able to still process all other ingresses.
Anything else you would like to add:
It would probably be useful to have some metric that could indicate that contour ingress object processing is broken. Otherwise it's difficult to detect such case when not looking at contour logs.
Environment:
kubectl version
):The text was updated successfully, but these errors were encountered: