New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ingress controller does not add a rule that matches the host and the port #3244
Comments
Note that some ingress controllers, such as Contour, do add an Envoy rule to mach host and port. |
Gloo in ingress mode adds an Envoy rule that matches a host specified in Ingress, but does not add a rule that matches a host and a port (80 or 443). This creates an issue for proxying GRPC services, because most of the standard GRPC clients (grpcurl, Go, Python) use GRPC endpoint for :authority header, if authority is not explicitly specified. This fixes bug solo-io#3244
* Ingress: add Envoy host with port rule Gloo in ingress mode adds an Envoy rule that matches a host specified in Ingress, but does not add a rule that matches a host and a port (80 or 443). This creates an issue for proxying GRPC services, because most of the standard GRPC clients (grpcurl, Go, Python) use GRPC endpoint for :authority header, if authority is not explicitly specified. This fixes bug #3244
Gloo in ingress mode adds an Envoy rule that matches a host specified in Ingress, but does not add a rule that matches a host and a port (80 or 443). This creates an issue for proxying GRPC services, because most of the standard GRPC clients (grpcurl, Go, Python) use GRPC endpoint for :authority header, if authority is not explicitly specified. This fixes bug solo-io#3244
* Backport: Ingress: add Envoy host with port rule Gloo in ingress mode adds an Envoy rule that matches a host specified in Ingress, but does not add a rule that matches a host and a port (80 or 443). This creates an issue for proxying GRPC services, because most of the standard GRPC clients (grpcurl, Go, Python) use GRPC endpoint for :authority header, if authority is not explicitly specified. This fixes bug #3244
This is still a valid issue with Gloo Edge 1.8.6. cc @pbchekin, @kdorosh I ran into this issue while following the Gloo Edge gRPC tutorial. The only difference between the tutorial steps and what I did was specifying the domain for the VirtualService.
Testing with grpcurl
If I drop the domain from the VirtualService config, then the envoy config looks like this and everything works (since now the domain is "*"):
Additional context
|
@lmakarov right, looks like a regression. Unfortunately the corresponding test was also updated and that regression was not identified. |
@lmakarov the gRPC tutorial you mentioned is not related to Ingress and also it explicitly states that you have to specify |
Describe the bug
Gloo in ingress mode adds an Envoy rule that matches a host specified in Ingress, but does not add a rule that matches a host and a port (80 or 443). This creates an issue for proxying GRPC services, because most of the standard GRPC clients (grpcurl, Go, Python) use GRPC endpoint for
:authority
header, ifauthority
is not explicitly specified.For example:
sends the corresponding request:
As a result, a GRPC request does not work with Gloo ingress-proxy (other methods fail with similar message):
As a workaround, every client needs to explicitly specify
authority
:sends the corresponding request:
Envoy has the following configuration:
To Reproduce
However it works when we specify
authority
:Expected behavior
While explicitly specifying
authority
for a GRPC client is a potential workaround, sometimes it not possible to modify 3rd party GRPC applications or libraries. For such cases, Gloo in ingress mode should support their default behavior.Gloo in ingress mode should add two Envoy rules: first for the Ingress host, second for the Ingress port and port.
The corresponding Envoy configuration must be:
Additional context
The text was updated successfully, but these errors were encountered: