
hostBinding not respected for TCP listeners #5732

Open
rgs1 opened this issue Aug 6, 2024 · 2 comments
Labels
t:bug Something isn't working

Comments

rgs1 commented Aug 6, 2024

For HTTP chains, hosts are properly filtered out if their namespace and selector don't match:

https://github.com/emissary-ingress/emissary/blob/master/python/ambassador/envoy/v3/v3listener.py#L790

However, for TCP chains all hosts are considered regardless:

https://github.com/emissary-ingress/emissary/blob/master/python/ambassador/envoy/v3/v3listener.py#L184

Filtering would have to happen here:

https://github.com/emissary-ingress/emissary/blob/master/python/ambassador/envoy/v3/v3listener.py#L184

Ideally hostBinding would apply to all mappings; otherwise you might end up with the wrong certificate for some TCPMappings.

@rgs1 rgs1 changed the title hostBinding not respected for TCPMappings hostBinding not respected for TCP listeners Aug 6, 2024
@dosubot dosubot bot added the t:bug Something isn't working label Aug 6, 2024
kflynn (Member) commented Aug 7, 2024

Hmmmmmmm. @rgs1, do you have a minimal config to hand to reproduce this? There are some subtleties with TCPMappings; I want to make sure I'm looking at the scenario you're wrestling with.

rgs1 (Author) commented Aug 8, 2024

I think something like this should repro this (not tested):

```yaml
---
# Host without the redis label: should not be bound to the TCP listener below
apiVersion: getambassador.io/v3alpha1
kind: Host
metadata:
  name: a-host
spec:
  hostname: '*.domain.com'
  requestPolicy:
    insecure:
      action: Redirect
  tlsContext:
    name: tlscontext
  tlsSecret:
    name: secret
---
# Host carrying redis=yes: the only one the hostBinding selector should match
apiVersion: getambassador.io/v3alpha1
kind: Host
metadata:
  labels:
    redis: "yes"
  name: b-host
spec:
  hostname: '*.b.domain.com'
  metadata_labels:
    redis: "yes"
  requestPolicy:
    insecure:
      action: Redirect
  tlsContext:
    name: tlscontext-b
  tlsSecret:
    name: secret-b
---
# TCP listener whose hostBinding selects only Hosts labelled redis=yes
apiVersion: getambassador.io/v3alpha1
kind: Listener
metadata:
  name: redis-listener
spec:
  hostBinding:
    selector:
      matchLabels:
        redis: "yes"
  port: 6379
  protocolStack:
  - TCP
  securityModel: XFP
```

If you apply this, you'll see that the listener gets assigned the TLS cert for the first host (hosts are sorted when they need to be looked up to be attached to a listener), instead of the one that should match the hostBinding.
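The filtering that hostBinding implies, written out as an added Python example (this is not Emissary's own code from v3listener.py): it assumes Kubernetes label-selector semantics for `selector` and a `namespace.from` of SELF or ALL that defaults to SELF, as in the Listener CRD. Run over the two Hosts from the repro above, it shows the sorted-first Host's secret being picked when the binding is skipped (the TCP-chain behaviour the issue describes) versus `secret-b` once the selector is applied.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    namespace: str
    hostname: str
    tls_secret: str
    labels: dict = field(default_factory=dict)

def _expr_matches(labels, expr):
    # One matchExpressions entry (In / NotIn / Exists / DoesNotExist).
    key, op, vals = expr["key"], expr["operator"], expr.get("values", [])
    if op in ("In", "NotIn"):
        return (labels.get(key) in vals) == (op == "In")
    if op in ("Exists", "DoesNotExist"):
        return (key in labels) == (op == "Exists")
    raise ValueError(f"unknown selector operator {op!r}")

def selector_matches(labels, selector):
    # Kubernetes semantics: every matchLabels entry AND every matchExpressions entry must hold.
    for k, v in (selector.get("matchLabels") or {}).items():
        if labels.get(k) != v:
            return False
    return all(_expr_matches(labels, e) for e in selector.get("matchExpressions") or [])

def hosts_for_listener(hosts, listener_ns, host_binding, apply_binding=True):
    # Hosts are walked in sorted order (the issue notes Emissary sorts them); with
    # apply_binding=False the first Host wins regardless of the selector, which is the bug.
    ns_from = (host_binding.get("namespace") or {}).get("from", "SELF")  # assumed default
    selector = host_binding.get("selector")
    chosen = []
    for h in sorted(hosts, key=lambda h: h.name):
        if apply_binding:
            if ns_from == "SELF" and h.namespace != listener_ns:
                continue
            if selector is not None and not selector_matches(h.labels, selector):
                continue
        chosen.append(h)
    return chosen

# Constructed sample mirroring the repro above: a-host has no labels, b-host carries redis=yes.
HOSTS = [
    Host("a-host", "default", "*.domain.com", "secret"),
    Host("b-host", "default", "*.b.domain.com", "secret-b", {"redis": "yes"}),
]
REDIS_LISTENER_BINDING = {"selector": {"matchLabels": {"redis": "yes"}}}

def tls_secret_for_tcp_chain(apply_binding):
    # Secret whose cert the TCP listener presents: 'secret' if the binding is ignored, else 'secret-b'.
    return hosts_for_listener(HOSTS, "default", REDIS_LISTENER_BINDING, apply_binding)[0].tls_secret
```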
