conformance: enable HTTPRouteRedirectPortAndScheme #1601
Signed-off-by: Shawnh2 <shawnhxh@outlook.com>
Signed-off-by: Shawnh2 <shawnhxh@outlook.com>
Codecov Report

```
@@            Coverage Diff             @@
##             main    #1601      +/-   ##
==========================================
+ Coverage   64.88%   64.94%   +0.05%
==========================================
  Files          84       84
  Lines       12192    12207      +15
==========================================
+ Hits         7911     7928      +17
+ Misses       3774     3773       -1
+ Partials      507      506       -1
```
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. Please feel free to give a status update now, ping for review, when it's ready. Thank you for your contributions!
Signed-off-by: sh2 <shawnhxh@outlook.com>
Signed-off-by: sh2 <shawnhxh@outlook.com>
/retest
TL;DR the failed conformance test is all about `HTTPRouteRedirectPortAndScheme/http-listener-on-8080`, i suspect there is something wrong with this conformance test, causing routes to conflict somehow
the error shows:
which is weird. if i deploy the gateway, deployment and svc myself in my local cluster, it works and does not have any errors:
so i suspect there is something wrong with this conformance test, causing routes to conflict somehow.
cc @arkodg i think i found the reason, and it will be fixed in this PR.

TL;DR two different gateways may end up with the same IP address, causing routes to conflict

reproduce steps:

```
make create-cluster && make kube-deploy
kubectl apply -f test/config/gatewayclass.yaml
go test -v -tags conformance ./test/conformance --gateway-class=envoy-gateway --debug=true --run TestGatewayAPIConformance/HTTPRouteRedirectPortAndScheme
```
so my request to this is caused by envoy-gateway, it trims the resource name if it is longer than 48.

gateway/internal/provider/utils/utils.go Lines 35 to 37 in 07ab2ba

so

```
kubectl get svc -n envoy-gateway-system
NAME                                                              TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)               AGE
envoy-gateway                                                     ClusterIP      10.96.227.12    <none>           18000/TCP,18001/TCP   21m
envoy-gateway-conformance-infra-all-namespaces-67617465           LoadBalancer   10.96.129.24    172.16.255.201   80:31265/TCP          19m
envoy-gateway-conformance-infra-backend-namespaces-67617465       LoadBalancer   10.96.63.212    172.16.255.202   80:30822/TCP          19m
envoy-gateway-conformance-infra-same-namespace-67617465           LoadBalancer   10.96.107.229   172.16.255.200   80:30797/TCP          19m
envoy-gateway-conformance-infra-same-namespace-with-ht-67617465   LoadBalancer   10.96.21.67     172.16.255.203   443:31186/TCP         19m
envoy-gateway-metrics-service                                     ClusterIP      10.96.168.31    <none>           8443/TCP              21m
```
the k8s can only accept an object name that is shorter than 63, and the name of envoy gateway resources is formatted as:
there is no way to increase the char number of
gateway/internal/provider/utils/utils.go Lines 29 to 30 in 07ab2ba
and use
Signed-off-by: sh2 <shawnhxh@outlook.com>
Signed-off-by: sh2 <shawnhxh@outlook.com>
Signed-off-by: sh2 <shawnhxh@outlook.com>
/retest
@@ -197,12 +197,12 @@ func refsSecret(ref *gwapiv1b1.SecretObjectReference) bool { | |||
} | |||
|
|||
func infraServiceName(gateway *gwapiv1b1.Gateway) string { | |||
infraName := utils.GetHashedName(fmt.Sprintf("%s-%s", gateway.Namespace, gateway.Name)) | |||
infraName := utils.GetHashedName(fmt.Sprintf("%s/%s", gateway.Namespace, gateway.Name)) |
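Review bot: The "%s/%s" format string in infraServiceName is an unexplained inline convention; add a comment, or build the key through a shared helper, so that every caller of utils.GetHashedName passes the same {Namespace}/{Name} form. Because the result is used as a Service name, also confirm that GetHashedName never lets the '/' through into the name it returns, since '/' is not valid in a Kubernetes object name.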
nice find :)
I understand this issue, which stems from
gateway/internal/gatewayapi/helpers.go Line 412 in c0a619c
`func irStringKey(gatewayNs, gatewayName string) string {`
`func ExpectedResourceHashedName(name string) string {`
can we add a comment in here explaining why it's this way or should we change
or instead of finding the deployment by its name which is done here
`key := types.NamespacedName{`
should we find the deployment based on the gateway labels
gateway/internal/gatewayapi/helpers.go Line 292 in c0a619c
`func GatewayOwnerLabels(namespace, name string) map[string]string {`
i think the way we had is great.
and i have added some comments about func `GetHashedName` in internal/provider/utils/utils.go#L26: this function takes input which should be formatted as `{Namespace}/{ResourceName}`
func GetHashedName(nsName string) string { | ||
|
||
h := sha256.New() // Using sha256 instead of sha1 due to Blocklisted import crypto/sha1: weak cryptographic primitive (gosec) | ||
hSum := h.Sum([]byte(nsName)) | ||
hashedName := strings.ToLower(fmt.Sprintf("%x", hSum)) | ||
h.Write([]byte(nsName)) |
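Review bot: The switch to h.Write([]byte(nsName)) comes with no regression test in the visible lines; add a unit test for GetHashedName asserting that two inputs sharing their first four bytes get different hex prefixes. The removed h.Sum([]byte(nsName)) never hashed nsName: Sum appends the digest of the data written so far to its argument, so the hex string began with the bytes of nsName itself. Since the hash state is used only once, the one-shot sha256.Sum256([]byte(nsName)) would make the same mistake harder to reintroduce.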
can you help elaborate why this is needed ?
here is a go playground example, may help you see why.
cool thanks for highlighting this !
hey @shawnh2 thanks for digging deep and finding the culprit, reg your comment
trying to better understand how can the hash be the same for this case
we originally use sha256.Sum() to compute hash directly, but method here is the effects
after:
Great! Thanks
LGTM thanks !
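The collision discussed in this thread, reproduced as an added example (not the project's code and not the linked playground snippet): `hash.Hash.Sum(b)` appends the digest to `b` instead of hashing `b`, so the old 8-character suffix was only the hex of the input's first four bytes. The `resourceName` layout and the two gateway names are assumptions reconstructed from the `kubectl` output earlier on the page.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// suffixBuggy follows the removed line: Sum(b) appends the digest of what has
// been written so far (nothing) to b, so the hex output begins with b itself.
func suffixBuggy(nsName string) string {
	h := sha256.New()
	return fmt.Sprintf("%x", h.Sum([]byte(nsName)))[:8]
}

// suffixFixed writes the input into the hash state, then asks for the digest.
func suffixFixed(nsName string) string {
	h := sha256.New()
	h.Write([]byte(nsName))
	return fmt.Sprintf("%x", h.Sum(nil))[:8]
}

// resourceName is an assumed reconstruction of the naming layout visible in the
// kubectl output: "envoy-" + input trimmed to 48 chars + "-" + 8 hex chars.
func resourceName(nsName string, suffix func(string) string) string {
	trimmed := nsName
	if len(trimmed) > 48 {
		trimmed = trimmed[:48]
	}
	return "envoy-" + trimmed + "-" + suffix(nsName)
}

func main() {
	// Constructed inputs: namespace taken from the Service names on the page,
	// gateway names chosen so that both share their first 48 characters.
	a := "gateway-conformance-infra-same-namespace-with-http-listener-on-8080"
	b := "gateway-conformance-infra-same-namespace-with-https-listener"
	for _, in := range []string{a, b} {
		fmt.Println("buggy:", resourceName(in, suffixBuggy))
		fmt.Println("fixed:", resourceName(in, suffixFixed))
	}
}
```

With the buggy suffix both inputs map to the same 63-character name, which is how two Gateways ended up behind one Service; with the fixed suffix the trimmed prefix is still shared but the hash separates them.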
What type of PR is this?
What this PR does / why we need it:
HTTPRouteRedirectPortAndScheme conformance test is related to kubernetes-sigs/gateway-api#1880
Which issue(s) this PR fixes:
Fixes #1441