Contour Fails to read TLSCertificateDelegation objects

[joshrosso]

To Reproduce

1. Bootstrap a new Kubernetes cluster with kubeadm.

2. Deploy contour

   kubectl apply -f https://j.hept.io/contour-deployment-rbac
   

3. Create an ingress-system namespace.

   kubectl create ns ingress-system
   

4. Add the TLS secret to the ingress-system namespace.

  apiVersion: v1
  kind: Secret
  type: Opaque
  data:
    tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4VENDQWRtZ0F3SUJBZ0lVWk5nNFYvQ0ZwcmVGeUtCRUtJNDA0L3pGWDU0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd0VURVBNQTBHQTFVRUF3d0diMk4wWlhSNk1DQVhEVEU1TURRd01qSXpNalV3TkZvWUR6SXlPVE13TVRFMQpNak15TlRBMFdqQVhNUlV3RXdZRFZRUUREQXdxTG05amRHVjBlaTVqYjIwd2dnRWlNQTBHQ1NxR1NJYjNEUUVCCkFRVUFBNElCRHdBd2dnRUtBb0lCQVFEV1VXUVJsSzBra01KRlErSDROVTFkTE1oWlFURGhMcWtjQTJMTU1OQTcKNWRNTTJWV2QzbnU3M3FJclI3a2lyQWxMTFA4Si9TTVB4dmRLcnVObXZJMVA1eWw1Snl0emlvUWJ6blE4YTdVLwpqUGhiMG5hTmFZamV0eEZCMnIwYms3OHBJZE1BYUJXamhjWEhNUTlmdXdMdnFRLzZ2djNRWDVoNUdYc2dUT3U5CkI0NnR2ZFpNQy9ONlY1aVNMVGRkT1lxRFJ3Y2ZLMkdqa3p0WHVpTWFTNVVjbnFESlNHK2JubWdqR2lhM2J0SHoKTnZGWkErLzUwb2pmR0F1VVl2aTY0b2xYNFEvM0l4MmpGRGcvS1RvRm8xL0VtS3A3Q2dEL2l4U2FRaXh5My9VTwpYbUd6b0Q2VFJScHpGYjZKVmxzd3N5VDBIcWh0UEVkbUgzK01NamJpcXY0ZkFnTUJBQUdqT1RBM01Ba0dBMVVkCkV3UUNNQUF3Q3dZRFZSMFBCQVFEQWdYZ01CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUNCZ2dyQmdFRkJRY0QKQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWdiRlh4VHpMMC9wSFFQclJ5UmRlMHdSUGdPWEJhYTVlS3k0eQo2ZTVuNDJwYStod0M0cmNHQXpXV1IzNHRzRVQyUDFZNkUydmgvZEVQcmlDQzdCS0x2SHRnQ0o1ZmRkVWozdUZICmpLdFpPRFJCclFFa0JxQWh5WXl4ZStKd2I0NVA0VjJNVEZ2R2dmMWYxY0xTTDVyaVBRWTlaTmtaSmRwWWNVbFAKTWVERDhWOUxOeVYvbE5nYUVnV0tabHFZQUdoM0NTZnVmWnlZSDJkZXU1TzRLQ2E4RWNoL1lWTzQ3SzdxMUFQUQpIYWZWdzFyUVY1c2FxMk00VzUxaWUvSktqYXFmdWtibWc3QWU0dXQ5MW02ZjF3dDd6ZWs2UjZJeTZjTTlWWUMyCkJmQ1JUd3FhTHdiQUJ6aXRtSzRZYllGWllQOTI2dnFpOUUxcFIxSTk4ckZBVFB6WVhBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBMWxGa0VaU3RKSkRDUlVQaCtEVk5YU3pJV1VFdzRTNnBIQU5pekREUU8rWFRETmxWCm5kNTd1OTZpSzBlNUlxd0pTeXovQ2YwakQ4YjNTcTdqWnJ5TlQrY3BlU2NyYzRxRUc4NTBQR3UxUDR6NFc5SjIKaldtSTNyY1JRZHE5RzVPL0tTSFRBR2dWbzRYRnh6RVBYN3NDNzZrUCtyNzkwRitZZVJsN0lFenJ2UWVPcmIzVwpUQXZ6ZWxlWWtpMDNYVG1LZzBjSEh5dGhvNU03VjdvakdrdVZISjZneVVodm01NW9JeG9tdDI3Ujh6YnhXUVB2CitkS0kzeGdMbEdMNHV1S0pWK0VQOXlNZG94UTRQeWs2QmFOZnhKaXFld29BLzRzVW1rSXNjdC8xRGw1aHM2QSsKazBVYWN4VytpVlpiTUxNazlCNm9iVHhIWmg5L2pESTI0cXIrSHdJREFRQUJBb0lCQVFESmwvbTNCOUR0eWpUVApEbzFwK2tseFVZU0xZR1RvREFvS1RhMExRUWMrc0dvYmRmdXc2ZXdkeGNkcFNxZjgwekpTd2xxTVBNNVVNdVcrCkhFL08vYUUyL2N2bktFOFkrYnhXbzVaMmx5SUFTMHY2b3pmY3dONThFRnR0UktJSlpLcTF1QmxRRXBmNEh3YncKM1ZjR3gxUjF0dU5QQzRTWUVyUExoWXBwMGJFVk5tS0htKzROQW5NL3FrY0FsV25rREsrYW1oTzdOVFVXK2FWdQpjb25TT1FnbDYxSDlIbzVZU3dseTFCbDBPaFRRMVNPTjZtM3lYZ1g0Vk5qUjhjdUJxRkI3WFZab0g0M0VJVXBnCmdheFArQ2tYUi9wQmNDc2IrTzdWTGI3MUdQTlphZjdmY3V5bnUvUmdlSUtXTlNyaStwYzlzSkxSTDhzOTZRckcKcjdJUkdzSUJBb0dCQVAzekNwWkdnaWFSQzhzVGZzSnRtakIwUWcreVFhck5LRkhGcFhnbVNvL0RqU2xDbG5weApCKzFxdXNaNFQ3MmlsdVdoZ1BFUUxnR0Q5QjZ5d1ZEZEtoYm1jU0lMSExiMjRWMTB6a3M1K2hzYWdVLzVsSXZUCklkMnhiOHNpaytPZ042azNUUlpvTjdLelM1N01iV2p2MUI0WnJuSDBsTWxkbWRPSFFRbWNFeXlCQW9HQkFOZ00KYkowRHBwNlE4OTZvb1hrc2pyTmpHdi9rUm9iYkkvQzRwS3JNN0ZKenZVWktGbmJ2b1RZTkRxTWMyTHBCTi93VwovL3hQU3kxS003blRBdUhNbENiSURrN0NCQm5VNUNJVjZQWWx1M1BzeWNQL0FMYXBZaXNJT3hINTVVTEw3RVAwCkkvOTM4MGkzMW1kRkpWYlpUZEFQa2IxcmVxNjBaUXVPOWZEcW5WcWZBb0dCQUw1bHFscGhJdE9uakNBRnpkUVkKT0xKN2Q4d3M2ZThWUWxXTXlqTDdBb3duSVg3OTNiU1BhbEltNDBKS2tmNnNHRmF5YitwTkp6RWJyYndXYWJvbgpGNWR6enY2bk5qQTNpV0I0WXZNajFORGRYbmFIdVVmY1ZGZlM0TzU4VGtVcnFvL0VWcGVtSzV4ZnNTS3VRcG1hCnRuNmE0cCt0c0tBSS9Yd0t2RWhvTERnQkFvR0FMR0R3OXBmSFpBNzJhU2hPY3V1YUxITVJHcnN6V1lRdUw4WmQKM00vWFEyQ080cDlaV2ZrRExtMGtNcEU4VzVZRi8veGhmTngwM3NxOU1WQ002UUR5OWJ4bVkvc3FpSHZZbUwvVAphS3g3Z3VhQzA0WFFDYlZsZXQxbjlOdFdJcEJzNmRCK2pIMkJOZEM5YzkwYVBHckt0eEJicVlNb1lqYWdBdTNNCnl6NEdNSlVDZ1lBWm51RnUrbmZmbWVaeXJ2Q2V6TnNVcDZ2M1lPM0pZUGlQT2NjcWZxZU9sVzdHbXR4T2IzMncKdEwzMFE5dk5tTDFuek9NaTI5NlRiUWVDRE5EbVRwYzFNN0dBdHhXUVhjZEh2MmtjT2FJN3BadFR6SDI3TWM4YQp3Sm4wSzFyblhxd1pmdnB5bmJFeFBneStWdVNwUmNscmFxY0xKajAwQXF6UzhwbmQ1SEEwdWc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
  metadata:
    name: octetz-tls
    namespace: mountains

1. Add the following TLSCertificateDelegation object

   apiVersion: contour.heptio.com/v1beta1
   kind: TLSCertificateDelegation
   metadata:
     name: octetz-tls
     namespace: ingress-system
   spec:
     delegations:
       secretName: octetz-tls
       targetNamespaces:
       - mountains
       - trails
   

2. Tail the logs for a contour pod.

   kubectl logs -n contour $(kubectl -n contour get pod -l app=contour -o jsonpath='{.items[0].metadata.name}') -c contour
   

   note that in my case I've deployed contour in the namespace contour.

3. Observe the watcher failing to decode slice.

   E0405 03:09:42.564058       1 reflector.go:205] github.com/heptio/contour/internal/k8s/watcher.go:73: Failed to list *v1beta1.TLSCertificateDelegation: v1beta1.TLSCertificateDelegationList.Items: []v1beta1.TLSCertificateDelegation: v1beta1.TLSCertificateDelegation.Spec: v1beta1.TLSCertificateDelegationSpec.Delegations: []v1beta1.CertificateDelegation: decode slice: expect [ or n, but found {, error found in #10 byte of ...|gations":{"secretNam|..., bigger context ...|0-11e9-96f7-5254002b90c2"},"spec":{"delegations":{"secretName":"octetz-tls","targetNamespaces":["mou|...
   
   

[davecheney]

Delegations is a list, I think you have a scalar there.

…

On 5 Apr 2019, at 14:12, joshrosso ***@***.***> wrote: To Reproduce Bootstrap a new Kubernetes cluster with kubeadm. Deploy contour kubectl apply -f https://j.hept.io/contour-deployment-rbac Create an ingress-system namespace. kubectl create ns ingress-system Add the following TLSCertificateDelegation object apiVersion: contour.heptio.com/v1beta1 kind: TLSCertificateDelegation metadata: name: octetz-tls namespace: ingress-system spec: delegations: secretName: octetz-tls targetNamespaces: - mountains - trails Tail the logs for a contour pod. kubectl logs -n contour $(kubectl -n contour get pod -l app=contour -o jsonpath='{.items[0].metadata.name}') -c contour note that in my case I've deployed contour in the namespace contour. Observe the watcher failing to decode slice. E0405 03:09:42.564058 1 reflector.go:205] github.com/heptio/contour/internal/k8s/watcher.go:73: Failed to list *v1beta1.TLSCertificateDelegation: v1beta1.TLSCertificateDelegationList.Items: []v1beta1.TLSCertificateDelegation: v1beta1.TLSCertificateDelegation.Spec: v1beta1.TLSCertificateDelegationSpec.Delegations: []v1beta1.CertificateDelegation: decode slice: expect [ or n, but found {, error found in #10 byte of ...|gations":{"secretNam|..., bigger context ...|0-11e9-96f7-5254002b90c2"},"spec":{"delegations":{"secretName":"octetz-tls","targetNamespaces":["mou|... — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[joshrosso]

Got it, so perhaps we have a documentation issue on our hands then?

https://github.com/heptio/contour/blob/master/docs/ingressroute.md#tls-certificate-delegation

[davecheney]

Yup, my bad. Yet another place where we don't have tests of nuanced yaml.

…

On Fri, 5 Apr 2019 at 14:33, joshrosso ***@***.***> wrote: Got it, so perhaps we have a documentation issue on our hands then? https://github.com/heptio/contour/blob/master/docs/ingressroute.md#tls-certificate-delegation — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#977 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAAcAw1C5ZU0QsavQIYHNiEVPWrUqLr5ks5vdsQXgaJpZM4ceFQS> .

[joshrosso]

Got it, thanks for following up @davecheney.