From 45ea63be174e1a4f0e30c2286fd7499316654a1d Mon Sep 17 00:00:00 2001
From: Ryan Old
Date: Thu, 14 Nov 2024 10:19:29 -0800
Subject: [PATCH] Increased validating webhook timeout in tests and added note to full envoy validation option
---
 .../solo-io/gloo/projects/gloo/api/v1/settings.proto.sk.md | 2 +-
 projects/gloo/api/v1/settings.proto | 4 ++++
 projects/gloo/pkg/api/v1/settings.pb.go | 4 ++++
 .../features/validation/validation_reject_invalid/suite.go | 4 ++--
 .../e2e/tests/manifests/full-envoy-validation-helm.yaml | 2 ++
 5 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/settings.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/settings.proto.sk.md
index cc582853163..02c1dfa4b76 100644
--- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/settings.proto.sk.md
+++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/settings.proto.sk.md
@@ -948,7 +948,7 @@ options for configuring admission control / validation | `validationServerGrpcMaxSizeBytes` | [.google.protobuf.Int32Value](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/int-32-value) | By default, gRPC validation messages between gateway and gloo pods have a max message size of 100 MB. Setting this value sets the gRPC max message size in bytes for the gloo validation server. This should only be changed if necessary. If not included, the gRPC max message size will be the default of 100 MB. | | `serverEnabled` | [.google.protobuf.BoolValue](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/bool-value) | By providing the validation field (parent of this object) the user is implicitly opting into validation. This field allows the user to opt out of the validation server, while still configuring pre-existing fields such as `warn_route_short_circuiting` and `disable_transformation_validation`. If not included, the validation server will be enabled. | | `warnMissingTlsSecret` | [.google.protobuf.BoolValue](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/bool-value) | Allows configuring validation to report a missing TLS secret referenced by a SslConfig or UpstreamSslConfig as a warning instead of an error. This will allow for eventually consistent workloads, but will also permit the accidental deletion of secrets being referenced, which would cause disruption in traffic. | -| `fullEnvoyValidation` | [.google.protobuf.BoolValue](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/bool-value) | Configures the Gloo translation loop to send the final product of translation through Envoy validation mode. 
This has an negative impact on the total translation throughput, but it helps ensure the configuration will not be nacked when served to Envoy. This feature is disabled by default and is not recommended for production deployments unless the performance implications are well understood and acceptable. | +| `fullEnvoyValidation` | [.google.protobuf.BoolValue](https://developers.google.com/protocol-buffers/docs/reference/csharp/class/google/protobuf/well-known-types/bool-value) | Configures the Gloo translation loop to send the final product of translation through Envoy validation mode. This has an negative impact on the total translation throughput, but it helps ensure the configuration will not be nacked when served to Envoy. This feature is disabled by default and is not recommended for production deployments unless the performance implications are well understood and acceptable. Large configurations can take more than 10 seconds to validate, causing the validating webhook to timeout. When enabling this feature, consider increasing the timeout for the validating webhook (`.Values.gateway.validation.webhook.timeoutSeconds`). |
diff --git a/projects/gloo/api/v1/settings.proto b/projects/gloo/api/v1/settings.proto
index 31157ffade1..6f80712509d 100644
--- a/projects/gloo/api/v1/settings.proto
+++ b/projects/gloo/api/v1/settings.proto
@@ -918,6 +918,10 @@ message GatewayOptions {
 //
 // This feature is disabled by default and is not recommended for production deployments unless
 // the performance implications are well understood and acceptable.
+ //
+ // Large configurations can take more than 10 seconds to validate, causing the validating webhook to timeout.
+ // When enabling this feature, consider increasing the timeout for the validating webhook
+ // (`.Values.gateway.validation.webhook.timeoutSeconds`).
 google.protobuf.BoolValue full_envoy_validation = 14;
 }
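Review bot: The comment added to `full_envoy_validation` advises raising `timeoutSeconds` but does not say what a timeout means for admission: when the validating webhook times out the API server falls back to the webhook's `failurePolicy`, so with `Ignore` a resource Envoy would have rejected is admitted unvalidated, and with `Fail` the write is blocked. Kubernetes also caps a webhook's `timeoutSeconds` at 30, the value the test manifest in this commit (`full-envoy-validation-helm.yaml`) already uses, so configurations that need longer cannot be fixed by this setting alone. I would append a line such as `// The Kubernetes maximum is 30 seconds; on timeout the webhook's failurePolicy decides whether the resource is admitted.` The same text is generated into `settings.pb.go` and `settings.proto.sk.md`, and the enclosing message starts outside the hunk.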
diff --git a/projects/gloo/pkg/api/v1/settings.pb.go b/projects/gloo/pkg/api/v1/settings.pb.go
index 6de601552f2..fe13e544fff 100644
--- a/projects/gloo/pkg/api/v1/settings.pb.go
+++ b/projects/gloo/pkg/api/v1/settings.pb.go
@@ -3435,6 +3435,10 @@ type GatewayOptions_ValidationOptions struct { // // This feature is disabled by default and is not recommended for production deployments unless // the performance implications are well understood and acceptable. + // + // Large configurations can take more than 10 seconds to validate, causing the validating webhook to timeout. + // When enabling this feature, consider increasing the timeout for the validating webhook + // (`.Values.gateway.validation.webhook.timeoutSeconds`). FullEnvoyValidation *wrapperspb.BoolValue `protobuf:"bytes,14,opt,name=full_envoy_validation,json=fullEnvoyValidation,proto3" json:"full_envoy_validation,omitempty"` }
diff --git a/test/kubernetes/e2e/features/validation/validation_reject_invalid/suite.go b/test/kubernetes/e2e/features/validation/validation_reject_invalid/suite.go
index 510bcee937e..275d042bca8 100644
--- a/test/kubernetes/e2e/features/validation/validation_reject_invalid/suite.go
+++ b/test/kubernetes/e2e/features/validation/validation_reject_invalid/suite.go
@@ -221,13 +221,13 @@ func (s *testingSuite) TestRejectTransformation() {
 // this should be rejected
 output, err = s.testInstallation.Actions.Kubectl().ApplyFileWithOutput(s.ctx, validation.VSTransformationExtractors, "-n", s.testInstallation.Metadata.InstallNamespace)
 s.Assert().Error(err)
- s.Assert().Contains(output, "envoy validation mode output: error initializing configuration '': Failed to parse response template: group 1 requested for regex with only 0 sub groups")
+ s.Assert().Contains(output, "Failed to parse response template: group 1 requested for regex with only 0 sub groups")
 // Single replace mode -- rejects invalid subgroup in transformation
 // note that the regex has no subgroups, but we are trying to extract the first subgroup
 // this should be rejected
 output, err = s.testInstallation.Actions.Kubectl().ApplyFileWithOutput(s.ctx, validation.VSTransformationSingleReplace, "-n", s.testInstallation.Metadata.InstallNamespace)
 s.Assert().Error(err)
- s.Assert().Contains(output, "envoy validation mode output: error initializing configuration '': Failed to parse response template: group 1 requested for regex with only 0 sub groups")
+ s.Assert().Contains(output, "Failed to parse response template: group 1 requested for regex with only 0 sub groups")
 }
diff --git a/test/kubernetes/e2e/tests/manifests/full-envoy-validation-helm.yaml b/test/kubernetes/e2e/tests/manifests/full-envoy-validation-helm.yaml
index ba9010a1df2..7a0afeef60c 100644
--- a/test/kubernetes/e2e/tests/manifests/full-envoy-validation-helm.yaml
+++ b/test/kubernetes/e2e/tests/manifests/full-envoy-validation-helm.yaml
@@ -4,4 +4,6 @@ gateway:
 allowWarnings: true # These tests to not need to fail on warnings
 # transformation validation is disabled because full envoy validation is enabled.
 disableTransformationValidation: true
+ webhook:
+ timeoutSeconds: 30 # We are seeing Envoy take 10s of seconds to validate some of the larger configurations
 fullEnvoyValidation: true
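Review bot: Both `Contains` assertions in `TestRejectTransformation` now match only the `Failed to parse response template: …` tail, so the test no longer shows that the rejection came from Envoy validation mode rather than from another validation path that emits the same message. If the prefix was dropped because its wording is not stable across modes or versions (the hunk does not say), a comment above each assertion such as `// match only the Envoy error text; the surrounding prefix is not asserted` would record that for the next reader. The expected string is also repeated verbatim; a local `const wantErr = "Failed to parse response template: group 1 requested for regex with only 0 sub groups"` would keep the two checks in sync. The function body starts outside the hunk.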