Handle HTTPRoutes with invalid header filters #3119
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Update the HTTPRoute controller to determine if the HTTPRoute has problem conditions (misconfigurations that require a false Accepted condition). Add a problem condition checker for header filter misconfigurations. Not done: - Controller does not handle the problem condition present path, only the problem condition absent/accepted=true path. - Controller does not remove problem routes from the store. - Controller does not handle updating status with problem conditions.
|
Upstream is ended up validating in a webhook instead, though there's some ongoing discussion on how to handle environments that don't have the standard GWAPI webhook installed. FWIW, #3129 does add another validation that discards broken HTTPRoutes and such at the controller level, and that validation cannot use a webhook (it needs knowledge about which ports are available on the Gateway and needs retries as such). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
Adds a controller mechanism to scan HTTPRoutes for misconfiguration. If the HTTPRoute is invalid, it is not added to the store (or is removed if it was already present) and is not converted to a Kong route. The controller adds a Condition to the HTTPRoute indicating the cause of the problem.
Adds a controller validation check to confirm that an HTTPRoute does not have a header filter that manipulates the same header twice.
Which issue this PR fixes:
Related to discussions in kubernetes-sigs/gateway-api#480. Written in advance of the actual spec change to demonstrate implementation viability.
Special notes for your reviewer:
This breaks the status quo for our resource processing. Our existing logic tends to be best-effort, with errors handled in the parser: we will add partial configuration for a resource if invalid sections do not break it entirely. For example, following this pattern for this case would have us create the Kong route for the HTTPRoute still, but we would omit the invalid header transformations.
GWAPI promotes the opposite approach: invalid configuration invalidates the entire resource. Sub-resource partial configuration generally violates the spec. We should move toward this approach, but we don't yet do it across the board and the mixture means we have inconsistent UX.
PR Readiness Checklist:
Complete these before marking the PR as
ready to review:CHANGELOG.mdrelease notes have been updated to reflect any significant (and particularly user-facing) changes introduced by this PR