fix deletions for secrets #611

Merged
merged 1 commit into from
Oct 19, 2022

@arkodg arkodg commented Oct 19, 2022

Fixes: #588

Signed-off-by: Arko Dasgupta arko@tetrate.io

@arkodg arkodg requested a review from a team as a code owner October 19, 2022 06:21
@codecov-commenter

Codecov Report

Merging #611 (5db11a0) into main (4d722b2) will decrease coverage by 0.14%.
The diff coverage is 18.18%.

@@            Coverage Diff             @@
##             main     #611      +/-   ##
==========================================
- Coverage   60.61%   60.47%   -0.15%     
==========================================
  Files          47       47              
  Lines        5721     5731      +10     
==========================================
- Hits         3468     3466       -2     
- Misses       2034     2044      +10     
- Partials      219      221       +2     

| Impacted Files | Coverage Δ |
|---|---|
| internal/provider/kubernetes/gateway.go | 50.85% <18.18%> (-0.90%) ⬇️ |
| internal/provider/kubernetes/gatewayclass.go | 73.18% <0.00%> (-2.18%) ⬇️ |

arkodg commented Oct 19, 2022

apiVersion: v1
items:
- apiVersion: gateway.networking.k8s.io/v1beta1
  kind: Gateway
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"gateway.networking.k8s.io/v1beta1","kind":"Gateway","metadata":{"annotations":{},"name":"eg","namespace":"default"},"spec":{"gatewayClassName":"eg","listeners":[{"name":"https","port":8080,"protocol":"HTTPS","tls":{"certificateRefs":[{"group":"","kind":"Secret","name":"example-cert"}],"mode":"Terminate"}}]}}
    creationTimestamp: "2022-10-19T07:00:53Z"
    generation: 1
    name: eg
    namespace: default
    resourceVersion: "2076"
    uid: 59851661-7551-4d81-98bc-5c3cb3b01461
  spec:
    gatewayClassName: eg
    listeners:
    - allowedRoutes:
        namespaces:
          from: Same
      name: https
      port: 8080
      protocol: HTTPS
      tls:
        certificateRefs:
        - group: ""
          kind: Secret
          name: example-cert
        mode: Terminate
  status:
    addresses:
    - type: IPAddress
      value: 127.0.0.1
    - type: Hostname
      value: localhost
    conditions:
    - lastTransitionTime: "2022-10-19T07:00:53Z"
      message: The Gateway has been scheduled by Envoy Gateway
      observedGeneration: 1
      reason: Scheduled
      status: "True"
      type: Scheduled
    - lastTransitionTime: "2022-10-19T07:00:54Z"
      message: Address assigned to the Gateway, 1/1 envoy Deployment replicas available
      observedGeneration: 1
      reason: Ready
      status: "True"
      type: Ready
    listeners:
    - attachedRoutes: 1
      conditions:
      - lastTransitionTime: "2022-10-19T07:00:53Z"
        message: Listener is ready
        observedGeneration: 1
        reason: Ready
        status: "True"
        type: Ready
      name: https
      supportedKinds:
      - group: gateway.networking.k8s.io
        kind: HTTPRoute
kind: List
metadata:
  resourceVersion: ""

🐳 ~/go-workspace/src/github.com/envoyproxy/gateway$ kubectl delete secret example-cert
secret "example-cert" deleted
🐳 ~/go-workspace/src/github.com/envoyproxy/gateway$ kubectl get gateway -A -o yaml
apiVersion: v1
items:
- apiVersion: gateway.networking.k8s.io/v1beta1
  kind: Gateway
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"gateway.networking.k8s.io/v1beta1","kind":"Gateway","metadata":{"annotations":{},"name":"eg","namespace":"default"},"spec":{"gatewayClassName":"eg","listeners":[{"name":"https","port":8080,"protocol":"HTTPS","tls":{"certificateRefs":[{"group":"","kind":"Secret","name":"example-cert"}],"mode":"Terminate"}}]}}
    creationTimestamp: "2022-10-19T07:00:53Z"
    generation: 1
    name: eg
    namespace: default
    resourceVersion: "2320"
    uid: 59851661-7551-4d81-98bc-5c3cb3b01461
  spec:
    gatewayClassName: eg
    listeners:
    - allowedRoutes:
        namespaces:
          from: Same
      name: https
      port: 8080
      protocol: HTTPS
      tls:
        certificateRefs:
        - group: ""
          kind: Secret
          name: example-cert
        mode: Terminate
  status:
    addresses:
    - type: IPAddress
      value: 127.0.0.1
    - type: Hostname
      value: localhost
    conditions:
    - lastTransitionTime: "2022-10-19T07:00:53Z"
      message: The Gateway has been scheduled by Envoy Gateway
      observedGeneration: 1
      reason: Scheduled
      status: "True"
      type: Scheduled
    - lastTransitionTime: "2022-10-19T07:04:02Z"
      message: Deployment replicas unavailable
      observedGeneration: 1
      reason: NoResources
      status: "False"
      type: Ready
    listeners:
    - attachedRoutes: 0
      conditions:
      - lastTransitionTime: "2022-10-19T07:04:02Z"
        message: Secret default/example-cert does not exist.
        observedGeneration: 1
        reason: InvalidCertificateRef
        status: "False"
        type: ResolvedRefs
      - lastTransitionTime: "2022-10-19T07:04:02Z"
        message: Listener is invalid, see other Conditions for details.
        observedGeneration: 1
        reason: Invalid
        status: "False"
        type: Ready
      name: https
      supportedKinds:
      - group: gateway.networking.k8s.io
        kind: HTTPRoute
kind: List
metadata:
  resourceVersion: ""

@arkodg arkodg added this to the 0.2.0 milestone Oct 19, 2022

danehans commented Oct 19, 2022

@arkodg please test to see if the HTTPS backend is reachable after deleting the secret and comment here.

@danehans

I tested this PR using #542 and the backend is not reachable when the secret is deleted:

$ kubectl get gateways  -o yaml
...
    - attachedRoutes: 1
      conditions:
      - lastTransitionTime: "2022-10-19T16:47:48Z"
        message: Secret default/example-cert does not exist.
        observedGeneration: 2
        reason: InvalidCertificateRef
        status: "False"
        type: ResolvedRefs
      - lastTransitionTime: "2022-10-19T16:47:48Z"
        message: Listener is invalid, see other Conditions for details.
        observedGeneration: 2
        reason: Invalid
        status: "False"
        type: Ready
      name: https
      supportedKinds:
      - group: gateway.networking.k8s.io
        kind: HTTPRoute
...

$ curl -v -HHost:www.example.com --resolve "www.example.com:8443:${GATEWAY_HOST}" \
--cacert example.com.crt https://www.example.com:8443/get
* Added www.example.com:8443:172.18.255.200 to DNS cache
* Hostname www.example.com was found in DNS cache
*   Trying 172.18.255.200:8443...
* connect to 172.18.255.200 port 8443 failed: Operation timed out
* Failed to connect to www.example.com port 8443 after 75002 ms: Operation timed out
* Closing connection 0
curl: (28) Failed to connect to www.example.com port 8443 after 75002 ms: Operation timed out
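
Added example (not part of this PR or of Envoy Gateway's code): a Python check over `kubectl get gateway -A -o json` output that cross-references each listener's `certificateRefs` with the Secrets that exist, and separates listeners whose status already reports the missing Secret from those still claiming Ready, the stale state the linked issue title describes. The function name, the `existing_secrets` parameter and the sample document are assumptions constructed for illustration.

```python
import json

# Constructed sample modelled on the Gateway in this thread, trimmed to the
# fields the check reads. "https" mirrors the status shown after the fix;
# "https-stale" is a constructed listener still Ready after its Secret is gone.
SAMPLE = json.dumps({"kind": "List", "items": [{
    "metadata": {"name": "eg", "namespace": "default"},
    "spec": {"listeners": [
        {"name": "https", "tls": {"certificateRefs": [{"kind": "Secret", "name": "example-cert"}]}},
        {"name": "https-stale", "tls": {"certificateRefs": [{"kind": "Secret", "name": "other-cert"}]}},
        {"name": "http"}]},
    "status": {"listeners": [
        {"name": "https", "conditions": [
            {"type": "ResolvedRefs", "status": "False", "reason": "InvalidCertificateRef"},
            {"type": "Ready", "status": "False", "reason": "Invalid"}]},
        {"name": "https-stale", "conditions": [{"type": "Ready", "status": "True", "reason": "Ready"}]},
        {"name": "http", "conditions": [{"type": "Ready", "status": "True", "reason": "Ready"}]}]},
}]})


def audit_certificate_refs(gateway_list_json, existing_secrets):
    """Return (gateway, listener, secret, verdict) for every missing Secret.

    existing_secrets is a set of "namespace/name" strings (hypothetical input,
    e.g. built from `kubectl get secrets -A`). verdict is "reported" when the
    listener status already flags the problem, "stale-status" when it does not.
    """
    findings = []
    doc = json.loads(gateway_list_json)
    for gw in doc.get("items", [doc]):  # accept a List or a single Gateway
        ns = gw["metadata"].get("namespace", "default")
        gw_id = f"{ns}/{gw['metadata']['name']}"
        status = {s["name"]: {c["type"]: c["status"] for c in s.get("conditions", [])}
                  for s in gw.get("status", {}).get("listeners", [])}
        for listener in gw.get("spec", {}).get("listeners", []):
            for ref in (listener.get("tls") or {}).get("certificateRefs", []):
                secret = f"{ref.get('namespace', ns)}/{ref['name']}"
                if secret in existing_secrets:
                    continue
                conds = status.get(listener["name"], {})
                flagged = conds.get("ResolvedRefs") == "False" or conds.get("Ready") == "False"
                findings.append((gw_id, listener["name"], secret,
                                 "reported" if flagged else "stale-status"))
    return findings


if __name__ == "__main__":
    for finding in audit_certificate_refs(SAMPLE, existing_secrets=set()):
        print(*finding)
```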

@Alice-Lilith Alice-Lilith left a comment

Awesome, thanks!

@arkodg arkodg merged commit 195e5b2 into envoyproxy:main Oct 19, 2022
danehans pushed a commit to danehans/gateway that referenced this pull request Nov 3, 2022

Successfully merging this pull request may close these issues.

Gateway HTTPS Listener Status is not Being Updated