emissary-ingress / emissary

open source Kubernetes-native API gateway for microservices built on the Envoy Proxy
https://www.getambassador.io
Apache License 2.0

OAuth endpoints 404 when having one or more Hosts with SSL Cert #5407

Open dps-leemcneil opened 10 months ago

dps-leemcneil commented 10 months ago

I'm having a problem where URL paths such as /.ambassador/oauth2/multicookie (or anything under /.ambassador) return a 404 when I use a Host resource.

When the Host is removed, the .ambassador paths work again.

I am trying to set up the OAuth2 filter (Azure AAD), and have multiple Host resources (hostnames) pointing at different services. However, whenever I add a Host, the .ambassador paths are no longer reachable.

Is it possible to add a Mapping to get the .ambassador URLs working within a Host?

To Reproduce

Create Service and Mapping:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: web-frontend
spec:
  ports:
    - name: http
      port: 80
      targetPort: 80
  selector:
    app: web-frontend
---
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: web-frontend
  namespace: web-frontend
  labels:
    hostname: web-frontend.example.com
spec:
  hostname: web-frontend.example.com
  prefix: /
  service: web-frontend
```

This works and /.ambassador/oauth2/... endpoints are available.

If I now add a Host with or without a TLS cert, all /.ambassador/oauth2/... endpoints 404.

```yaml
apiVersion: getambassador.io/v3alpha1
kind: Host
metadata:
  name: web-frontend.example.com
  namespace: web-frontend
spec:
  hostname: web-frontend.example.com
  mappingSelector:
    matchLabels:
      hostname: web-frontend.example.com
  # acmeProvider and tlsSecret are spec-level fields, siblings of mappingSelector
  acmeProvider:
    authority: 'https://acme-v02.api.letsencrypt.org/directory'
    email: email@example.com
  tlsSecret:
    name: web-frontend.example.com
```

Expected behavior

Expecting that /.ambassador/oauth2/... endpoints are available on a defined Host resource. Currently they are only available on the default host, not on Host resources (for example different hostnames with TLS certs).


dps-leemcneil commented 10 months ago

Attaching envoy.json after running `kubectl cp -n ambassador edge-stack-6567f8c455-bc8cs:/ambassador/envoy/envoy.json envoy.json` (attachment: envoy.json).

cindymullins-dw commented 9 months ago

Hi @dps-leemcneil, I think we confirmed you created a wildcard host. Can you share that wildcard Host here? I wonder if it has an ambassador_id or some config issue such that it isn't getting recognized. I notice the virtual wildcard host in the envoy config is giving a 404.

Also, do you see your Hosts return a 'ready' state if you run `kubectl get Hosts`, or even just checking one of them, i.e. `kubectl get web-frontend.example.com`?
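As an added diagnostic (not code from this issue or from the Emissary project), the script below reads an envoy.json dump like the one attached above and reports which cluster Envoy would route a given Host header and path to, so you can see whether a Host-specific virtual host has any route covering /.ambassador/. The embedded config is constructed, and the virtual-host lookup is a simplified model of Envoy's (exact domain, then longest `*`-suffix wildcard, with `*` as the fallback).

```python
import json
import re
from typing import Any, Dict, Iterator, List, Optional

# Constructed envoy.json fragment (not the attachment from this issue): a wildcard
# virtual host routing /.ambassador/ to the auth cluster, and a Host-specific
# virtual host whose only route is prefix "/" to the application cluster.
SAMPLE_ENVOY_JSON = json.dumps({"static_resources": {"listeners": [{"filter_chains": [{"filters": [
    {"typed_config": {"route_config": {"virtual_hosts": [
        {"name": "*", "domains": ["*"], "routes": [
            {"match": {"prefix": "/.ambassador/"}, "route": {"cluster": "c_ambassador"}},
            {"match": {"prefix": "/"}, "route": {"cluster": "c_default"}}]},
        {"name": "web-frontend", "domains": ["web-frontend.example.com"],
         "routes": [{"match": {"prefix": "/"}, "route": {"cluster": "c_web_frontend"}}]}]}}}]}]}]}})

def iter_virtual_hosts(node: Any) -> Iterator[Dict[str, Any]]:
    """Yield every entry of any 'virtual_hosts' list anywhere in the config tree."""
    if isinstance(node, dict):
        yield from node.get("virtual_hosts", [])
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for child in children:
        yield from iter_virtual_hosts(child)

def select_virtual_host(vhosts: List[Dict[str, Any]], host: str) -> Optional[Dict[str, Any]]:
    """Envoy domain lookup: exact match, then longest '*'-suffix wildcard ('*' is the fallback)."""
    best, best_len = None, -1
    for vh in vhosts:
        for domain in vh.get("domains", []):
            if domain == host:
                return vh
            if domain.startswith("*") and host.endswith(domain[1:]) and len(domain) > best_len:
                best, best_len = vh, len(domain)
    return best

def route_matches(match: Dict[str, Any], path: str) -> bool:
    """Evaluate the common Envoy RouteMatch forms (prefix, exact path, safe_regex)."""
    if "prefix" in match:
        return path.startswith(match["prefix"])
    if "path" in match:
        return path == match["path"]
    if "safe_regex" in match:
        return re.fullmatch(match["safe_regex"]["regex"], path) is not None
    return False

def cluster_for(envoy_json: str, host: str, path: str) -> str:
    """Cluster Envoy would send host+path to, or '' if the selected virtual host has no route."""
    vh = select_virtual_host(list(iter_virtual_hosts(json.loads(envoy_json))), host)
    for route in (vh or {}).get("routes", []):
        if route_matches(route.get("match", {}), path):
            return route.get("route", {}).get("cluster", "")
    return ""
```

Run it against the real dump with `cluster_for(open("envoy.json").read(), "web-frontend.example.com", "/.ambassador/oauth2/multicookie")`; a result that is the application cluster rather than the auth cluster explains the 404 from the backend.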