Open dmaclaury opened 2 months ago
We notice you're using Rancher and there's a possibility it might be altering the YAML, so that's something we'd like to check. Can you run a kubectl get mapping for one of your Mappings here so we can take a look at that?
We see this in EKS as well, but here is the requested output from my Rancher test environment:
k get mapping -A
NAMESPACE   NAME                       SOURCE HOST                      SOURCE PREFIX   DEST SERVICE   STATE   REASON
default     quote-backend-wildcard     _skip_mapping_with_empty_host_   /backend/       quote
default     quote-backend              _skip_mapping_with_empty_host_   /backend/       quote
default     quote-backend-host         _skip_mapping_with_empty_host_   /               quote
default     quote-backend-host-splat   _skip_mapping_with_empty_host_   /splat-only/    quote
k describe mapping -A
Name:         quote-backend-wildcard
Namespace:    default
Labels:       hostKind=wildcard-host
Annotations:  <none>
API Version:  getambassador.io/v2
Kind:         Mapping
Metadata:
  Creation Timestamp:  2024-04-17T20:49:45Z
  Generation:          1
  Resource Version:    152376
  UID:                 405ec9da-6446-463c-bfdb-351aa40fb27f
Spec:
  ambassador_id:
    --apiVersion-v3alpha1-only--default
  Docs:
    Path:   /.ambassador-internal/openapi-docs
  Host:     _skip_mapping_with_empty_host_
  Prefix:   /backend/
  Service:  quote
Events:     <none>

Name:         quote-backend
Namespace:    default
Labels:       hostKind=localhost2
Annotations:  <none>
API Version:  getambassador.io/v2
Kind:         Mapping
Metadata:
  Creation Timestamp:  2024-04-17T20:49:45Z
  Generation:          1
  Resource Version:    152377
  UID:                 f1e4d716-3ee7-4fdd-b983-707f0913813b
Spec:
  ambassador_id:
    --apiVersion-v3alpha1-only--default
  Docs:
    Path:   /.ambassador-internal/openapi-docs
  Host:     _skip_mapping_with_empty_host_
  Prefix:   /backend/
  Service:  quote
Events:     <none>

Name:         quote-backend-host
Namespace:    default
Labels:       hostKind=localhost2
Annotations:  <none>
API Version:  getambassador.io/v2
Kind:         Mapping
Metadata:
  Creation Timestamp:  2024-04-17T20:49:45Z
  Generation:          1
  Resource Version:    152378
  UID:                 5afd128d-ea07-4e91-860e-2a53ae367e31
Spec:
  ambassador_id:
    --apiVersion-v3alpha1-only--default
  Docs:
    Path:   /.ambassador-internal/openapi-docs
  Host:     _skip_mapping_with_empty_host_
  Prefix:   /
  Service:  quote
Events:     <none>

Name:         quote-backend-host-splat
Namespace:    default
Labels:       hostKind=localhost-splat
Annotations:  <none>
API Version:  getambassador.io/v2
Kind:         Mapping
Metadata:
  Creation Timestamp:  2024-04-17T20:49:46Z
  Generation:          1
  Resource Version:    152379
  UID:                 7feb8cc0-53dc-4930-9ad9-22151ee90e24
Spec:
  ambassador_id:
    --apiVersion-v3alpha1-only--default
  Docs:
    Path:   /.ambassador-internal/openapi-docs
  Host:     _skip_mapping_with_empty_host_
  Prefix:   /splat-only/
  Service:  quote
Events:     <none>
Thanks, I think that looks ok. Can you try running this as well? kubectl get host wildcard-host -n ambassador -o yaml
Here are all the hosts; they are in the default namespace, but listeners are configured for ALL.
k get hosts.getambassador.io -o yaml
apiVersion: v1
items:
- apiVersion: getambassador.io/v2
  kind: Host
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"getambassador.io/v3alpha1","kind":"Host","metadata":{"annotations":{},"name":"localhost2","namespace":"default"},"spec":{"hostname":"localhost2","mappingSelector":{"matchLabels":{"hostKind":"localhost2"}},"requestPolicy":{"insecure":{"action":"Route"}},"tlsSecret":{"name":"tls-cert"}}}
    creationTimestamp: "2024-04-17T20:49:20Z"
    generation: 1
    name: localhost2
    namespace: default
    resourceVersion: "152364"
    uid: 2d038cbe-6334-414d-928c-db845f18272a
  spec:
    ambassador_id:
    - --apiVersion-v3alpha1-only--default
    hostname: localhost2
    requestPolicy:
      insecure:
        action: Route
    selector:
      matchLabels:
        hostKind: localhost2
    tlsSecret:
      name: tls-cert
  status: {}
- apiVersion: getambassador.io/v2
  kind: Host
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"getambassador.io/v3alpha1","kind":"Host","metadata":{"annotations":{},"name":"localhost-splat","namespace":"default"},"spec":{"hostname":"*.localhost","mappingSelector":{"matchLabels":{"hostKind":"localhost-splat"}},"requestPolicy":{"insecure":{"action":"Route"}},"tlsSecret":{"name":"tls-cert"}}}
    creationTimestamp: "2024-04-17T20:49:21Z"
    generation: 1
    name: localhost-splat
    namespace: default
    resourceVersion: "152365"
    uid: 4f8ca933-1a20-43cb-baf2-22ceb7b89a6e
  spec:
    ambassador_id:
    - --apiVersion-v3alpha1-only--default
    hostname: '*.localhost'
    requestPolicy:
      insecure:
        action: Route
    selector:
      matchLabels:
        hostKind: localhost-splat
    tlsSecret:
      name: tls-cert
  status: {}
- apiVersion: getambassador.io/v2
  kind: Host
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"getambassador.io/v3alpha1","kind":"Host","metadata":{"annotations":{},"name":"wildcard-host","namespace":"default"},"spec":{"acmeProvider":{"authority":"none"},"hostname":"*","mappingSelector":{"matchLabels":{"hostKind":"wildcard-host"}},"requestPolicy":{"insecure":{"action":"Route"}},"tlsSecret":{"name":"tls-cert"}}}
    creationTimestamp: "2024-04-18T21:40:14Z"
    generation: 1
    name: wildcard-host
    namespace: default
    resourceVersion: "153787"
    uid: bf52ee0e-418d-4ef7-86f4-446f97fb8ca6
  spec:
    acmeProvider:
      authority: none
    ambassador_id:
    - --apiVersion-v3alpha1-only--default
    hostname: '*'
    requestPolicy:
      insecure:
        action: Route
    selector:
      matchLabels:
        hostKind: wildcard-host
    tlsSecret:
      name: tls-cert
  status: {}
kind: List
metadata:
  resourceVersion: ""
Thanks for that. I did some research, and this seems to be a known issue: when setting mappingSelector on v3alpha1 CRDs, apiext (an Ambassador extension which converts resources to the v2 storage version) incorrectly handles the translation and stores the resource with an invalid Selector: field rather than mappingSelector. I see this in your yaml output as well.
Our recommendations for now are
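As an added check, and not code from this thread or from the Emissary/Ambassador project, the script below performs the comparison the maintainer describes: for each Host in the list that `kubectl get hosts -o json` would return, it compares the last-applied v3alpha1 `mappingSelector` with what apiext stored in the v2 spec, and then lists the Mappings still sitting on `_skip_mapping_with_empty_host_` whose labels match an affected Host's intended selector. The Host and Mapping data is a constructed sample modelled on the output posted above; the function names and the `host()` helper are assumptions of this example.

```python
import json

APPLIED = "kubectl.kubernetes.io/last-applied-configuration"
SKIPPED = "_skip_mapping_with_empty_host_"  # host value kubectl showed for the unattached Mappings


def host(name, hostname, labels):
    """Constructed Host as stored in this thread: applied v3alpha1 spec has mappingSelector,
    stored v2 spec has selector (the apiext mistranslation)."""
    sel = {"matchLabels": labels}
    applied = {"apiVersion": "getambassador.io/v3alpha1", "kind": "Host",
               "spec": {"hostname": hostname, "mappingSelector": sel}}
    return {"metadata": {"name": name, "namespace": "default",
                         "annotations": {APPLIED: json.dumps(applied)}},
            "spec": {"hostname": hostname, "selector": sel}}


# Constructed sample modelled on the three Hosts and four Mappings shown in the thread.
HOSTS = {"items": [host("localhost2", "localhost2", {"hostKind": "localhost2"}),
                   host("localhost-splat", "*.localhost", {"hostKind": "localhost-splat"}),
                   host("wildcard-host", "*", {"hostKind": "wildcard-host"})]}
MAPPINGS = {"items": [
    {"metadata": {"name": n, "namespace": "default", "labels": {"hostKind": k}},
     "spec": {"host": SKIPPED, "prefix": p, "service": "quote"}}
    for n, k, p in [("quote-backend-wildcard", "wildcard-host", "/backend/"),
                    ("quote-backend", "localhost2", "/backend/"),
                    ("quote-backend-host", "localhost2", "/"),
                    ("quote-backend-host-splat", "localhost-splat", "/splat-only/")]]}


def mistranslated_hosts(host_list):
    """{host name: intended mappingSelector} for Hosts whose applied mappingSelector
    ended up stored under the v2 `selector` key instead."""
    found = {}
    for item in host_list["items"]:
        raw = item["metadata"].get("annotations", {}).get(APPLIED)
        if not raw:
            continue  # no record of what was applied, so nothing to compare against
        intended = json.loads(raw).get("spec", {}).get("mappingSelector")
        stored = item["spec"]
        if intended and "mappingSelector" not in stored and stored.get("selector") == intended:
            found[item["metadata"]["name"]] = intended
    return found


def stranded_mappings(mapping_list, bad_hosts):
    """(mapping, host) pairs: Mappings no Host claimed whose labels match a mistranslated
    Host's intended selector, i.e. routes not attached to the Host meant to serve them."""
    out = []
    for m in mapping_list["items"]:
        if m["spec"].get("host") != SKIPPED:
            continue
        labels = m["metadata"].get("labels", {})
        out += [(m["metadata"]["name"], h) for h, sel in bad_hosts.items()
                if all(labels.get(k) == v for k, v in sel["matchLabels"].items())]
    return out
```

Run it against live output by replacing the constructed HOSTS and MAPPINGS with `json.load()` of `kubectl get hosts -o json` and `kubectl get mappings -A -o json`.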
Describe the bug
Through testing locally and on EKS 1.29 I have run into this same issue.
- `*`, a listener defined with `protocol: HTTPS` does not accept HTTPS/TLS connections
- `hostname: "*"`, `mappingSelector` does not work on more specific hosts.

To Reproduce
Steps to reproduce the behavior:
- `qotm` test service from getting started guide: deployment.apps/quote created service/quote created
- `443` on the service to `10443` locally)
- `quote-backend-wildcard` mapping is effective
- `host/wildcard-host`
- `https` listener and we see a `200` response

Expected behavior
Either the listener accepts HTTPS connections without a `*` host being created, or more specific routes can use `mappingSelector` when a `*` host is provided. In step 7, all curls should have been a `200` response. In step 9, we would expect a `200` response, but instead get SSL errors. In step 10, we would not expect a `200` response on `http` when the host has a TLS secret and we're using the HTTPS listener.

Versions (please complete the following information):
- `3.9.1`, Helm version `8.9.1`
- `1.29.3` and EKS `1.29`