Omitting port on consul.hashicorp.com/connect-service-upstreams causes connect injector to panic

[tyler-domitrovich]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Overview of the Issue

A static port must be specified in the consul.hashicorp.com/connect-service-upstreams annotation. A missing port should be caught by validation with a friendly error message. Currently the connect injector will panic.

Reproduction Steps

1. create a yaml containing a pod with the following annotation 'consul.hashicorp.com/connect-service-upstreams': '<svc-name>.svc'

Logs

2023-07-19T20:17:37.953Z        INFO    handler.connect received pod    {"name": "", "ns": "default"}
2023/07/19 20:17:37 http: panic serving 10.182.149.216:42634: runtime error: index out of range [1] with length 1
goroutine 10871 [running]:
net/http.(*conn).serve.func1()
        /opt/hostedtoolcache/go/1.20.4/x64/src/net/http/server.go:1854 +0xbf
panic({0x2700020, 0xc000ece6c0})
        /opt/hostedtoolcache/go/1.20.4/x64/src/runtime/panic.go:890 +0x263
github.com/hashicorp/consul-k8s/control-plane/connect-inject/webhook.(*MeshWebhook).containerEnvVars(_, {{{0xc00104da78, 0x3}, {0xc00104da7c, 0x2}}, {{0x0, 0x0}, {0xc000dcefe0, 0x1f}, {0xc00104da90, ...}, ...}, ...})
        /home/runner/work/consul-k8s/consul-k8s/control-plane/connect-inject/webhook/container_env.go:25 +0x4bb
github.com/hashicorp/consul-k8s/control-plane/connect-inject/webhook.(*MeshWebhook).Handle(_, {_, _}, {{{0xc000c71aa0, 0x24}, {{0x0, 0x0}, {0xc00104da08, 0x2}, {0xc00104da0a, ...}}, ...}})
        /home/runner/work/consul-k8s/consul-k8s/control-plane/connect-inject/webhook/mesh_webhook.go:272 +0xac5
sigs.k8s.io/controller-runtime/pkg/webhook/admission.(*Webhook).Handle(_, {_, _}, {{{0xc000c71aa0, 0x24}, {{0x0, 0x0}, {0xc00104da08, 0x2}, {0xc00104da0a, ...}}, ...}})
        /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.6/pkg/webhook/admission/webhook.go:169 +0xfd
sigs.k8s.io/controller-runtime/pkg/webhook/admission.(*Webhook).ServeHTTP(0xc000650800, {0x7f55b56cfcd8?, 0xc0005c4550}, 0xc001310900)
        /home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.14.6/pkg/webhook/admission/http.go:98 +0xeb5
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerInFlight.func1({0x7f55b56cfcd8, 0xc0005c4550}, 0x2e7d100?)
        /home/runner/go/pkg/mod/github.com/prometheus/client_golang@v1.14.0/prometheus/promhttp/instrument_server.go:60 +0xd4
net/http.HandlerFunc.ServeHTTP(0x2e7d1a0?, {0x7f55b56cfcd8?, 0xc0005c4550?}, 0x729520?)
        /opt/hostedtoolcache/go/1.20.4/x64/src/net/http/server.go:2122 +0x2f
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1({0x2e7d1a0?, 0xc000e470a0?}, 0xc001310900)
        /home/runner/go/pkg/mod/github.com/prometheus/client_golang@v1.14.0/prometheus/promhttp/instrument_server.go:146 +0xb8
net/http.HandlerFunc.ServeHTTP(0xc000e470a0?, {0x2e7d1a0?, 0xc000e470a0?}, 0xc00107d480?)
        /opt/hostedtoolcache/go/1.20.4/x64/src/net/http/server.go:2122 +0x2f
github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2({0x2e7d1a0, 0xc000e470a0}, 0xc001310900)
        /home/runner/go/pkg/mod/github.com/prometheus/client_golang@v1.14.0/prometheus/promhttp/instrument_server.go:108 +0xbf
net/http.HandlerFunc.ServeHTTP(0xc000e470a0?, {0x2e7d1a0?, 0xc000e470a0?}, 0x28cfea7?)
        /opt/hostedtoolcache/go/1.20.4/x64/src/net/http/server.go:2122 +0x2f
net/http.(*ServeMux).ServeHTTP(0xc000c71a7d?, {0x2e7d1a0, 0xc000e470a0}, 0xc001310900)
        /opt/hostedtoolcache/go/1.20.4/x64/src/net/http/server.go:2500 +0x149
net/http.serverHandler.ServeHTTP({0x2e6e0d8?}, {0x2e7d1a0, 0xc000e470a0}, 0xc001310900)
        /opt/hostedtoolcache/go/1.20.4/x64/src/net/http/server.go:2936 +0x316
net/http.(*conn).serve(0xc0012bb710, {0x2e7eb38, 0xc000a52090})
        /opt/hostedtoolcache/go/1.20.4/x64/src/net/http/server.go:1995 +0x612
created by net/http.(*Server).Serve
        /opt/hostedtoolcache/go/1.20.4/x64/src/net/http/server.go:3089 +0x5ed

Expected behavior

An error message should be logged or ideally the object should be rejected by the kube api.

Environment details

consul-k8s version: v1.2.0

Values.yaml:

global:
  enabled: false
  datacenter: app

externalServers:
  enabled: true
  hosts: [<server ips>]
  httpsPort: 8500

syncCatalog:
  enabled: true
  default: true
  k8sAllowNamespaces: ['*']

connectInject:
  enabled: true

Kubernetes versoin: v1.27.0 Running on EKS.

[komapa]

I think this should be taken one step further and have the ability to just generated random (sequential ports). I believe there was a similar request for Nomad side of things and it did not go far so I am not holding my breath here.