k8sgateway / k8sgateway

The Cloud-Native API Gateway and AI Gateway
https://k8sgateway.io/
Apache License 2.0

"conflicting matcher" message for VS #9462

Open htech7x opened 6 months ago

htech7x commented 6 months ago

Gloo Edge Product

Enterprise

Gloo Edge Version

1.16.8

Kubernetes Version

1.28.5

Describe the bug

After creating VS, "gloo check" complains about "conflicting matcher"

    glooctl check
    Checking deployments... OK
    Checking pods... OK
    Checking upstreams... OK
    Checking upstream groups... OK
    Checking auth configs... OK
    Checking rate limit configs... OK
    Checking VirtualHostOptions... OK
    Checking RouteOptions... OK
    Checking secrets... OK
    Checking virtual services... 1 Errors!
    Checking gateways... OK
    Checking proxies... OK
    Checking rate limit server... OK
    Error: 1 error occurred:
    * Found virtual service with warnings by 'gloo-system': gloo-portal reproenv (Reason: warning:
    virtual host [gloo-portal.reproenv] has conflicting matcher: regex:"/org/[^/]+?"  methods:"GET"  methods:"OPTIONS"
    virtual host [gloo-portal.reproenv] has conflicting matcher: regex:"/org/[^/]+?/children"  methods:"GET"  methods:"OPTIONS"
    virtual host [gloo-portal.reproenv] has conflicting matcher: regex:"/org/[^/]+?/parents"  methods:"GET"  methods:"OPTIONS")

Expected Behavior

Validation works as expected

Steps to reproduce the bug

  1. Deploy Gloo EE and Gloo Portal

    $ helm list -A
    NAME        NAMESPACE   REVISION    UPDATED                                 STATUS      CHART               APP VERSION
    gloo        gloo-system 1           2024-05-06 12:13:32.154175 -0500 CDT    deployed    gloo-ee-1.16.8
    gloo-portal gloo-portal 1           2024-05-06 12:15:07.705303 -0500 CDT    deployed    gloo-portal-1.4.0
  2. Edit settings for Gloo EE

    kubectl edit settings default -n gloo-system
    ...
    gateway:
     validation:
       allowWarnings: false                                       # <-- change this line
       alwaysAccept: false                                        # <-- change this line
       disableTransformationValidation: false
       warnRouteShortCircuiting: true                     # <-- change this line
  3. Create API Doc according to the documentation using the following "swagger.json"

  4. Create API Product and API Environment according to the documentation

  5. Run "gloo check" and check the message

    glooctl check
    Checking deployments... OK
    Checking pods... OK
    Checking upstreams... OK
    Checking upstream groups... OK
    Checking auth configs... OK
    Checking rate limit configs... OK
    Checking VirtualHostOptions... OK
    Checking RouteOptions... OK
    Checking secrets... OK
    Checking virtual services... 1 Errors!
    Checking gateways... OK
    Checking proxies... OK
    Checking rate limit server... OK
    Error: 1 error occurred:
    * Found virtual service with warnings by 'gloo-system': gloo-portal reproenv (Reason: warning:
    virtual host [gloo-portal.reproenv] has conflicting matcher: regex:"/org/[^/]+?"  methods:"GET"  methods:"OPTIONS"
    virtual host [gloo-portal.reproenv] has conflicting matcher: regex:"/org/[^/]+?/children"  methods:"GET"  methods:"OPTIONS"
    virtual host [gloo-portal.reproenv] has conflicting matcher: regex:"/org/[^/]+?/parents"  methods:"GET"  methods:"OPTIONS")

Additional Environment Detail

No response

Additional Context

No response

soloio-bot commented 6 months ago

Zendesk ticket #3552 has been linked to this issue.

nfuden commented 6 months ago

There seem to be 2 parts to this.

  1. Dev-portal issue: swagger types should be respected when making matchers. So instead of [^/]+? the 2 types of routes here the integer should be something like [\d]+
  2. Edge issue to improve warning's UX to include both matchers and not just the second matching matcher's context

DuncanDoyle commented 6 months ago

I can't reproduce this with the provided instructions ... The only way I can reproduce this is when I set:

    gateway:
      validation:
        allowWarnings: true

If I set that value to false, the creation of the VirtualService gets blocked by the validating webhook .... In that case I get this in the status of my Environment:

    reason: "routing error: 1 error occurred:\n\t* writing resource test-environment.gloo-portal.
      failed: admission webhook \"gloo.gloo-system.svc\" denied the request: resource
      incompatible with current Gloo snapshot: [Validating *v1.VirtualService failed:
      1 error occurred:\n\t* Validating *v1.VirtualService failed: validating *v1.VirtualService
      name:\"test-environment\"  namespace:\"gloo-portal\": 1 error occurred:\n\t* could
      not render proxy: 2 errors occurred:\n\t* invalid resource gloo-portal.test-environment\n\t*
      WARN: \n  [virtual host [gloo-portal.test-environment] has conflicting matcher:
      regex:\"/org/[^/]+?\"  methods:\"GET\"  methods:\"OPTIONS\" virtual host [gloo-portal.test-environment]
      has conflicting matcher: regex:\"/org/[^/]+?/children\"  methods:\"GET\"  methods:\"OPTIONS\"
      virtual host [gloo-portal.test-environment] has conflicting matcher: regex:\"/org/[^/]+?/parents\"
      \ methods:\"GET\"  methods:\"OPTIONS\"]\n\n\n\n\n\n]\n\n"
    state: Failed

Note that in the original ZD ticket, the initial problem is that validation actually seems to get disabled:

validation is disabled due to an invalid resource which has been written to storage. Please correct any Rejected resources to re-enable validation.

You can reproduce this in the following way:

{"level":"error","ts":"2024-05-10T11:00:44.860Z","logger":"gloo-ee.v1.event_loop.setup","caller":"setup/setup_syncer.go:977","msg":"gloo main event loop","version":"1.16.8","error":"event_loop.gloo: 1 error occurred:\n\t validation is disabled due to an invalid resource which has been written to storage. Please correct any Rejected resources to re-enable validation.: 2 errors occurred:\n\t invalid resource gloo-portal.test-environment\n\t WARN: \n [virtual host [gloo-portal.test-environment] has conflicting matcher: regex:\"/org/[^/]+?\" methods:\"GET\" methods:\"OPTIONS\" virtual host [gloo-portal.test-environment] has conflicting matcher: regex:\"/org/[^/]+?/children\" methods:\"GET\" methods:\"OPTIONS\" virtual host [gloo-portal.test-environment] has conflicting matcher: regex:\"/org/[^/]+?/parents\" methods:\"GET\" methods:\"OPTIONS\"]\n\n\n\n","errorVerbose":"1 error occurred:\n\t validation is disabled due to an invalid resource which has been written to storage. Please correct any Rejected resources to re-enable validation.: 2 errors occurred:\n\t invalid resource gloo-portal.test-environment\n\t WARN: \n [virtual host [gloo-portal.test-environment] has conflicting matcher: regex:\"/org/[^/]+?\" methods:\"GET\" methods:\"OPTIONS\" virtual host [gloo-portal.test-environment] has conflicting matcher: regex:\"/org/[^/]+?/children\" methods:\"GET\" methods:\"OPTIONS\" virtual host [gloo-portal.test-environment] has conflicting matcher: regex:\"/org/[^/]+?/parents\" methods:\"GET\" methods:\"OPTIONS\"]\n\n\n\n\nevent_loop.gloo\ngithub.com/solo-io/go-utils/errutils.AggregateErrs\n\t/go/pkg/mod/github.com/solo-io/go-utils@v0.24.8/errutils/aggregate_errs.go:19\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1650","stacktrace":"github.com/solo-io/gloo/projects/gloo/pkg/syncer/setup.RunGlooWithExtensions.func10\n\t/go/pkg/mod/github.com/solo-io/gloo@v1.16.10/projects/gloo/pkg/syncer/setup/setup_syncer.go:977"}

To re-enable validation, we need to get rid of the invalid resource, which in our case is the VirtualService that was generated by the Environment. So we can simply delete the Environment, which will re-enable validation. When we now try to re-apply the Environment, the creation of the VirtualService will again be rejected and we will end up with the same error state in the Environment that we saw previously ....

DuncanDoyle commented 6 months ago

Reproducer: https://github.com/DuncanDoyle/ge-gloo-9462-portal-validation

Additional details in the readme of that repo.

DuncanDoyle commented 4 months ago

I checked the OpenAPI specification, and it seems that when using path templates, templated paths with the same hierarchy but different templated names must not exist.

From the spec:

The following paths are considered identical and invalid:

  /pets/{petId}
  /pets/{name}
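
Added example (not part of the thread and not Gloo or Gloo Portal code): a pre-deployment check that applies the OpenAPI rule quoted above and reports templated paths that collapse to the same matcher. It assumes each `{param}` is rendered as `[^/]+?`, the pattern visible in the warnings on this page; the function names and the sample paths are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// templateParam matches one OpenAPI path template segment such as {orgId}.
var templateParam = regexp.MustCompile(`\{[^/{}]+\}`)

// Operation is one path+method pair taken from an OpenAPI document.
type Operation struct{ Path, Method string }

// ToMatcherRegex renders a templated path the way the warnings on this page
// show it: every {param} becomes [^/]+? (assumed rendering; names are dropped).
func ToMatcherRegex(path string) string {
	return templateParam.ReplaceAllString(path, `[^/]+?`)
}

// FindConflicts maps "METHOD regex" to the distinct templated paths that
// collapse to that matcher. Only keys with two or more paths are returned.
func FindConflicts(ops []Operation) map[string][]string {
	byKey := map[string][]string{}
	seen := map[string]bool{}
	for _, op := range ops {
		key := op.Method + " " + ToMatcherRegex(op.Path)
		if !seen[key+"|"+op.Path] { // skip exact duplicates of the same path
			seen[key+"|"+op.Path] = true
			byKey[key] = append(byKey[key], op.Path)
		}
	}
	for key, paths := range byKey {
		if len(paths) < 2 {
			delete(byKey, key)
		}
	}
	return byKey
}

func main() {
	// Constructed sample; the swagger.json from the issue is not on this page.
	ops := []Operation{
		{"/org/{orgId}", "GET"}, {"/org/{name}", "GET"},
		{"/org/{orgId}/children", "GET"}, {"/org/{name}/parents", "GET"},
	}
	for key, paths := range FindConflicts(ops) {
		fmt.Println(key, "<-", paths)
	}
}
```

Running a check like this against the API Doc before creating the Environment surfaces the conflict without writing a rejected VirtualService to storage.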