search

solo-io / gloo

The Feature-rich, Kubernetes-native, Next-Generation API Gateway Built on Envoy
https://docs.solo.io/
Apache License 2.0
4.07k stars 434 forks source link

Webhook InvalidDestinationWarning with allowWarnings:false for Kubernetes service #6214

Open zf-roose opened 2 years ago

zf-roose commented 2 years ago

Gloo Edge Version

1.11.x (beta)

Kubernetes Version

1.20.x

Describe the bug

After setting gateway.validation.allowWarnings: false our helm deployments fail with a InvalidDestinationWarning admission webhook error:

upgrade.go:420: [debug] warning: Upgrade "xxx" failed: failed to create resource: admission webhook "gateway.gloo-system.svc" denied the request: resource incompatible with current Gloo snapshot: [Validating v1.VirtualService failed: validating *v1.VirtualService name:"xxx-service-internal" namespace:"xxx-584-val-22660": Route Warning: InvalidDestinationWarning. Reason: *v1.Upstream { xxx-584-val-22660.kube-svc:xxx-584-val-22660-c-c77767cb34a36075bdc47f165089a77 } not found]

The VirtualService object contains a single route using Kubernetes constructs (routeAction.single.kube) referring to the service.

VirtualService object spec:

apiVersion: gateway.solo.io/v1
kind: VirtualService
<snip>
spec:
  sslConfig:
    oneWayTls: true
    secretRef:
      name: xxx-service-internal-cert
      namespace: xxx-584-dev
    sniDomains:
    - xxx.com
  virtualHost:
    domains:
    - xxx.com
    routes:
    - matchers:
      - prefix: /
      name: all
      routeAction:
        single:
          kube:
            port: 80
            ref:
              name: xxx-service
              namespace: xxx-584-dev

Steps to reproduce the bug

Set gateway.validation.allowWarnings: false and deploy a VirtualService object with a routeAction to the Kubernetes service.

The webhook validation throws an InvalidDestinationWarning and blocks the deployment.

Set gateway.validation.allowWarnings: true and the deployment will work, the gateway-proxy adds the virtualhost and the API is reachable.

Expected Behavior

No InvalidDestinationWarning should be triggered as the service exists, the pod is running and working.

Additional Context

We can not use gateway.validation.allowWarnings: false for now as recommended for production workloads on https://docs.solo.io/gloo-edge/latest/operations/production_deployment/#more-validation-hooks

github-actions[bot] commented 3 months ago

This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.