Open htech7x opened 6 months ago
Zendesk ticket #3552 has been linked to this issue.
There seem to be 2 parts to this.
I can't reproduce this with the provided instructions ... The only way I can reproduce this is when I set:
gateway:
  validation:
    allowWarnings: true
If I set that value to false, the creation of the VirtualService gets blocked by the validating webhook .... In that case I get this in the status of my Environment:
reason: "routing error: 1 error occurred:\n\t* writing resource test-environment.gloo-portal.
failed: admission webhook \"gloo.gloo-system.svc\" denied the request: resource
incompatible with current Gloo snapshot: [Validating *v1.VirtualService failed:
1 error occurred:\n\t* Validating *v1.VirtualService failed: validating *v1.VirtualService
name:\"test-environment\" namespace:\"gloo-portal\": 1 error occurred:\n\t* could
not render proxy: 2 errors occurred:\n\t* invalid resource gloo-portal.test-environment\n\t*
WARN: \n [virtual host [gloo-portal.test-environment] has conflicting matcher:
regex:\"/org/[^/]+?\" methods:\"GET\" methods:\"OPTIONS\" virtual host [gloo-portal.test-environment]
has conflicting matcher: regex:\"/org/[^/]+?/children\" methods:\"GET\" methods:\"OPTIONS\"
virtual host [gloo-portal.test-environment] has conflicting matcher: regex:\"/org/[^/]+?/parents\"
\ methods:\"GET\" methods:\"OPTIONS\"]\n\n\n\n\n\n]\n\n"
state: Failed
Note that in the original ZD ticket, the initial problem is that validation actually seems to get disabled:
validation is disabled due to an invalid resource which has been written to storage. Please correct any Rejected resources to re-enable validation.
You can reproduce this in the following way:
allowWarnings: true, to allow resources that would end up in a "Warning" state to be accepted by the webhook.
ApiDoc, ApiProduct and Environment as described in this ticket (will create an automated reproducer for this to make this a bit easier).
kubectl get vs -A and observe that the VirtualService for the Environment has been created.
status of the Environment is set to "Succeeded": kubectl -n gloo-portal get environment test-environment -o yaml
Settings and set validation allowWarnings: false: kubectl -n gloo-system patch settings default --type='json' -p '[{"op": "replace", "path": "/spec/gateway/validation/allowWarnings", "value": false}]'
kubectl -n gloo-system logs -f gloo-{pod-id}
{"level":"error","ts":"2024-05-10T11:00:44.860Z","logger":"gloo-ee.v1.event_loop.setup","caller":"setup/setup_syncer.go:977","msg":"gloo main event loop","version":"1.16.8","error":"event_loop.gloo: 1 error occurred:\n\t validation is disabled due to an invalid resource which has been written to storage. Please correct any Rejected resources to re-enable validation.: 2 errors occurred:\n\t invalid resource gloo-portal.test-environment\n\t WARN: \n [virtual host [gloo-portal.test-environment] has conflicting matcher: regex:\"/org/[^/]+?\" methods:\"GET\" methods:\"OPTIONS\" virtual host [gloo-portal.test-environment] has conflicting matcher: regex:\"/org/[^/]+?/children\" methods:\"GET\" methods:\"OPTIONS\" virtual host [gloo-portal.test-environment] has conflicting matcher: regex:\"/org/[^/]+?/parents\" methods:\"GET\" methods:\"OPTIONS\"]\n\n\n\n","errorVerbose":"1 error occurred:\n\t validation is disabled due to an invalid resource which has been written to storage. Please correct any Rejected resources to re-enable validation.: 2 errors occurred:\n\t invalid resource gloo-portal.test-environment\n\t WARN: \n [virtual host [gloo-portal.test-environment] has conflicting matcher: regex:\"/org/[^/]+?\" methods:\"GET\" methods:\"OPTIONS\" virtual host [gloo-portal.test-environment] has conflicting matcher: regex:\"/org/[^/]+?/children\" methods:\"GET\" methods:\"OPTIONS\" virtual host [gloo-portal.test-environment] has conflicting matcher: regex:\"/org/[^/]+?/parents\" methods:\"GET\" methods:\"OPTIONS\"]\n\n\n\n\nevent_loop.gloo\ngithub.com/solo-io/go-utils/errutils.AggregateErrs\n\t/go/pkg/mod/github.com/solo-io/go-utils@v0.24.8/errutils/aggregate_errs.go:19\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1650","stacktrace":"github.com/solo-io/gloo/projects/gloo/pkg/syncer/setup.RunGlooWithExtensions.func10\n\t/go/pkg/mod/github.com/solo-io/gloo@v1.16.10/projects/gloo/pkg/syncer/setup/setup_syncer.go:977"}
To re-enable validation, we need to get rid of the invalid resource, which in our case is the VirtualService that was generated by the Environment. So we can simply delete the Environment, which will re-enable validation. When we now try to re-apply the Environment, the creation of the VirtualService will again be rejected and we will end up with the same error state in the Environment that we saw previously ....
Reproducer: https://github.com/DuncanDoyle/ge-gloo-9462-portal-validation
Additional details in the readme of that repo.
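Added example (not part of the original comment or of the Gloo project): a log triage helper that flags the "validation is disabled" state in JSON log lines and lists the invalid resource and the conflicting matchers behind it. The sample log is constructed and shortened from the entry quoted above; the function and constant names are assumptions.

```python
import json
import re

MARKER = "validation is disabled due to an invalid resource"
# namespace.name after "invalid resource"; the required dot keeps the marker text from matching
RESOURCE = re.compile(r"invalid resource ([\w-]+\.[\w.-]+)")
MATCHER = re.compile(r'conflicting matcher: regex:"([^"]+)"')

# Constructed sample: the error text is shortened from the log entry quoted above.
ERR = (
    "event_loop.gloo: 1 error occurred:\n\t validation is disabled due to an invalid "
    "resource which has been written to storage. Please correct any Rejected resources "
    "to re-enable validation.: 2 errors occurred:\n\t invalid resource "
    "gloo-portal.test-environment\n\t WARN: \n [virtual host [gloo-portal.test-environment] "
    'has conflicting matcher: regex:"/org/[^/]+?" methods:"GET" methods:"OPTIONS" '
    "virtual host [gloo-portal.test-environment] has conflicting matcher: "
    'regex:"/org/[^/]+?/children" methods:"GET" methods:"OPTIONS" '
    "virtual host [gloo-portal.test-environment] has conflicting matcher: "
    'regex:"/org/[^/]+?/parents" methods:"GET" methods:"OPTIONS"]'
)
SAMPLE_LOG = "\n".join([
    json.dumps({"level": "info", "ts": "2024-05-10T11:00:40.000Z", "msg": "constructed filler"}),
    json.dumps({"level": "error", "ts": "2024-05-10T11:00:44.860Z",
                "msg": "gloo main event loop", "error": ERR}),
    "plain text line that is not JSON",
])


def find_validation_disabled(log_text):
    """Return one finding per JSON log entry reporting that validation is disabled."""
    findings = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # skip lines that are not JSON
        if not isinstance(entry, dict):
            continue
        err = str(entry.get("error", ""))
        if MARKER not in err:
            continue
        findings.append({
            "ts": entry.get("ts"),
            "resources": sorted(set(RESOURCE.findall(err))),
            "conflicting_regexes": sorted(set(MATCHER.findall(err))),
        })
    return findings


if __name__ == "__main__":
    for f in find_validation_disabled(SAMPLE_LOG):
        print(f["ts"], f["resources"], f["conflicting_regexes"])
```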
I checked the OpenAPI specification, and it seems that when using path templates, templated paths with the same hierarchy but different templated names must not exist.
From the spec:
The following paths are considered identical and invalid:
/pets/{petId}
/pets/{name}
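Added example (not from the original comment or the Gloo code base): a check to run over the `paths` object of an OpenAPI document before creating the API Doc, reporting templated paths that the spec rule quoted above treats as identical. The sample paths and parameter names are constructed to mirror the `/org/...` matchers in this issue and are not taken from the reporter's swagger.json.

```python
import re
from collections import defaultdict

# Constructed sample "paths" object; the names are assumptions, not the reporter's file.
SAMPLE_PATHS = {
    "/org/{orgId}": {"get": {}, "options": {}},
    "/org/{name}": {"get": {}},
    "/org/{orgId}/children": {"get": {}},
    "/org/{name}/children": {"get": {}},
    "/org/{orgId}/members": {"get": {}},
    "/org": {"get": {}},
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
TEMPLATE = re.compile(r"\{[^/{}]+\}")


def normalize(path):
    """Replace every {param} with the same placeholder so parameter names stop mattering."""
    return TEMPLATE.sub("{}", path)


def find_identical_paths(paths):
    """Group templated paths that differ only in parameter names.

    Returns {normalized_path: {"paths": [...], "shared_methods": [...]}}
    for every group with more than one member.
    """
    groups = defaultdict(list)
    for path in paths:
        groups[normalize(path)].append(path)

    conflicts = {}
    for norm, members in groups.items():
        if len(members) < 2:
            continue
        method_sets = [
            {m.lower() for m in (paths[p] or {}) if m.lower() in HTTP_METHODS}
            for p in members
        ]
        shared = set.intersection(*method_sets)
        conflicts[norm] = {"paths": sorted(members), "shared_methods": sorted(shared)}
    return conflicts


if __name__ == "__main__":
    for norm, info in sorted(find_identical_paths(SAMPLE_PATHS).items()):
        print(f"{norm}: {info['paths']} share {info['shared_methods'] or 'no methods'}")
```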
Gloo Edge Product
Enterprise
Gloo Edge Version
1.16.8
Kubernetes Version
1.28.5
Describe the bug
After creating VS, "gloo check" complains about "conflicting matcher"
Expected Behavior
Validation works as expected
Steps to reproduce the bug
Deploy Gloo EE and Gloo Portal
Edit settings for Gloo EE
Create API Doc according to the documentation using the following "swagger.json" swagger.json
Create API Product and API Environment according to the documentation
Run "gloo check" and check the message
Additional Environment Detail
No response
Additional Context
No response