Multiple Reference Grant for specific service in the same namespace didn't work as expected. #2149

Closed
ardikabs opened this issue Nov 1, 2023 · 4 comments · Fixed by #4008
Labels: help wanted, kind/bug

ardikabs commented Nov 1, 2023

Description:
If we separate HTTPRoute into a central namespace and place all related backends into their respective namespaces, this will necessitate the use of a ReferenceGrant. In our scenario, we include a ReferenceGrant as part of each application deployment that refers to its Kubernetes Service.
Everything seems to be working fine, but as soon as we add another application deployment in the existing namespace (that is, one that contains an existing application with its ReferenceGrant), HTTPRoute starts showing an inconsistent status that shows "Backend ref to service <namespace>/<service_name> not permitted by any ReferenceGrant".

Initial Finding:

We think this is because of inconsistent steps between these lines of code:

  • For finding the reference of ReferenceGrant for the associated service.

    for _, refGrant := range refGrants {
        if refGrant.Namespace == to.namespace {
            for _, src := range refGrant.Spec.From {
                if src.Kind == gwapiv1a2.Kind(from.kind) && string(src.Namespace) == from.namespace {
                    return &refGrant, nil
                }
            }
        }
    }

  • For validating when referring to ReferenceGrant for the HTTPRoute.

    for _, refGrantTo := range referenceGrant.Spec.To {
        if string(refGrantTo.Group) == to.group && string(refGrantTo.Kind) == to.kind && (refGrantTo.Name == nil || *refGrantTo.Name == "" || string(*refGrantTo.Name) == to.name) {
            toAllowed = true
            break
        }
    }

The filtering mechanism only checks against the From spec, meaning the first match on its From will be used, while the validation checks thoroughly against the To spec.

Repro steps:
Assuming you have deployed 3 services of Echoserver in the testing namespace.

Apply these ReferenceGrant manifests:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: echoserver-1-rg
  namespace: testing
spec:
  from:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: envoy-gateway-system
  to:
    - group: ""
      kind: Service
      name: echoserver-1
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: echoserver-2-rg
  namespace: testing
spec:
  from:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: envoy-gateway-system
  to:
    - group: ""
      kind: Service
      name: echoserver-2
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: echoserver-3-rg
  namespace: testing
spec:
  from:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: envoy-gateway-system
  to:
    - group: ""
      kind: Service
      name: echoserver-3

Apply these HTTPRoute manifests:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: sample-01
  namespace: envoy-gateway-system
spec:
  hostnames:
  - playground.internal
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: default-gateway
    namespace: envoy-gateway-system
  rules:
  - backendRefs:
    - group: ""
      kind: Service
      name: echoserver-1
      namespace: testing
      port: 80
      weight: 1
    matches:
    - path:
        type: PathPrefix
        value: /echo1a
  - backendRefs:
    - group: ""
      kind: Service
      name: echoserver-2
      namespace: testing
      port: 80
      weight: 1
    matches:
    - path:
        type: PathPrefix
        value: /echo2
  - backendRefs:
    - group: ""
      kind: Service
      name: echoserver-3
      namespace: testing
      port: 80
      weight: 1
    matches:
    - path:
        type: PathPrefix
        value: /echo3

Environment:
v0.5.0 Envoy Gateway, but similar code still exists in the recent version.
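
The lookup/validation mismatch described in the initial finding, as an added Go example (not Envoy Gateway's code and not the change from #4008). `Peer`, `Grant`, `check`, `grantFor` and both `*Permits` functions are hypothetical, simplified stand-ins, and the sample grants are constructed from the repro manifests above.

```go
package main

import "fmt"

// Simplified stand-ins for the ReferenceGrant types (assumption, not the real API structs).
type Peer struct{ Group, Kind, Namespace, Name string }
type Grant struct{ Namespace string; From, To []Peer }

// check: is g in the target namespace with a matching From, and does its To cover the target?
func check(g Grant, from, to Peer) (fromOK, toOK bool) {
	for _, f := range g.From {
		fromOK = fromOK || (f.Group == from.Group && f.Kind == from.Kind && f.Namespace == from.Namespace)
	}
	for _, t := range g.To { // an empty To name covers every object of that kind
		toOK = toOK || (t.Group == to.Group && t.Kind == to.Kind && (t.Name == "" || t.Name == to.Name))
	}
	return fromOK && g.Namespace == to.Namespace, toOK
}

// firstMatchPermits follows the flow in the issue: only the first From match has its To checked.
func firstMatchPermits(grants []Grant, from, to Peer) bool {
	for _, g := range grants {
		if fromOK, toOK := check(g, from, to); fromOK {
			return toOK // later grants are never consulted
		}
	}
	return false
}

// anyGrantPermits keeps scanning until a single grant matches both From and To.
func anyGrantPermits(grants []Grant, from, to Peer) bool {
	for _, g := range grants {
		if fromOK, toOK := check(g, from, to); fromOK && toOK {
			return true
		}
	}
	return false
}

// Constructed sample mirroring the repro manifests: one grant per Service in "testing".
var route = Peer{Group: "gateway.networking.k8s.io", Kind: "HTTPRoute", Namespace: "envoy-gateway-system"}
func grantFor(svc string) Grant {
	return Grant{"testing", []Peer{route}, []Peer{{Kind: "Service", Name: svc}}}
}

func main() {
	grants := []Grant{grantFor("echoserver-1"), grantFor("echoserver-2"), grantFor("echoserver-3")}
	to := Peer{Kind: "Service", Namespace: "testing", Name: "echoserver-2"}
	fmt.Println(firstMatchPermits(grants, route, to), anyGrantPermits(grants, route, to))
}
```

Both functions deny when no grant matches, so the first-match variant fails closed on valid references rather than widening access; the only difference is which grants are consulted.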

ardikabs added the kind/bug label Nov 1, 2023

ardikabs commented Nov 1, 2023

Additional Question for Clarity:

Is the ReferenceGrant limited to just one per namespace, or can it be created for each Kubernetes Service that serves as a backend?

Because from the upstream project (Gateway API), I couldn't find any reference for the approach of having a ReferenceGrant.

github-actions bot commented Dec 1, 2023

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

github-actions bot added the stale label Dec 1, 2023
arkodg added the help wanted label and removed the stale label May 22, 2024
arkodg added this to the v1.1.0-rc1 milestone May 22, 2024
arkodg modified the milestones: v1.1.0-rc1, v1.1.0 Jul 3, 2024

ReToCode commented Jul 3, 2024

Same problem discovered here: knative-extensions/net-gateway-api#437. Both configurations work as long as they are not applied at the same time:

(please ignore the expired cert error; our tests create one that is only short-lived).

ardikabs commented Aug 5, 2024

/assign
