
Listener is not created when there are multiple listeners having the same protocols and ports but different hostnames #1861

Closed
mazzy89 opened this issue Sep 1, 2023 · 21 comments
Assignees
Labels
area/translator (Issues related to Gateway's translation service, e.g. translating Gateway APIs into the IR.), kind/bug (Something isn't working), road-to-ga
Milestone

Comments

@mazzy89

mazzy89 commented Sep 1, 2023

Description:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: infra-gateway
spec:
  gatewayClassName: infra-gateway
  listeners:
    - name: grpc-https
      hostname: 'grpc.example.com'
      protocol: HTTPS
      port: 443
      allowedRoutes:
        namespaces:
          from: Same
      tls:
        certificateRefs:
          - group: ""
            kind: Secret
            name: infra-gateway-grpc-tls
        mode: Terminate
    - name: wildcard-https
      hostname: '*.example.com'
      protocol: HTTPS
      port: 443
      allowedRoutes:
        namespaces:
          from: Same
      tls:
        certificateRefs:
          - group: ""
            kind: Secret
            name: infra-gateway-wildcard-tls

Having the above configuration should create two different listeners. However, it creates only one listener, grpc-https.

Repro steps:

Apply the above configuration and then run egctl and look for the wildcard listener. It won't be in place.

Environment:

envoy-gateway v0.6.0

A configuration like that should be possible, as recommended by cert-manager: https://cert-manager.io/docs/usage/gateway/#two-listeners-with-the-same-secret-name

Also, according to the upstream config https://gateway-api.sigs.k8s.io/v1alpha2/guides/tls/, it should be possible.

@mazzy89 mazzy89 added the kind/bug Something isn't working label Sep 1, 2023
@mazzy89 mazzy89 changed the title Listener is not created when there are Listener is not created when there are multiple multiple listeners having same protocols and ports but different hostname Sep 1, 2023
@arkodg arkodg added the help wanted Extra attention is needed label Sep 1, 2023
@arkodg arkodg added this to the 0.6.0-rc1 milestone Sep 1, 2023
@tanujd11
Member

tanujd11 commented Sep 6, 2023

/assign

@arkodg arkodg added the area/translator Issues related to Gateway's translation service, e.g. translating Gateway APIs into the IR. label Oct 6, 2023
@arkodg arkodg removed the help wanted Extra attention is needed label Oct 19, 2023
@arkodg
Contributor

arkodg commented Oct 19, 2023

hey @tanujd11, checking in to see if you still plan on working on this?

@arkodg arkodg modified the milestones: 0.6.0-rc1, 0.6.0, Backlog Oct 26, 2023

github-actions bot commented Dec 2, 2023

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

@github-actions github-actions bot added the stale label Dec 2, 2023
@arkodg
Contributor

arkodg commented Jan 4, 2024

hey @tanujd11, still planning on working on this one?


github-actions bot commented Feb 3, 2024

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

@github-actions github-actions bot added the stale label Feb 3, 2024
@arkodg arkodg removed the stale label Feb 5, 2024
@arkodg arkodg added the help wanted Extra attention is needed label Feb 22, 2024
@arkodg arkodg modified the milestones: v1.0.0-rc1, v1.0.0 Feb 27, 2024
@cnvergence cnvergence self-assigned this Mar 7, 2024
@cnvergence cnvergence removed the help wanted Extra attention is needed label Mar 7, 2024
@cnvergence
Member

I will take a look

@arkodg arkodg modified the milestones: v1.0.0, v1.1.0-rc1 Mar 28, 2024
@JuniorJPDJ
Contributor

I'm having a similar issue, but in my case the problem is multiple TLS listeners with other modes and hostnames:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  labels:
    argocd.argoproj.io/instance: cluster-config
  name: default
  namespace: envoy-gateway-system
spec:
  gatewayClassName: envoy-gateway
  listeners:
    - allowedRoutes:
        namespaces:
          from: All
      name: http-0
      port: 80
      protocol: HTTP
    - allowedRoutes:
        namespaces:
          from: All
      name: tls-pass-0
      port: 443
      protocol: TLS
      tls:
        mode: Passthrough
    - allowedRoutes:
        namespaces:
          from: All
      hostname: '*.p.<redacted>'
      name: https-0
      port: 443
      protocol: HTTPS
      tls:
        certificateRefs:
          - group: ''
            kind: Secret
            name: <redacted>
        mode: Terminate
    - allowedRoutes:
        namespaces:
          from: All
      hostname: ssh.<redacted>
      name: tls-term-0
      port: 443
      protocol: TLS
      tls:
        certificateRefs:
          - group: ''
            kind: Secret
            name: <redacted>
        mode: Terminate

tls-pass-0 is accepted, https-0 is accepted, and tls-term-0 is not accepted; probably when adding more tls-term or even https listeners, those won't be accepted either, even with other hostnames.

Status:

status:
  addresses:
    - type: IPAddress
      value: 192.168.64.209
  conditions:
    - lastTransitionTime: '2024-03-28T11:32:57Z'
      message: The Gateway has been scheduled by Envoy Gateway
      observedGeneration: 5
      reason: Accepted
      status: 'True'
      type: Accepted
    - lastTransitionTime: '2024-03-28T11:32:57Z'
      message: 'Address assigned to the Gateway, 1/1 envoy Deployment replicas available'
      observedGeneration: 5
      reason: Programmed
      status: 'True'
      type: Programmed
  listeners:
    - attachedRoutes: 3
      conditions:
        - lastTransitionTime: '2024-03-28T11:32:57Z'
          message: Sending translated listener configuration to the data plane
          observedGeneration: 5
          reason: Programmed
          status: 'True'
          type: Programmed
        - lastTransitionTime: '2024-03-28T11:32:57Z'
          message: Listener has been successfully translated
          observedGeneration: 5
          reason: Accepted
          status: 'True'
          type: Accepted
        - lastTransitionTime: '2024-03-28T11:32:57Z'
          message: Listener references have been resolved
          observedGeneration: 5
          reason: ResolvedRefs
          status: 'True'
          type: ResolvedRefs
      name: http-0
      supportedKinds:
        - group: gateway.networking.k8s.io
          kind: HTTPRoute
        - group: gateway.networking.k8s.io
          kind: GRPCRoute
    - attachedRoutes: 3
      conditions:
        - lastTransitionTime: '2024-03-28T11:32:57Z'
          message: Sending translated listener configuration to the data plane
          observedGeneration: 5
          reason: Programmed
          status: 'True'
          type: Programmed
        - lastTransitionTime: '2024-03-28T11:32:57Z'
          message: Listener has been successfully translated
          observedGeneration: 5
          reason: Accepted
          status: 'True'
          type: Accepted
        - lastTransitionTime: '2024-03-28T11:32:57Z'
          message: Listener references have been resolved
          observedGeneration: 5
          reason: ResolvedRefs
          status: 'True'
          type: ResolvedRefs
      name: tls-pass-0
      supportedKinds:
        - group: gateway.networking.k8s.io
          kind: TLSRoute
    - attachedRoutes: 0
      conditions:
        - lastTransitionTime: '2024-03-28T11:32:57Z'
          message: Sending translated listener configuration to the data plane
          observedGeneration: 5
          reason: Programmed
          status: 'True'
          type: Programmed
        - lastTransitionTime: '2024-03-28T11:32:57Z'
          message: Listener has been successfully translated
          observedGeneration: 5
          reason: Accepted
          status: 'True'
          type: Accepted
        - lastTransitionTime: '2024-03-28T11:32:57Z'
          message: Listener references have been resolved
          observedGeneration: 5
          reason: ResolvedRefs
          status: 'True'
          type: ResolvedRefs
      name: https-0
      supportedKinds:
        - group: gateway.networking.k8s.io
          kind: HTTPRoute
        - group: gateway.networking.k8s.io
          kind: GRPCRoute
    - attachedRoutes: 1
      conditions:
        - lastTransitionTime: '2024-03-28T11:32:57Z'
          message: Only one TCP/TLS listener is allowed in a given port
          observedGeneration: 5
          reason: ProtocolConflict
          status: 'True'
          type: Conflicted
        - lastTransitionTime: '2024-03-28T11:32:57Z'
          message: 'Listener is invalid, see other Conditions for details.'
          observedGeneration: 5
          reason: Invalid
          status: 'False'
          type: Programmed
        - lastTransitionTime: '2024-03-28T11:32:57Z'
          message: Listener references have been resolved
          observedGeneration: 5
          reason: ResolvedRefs
          status: 'True'
          type: ResolvedRefs
      name: tls-term-0
      supportedKinds:
        - group: gateway.networking.k8s.io
          kind: TCPRoute

@cnvergence
Member

Seems like the same issue as here: #2964
I will have some time now to debug this.

@cnvergence
Member

cnvergence commented Apr 2, 2024

I have tested it against a gateway with multiple listeners:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: infra-gateway
spec:
  gatewayClassName: eg-internal
  listeners:
    - name: company-https
      hostname: '*.company.com'
      protocol: HTTPS
      port: 443
      allowedRoutes:
        namespaces:
          from: Same
      tls:
        certificateRefs:
        - group: ""
          kind: Secret
          name: company-tls
          namespace: envoy-gateway-system
        mode: Terminate
    - name: example-https
      hostname: www.example.com
      protocol: HTTPS
      port: 443
      allowedRoutes:
        namespaces:
          from: Same
      tls:
        certificateRefs:
          - group: ""
            kind: Secret
            name: example-tls
            namespace: envoy-gateway-system
        mode: Terminate

Without merged gateways, which have another bug related to infra provisioning, I could successfully test out this gateway with two different services. I have checked that the xDS IR is translated properly to match the different apps.

Company listener:

curl -v -HHost:'*.company.com' --resolve "sub.company.com:443:172.18.255.200" \
--cacert rsa-cert-wildcard.pem  https://'sub.company.com'/get

* Added sub.company.com:443:172.18.255.200 to DNS cache
* Hostname sub.company.com was found in DNS cache
*   Trying 172.18.255.200:443...
* Connected to sub.company.com (172.18.255.200) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: rsa-cert-wildcard.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=Test Inc
*  start date: Mar 19 16:04:47 2024 GMT
*  expire date: Mar 19 16:04:47 2025 GMT
*  subjectAltName: host "sub.company.com" matched cert's "*.company.com"
*  issuer: CN=Test Inc
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://sub.company.com/get
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: *.company.com]
* [HTTP/2] [1] [:path: /get]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET /get HTTP/2
> Host:*.company.com
> User-Agent: curl/8.4.0
> Accept: */*
> 
< HTTP/2 200 
< content-type: application/json
< x-content-type-options: nosniff
< date: Fri, 29 Mar 2024 15:13:34 GMT
< content-length: 474
< 
{
 "path": "/get",
 "host": "*.company.com",
 "method": "GET",
 "proto": "HTTP/1.1",
 "headers": {
  "Accept": [
   "*/*"
  ],
  "User-Agent": [
   "curl/8.4.0"
  ],
  "X-Envoy-Internal": [
   "true"
  ],
  "X-Forwarded-For": [
   "172.18.0.3"
  ],
  "X-Forwarded-Proto": [
   "https"
  ],
  "X-Request-Id": [
   "da1adb99-00a7-401e-bc19-be3d0a1f5203"
  ]
 },
 "namespace": "envoy-gateway-system",
 "ingress": "",
 "service": "",
 "pod": "company-service-78d6759b89-kjp67"
* Connection #0 to host sub.company.com left intact
}

Example listener:

curl -v -HHost:www.example.com --resolve "www.example.com:443:172.18.255.200" \
--cacert www.example.com.crt https://www.example.com/get
* Added www.example.com:443:172.18.255.200 to DNS cache
* Hostname www.example.com was found in DNS cache
*   Trying 172.18.255.200:443...
* Connected to www.example.com (172.18.255.200) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: www.example.com.crt
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=www.example.com; O=example organization
*  start date: Mar 19 16:13:34 2024 GMT
*  expire date: Mar 19 16:13:34 2025 GMT
*  common name: www.example.com (matched)
*  issuer: O=example Inc.; CN=example.com
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://www.example.com/get
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: www.example.com]
* [HTTP/2] [1] [:path: /get]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET /get HTTP/2
> Host:www.example.com
> User-Agent: curl/8.4.0
> Accept: */*
> 
< HTTP/2 200 
< content-type: application/json
< x-content-type-options: nosniff
< date: Fri, 29 Mar 2024 15:14:23 GMT
< content-length: 476
< 
{
 "path": "/get",
 "host": "www.example.com",
 "method": "GET",
 "proto": "HTTP/1.1",
 "headers": {
  "Accept": [
   "*/*"
  ],
  "User-Agent": [
   "curl/8.4.0"
  ],
  "X-Envoy-Internal": [
   "true"
  ],
  "X-Forwarded-For": [
   "172.18.0.3"
  ],
  "X-Forwarded-Proto": [
   "https"
  ],
  "X-Request-Id": [
   "47eea4cf-afb7-4336-9088-5998b8ab3ddc"
  ]
 },
 "namespace": "envoy-gateway-system",
 "ingress": "",
 "service": "",
 "pod": "example-service-55694dc865-wvn6c"
* Connection #0 to host www.example.com left intact
}

Please note that in the Infra IR there will be only one Infra IR listener for multiple Gateway listeners configured with the same port value, as it is matched directly to the Kubernetes Envoy infrastructure Service port.
We are working on adding unified port naming for the Envoy infra and could probably consider somehow extending the Infra IR output to give users more valuable information on top, when dealing with such scenarios.


github-actions bot commented May 2, 2024

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

@github-actions github-actions bot added the stale label May 2, 2024
@JuniorJPDJ
Contributor

bump

@github-actions github-actions bot removed the stale label May 2, 2024

github-actions bot commented Jun 2, 2024

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

@github-actions github-actions bot added the stale label Jun 2, 2024
@JuniorJPDJ
Contributor

not stale

@github-actions github-actions bot removed the stale label Jun 2, 2024
@arkodg
Contributor

arkodg commented Jun 3, 2024

hey @cnvergence, still looking into this one?

@cnvergence
Member

hey, I concluded my debugging here: #1861 (comment)
I couldn't reproduce this issue; even with the same protocol and port but a different hostname, I could match the proper backend service.
The outcome of it would be to find out whether we can serve IR listeners on different ports in the service when they are duplicated.

@arkodg
Contributor

arkodg commented Jun 4, 2024

there are 2 configs provided by users
1)

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: infra-gateway
spec:
  gatewayClassName: infra-gateway
  listeners:
    - name: grpc-https
      hostname: 'grpc.example.com'
      protocol: HTTPS
      port: 443
      allowedRoutes:
        namespaces:
          from: Same
      tls:
        certificateRefs:
          - group: ""
            kind: Secret
            name: infra-gateway-grpc-tls
        mode: Terminate
    - name: wildcard-https
      hostname: '*.example.com'
      protocol: HTTPS
      port: 443
      allowedRoutes:
        namespaces:
          from: Same
      tls:
        certificateRefs:
          - group: ""
            kind: Secret
            name: infra-gateway-wildcard-tls

and

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  labels:
    argocd.argoproj.io/instance: cluster-config
  name: default
  namespace: envoy-gateway-system
spec:
  gatewayClassName: envoy-gateway
  listeners:
    - allowedRoutes:
        namespaces:
          from: All
      name: http-0
      port: 80
      protocol: HTTP
    - allowedRoutes:
        namespaces:
          from: All
      name: tls-pass-0
      port: 443
      protocol: TLS
      tls:
        mode: Passthrough
    - allowedRoutes:
        namespaces:
          from: All
      hostname: '*.p.<redacted>'
      name: https-0
      port: 443
      protocol: HTTPS
      tls:
        certificateRefs:
          - group: ''
            kind: Secret
            name: <redacted>
        mode: Terminate
    - allowedRoutes:
        namespaces:
          from: All
      hostname: ssh.<redacted>
      name: tls-term-0
      port: 443
      protocol: TLS
      tls:
        certificateRefs:
          - group: ''
            kind: Secret
            name: <redacted>
        mode: Terminate

hey @cnvergence, are we unable to repro 1. or 2. or both?
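To pin down whether the two configurations quoted above conflict under the Gateway API itself, here is an added checker (an example written for this page, not Envoy Gateway code) that applies the spec's listener compatibility rules as I read them: listeners sharing a port must all be HTTP, or all HTTPS/TLS, with hostnames unique per port and at most one hostname-less catch-all. Both page configurations pass it, which is consistent with the ProtocolConflict status quoted earlier being an implementation constraint rather than a spec-level conflict. The protocol grouping, the placeholder hostnames and the choice to flag every listener in a conflicting set are assumptions of this example.

```python
"""Gateway API listener-compatibility check (added example, not Envoy Gateway code).

Assumption: this is the example's reading of the Gateway API compatibility rules.
Listeners sharing a port must all be HTTP, or all HTTPS/TLS; each needs a hostname
unique on that port, and at most one per port may omit it (the catch-all).
TCP and UDP listeners cannot share a port at all."""
from collections import defaultdict

# Constructed from the two Gateway specs quoted in this issue; redacted values
# are replaced by placeholders.
GATEWAY_1 = [
    {"name": "grpc-https", "port": 443, "protocol": "HTTPS", "hostname": "grpc.example.com"},
    {"name": "wildcard-https", "port": 443, "protocol": "HTTPS", "hostname": "*.example.com"},
]
GATEWAY_2 = [
    {"name": "http-0", "port": 80, "protocol": "HTTP"},
    {"name": "tls-pass-0", "port": 443, "protocol": "TLS"},
    {"name": "https-0", "port": 443, "protocol": "HTTPS", "hostname": "*.p.REDACTED"},
    {"name": "tls-term-0", "port": 443, "protocol": "TLS", "hostname": "ssh.REDACTED"},
]
# Constructed negative cases (not from the page) to exercise both conflict reasons.
BAD_HOSTNAMES = [
    {"name": "a", "port": 443, "protocol": "HTTPS", "hostname": "app.example.com"},
    {"name": "b", "port": 443, "protocol": "TLS", "hostname": "app.example.com"},
]
BAD_PROTOCOLS = [
    {"name": "plain", "port": 8080, "protocol": "HTTP"},
    {"name": "secure", "port": 8080, "protocol": "HTTPS", "hostname": "x.example.com"},
]

# Protocols that one port can demultiplex by Host header or SNI; anything else
# (TCP, UDP) maps to None and may not share a port.
PROTOCOL_FAMILY = {"HTTP": "http", "HTTPS": "secure", "TLS": "secure"}


def listener_conflicts(listeners):
    """Return {listener_name: reason} using the Gateway API reason names
    ProtocolConflict and HostnameConflict. Every listener in a conflicting
    set is flagged (a choice of this example; implementations may differ)."""
    conflicts = {}
    by_port = defaultdict(list)
    for lst in listeners:
        by_port[lst["port"]].append(lst)
    for group in by_port.values():
        if len(group) < 2:
            continue  # a lone listener on a port cannot conflict
        families = {PROTOCOL_FAMILY.get(lst["protocol"]) for lst in group}
        if len(families) > 1 or None in families:
            for lst in group:
                conflicts[lst["name"]] = "ProtocolConflict"
            continue
        owners = defaultdict(list)
        for lst in group:
            owners[lst.get("hostname", "")].append(lst["name"])  # "" = catch-all
        for names in owners.values():
            if len(names) > 1:
                for name in names:
                    conflicts[name] = "HostnameConflict"
    return conflicts


if __name__ == "__main__":
    for label, gw in (("gateway 1", GATEWAY_1), ("gateway 2", GATEWAY_2)):
        print(label, listener_conflicts(gw) or "no conflicts")
```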

@cnvergence
Member

hey @arkodg, I tried both of them; like I said, in my case the traffic passed properly to the correct backend.
But it might be that other folks want to have those listeners created as separate ports in the Kubernetes Service; we don't support that currently, as we share ports (using 443 for all of them).
IMO, this is still something we could take a look at and create new ports on the service when there is a duplicate between listeners under the same gateway; I think Contour has something working for this case.

@arkodg
Contributor

arkodg commented Jun 5, 2024

@cnvergence did you try on v0.0.0-latest? I think we made some refactors that improved/removed these constraints:
#3271

      conditions:
        - lastTransitionTime: '2024-03-28T11:32:57Z'
          message: Only one TCP/TLS listener is allowed in a given port
          observedGeneration: 5
          reason: ProtocolConflict
          status: 'True'
          type: Conflicted
        - lastTransitionTime: '2024-03-28T11:32:57Z'
          message: 'Listener is invalid, see other Conditions for details.'
          observedGeneration: 5
          reason: Invalid
          status: 'False'
          type: Programmed

@JuniorJPDJ can you try with v0.0.0-latest to confirm that the issue you are facing is fixed? The v1.1 minor release should be out in the coming weeks.

@cnvergence
Member

Oh, I did not see these in my example :)

@JuniorJPDJ
Contributor

@arkodg it looks like updating to the latest version of v0.0.0-latest fixed the issue.
I haven't tried attaching any routes yet, but the listener is accepted now.

@arkodg
Contributor

arkodg commented Jun 6, 2024

awesome, thanks for confirming @JuniorJPDJ, there should be a stable image with the fix out soon
