Listener not accepting HTTPS without a `*` host being defined, but with a `*` host, `mappingSelector` does not work #5626
Comments
We notice you're using Rancher and there's a possibility it might be altering the YAML, so that's something we'd like to check. Can you run a
We see this in EKS as well, but here is the requested output from my Rancher test environment:

```
$ k get mapping -A
NAMESPACE   NAME                       SOURCE HOST                      SOURCE PREFIX   DEST SERVICE   STATE   REASON
default     quote-backend-wildcard     _skip_mapping_with_empty_host_   /backend/       quote
default     quote-backend              _skip_mapping_with_empty_host_   /backend/       quote
default     quote-backend-host         _skip_mapping_with_empty_host_   /               quote
default     quote-backend-host-splat   _skip_mapping_with_empty_host_   /splat-only/    quote
```

```
$ k describe mapping -A
Name:         quote-backend-wildcard
Namespace:    default
Labels:       hostKind=wildcard-host
Annotations:  <none>
API Version:  getambassador.io/v2
Kind:         Mapping
Metadata:
  Creation Timestamp:  2024-04-17T20:49:45Z
  Generation:          1
  Resource Version:    152376
  UID:                 405ec9da-6446-463c-bfdb-351aa40fb27f
Spec:
  ambassador_id:
    --apiVersion-v3alpha1-only--default
  Docs:
    Path:   /.ambassador-internal/openapi-docs
  Host:     _skip_mapping_with_empty_host_
  Prefix:   /backend/
  Service:  quote
Events:     <none>

Name:         quote-backend
Namespace:    default
Labels:       hostKind=localhost2
Annotations:  <none>
API Version:  getambassador.io/v2
Kind:         Mapping
Metadata:
  Creation Timestamp:  2024-04-17T20:49:45Z
  Generation:          1
  Resource Version:    152377
  UID:                 f1e4d716-3ee7-4fdd-b983-707f0913813b
Spec:
  ambassador_id:
    --apiVersion-v3alpha1-only--default
  Docs:
    Path:   /.ambassador-internal/openapi-docs
  Host:     _skip_mapping_with_empty_host_
  Prefix:   /backend/
  Service:  quote
Events:     <none>

Name:         quote-backend-host
Namespace:    default
Labels:       hostKind=localhost2
Annotations:  <none>
API Version:  getambassador.io/v2
Kind:         Mapping
Metadata:
  Creation Timestamp:  2024-04-17T20:49:45Z
  Generation:          1
  Resource Version:    152378
  UID:                 5afd128d-ea07-4e91-860e-2a53ae367e31
Spec:
  ambassador_id:
    --apiVersion-v3alpha1-only--default
  Docs:
    Path:   /.ambassador-internal/openapi-docs
  Host:     _skip_mapping_with_empty_host_
  Prefix:   /
  Service:  quote
Events:     <none>

Name:         quote-backend-host-splat
Namespace:    default
Labels:       hostKind=localhost-splat
Annotations:  <none>
API Version:  getambassador.io/v2
Kind:         Mapping
Metadata:
  Creation Timestamp:  2024-04-17T20:49:46Z
  Generation:          1
  Resource Version:    152379
  UID:                 7feb8cc0-53dc-4930-9ad9-22151ee90e24
Spec:
  ambassador_id:
    --apiVersion-v3alpha1-only--default
  Docs:
    Path:   /.ambassador-internal/openapi-docs
  Host:     _skip_mapping_with_empty_host_
  Prefix:   /splat-only/
  Service:  quote
Events:     <none>
```
Thanks, I think that looks ok. Can you try running this as well?
Here are all the hosts, they are in default namespace, but listeners are configured for

```yaml
$ k get hosts.getambassador.io -o yaml
apiVersion: v1
items:
- apiVersion: getambassador.io/v2
  kind: Host
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"getambassador.io/v3alpha1","kind":"Host","metadata":{"annotations":{},"name":"localhost2","namespace":"default"},"spec":{"hostname":"localhost2","mappingSelector":{"matchLabels":{"hostKind":"localhost2"}},"requestPolicy":{"insecure":{"action":"Route"}},"tlsSecret":{"name":"tls-cert"}}}
    creationTimestamp: "2024-04-17T20:49:20Z"
    generation: 1
    name: localhost2
    namespace: default
    resourceVersion: "152364"
    uid: 2d038cbe-6334-414d-928c-db845f18272a
  spec:
    ambassador_id:
    - --apiVersion-v3alpha1-only--default
    hostname: localhost2
    requestPolicy:
      insecure:
        action: Route
    selector:
      matchLabels:
        hostKind: localhost2
    tlsSecret:
      name: tls-cert
  status: {}
- apiVersion: getambassador.io/v2
  kind: Host
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"getambassador.io/v3alpha1","kind":"Host","metadata":{"annotations":{},"name":"localhost-splat","namespace":"default"},"spec":{"hostname":"*.localhost","mappingSelector":{"matchLabels":{"hostKind":"localhost-splat"}},"requestPolicy":{"insecure":{"action":"Route"}},"tlsSecret":{"name":"tls-cert"}}}
    creationTimestamp: "2024-04-17T20:49:21Z"
    generation: 1
    name: localhost-splat
    namespace: default
    resourceVersion: "152365"
    uid: 4f8ca933-1a20-43cb-baf2-22ceb7b89a6e
  spec:
    ambassador_id:
    - --apiVersion-v3alpha1-only--default
    hostname: '*.localhost'
    requestPolicy:
      insecure:
        action: Route
    selector:
      matchLabels:
        hostKind: localhost-splat
    tlsSecret:
      name: tls-cert
  status: {}
- apiVersion: getambassador.io/v2
  kind: Host
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"getambassador.io/v3alpha1","kind":"Host","metadata":{"annotations":{},"name":"wildcard-host","namespace":"default"},"spec":{"acmeProvider":{"authority":"none"},"hostname":"*","mappingSelector":{"matchLabels":{"hostKind":"wildcard-host"}},"requestPolicy":{"insecure":{"action":"Route"}},"tlsSecret":{"name":"tls-cert"}}}
    creationTimestamp: "2024-04-18T21:40:14Z"
    generation: 1
    name: wildcard-host
    namespace: default
    resourceVersion: "153787"
    uid: bf52ee0e-418d-4ef7-86f4-446f97fb8ca6
  spec:
    acmeProvider:
      authority: none
    ambassador_id:
    - --apiVersion-v3alpha1-only--default
    hostname: '*'
    requestPolicy:
      insecure:
        action: Route
    selector:
      matchLabels:
        hostKind: wildcard-host
    tlsSecret:
      name: tls-cert
  status: {}
kind: List
metadata:
  resourceVersion: ""
```
Thanks for that. I did some research, and this seems to be a known issue: when setting

Our recommendations for now are
Describe the bug
Through testing locally and on EKS 1.29 I have run into this same issue. Without a `*` host, a listener defined with `protocol: HTTPS` does not accept HTTPS/TLS connections. With a `hostname: "*"` host, `mappingSelector` does not work on more specific hosts.

To Reproduce
Steps to reproduce the behavior:
- `qotm` test service from getting started guide
- `openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -subj '/CN=ambassador-cert' -nodes`
- `443` on the service to `10443` locally)
- https_with_wildcard_test.txt

But only the `quote-backend-wildcard` mapping is effective.
`host/wildcard-host`
`https` listener and we see a `200` response.

Expected behavior
Either the listener accepts HTTPS connections without a `*` host being created, or more specific routes can use `mappingSelector` when a `*` host is provided. In Step 7, all cURLs should have been `200` responses. In step 9, we would expect a `200` response, but instead get SSL errors. In step 10, we would not expect a `200` response on `http` when the host has a TLS secret and we're using the HTTPS listener.

Versions (please complete the following information):
`3.9.1`, Helm version `8.9.1`
`1.29.3` and EKS `1.29`
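As an added example (not part of this issue or of the project's code), the script below models the two pieces of configuration the report turns on: a Host's `mappingSelector.matchLabels` picking Mappings by label, and a Host's `hostname` acting as a glob over the request's SNI/Host value. It is built from the four Mappings and three Hosts quoted above, and its glob matching and "most specific first" ordering are simplifying assumptions rather than the gateway's own algorithm; the point is to compute which Mappings each Host should have selected, so the `_skip_mapping_with_empty_host_` rows in `k get mapping -A` can be compared against that expectation, and to show that a bare `*` Host overlaps every more specific Host.

```python
from fnmatch import fnmatchcase

# Constructed from the Host and Mapping objects quoted in this issue:
# each Host selects Mappings by label, and its hostname is a glob over SNI/Host.
HOSTS = {
    "localhost2":      {"hostname": "localhost2",  "matchLabels": {"hostKind": "localhost2"}},
    "localhost-splat": {"hostname": "*.localhost", "matchLabels": {"hostKind": "localhost-splat"}},
    "wildcard-host":   {"hostname": "*",           "matchLabels": {"hostKind": "wildcard-host"}},
}
MAPPINGS = {
    "quote-backend-wildcard":   {"labels": {"hostKind": "wildcard-host"},   "prefix": "/backend/"},
    "quote-backend":            {"labels": {"hostKind": "localhost2"},      "prefix": "/backend/"},
    "quote-backend-host":       {"labels": {"hostKind": "localhost2"},      "prefix": "/"},
    "quote-backend-host-splat": {"labels": {"hostKind": "localhost-splat"}, "prefix": "/splat-only/"},
}

def label_selected(match_labels, labels):
    """matchLabels semantics: every selector key must be present with an equal value."""
    return all(labels.get(k) == v for k, v in match_labels.items())

def expected_selection(hosts=HOSTS, mappings=MAPPINGS):
    """Mapping names each Host's mappingSelector should pick (what the reporter expected)."""
    return {h: sorted(m for m, spec in mappings.items()
                      if label_selected(hs["matchLabels"], spec["labels"]))
            for h, hs in hosts.items()}

def unselected_mappings(hosts=HOSTS, mappings=MAPPINGS):
    """Mappings no Host selects; only these should legitimately end up skipped."""
    picked = {m for ms in expected_selection(hosts, mappings).values() for m in ms}
    return sorted(set(mappings) - picked)

def hosts_for_request(requested_host, hosts=HOSTS):
    """Hosts whose hostname glob matches a request, most specific first (assumed ordering:
    fewest '*' characters, then longest pattern)."""
    matched = [h for h, hs in hosts.items() if fnmatchcase(requested_host, hs["hostname"])]
    return sorted(matched, key=lambda h: (hosts[h]["hostname"].count("*"), -len(hosts[h]["hostname"])))

def shadowed_by_wildcard(hosts=HOSTS):
    """Specific Hosts that a bare '*' Host also matches; the overlap this issue is about."""
    if not any(hs["hostname"] == "*" for hs in hosts.values()):
        return []
    return sorted(h for h, hs in hosts.items() if hs["hostname"] != "*")

if __name__ == "__main__":
    for host, names in expected_selection().items():
        print(f"{host:16} hostname={HOSTS[host]['hostname']:12} selects {names}")
    print("unselected mappings:", unselected_mappings())
    print("hosts overlapped by '*':", shadowed_by_wildcard())
    for req in ("localhost2", "api.localhost", "example.com"):
        print(f"request for {req:14} -> hosts {hosts_for_request(req)}")
```

Every Mapping in the quoted output has a Host whose selector matches it, so none of them should be in the skipped state; that gap between expected and observed is what the report documents.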