Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Some update transitions terminally error out #221

Open
euank opened this issue May 11, 2023 · 0 comments
Open

Some update transitions terminally error out #221

euank opened this issue May 11, 2023 · 0 comments
Assignees
@jonstacks
Labels
area/controller Issues dealing with the controller bug Something isn't working priority/low

Comments

@euank
Copy link
Contributor

euank commented May 11, 2023
edited

What happened

There are a number of updates that do not work and result in the ingress being stuck in a broken state.

I'll list a few, but I expect there are quite a few more:

IPolicy duplicate-ish rules

Applying the following diff:

 apiVersion: ingress.k8s.ngrok.com/v1alpha1
 kind: IPPolicy
 metadata:
   name: test-policy
 spec:
   rules:
-  - action: allow
+  - action: deny
     cidr: 127.0.0.1/32

results in the terminal error:

2023-05-11T07:57:48Z	ERROR	Reconciler error	{"controller": "ippolicy", "controllerGroup": "ingress.k8s.ngrok.com", "controllerKind": "IPPolicy", "IPPolicy": {"name":"test-policy","namespace":"default"}, "namespace": "default", "name": "test-policy", "reconcileID": "3d692c18-9bd3-4275-b2d3-ed559c612093", "error": "HTTP 400: IP Policy Rule with CIDR '127.0.0.1/32' already exists [ERR_NGROK_1408]\n\nOperation ID: op_2PdfRGQmUcjcjXkqIRnvGASQQyr"}

even though the start and end states are both valid IP Policies.

OIDC->OAuth

Creating an edge with a valid OIDC config, and then deleting the OIDC config and replacing it with an OAuth config (in one kubectl apply) is a transition from a valid state to a valid state, but terminally errors out with:

2023-05-11T08:19:52Z	ERROR	Reconciler error	{"controller": "httpsedge", "controllerGroup": "ingress.k8s.ngrok.com", "controllerKind": "HTTPSEdge", "HTTPSEdge": {"name":"euank-test-ingress-ngrok-app","namespace":"default"}, "namespace": "default", "name": "euank-test-ingress-ngrok-app", "reconcileID": "35cc5666-885a-4215-acc2-0ac70ee6b893", "error": "HTTP 400: The edge specifies conflicting authentication modules. Only one of SAML, OIDC, or OAuth may be enabled. [ERR_NGROK_7079]\n\nOperation ID: op_2Pdi7YrFWhVcycMnDATcHy57itM"}

Changing route path-type

 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: test
 spec:
   ingressClassName: ngrok
   rules:
     - host: euank-test-ingress.ngrok.app
       http:
         paths:
           - path: /
-            pathType: Prefix
+            pathType: Exact
             backend:
               service:
                 name: test
                 port:
                   number: 80

The above is a transition from a valid state to a valid state, but applying that diff results in the terminal:

2023-05-11T08:27:19Z	ERROR	Reconciler error	{"controller": "httpsedge", "controllerGroup": "ingress.k8s.ngrok.com", "controllerKind": "HTTPSEdge", "HTTPSEdge": {"name":"euank-test-ingress-ngrok-app","namespace":"default"}, "namespace": "default", "name": "euank-test-ingress-ngrok-app", "reconcileID": "046c3afe-8063-495c-b0ec-e46b3794b7b7", "error": "HTTP 400: Route match expression '/' must be unique across all routes for HTTPS edge. [ERR_NGROK_7126]\n\nOperation ID: op_2Pdj1l1rOGnAAqEWlFdRWxsMjkd"}

What you think should happen instead

All of the above transitions are from a valid configuration to a valid configuration, so they should work.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jonstacks jonstacks

Labels
area/controller Issues dealing with the controller bug Something isn't working priority/low
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@euank @jonstacks @alex-bezek