Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failed to update listener port of a Gateway CR #3111

Closed
modatwork opened this issue Apr 7, 2024 · 4 comments
Closed

Failed to update listener port of a Gateway CR #3111

modatwork opened this issue Apr 7, 2024 · 4 comments
Labels
triage

Comments

@modatwork
Copy link

Description:

After updating the Gateway listener’s port, Envoy should listen on the new port and stop listening on the old port.

Reproduction Steps:

  1. Set up the Envoy gateway and Custom Resources (CRs) by following the quickstart guide. Initial setup works fine.
  2. Update the listener port in the Gateway Custom Resource (CR) to change it from 80 to 8001. After applying the updated Gateway CR, Envoy is not ready on either port 80 or 8001.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: eg
spec:
  gatewayClassName: eg
  listeners:
    - name: http
      protocol: HTTP
      port: 8001

Environment:

gateway version: gateway-dev:latest (imageID: docker-pullable://envoyproxy/gateway-dev@sha256:4a84a34a7955e4cf7fc276725957c11283c515b2f1e93684d753fa0582e540ba)

Logs:

2024-04-07T08:29:53.884Z        INFO    provider        kubernetes/controller.go:141    reconciling gateways    {"runner": "provider"}
2024-04-07T08:29:53.884Z        INFO    provider        kubernetes/controller.go:719    processing Gateway      {"runner": "provider", "namespace": "default", "name": "eg"}
2024-04-07T08:29:53.884Z        INFO    provider        kubernetes/routes.go:235        processing HTTPRoute    {"runner": "provider", "namespace": "default", "name": "backend"}
2024-04-07T08:29:53.884Z        INFO    provider        kubernetes/controller.go:493    processing OIDC HMAC Secret     {"runner": "provider", "namespace": "envoy-gateway-system", "name": "envoy-oidc-hmac"}
2024-04-07T08:29:53.884Z        INFO    provider        kubernetes/controller.go:316    processing Backend      {"runner": "provider", "kind": "Service", "namespace": "default", "name": "backend"}
2024-04-07T08:29:53.884Z        INFO    provider        kubernetes/controller.go:330    added Service to resource tree  {"runner": "provider", "namespace": "default", "name": "backend"}
2024-04-07T08:29:53.884Z        INFO    provider        kubernetes/controller.go:364    added EndpointSlice to resource tree    {"runner": "provider", "namespace": "default", "name": "backend-nphpz"}
2024-04-07T08:29:53.884Z        INFO    provider        kubernetes/controller.go:277    reconciled gateways successfully        {"runner": "provider"}
2024-04-07T08:29:53.884Z        INFO    provider        status/status.go:122    received a status update        {"runner": "provider", "namespace": "", "name": "eg"}
2024-04-07T08:29:53.884Z        INFO    gateway-api     runner/runner.go:56     received an update      {"runner": "gateway-api"}
2024-04-07T08:29:53.884Z        INFO    provider.eg     status/status.go:92     status unchanged, bypassing update      {"runner": "provider"}
2024-04-07T08:29:53.884Z        INFO    gateway-api     runner/runner.go:104    proxy:
  listeners:
  - address: null
    name: default/eg/http
    ports:
    - containerPort: 8001
      name: http
      protocol: HTTP
      servicePort: 8001
  metadata:
    labels:
      gateway.envoyproxy.io/owning-gateway-name: eg
      gateway.envoyproxy.io/owning-gateway-namespace: default
  name: default/eg
        {"runner": "gateway-api", "infra-ir": "default/eg"}
2024-04-07T08:29:53.884Z        INFO    infrastructure  runner/runner.go:78     received an update      {"runner": "infrastructure"}
2024-04-07T08:29:53.884Z        INFO    gateway-api     runner/runner.go:115    accessLog:
  text:
  - path: /dev/stdout
http:
- address: 0.0.0.0
  hostnames:
  - '*'
  isHTTP2: false
  name: default/eg/http
  path:
    escapedSlashesAction: UnescapeAndRedirect
    mergeSlashes: true
  port: 8001
  routes:
  - backendWeights:
      invalid: 0
      valid: 0
    destination:
      name: httproute/default/backend/rule/0
      settings:
      - addressType: IP
        endpoints:
        - host: 192.168.49.6
          port: 3000
        protocol: HTTP
        weight: 1
    hostname: '*'
    isHTTP2: false
    name: httproute/default/backend/rule/0/match/0/*
    pathMatch:
      distinct: false
      name: ""
      prefix: /
        {"runner": "gateway-api", "xds-ir": "default/eg"}
2024-04-07T08:29:53.885Z        INFO    xds-translator  runner/runner.go:55     received an update      {"runner": "xds-translator"}
2024-04-07T08:29:53.885Z        INFO    provider        status/status.go:122    received a status update        {"runner": "provider", "namespace": "default", "name": "backend"}
2024-04-07T08:29:53.885Z        INFO    provider.backend.default        status/status.go:92     status unchanged, bypassing update      {"runner": "provider"}
2024-04-07T08:29:53.885Z        INFO    provider        status/status.go:122    received a status update        {"runner": "provider", "namespace": "default", "name": "eg"}
2024-04-07T08:29:53.885Z        INFO    xds-server      runner/runner.go:141    received an update      {"runner": "xds-server"}
2024-04-07T08:29:53.889Z        INFO    v3/simple.go:569        open delta watch ID:8 for type.googleapis.com/envoy.config.listener.v3.Listener Resources:map[] from nodeID: "envoy-default-eg-e41e7b31-97946df66-vt6wz",  version "5"
2024-04-07T08:29:53.910Z        ERROR   infrastructure  runner/runner.go:94     failed to create new infra      {"runner": "infrastructure", "error": "failed to create or update deployment envoy-gateway-system/envoy-default-eg-e41e7b31: for Update: Deployment.extensions \"envoy-default-eg-e41e7b31\" is invalid: spec.template.spec.containers[0].ports[1].name: Duplicate value: \"http-e0603c49\""}
2024-04-07T08:29:53.911Z        ERROR   watchable       message/watchutil.go:56 observed an error       {"runner": "infrastructure", "error": "failed to create or update deployment envoy-gateway-system/envoy-default-eg-e41e7b31: for Update: Deployment.extensions \"envoy-default-eg-e41e7b31\" is invalid: spec.template.spec.containers[0].ports[1].name: Duplicate value: \"http-e0603c49\""}
@zirain
Copy link
Contributor

zirain commented Apr 7, 2024

seems related to #3034, @ardikabs can you take a look?

@ardikabs
Copy link
Contributor

ardikabs commented Apr 7, 2024

as far as I can find is this kubernetes/kubernetes#113246, it turned out that the mergeKey refers to containerPort instead of name. Thought @zirain?

@ardikabs
Copy link
Contributor

ardikabs commented Apr 7, 2024
edited
Loading

The solution would be moving Create to Patch as well, as per this comment

It is probably because you did not create the object using apply. Apply expects to manage the entire lifecycle of the object, so when you created independently, it had no record of the original applied content, so it didn't know your updated manifest should remove the old port.

Referred code:

gateway/internal/infrastructure/kubernetes/infra_client.go

Lines 32 to 35 in 29946b0

// Create if it does not exist.
if err := cli.Client.Create(ctx, specific); err != nil {
return fmt.Errorf("for Create: %w", err)
}

Just to let you know, I tested locally using Patch instead of Create on the above code, and it worked as intended (including changing the listener port).

@zirain
Copy link
Contributor

zirain commented Apr 8, 2024

can you send a fix and include a e2e test?

@arkodg arkodg mentioned this issue Apr 8, 2024
Merged
arkodg added a commit to arkodg/gateway that referenced this issue Apr 8, 2024
@arkodg
Use <proto>-<port> for naming service and container ports
245117b 
Takes inspiration from envoyproxy#2973
to name port, not off the listener but off the port-proto ensuring
that patch (during updates) also works

Fixes: envoyproxy#3111

Signed-off-by: Arko Dasgupta <[email protected]>
@arkodg arkodg mentioned this issue Apr 8, 2024
Merged
@ardikabs ardikabs mentioned this issue Apr 8, 2024
Merged
arkodg added a commit to arkodg/gateway that referenced this issue Apr 15, 2024
@arkodg
Use <proto>-<port> for naming service and container ports
318b7d9 
Takes inspiration from envoyproxy#2973
to name port, not off the listener but off the port-proto ensuring
that patch (during updates) also works

Fixes: envoyproxy#3111

Signed-off-by: Arko Dasgupta <[email protected]>
arkodg added a commit that referenced this issue Apr 17, 2024
@arkodg
Use <proto>-<port> for naming service and container ports (#3130)
c41247b 
* Use <proto>-<port> for naming service and container ports

Takes inspiration from #2973
to name port, not off the listener but off the port-proto ensuring
that patch (during updates) also works

Fixes: #3111

Signed-off-by: Arko Dasgupta <[email protected]>

* testdata

Signed-off-by: Arko Dasgupta <[email protected]>

* fix test

Signed-off-by: Arko Dasgupta <[email protected]>

* move to helper pkg

Signed-off-by: Arko Dasgupta <[email protected]>

* fix e2e

Signed-off-by: Arko Dasgupta <[email protected]>

* lint

Signed-off-by: Arko Dasgupta <[email protected]>

* fix e2e

Signed-off-by: Arko Dasgupta <[email protected]>

---------

Signed-off-by: Arko Dasgupta <[email protected]>
arkodg added a commit to arkodg/gateway that referenced this issue Jun 11, 2024
@arkodg
Use <proto>-<port> for naming service and container ports (envoyproxy…
1167834 
…#3130)

* Use <proto>-<port> for naming service and container ports

Takes inspiration from envoyproxy#2973
to name port, not off the listener but off the port-proto ensuring
that patch (during updates) also works

Fixes: envoyproxy#3111

Signed-off-by: Arko Dasgupta <[email protected]>

* testdata

Signed-off-by: Arko Dasgupta <[email protected]>

* fix test

Signed-off-by: Arko Dasgupta <[email protected]>

* move to helper pkg

Signed-off-by: Arko Dasgupta <[email protected]>

* fix e2e

Signed-off-by: Arko Dasgupta <[email protected]>

* lint

Signed-off-by: Arko Dasgupta <[email protected]>

* fix e2e

Signed-off-by: Arko Dasgupta <[email protected]>

---------

Signed-off-by: Arko Dasgupta <[email protected]>
(cherry picked from commit c41247b)
Signed-off-by: Arko Dasgupta <[email protected]>
arkodg added a commit to arkodg/gateway that referenced this issue Jun 12, 2024
@arkodg
Use <proto>-<port> for naming service and container ports (envoyproxy…
4b7dee4 
…#3130)

* Use <proto>-<port> for naming service and container ports

Takes inspiration from envoyproxy#2973
to name port, not off the listener but off the port-proto ensuring
that patch (during updates) also works

Fixes: envoyproxy#3111

Signed-off-by: Arko Dasgupta <[email protected]>

* testdata

Signed-off-by: Arko Dasgupta <[email protected]>

* fix test

Signed-off-by: Arko Dasgupta <[email protected]>

* move to helper pkg

Signed-off-by: Arko Dasgupta <[email protected]>

* fix e2e

Signed-off-by: Arko Dasgupta <[email protected]>

* lint

Signed-off-by: Arko Dasgupta <[email protected]>

* fix e2e

Signed-off-by: Arko Dasgupta <[email protected]>

---------

Signed-off-by: Arko Dasgupta <[email protected]>
(cherry picked from commit c41247b)
Signed-off-by: Arko Dasgupta <[email protected]>
Xunzhuo pushed a commit that referenced this issue Jun 12, 2024
@arkodg @liorokman
@ardikabs @aoledk @zetaab @eguzki @haoqixu @alexwo @guydc @phantooom
[release/v1.0] Cherry-pick fixes for v1.0.2 (#3593)
7ffa89f 
* Use <proto>-<port> for naming service and container ports (#3130)

* Use <proto>-<port> for naming service and container ports

Takes inspiration from #2973
to name port, not off the listener but off the port-proto ensuring
that patch (during updates) also works

Fixes: #3111

Signed-off-by: Arko Dasgupta <[email protected]>

* testdata

Signed-off-by: Arko Dasgupta <[email protected]>

* fix test

Signed-off-by: Arko Dasgupta <[email protected]>

* move to helper pkg

Signed-off-by: Arko Dasgupta <[email protected]>

* fix e2e

Signed-off-by: Arko Dasgupta <[email protected]>

* lint

Signed-off-by: Arko Dasgupta <[email protected]>

* fix e2e

Signed-off-by: Arko Dasgupta <[email protected]>

---------

Signed-off-by: Arko Dasgupta <[email protected]>
(cherry picked from commit c41247b)
Signed-off-by: Arko Dasgupta <[email protected]>

* bug: Tests are failing due to an expired certificate in one of the translator tests (#3476)

Replaced a certificate in the test that had expired.

The old certificate expired May 24 2024:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            ca:7c:5c:b7:25:5d:bb:f9
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=test.example.com
        Validity
            Not Before: May 25 14:10:42 2023 GMT
            Not After : May 24 14:10:42 2024 GMT
        Subject: CN=test.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:78:cb:47:0b:78:48:7a:ad:90:b1:d9:2d:4a:2f:
                    d9:35:1f:cc:28:d6:af:4a:6d:c7:36:7e:ed:1a:88:
                    1f:a9:aa:a7:f0:04:a0:1c:86:bb:c9:45:3e:f8:fb:
                    28:0c:3e:a4:7f:ef:82:7b:bb:ac:77:49:90:3b:54:
                    a7:75:82:16:8f:64:0b:88:8c:f4:35:91:fc:07:f4:
                    2b:e2:2e:c9:d0:82:b0:b1:09:54:9e:e9:d9:aa:fe:
                    4a:63:d4:cb:41:ad:27
                ASN1 OID: secp384r1
                NIST CURVE: P-384
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:65:02:31:00:86:4e:33:e4:86:37:4c:26:a7:be:57:51:44:
        8e:6c:88:ea:3c:03:58:00:a3:5e:7a:53:9e:2c:54:b3:ab:82:
        25:fe:4c:e4:be:4d:8c:56:e2:da:d8:de:d2:20:ca:13:55:02:
        30:0c:2a:27:a7:fd:2b:a9:87:4f:06:ea:4e:2d:cc:48:4d:9d:
        d7:cf:73:88:6d:98:54:18:83:6d:e5:a9:c3:84:75:c9:ee:c6:
        0d:1a:15:a2:8c:68:86:88:83:17:b9:7a:9b

The new certificate is good for 10 years.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            42:29:94:01:e1:cb:32:dc:f8:b4:64:6d:9e:1e:28:8d:7b:5a:53:3b
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=test.example.com
        Validity
            Not Before: May 25 09:11:37 2024 GMT
            Not After : May 23 09:11:37 2034 GMT
        Subject: CN=test.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:78:cb:47:0b:78:48:7a:ad:90:b1:d9:2d:4a:2f:
                    d9:35:1f:cc:28:d6:af:4a:6d:c7:36:7e:ed:1a:88:
                    1f:a9:aa:a7:f0:04:a0:1c:86:bb:c9:45:3e:f8:fb:
                    28:0c:3e:a4:7f:ef:82:7b:bb:ac:77:49:90:3b:54:
                    a7:75:82:16:8f:64:0b:88:8c:f4:35:91:fc:07:f4:
                    2b:e2:2e:c9:d0:82:b0:b1:09:54:9e:e9:d9:aa:fe:
                    4a:63:d4:cb:41:ad:27
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                DA:49:EA:13:99:CA:DE:10:D2:70:2B:27:E2:60:AA:E0:F4:7B:EA:50
            X509v3 Authority Key Identifier:
                DA:49:EA:13:99:CA:DE:10:D2:70:2B:27:E2:60:AA:E0:F4:7B:EA:50
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:65:02:30:6d:4e:25:4f:84:f4:38:7e:c4:de:c8:d1:55:0c:
        af:4b:e4:c0:a1:f3:59:de:fb:48:0a:96:07:65:29:9f:fe:7c:
        3c:ee:f0:c9:ca:17:bc:cd:bd:a4:31:38:24:4f:c6:e5:02:31:
        00:e6:9a:ce:52:60:4b:b8:0e:e7:23:6d:8a:69:a0:21:e5:d1:
        bb:e8:e9:09:6a:32:d6:8c:58:49:f4:76:86:e6:c1:b8:24:d3:
        44:08:fa:1c:ef:34:70:c1:24:76:a9:35:8f

Signed-off-by: Lior Okman <[email protected]>
(cherry picked from commit c2c9b43)
Signed-off-by: Arko Dasgupta <[email protected]>

* fix: use Patch API for infra-client (#3034)

* fix(infrastructure): use Patch API instead

Signed-off-by: Ardika Bagus <[email protected]>

* chore: add interceptor for ApplyPatch on fake client

Signed-off-by: Ardika Bagus <[email protected]>

* chore: trigger make generate

Signed-off-by: Ardika Bagus <[email protected]>

* chore: remove update verb

Signed-off-by: Ardika Bagus <[email protected]>

* chore: SetUID no longer needed

Signed-off-by: Ardika Bagus <[email protected]>

---------

Signed-off-by: Ardika Bagus <[email protected]>
(cherry picked from commit cc01bf5)
Signed-off-by: Arko Dasgupta <[email protected]>

* refactor: infra client CreateOrUpdate to ServerSideApply (#3134)

* refactor(infra-client): CreateOrUpdate to ServerSideApply

Signed-off-by: Ardika Bagus <[email protected]>

* test(infra-client): add e2e test for ServerSideApply

Signed-off-by: Ardika Bagus <[email protected]>

* chore: remove comment

Signed-off-by: Ardika Bagus <[email protected]>

* chore: fix linter

Signed-off-by: Ardika Bagus <[email protected]>

---------

Signed-off-by: Ardika Bagus <[email protected]>
(cherry picked from commit 81108f2)
Signed-off-by: Arko Dasgupta <[email protected]>

* fix: duplicated xroutes are added to gatewayapi.Resources (#3282)

fix duplicated xroutes

Signed-off-by: Dingkang Li <[email protected]>
(cherry picked from commit 32c6876)
Signed-off-by: Arko Dasgupta <[email protected]>

* fix: add proxy protocol always as first listenerFilter (#3332)

* add proxy protocol always as first listenerFilter

Signed-off-by: Jesse Haka <[email protected]>

* add test

Signed-off-by: Jesse Haka <[email protected]>

---------

Signed-off-by: Jesse Haka <[email protected]>
(cherry picked from commit 6d8f2dc)
Signed-off-by: Arko Dasgupta <[email protected]>

* fix: security policy reference grant from field type (#3386)

fix: security policy reference grant from field

Signed-off-by: Eguzki Astiz Lezaun <[email protected]>
(cherry picked from commit bd72474)
Signed-off-by: Arko Dasgupta <[email protected]>

* bug: Route extension filters with different types but the same name and namespace aren't correctly cached (#3388)

* Route extension filters are unstructured.Unstructured instances, so
caching them should be done with both the name and type as a key.

Signed-off-by: Lior Okman <[email protected]>

* Moved NamespacedNameAndType to the Kubernetes helpers, and renamed it to
be clearer about what it has.

Signed-off-by: Lior Okman <[email protected]>

* Also renamed the helper function.

Signed-off-by: Lior Okman <[email protected]>

* Moved to the 'utils' package to be beside NamespacedName.

Signed-off-by: Lior Okman <[email protected]>

* Renamed structure according to review, and updated the comments

Signed-off-by: Lior Okman <[email protected]>

---------

Signed-off-by: Lior Okman <[email protected]>
(cherry picked from commit 95e2e35)
Signed-off-by: Arko Dasgupta <[email protected]>

* fix(translator): set ignoreCase for header matchers in extAuth (#3420)

fix: set ignoreCase for header matchers in extAuth

Signed-off-by: haoqixu <[email protected]>
(cherry picked from commit 8206e11)
Signed-off-by: Arko Dasgupta <[email protected]>

* fix secrets/configmap updates do not trigger a controller reconcile (#3499)

* ensure both secrets and config map reconcile upon changes

ensure secret/config map changes trigger a reconcile

Signed-off-by: Alex Volchok <[email protected]>

* Update controller.go

Signed-off-by: Alex Volchok <[email protected]>

* Update controller.go

Signed-off-by: Alex Volchok <[email protected]>

---------

Signed-off-by: Alex Volchok <[email protected]>
(cherry picked from commit ff2c598)
Signed-off-by: Arko Dasgupta <[email protected]>

* feat: backend TLS SAN validation (#3507)

* BTLS: enforce SAN validation

Signed-off-by: Guy Daich <[email protected]>

* use dedicated cert for ext-proc e2e test

Signed-off-by: Guy Daich <[email protected]>

* fix ext-proc server client tls settings

Signed-off-by: Guy Daich <[email protected]>

---------

Signed-off-by: Guy Daich <[email protected]>
(cherry picked from commit dc201ba)
Signed-off-by: Arko Dasgupta <[email protected]>

* fix: ReplaceFullPath not working for root path (/) (#3530)

* fix: ReplaceFullPath not working for root path (/)

Takes #2817 forward

Signed-off-by: Arko Dasgupta <[email protected]>
(cherry picked from commit 8f83c3d)
Signed-off-by: Arko Dasgupta <[email protected]>

* chore: Remove namespace restriction for EnvoyProxy parametersRef reso… (#3544)

chore: Remove namespace restriction for EnvoyProxy parametersRef resource
(cherry picked from commit b870e39)
Signed-off-by: Arko Dasgupta <[email protected]>

* fix test

rm invalid diff related to #3134

Signed-off-by: Arko Dasgupta <[email protected]>

* fix GatewayInfraResourceTest

Signed-off-by: Arko Dasgupta <[email protected]>

---------

Signed-off-by: Arko Dasgupta <[email protected]>
Signed-off-by: Lior Okman <[email protected]>
Signed-off-by: Ardika Bagus <[email protected]>
Signed-off-by: Dingkang Li <[email protected]>
Signed-off-by: Jesse Haka <[email protected]>
Signed-off-by: Eguzki Astiz Lezaun <[email protected]>
Signed-off-by: haoqixu <[email protected]>
Signed-off-by: Alex Volchok <[email protected]>
Signed-off-by: Guy Daich <[email protected]>
Co-authored-by: Lior Okman <[email protected]>
Co-authored-by: Ardika <[email protected]>
Co-authored-by: Dingkang Li <[email protected]>
Co-authored-by: Jesse Haka <[email protected]>
Co-authored-by: Eguzki Astiz Lezaun <[email protected]>
Co-authored-by: xu0o0 <[email protected]>
Co-authored-by: Alex Volchok <[email protected]>
Co-authored-by: Guy Daich <[email protected]>
Co-authored-by: zou rui <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zirain @ardikabs @modatwork