Detect unconditional redirects and ignore any rules defined afterwards #1162
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Welcome @tomfotherby! |
|
Hi @tomfotherby. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
|
/assign @bigkraig |
tomfotherby
force-pushed
the
ignore_following_unconditionalRedirect
branch
from
2120eb4 to
9274a84
Compare
|
We have been running a ALB ingress controller that uses the code in this PR at https://peopleperhour.com in production successfully. It freed up > 40 ALB rules for us. The ALB gets about 110 requests per second:
|
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
would you help fix the lint..i'll clean up some vpcs in our test account to make e2e pass :D |
Yes, I'll fix this. If I have understood it correctly, I should have used |
Detect unconditional redirects and ignore any rules defined afterwards
tomfotherby
force-pushed
the
ignore_following_unconditionalRedirect
branch
from
9274a84 to
0a176e4
Compare
|
I pushed a fix which I hope will pass the linter because I used |
|
thanks 🤣 |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: M00nF1sh, tomfotherby The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
Thanks so much for this @tomfotherby and for merging it @M00nF1sh. We're really keen to use this and just wondering if there is a target date for the next release containing it? Thanks! |
|
I just tried v1.1.6 with this fix. Is this intended to work across multiple hosts? For example: spec:
rules:
- http:
paths:
- path: /*
backend:
serviceName: ssl-redirect
servicePort: use-annotation
- host: hostA
http:
paths:
- path: /pathA/*
backend:
serviceName: serviceA
servicePort: 80
- host: hostB
http:
paths:
- path: /*
backend:
serviceName: serviceB
servicePort: 80I believe that if the redirect rule does not have host specified, it should be considered as unconditional redirect as well. So in this case |
|
@AndrewBoklashko - Good point. I agree with you. Alas, currently the controller processes each rule in turn and the short circuit mechanism that avoids unneeded rules only operates in the scope of the individual rule. In my understanding, but please correct me if I'm wrong, the bug you found isn't causing active harm, i.e. it's not causing needed rules to go missing, but it's not operating as well as it could (i.e. it's not doing what it says on the tin). Is that correct? I appologise for this mistake. I hadn't considered "hostless rules" even though I see the example does not have a host specified. Thanks for bringing it up - I will work on a patch because we would also benefit from this. I can't promise speed though, I think it will be a level-up in complexity from the current solution and there's rather a lot going on presently... |
That is correct.
All good, thanks for the follow up. Will be looking to try a patch, but no rush - we can live with how it works now too. |
|
hi @tomfotherby, @AndrewBoklashko, I just thought I'd follow up and see if either you got any further on the above ^^ Is this being tracked under #853? If not, would you like me to create a new issue for it? |
|
@tdmalone - At my company we don't currently use "hostless rules" in our ALB ingress spec. So to set expectations, I'm not going to be working on an enhancement for the foreseeable future. I would find it hard to test things without a real use-case in my aws account. My PR unfortunately had a bug (raised in #1274 and fixed in #1286) which revealed to me the sharp edges and how important it would be to test well. With any luck, other folk will get involved.
I would say #853 tracks it. |
|
No worries @tomfotherby, thanks for the reply. I might see if I can refactor to hostless rules and/or try to dig into the code here to see if I can make something work (not a Go programmer, but I could take a stab!) |
|
resolved to version 1.16 #1274 |
…lowing_unconditionalRedirect Detect unconditional redirects and ignore any rules defined afterwards
(this is my first PR for GoLang code and for Kubernetes-related projects, so bear with me if I make mistakes or faux pas)
ALBs only support 100 rules and we have hit the limit in our project - we are looking for a way to reduce rules and have identified that the aws alb controller is creating some unneeded ALB rules.
We use a annotation to redirect port 80 requests to port 443. This is the annotation documentation: https://github.com/kubernetes-sigs/aws-alb-ingress-controller/blob/master/docs/guide/tasks/ssl_redirect.md
If a unconditional redirect rule is present in the configuration then all following rules within the same listener are not needed. This PR changes things so they are skipped thereby conserving rules.
For the biggest benefit, it is best to define the redirect rule first in the config. Because only subsequent rules are skipped. This is in line with the ssl-redirect annotation which says:
I have tested on our project, with success. But please let me know if I can make any improvements.
If this is not something that fits with the direction of the project, no problem, please close this PR. I only created it in case it's useful - I'm 100% happy to close if not the case.
Relvant GitHub issue #853 (comment)