- Bug
- Resolution: Obsolete
- Major
- maistra-1.1.x
Versions: OCP v4.5, RHSM v1.1.x (have encountered this since 1.1.0 until the latest 1.1.9)
It appears that Maistra's IOR is not able to handle any updates to a Gateway after the Gateway has already been created.
Reproducing steps:
1. Install an SMCP with ".spec.istio.gateways.istio-ingressgateway.ior_enabled=true"
2. Create a Gateway
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: test-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - test-service.apps.my-cluster.example.com
3. Watch for IOR to create the Route based on this Gateway:
---
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  generateName: mdh-test-gateway-
  annotations:
    maistra.io/original-host: test-service.apps.my-cluster.example.com
  name: mdh-test-gateway-s57vp
  namespace: istio-system
  labels:
    maistra.io/gateway-name: test-gateway
    maistra.io/gateway-namespace: mdh
    maistra.io/generated-by: ior
spec:
  host: test-service.apps.my-cluster.example.com
  to:
    kind: Service
    name: istio-ingressgateway
    weight: 100
  port:
    targetPort: https
  tls:
    termination: passthrough
  wildcardPolicy: None
4. Apply an updated Gateway (add port 80 which should redirect to 443)
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: test-gateway
  namespace: mdh
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true
    hosts:
    - test-service.apps.my-cluster.example.com
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - test-service.apps.my-cluster.example.com
5. Route generated by IOR remains unchanged (the same as above).
I would expect that it should be updated by IOR to look like this (spec.tls.insecureEdgeTerminationPolicy field should be added):
---
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  generateName: mdh-test-gateway-
  annotations:
    maistra.io/original-host: test-service.apps.my-cluster.example.com
  name: mdh-test-gateway-s57vp
  namespace: istio-system
  labels:
    maistra.io/gateway-name: test-gateway
    maistra.io/gateway-namespace: mdh
    maistra.io/generated-by: ior
spec:
  host: test-service.apps.my-cluster.example.com
  to:
    kind: Service
    name: istio-ingressgateway
    weight: 100
  port:
    targetPort: https
  tls:
    insecureEdgeTerminationPolicy: Redirect
    termination: passthrough
  wildcardPolicy: None
My current workaround whenever updating a Gateway is to delete the Gateway entirely, wait for IOR to delete the Route, then re-apply the new GW config, which IOR will correctly pick up and create the new Route from. Obviously this isn't ideal, as we should be able to update Routes via Gateways/IOR without deleting them.
- is related to: MAISTRA-1811 IOR - Editing a gateway does not edit the managed route (Closed)
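
An added example, not part of the original report and not Maistra's code: a Python check that finds IOR-generated Routes still missing the redirect policy after their Gateway was updated. It assumes the mapping the reporter expects (`httpsRedirect: true` on the Gateway should yield `insecureEdgeTerminationPolicy: Redirect` on the Route) and takes objects already parsed into dicts, for example from `oc get -o json`; the function names and the sample data (constructed from the manifests in the report) are hypothetical.

```python
"""Flag IOR-generated Routes that lag behind their Gateway (added example)."""

GEN_BY = "maistra.io/generated-by"
GW_NAME = "maistra.io/gateway-name"
GW_NS = "maistra.io/gateway-namespace"
ORIG_HOST = "maistra.io/original-host"


def redirect_hosts(gateway):
    """Hosts for which the Gateway asks for an HTTP -> HTTPS redirect."""
    hosts = set()
    for server in gateway["spec"].get("servers", []):
        if (server.get("tls") or {}).get("httpsRedirect"):
            hosts.update(server.get("hosts", []))
    return hosts


def stale_routes(gateways, routes):
    """Return names of IOR Routes missing the redirect their Gateway requests."""
    wanted = {}
    for gw in gateways:
        meta = gw["metadata"]
        wanted[(meta.get("namespace"), meta["name"])] = redirect_hosts(gw)
    stale = []
    for route in routes:
        meta = route["metadata"]
        labels = meta.get("labels", {})
        if labels.get(GEN_BY) != "ior":
            continue  # Route is not managed by IOR
        key = (labels.get(GW_NS), labels.get(GW_NAME))
        host = meta.get("annotations", {}).get(ORIG_HOST, route["spec"].get("host"))
        policy = (route["spec"].get("tls") or {}).get("insecureEdgeTerminationPolicy")
        if host in wanted.get(key, set()) and policy != "Redirect":
            stale.append(meta["name"])
    return stale


# Constructed sample: the updated Gateway (step 4) and the unchanged Route (step 3).
HOST = "test-service.apps.my-cluster.example.com"
GATEWAY = {"metadata": {"name": "test-gateway", "namespace": "mdh"},
           "spec": {"servers": [
               {"port": {"number": 80}, "tls": {"httpsRedirect": True}, "hosts": [HOST]},
               {"port": {"number": 443}, "tls": {"mode": "SIMPLE"}, "hosts": [HOST]}]}}
ROUTE = {"metadata": {"name": "mdh-test-gateway-s57vp", "namespace": "istio-system",
                      "annotations": {ORIG_HOST: HOST},
                      "labels": {GW_NAME: "test-gateway", GW_NS: "mdh", GEN_BY: "ior"}},
         "spec": {"host": HOST, "tls": {"termination": "passthrough"}}}

if __name__ == "__main__":
    print(stale_routes([GATEWAY], [ROUTE]))
```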