Add ingress option #774
Add ingress option #774
Conversation
- Update BATS to run with latest bats config
thisisnotashwin
requested review from
kschoche,
a team and
lkysow
and removed request for
a team
test/unit/ui-ingress.bats
Outdated
| [ "${actual}" = "foo.com" ] | ||
| } | ||
|
|
||
| @test "ui/Ingress: port 80 when global.tls.enabled=false enables http port" { |
There was a problem hiding this comment.
I'm finding these test descriptions a bit hard to grok. Maybe "exposes single backed on port 80 when global.tls.enabled=false" and "exposes backends on ports 80 and 443 when ..."?
There was a problem hiding this comment.
omg i just read the test names and i admit they are horrible. copy-pasting with proof-reading. this is why we review!
| # tls is a list of hosts and secret name in an Ingress | ||
| # which tells the Ingress controller to secure the channel. |
There was a problem hiding this comment.
Should we tell them what secret to use? Do they need to use passthrough TLS if consul tls is enabled?
There was a problem hiding this comment.
So i realized in my tinkering that i hadn't tested the only TLS (https only enabled) options. ie, the 80 port was always open on the service. the ingress resource always performs TLS termination so we cant point traffic to 443 as the request that reached the service will always be HTTP. I guess it doesnt make sense for this PR to support port 443 in that case, and ill make the requisite changes.
|
@lkysow re version: I can switch over to version |
thisisnotashwin
force-pushed
the
add-ingress-option
branch
4 times, most recently
from
09aa9da to
84c20f8
Compare
templates/ui-ingress.yaml
Outdated
| - host: {{ .host | quote }} | ||
| http: | ||
| paths: | ||
| {{- if (or (not $global.tls.enabled) (not $global.tls.httpsOnly)) }} |
There was a problem hiding this comment.
The only difference I'm seeing between L27-32 and L35-49 is the servicePort. So why not just make that the conditional instead of the entire block?
There was a problem hiding this comment.
I guess the only motivation there would be in a situation when TLS is enabled but both HTTP and HTTPs traffic is allowed, we would need both the blocks. I can look at DRY-ing this up though.
There was a problem hiding this comment.
I see your point from a what's allowed perspective, but not sure why someone would create an Ingress and allow port 80 traffic, if 443 is available for the UI. I would think that the primary reason for having 80 and 443 enabled on consul is because they are migrating from 80 to 443 and havent finished shoring up the clients still using 80.
There was a problem hiding this comment.
And in the case where they are both enabled how does the ingress know which backend to send to if they are defined the exact same way but with different servicePort? This is just a general curiousity question, if the path were different, I could see how it would work. But I'd almost think this would be an invalid configuration for an Ingress.
There was a problem hiding this comment.
In case the Ingress controller does not support TLS passthrough, only supporting port 443 will not work. In the case when both ports are exposed, the controller multiplexes the requests across the ports and responds with whichever response is successful.
That is a really good questions though. I tested it with both ports open without the passthrough and it worked like a treat.
There was a problem hiding this comment.
This allows for maximum flexibility but ensures the ability to expose just the one port (443) if that is so desired. Did I understand your question correctly?
thisisnotashwin
force-pushed
the
add-ingress-option
branch
from
84c20f8 to
2ddc2fd
Compare
lkysow
force-pushed
the
add-ingress-option
branch
from
2ddc2fd to
00435b5
Compare
thisisnotashwin
force-pushed
the
add-ingress-option
branch
from
00435b5 to
2ddc2fd
Compare
Changes proposed in this PR:
global.tls.enabledis true andglobal.tls.httpsOnlyisfalse.The ingress resource always performs TLS termination at the point of ingress and can only communicate with the Consul server over the HTTP port. This can be avoided by certain ingress controllers that have the option of allowing ssl pass-through. Added a note to ensure that users have an ingress controller that can passthrough SSL and have it enabled if they want to enable TLS on Consul.
How I've tested this PR:
How I expect reviewers to test this PR:
Checklist: