Skip to content
This repository was archived by the owner on Jul 11, 2023. It is now read-only.

fix(demo): remove host headers in SMI policies#3644

Merged
nojnhuh merged 1 commit intoopenservicemesh:mainfrom
nojnhuh:host-headers
Jun 23, 2021
Merged

fix(demo): remove host headers in SMI policies#3644
nojnhuh merged 1 commit intoopenservicemesh:mainfrom
nojnhuh:host-headers

Conversation

@nojnhuh
Copy link
Contributor

@nojnhuh nojnhuh commented Jun 22, 2021
edited
Loading

Description:
fix(demo): remove host headers in SMI policies

The :authority header sent by the bookbuyer to the bookstore is
actually bookstore.bookstore:14001 where the bookstore's
HTTPRouteGroup used in the manual demo specified a host header match
of bookstore.bookstore, resulting in

"response_code_details": "route_not_found"

in the bookstore's logs for requests from the bookbuyer.

This change removes the host header matches all of the demo manifests.

Fixes #3616

Affected area:

Functional Area
New Functionality [ ]
Documentation [ ]
Install [ ]
CLI Tool [ ]
Certificate Management [ ]
Control Plane [ ]
Ingress [ ]
Egress [ ]
Networking [ ]
Observability [ ]
SMI Policy [ ]
Sidecar Injection [ ]
Security [ ]
Upgrade [ ]
Tests [ ]
CI System [ ]
Demo [X]
Performance [ ]
Other [ ]

Please answer the following questions with yes/no.

  1. Does this change contain code from or inspired by another project? No

    • Did you notify the maintainers and provide attribution?

  2. Is this a breaking change? No

@nojnhuh nojnhuh requested a review from a team as a code owner June 22, 2021 22:26
shashankram
shashankram suggested changes Jun 22, 2021
View reviewed changes
Copy link
Member

@shashankram shashankram left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nojnhuh the change looks correct, although I don't think we should incorporate this into our demo given it opens the door for misconfiguration like the one seen in #3616. Specifying the host header in the route literally provides no benefit at the moment, given it won't even come into effect if the correct host header is not programmed in virtual_hosts.domains[].

I suggest removing it instead of updating it.

docs/example/manifests/access/traffic-access-v1.yaml Outdated
Comment on lines 37 to 45
- host: "bookstore.bookstore:14001"
- "user-agent": ".*-http-client/*.*"
- "client-app": "bookbuyer"
- name: buy-a-book
pathRegex: ".*a-book.*new"
methods:
- GET
headers:
- host: "bookstore.bookstore"
- host: "bookstore.bookstore:14001"
Copy link
Member

@shashankram shashankram Jun 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather than specifying this, I suggest removing it entirely because host header matching is already enforced using virtual_host.domains[].
@snehachhabria added plumbing for this, but specifying host headers here is just going to mislead users to think they can specify whatever they want, when in fact this has to explicitly be a service FQDN:port combination that is already programmed in virtual_hosts.domains[].

More details in #2369 (comment).

Specifying host headers here serves no real purpose in our existing implementation.

Copy link
Contributor

@snehachhabria snehachhabria Jun 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with @shashankram, there is no real purpose of this in our current implementation given that it has to be the service FQDN:port, which is provided by default in the domains.

Copy link
Contributor Author

@nojnhuh nojnhuh Jun 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense. I see the bookwarehouse HTTPRouteGroup also has a host header match (which doesn't appear to be causing any issues. Should I remove that too?

Copy link
Member

@shashankram shashankram Jun 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes we should remove that as well.

Copy link
Member

@shashankram shashankram Jun 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see the bookwarehouse HTTPRouteGroup also has a host header match (which doesn't appear to be causing any issues.

I had discussed the removal of this with @snehachhabria a month or so ago, and the only reason I suspect this works is because maestro doesn't fail if requests from the bookstore -> bookwarehouse fail.

Regardless, we should fix this.

@shashankram
Copy link
Member

shashankram commented Jun 23, 2021

FYI change that broke the manual demo: openservicemesh/osm-docs#121
The previous fix openservicemesh/osm-docs#110 was made to the docs when the configs were inlined, but after openservicemesh/osm-docs#121 the docs started referencing the yaml files in the osm repo, which was not patched.

@nojnhuh
fix(demo): remove host headers in SMI policies
9d9d893 
The `:authority` header sent by the bookbuyer to the bookstore is
actually `bookstore.bookstore:14001` where the bookstore's
HTTPRouteGroup used in the manual demo specified a `host` header match
of `bookstore.bookstore`, resulting in

    "response_code_details": "route_not_found"

in the bookstore's logs for requests from the bookbuyer.

This change removes the `host` header matches all of the demo manifests.

Fixes #3616

Signed-off-by: Jon Huhn <johuhn@microsoft.com>
@nojnhuh nojnhuh changed the title fix(demo): use correct host headers in SMI policies fix(demo): remove host headers in SMI policies Jun 23, 2021
shashankram
shashankram approved these changes Jun 23, 2021
View reviewed changes
Copy link
Member

@shashankram shashankram left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @nojnhuh. Please backport to release-v0.9 as well.

@codecov-commenter
Copy link

codecov-commenter commented Jun 23, 2021

Codecov Report

Merging #3644 (9d9d893) into main (50d4426) will increase coverage by 0.02%.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #3644      +/-   ##
==========================================
+ Coverage   67.04%   67.07%   +0.02%     
==========================================
  Files         179      179              
  Lines        8704     8705       +1     
==========================================
+ Hits         5836     5839       +3     
+ Misses       2837     2835       -2     
  Partials       31       31
Flag Coverage Δ
unittests 67.07% <ø> (+0.02%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
pkg/injector/webhook.go 79.16% <0.00%> (+0.10%) ⬆️
pkg/kubernetes/announcement_handlers.go 77.14% <0.00%> (+5.71%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 50d4426...9d9d893. Read the comment docs.

@nojnhuh nojnhuh merged commit 3d2ec16 into openservicemesh:main Jun 23, 2021
@nojnhuh nojnhuh deleted the host-headers branch June 23, 2021 17:00
@nojnhuh nojnhuh mentioned this pull request Jun 23, 2021
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

2 more reviewers

@shashankram shashankram shashankram approved these changes

@snehachhabria snehachhabria snehachhabria approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Demo: Bookbuyer refused by bookstore with HTTP 404

4 participants

@nojnhuh @shashankram @codecov-commenter @snehachhabria