application-gateway-kubernetes-ingress
Version `1.7` annotation `rule-priority` is not compatible with `ssl-redirect:true` and causes "Priority must be unique" error
Describe the bug
When testing with `1.7.0-rc1` I saw this error whenever I set a `rule-priority` annotation:
"...is duplicated. Priority must be unique across all the routing rules"
I realised the issue is because I also had `ssl-redirect:true` on the same Ingress as `rule-priority`.
The `ssl-redirect:true` annotation causes two listeners to be created (a redirect for http 80 and a backend pool for https 443).
The `rule-priority: N` annotation will try to apply the same priority `N` to both listener routing rules (http and https) and so it will always fail because the priorities are duplicated across the two.
To Reproduce
Steps to reproduce the behavior:
- use `1.7.0-rc1`
- create an Ingress with both an annotation for `rule-priority: "20000"` (or another number) and one for `ssl-redirect: "true"`
I'm not sure what the best way to resolve this is... maybe have another annotation that lets you set the priority for the redirect listener rule? I.e. add "rule-priority-redirect" or "rule-priority-http" annotation perhaps
The current error message is also not very explicit, would be great if it called out the cause of the failure in the message
Thanks
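A pre-deployment check for the collision described in this issue, as an added example that is not part of the original thread or of the AGIC code base. It assumes the annotations carry the `appgw.ingress.kubernetes.io/` prefix, that the input is the JSON from `kubectl get ingress -A -o json`, and that every listed Ingress is reconciled onto one Application Gateway; the function name and rule labels are hypothetical, and it goes slightly beyond the reported case by also flagging two Ingresses that request the same priority.

```python
import json
from collections import defaultdict

# Assumption: full annotation keys use this prefix; the issue text only
# gives the short names rule-priority and ssl-redirect.
PREFIX = "appgw.ingress.kubernetes.io/"


def priority_collisions(ingress_list):
    """Map each requested priority to the routing rules that would share it.

    Model taken from the issue: an Ingress produces one primary routing rule,
    plus an HTTP redirect rule when ssl-redirect is "true", and rule-priority
    is applied to both. Only priorities claimed by two or more rules are kept.
    """
    rules = defaultdict(list)
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        ann = meta.get("annotations") or {}  # annotations may be absent or null
        prio = ann.get(PREFIX + "rule-priority")
        if prio is None:
            continue  # no explicit priority requested, nothing to collide
        ident = f'{meta.get("namespace", "default")}/{meta.get("name")}'
        rules[prio.strip()].append(f"{ident} primary")
        if ann.get(PREFIX + "ssl-redirect", "").strip().lower() == "true":
            rules[prio.strip()].append(f"{ident} http-redirect")
    return {p: r for p, r in rules.items() if len(r) > 1}


# Constructed sample in the shape of `kubectl get ingress -A -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "web", "name": "shop", "annotations": {
     "appgw.ingress.kubernetes.io/rule-priority": "20000",
     "appgw.ingress.kubernetes.io/ssl-redirect": "true"}}},
  {"metadata": {"namespace": "web", "name": "api", "annotations": {
     "appgw.ingress.kubernetes.io/rule-priority": "20010"}}},
  {"metadata": {"namespace": "ops", "name": "grafana", "annotations": {
     "appgw.ingress.kubernetes.io/rule-priority": "20010"}}}
]}
""")

if __name__ == "__main__":
    for prio, clash in sorted(priority_collisions(SAMPLE).items()):
        print(f"priority {prio} would be assigned to: {', '.join(clash)}")
```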
The same commit for `1.7.0-rc1` has been released as `1.7.0`, so this applies equally to that release as well as the release candidate.
We are facing the same problem. Would it be possible to somehow configure the ssl-redirect as a distinct ingress resource, so I could give it a different priority? Or, as the OP suggested, provide some means to specify a different priority for the redirect. I would personally also be fine with some kind of convention that simply adds + 1 to the priority for that redirect, but of course that could lead to problems as it's not really obvious - and it might not suffice for everyone.
The issue still persists in `1.7.2`.
"managed-by-k8s-ingress": "1.7.2/5361cbbd/2023-07-19-18:29T+0000"
BTW, `rule-priority` also didn't support Ingress with multi rules for host.
Should there be better for `rule-priority-starts:19900`
This has still not been addressed and means that we cannot use ssl-redirect with rule-priority. Please fix this. Some possible solutions:
- Add ssl-redirect-rule-priority to set rule-priority for http redirect rule
- Move/Add the rule priority to the rule spec. (though this would also require a potential change to the main kubernetes ingress resource)
- While searching for a way to make this work, AI gave me the following incorrect example, but might be worth adapting:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    appgw.ingress.kubernetes.io/request-routing-rules: |
      - name: rule1
        priority: 100
        backendPool: pool1
        backendHTTPSettings: settings1
        httpListeners:
          - listener1
      - name: rule2
        priority: 200
        backendPool: pool2
        backendHTTPSettings: settings2
        httpListeners:
          - listener2
spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: /app1
            pathType: Prefix
            backend:
              service:
                name: app1-service
                port:
                  number: 80
          - path: /app2
            pathType: Prefix
            backend:
              service:
                name: app2-service
                port:
                  number: 80
```