"conflicting matcher" message for VS
Gloo Edge Product
Enterprise
Gloo Edge Version
1.16.8
Kubernetes Version
1.28.5
Describe the bug
After creating VS, "gloo check" complains about "conflicting matcher"
glooctl check
Checking deployments... OK
Checking pods... OK
Checking upstreams... OK
Checking upstream groups... OK
Checking auth configs... OK
Checking rate limit configs... OK
Checking VirtualHostOptions... OK
Checking RouteOptions... OK
Checking secrets... OK
Checking virtual services... 1 Errors!
Checking gateways... OK
Checking proxies... OK
Checking rate limit server... OK
Error: 1 error occurred:
* Found virtual service with warnings by 'gloo-system': gloo-portal reproenv (Reason: warning:
virtual host [gloo-portal.reproenv] has conflicting matcher: regex:"/org/[^/]+?" methods:"GET" methods:"OPTIONS"
virtual host [gloo-portal.reproenv] has conflicting matcher: regex:"/org/[^/]+?/children" methods:"GET" methods:"OPTIONS"
virtual host [gloo-portal.reproenv] has conflicting matcher: regex:"/org/[^/]+?/parents" methods:"GET" methods:"OPTIONS")
Expected Behavior
Validation works as expected
Steps to reproduce the bug
- Deploy Gloo EE and Gloo Portal
$ helm list -A
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
gloo gloo-system 1 2024-05-06 12:13:32.154175 -0500 CDT deployed gloo-ee-1.16.8
gloo-portal gloo-portal 1 2024-05-06 12:15:07.705303 -0500 CDT deployed gloo-portal-1.4.0
- Edit settings for Gloo EE
kubectl edit settings default -n gloo-system
...
gateway:
  validation:
    allowWarnings: false # <-- change this line
    alwaysAccept: false # <-- change this line
    disableTransformationValidation: false
    warnRouteShortCircuiting: true # <-- change this line
- Create API Doc according to the documentation using the following "swagger.json" swagger.json
- Create API Product and API Environment according to the documentation
- Run "gloo check" and check the message
glooctl check
Checking deployments... OK
Checking pods... OK
Checking upstreams... OK
Checking upstream groups... OK
Checking auth configs... OK
Checking rate limit configs... OK
Checking VirtualHostOptions... OK
Checking RouteOptions... OK
Checking secrets... OK
Checking virtual services... 1 Errors!
Checking gateways... OK
Checking proxies... OK
Checking rate limit server... OK
Error: 1 error occurred:
* Found virtual service with warnings by 'gloo-system': gloo-portal reproenv (Reason: warning:
virtual host [gloo-portal.reproenv] has conflicting matcher: regex:"/org/[^/]+?" methods:"GET" methods:"OPTIONS"
virtual host [gloo-portal.reproenv] has conflicting matcher: regex:"/org/[^/]+?/children" methods:"GET" methods:"OPTIONS"
virtual host [gloo-portal.reproenv] has conflicting matcher: regex:"/org/[^/]+?/parents" methods:"GET" methods:"OPTIONS")
Additional Environment Detail
No response
Additional Context
No response
Zendesk ticket #3552 has been linked to this issue.
There seem to be 2 parts to this.
- Dev-portal issue: swagger types should be respected when making matchers. So instead of [^/]+? the 2 types of routes here the integer should be something like [\d]+
- Edge issue to improve warning's ux to include both matchers and not just the second matching matcher's context
I can't reproduce this with the provided instructions ... The only way I can reproduce this is when I set:
gateway:
  validation:
    allowWarnings: true
If I set that value to false, the creation of the VirtualService gets blocked by the validating webhook .... In that case I get this in the status of my Environment:
reason: "routing error: 1 error occurred:\n\t* writing resource test-environment.gloo-portal.
failed: admission webhook \"gloo.gloo-system.svc\" denied the request: resource
incompatible with current Gloo snapshot: [Validating *v1.VirtualService failed:
1 error occurred:\n\t* Validating *v1.VirtualService failed: validating *v1.VirtualService
name:\"test-environment\" namespace:\"gloo-portal\": 1 error occurred:\n\t* could
not render proxy: 2 errors occurred:\n\t* invalid resource gloo-portal.test-environment\n\t*
WARN: \n [virtual host [gloo-portal.test-environment] has conflicting matcher:
regex:\"/org/[^/]+?\" methods:\"GET\" methods:\"OPTIONS\" virtual host [gloo-portal.test-environment]
has conflicting matcher: regex:\"/org/[^/]+?/children\" methods:\"GET\" methods:\"OPTIONS\"
virtual host [gloo-portal.test-environment] has conflicting matcher: regex:\"/org/[^/]+?/parents\"
\ methods:\"GET\" methods:\"OPTIONS\"]\n\n\n\n\n\n]\n\n"
state: Failed
Note that in the original ZD ticket, the initial problem is that validation actually seems to get disabled:
validation is disabled due to an invalid resource which has been written to storage. Please correct any Rejected resources to re-enable validation.
You can reproduce this in the following way:
- Set validation allowWarnings: true, to allow resources that would end up in a "Warning" state to be accepted by the webhook.
- Deploy the ApiDoc, ApiProduct and Environment as described in this ticket (will create an automated reproducer for this to make this a bit easier).
- Run kubectl get vs -A and observe that the VirtualService for the Environment has been created.
- Observe that the status of the Environment is set to "Succeeded":
kubectl -n gloo-portal get environment test-environment -o yaml
- Now, change the Gloo Settings and set validation allowWarnings: false:
kubectl -n gloo-system patch settings default --type='json' -p '[{"op": "replace", "path": "/spec/gateway/validation/allowWarnings", "value": false}]'
- Observe the log of the Gloo pod and notice that it now states that validation has been disabled:
kubectl -n gloo-system logs -f gloo-{pod-id}
{"level":"error","ts":"2024-05-10T11:00:44.860Z","logger":"gloo-ee.v1.event_loop.setup","caller":"setup/setup_syncer.go:977","msg":"gloo main event loop","version":"1.16.8","error":"event_loop.gloo: 1 error occurred:\n\t* validation is disabled due to an invalid resource which has been written to storage. Please correct any Rejected resources to re-enable validation.: 2 errors occurred:\n\t* invalid resource gloo-portal.test-environment\n\t* WARN: \n [virtual host [gloo-portal.test-environment] has conflicting matcher: regex:"/org/[^/]+?" methods:"GET" methods:"OPTIONS" virtual host [gloo-portal.test-environment] has conflicting matcher: regex:"/org/[^/]+?/children" methods:"GET" methods:"OPTIONS" virtual host [gloo-portal.test-environment] has conflicting matcher: regex:"/org/[^/]+?/parents" methods:"GET" methods:"OPTIONS"]\n\n\n\n","errorVerbose":"1 error occurred:\n\t* validation is disabled due to an invalid resource which has been written to storage. Please correct any Rejected resources to re-enable validation.: 2 errors occurred:\n\t* invalid resource gloo-portal.test-environment\n\t* WARN: \n [virtual host [gloo-portal.test-environment] has conflicting matcher: regex:"/org/[^/]+?" methods:"GET" methods:"OPTIONS" virtual host [gloo-portal.test-environment] has conflicting matcher: regex:"/org/[^/]+?/children" methods:"GET" methods:"OPTIONS" virtual host [gloo-portal.test-environment] has conflicting matcher: regex:"/org/[^/]+?/parents" methods:"GET" methods:"OPTIONS"]\n\n\n\n\nevent_loop.gloo\ngithub.com/solo-io/go-utils/errutils.AggregateErrs\n\t/go/pkg/mod/github.com/solo-io/[email protected]/errutils/aggregate_errs.go:19\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1650","stacktrace":"github.com/solo-io/gloo/projects/gloo/pkg/syncer/setup.RunGlooWithExtensions.func10\n\t/go/pkg/mod/github.com/solo-io/[email protected]/projects/gloo/pkg/syncer/setup/setup_syncer.go:977"}
To re-enable validation, we need to get rid of the invalid resource, which in our case is the VirtualService that was generated by the Environment. So we can simply delete the Environment, which will re-enable validation. When we now try to re-apply the Environment, the creation of the VirtualService will again be rejected and we will end up with the same error state in the Environment that we saw previously ....
Reproducer: https://github.com/DuncanDoyle/ge-gloo-9462-portal-validation
Additional details in the readme of that repo.
I checked the OpenAPI specification, and it seems that when using path templates, templated paths with the same hierarchy but different templated names must not exist.
From the spec:
The following paths are considered identical and invalid:
/pets/{petId}
/pets/{name}
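Added example (not part of the issue thread or of Gloo's code): a pre-flight lint in Go that applies the OpenAPI rule quoted above to a spec's paths before it is published as an API Doc. It assumes every `{param}` is rendered as the `[^/]+?` segment seen in the warnings; `normalizePath`, `findConflicts` and the sample paths are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// templateParam matches one OpenAPI path template segment such as {petId}.
var templateParam = regexp.MustCompile(`\{[^/{}]+\}`)

// normalizePath replaces every template parameter with the wildcard segment
// seen in the warnings, so /org/{id} and /org/{name} compare equal.
func normalizePath(p string) string {
	return templateParam.ReplaceAllLiteralString(p, `[^/]+?`)
}

// findConflicts takes path -> HTTP methods (as in an OpenAPI "paths" object)
// and returns, keyed by "METHOD normalized-path", the sorted source paths
// whenever more than one of them collapses to the same matcher.
func findConflicts(paths map[string][]string) map[string][]string {
	groups := map[string][]string{}
	for p, methods := range paths {
		for _, m := range methods {
			key := strings.ToUpper(m) + " " + normalizePath(p)
			groups[key] = append(groups[key], p)
		}
	}
	for key, srcs := range groups {
		if len(srcs) < 2 {
			delete(groups, key) // a single source path is not a conflict
			continue
		}
		sort.Strings(srcs)
	}
	return groups
}

func main() {
	// Constructed sample, not the swagger.json attached to the issue.
	for key, srcs := range findConflicts(map[string][]string{
		"/org/{id}": {"get"}, "/org/{name}": {"get"},
		"/org/{id}/children": {"get"}, "/org/{name}/children": {"get", "post"},
		"/pets/{petId}": {"get"},
	}) {
		fmt.Printf("%s <- %s\n", key, strings.Join(srcs, ", "))
	}
}
```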