Admission Webhooks (Validation) #1768
Description
Description
When a single Ingress resource has configuration errors, AGIC stops programming the AppGW for subsequent Ingress resources even though they are valid, because of the error thrown by a previous Ingress config.
We had this issue recently, with an Ingress that had port 443 set by appgw.ingress.kubernetes.io/override-frontend-port: 443 but with an invalid appgw.ingress.kubernetes.io/appgw-ssl-certificate
AGIC threw an error for that Ingress and subsequent Ingress resources in AGIC processing order stopped functioning, which worked before.
Feature Request
Option 1:
Ship AGIC with Admission hooks, that validate AppGw targeted Ingress resources and rejects for known config errors. In the above scenario, that would be for example:
- if TLS binding for listener specified (by port 443 override or `appgw.ingress.kubernetes.io/ssl-redirect: "true")
- valid tls config must exist
TLS validation:
- reject if none is set (manual tls, appgw installed cert)
- reject if appgw installed cert selected by annotation, but cert does not exist in appgw
Of course the Admission based validation, when provided by AGIC would involve many other known validation checks:
Option 2:
Introduce a config flag for the controller, eg: skip-on-reconcile-error: <bool>
This way, at least previously configured Ingress resources keep working, by making sure they are continued to be reconciled and mapped to meanwhile updated endpoints, while the problematic Ingress resource was still deployed in the cluster.