Router cannot create resource Ingresses #2917

Closed
sergeykorablin opened this issue Feb 17, 2024 · 2 comments · Fixed by #2951

Comments

@sergeykorablin

Fission/Kubernetes version

$ fission version
client:
  fission/core:
    BuildDate: "2024-01-14T15:43:35Z"
    GitCommit: 7e8d5dd7
    Version: v1.20.1
server:
  fission/core:
    BuildDate: "2024-01-14T15:43:35Z"
    GitCommit: 7e8d5dd7
    Version: v1.20.1

$ kubectl version
Client Version: v1.28.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.1+k3s2

Kubernetes platform (e.g. Google Kubernetes Engine)

  • Self-hosted k3s

Describe the bug

{
  "level":"error",
  "ts":"2024-02-17T19:03:27.056Z",
  "logger":"triggerset.http_trigger_set",
  "caller":"router/ingress.go:48",
  "msg":"failed to create ingress",
  "error":"ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:fission:fission-router\" cannot create resource \"ingresses\" in API group \"networking.k8s.io\" in the namespace \"fission\"","stacktrace":"github.com/fission/fission/pkg/router.createIngress\n\tpkg/router/ingress.go:48"
}

fission-router has access to create an ingress in the default namespace, but it tries to create it in the fission namespace.

k describe role fission-router
Name:         fission-router
Labels:       app.kubernetes.io/managed-by=Helm
Annotations:  meta.helm.sh/release-name: fission
              meta.helm.sh/release-namespace: fission
PolicyRule:
  Resources                                       Non-Resource URLs  Resource Names  Verbs
  ---------                                       -----------------  --------------  -----
  ingresses.networking.k8s.io                     []                 []              [create get list watch update patch delete]
  customresourcedefinitions.apiextensions.k8s.io  []                 []              [get list watch]

To Reproduce

fission route create --name hello --url "/hello" --function hello-js --createingress --ingressrule "my.fqdn.com=/hello"

Expected result

Ingress in default namespace

Actual result

Screenshots/Dump file

$ fission support dump

Additional context

@ChevronTango

I'm also seeing this. I was expecting the ingress to be created in the same namespace as the HttpTrigger, but instead it's being added to the fission namespace. Looking at the CRD there seems to be no way of specifying the ingress namespace.

Can the default be changed to match the namespace of the HttpTrigger, and also an option be added to the CRD for overriding?

@jrhunger

As a workaround, it seems you can apply the below after helm install, which is just the fission-all/templates/router/role-kubernetes.yaml from the helm chart, with the namespace on each object changed from default to fission. The ingresses get created in fission namespace but they do work.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: "fission-router"
  namespace: fission
rules:
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - patch
  - delete
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
---
# Source: fission-all/templates/router/role-kubernetes.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: "fission-router"
  namespace: fission
subjects:
  - kind: ServiceAccount
    name: "fission-router"
    namespace: fission
roleRef:
  kind: Role
  name: "fission-router"
  apiGroup: rbac.authorization.k8s.io
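
The following is an added example, not part of any comment above and not Fission's code: it parses the forbidden error from the router log and evaluates it against a Role/RoleBinding pair to show why a grant in `default` does not cover a request in `fission`. The helpers `parse_forbidden`, `role_pair` and `allowed` are hypothetical; the sketch assumes the chart's pair differs from the workaround only in `metadata.namespace`, and it ignores ClusterRoles and ClusterRoleBindings.

```python
import re

# Error text from the router log in this issue (after JSON decoding).
FORBIDDEN = ('ingresses.networking.k8s.io is forbidden: User '
             '"system:serviceaccount:fission:fission-router" cannot create resource '
             '"ingresses" in API group "networking.k8s.io" in the namespace "fission"')

PATTERN = re.compile(r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
                     r'in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"')

def parse_forbidden(msg):
    """Extract the denied request attributes from an API server 'forbidden' message."""
    m = PATTERN.search(msg)
    if m is None:
        raise ValueError("not a namespaced RBAC forbidden message")
    return m.groupdict()

def role_pair(namespace):
    """Router Role + RoleBinding (assumed shape), reduced to the fields the check needs."""
    role = {"kind": "Role", "metadata": {"name": "fission-router", "namespace": namespace},
            "rules": [{"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
                       "verbs": ["create", "get", "list", "watch", "update", "patch", "delete"]}]}
    binding = {"kind": "RoleBinding", "metadata": {"name": "fission-router", "namespace": namespace},
               "subjects": [{"kind": "ServiceAccount", "name": "fission-router", "namespace": "fission"}],
               "roleRef": {"kind": "Role", "name": "fission-router"}}
    return [role, binding]

def allowed(req, objects):
    """Namespaced RBAC check: a RoleBinding only grants access inside its own namespace."""
    roles = {(o["metadata"]["namespace"], o["metadata"]["name"]): o for o in objects if o["kind"] == "Role"}
    for b in (o for o in objects if o["kind"] == "RoleBinding"):
        ns = b["metadata"]["namespace"]
        if ns != req["namespace"]:
            continue  # binding lives in another namespace, so it cannot apply
        users = {"system:serviceaccount:%s:%s" % (s["namespace"], s["name"])
                 for s in b["subjects"] if s["kind"] == "ServiceAccount"}
        role = roles.get((ns, b["roleRef"]["name"]))
        if req["user"] not in users or role is None:
            continue
        for rule in role["rules"]:
            if all(req[k] in rule[f] or "*" in rule[f] for k, f in
                   (("group", "apiGroups"), ("resource", "resources"), ("verb", "verbs"))):
                return True
    return False

if __name__ == "__main__":
    req = parse_forbidden(FORBIDDEN)
    print("Role in default:", allowed(req, role_pair("default")))
    print("Role in fission:", allowed(req, role_pair("fission")))
```

On a live cluster the same question can be asked with `kubectl auth can-i create ingresses.networking.k8s.io -n fission --as system:serviceaccount:fission:fission-router`.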
