Kubernetes RuleSet resource is not unloaded by heimdall on `authClassName` change
dadrus opened this issue · comments
Preflight checklist
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I could not find a solution in the existing issues, docs, nor discussions.
Describe the bug
Background:
There is an option to define a `class_name` in heimdall's kubernetes provider configuration. This option allows operating multiple heimdall deployments in a cluster responsible for different RuleSets. To make use of this option, a RuleSet must have an `authClassName` set. This way only those RuleSets will be loaded/used by a heimdall instance whose `authClassName` matches the configured `auth_class`.
Issue Description:
If a RuleSet has been loaded by a heimdall instance (thanks to the matching option described above), it will not be unloaded/dropped if a new version/generation of the RuleSet with a different `authClassName` is deployed. That update is ignored.
The expected behavior is: heimdall should unload/drop the previously loaded RuleSet if it doesn't feel responsible for it (based on the `authClassName` mismatch) anymore.
Criticality
Since multiple heimdall deployments only make sense if
- There are multiple ingress controllers integrated with heimdall
- heimdall is used in proxy mode in front of an application

this issue should practically not be an issue at all in the sense of overall functionality, as in both cases these heimdall instances would receive traffic for completely different routes. And that means the still loaded RuleSet would not be used, as it would never be matched.
How can the bug be reproduced
- Deploy a RuleSet with an `authClassName` matching the `auth_class` of a heimdall deployment. You can see in the logs that heimdall has loaded it.
- Change the `authClassName` in the RuleSet from step 1 to some value which should not match the `auth_class` of the heimdall deployment.
- Deploy the RuleSet again.
- Observe the logs of heimdall. You'll see a log statement that the RuleSet has been ignored, but there is no log statement that the previously loaded version has been dropped.
- Send a request which would result in a rule match from that changed RuleSet and take a look into the heimdall logs. You'll see the rule is executed. If it were unloaded/dropped, there would be no match.
Relevant log output
No response
Relevant configuration
No response
Version
v0.11.1-alpha
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Kubernetes
Additional Context
No response
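
The update handling described in this issue, reduced to a minimal Go model as an added example (not heimdall's code; the `RuleSet` and `Provider` types, the method names and the returned strings are all hypothetical). The first handler keeps a previously loaded RuleSet when its class stops matching; the second drops it, which is the expected behavior stated above.

```go
package main

import "fmt"

// RuleSet is a simplified, hypothetical stand-in for the Kubernetes resource.
type RuleSet struct{ UID, AuthClassName string }

// Provider models one heimdall instance; every name here is hypothetical.
type Provider struct {
	AuthClass string
	loaded    map[string]RuleSet // rule sets currently in use, keyed by UID
}

func NewProvider(authClass string) *Provider {
	return &Provider{AuthClass: authClass, loaded: map[string]RuleSet{}}
}

// OnUpdateIgnoring models the reported behaviour: an update whose class does
// not match is skipped, so the earlier generation stays loaded.
func (p *Provider) OnUpdateIgnoring(rs RuleSet) string {
	if rs.AuthClassName != p.AuthClass {
		return "ignored"
	}
	p.loaded[rs.UID] = rs
	return "loaded"
}

// OnUpdateDropping models the expected behaviour: a class mismatch on a rule
// set that was loaded earlier removes it from the active set.
func (p *Provider) OnUpdateDropping(rs RuleSet) string {
	if rs.AuthClassName != p.AuthClass {
		if _, ok := p.loaded[rs.UID]; ok {
			delete(p.loaded, rs.UID)
			return "dropped"
		}
		return "ignored"
	}
	p.loaded[rs.UID] = rs
	return "loaded"
}

// IsLoaded reports whether rules from the given rule set can still match.
func (p *Provider) IsLoaded(uid string) bool { _, ok := p.loaded[uid]; return ok }

func main() {
	p := NewProvider("class-a") // constructed sample values
	p.OnUpdateDropping(RuleSet{UID: "rs-1", AuthClassName: "class-a"})
	fmt.Println(p.OnUpdateDropping(RuleSet{UID: "rs-1", AuthClassName: "class-b"}), p.IsLoaded("rs-1"))
}
```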