solo-io / gloo

The Feature-rich, Kubernetes-native, Next-Generation API Gateway Built on Envoy

Home Page: https://docs.solo.io/

AuthConfig and malformed secrets causing rejection of all secrets

htech7x opened this issue

Gloo Edge Product

Enterprise

Gloo Edge Version

1.16

Kubernetes Version

1.28.5

Describe the bug

During creation of an AuthConfig object, if one of the secrets used in the AuthConfig is malformed, all secrets will be rejected.

Expected Behavior

Gloo should only reject malformed secrets and accept good ones.

Steps to reproduce the bug

  1. Create 2 secrets with the same "label": one with valid data for "api-key" and the other with empty data for "api-key".

infra-apikey.yaml

```yaml
apiVersion: v1
data:
  api-key: TjJZd01ESXhaVEV0TkdVek5TMWpOemd6TFRSa1lqQXRZakUyWXpSa1pHVm1OamN5      # <--- GOOD
kind: Secret
metadata:
  labels:
    team: infrastructure
  name: infra-apikey
  namespace: gloo-system
type: extauth.solo.io/apikey
```

infra-apikey-bad.yaml

```yaml
apiVersion: v1
data:
  api-key: ""                 # <--- NOT GOOD
kind: Secret
metadata:
  labels:
    team: infrastructure
  name: infra-apikey-bad
  namespace: gloo-system
type: extauth.solo.io/apikey
```

  2. Verify that the secrets were created successfully and have the same label:

```
kubectl get secret -l team=infrastructure -A
NAMESPACE     NAME               TYPE                     DATA   AGE
gloo-system   infra-apikey       extauth.solo.io/apikey   1      25m
gloo-system   infra-apikey-bad   extauth.solo.io/apikey   1      22m
```

  3. Create "AuthConfig" with the following specs:

auth_config.yaml

```yaml
apiVersion: enterprise.gloo.solo.io/v1
kind: AuthConfig
metadata:
  name: apikey-auth
  namespace: gloo-system
spec:
  configs:
  - apiKeyAuth:
      headerName: api-key
      labelSelector:
        team: infrastructure
```

  4. Check the status of the authconfig object:

```
kubectl get authconfig -n gloo-system
NAME          AGE
apikey-auth   27m

kubectl describe authconfig -n gloo-system
Name:         apikey-auth
Namespace:    gloo-system
Labels:       <none>
Annotations:  <none>
API Version:  enterprise.gloo.solo.io/v1
Kind:         AuthConfig
Metadata:
  Creation Timestamp:  2024-03-29T18:23:25Z
  Generation:          4
  Resource Version:    176230
  UID:                 e0772bdd-a8d3-4605-a23e-e6bfa0d70f9f
Spec:
  Configs:
    API Key Auth:
      Header Name:  api-key
      Label Selector:
        Team:  infrastructure
Status:
  Statuses:
    Gloo - System:
      Reason:  1 error occurred:
               * failed to translate ext auth config: 1 error occurred:
               * no API key found on API key secret [gloo-system.infra-apikey-bad]


      Reported By:  gloo
      State:        Rejected
Events:             <none>
```

The impact is that, even with at least one valid secret, all authenticated calls will fail with a 403 UAEX, since extauth will report "Auth Server does not contain auth configuration with the given ID" for the respective authconfig.

Is this expected, or should Gloo EE have rejected just the malformed secret and accepted the others?

Additional Environment Detail

No response

Additional Context

No response

Zendesk ticket #3458 has been linked to this issue.
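
A pre-flight check for the failure reported in this issue, added here as an example (not code from the Gloo project or from the reporter): it scans the JSON returned by `kubectl get secret -l team=infrastructure -A -o json` and reports API key secrets whose `api-key` field is missing, empty or undecodable, so they can be fixed before an AuthConfig selects them. The function names and sample data are constructed, and the rules beyond the empty-value case shown above are an assumption about what counts as malformed, not Gloo's own validation logic.

```python
import base64
import binascii

APIKEY_TYPE = "extauth.solo.io/apikey"  # secret type used in the report
KEY_FIELD = "api-key"                   # data field used in the report

def matches(labels, selector):
    """True when every selector key/value pair is present in the labels."""
    return all((labels or {}).get(k) == v for k, v in selector.items())

def check_secret(secret):
    """Return a problem string for one Secret dict, or None if it looks usable."""
    raw = (secret.get("data") or {}).get(KEY_FIELD)
    if raw is None:
        return f"data.{KEY_FIELD} is missing"
    if raw == "":
        return f"data.{KEY_FIELD} is empty"  # the case shown in the report
    try:
        decoded = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return f"data.{KEY_FIELD} is not valid base64"
    if not decoded.strip():
        return f"data.{KEY_FIELD} decodes to an empty value"
    return None

def find_malformed(secret_list, selector):
    """Map 'namespace.name' -> problem for API key secrets the selector matches."""
    problems = {}
    for s in secret_list.get("items", []):
        meta = s.get("metadata", {})
        if s.get("type") != APIKEY_TYPE or not matches(meta.get("labels"), selector):
            continue
        problem = check_secret(s)
        if problem:
            problems[f"{meta.get('namespace')}.{meta.get('name')}"] = problem
    return problems

# Constructed sample mirroring the two secrets above ("dGVzdA==" is a made-up key).
SAMPLE = {"items": [
    {"type": APIKEY_TYPE, "data": {"api-key": "dGVzdA=="}, "metadata": {
        "name": "infra-apikey", "namespace": "gloo-system",
        "labels": {"team": "infrastructure"}}},
    {"type": APIKEY_TYPE, "data": {"api-key": ""}, "metadata": {
        "name": "infra-apikey-bad", "namespace": "gloo-system",
        "labels": {"team": "infrastructure"}}},
]}

if __name__ == "__main__":
    for ref, problem in find_malformed(SAMPLE, {"team": "infrastructure"}).items():
        print(f"{ref}: {problem}")
```

The selector passed in should be the same `labelSelector` the AuthConfig uses, since any secret it matches takes part in translation.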