AuthConfig and malformed secrets causing rejection of all secrets
htech7x opened this issue
Gloo Edge Product
Enterprise
Gloo Edge Version
1.16
Kubernetes Version
1.28.5
Describe the bug
During creation of an AuthConfig object, if one of the secrets used in the AuthConfig is malformed, all secrets will be rejected.
Expected Behavior
Gloo should only reject malformed secrets and accept good ones
Steps to reproduce the bug
- Create 2 secrets with the same "label":
one with valid data for "api-key" and the other with empty data for "api-key"
infra-apikey.yaml
apiVersion: v1
data:
  api-key: TjJZd01ESXhaVEV0TkdVek5TMWpOemd6TFRSa1lqQXRZakUyWXpSa1pHVm1OamN5 # <--- GOOD
kind: Secret
metadata:
  labels:
    team: infrastructure
  name: infra-apikey
  namespace: gloo-system
type: extauth.solo.io/apikey
infra-apikey-bad.yaml
apiVersion: v1
data:
  api-key: "" # <--- NOT GOOD
kind: Secret
metadata:
  labels:
    team: infrastructure
  name: infra-apikey-bad
  namespace: gloo-system
type: extauth.solo.io/apikey
- Verify that the secrets were created successfully and have the same label:
kubectl get secret -l team=infrastructure -A
NAMESPACE     NAME               TYPE                     DATA   AGE
gloo-system   infra-apikey       extauth.solo.io/apikey   1      25m
gloo-system   infra-apikey-bad   extauth.solo.io/apikey   1      22m
- Create "AuthConfig" with the following specs:
auth_config.yaml
apiVersion: enterprise.gloo.solo.io/v1
kind: AuthConfig
metadata:
  name: apikey-auth
  namespace: gloo-system
spec:
  configs:
  - apiKeyAuth:
      headerName: api-key
      labelSelector:
        team: infrastructure
- Check the status of the authconfig object:
kubectl get authconfig -n gloo-system
NAME          AGE
apikey-auth   27m
kubectl describe authconfig -n gloo-system
Name:         apikey-auth
Namespace:    gloo-system
Labels:       <none>
Annotations:  <none>
API Version:  enterprise.gloo.solo.io/v1
Kind:         AuthConfig
Metadata:
  Creation Timestamp:  2024-03-29T18:23:25Z
  Generation:          4
  Resource Version:    176230
  UID:                 e0772bdd-a8d3-4605-a23e-e6bfa0d70f9f
Spec:
  Configs:
    API Key Auth:
      Header Name:  api-key
      Label Selector:
        Team:  infrastructure
Status:
  Statuses:
    Gloo - System:
      Reason:  1 error occurred:
               * failed to translate ext auth config: 1 error occurred:
               * no API key found on API key secret [gloo-system.infra-apikey-bad]
      Reported By:  gloo
      State:        Rejected
Events:  <none>
The impact is that, even with at least one valid secret, all authenticated calls will fail with a 403 UAEX, since extauth will report "Auth Server does not contain auth configuration with the given ID" for the respective authconfig.
Is this expected, or should Gloo EE have rejected just the malformed secret and accepted the others?
Additional Environment Detail
No response
Additional Context
No response
Zendesk ticket #3458 has been linked to this issue.
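A pre-apply check for the failure reported in this issue, as an added example (not Gloo's code and not part of the original report): it takes the JSON that `kubectl get secret -A -o json` returns and lists every `extauth.solo.io/apikey` secret matching a label selector whose `api-key` is missing or empty, so one bad secret is caught before it gets the whole AuthConfig rejected. The sample input and the `platform-apikey` secret are constructed; the `api-key` field name and secret type are taken from the manifests above.

```python
import base64
import binascii
import json

APIKEY_TYPE = "extauth.solo.io/apikey"

def _secret(name, team, api_key):
    # Builds one constructed sample secret; api_key=None omits the field entirely.
    data = {} if api_key is None else {"api-key": base64.b64encode(api_key).decode()}
    return {"type": APIKEY_TYPE, "data": data,
            "metadata": {"name": name, "namespace": "gloo-system", "labels": {"team": team}}}

# Constructed sample in the shape of `kubectl get secret -A -o json`.
SAMPLE = json.dumps({"items": [
    _secret("infra-apikey", "infrastructure", b"constructed-example-key"),
    _secret("infra-apikey-bad", "infrastructure", b""),  # empty value, as in the report
    _secret("platform-apikey", "platform", None),        # hypothetical, different label
]})

def find_malformed_apikey_secrets(secret_list, selector):
    """Return [(namespace.name, reason)] for selected API key secrets with an unusable key."""
    problems = []
    for item in secret_list.get("items", []):
        meta = item.get("metadata", {})
        labels = meta.get("labels") or {}
        if item.get("type") != APIKEY_TYPE:
            continue
        # Same semantics as an equality label selector: every pair must match.
        if any(labels.get(k) != v for k, v in selector.items()):
            continue
        ref = f'{meta.get("namespace")}.{meta.get("name")}'
        raw = (item.get("data") or {}).get("api-key")
        if raw is None:
            problems.append((ref, "api-key field missing"))
            continue
        try:
            decoded = base64.b64decode(raw, validate=True)
        except (binascii.Error, ValueError):
            problems.append((ref, "api-key is not valid base64"))
            continue
        if not decoded.strip():
            problems.append((ref, "api-key is empty"))
    return problems

if __name__ == "__main__":
    bad = find_malformed_apikey_secrets(json.loads(SAMPLE), {"team": "infrastructure"})
    for ref, reason in bad:
        print(f"{ref}: {reason}")
    raise SystemExit(1 if bad else 0)  # non-zero exit lets a CI step block the apply
```

Against a live cluster, feed it `json.load(sys.stdin)` from the `kubectl` command instead of `SAMPLE`.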