aws-controllers-k8s / community

AWS Controllers for Kubernetes (ACK) is a project enabling you to manage AWS services from Kubernetes
https://aws-controllers-k8s.github.io/community/
Apache License 2.0

Generate `DomainName` and `APIMapping` resources for apigatewayv2-controller #1567

Open zalejus opened 1 year ago

zalejus commented 1 year ago

Describe the solution you'd like

Could you add DomainName and APIMapping resources for HTTP APIs? It seems to me incomplete without these two elements. I tested it and all works fine for me, but it is useless without these two parts.

a-hilaly commented 1 year ago

Thank you for opening this ticket @zalejus. We'll put this in our bucket. These resources can be generated and we can quickly support at least the create/delete operations. Are you interested in contributing to the apigateway controller?

orubel commented 1 year ago

If you are creating domain/controller in gateway, it's no longer a 'gateway'; it's now the api app.

You'll now need to Remove load balancer then and abstract other components to a proxy. :)

Literally... you will now need a load balancer in front of your load balancer/proxy because you have turned it into the api app instead of abstracting it!

barlevalon commented 1 year ago

Hi, I'm interested in this as well and I'd be interested in contributing. Could you point me in the right direction to get started?

a-hilaly commented 1 year ago

Hello and thank you @barlevalon! :) we have documentation for contributors here https://aws-controllers-k8s.github.io/community/docs/contributor-docs/overview/. This should help you re-generate the controller and add the DomainName and APIMapping resources. We are also available on #aws-controllers-k8s channel in the Kubernetes slack - feel free to reach out to us if you have any questions!

a-hilaly commented 1 year ago

If you already have installed everything locally and you're able to generate the controller, you can start by commenting out the config that ignores the DomainName and APIMapping resources (example: https://github.com/aws-controllers-k8s/apigatewayv2-controller/blob/main/generator.yaml#L4) and re-generating the controller.
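As an added illustration of the edit described above (not the contents of the project's real generator.yaml), assuming the ACK code generator reads the skipped resources from an `ignore.resource_names` list and that the two resources appear under the names used in this issue:

```yaml
# Added example, not the real generator.yaml of apigatewayv2-controller.
# Assumed: the ACK code generator skips CRD and reconciler generation for
# every resource listed under `ignore.resource_names`.

# Before: both resources requested in this issue are skipped.
ignore:
  resource_names:
    - DomainName
    - APIMapping
    # ... other resources the controller does not support yet
---
# After: comment the two entries out (or delete them) so the generator
# emits CRDs and reconcilers for them, then re-generate the controller
# following the contributor docs linked above.
ignore:
  resource_names:
    # - DomainName   # now generated
    # - APIMapping   # now generated
    # ... other resources still ignored
```

Whatever the generator emits for the two kinds is a starting point only: the create/delete paths still need e2e coverage before the resources are usable.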

barlevalon commented 1 year ago

Thanks! I managed to re-generate the controller with DomainName and APIMapping. Now attempting to run the e2e tests. I'm assuming I'll have to add tests to https://github.com/aws-controllers-k8s/apigatewayv2-controller/tree/main/test/e2e.

a-hilaly commented 1 year ago

@barlevalon correct. You'll have to write e2e tests similar to https://github.com/aws-controllers-k8s/apigatewayv2-controller/blob/main/test/e2e/tests/test_api.py

barlevalon commented 1 year ago

For visibility, linking to the working thread in slack: https://kubernetes.slack.com/archives/C0402D8JJS1/p1674659557584879

jaypipes commented 1 year ago

@A-Hilaly would you mind editing the GH issue title to say this is the APIGatewayV2 controller?

orubel commented 1 year ago

so how are you planning to handle internal redirects/forwards? https://youtu.be/sH68MnmnblE

ack-bot commented 1 year ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

orubel commented 1 year ago

So I don't see how you are planning to handle internal redirects/forwards? This was addressed in CVE-2022-31692 and directly impacts any abstraction of security from the API application such as API gateways.

jaypipes commented 1 year ago

@orubel I'm having a tough time following your comments. The ACK controller for Amazon APIGatewayV2 simply calls the Amazon APIGatewayV2 APIs. It does not provide another abstraction over top of that API.

orubel commented 1 year ago

@jaypipes the HTTP protocol allows for web servers to handle internal redirects (aka a forward in Java) or redirects which drop a thread and go outside the DMZ. When you abstract security to the API Gateway, any 'internal redirect' will automatically bypass ALL security at the gateway because it will route to the other API endpoint internally using the front controller of the API application (see CVE-2022-31692 - https://nvd.nist.gov/vuln/detail/CVE-2022-31692)

This is NOT Java specific as this is part of the HTTP protocol and part of EVERY web server.

jaypipes commented 1 year ago

@orubel I have no idea what your comment has to do with this project (ACK). We don't use Java and ACK is not a web server.

orubel commented 1 year ago

@jaypipes As I said, this is not Java specific.

Per your statement "The ACK controller for Amazon APIGatewayV2 simply calls the Amazon APIGatewayV2 APIs"... hence you are vulnerable. Hence any internal redirect (see the HTTP protocol) in your controller will bypass security in the API Gateway

jaypipes commented 1 year ago

@orubel you don't understand what this project is. Please don't use this project's GH issues as click-bait to get views on your videos and articles. This is your first and last warning.

orubel commented 1 year ago

@jaypipes this is not clickbait as I have avoided putting any personal links in here. I am advising on a known issue.

You are choosing to ignore security advice. I am screenshotting this discussion.

jaypipes commented 1 year ago

You are choosing to ignore security advice.

No, I am not. The security advice you are offering has nothing to do with our project. The AWS Controllers for Kubernetes (ACK) project is a set of custom controllers that communicates with the control plane APIs of AWS APIs. You are talking about the data plane APIs of a specific AWS service, Amazon APIGatewayV2. The apigatewayv2-controller ACK binary does not make calls against an API Gateway. It makes calls to the Amazon APIGatewayV2 control plane APIs (CreateApi, CreateStage, ImportApi, etc). Please stop commenting on this issue as it is a distraction.

orubel commented 1 year ago

The issue was for 'Generate DomainName and APIMapping'

I am addressing the issue of APIMapping of 'controllers' to call an API Gateway. Since your code is open source, I can generate my own mapping which can overwrite your mappings for controllers. I can then route however I need for my own custom business logic.

mapete94 commented 1 year ago

Any headway on implementing this? I'd be willing to lend a hand or pick up where someone left off if the work got dropped. Don't want to start fresh if someone else is already working on it.

barlevalon commented 1 year ago

I didn't get any further than generating the code. Most of the work should be in the e2e test. Feel free to give this a go.

ack-bot commented 8 months ago

Issues go stale after 180d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 60d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

ack-bot commented 2 months ago

Issues go stale after 180d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 60d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

ack-bot commented 1 week ago

Stale issues rot after 60d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 60d of inactivity. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle rotten