Open buixor opened 1 month ago
Hi~ Is there any related fix plan for this issue? I am currently using multi-agent mode in ingress-nginx and there will be problems when updating in stream mode.
I think it should be related to this. I haven't found a way to use a Helm deployment to allow each agent to have a different API key.
Hey 👋🏻 Yes, we have floated some ideas internally around how we can move forward on this issue (we added them above in the proposed solutions), and yes, the reason behind the issue was that when we were helping enterprise clients on k8s environments without moving them over to mTLS authentication, it currently does not allow stream mode with the API key.
What would you like to be added?
Currently, bouncers sharing the same API key cannot reliably use the stream mode.
What happens
When a bouncer queries `/decisions/stream` with `startup` not set to true, we rely on the `bouncerInfo.LastPull` timestamp to know when the bouncer last pulled and which data should be returned. The `bouncerInfo` is fetched from the DB and only relies on the API key provided by the bouncer.
Problem
However, this is problematic when several bouncer instances (i.e. nginx-ingress / kube) share the same API key and want to use stream mode: they get inconsistent data as they all share the same entry in the DB and thus `LastPull`.
Proposed change
The proposed change is the following:
For `/decisions/stream` with `startup` not set to true, we rely on the API key + IP combo to select the relevant row, so that each bouncer instance gets its own `LastPull`.
Why is this needed?
Allow several bouncers to share the same API key and use stream mode.
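The behaviour described in this issue can be reproduced with a small model. The following is an added example, not CrowdSec's code: the `LAPI` type, the `shared-key` value and the two IP addresses are hypothetical, and timestamps are replaced by a logical tick. It replays two instances sharing one API key and reports which decisions one instance never receives, first with the row selected by API key only, then by API key + IP.

```go
package main

import "fmt"

// LAPI is a toy model of the stream endpoint (hypothetical, not CrowdSec's implementation).
type LAPI struct {
	decisions []int          // decision IDs; an ID doubles as its creation tick
	lastPull  map[string]int // bouncer row key -> tick of the last pull
	keyByIP   bool           // false: row per API key; true: row per API key + IP
}

// Stream returns decisions added since the row's LastPull, then advances it (startup=false).
func (l *LAPI) Stream(apiKey, ip string) []int {
	row := apiKey
	if l.keyByIP {
		row = apiKey + "|" + ip
	}
	var delta []int
	for _, id := range l.decisions {
		if id > l.lastPull[row] {
			delta = append(delta, id)
		}
	}
	l.lastPull[row] = len(l.decisions)
	return delta
}

// Missed replays two instances sharing one key; returns the IDs instance 10.0.0.2 never got.
func Missed(keyByIP bool) []int {
	l := &LAPI{lastPull: map[string]int{}, keyByIP: keyByIP}
	seen := map[int]bool{}
	for _, ip := range []string{"10.0.0.2", "10.0.0.1", "10.0.0.2"} {
		l.decisions = append(l.decisions, len(l.decisions)+1) // new decision before each pull
		for _, id := range l.Stream("shared-key", ip) {
			seen[id] = seen[id] || ip == "10.0.0.2"
		}
	}
	var missed []int
	for _, id := range l.decisions {
		if !seen[id] {
			missed = append(missed, id)
		}
	}
	return missed
}

func main() {
	fmt.Println("API key only:", Missed(false), "API key + IP:", Missed(true))
}
```

In this model, instances that reach the API from the same source IP would still share one row under API key + IP keying.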