kubeshop / kusk-gateway

Kusk-gateway is an OpenAPI-driven API Gateway for Kubernetes
https://kubeshop.github.io/kusk-gateway/
MIT License

APIs protected by Cloudentity return 404s #1054

Open mzerko-cloudentity opened 10 months ago

mzerko-cloudentity commented 10 months ago

I have tried to test this integration using the following script:

#!/usr/bin/env bash

set -ex

export kusk_VERSION=v1.5.4
curl -sSLf https://raw.githubusercontent.com/kubeshop/kusk-gateway/main/cmd/kusk/scripts/install.sh | bash
kind delete cluster
kind create cluster
kusk cluster install --no-dashboard --no-api
helm repo add acp https://charts.cloudentity.io
helm repo update
helm upgrade --install cloudentity-authorizer acp/standalone-authorizer \
    --set clientCredentials.clientID=3684dcbe5d8d4515bdafd86a16cb9a01 \
    --set clientCredentials.clientSecret=GE006FvxNKgN6xVTexO_AQHeYPz9GTMIcBWL69c4yl8 \
    --set issuerURL=https://mzerko-2023-08-28.eu.authz.cloudentity.io/mzerko-2023-08-28/system \
    --namespace kusk-system
kusk deploy -i api.yaml
sleep 10
kubectl port-forward svc/kusk-gateway-envoy-fleet -n kusk-system 8080:80

And with the following API:

openapi: 3.0.0
info:
  title: simple-api
  version: 0.1.0
x-kusk:
  cors:
    origins:
      - "*"
    methods:
      - GET
      - POST
  mocking:
    enabled: true
  auth:
    cloudentity:
      host:
        hostname: cloudentity-authorizer-standalone-authorizer.kusk-system # default authorizer service, change in case your authorizer is installed differently
        port: 9004
paths:
  /hello:
    get:
      responses:
        "200":
          description: "A simple hello world"
          content:
            application/json:
              schema:
                type: object
                properties:
                  message:
                    type: string
              example:
                message: Hello from a mocked response!
  /validated:
    post:
      requestBody:
        description: ""
        required: true
        content:
          application/json:
            schema:
              required:
                - name
              type: object
              properties:
                name:
                  type: string
      responses:
        "200":
          description: ""
          content:
            text/plain:
              schema:
                type: string
              example: Hello mocked Kusk

But every time I try to call this API I get 404s. The only interesting log message I can see is coming from kusk-gateway-envoy-fleet:

{
  "request_id":"14e6acb2-8520-46da-af47-bdf00a5de1ee",
  "route_name":null,
  "requested_server_name":null,
  "bytes_received":0,
  "response_flags":"UAEX",
  "upstream_host":null,
  "path":"/hello",
  "upstream_local_address":null,
  "downstream_local_address":"127.0.0.1:8080",
  "upstream_cluster":null,
  "duration":0,
  "connection_termination_details":null,
  "start_time":"2023-08-29 T11:37:40.999Z",
  "response_code":404,
  "user_agent":"curl/7.88.1",
  "upstream_transport_failure_reason":null,
  "authority":"localhost:8080",
  "downstream_remote_address":"127.0.0.1:57064",
  "bytes_sent":1504,
  "upstream_service_time":"0",
  "x_forwarded_for":null,
  "response_code_details":"ext_authz_denied",
  "method":"GET",
  "protocol":"HTTP/1.1"
}

I have tried several Kusk versions, and it was working up until v1.3.21, so I guess it has something to do with this PR: https://github.com/kubeshop/kusk-gateway/pull/947, as version v1.3.20 is working fine, and it was the only change that was introduced there.
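
Added example, not part of the original issue or of the Kusk or Cloudentity code: a small triage script for Envoy JSON access logs in the format shown above. It separates responses produced by the external authorization filter (`UAEX` / `ext_authz_denied`, as in the reported entry) from genuine routing misses. The sample lines and the verdict labels are constructed for illustration.

```python
import json

# Constructed sample access-log lines in the JSON format shown in the issue.
# Only the first mirrors the reported entry; the others are made up for contrast.
SAMPLE_LOG = """\
{"path":"/hello","method":"GET","response_code":404,"response_flags":"UAEX","response_code_details":"ext_authz_denied"}
{"path":"/missing","method":"GET","response_code":404,"response_flags":"NR","response_code_details":"route_not_found"}
{"path":"/hello","method":"GET","response_code":200,"response_flags":"-","response_code_details":"via_upstream"}
not-json line from another container
"""


def classify(entry):
    """Say which part of Envoy produced the response for one log entry."""
    # Envoy joins multiple response flags with commas.
    flags = (entry.get("response_flags") or "").split(",")
    details = entry.get("response_code_details") or ""
    if "UAEX" in flags or details.startswith("ext_authz_denied"):
        # The external authorizer was reached and rejected the request,
        # so the 404 is not a missing route in the gateway.
        return "denied-by-ext-authz"
    if details.startswith("ext_authz_error"):
        # The ext_authz filter failed to get a usable answer from the authorizer.
        return "ext-authz-error"
    if "NR" in flags or details.startswith("route_not_found"):
        # Envoy itself had no route for this host/path.
        return "no-route"
    return "other"


def triage(log_text):
    """Return (path, status, verdict) for every parseable JSON log line."""
    results = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON output mixed into the pod log
        if not isinstance(entry, dict):
            continue
        results.append((entry.get("path"), entry.get("response_code"), classify(entry)))
    return results


if __name__ == "__main__":
    for path, status, verdict in triage(SAMPLE_LOG):
        print(f"{status} {path}: {verdict}")
```

A `denied-by-ext-authz` verdict on a 404 points the investigation at the authorizer and at what the gateway sends to it, rather than at the route configuration generated from the OpenAPI file.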