kyma-project / api-gateway


JWT and noAuth APIRules cannot be set on the same service #1093

Open werdes72 opened 1 month ago

werdes72 commented 1 month ago

Description

Setting up separate JWT and noAuth APIRules on the same service breaks the noAuth access.

Expected result

curl should return 200

Actual result

```
HTTP/2 403
content-length: 19
content-type: text/plain
date: Tue, 28 May 2024 07:51:19 GMT
server: istio-envoy
x-envoy-upstream-service-time: 4

RBAC: access denied
```

Steps to reproduce

Apply APIRules as follows:

```shell
cat <<EOF | kubectl apply -f -
apiVersion: gateway.kyma-project.io/v1beta2
kind: APIRule
metadata:
  name: httpbin
  namespace: test
spec:
  hosts: 
    - jwt.ps-test.goatz.shoot.canary.k8s-hana.ondemand.com
  service:
    name: httpbin
    namespace: test
    port: 8000
  gateway: kyma-system/kyma-gateway
  rules:
    - path: /headers
      methods: ["GET"]
      jwt:
        authentications:
        - issuer: "https://kymagoattest.accounts400.ondemand.com"
          jwksUri: "https://kymagoattest.accounts400.ondemand.com/oauth2/certs"
EOF
```

Second APIRule:

```shell
cat <<EOF | kubectl apply -f -
apiVersion: gateway.kyma-project.io/v1beta2
kind: APIRule
metadata:
  name: httpbin2
  namespace: test
spec:
  hosts: 
    - na.ps-test.goatz.shoot.canary.k8s-hana.ondemand.com
  service:
    name: httpbin
    namespace: test
    port: 8000
  gateway: kyma-system/kyma-gateway
  rules:
    - path: /ip
      methods: ["GET"]
      noAuth: true
EOF
```

Test it with curl: `curl -ik -X GET https://na.ps-test.goatz.shoot.canary.k8s-hana.ondemand.com/ip`

Troubleshooting

It works when both rules are in the same APIRule, but it's not possible to set separate hosts this way:

```shell
cat <<EOF | kubectl apply -f -
apiVersion: gateway.kyma-project.io/v1beta2
kind: APIRule
metadata:
  name: httpbin
  namespace: test
spec:
  hosts: 
    - jwt.ps-test.goatz.shoot.canary.k8s-hana.ondemand.com
  service:
    name: httpbin
    namespace: test
    port: 8000
  gateway: kyma-system/kyma-gateway
  rules:
    - path: /headers
      methods: ["GET"]
      jwt:
        authentications:
        - issuer: "https://kymagoattest.accounts400.ondemand.com"
          jwksUri: "https://kymagoattest.accounts400.ondemand.com/oauth2/certs"
    - path: /ip
      methods: ["GET"]
      noAuth: true
EOF
```
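A pre-apply check for the situation this issue describes, written as an added example and not part of the kyma-project/api-gateway code: it groups the rules of all APIRules by the backend service they target and flags any service that receives a `jwt` rule from one APIRule and a `noAuth` rule from another, which is the combination that produced the `403 RBAC: access denied` above. The two manifests from the report are reproduced here as plain Python dicts (constructed by hand so the script runs offline; in a cluster you would feed it the output of `kubectl get apirules -A -o json`). The assumption that `service.namespace` defaults to the APIRule's own namespace when omitted is mine, not taken from the page.

```python
"""Flag backend services that get jwt and noAuth rules from different APIRules."""
from collections import defaultdict

# Constructed copies of the two APIRules from the report (YAML transcribed by hand).
APIRULES = [
    {
        "metadata": {"name": "httpbin", "namespace": "test"},
        "spec": {
            "hosts": ["jwt.ps-test.goatz.shoot.canary.k8s-hana.ondemand.com"],
            "service": {"name": "httpbin", "namespace": "test", "port": 8000},
            "rules": [
                {"path": "/headers", "methods": ["GET"],
                 "jwt": {"authentications": [{
                     "issuer": "https://kymagoattest.accounts400.ondemand.com",
                     "jwksUri": "https://kymagoattest.accounts400.ondemand.com/oauth2/certs"}]}},
            ],
        },
    },
    {
        "metadata": {"name": "httpbin2", "namespace": "test"},
        "spec": {
            "hosts": ["na.ps-test.goatz.shoot.canary.k8s-hana.ondemand.com"],
            "service": {"name": "httpbin", "namespace": "test", "port": 8000},
            "rules": [{"path": "/ip", "methods": ["GET"], "noAuth": True}],
        },
    },
]

# Constructed copy of the single merged APIRule from the Troubleshooting section.
MERGED_APIRULE = {
    "metadata": {"name": "httpbin", "namespace": "test"},
    "spec": {
        "hosts": ["jwt.ps-test.goatz.shoot.canary.k8s-hana.ondemand.com"],
        "service": {"name": "httpbin", "namespace": "test", "port": 8000},
        "rules": APIRULES[0]["spec"]["rules"] + APIRULES[1]["spec"]["rules"],
    },
}


def rule_strategy(rule):
    """Name the access strategy of a v1beta2 rule: 'noAuth', 'jwt' or 'other'."""
    if rule.get("noAuth"):
        return "noAuth"
    if "jwt" in rule:
        return "jwt"
    return "other"


def service_key(apirule):
    """Identify the backend a rule set targets as (namespace, name, port)."""
    svc = apirule["spec"]["service"]
    # Assumption: a missing service.namespace means the APIRule's own namespace.
    ns = svc.get("namespace") or apirule["metadata"]["namespace"]
    return (ns, svc["name"], svc["port"])


def find_mixed_strategy_services(apirules):
    """Return {service_key: [(apirule, path, strategy), ...]} for every service
    that receives both jwt and noAuth rules from more than one APIRule object.
    Rules mixed inside a single APIRule are not reported, matching the
    observation in the issue that the merged APIRule works."""
    by_service = defaultdict(list)
    for ar in apirules:
        owner = f'{ar["metadata"]["namespace"]}/{ar["metadata"]["name"]}'
        for rule in ar["spec"].get("rules", []):
            by_service[service_key(ar)].append((owner, rule["path"], rule_strategy(rule)))
    findings = {}
    for key, entries in by_service.items():
        strategies = {s for _, _, s in entries}
        owners = {o for o, _, _ in entries}
        if {"jwt", "noAuth"} <= strategies and len(owners) > 1:
            findings[key] = entries
    return findings


def report(apirules):
    """Render findings as text lines suitable for a CI log."""
    lines = []
    for (ns, svc, port), entries in find_mixed_strategy_services(apirules).items():
        lines.append(f"service {ns}/{svc}:{port} gets jwt and noAuth rules from different APIRules:")
        for owner, path, strategy in entries:
            lines.append(f"  {owner}  {path}  {strategy}")
        lines.append("  expect 403 'RBAC: access denied' on the noAuth path; see api-gateway issue #1093")
    return lines


if __name__ == "__main__":
    print("\n".join(report(APIRULES)) or "no conflicting APIRules")
    print("\n".join(report([MERGED_APIRULE])) or "merged APIRule: no conflict")
```

Running it against the two separate manifests prints one finding for `test/httpbin:8000`; running it against the merged manifest prints nothing, since the check only fires when the `jwt` and `noAuth` rules come from different APIRule objects.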