solo-io / gloo

The Feature-rich, Kubernetes-native, Next-Generation API Gateway Built on Envoy
https://docs.solo.io/
Apache License 2.0

AuthConfig and malformed secrets causing rejection of all secrets #9300

Open htech7x opened 6 months ago

htech7x commented 6 months ago

Gloo Edge Product

Enterprise

Gloo Edge Version

1.16

Kubernetes Version

1.28.5

Describe the bug

During creation of an AuthConfig object, if one of the secrets used in the AuthConfig is malformed, all secrets will be rejected.

Expected Behavior

Gloo should only reject malformed secrets and accept good ones

Steps to reproduce the bug

  1. Create 2 secrets with the same "label": one with valid data for "api-key" and the other with empty data for "api-key"

infra-apikey.yaml

    apiVersion: v1
    data:
      api-key: TjJZd01ESXhaVEV0TkdVek5TMWpOemd6TFRSa1lqQXRZakUyWXpSa1pHVm1OamN5  # <--- GOOD
    kind: Secret
    metadata:
      labels:
        team: infrastructure
      name: infra-apikey
      namespace: gloo-system
    type: extauth.solo.io/apikey

infra-apikey-bad.yaml

    apiVersion: v1
    data:
      api-key: ""  # <--- NOT GOOD
    kind: Secret
    metadata:
      labels:
        team: infrastructure
      name: infra-apikey-bad
      namespace: gloo-system
    type: extauth.solo.io/apikey

  2. Verify that the secrets were created successfully and have the same label:

    kubectl get secret -l team=infrastructure -A
    NAMESPACE     NAME               TYPE                     DATA   AGE
    gloo-system   infra-apikey       extauth.solo.io/apikey   1      25m
    gloo-system   infra-apikey-bad   extauth.solo.io/apikey   1      22m

  3. Create "AuthConfig" with the following specs: auth_config.yaml

    apiVersion: enterprise.gloo.solo.io/v1
    kind: AuthConfig
    metadata:
      name: apikey-auth
      namespace: gloo-system
    spec:
      configs:
      - apiKeyAuth:
          headerName: api-key
          labelSelector:
            team: infrastructure

  4. Check the status of the authconfig object:

    kubectl get authconfig -n gloo-system
    NAME          AGE
    apikey-auth   27m

    kubectl describe authconfig -n gloo-system
    Name:         apikey-auth
    Namespace:    gloo-system
    Labels:
    Annotations:
    API Version:  enterprise.gloo.solo.io/v1
    Kind:         AuthConfig
    Metadata:
      Creation Timestamp:  2024-03-29T18:23:25Z
      Generation:          4
      Resource Version:    176230
      UID:                 e0772bdd-a8d3-4605-a23e-e6bfa0d70f9f
    Spec:
      Configs:
        API Key Auth:
          Header Name:  api-key
          Label Selector:
            Team:  infrastructure
    Status:
      Statuses:
        Gloo - System:
          Reason:  1 error occurred:

The impact is that, even with at least one valid secret, all authenticated calls will fail with a 403 UAEX, since extauth will report "Auth Server does not contain auth configuration with the given ID" for the respective authconfig.

Is this expected, or should Gloo EE have rejected just the malformed secret and accepted the others?

Additional Environment Detail

No response

Additional Context

No response
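
A pre-apply check for the failure described in this issue, as an added example (not code from the issue or from the Gloo project): it scans a secret list shaped like `kubectl get secret -A -o json` for `extauth.solo.io/apikey` secrets that match the AuthConfig's label selector but carry an unusable `api-key`. The function names, the constructed sample data, and treating missing or non-base64 values as malformed are assumptions; the issue itself only shows the empty-value case.

```python
import base64
import binascii

APIKEY_TYPE = "extauth.solo.io/apikey"  # secret type used in the issue


def api_key_problem(secret):
    """Return why data['api-key'] is unusable, or None if it looks fine."""
    raw = (secret.get("data") or {}).get("api-key")
    if not raw:
        return "api-key missing or empty"
    try:
        decoded = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return "api-key is not valid base64"  # assumption: also counted as malformed
    return None if decoded.strip() else "api-key decodes to an empty value"


def malformed_apikey_secrets(secret_list, selector):
    """(namespace, name, reason) for each selected API-key secret that fails."""
    findings = []
    for s in secret_list.get("items", []):
        meta = s.get("metadata") or {}
        labels = meta.get("labels") or {}
        if s.get("type") != APIKEY_TYPE:
            continue  # only API-key secrets are relevant to apiKeyAuth
        if any(labels.get(k) != v for k, v in selector.items()):
            continue  # not selected by the AuthConfig's labelSelector
        reason = api_key_problem(s)
        if reason:
            findings.append((meta.get("namespace"), meta.get("name"), reason))
    return findings


def sample_secret(name, api_key, team="infrastructure"):
    # Constructed object shaped like one item of `kubectl get secret -o json`.
    return {"type": APIKEY_TYPE, "data": {"api-key": api_key},
            "metadata": {"name": name, "namespace": "gloo-system",
                         "labels": {"team": team}}}


# Constructed input mirroring the issue: one good secret, one with an empty api-key,
# plus a bad secret under a different label that the selector must ignore.
SAMPLE = {"items": [
    sample_secret("infra-apikey", base64.b64encode(b"constructed-key").decode()),
    sample_secret("infra-apikey-bad", ""),
    sample_secret("other-team-bad", "", team="payments"),
]}

if __name__ == "__main__":
    for ns, name, reason in malformed_apikey_secrets(SAMPLE, {"team": "infrastructure"}):
        print(f"{ns}/{name}: {reason}")
```

Running it against real cluster output means loading the JSON from `kubectl get secret -A -o json` and passing the same label selector the AuthConfig uses.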

soloio-bot commented 6 months ago

Zendesk ticket #3458 has been linked to this issue.