Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Endless loop of reconciliation of AuthConfig #354

Closed
guicassolato opened this issue Dec 4, 2023 · 0 comments · Fixed by #356
Closed

Endless loop of reconciliation of AuthConfig #354

guicassolato opened this issue Dec 4, 2023 · 0 comments · Fixed by #356
Assignees
@guicassolato
Labels
kind/bug Something isn't working
Milestone
v0.5.0

Comments

@guicassolato
Copy link
Contributor

guicassolato commented Dec 4, 2023
edited
Loading

Some AuthPolicies can cause the operator to go into an endless loop of reconciliation of the corresponding AuthConfigs, where the operator detects a difference in the spec of the AuthConfig when comparing existing vs desired state, and thus updates the resource. Authorino picks up the change of generation, reconciles the resource, updates its status stanza, which triggers the operator again.

This issue was first described in #341, related to #303.

Example of "safe" AuthPolicy (i.e. does not activate the bug)

apiVersion: kuadrant.io/v1beta2
kind: AuthPolicy
metadata:
  name: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  rules:
    authentication:
      "api-key-authn":
        apiKey:
          selector: {}
        credentials:
          authorizationHeader:
            prefix: APIKEY
    authorization:
      "only-admins":
        opa:
          rego: |
            groups := split(object.get(input.auth.identity.metadata.annotations, "kuadrant.io/groups", ""), ",")
            allow { groups[_] == "admins" }
        routeSelectors:
        - matches:
          - path:
              type: PathPrefix
              value: "/admin"

Example of "unsafe" AuthPolicy (i.e. activates the bug)

apiVersion: kuadrant.io/v1beta2
kind: AuthPolicy
metadata:
  name: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore
  rules:
    metadata:
      foo:
        http:
          contentType: application/x-www-form-urlencoded
          headers:
            Accept:
              value: application/json
          method: GET
          url: http://toystore:3000
@guicassolato guicassolato added kind/bug Something isn't working target/current labels Dec 4, 2023
@guicassolato guicassolato self-assigned this Dec 4, 2023
@guicassolato guicassolato moved this to In Progress in Kuadrant Dec 4, 2023
@alexsnaps alexsnaps modified the milestones: v0.6.0, v0.5.0 Dec 4, 2023
@guicassolato guicassolato mentioned this issue Dec 4, 2023
Merged
@github-project-automation github-project-automation bot moved this from In Progress to Done in Kuadrant Dec 4, 2023
@guicassolato guicassolato mentioned this issue Dec 5, 2023
Closed
@eguzki eguzki mentioned this issue Oct 7, 2024
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@guicassolato guicassolato

Labels
kind/bug Something isn't working
Projects
Kuadrant
Archived in project
Kuadrant Service Protection
Status: To test
Milestone
v0.5.0
Development

Successfully merging a pull request may close this issue.

Dry-run resource update before comparing changes Kuadrant/kuadrant-operator
2 participants
@alexsnaps @guicassolato