Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

kic webhook - cannot set oauth2 Secret with empty redirect_uris #6902

Open
1 task done
vmignot opened this issue Dec 24, 2024 · 0 comments
Open
1 task done

kic webhook - cannot set oauth2 Secret with empty redirect_uris #6902

vmignot opened this issue Dec 24, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@vmignot
Copy link

vmignot commented Dec 24, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Hi,
Since ingress helm chart 0.15.1, we are using kong helm chart 2.44.0 release.

This release add the following change:

Added admission webhook objectSelector for:

  • secrets.credentials.validation.ingress-controller.konghq.com

What happens since then is that I cannot apply a Secret for Credentials without specifying the field redirect_uris. In my case, I'm not planning on using redirect_uris, as I'm doing machine-to-machine.

Expected Behavior

The Admission Webhook should accept Credential Secret without redirect_uris.

Steps To Reproduce

kind: Secret
apiVersion: v1
type: generic
metadata:
  labels:
    konghq.com/credential: oauth2
  name: test-api-oauth2
data:
  client_id: XXXXbase64_strXXXX
  client_secret: XXXXbase64_strXXXX
  kongCredType: XXXXbase64_strXXXX   # => oauth2
  name: XXXXbase64_strXXXX

will result with the following error message:
unable to update secret test-oauth2-bapi: admission webhook \"secrets.credentials.validation.ingress-controller.konghq.com\" denied the request: consumer credential failed validation: missing required field(s): redirect_uris","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...[]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...[]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:263\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...[]).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:224"

I have tried:

  • setting the field to an empty value: same error as previous
  • setting the field to "[]", secret is created, BUT the kong-controller errors: schema violation (redirect_uris.1: cannot parse '[]')\")
  • setting the field to "null", secret is created, BUT the kong-controller errors: schema violation (redirect_uris.1: cannot parse 'null')\")
  • setting the field to ",", secret is created, BUT the kong-controller errors: (redirect_uris.1: length must be at least 1; redirect_uris.2: length must be at least 1)\")", "error": "object failed to apply"}
  • setting the field to "http://fake" works just fine BUT this is not a satisfactory workaround

I ended up going to the admin UI and there, I can save Credentials without redirect_uris.

The temporary fix that I have currently in place to make it work is to set controller.ingressController.admissionWebhook.filterSecrets to true in the values.yaml to go back to the behaviour prior to kong helm release 2.44.0.



### Kong Ingress Controller version

```shell
{ "version": "3.9.0.0", "tagline": "Welcome to kong", "hostname": "ingress-kong-gateway-7474449596-mbbhp", "lua_version": "LuaJIT 2.1.0-20231117.1" }

Kubernetes version

{
  "clientVersion": {
    "major": "1",
    "minor": "29",
    "gitVersion": "v1.29.6",
    "gitCommit": "062798d53d83265b9e05f14d85198f74362adaca",
    "gitTreeState": "clean",
    "buildDate": "2024-06-11T20:23:31Z",
    "goVersion": "go1.21.11",
    "compiler": "gc",
    "platform": "darwin/arm64"
  },
  "kustomizeVersion": "v5.0.4-0.20230601165947-6ce0bf390ce3",
  "serverVersion": {
    "major": "1",
    "minor": "29+",
    "gitVersion": "v1.29.10-eks-7f9249a",
    "gitCommit": "d06fe5fa1c524ee5eb5d16bb9edc4dda6075f6c3",
    "gitTreeState": "clean",
    "buildDate": "2024-10-23T23:40:34Z",
    "goVersion": "go1.22.8",
    "compiler": "gc",
    "platform": "linux/amd64"
  }
}

Anything else?

No response

@vmignot vmignot added the bug Something isn't working label Dec 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

1 participant