Limiting requests based on keycloak username problem #415

Open
averevki opened this issue Feb 11, 2025 · 1 comment

Comments

@averevki

Since the 2024-12-17 nightly kuadrant-operator-catalog image, we have our test that should limit requests based on the keycloak user username failing. It doesn't limit requests for users anymore. Setup is similar to one of the kuadrant user-guides but without the kubernetes identity. Can you please help me to understand what's wrong with ours?

There could have been a change in structure we are not aware of, but I didn't find any new commits around this date. I did some research, and from the docs it seems like the RLP counter value might be something different. Something like `metadata.filter_metadata.envoy\.filters\.http\.ext_authz.identity.user` to fetch dynamic metadata, but I wasn't able to make limitador parse this value.

Also, for future debugging, is there a method to check what dynamic metadata is actually parsed? Thank you

Kuadrant operator image: nightly-11-02-2025
Limitador image: c31e42f370bc1fec921a422777a120478b8a319a
Authorino image: v0.20.0
Wasm image: abe70bb1251bf9c0db3ee86f52759b11b5dedbe3
Red Hat Build of Keycloak operator version: 26.0.9-opr.1

AuthPolicy

```yaml
spec:
  rules:
    authentication:
      default:
        credentials:
          authorizationHeader:
            prefix: Bearer
        jwt:
          issuerUrl: 'http://1.2.3.4:8080/realms/realm-averevki--maic'
          ttl: 0
        metrics: false
        priority: 0
    response:
      success:
        filters:
          identity:
            json:
              properties:
                user:
                  selector: auth.identity.preferred_username
            metrics: false
            priority: 0
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: route-averevki--1gdn
```

RateLimitPolicy

```yaml
spec:
  limits:
    basic:
      counters:
        - expression: auth.identity.user
      rates:
        - limit: 5
          window: 60s
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: route-averevki--1gdn
```

Gateway

```yaml
spec:
  gatewayClassName: istio
  listeners:
    - allowedRoutes:
        namespaces:
          from: Same
      hostname: '*.apps.kua.redhat.com'
      name: api
      port: 80
      protocol: HTTP
```

HTTPRoute

```yaml
spec:
  hostnames:
    - hostname-averevki--bpa-kuadrant.apps.kua.redhat.com
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: gw-averevki--nlej
  rules:
    - backendRefs:
        - group: ''
          kind: Service
          name: httpbin-averevki--j5ge
          namespace: kuadrant
          port: 8080
          weight: 1
      matches:
        - path:
            type: PathPrefix
            value: /
```

@alexsnaps
Member

Unsure whether this is a duplicate of this issue here

But in any case, the AuthPolicy isn't selecting the user tho... ?
