fix(konnect) avoid colliding redacted values

When generating sanitized configuration for Konnect, use random values to redact unique fields. Internally, go-database-reconciler builds an in-memory database with certain fields as primary keys. Using static redacted values for these results in collisions in that database.
Kong · May 3, 2024 · 36538e8 · 36538e8
1 parent 755e2ce
commit 36538e8
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -138,6 +138,8 @@ Adding a new version? You'll need three changes:
   `parentRefs`'s group/kind is not `gateway.network.k8s.io/Gateway`, the item
   is seen as a parent other than the controller and ignored in parentRef check.
   [#5919](https://github.com/Kong/kubernetes-ingress-controller/pull/5919)
+- Redacted values no longer cause collisions in configuration reported to Konnect.
+  [5964](https://github.com/Kong/kubernetes-ingress-controller/pull/5964)
 
 ### Changed
 

diff --git a/internal/dataplane/kongstate/consumer_test.go b/internal/dataplane/kongstate/consumer_test.go
@@ -1,8 +1,10 @@
 package kongstate
 
 import (
+	"math/rand"
 	"testing"
 
+	"github.com/google/uuid"
 	"github.com/kong/go-kong/kong"
 	"github.com/stretchr/testify/assert"
 
@@ -14,6 +16,8 @@ func int64Ptr(i int64) *int64 {
 }
 
 func TestConsumer_SanitizedCopy(t *testing.T) {
+	// this needs a static random seed because some auths generate random values
+	uuid.SetRand(rand.New(rand.NewSource(1)))
 	for _, tt := range []struct {
 		name string
 		in   Consumer
@@ -50,7 +54,7 @@ func TestConsumer_SanitizedCopy(t *testing.T) {
 					Tags:      []*string{kong.String("5.1"), kong.String("5.2")},
 				},
 				Plugins:    []kong.Plugin{{ID: kong.String("1")}},
-				KeyAuths:   []*KeyAuth{{kong.KeyAuth{ID: kong.String("1"), Key: redactedString}}},
+				KeyAuths:   []*KeyAuth{{kong.KeyAuth{ID: kong.String("1"), Key: randRedactedString()}}},
 				HMACAuths:  []*HMACAuth{{kong.HMACAuth{ID: kong.String("1"), Secret: redactedString}}},
 				JWTAuths:   []*JWTAuth{{kong.JWTAuth{ID: kong.String("1"), Secret: redactedString}}},
 				BasicAuths: []*BasicAuth{{kong.BasicAuth{ID: kong.String("1"), Password: redactedString}}},
@@ -63,6 +67,8 @@ func TestConsumer_SanitizedCopy(t *testing.T) {
 			},
 		},
 	} {
+		// this needs a static random seed because some auths generate random values
+		uuid.SetRand(rand.New(rand.NewSource(1)))
 		t.Run(tt.name, func(t *testing.T) {
 			got := *tt.in.SanitizedCopy()
 			assert.Equal(t, tt.want, got)

diff --git a/internal/dataplane/kongstate/credentials.go b/internal/dataplane/kongstate/credentials.go
@@ -3,6 +3,7 @@ package kongstate
 import (
 	"fmt"
 
+	"github.com/google/uuid"
 	"github.com/kong/go-kong/kong"
 	"github.com/mitchellh/mapstructure"
 )
@@ -12,6 +13,13 @@ import (
 // to pass a valid key or a vault URI).
 var redactedString = kong.String("{vault://redacted-value}")
 
+// randRedactedString is used to redact sensitive values in the KongState when the value must be random to avoid
+// collisions.
+func randRedactedString() *string {
+	s := fmt.Sprintf("{vault://%s}", uuid.NewString())
+	return &s
+}
+
 // KeyAuth represents a key-auth credential.
 type KeyAuth struct {
 	kong.KeyAuth
@@ -158,7 +166,7 @@ func (c *KeyAuth) SanitizedCopy() *KeyAuth {
 			// Consumer field omitted
 			CreatedAt: c.CreatedAt,
 			ID:        c.ID,
-			Key:       redactedString,
+			Key:       randRedactedString(),
 			Tags:      c.Tags,
 		},
 	}

diff --git a/internal/dataplane/kongstate/credentials_test.go b/internal/dataplane/kongstate/credentials_test.go
@@ -1,13 +1,17 @@
 package kongstate
 
 import (
+	"math/rand"
 	"testing"
 
+	"github.com/google/uuid"
 	"github.com/kong/go-kong/kong"
 	"github.com/stretchr/testify/assert"
 )
 
 func TestKeyAuth_SanitizedCopy(t *testing.T) {
+	// this needs a static random seed because some auths generate random values
+	uuid.SetRand(rand.New(rand.NewSource(1)))
 	for _, tt := range []struct {
 		name string
 		in   KeyAuth
@@ -25,11 +29,13 @@ func TestKeyAuth_SanitizedCopy(t *testing.T) {
 			want: KeyAuth{kong.KeyAuth{
 				CreatedAt: kong.Int(1),
 				ID:        kong.String("2"),
-				Key:       redactedString,
+				Key:       randRedactedString(),
 				Tags:      []*string{kong.String("4.1"), kong.String("4.2")},
 			}},
 		},
 	} {
+		// this needs a static random seed because some auths generate random values
+		uuid.SetRand(rand.New(rand.NewSource(1)))
 		t.Run(tt.name, func(t *testing.T) {
 			got := *tt.in.SanitizedCopy()
 			assert.Equal(t, tt.want, got)

diff --git a/internal/dataplane/kongstate/kongstate_test.go b/internal/dataplane/kongstate/kongstate_test.go
@@ -2,6 +2,7 @@ package kongstate
 
 import (
 	"fmt"
+	"math/rand"
 	"reflect"
 	"strconv"
 	"strings"
@@ -11,6 +12,7 @@ import (
 	"github.com/go-logr/logr"
 	"github.com/go-logr/logr/testr"
 	"github.com/go-logr/zapr"
+	"github.com/google/uuid"
 	"github.com/kong/go-kong/kong"
 	"github.com/samber/lo"
 	"github.com/stretchr/testify/assert"
@@ -45,6 +47,8 @@ var serviceTypeMeta = metav1.TypeMeta{
 
 func TestKongState_SanitizedCopy(t *testing.T) {
 	testedFields := sets.New[string]()
+	// this needs a static random seed because some auths generate random values
+	uuid.SetRand(rand.New(rand.NewSource(1)))
 	for _, tt := range []struct {
 		name string
 		in   KongState
@@ -86,7 +90,7 @@ func TestKongState_SanitizedCopy(t *testing.T) {
 					Plugin:              kong.Plugin{ID: kong.String("1"), Config: kong.Configuration{"secret": *redactedString}},
 				}},
 				Consumers: []Consumer{{
-					KeyAuths: []*KeyAuth{{kong.KeyAuth{ID: kong.String("1"), Key: redactedString}}},
+					KeyAuths: []*KeyAuth{{kong.KeyAuth{ID: kong.String("1"), Key: randRedactedString()}}},
 				}},
 				Licenses: []License{{kong.License{ID: kong.String("1"), Payload: redactedString}}},
 				ConsumerGroups: []ConsumerGroup{{
@@ -102,6 +106,8 @@ func TestKongState_SanitizedCopy(t *testing.T) {
 			},
 		},
 	} {
+		// this needs a static random seed because some auths generate random values
+		uuid.SetRand(rand.New(rand.NewSource(1)))
 		t.Run(tt.name, func(t *testing.T) {
 			testedFields.Insert(extractNotEmptyFieldNames(tt.in)...)
 			got := *tt.in.SanitizedCopy()

diff --git a/internal/dataplane/kongstate/plugin_test.go b/internal/dataplane/kongstate/plugin_test.go
@@ -1,8 +1,10 @@
 package kongstate
 
 import (
+	"math/rand"
 	"testing"
 
+	"github.com/google/uuid"
 	"github.com/kong/go-kong/kong"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -767,6 +769,8 @@ func TestKongPluginFromK8SPlugin(t *testing.T) {
 }
 
 func TestPlugin_SanitizedCopy(t *testing.T) {
+	// this needs a static random seed because some auths generate random values
+	uuid.SetRand(rand.New(rand.NewSource(1)))
 	testCases := []struct {
 		name                    string
 		config                  kong.Configuration