Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Run validation on secrets if it is used for plugin config to prevent dataplane stuck #5190

Closed
2 tasks done
randmonkey opened this issue Nov 17, 2023 · 0 comments · Fixed by #5203
Closed
2 tasks done

Run validation on secrets if it is used for plugin config to prevent dataplane stuck #5190

randmonkey opened this issue Nov 17, 2023 · 0 comments · Fixed by #5203
Assignees
@randmonkey
Labels
area/admission area/feature New feature or request area/ingress-controller release/highlight This part of the release is worth bragging about.
Milestone
KIC v3.1.x

Comments

@randmonkey
Copy link
Contributor

randmonkey commented Nov 17, 2023
edited
Loading

Is there an existing issue for this?

  • I have searched the existing issues

Problem Statement

FTI-5314, Also part of #2195
When a secret is used as configuration of KongPlugin or KongClusterPlugin (in ConfigFrom or ConfigPatches), we need to check if it will generate invalid configuration of kong plugin after the secret is applied when the secret is created or updated. This could prevent from generating invalid configuration of plugin when translating to kong state and then make the dataplane lock up.

Proposed Solution

  • Update the admission webhook for checking secrets, when a secret is used as part of plugin configuration, reject it if the "new" value will generate an invalid one

Additional information

No response

Acceptance Criteria

  • Updating Secret that will generate invalid kong plugin configuration will get rejected on the webhook.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@randmonkey randmonkey

Labels
area/admission area/feature New feature or request area/ingress-controller release/highlight This part of the release is worth bragging about.
Projects
None yet
Milestone
KIC v3.1.x
Development

Successfully merging a pull request may close this issue.

feat: add validation on secrets on generated plugin cofigs Kong/kubernetes-ingress-controller
2 participants
@mflendrich @randmonkey