-
Notifications
You must be signed in to change notification settings - Fork 7.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Istio admission webhook fails when time formatting with odd number %
#42749
Comments
Just to clarify, are you 100% sure it is valid in envoy? And escaping via |
100% sure, once I've disabled the validation hook it works as expected @howardjohn. |
how can you use that on http headers? |
@zirain just like that X-SSL-Client-Cert-Exp: '%DOWNSTREAM_PEER_CERT_V_END(%b %d %H:%M:%S %Y %Z)%' |
yeah, I got what you wanted. |
the following lines need improved istio/pkg/config/validation/validation.go Line 381 in 066f4b4
|
%
%
%
Bug Description
Hi,
when trying to reformat a certificate expiration date I use format sting to create a new date format.
seen here:
https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-start-time
and using the sting formats seen here:
https://en.cppreference.com/w/cpp/io/manip/put_time
here is an example of my configuration:
But when saving the configuration Istio admission webhook fails the configuration with the following error:
could not be patched: admission webhook "validation.istio.io" denied the request: configuration is invalid: single % not allowed. Escape by doubling to %% or encase Envoy variable name in pair of %
function code can be found here:
https://github.com/istio/istio/blob/master/pkg/config/validation/validation.go
detailed explanation can be found here:
https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers.html#custom-request-response-headers
from what I can tell is that this validation is required for space within a URL phrase but should not be enforced on a time format as seen above
Thank you for taking a look at this
Version
Additional Information
No response
The text was updated successfully, but these errors were encountered: