fix(plugins/acme): username/password is a valid authentication method #13496
Conversation
Looks good to me! 👍
@fffonion can you take another look at the PR, please?
one comment about changelog, otherwise lgtm
@@ -0,0 +1,3 @@ | |||
message: "**ACME**: Fixed an issue where username and password were not accepted as valid authentication methods." | |||
type: bugfix | |||
scope: Plugin |
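Review bot: the entry describes only the plugin behaviour change; the lua-resty-acme bump this fix depends on (fffonion/lua-resty-acme#121, per the PR description) has no changelog entry of its own. Add a companion entry for the bumped dependency so operators can see that the Redis client library changed alongside the acme plugin.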
we probably need an additional changelog for the bumped dependency, as I heard from @AndyZhang0707
Done in 004627a
also note the tests failed in spec/02-integration/09-hybrid_mode/09-config-compat_spec.lua:340
@@ -43,6 +43,21 @@ local compatible_checkers = { | |||
function (config_table, dp_version, log_suffix) | |||
local has_update | |||
for _, plugin in ipairs(config_table.plugins or {}) do | |||
if plugin.name == 'acme' then | |||
local config = plugin.config | |||
if config.storage_config.redis.username ~= nil then |
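Review bot: the check indexes `config.storage_config.redis.username` without guarding that `storage_config` and `redis` are present; if an acme plugin instance can be configured with a storage backend for which the `redis` sub-table is absent, this line raises inside the compat checker and aborts the push for every DP. Guard the lookup first, for example `local redis = config.storage_config and config.storage_config.redis` and then `if redis and redis.username ~= nil then`. The loop also declares `has_update` without showing where it is set; make sure the redis-credential branch sets it when it mutates the config, otherwise the CP will not know the payload changed.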
Thanks @fffonion. The test failure in spec/02-integration/09-hybrid_mode/09-config-compat_spec.lua:340 was actually eye-opening. It revealed that removing the new username/password fields will cause issues for older DPs. Therefore I'm going with the safest option, which is to not do anything (just log the warning instead). I'd like some input from @nowNick here as well.
This is the updated log warning on the CP side when we create the acme plugin and have a 3.6.1 DP:
kong-cp | 2024/08/15 22:21:38 [warn] 1811#0: *1294 [lua] checkers.lua:20: log_warn_message(): [clustering] Kong Gateway v3.8.0 configures acme plugin with redis username which is incompatible with dataplane version 3.6.1 and will not work in this release.. [id: e79130ba-32cb-456d-a541-9a159d072142, host: 0c0d4012bade, ip: 172.18.0.8, version: 3.6.1], client: 172.18.0.8, server: kong_cluster_listener, request: "GET /v1/outlet?node_id=e79130ba-32cb-456d-a541-9a159d072142&node_hostname=0c0d4012bade&node_version=3.6.1 HTTP/1.1", host: "kong-cp:8005"
kong-cp | 2024/08/15 22:21:38 [warn] 1811#0: *1294 [lua] checkers.lua:20: log_warn_message(): [clustering] Kong Gateway v3.8.0 configures acme plugin with redis password which is incompatible with dataplane version 3.6.1 and will not work in this release. Please use redis.auth config instead.. [id: e79130ba-32cb-456d-a541-9a159d072142, host: 0c0d4012bade, ip: 172.18.0.8, version: 3.6.1], client: 172.18.0.8, server: kong_cluster_listener, request: "GET /v1/outlet?node_id=e79130ba-32cb-456d-a541-9a159d072142&node_hostname=0c0d4012bade&node_version=3.6.1 HTTP/1.1", host: "kong-cp:8005"
If we do not remove it via
config.storage_config.redis.username = nil
config.storage_config.redis.password = nil
the config will be refused by the DP. A log warning may not be enough.
It doesn't get refused. Added a test to prove it: 3ff5eb8
This is interesting. How can the older schema validate the storage_config if it has unknown fields in it? This might be a sign of something else being wrong. E.g. sub-record validation does not work or something?
I think the test here is probably wrong, which sent @gruceo in the wrong direction.
@bungle I think it's because some of the storage_config fields like username and password are actually supported in some older versions, it's just that the acme plugin didn't use them. I added this extra test: 8f1cb44
As you can see, username and password are supported in 3.6.1 but not in 3.5.0. With a 3.8.x CP pushing unknown fields to a 3.5.0 DP, the config reverts to the older schema here: https://github.com/Kong/kong/blob/master/kong/clustering/compat/checkers.lua#L141-L162
kong-cp | 2024/08/19 10:57:34 [warn] 536#0: *1296 [lua] checkers.lua:20: log_warn_message(): [clustering] Kong Gateway v3.8.0 configures acme plugin with redis username which is incompatible with dataplane version 3.5.0 and will not work in this release. [id: df7ec872-23ac-4180-8f5b-1b810efadfcb, host: 0bfb8a368e8d, ip: 172.18.0.7, version: 3.5.0], client: 172.18.0.7, server: kong_cluster_listener, request: "GET /v1/outlet?node_id=df7ec872-23ac-4180-8f5b-1b810efadfcb&node_hostname=0bfb8a368e8d&node_version=3.5.0 HTTP/1.1", host: "kong-cp:8005"
kong-cp | 2024/08/19 10:57:34 [warn] 536#0: *1296 [lua] checkers.lua:20: log_warn_message(): [clustering] Kong Gateway v3.8.0 configures acme plugin with redis password which is incompatible with dataplane version 3.5.0 and will not work in this release. Please use redis.auth config instead. [id: df7ec872-23ac-4180-8f5b-1b810efadfcb, host: 0bfb8a368e8d, ip: 172.18.0.7, version: 3.5.0], client: 172.18.0.7, server: kong_cluster_listener, request: "GET /v1/outlet?node_id=df7ec872-23ac-4180-8f5b-1b810efadfcb&node_hostname=0bfb8a368e8d&node_version=3.5.0 HTTP/1.1", host: "kong-cp:8005"
kong-cp | 2024/08/19 10:57:34 [warn] 536#0: *1296 [lua] checkers.lua:20: log_warn_message(): [clustering] Kong Gateway v3.8.0 adapts acme plugin redis configuration to older version which is incompatible with dataplane version 3.5.0 and will revert to older schema. [id: df7ec872-23ac-4180-8f5b-1b810efadfcb, host: 0bfb8a368e8d, ip: 172.18.0.7, version: 3.5.0], client: 172.18.0.7, server: kong_cluster_listener, request: "GET /v1/outlet?node_id=df7ec872-23ac-4180-8f5b-1b810efadfcb&node_hostname=0bfb8a368e8d&node_version=3.5.0 HTTP/1.1", host: "kong-cp:8005"
cc @nowNick
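The thread establishes two facts that a compat checker has to reconcile: a 3.6.1 DP accepts the new redis.username/redis.password fields because its schema already carries them, while a 3.5.0 DP only knows redis.auth and the CP has to revert the config to the older schema. The following is an added illustrative example, not Kong's own checker code, showing how that can be version-gated rather than handled by a warning alone. It assumes (hypothetically, since the thread only shows 3.6.1 accepting and 3.5.0 rejecting) that the fields exist from 3.6.0 onward; the helper names version_to_number, log_warn, adapt_acme_redis and check_acme are made up for this example, and the rule of mapping the password onto redis.auth only when the username is absent or "default" is the example's own design choice, not something the PR does.

```lua
-- Added illustrative example, not Kong's own compat checker.
-- Version-gates the acme plugin's redis credentials for older data planes.
-- Assumptions (hypothetical): redis.username/redis.password exist in the DP
-- schema from 3.6.0 onward; older DPs (e.g. 3.5.0) only know redis.auth.

local function version_to_number(v)
  -- "3.6.1" -> 30601 so versions compare numerically (minor/patch assumed < 100)
  local major, minor, patch = v:match("^(%d+)%.(%d+)%.?(%d*)")
  return tonumber(major) * 10000 + tonumber(minor) * 100 + (tonumber(patch) or 0)
end

-- first DP version assumed to carry redis.username/redis.password in the acme schema
local USERNAME_PASSWORD_SINCE = version_to_number("3.6.0")

local function log_warn(msg, log_suffix)
  io.stderr:write("[warn] [clustering] " .. msg .. (log_suffix or "") .. "\n")
end

-- Downgrade one acme plugin config for a DP that predates the new fields.
-- Returns true when the config was changed.
local function adapt_acme_redis(config, dp_version, log_suffix)
  local storage = config.storage_config
  local redis = storage and storage.redis
  if not redis then
    return false -- no redis sub-config (other storage backend): nothing to do
  end
  if version_to_number(dp_version) >= USERNAME_PASSWORD_SINCE then
    return false -- DP schema understands the new fields; ship them unchanged
  end

  local changed = false
  if redis.password ~= nil then
    -- The legacy redis.auth field can only express the default user's password.
    -- Dropping a non-default username silently would make the DP authenticate
    -- as a different identity with this password, so refuse to remap in that case.
    if redis.username == nil or redis.username == "default" then
      if redis.auth == nil then
        redis.auth = redis.password
      end
      log_warn("acme redis.password mapped to redis.auth for dataplane " .. dp_version, log_suffix)
    else
      log_warn("acme redis.username '" .. redis.username .. "' cannot be expressed for dataplane "
        .. dp_version .. "; redis authentication will not work there", log_suffix)
    end
    redis.password = nil
    changed = true
  end
  if redis.username ~= nil then
    redis.username = nil -- field unknown to the older DP schema
    changed = true
  end
  return changed
end

-- Walk a config_table shaped like the one the CP pushes and adapt every acme plugin.
local function check_acme(config_table, dp_version, log_suffix)
  local has_update = false
  for _, plugin in ipairs(config_table.plugins or {}) do
    if plugin.name == "acme" and plugin.config then
      if adapt_acme_redis(plugin.config, dp_version, log_suffix) then
        has_update = true
      end
    end
  end
  return has_update
end

-- Constructed sample: a CP config carrying username/password for the acme redis storage.
local function sample()
  return {
    plugins = {
      { name = "acme", config = { storage_config = { redis = {
          host = "redis", username = "default", password = "s3cret" } } } },
    },
  }
end

local cfg_new = sample()
assert(check_acme(cfg_new, "3.6.1", " [id: dp-a]") == false) -- fields kept for 3.6.1
assert(cfg_new.plugins[1].config.storage_config.redis.username == "default")

local cfg_old = sample()
assert(check_acme(cfg_old, "3.5.0", " [id: dp-b]") == true) -- downgraded for 3.5.0
local r = cfg_old.plugins[1].config.storage_config.redis
assert(r.username == nil and r.password == nil and r.auth == "s3cret")
```

The point of the nil guards and the username check is that a compat layer handling credentials should fail closed: either the older DP receives a configuration that authenticates as the same Redis identity the operator configured, or the CP removes the fields and says so in the log, but it never quietly sends a password under a different identity.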
Summary
Fixed an issue where username and password were not accepted as a valid authentication method. This is already accepted as a valid authentication method in other plugins that use the shared Redis library, such as the rate-limiting plugin.
Depends on this PR of lua-resty-acme: fffonion/lua-resty-acme#121
Checklist
changelog/unreleased/kong or skip-changelog label added on PR if changelog is unnecessary.
Issue reference
Fix FTI-6143