Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DB-less config apply relies on flatten_errors url param: attempt to index local 'entity' #10767

Closed
1 task done
pmalek opened this issue Apr 28, 2023 · 1 comment · Fixed by #10896
Closed
1 task done

DB-less config apply relies on flatten_errors url param: attempt to index local 'entity' #10767

pmalek opened this issue Apr 28, 2023 · 1 comment · Fixed by #10896
Assignees
@flrgh
Labels
bug

Comments

@pmalek
Copy link
Member

pmalek commented Apr 28, 2023
edited
Loading

Is there an existing issue for this?

  • I have searched the existing issues

Kong version ($ kong version)

3.2

Current Behavior

When applying the following config to DB-less Kong:

{
  "_format_version": "3.0",
  "services": [
    {
      "connect_timeout": 60000,
      "host": "nginx-sample-1.default.80.svc",
      "id": "8c17ab3e-b6bd-51b2-b5ec-878b4d608b9d",
      "name": "default.nginx-sample-1.nginx-sample-1.80",
      "path": "/",
      "port": 80,
      "protocol": "http",
      "read_timeout": 60000,
      "retries": 5,
      "write_timeout": 60000,
      "tags": [
        "k8s-name:nginx-sample-1",
        "k8s-namespace:default",
        "k8s-kind:Service",
        "k8s-uid:f7cc87f4-d5f7-41f8-b4e3-70608017e588",
        "k8s-version:v1"
      ],
      "routes": [
        {
          "id": "84d45463-1faa-55cf-8ef6-4285007b715e",
          "name": "default.nginx-sample-1.nginx-sample-1..80",
          "methods": [
            "GET"
          ],
          "paths": [
            "/sample/1"
          ],
          "path_handling": "v0",
          "preserve_host": true,
          "protocols": [
            "http",
            "https"
          ],
          "regex_priority": 0,
          "strip_path": false,
          "tags": [
            "k8s-name:nginx-sample-1",
            "k8s-namespace:default",
            "k8s-kind:Ingress",
            "k8s-uid:916a6e5a-eebe-4527-a78d-81963eb3e043",
            "k8s-group:networking.k8s.io",
            "k8s-version:v1"
          ],
          "https_redirect_status_code": 426,
          "request_buffering": true,
          "response_buffering": true
        }
      ]
    }
  ],
  "consumers": [
    {
      "id": "68d5de9f-2211-5ed8-b827-22f57a492d0f",
      "username": "774f8446-6427-43f9-9962-ce7ab8097fe4",
      "tags": [
        "k8s-name:app",
        "k8s-namespace:default",
        "k8s-kind:KongConsumer",
        "k8s-uid:7ee19bea-72d5-402b-bf0f-f57bf81032bf",
        "k8s-group:configuration.konghq.com",
        "k8s-version:v1"
      ],
      "basicauth_credentials": [
        {
          "username": "774f8446-6427-43f9-9962-ce7ab8097fe4",
          "password": "6ef728de-ba68-4e59-acb9-6e502c28ae0b",
          "tags": [
            "k8s-name:app-cred",
            "k8s-namespace:default",
            "k8s-kind:Secret",
            "k8s-uid:aadd4598-2969-49ea-82ac-6ab5159e2f2e",
            "k8s-version:v1"
          ]
        }
      ],
      "acls": [
        {
          "group": "app",
          "tags": [
            "k8s-name:app-acl",
            "k8s-namespace:default",
            "k8s-kind:Secret",
            "k8s-uid:f1c5661c-a087-4c4b-b545-2d8b3870d661",
            "k8s-version:v1"
          ]
        }
      ]
    }
  ],
  "plugins": [
    {
      "name": "rate-limiting",
      "config": {
        "error_code": 429,
        "error_message": "API rate limit exceeded",
        "fault_tolerant": true,
        "hide_client_headers": false,
        "limit_by": "consumer",
        "policy": "local",
        "redis_database": 0,
        "redis_port": 6379,
        "redis_ssl": false,
        "redis_ssl_verify": false,
        "redis_timeout": 2000,
        "second": 2000
      },
      "consumer": "774f8446-6427-43f9-9962-ce7ab8097fe4",
      "enabled": true,
      "protocols": [
        "grpc",
        "grpcs",
        "http",
        "https"
      ],
      "tags": [
        "k8s-name:nginx-sample-1-rate",
        "k8s-namespace:default",
        "k8s-kind:KongPlugin",
        "k8s-uid:5163972c-543d-48ae-b0f6-21701c43c1ff",
        "k8s-group:configuration.konghq.com",
        "k8s-version:v1"
      ]
    },
    {
      "name": "rate-limiting",
      "config": {
        "error_code": 429,
        "error_message": "API rate limit exceeded",
        "fault_tolerant": true,
        "hide_client_headers": false,
        "limit_by": "consumer",
        "policy": "local",
        "redis_database": 0,
        "redis_port": 6379,
        "redis_ssl": false,
        "redis_ssl_verify": false,
        "redis_timeout": 2000,
        "second": 2000
      },
      "consumer": "774f8446-6427-43f9-9962-ce7ab8097fe4",
      "enabled": true,
      "protocols": [
        "grpc",
        "grpcs",
        "http",
        "https"
      ],
      "tags": [
        "k8s-name:nginx-sample-2-rate",
        "k8s-namespace:default",
        "k8s-kind:KongPlugin",
        "k8s-uid:89fa1cd1-78da-4c3e-8c3b-32be1811535a",
        "k8s-group:configuration.konghq.com",
        "k8s-version:v1"
      ]
    },
    {
      "name": "acl",
      "config": {
        "allow": [
          "nginx-sample-1",
          "app"
        ],
        "hide_groups_header": false
      },
      "service": "default.nginx-sample-1.nginx-sample-1.80",
      "enabled": true,
      "protocols": [
        "grpc",
        "grpcs",
        "http",
        "https"
      ],
      "tags": [
        "k8s-name:nginx-sample-1",
        "k8s-namespace:default",
        "k8s-kind:KongPlugin",
        "k8s-uid:b9373482-32e1-4ac3-bd2a-8926ab728700",
        "k8s-group:configuration.konghq.com",
        "k8s-version:v1"
      ]
    }
  ],
  "upstreams": [
    {
      "name": "nginx-sample-1.default.80.svc",
      "algorithm": "round-robin",
      "tags": [
        "k8s-name:nginx-sample-1",
        "k8s-namespace:default",
        "k8s-kind:Service",
        "k8s-uid:f7cc87f4-d5f7-41f8-b4e3-70608017e588",
        "k8s-version:v1"
      ],
      "targets": [
        {
          "target": "nginx-sample-1.default.svc:80"
        }
      ]
    }
  ]
}

the returned response and return code relies on the flatten_errors url param.

  • with flatten_errors=0 or unset

    {
  "name": "invalid declarative configuration",
  "fields": {
    "plugins": [
      {
        "consumer": {
          "id": "missing primary key"
        }
      }
    ]
  },
  "message": "declarative config is invalid: {plugins={{consumer={id=\"missing primary key\"}}}}",
  "code": 14
}

  • with flatten_errors=1

    {
  "message": "An unexpected error occurred"
}

    and the following stack trace in logs

    2023/04/28 08:29:29 [error] 1204#0: *1464 [lua] api_helpers.lua:516: handle_error(): /usr/local/share/lua/5.1/lapis/application.lua:424: /usr/local/share/lua/5.1/kong/db/errors.lua:790: attempt to index local 'entity' (a string value)
stack traceback:
 /usr/local/share/lua/5.1/kong/db/errors.lua: in function 'add_entity_errors'
 /usr/local/share/lua/5.1/kong/db/errors.lua:797: in function 'add_entity_errors'
 /usr/local/share/lua/5.1/kong/db/errors.lua:853: in function 'flatten_errors'
 /usr/local/share/lua/5.1/kong/db/errors.lua:970: in function 'declarative_config_flattened'
 /usr/local/share/lua/5.1/kong/api/routes/config.lua:136: in function 'fn'
 /usr/local/share/lua/5.1/kong/api/api_helpers.lua:287: in function </usr/local/share/lua/5.1/kong/api/api_helpers.lua:270>
stack traceback:
 [C]: in function 'error'
 /usr/local/share/lua/5.1/lapis/application.lua:424: in function 'handler'
 /usr/local/share/lua/5.1/lapis/application.lua:146: in function 'resolve'
 /usr/local/share/lua/5.1/lapis/application.lua:183: in function </usr/local/share/lua/5.1/lapis/application.lua:181>
 [C]: in function 'xpcall'
 /usr/local/share/lua/5.1/lapis/application.lua:189: in function 'dispatch'
 /usr/local/share/lua/5.1/lapis/nginx.lua:231: in function 'serve'
 /usr/local/share/lua/5.1/kong/init.lua:1572: in function 'admin_content'
 content_by_lua(nginx-kong.conf:320):2: in main chunk, client: 10.244.0.10, server: kong_admin, request: "POST /config?flatten_errors=1 HTTP/2.0", host: "gw-kong-admin.kong.svc.cluster.local:8444"

Expected Behavior

No 500 with flatten_errors=1

Steps To Reproduce

  1. Spin up Gateway version 3.2

  2. Apply the above mentioned config via e.g. curl

    curl -sk -XPOST https://<ADMIN_API_ADDRESS>:8444/config?flatten_errors=1 -d @j.json

  3. Observe 500 status code returned and stack trace in kong logs

Anything else?

This was observed when running in conjunction with KIC using the following set of kubernetes manifests Kong/kubernetes-ingress-controller#3928 :

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-sample-1
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-sample-1
  template:
    metadata:
      labels:
        app: nginx-sample-1
    spec:
      containers:
      - image: nginx
        name: nginx-sample-1
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80
          name: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    konghq.com/methods: GET
    kubernetes.io/ingress.class: kong
  name: nginx-sample-1
  namespace: default
spec:
  rules:
  - http:
      paths:
      - backend:
          service:
            name: nginx-sample-1
            port:
              number: 80
        path: /sample/1
        pathType: ImplementationSpecific
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    ingress.kubernetes.io/service-upstream: 'true'
    konghq.com/plugins: nginx-sample-1 #,nginx-sample-1-rate # removing this breaks Kong but it does not validate on webhook
  name: nginx-sample-1
  namespace: default
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx-sample-1
---
apiVersion: configuration.konghq.com/v1
config:
  allow:
  - nginx-sample-1
  - app
  hide_groups_header: false
kind: KongPlugin
metadata:
  name: nginx-sample-1
  namespace: default
plugin: acl
---
apiVersion: configuration.konghq.com/v1
config:
  allow:
  - nginx-sample-2
  - app
  hide_groups_header: false
kind: KongPlugin
metadata:
  name: nginx-sample-2
  namespace: default
plugin: acl
---
apiVersion: configuration.konghq.com/v1
config:
  fault_tolerant: true
  hide_client_headers: false
  limit_by: consumer
  policy: local
  second: 2000
kind: KongPlugin
metadata:
  name: nginx-sample-1-rate
  namespace: default
plugin: rate-limiting
---
apiVersion: v1
data:
  kongCredType: YmFzaWMtYXV0aA==
  password: NmVmNzI4ZGUtYmE2OC00ZTU5LWFjYjktNmU1MDJjMjhhZTBi
  username: Nzc0Zjg0NDYtNjQyNy00M2Y5LTk5NjItY2U3YWI4MDk3ZmU0
kind: Secret
metadata:
  name: app-cred
  namespace: default
---
apiVersion: v1
data:
  group: YXBw
  kongCredType: YWNs
kind: Secret
metadata:
  name: app-acl
  namespace: default
---
apiVersion: configuration.konghq.com/v1
config:
  fault_tolerant: true
  hide_client_headers: false
  limit_by: consumer
  policy: local
  second: 2000
kind: KongPlugin
metadata:
  name: nginx-sample-2-rate
  namespace: default
plugin: rate-limiting
---
apiVersion: configuration.konghq.com/v1
credentials:
- app-acl
- app-cred
kind: KongConsumer
metadata:
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/plugins: nginx-sample-1-rate,nginx-sample-2-rate # This is necessary for nginx-sample-1 Service to break Kong's config
  name: app
  namespace: default
username: 774f8446-6427-43f9-9962-ce7ab8097fe4
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: kong
spec:
  controller: ingress-controllers.konghq.com/kong
@pmalek pmalek added the bug label Apr 28, 2023
@pmalek pmalek mentioned this issue Apr 28, 2023
Closed
1 task
@pmalek
Copy link
Member Author

pmalek commented May 10, 2023

Tracked internally under KAG-1519

@flrgh flrgh self-assigned this May 18, 2023
@flrgh flrgh mentioned this issue May 19, 2023
Merged
3 tasks
flrgh added a commit that referenced this issue May 22, 2023
@flrgh
fix(dbless): handle unexpected types when flattening errors
d2e3d81 
fixes #10767

This fixes error-flattening for a case where the declarative validation
yields really odd results.
gszr pushed a commit that referenced this issue May 26, 2023
@flrgh @gszr
fix(dbless): handle unexpected types when flattening errors
f014956 
fixes #10767

This fixes error-flattening for a case where the declarative validation
yields really odd results.
flrgh added a commit that referenced this issue May 26, 2023
@flrgh
fix(dbless): handle unexpected types when flattening errors
9da4e8d 
fixes #10767

This fixes error-flattening for a case where the declarative validation
yields really odd results.
flrgh added a commit that referenced this issue May 26, 2023
@flrgh
fix(dbless): handle unexpected types when flattening errors
5b092e1 
fixes #10767

This fixes error-flattening for a case where the declarative validation
yields really odd results.
flrgh added a commit that referenced this issue May 26, 2023
@flrgh
fix(dbless): handle unexpected types when flattening errors
4abb999 
fixes #10767

This fixes error-flattening for a case where the declarative validation
yields really odd results.
flrgh added a commit that referenced this issue May 26, 2023
@flrgh
fix(dbless): handle unexpected types when flattening errors
5170d34 
fixes #10767

This fixes error-flattening for a case where the declarative validation
yields really odd results.
lhanjian pushed a commit that referenced this issue Dec 23, 2024
@AndyZhang0707
tests(dao): ignore updated_at field during comparison of the update a…
fa0ad5f 
…nd upsert operations (#10767)

* tests(dao): ignore updated_at field during comparison of the update and upsert operations

* tests(dao): verify updated_at for update and upsert operations
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@flrgh flrgh

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(dbless): handle unexpected types when flattening errors Kong/kong
2 participants
@pmalek @flrgh