fix(plugins/acme): username/password is a valid authentication method #13496
Conversation
github-actions
bot
added
plugins/acme
cherry-pick kong-ee
github-actions
bot
added
the
chore
gruceo
force-pushed
the
acme-username
branch
3 times, most recently
from
5ae44a9
to
2501475
Compare
gruceo
changed the title
|
@fffonion can you take another look at the PR, please? |
| @@ -0,0 +1,3 @@ | |||
| message: "**ACME**: Fixed an issue where username and password were not accepted as valid authentication methods." | |||
| type: bugfix | |||
| scope: Plugin | |||
There was a problem hiding this comment.
we probably need an addtional changelog for the bumped dependency, as I
heard from @AndyZhang0707
|
also note the tests failed in spec/02-integration/09-hybrid_mode/09-config-compat_spec.lua:340 |
| @@ -43,6 +43,21 @@ local compatible_checkers = { | |||
| function (config_table, dp_version, log_suffix) | |||
| local has_update | |||
| for _, plugin in ipairs(config_table.plugins or {}) do | |||
| if plugin.name == 'acme' then | |||
| local config = plugin.config | |||
| if config.storage_config.redis.username ~= nil then | |||
There was a problem hiding this comment.
Thanks @fffonion. The test failure in spec/02-integration/09-hybrid_mode/09-config-compat_spec.lua:340 was actually eye-opening. It revealed that removing the new username/password fields will cause issues to older DPs. Therefore I'm going with the safest option which is to not do anything (just log the warning instead). I'd like some input from @nowNick here as well.
This is the updated log warning in the CP side when we create acme plugin and have DP 3.6.1:
kong-cp | 2024/08/15 22:21:38 [warn] 1811#0: *1294 [lua] checkers.lua:20: log_warn_message(): [clustering] Kong Gateway v3.8.0 configures acme plugin with redis username which is incompatible with dataplane version 3.6.1 and will not work in this release.. [id: e79130ba-32cb-456d-a541-9a159d072142, host: 0c0d4012bade, ip: 172.18.0.8, version: 3.6.1], client: 172.18.0.8, server: kong_cluster_listener, request: "GET /v1/outlet?node_id=e79130ba-32cb-456d-a541-9a159d072142&node_hostname=0c0d4012bade&node_version=3.6.1 HTTP/1.1", host: "kong-cp:8005"
kong-cp | 2024/08/15 22:21:38 [warn] 1811#0: *1294 [lua] checkers.lua:20: log_warn_message(): [clustering] Kong Gateway v3.8.0 configures acme plugin with redis password which is incompatible with dataplane version 3.6.1 and will not work in this release. Please use redis.auth config instead.. [id: e79130ba-32cb-456d-a541-9a159d072142, host: 0c0d4012bade, ip: 172.18.0.8, version: 3.6.1], client: 172.18.0.8, server: kong_cluster_listener, request: "GET /v1/outlet?node_id=e79130ba-32cb-456d-a541-9a159d072142&node_hostname=0c0d4012bade&node_version=3.6.1 HTTP/1.1", host: "kong-cp:8005"
There was a problem hiding this comment.
If we do not remove it via
config.storage_config.redis.username = nil
config.storage_config.redis.password = nilThe config will be refused by DP. A log warning may be not enough.
There was a problem hiding this comment.
It doesn't get refused. Added a test to prove it: 3ff5eb8
There was a problem hiding this comment.
This is interesting. How can the older schema validate the storage_config if it has unknown fields in it? This might be a sign of something else being wrong. E.g. sub-record validation does not work or something?
There was a problem hiding this comment.
I think the test here is probably wrong that send @gruceo to wrong direction.
There was a problem hiding this comment.
@bungle I think it's because some of the storage_config fields like username and password are actually supported in some older versions, it's just that the acme plugin didn't use it. I added this extra test: 8f1cb44
As you can see, username and password are supported until 3.6.1 but not in 3.5.0. In a 3.8.x CP pushing unkwnon fields to a 3.5.0 DP, the config reverts to older schema here: https://github.com/Kong/kong/blob/master/kong/clustering/compat/checkers.lua#L141-L162
kong-cp | 2024/08/19 10:57:34 [warn] 536#0: *1296 [lua] checkers.lua:20: log_warn_message(): [clustering] Kong Gateway v3.8.0 configures acme plugin with redis username which is incompatible with dataplane version 3.5.0 and will not work in this release. [id: df7ec872-23ac-4180-8f5b-1b810efadfcb, host: 0bfb8a368e8d, ip: 172.18.0.7, version: 3.5.0], client: 172.18.0.7, server: kong_cluster_listener, request: "GET /v1/outlet?node_id=df7ec872-23ac-4180-8f5b-1b810efadfcb&node_hostname=0bfb8a368e8d&node_version=3.5.0 HTTP/1.1", host: "kong-cp:8005"
kong-cp | 2024/08/19 10:57:34 [warn] 536#0: *1296 [lua] checkers.lua:20: log_warn_message(): [clustering] Kong Gateway v3.8.0 configures acme plugin with redis password which is incompatible with dataplane version 3.5.0 and will not work in this release. Please use redis.auth config instead. [id: df7ec872-23ac-4180-8f5b-1b810efadfcb, host: 0bfb8a368e8d, ip: 172.18.0.7, version: 3.5.0], client: 172.18.0.7, server: kong_cluster_listener, request: "GET /v1/outlet?node_id=df7ec872-23ac-4180-8f5b-1b810efadfcb&node_hostname=0bfb8a368e8d&node_version=3.5.0 HTTP/1.1", host: "kong-cp:8005"
kong-cp | 2024/08/19 10:57:34 [warn] 536#0: *1296 [lua] checkers.lua:20: log_warn_message(): [clustering] Kong Gateway v3.8.0 adapts acme plugin redis configuration to older version which is incompatible with dataplane version 3.5.0 and will revert to older schema. [id: df7ec872-23ac-4180-8f5b-1b810efadfcb, host: 0bfb8a368e8d, ip: 172.18.0.7, version: 3.5.0], client: 172.18.0.7, server: kong_cluster_listener, request: "GET /v1/outlet?node_id=df7ec872-23ac-4180-8f5b-1b810efadfcb&node_hostname=0bfb8a368e8d&node_version=3.5.0 HTTP/1.1", host: "kong-cp:8005"
cc @nowNick
| @@ -43,6 +43,21 @@ local compatible_checkers = { | |||
| function (config_table, dp_version, log_suffix) | |||
| local has_update | |||
| for _, plugin in ipairs(config_table.plugins or {}) do | |||
| if plugin.name == 'acme' then | |||
| local config = plugin.config | |||
| if config.storage_config.redis.username ~= nil then | |||
There was a problem hiding this comment.
If we do not remove it via
config.storage_config.redis.username = nil
config.storage_config.redis.password = nilThe config will be refused by DP. A log warning may be not enough.
Fixed an issue where username and password were not accepted as a valid authentication method. This is already accepted as valid authentication method in other plugins that use the shared Redis library such as the rate-limiting plugin. Depends on this PR of lua-resty-acme: fffonion/lua-resty-acme#121 Fix FTI-6143
gruceo
removed
the
cherry-pick kong-ee
Fixed an issue where username and password were not accepted as valid authentication methods.
Depends on this PR of lua-resty-acme: fffonion/lua-resty-acme#121
Fix FTI-6143
Summary
Checklist
changelog/unreleased/kongorskip-changeloglabel added on PR if changelog is unnecessary. README.mdIssue reference
Fix FTI-6143