fix(acme): sanity test can work with "kong" storage in Hybrid mode #10852
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently, there is a technical limitation in hybrid mode, that is, the
DP side cannot perform any write database operation. However, when the
sanity test is executed and the account identifier information is needed
to write to storage, we will skip this operation (after a private
discussion with @wangchong) and return 200 directly in this
situation. This will not have any substantial impact on the
functionality.
ms2008
force-pushed
the
fix/acme-sanity-test
branch
from
1086eb1
to
a46604d
Compare
kong/plugins/acme/handler.lua
Outdated
| -- creating account through proxy side with "kong" storage in Hybrid mode is not supported | ||
| -- if this is just a sanity test, we always return 200 status | ||
| if captures[1] == "x" and kong.configuration.role == "data_plane" and conf.storage == "kong" then | ||
| return kong.response.exit(200, { message = "ok" }) |
There was a problem hiding this comment.
If it's impossible to go through the process, should we instead return 422 or something?
There was a problem hiding this comment.
@fffonion I believe we got it wrong yesterday. The correct fix should be to always return 404 instead of 200.
ms2008
force-pushed
the
fix/acme-sanity-test
branch
2 times, most recently
from
dcd73e3
to
0285e36
Compare
| -- creating account through proxy side with "kong" storage in Hybrid mode is not supported | ||
| -- if this is just a sanity test, we always return 404 status | ||
| if captures[1] == "x" and kong.configuration.role == "data_plane" and conf.storage == "kong" then | ||
| return kong.response.exit(404, "Not found\n") |
There was a problem hiding this comment.
Actually, we do not need to include a reason phrase here(it's added automatically) and the second arg is the response body.
Suggested change
| return kong.response.exit(404, "Not found\n") | |
| return kong.response.exit(404) |
There was a problem hiding this comment.
actually we need that body as well, since we check it in our sanity test
https://github.com/Kong/kong/blob/master/kong/plugins/acme/api.lua#L103
fffonion
approved these changes
May 12, 2023
ms2008
force-pushed
the
fix/acme-sanity-test
branch
from
0285e36
to
3801192
Compare
|
merge on green |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Currently, there is a technical limitation in hybrid mode, that is, the DP side cannot perform any write database operation. However, when the sanity test is executed and the account identifier information is needed to write to storage, we will skip this operation (after a private discussion with @fffonion) and always return 404 directly with all storages. This will not have any substantial impact on the functionality.
Checklist
Full changelog
Issue reference
Fix FTI-4909