-
Notifications
You must be signed in to change notification settings - Fork 591
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The response-transformer plugin continuously detects outdated configuration to synchronize #102
Comments
@jaygorrell Could you please try the following? apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: add-security-headers
config:
add:
headers: "X-Xss-Protection:1; mode=block" |
I tried the string formatted values instead of a list but didn't have any luck, but I did get this worked out. Looking at
It iterates over each k/v in the config map, making sure the
The value of the Changing my
It's also interesting and worth noting that the empty data structure in Kong is a map, while a populated value is a list. That's a little unintuitive but unrelated to Kong Ingress -- aside from how you need to match the values. I think there's still an issue to be addressed here in code for a better way to compare the objects but if you think this is acceptable, feel free to close the issue. |
I tried rolling out this temporary fix but hit another snag. Basically the order of the This means you would need to create the |
@jaygorrell Thank you for your detailed debugging and sharing the results. Like you already said, there are two separate issues at play here:
|
This issue should be fixed now with #106 merged in. Closing this, please re-open if needed. |
Summary
This has specifically been observed with the
response-transformer
plugin but may extend to others as well.In these cases, the
KongPlugin
resource is created (and attached to an Ingress), resulting in the entry correctly being added to Kong with a plugin associated to the route. The issue is that by watching the ingress-controller logs, you can see that the plugin is repeatedly trying to be updated.The larger risk here is that it may trigger things like Kong/kong#3423 this when many plugins are used.
Kong Ingress controller version
0.1.0
Kubernetes version
1.9.3
Environment
RDS Postgresql Kong Database
What happened
The
KongPlugin
was created and the Kong configuration was created, but the ingress-controller logs show that it thinks the two are out of sync and tries to persist the changes every 10 minutes.Immediately after saving a new configuration I can sometimes get a "up to date" message but on the next synchronization check (10 minutes?) it's back to being "outdated".
Expected behvaior
Updates are not attempted against Kong when the KongPlugin and Kong database appear to be in sync.
Steps To Reproduce
Attach this plugin to an Ingress using
response-transformer.plugin.konghq.com: add-security-headers
Tail the
ingress-controller
container logs filtered foradd-security-headers
Observe similar to the following logs that repeat regularly
Other Information
I spent a bit of time trying to further isolate this without much success. I did try specifying all components of the response-transformer plugin (remove/append/replace) with empty lists/maps with no success. I'm having trouble determining what exactly is causing it to think the values are mismatched.
The text was updated successfully, but these errors were encountered: