AuthService no longer recognized tls options #1202

Closed
HT154 opened this issue Feb 11, 2019 · 3 comments · Fixed by #1229

HT154 commented Feb 11, 2019

Describe the bug
v1 AuthService throws an error when specifying the tls property.

auth-web.default.1: not a valid AuthService: Additional properties are not allowed ('tls' was unexpected)

Failed validating 'additionalProperties' in schema:
{'$schema': 'http://json-schema.org/schema#', 'additionalProperties': False, 'id': 'https://getambassador.io/schemas/mapping.json', 'properties': {'allow_request_body': {'type': 'boolean'}, 'allowed_authorization_headers': {'items': {'type': 'string'}, 'type': 'array'}, 'allowed_request_headers': {'items': {'type': 'string'}, 'type': 'array'}, 'ambassador_id': {'anyOf': [{'type': 'string'}, {'items': {'type': 'string'}, 'type': 'array'}]}, 'apiVersion': {'enum': ['ambassador/v1']}, 'auth_service': {'type': 'string'}, 'kind': {'type': 'string'}, 'name': {'type': 'string'}, 'path_prefix': {'type': 'string'}, 'proto': {'oneOf': [{'enum': ['http']}, {'enum': ['grpc']}]}, 'timeout_ms': {'type': 'integer'}}, 'required': ['apiVersion', 'kind', 'name', 'auth_service'], 'type': 'object'}

On instance:
{'apiVersion': 'ambassador/v1', 'auth_service': 'auth-web:443', 'kind': 'AuthService', 'name': 'auth-service', 'tls': True}

To Reproduce

"apiVersion": "ambassador/v1"
"auth_service": "auth-web:443"
"kind": "AuthService"
"name": "auth-service"
"tls": true

Expected behavior
The AuthService annotation continues to support the tls flag with the same semantics as before.

Versions (please complete the following information):

  • Ambassador: 0.50.0
  • Kubernetes environment: On-prem (kubeadm)
  • Version: v1.11.5

LiVe commented Feb 12, 2019

We're currently facing the same issue. We'd like to specify the tls context to use a service in our Istio mesh to handle auth.
e.g.:
tls: upstream

@iNoahNothing

It appears the tls: attribute was dropped from the v1 AuthService config. This should be corrected so we can support @LiVe's use case of having Istio secure the traffic between Ambassador and the external auth service.

@HT154 In the meantime, enabling https to the external auth service is still supported by specifying it in the auth_service attribute, e.g.:

"apiVersion": "ambassador/v1"
"auth_service": "https://auth-web:443"
"kind": "AuthService"
"name": "auth-service"
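
An added example, not part of the thread or of Ambassador's code: a stand-alone pre-deploy check that reproduces the 0.50.0 rejection using the property list from the schema quoted in the error above, and reports whether auth_service carries the https:// prefix suggested as the interim workaround. The function name check_authservice and the two sample dicts are constructed for illustration.

```python
from urllib.parse import urlsplit

# Property names copied from the ambassador/v1 AuthService schema printed in
# the 0.50.0 error message above ('additionalProperties': False).
ALLOWED = {
    "allow_request_body", "allowed_authorization_headers",
    "allowed_request_headers", "ambassador_id", "apiVersion",
    "auth_service", "kind", "name", "path_prefix", "proto", "timeout_ms",
}
REQUIRED = {"apiVersion", "kind", "name", "auth_service"}


def check_authservice(cfg):
    """Return (errors, uses_https) for one AuthService dict (hypothetical helper)."""
    errors = []
    for key in sorted(set(cfg) - ALLOWED):
        errors.append(
            f"Additional properties are not allowed ('{key}' was unexpected)")
    for key in sorted(REQUIRED - set(cfg)):
        errors.append(f"'{key}' is a required property")
    target = str(cfg.get("auth_service", ""))
    # "auth-web:443" has no scheme; only parse one when "://" is present.
    scheme = urlsplit(target).scheme.lower() if "://" in target else ""
    uses_https = scheme == "https"
    # Per the thread, 'tls: true' can be replaced by the https:// prefix.
    if cfg.get("tls") is True and not uses_https:
        errors.append("'tls: true' is rejected here; the thread's workaround "
                      "is an https:// prefix in auth_service")
    return errors, uses_https


# Constructed from the configs shown in the issue and in the workaround reply.
REPORTED = {"apiVersion": "ambassador/v1", "auth_service": "auth-web:443",
            "kind": "AuthService", "name": "auth-service", "tls": True}
WORKAROUND = {"apiVersion": "ambassador/v1",
              "auth_service": "https://auth-web:443",
              "kind": "AuthService", "name": "auth-service"}

if __name__ == "__main__":
    for label, cfg in (("reported", REPORTED), ("workaround", WORKAROUND)):
        errs, https = check_authservice(cfg)
        print(f"{label}: https_to_auth_service={https}")
        for e in errs:
            print(f"  - {e}")
```

A config that passes the schema but reports https_to_auth_service=False sends auth requests without the https:// prefix, which is worth reviewing before rollout.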

@kflynn kflynn self-assigned this Feb 15, 2019
@kflynn kflynn added this to the 0.50.2 milestone Feb 15, 2019
kflynn pushed a commit that referenced this issue Feb 15, 2019
@kflynn kflynn reopened this Feb 15, 2019
@richarddli

Fixed in 0.50.2
