-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUGFIX] Plugins should be valid when StatusOK is returned by the kong API #81
[BUGFIX] Plugins should be valid when StatusOK is returned by the kong API #81
Conversation
Codecov Report
@@ Coverage Diff @@
## main #81 +/- ##
==========================================
- Coverage 43.06% 37.68% -5.39%
==========================================
Files 41 41
Lines 3641 3641
==========================================
- Hits 1568 1372 -196
- Misses 1769 2017 +248
+ Partials 304 252 -52
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, not really sure where we got this from. https://github.com/Kong/kong/blame/f95f755864589ff2884aa7f4f6f3da7e40063980/kong/api/routes/kong.lua#L157 indicates that it's always been 200. The original KIC version apparently only failed on errors, so I'm guessing 400s were considered errors even though it's a valid HTTP response--kinda weird but whatever.
The StatusCreated
check isn't necessary, but I suppose there's no harm keeping it in case there is some weird legacy reason we had that. https://github.com/Kong/kubernetes-ingress-controller/blame/v1.2.0/internal/admission/validator.go#L99 indicates it had been like that forever, without any explanation.
@rainest thanks! nvm, just noticed your new PR to bump the version. |
When go-kong calls the kong API
schemas/plugins/validate
endpoint as part ofValidate
, it only returnstrue
if the statusCode isStatusCreated
but the kong API returns a 200 (StatusOK
). As far as I can tell, earlier versions of the kong API returned a 200 as well.This means that when a valid plugin is checked by the validatingwebhook in the kong-ingress-controller the webhook will block the resource from being created. It's also hard to understand why the webhook blocked it as there is no error returned back (rightfully so in this case as the plugin is valid). For example it results in an error like this:
It seems possible that when this code was ported out of the kong-ingress-controller it tried copying some of the same logic over (which did include a check for status == 201) and maybe why this came about. This PR in the kong-ingress-controller could help explain why that logic exist here and shows that the old logic allowed all status codes to be considered valid.
Again I've not been able to find a reference in the existing kong API (or previous versions) that would indicate a 201 was ever returned as a result of this API call, but I've left it here in case there is some context that I've missed somewhere.