[BUGFIX] Plugins should be valid when StatusOK is returned by the kong API

[zackrobichaud]

When go-kong calls the kong API schemas/plugins/validate endpoint as part of Validate, it only returns true if the statusCode is StatusCreated but the kong API returns a 200 (StatusOK). As far as I can tell, earlier versions of the kong API returned a 200 as well.

This means that when a valid plugin is checked by the validatingwebhook in the kong-ingress-controller the webhook will block the resource from being created. It's also hard to understand why the webhook blocked it as there is no error returned back (rightfully so in this case as the plugin is valid). For example it results in an error like this:

Error from server: error when creating "xyz.yaml": admission webhook "validations.kong.konghq.com" denied the request without explanation

It seems possible that when this code was ported out of the kong-ingress-controller it tried copying some of the same logic over (which did include a check for status == 201) and maybe why this came about. This PR in the kong-ingress-controller could help explain why that logic exist here and shows that the old logic allowed all status codes to be considered valid.

Again I've not been able to find a reference in the existing kong API (or previous versions) that would indicate a 201 was ever returned as a result of this API call, but I've left it here in case there is some context that I've missed somewhere.

[CLAassistant]

All committers have signed the CLA.

[codecov-commenter]

Codecov Report

Merging #81 (c9142c6) into main (3d56b18) will decrease coverage by 5.38%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main      #81      +/-   ##
==========================================
- Coverage   43.06%   37.68%   -5.39%     
==========================================
  Files          41       41              
  Lines        3641     3641              
==========================================
- Hits         1568     1372     -196     
- Misses       1769     2017     +248     
+ Partials      304      252      -52     

Flag	Coverage Δ
2.0.5	37.68% <0.00%> (ø)
2.1.4	37.48% <0.00%> (ø)
2.2.2	37.48% <0.00%> (ø)
2.3.3	37.48% <0.00%> (ø)
2.4.0	37.48% <0.00%> (ø)
community	37.68% <0.00%> (ø)
enterprise	?
enterprise-1.5.0.11	?
enterprise-2.1.4.6	?
enterprise-2.2.1.3	?
enterprise-2.3.3.2	?
integration	37.68% <0.00%> (-5.39%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
kong/plugin_service.go	50.72% <0.00%> (ø)
kong/mtls_auth_service.go	0.00% <0.00%> (-63.74%)	⬇️
kong/workspace_service.go	0.00% <0.00%> (-53.58%)	⬇️
kong/admin_service.go	0.00% <0.00%> (-19.12%)	⬇️
kong/credentials.go	85.71% <0.00%> (-14.29%)	⬇️
kong/utils.go	75.60% <0.00%> (-3.66%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3d56b18...c9142c6. Read the comment docs.

[rainest]

Yeah, not really sure where we got this from. https://github.com/Kong/kong/blame/f95f755864589ff2884aa7f4f6f3da7e40063980/kong/api/routes/kong.lua#L157 indicates that it's always been 200. The original KIC version apparently only failed on errors, so I'm guessing 400s were considered errors even though it's a valid HTTP response--kinda weird but whatever.

The StatusCreated check isn't necessary, but I suppose there's no harm keeping it in case there is some weird legacy reason we had that. https://github.com/Kong/kubernetes-ingress-controller/blame/v1.2.0/internal/admission/validator.go#L99 indicates it had been like that forever, without any explanation.

[zackrobichaud]

@rainest thanks! Do y'all have a general timeline that you'll push new releases of this out. In our case we'll still have to wait for the changes here to make their way into the KIC as thats where we faced this issues. For now we've just disabled the webhook but curious so that we can re-enable once things are updated.

nvm, just noticed your new PR to bump the version.