Merge 2.8.x into master #8899
Closed
Fix some bugs and warts in the aws-lambda plugin:

* Fix broken proxying by always using `https_proxy` with resty.http
* Deprecate `proxy_scheme` config param

Some minimal test coverage for proxying was added, and some defunct test cases were removed.
Bump plugin versions of rate-limiting and response-ratelimiting (2.8.x)
* Update Admin API note
* [DOCU-2140] Admin API: rm wording about cannot delete/mod
### Summary

Previously we used `ngx.IS_CLI` to determine whether we want a config secret or a process secret, that is:

- should we look in the database for an entity prefix
- should we look up our vault implementations by name

We decided (with Joshua) that talking about process secrets / config secrets is confusing to users, so I changed the detection algorithm to:

We look for an implementation by name when:

1. the name is one of the bundled vaults or specified in `KONG_VAULTS=...`
2. OR kong and kong.db is uninitialized

Otherwise, we look for a database prefix.

This PR also disallows configuring a Vault entity prefix with a value that is the name of one of the bundled vaults or specified in `KONG_VAULTS`. I also added admin API tests with this.
### Summary

When auto-dereferencing secrets fails, we have two options:

1. keep the value (which means the value is actually a reference such as `{vault://env/cert-1/key}`)
2. set the value to `nil`

In both cases the error is also logged.

The original implementation followed 1., but this commit changes it to 2. The reason is that reference strings can leak to secrets, which they are not meant to. For example, the session plugin has a secret. If you set the secret to `{vault://env/session-secret}` and the dereferencing fails, the secret becomes `{vault://env/session-secret}`. This can lead to a potential leak of the secret on a system that does not resolve secrets correctly. Or at least it is not a good idea that references can become secrets.

This commit changes it so that on failure we log the warning and also set the value to `nil`.
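The two failure behaviours described in the commit message above, as an added example (a constructed model, not Kong's code and not part of the original commit). The `ENV` table, the single-segment reference parser and the `session_key` consumer are assumptions made for illustration.

```lua
-- Added example: constructed model, not Kong's code.
-- ENV stands in for process environment variables (values are constructed).
local ENV = { cert_key = "constructed-key-material" }  -- session_secret is deliberately unset

-- Return the resource name from "{vault://env/<name>}", or nil if not a reference.
local function parse_reference(value)
  if type(value) ~= "string" then return nil end
  return value:match("^{vault://env/([%w_%-]+)}$")
end

-- Resolve every reference in conf. on_failure is "keep" (old) or "nil" (new).
local function dereference(conf, on_failure)
  local out, failed = {}, {}
  for field, value in pairs(conf) do
    local resource = parse_reference(value)
    if not resource then
      out[field] = value                      -- plain value, copy through
    else
      local name = resource:gsub("%-", "_")   -- "-" becomes "_" for the env lookup
      local secret = ENV[name]
      if secret ~= nil then
        out[field] = secret
      else
        failed[#failed + 1] = field           -- both behaviours report the failure
        if on_failure == "keep" then out[field] = value end
      end
    end
  end
  return out, failed
end

-- Hypothetical consumer that requires a secret and refuses to run without one.
local function session_key(conf)
  if conf.secret == nil then
    return nil, "secret is not configured"
  end
  return conf.secret
end

local conf = { secret = "{vault://env/session-secret}", key = "{vault://env/cert-key}" }
for _, mode in ipairs({ "keep", "nil" }) do
  local resolved, failed = dereference(conf, mode)
  local key, err = session_key(resolved)
  print(mode, "failed=" .. table.concat(failed, ","), "key=" .. tostring(key), "err=" .. tostring(err))
end
```

With `keep`, the consumer's nil check passes and the publicly guessable reference string is used as the key; with `nil`, the same check fails closed.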
…its name

### Summary

This will just convert possible `-` in strategy name with `_` when loading its configuration for process secrets.
### Summary

This will just convert possible `-` in resource name with `_` when looking up for an environment variable.
### Summary

See: https://github.com/leafo/pgmoon/releases/tag/v1.14.0

### Issues Resolved

Fix #8259
* fix(declarative) initialize hash for empty config
* docs(CHANGELOG) feature description
### Summary

This fixes the vault to fill default values for configuration based on a config field schema in case the field is required and has a default value, when there is no configuration for the field already.
### Summary

It was reported that when the Kong OAuth 2.0 plugin is configured together with some other authentication plugin with `conf.anonymous` (logical OR), the OAuth 2.0 plugin does not clear the `X-Authenticated-UserId` and `X-Authenticated-Scope` headers that it normally only sets on successful authentication (aka when the plugin runs). This can lead to a potential issue on the upstream if the upstream relies on these headers and trusts that they came from the OAuth 2.0 plugin.

This change makes the OAuth 2.0 plugin clear such headers in the logical OR scenario. It is to be noted that Kong itself worked as expected; it is just about the expectations that the upstream service may have made. It is probably harmless to remove these headers when the OAuth 2.0 plugin is configured in logical OR.
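The logical-OR case described in the commit message above, as an added example (a constructed model, not Kong's code and not part of the original commit). The two header names come from the commit message; the `key_auth` plugin, the request table, the credentials and the upstream function are hypothetical.

```lua
-- Added example: constructed model of a logical-OR auth chain, not Kong's code.
local OAUTH2_HEADERS = { "x-authenticated-userid", "x-authenticated-scope" }

-- Hypothetical first plugin: authenticates by API key and sets the consumer.
local function key_auth(req)
  if req.headers["apikey"] == "constructed-key" then
    req.consumer = "alice"
  end
end

-- Model of the OAuth 2.0 step. With conf.anonymous set and a consumer already
-- authenticated, the plugin does not run; `clear` selects the behaviour after the change.
local function oauth2(req, conf, clear)
  if conf.anonymous and req.consumer then
    if clear then
      for _, name in ipairs(OAUTH2_HEADERS) do req.headers[name] = nil end
    end
    return
  end
  if req.headers["authorization"] == "Bearer constructed-token" then
    req.consumer = "bob"
    req.headers["x-authenticated-userid"] = "bob"
    req.headers["x-authenticated-scope"] = "read"
  end
end

-- Hypothetical upstream that trusts the header as if OAuth 2.0 had set it.
local function upstream_identity(req)
  return req.headers["x-authenticated-userid"] or req.consumer
end

local function run(clear)
  local req = { headers = {
    ["apikey"] = "constructed-key",
    ["x-authenticated-userid"] = "admin",   -- supplied by the client, not by the plugin
  } }
  key_auth(req)
  oauth2(req, { anonymous = "anonymous-consumer-id" }, clear)
  return upstream_identity(req)
end

print("before change:", run(false))
print("after change: ", run(true))
```

An upstream that depends on these headers should only accept them from a gateway that strips inbound copies on every code path, including the path where the plugin is skipped.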
The properties `go_pluginserver_exe` and `go_pluginserver` are deprecated in favor of new multi-pluginservers implementation. Compatibility code will remain in place until 3.0, when it will be removed.
### Summary

Adds "autogen" docs to vault_beta entity.

Co-authored-by: Joshua Schmid <jaiks@posteo.de>
* feat(prometheus) add nginx timer metrics

  This adds gauges to track ngx.timer.running_count() and ngx.timer.pending_count() as requested in #7670.

* style(prometheus) rename metrics from current timers to just timers

  Per suggestion, to avoid confusion.

* fix(prometheus) fix timer tests failing

  The tests were accidentally matching in plain mode so '%d+' was not understood.

* perf(prometheus) localize ngx timer functions
Co-authored-by: Guilherme Salazar <gsz@acm.org>
### Summary

See the code, it is an obvious bug.
This reverts commit cd9dbb1.
Co-authored-by: lena-larionova <54370747+lena-larionova@users.noreply.github.com>
…g-function chore(scripts) add missing update_docker function in release/2.8.x
Fixed a bug in the c_rehash script which was not properly sanitising shell metacharacters to prevent command injection ([CVE-2022-1292](https://www.openssl.org/news/vulnerabilities.html#CVE-2022-1292)).
Bump openssl 1.1.1o (backport 2.8)
github-actions bot added the changelog, chore, core/cli, core/clustering, core/db, core/docs, core/language/go, core/language/js, core/language/python, core/pdk, core/proxy, plugins/acme, plugins/aws-lambda, plugins/cors, plugins/datadog, plugins/oauth2, plugins/prometheus, plugins/rate-limiting and plugins/response-ratelimiting labels on Jun 3, 2022
locao pushed a commit that referenced this pull request on Apr 24, 2024
Labels: changelog, chore, core/cli, core/clustering, core/db, core/docs, core/language/go, core/language/js, core/language/python, core/pdk, core/proxy, plugins/acme, plugins/aws-lambda, plugins/cors, plugins/datadog, plugins/oauth2, plugins/prometheus, plugins/rate-limiting, plugins/response-ratelimiting, size/XXL
No description provided.