gloo
Provide webhook validation for all Gloo resources
Ideally, the existing validating webhook should provide validation for some of the resources defined in the gloo.solo.io api group.
Validation could be useful for:
- [ ] upstreamgroups.gloo.solo.io
- [x] upstreams.gloo.solo.io (https://github.com/solo-io/gloo/issues/5173)
- [ ] settings.gloo.solo.io (Possibly?)
- [ ] enterprise.gloo.solo.io
- [x] Secrets (https://github.com/solo-io/gloo/pull/5470)
- [ ] ConfigMaps
- [ ] https://github.com/solo-io/gloo/issues/5636
- [ ] https://github.com/solo-io/gloo/issues/5810
Somewhat related to https://github.com/solo-io/gloo/issues/2114
This means that incorrect rate limit settings being applied can bring down the control plane
Edited the initial issue to include the enterprise.gloo.solo.io api group, mainly to perform validation on AuthConfig resources.
For example, this could prevent an existing issue with malformed AuthConfigs causing segfaults (although we should fix that issue as well, but validation will still be useful)
Part 1, Upstreams: https://github.com/solo-io/gloo/issues/5173 (completed)
Part 2, Secrets: https://github.com/solo-io/gloo/issues/5366 (completed)
State of ConfigMap Validation:
ConfigMaps are referenced within extauth by OpaAuth. ConfigMap delete validation was not implemented along with secrets due to a disconnect between our Sync() behavior and the validation server's Validate() behavior. Sync translates envoy, followed by extensions (ratelimit, extauth). The Validate function only translates envoy config, it does not handle extensions. The goal is for Validate to almost mirror the behavior of Sync, so we need support for extensions in Validate in order to validate AuthConfigs, and thus detect the deletion of a ConfigMap that's still being referenced.
Hi, there is this issue, related to the topic of this milestone but not covered by the requirements.
https://github.com/solo-io/gloo/issues/5636
Should it be part of this? Thank you
further considerations:
- requires helm hook on upgrade to ensure valid with both new and old gloo validation loops
- users may find webhook preventing deletion of k8s services not acceptable?
- we can add feature to require label on svcs to be seen (and validated) by gloo to limit impact here
as part of https://github.com/solo-io/gloo/issues/5721#issuecomment-1069500839
Perhaps we split each resource into its own issue for now and link em here
ratelimiting config and routeaction are most important ones that have come up recently.
Invalid data in secret referenced by an apiKeyAuth AuthConfig could prevent the Extauth Service from becoming ready. Logs the following:
{"level":"error","ts":"2022-08-29T20:17:45.022Z","caller":"runner/xds.go:162","msg":"failed to start xDS client","version":"1.10.29","error":"rpc error: code = Unknown desc = string field contains invalid UTF-8","stacktrace":"github.com/solo-io/solo-projects/projects/extauth/pkg/runner.(*configSource).Run.func1\n\t/go/src/github.com/solo-io/solo-projects/projects/extauth/pkg/runner/xds.go:162\ngithub.com/solo-io/go-utils/contextutils.(*exponentialBackoff).Backoff\n\t/go/pkg/mod/github.com/solo-io/[email protected]/contextutils/backoff.go:70\ngithub.com/solo-io/solo-projects/projects/extauth/pkg/runner.(*configSource).Run\n\t/go/src/github.com/solo-io/solo-projects/projects/extauth/pkg/runner/xds.go:169\ngithub.com/solo-io/ext-auth-service/pkg/server.Server.Run.func2\n\t/go/pkg/mod/github.com/solo-io/[email protected]/pkg/server/server.go:149"}
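As an added example (not code from the Gloo project or from this thread): the error in the log above is what protobuf marshalling reports when a string field holds bytes that are not valid UTF-8, so a validation step could check Secret values before they are accepted. The type and function names are hypothetical, the sample data is constructed, and checking every key is an assumption, since the thread does not say which key feeds the string field.

```go
package main

import (
	"fmt"
	"sort"
	"unicode/utf8"
)

// InvalidField records one Secret data entry that is not valid UTF-8.
type InvalidField struct {
	Key    string
	Offset int // byte offset of the first invalid sequence
}

// firstInvalidOffset returns the offset of the first malformed UTF-8 sequence, or -1.
func firstInvalidOffset(b []byte) int {
	for i := 0; i < len(b); {
		r, size := utf8.DecodeRune(b[i:])
		if r == utf8.RuneError && size == 1 { // size 3 is a literal U+FFFD, which is valid
			return i
		}
		i += size
	}
	return -1
}

// FindInvalidUTF8 checks every value (assumption: any key may end up in a
// protobuf string field) and returns the offending keys in sorted order.
func FindInvalidUTF8(data map[string][]byte) []InvalidField {
	var bad []InvalidField
	for key, val := range data {
		if off := firstInvalidOffset(val); off >= 0 {
			bad = append(bad, InvalidField{Key: key, Offset: off})
		}
	}
	sort.Slice(bad, func(i, j int) bool { return bad[i].Key < bad[j].Key })
	return bad
}

// constructedSecret is sample Secret data made up for this example.
func constructedSecret() map[string][]byte {
	return map[string][]byte{
		"api-key":   []byte("k3y-\u00e9\ufffd"), // valid, includes a real U+FFFD
		"broken":    {'a', 'b', 0xff, 'c'},      // stray 0xff at offset 2
		"truncated": {0xe2, 0x82},               // cut-off 3-byte sequence
	}
}

func main() {
	for _, f := range FindInvalidUTF8(constructedSecret()) {
		fmt.Printf("reject: key %q has invalid UTF-8 at byte %d\n", f.Key, f.Offset)
	}
}
```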
Related issue. Validation becomes slow at scale https://github.com/solo-io/solo-projects/issues/4031
This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.