kubernetes-ingress

[Bug]: When deleting or changing Api Key name NGINX Breaks/refuses update.

Open benshalev849 opened this issue 9 months ago • 13 comments

Version

3.7.0

What Kubernetes platforms are you running on?

Openshift

Steps to reproduce

Creating the following secret:

apiVersion: v1
kind: Secret
metadata:
  name: apikey-secret
type: nginx.org/apikey
stringData:
  client1: "demo"
  client2: "showcase"

Then attaching it to a policy:

apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
  name: apikey-policy
spec:
  apiKey:
    clientSecret: apikey-secret
    suppliedIn:
      header:
        - x-api-key

When deleting an API key using oc apply, the object does not update; when deleting via the OCP UI, it deletes.

In addition, when changing the name of a client, the configuration will break and remove the API key authentication from the config file.

The only way that I have managed to delete/change the name of API keys is to completely delete the secret and re-create it.

benshalev849 avatar Feb 19 '25 13:02 benshalev849

Hi @benshalev849 thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this :slightly_smiling_face:

Cheers!

github-actions[bot] avatar Feb 19 '25 13:02 github-actions[bot]

@benshalev849 could you please check what HTTP request the OCP UI sends to delete the API key? What is the output of oc apply run in verbose mode? Are the requests sent via the oc CLI and the OCP UI the same?

jjngx avatar Feb 19 '25 14:02 jjngx

@benshalev849 we will verify the behaviour using kubectl and local K8s cluster

jjngx avatar Feb 24 '25 16:02 jjngx

@jjngx Okay, ty! If you need anything else let me know :)

benshalev849 avatar Mar 05 '25 14:03 benshalev849

> @jjngx Okay, ty! If you need anything else let me know :)

https://github.com/nginx/kubernetes-ingress/issues/7384#issuecomment-2668764341

jjngx avatar Mar 05 '25 15:03 jjngx

@benshalev849 can you please provide us with the above info?

vepatel avatar Mar 11 '25 16:03 vepatel

@jjngx @vepatel

Hey, I am sorry for the late response, been a busy few weeks...

We are an on-prem deployment in a closed environment, so copying the command to GitHub is not really possible. When running it, though, I have not seen anything that may suggest it is related or broken.

Have you been able to replicate it locally with k8s?

Especially the change of name of the api key which just removes the api key config.

benshalev849 avatar Mar 12 '25 15:03 benshalev849

@benshalev849 we tried to repro this but unfortunately couldn't. Would you be able to give us a failing example and partial conf please? One from the api-key example in this repo should be okay as well.

vepatel avatar Mar 24 '25 16:03 vepatel

@benshalev849 I tried changing the keys in the data field of api-key-client-secret using kubectl apply and nginx seems to have picked up the changes. Can you try changing stringData to Data since keys are expected to be base64 encoded?

vepatel avatar Mar 27 '25 13:03 vepatel

@vepatel

The problem persists when:

You delete a key and value (e.g. deleting client1 completely, along with its value, and applying).

And when you change the key, for example changing clienttests to demo will break it, not the value demo, changing only the value and not the key itself works.

And we will try changing to Data from stringData, it's just easier to configure like that when you see the api key itself.

benshalev849 avatar Apr 06 '25 14:04 benshalev849

I tried to reproduce this with our example in a local k8s cluster with kubectl apply but I also did not encounter the issue.

By default, the api-key-secret.yaml is

apiVersion: v1
kind: Secret
metadata:
  name: api-key-client-secret
type: nginx.org/apikey
data:
    client1: cGFzc3dvcmQ= # password
    client2: YW5vdGhlci1wYXNzd29yZA== # another-password

and the map in the generated NGINX config is

map $apikey_auth_token $apikey_auth_client_name_default_cafe_api_key_policy {
    default "";
    "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8" "client1";
    "5b6cb866b79cfaffe4162718f97eacafa6732e3d340622fcbda84582840eb9ec" "client2";
}

Then I renamed the key from client1 to client1b, i.e.

apiVersion: v1
kind: Secret
metadata:
  name: api-key-client-secret
type: nginx.org/apikey
data:
    client1b: cGFzc3dvcmQ= # password
    client2: YW5vdGhlci1wYXNzd29yZA== # another-password

the NGINX config becomes:

map $apikey_auth_token $apikey_auth_client_name_default_cafe_api_key_policy {
    default "";
    "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8" "client1b";
    "5b6cb866b79cfaffe4162718f97eacafa6732e3d340622fcbda84582840eb9ec" "client2";
}

And if I delete client1

apiVersion: v1
kind: Secret
metadata:
  name: api-key-client-secret
type: nginx.org/apikey
data:
    client2: YW5vdGhlci1wYXNzd29yZA== # another-password

it is gone from the NGINX config as well

map $apikey_auth_token $apikey_auth_client_name_default_cafe_api_key_policy {
    default "";
    "5b6cb866b79cfaffe4162718f97eacafa6732e3d340622fcbda84582840eb9ec" "client2";
}

Are these the operations you were trying to perform on the OpenShift cluster? Since we could not reproduce the issue, I wonder if it could be an environment- or configuration-related issue?

haywoodsh avatar Apr 29 '25 18:04 haywoodsh
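A way to check whether a rename or delete in the Secret actually reached the generated map, added here as an example and not part of the thread or of the project's code. It assumes what the sample above shows (each map key is the hex SHA-256 of the decoded key value, and the input is the Secret's base64 `data` as returned by the API server); the function names and sample inputs are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample: Secret data after renaming client1 -> client1b.
SECRET_DATA = {
    "client1b": "cGFzc3dvcmQ=",
    "client2": "YW5vdGhlci1wYXNzd29yZA==",
}

# Constructed sample: a generated map that did NOT pick up the rename.
STALE_MAP = '''
map $apikey_auth_token $apikey_auth_client_name_default_cafe_api_key_policy {
    default "";
    "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8" "client1";
    "5b6cb866b79cfaffe4162718f97eacafa6732e3d340622fcbda84582840eb9ec" "client2";
}
'''

# Matches one `"<sha256 hex>" "<client name>";` line inside the map block.
ENTRY = re.compile(r'^\s*"([0-9a-f]{64})"\s+"([^"]*)";\s*$', re.M)


def expected_entries(secret_data):
    """Return {sha256(decoded key value): client name} for a Secret's data."""
    out = {}
    for client, b64 in secret_data.items():
        raw = base64.b64decode(b64, validate=True)
        digest = hashlib.sha256(raw).hexdigest()
        if digest in out:
            # Two clients sharing one key would collide on the same map entry.
            raise ValueError(f"{client} and {out[digest]} share the same API key")
        out[digest] = client
    return out


def parse_map(conf_text):
    """Return {digest: client name} parsed from generated NGINX map text."""
    return {m.group(1): m.group(2) for m in ENTRY.finditer(conf_text)}


def diff_map(secret_data, conf_text):
    """List clients missing from the config and stale clients still in it."""
    want, have = expected_entries(secret_data), parse_map(conf_text)
    return {
        "missing": sorted(c for d, c in want.items() if have.get(d) != c),
        "stale": sorted(c for d, c in have.items() if want.get(d) != c),
    }


if __name__ == "__main__":
    print(diff_map(SECRET_DATA, STALE_MAP))
```

A non-empty `stale` list means the config still authenticates a client name that no longer exists in the Secret.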

@benshalev849 It seems to be an issue with permissions in the service account that you are using to apply the changes. Could you check if the permissions are correct?

danielnginx avatar Jun 03 '25 15:06 danielnginx

@benshalev849 any updates on this?

vepatel avatar Jun 16 '25 15:06 vepatel

Hello, sorry for not responding, due to the current state here we did not get a chance to test this.

Once we test it we will let you know, thank you for the responses

benshalev849 avatar Jun 18 '25 15:06 benshalev849

We are closing this issue. If you have updates, please open a new issue.

danielnginx avatar Aug 25 '25 15:08 danielnginx