Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KubernetesEndpointResolver works with the name "endpoint" only #1497

Closed
ankurpshah opened this issue May 6, 2019 · 1 comment
Closed

KubernetesEndpointResolver works with the name "endpoint" only #1497

ankurpshah opened this issue May 6, 2019 · 1 comment
Assignees
@kflynn
Milestone
pedrera

Comments

@ankurpshah
Copy link

Describe the bug
KubernetesEndpointResolver works with the name endpoint only. An override doesn't work.

To Reproduce
Following configuration doesn't work:

      ---
      apiVersion: ambassador/v1
      kind: KubernetesEndpointResolver
      name: my_endpoint
      ---
      apiVersion: ambassador/v1
      kind: Module
      name: ambassador
      ambassador_id: ambassador-80
      config:
        service_port: 8080
        resolver: my_endpoint

But this works:

      ---
      apiVersion: ambassador/v1
      kind: KubernetesEndpointResolver
      name: endpoint
      ---
      apiVersion: ambassador/v1
      kind: Module
      name: ambassador
      ambassador_id: ambassador-80
      config:
        service_port: 8080
        resolver: endpoint

Expected behavior
KubernetesEndpointResolver should work with name override.

Versions (please complete the following information):

  • Ambassador: 0.60.3
  • Kubernetes environment: AWS KOPS
  • Version 1.14.1
@kflynn kflynn added this to the parc-güell milestone May 9, 2019
@kflynn kflynn changed the title KubernetesEndpointResolver works with the name endpoint only KubernetesEndpointResolver works with the name "endpoint" only May 10, 2019
@kflynn kflynn modified the milestones: parc-güell, pedrera May 20, 2019
@kflynn kflynn assigned kflynn and unassigned gsagula Jun 5, 2019
@kflynn
Copy link
Member

kflynn commented Jun 5, 2019

This worked with annotations, but CRDs had some issues around what was a legal name (see also #1562) and around Resolver CRDs with no spec.

@kflynn kflynn closed this as completed Jun 6, 2019
alexgervais pushed a commit that referenced this issue Jul 10, 2020
(from AES) Merge pull request #1497 from datawire/ark3/epc-kill-all-s…
fced767 
…essions

[Pen Test] Allow Log Out of All EPC Sessions

Adds a mechanism to invalidate all outstanding JWTs for the Edge Policy Console. The JWT's Subject field holds an optional nonce that must match the nonce stored in Redis.

- The original token from edgectl login does not have the nonce
  - This is accepted by the auth check
  - This token expires so we don't need to worry about it
- Any user activity refreshes the token, which adds the nonce
  - This is _the way_ we refresh tokens; there's no way to avoid this
  - The auth check requires this nonce to match the one in redis
- Clearing the nonce in redis causes a new one to be generated
  - The new nonce will be different (it's based on the clock)
  - So all old tokens will be invalid because the nonce won't match

Also adds a button in the Debugging page to log out of all sessions and an associated endpoint to clear/regenerate the nonce to achieve that.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kflynn kflynn

Labels
None yet
Projects
None yet
Milestone
pedrera
Development

No branches or pull requests
3 participants
@ankurpshah @gsagula @kflynn