-
Notifications
You must be signed in to change notification settings - Fork 335
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(kuma-dp): tolerate endline in token file #5591
Conversation
The problem was that Envoy is very strict about this token format and it's failing with "cryptic" message. That's why we were trying to be strict in kuma-dp to instruct user how to solve this. Did you see a case where this change helps? |
ok, not sure about Envoy behavior here
So to me it seems that the overly restrictive policy is causing more trouble than not having it and trimming seems to solve the most common problem |
Let me try to rephrase my question. Did you see a case where this validation was too restrictive? Meaning, if kuma-dp validation was gone, Envoy would have no problem with the token? What I think may happened in the meantime before we created this validation and now is that by default we switched from Google gRPC to Envoy gRPC. I think that because we are embedding the token in metadata, all invalid characters are gone. I think it was Google gRPC that was the most restrictive part. However, we still let user use Google gRPC when |
I totally agree with Jakub here.
Maybe we could have some test with Envoy and "mode=validate" to see if lifting this validation would cause problems with Envoy? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As said in the thread, I'm ok with approving this if there is a test case showing that lifting the newline check at the end does not cause any trouble.
I'll check again but from my local tests the endline wasn't a problem for envoy |
I've checked removing the validation the error is only on the CP and shows:
What's shown here is really that the token is validated as an header. So I've added the same regex and I also trim the token for validation and when we send it that way people can still have endlines in their token file. |
This is overly strict validation is causing more problems than it is solving. We now simply trim the token data because envoy won't support tokens with spaces Fix kumahq#4567 Signed-off-by: Charly Molter <charly.molter@konghq.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've checked removing the validation the error is only on the CP
If it's only in CP then 👍 from my side.
This is overly strict validation is causing more problems than it is solving. We now simply trim the token data
Fix #4567
Signed-off-by: Charly Molter charly.molter@konghq.com
Checklist prior to review
syscall.Mkfifo
have equivalent implementation on the other OS --UPGRADE.md
? --> Changelog:
entry here or add aci/
label to run fewer/more tests?