Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Mjz 283 #11459

Closed
wants to merge 81 commits into from
Closed

Mjz 283 #11459

wants to merge 81 commits into from

Conversation

AndyZhang0707
Copy link
Collaborator

Summary

Checklist

Full changelog

  • [Implement ...]

Issue reference

Fix #[issue number]

flrgh and others added 30 commits February 16, 2022 10:28
Fix some bugs and warts in the aws-lambda plugin:

* Fix broken proxying by always using `https_proxy` with resty.http
* Deprecate `proxy_scheme` config param

Some minimal test coverage for proxying was added, and some defunct test cases were removed.
Bump plugin versions of rate-limiting and response-ratelimiting (2.8.x)
* Update Admin API note

* [DOCU-2140] Admin API: rm wording about cannot delete/mod
### Summary

Previously we used `ngx.IS_CLI` to determine whether we want config secret or
a process secret, that is:
- should we look database for entity prefix
- should we look our vault implementations by name

We decided (with Joshua) that talking about process secrets / config
secrets is confusing to users, so I changed the detection algorithm to:

We look for implementation by name when:
1. name is one of the bundled vaults or specified in ´KONG_VAULTS=...`
2. OR kong and kong.db is uninitialized

Otherwise, we look for database prefix.

This PR also disallows configuring Vault entity prefix with value
that is a name of one of the bundled vaults or specified in `KONG_VAULTS`.

I also added admin API tests with this.
### Summary

When auto-dereferencing secrets fail, we have two options:

1. keep the value (which means the value is actually a reference such as: `{vault://env/cert-1/key}`
2. set value to `nil`

In both cases the error is also logged.

Original implementation followed 1. but this commit changes it to 2.

Reason being that reference strings can leak to secrets, which they are not meant to.

For example session plugin has secret. If you set secret to `{vault://env/session-secret}`
and the dereferencing fails, the secret becomes `{vault://env/session-secret}`. This
can lead to potential leak of secret on a system that does not resolve secrets correctly.
Or at least it is not good idea that references can become secrets. This commit
changes it so that on failure (we log the warning) and also set the value to `nil`.
…its name

### Summary

This will just convert possible `-` in strategy name with `_` when loading its
configuration for process secrets.
### Summary

This will just convert possible `-` in resource name with `_` when looking
up for an environment variable.
* fix(declarative) initialize hash for empty config

* docs(CHANGELOG) feature description
### Summary

This fixes the vault to fill default values for configuration based on
a config field schema in case the field is required and has a default
value, when there is no configuration for the field already.
### Summary

It was reported that when Kong OAuth 2.0 plugin is configured together
with some other authentication plugin with `conf.anonymous` (logical OR),
the OAuth 2.0 plugin does not clear `X-Authenticated-UserId` and
`X-Authenticated-Scope` headers that it normally only sets on successful
authentication (aka when plugin runs).

This can lead to potential issue on upstream if upstream rely on these
headers and trust that they came from OAuth 2.0 plugin. This change makes
OAuth 2.0 plugin to clear such headers in logical OR scenario.

It is to be noted that Kong itself worked as expected, it is just about
the expectations that upstream service may have made. It is probably
harmless to remove these headers when OAuth 2.0 plugin is configured
in logical OR.
The properties `go_pluginserver_exe` and `go_pluginserver` are
deprecated in favor of new multi-pluginservers implementation.
Compatibility code will remain in place until 3.0, when it will be
removed.
### Summary

Adds "autogen" docs to vault_beta entity.

Co-authored-by: Joshua Schmid <[email protected]>
* feat(prometheus) add nginx timer metrics

This adds gauges to track ngx.timer.running_count() and ngx.timer.pending_count() as requested in #7670.

* style(prometheus) rename metrics from current timers to just timers

Per suggestion, to avoid confusion.

* fix(prometheus) fix timer tests failing

The tests were accidentally matching in plain mode so '%d+' was not
understood.

* perf(prometheus) localize ngx timer functions
### Summary

See the code, it is obvious bug.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment