RequestAuthentication is Created Only for the Last Mentioned Service in APIRule #1702

Open
abhinavvsinghh opened this issue Jan 31, 2025 · 1 comment

Description

When defining multiple services under a single APIRule (v2alpha1) in Kyma, only the last mentioned service has a RequestAuthentication resource created. Other services listed earlier in the APIRule do not get their corresponding RequestAuthentication resources, leading to authentication failures when trying to access their endpoints.

Expected result

Each service defined in the APIRule should have its own corresponding RequestAuthentication resource, ensuring all services are properly

Actual result

Only the last service listed in the APIRule has a RequestAuthentication resource created. The other services do not have their authentication configurations applied, making their endpoints inaccessible due to missing authentication.

Steps to reproduce

  1. Define an APIRule with multiple services (under the same host with JWT auth).

```yaml
apiVersion: gateway.kyma-project.io/v2alpha1
kind: APIRule
metadata:
  name: {APIRULE_NAME}
  namespace: {APIRULE_NAMESPACE}
spec:
  hosts:
    - {SUBDOMAIN}.{DOMAIN_NAME}
  gateway: {GATEWAY_NAMESPACE}/{GATEWAY_NAME}
  rules:
  - path: /api/service1/create
    methods: ["POST"]
    jwtAuth:
      authentications:
        - issuer: {JWT_ISSUER}
          jwksUri: {JWKS_URI}
    service:
      name: {FIRST_SERVICE_NAME}
      port: {FIRST_SERVICE_PORT}
  - path: /api/service2/create
    methods: ["POST"]
    jwtAuth:
      authentications:
        - issuer: {JWT_ISSUER}
          jwksUri: {JWKS_URI}
    service:
      name: {SECOND_SERVICE_NAME}
      port: {SECOND_SERVICE_PORT}
```

  2. Apply the APIRule to the Kyma cluster.
  3. Check the created RequestAuthentication resources.
  4. Observe that only the last mentioned service in the APIRule has a corresponding RequestAuthentication resource.
  5. Attempt to access an endpoint of an earlier-listed service, and notice authentication failures.

Troubleshooting

Manually creating a RequestAuthentication resource for the missing services resolves the issue, and authentication works as expected.

@strekm strekm transferred this issue from kyma-project/kyma Feb 13, 2025

barchw commented Feb 13, 2025

Hello @abhinavvsinghh, unfortunately I couldn't reproduce your issue. For the following APIRule:

```yaml
apiVersion: gateway.kyma-project.io/v2alpha1
kind: APIRule
metadata:
  name: aaa
  namespace: sidecar-enabled
spec:
  gateway: kyma-system/kyma-gateway
  hosts:
  - aaaa
  rules:
  - jwt:
      authentications:
      - issuer: https://example.com
        jwksUri: https://example.com/headers
    methods:
    - POST
    path: /api/service1/create
    service:
      name: httpbin4
      port: 8000
  - jwt:
      authentications:
      - issuer: https://example.com
        jwksUri: https://example.com/headers
    methods:
    - POST
    path: /api/service2/create
    service:
      name: httpbin3
      port: 8000
```

I get two RequestAuthentication resources. If you would like us to investigate further, please provide your exact case.
By the way, it seems you are using jwtAuth instead of jwt.
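
The "check the created RequestAuthentication resources" step from the report, written as a repeatable audit. This is an added example, not part of the thread or of the api-gateway code. It assumes the objects were exported with `kubectl get ... -o json`, that each backend Service lives in the APIRule's namespace, and that a RequestAuthentication covers a Service when its `matchLabels` are a subset of the Service selector. The `app` labels, `make_service` helper and `ra-httpbin3` name are constructed. Rules without a `jwt` key are reported too, which surfaces a `jwtAuth` spelling.

```python
# Added example (not from the issue thread); sample objects below are constructed.

def covers(ra, svc):
    """True if the RequestAuthentication selects every pod behind the Service."""
    if ra["metadata"]["namespace"] != svc["metadata"]["namespace"]:
        return False
    match = ra["spec"].get("selector", {}).get("matchLabels", {})
    # Assumption: matchLabels that are a subset of the Service selector cover its pods.
    return all(svc["spec"].get("selector", {}).get(k) == v for k, v in match.items())

def audit(apirule, services, request_auths):
    """Return one finding per rule whose backend lacks JWT enforcement."""
    findings = []
    by_name = {s["metadata"]["name"]: s for s in services}
    for rule in apirule["spec"]["rules"]:
        path, name = rule["path"], rule["service"]["name"]
        if "jwt" not in rule:
            other = sorted(set(rule) - {"path", "methods", "service"})
            findings.append(f"{path}: no jwt block, other keys {other}")
            continue
        svc = by_name.get(name)
        for auth in rule["jwt"]["authentications"]:
            want = (auth["issuer"], auth["jwksUri"])
            enforced = any(
                svc and covers(ra, svc)
                and any((j.get("issuer"), j.get("jwksUri")) == want
                        for j in ra["spec"].get("jwtRules", []))
                for ra in request_auths)
            if not enforced:
                findings.append(f"{path}: {name} has no RequestAuthentication for {want[0]}")
    return findings

# Constructed sample mirroring the two-service APIRule shown in the thread.
NS = "sidecar-enabled"
JWT = {"authentications": [{"issuer": "https://example.com",
                            "jwksUri": "https://example.com/headers"}]}
def make_service(name):  # hypothetical helper; the selector label is made up
    return {"metadata": {"name": name, "namespace": NS},
            "spec": {"selector": {"app": name}}}
APIRULE = {"spec": {"rules": [
    {"path": "/api/service1/create", "methods": ["POST"], "jwt": JWT,
     "service": {"name": "httpbin4", "port": 8000}},
    {"path": "/api/service2/create", "methods": ["POST"], "jwt": JWT,
     "service": {"name": "httpbin3", "port": 8000}}]}}
# Only the last service has a RequestAuthentication (the reported symptom).
RAS = [{"metadata": {"name": "ra-httpbin3", "namespace": NS},
        "spec": {"selector": {"matchLabels": {"app": "httpbin3"}},
                 "jwtRules": JWT["authentications"]}}]
print(audit(APIRULE, [make_service("httpbin4"), make_service("httpbin3")], RAS))
```

An empty result means every JWT rule in the APIRule has a matching RequestAuthentication for its backend.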
