lkoniecz opened a new issue, #2379:
URL: https://github.com/apache/apisix-ingress-controller/issues/2379
### Current Behavior
If both the namespace and the consumer have hyphens, the plugin does not work at
all. For instance, namespace `kube-system` and consumer `jack-sparrow` result
in the following entry:
```
"list": [
  {
    "createdIndex": 266984,
    "modifiedIndex": 266984,
    "key": "/apisix/consumers/kube_system_jack_sparrow",
    "value": {
      "create_time": 1743951405,
      "labels": {
        "managed-by": "apisix-ingress-controller"
      },
      "plugins": {
        "key-auth": {
          "key": "v1-api-key"
        }
      },
      "username": "kube_system_jack_sparrow",
      "desc": "Created by apisix-ingress-controller, DO NOT modify it manually",
      "update_time": 1743951405
    }
  }
```
Every request is rejected with 401, `{"message":"The consumer_name is forbidden."}`.
On top of that, APISIX currently flattens consumer names by replacing
hyphens with underscores. However, this implementation doesn't properly handle
hyphenated namespace names, leading to potential naming conflicts. For example,
consider these two valid consumers:
1. Consumer `consumer1` in namespace `foo-bar` becomes `foo_bar_consumer1`
2. Consumer `bar-consumer1` in namespace `foo` would also become `foo_bar_consumer1`
The controller does not reject it, but blindly reconciles the consumer,
updating the entry even though the data comes from a different custom resource.
There are a few issues related to the problem:
- https://github.com/apache/apisix-ingress-controller/issues/1656
- https://github.com/apache/apisix-ingress-controller/issues/1254
- https://github.com/apache/apisix/issues/7825
However, no real solution was provided.
### Expected Behavior
I expect the first scenario to work normally. I cannot control namespace
names, so the only workaround I found is to use consumer names without an
underscore in its name.
For the second issue I would expect the controller not to reconcile the
other ApisixConsumer, as it would conflict with the existing one.
### Error Logs
_No response_
### Steps to Reproduce
```
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: my-route
  namespace: my-namespace
spec:
  http:
    - name: some-route
      match:
        hosts:
          - localhost
        paths:
          - /api/v1
      backends:
        - serviceName: simple-http-server
          servicePort: 80
      authentication:
        enable: true
        type: keyAuth
        keyAuth:
          header: x-api-key
      plugins:
        - name: consumer-restriction
          enable: true
          config:
            whitelist:
              - my_namespace_some_consumer
---
apiVersion: apisix.apache.org/v2
kind: ApisixConsumer
metadata:
  name: some-consumer
  namespace: my-namespace
spec:
  authParameter:
    keyAuth:
      value:
        key: some-api-key
```
Just `kubectl apply -f` this and notice 401s.
### Environment
- APISIX Ingress controller version 1.8
- Kubernetes cluster version 1.30
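The name collision described in the issue, as an added example that is not part of the original report or the controller's own code: it models the flattening as the issue describes it (namespace and name joined with `_`, hyphens replaced by `_`) and flags flattened usernames claimed by more than one ApisixConsumer. The `Consumer` type, `FlattenName` and `FindCollisions` are hypothetical names, and the sample input is constructed from the names in the issue.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Consumer identifies an ApisixConsumer resource by namespace and name.
type Consumer struct {
	Namespace, Name string
}

// FlattenName models the naming described in the issue (an assumption, not
// the controller's source): join namespace and name with "_" and replace
// every hyphen with an underscore.
func FlattenName(c Consumer) string {
	return strings.ReplaceAll(c.Namespace+"_"+c.Name, "-", "_")
}

// FindCollisions returns each flattened username claimed by more than one
// resource, with the claimants sorted by namespace for stable output.
func FindCollisions(consumers []Consumer) map[string][]Consumer {
	byName := map[string][]Consumer{}
	for _, c := range consumers {
		k := FlattenName(c)
		byName[k] = append(byName[k], c)
	}
	for k, owners := range byName {
		if len(owners) < 2 {
			delete(byName, k) // unique username, no conflict
			continue
		}
		sort.Slice(owners, func(i, j int) bool {
			return owners[i].Namespace < owners[j].Namespace
		})
	}
	return byName
}

func main() {
	// Constructed sample input using the names from the issue.
	consumers := []Consumer{{"foo-bar", "consumer1"}, {"foo", "bar-consumer1"}, {"kube-system", "jack-sparrow"}}
	for username, owners := range FindCollisions(consumers) {
		fmt.Printf("%s is claimed by %v\n", username, owners)
	}
}
```

A check of this kind can run over the output of a cluster-wide ApisixConsumer listing to find resources from different namespaces that would reconcile onto the same consumer entry and overwrite each other's credentials.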