bug: Proxy APIExport identity validation is incorrect. #2918

mjudeikis · 2023-03-24T10:23:52Z

Describe the bug

When creating "proxy" apiExport (root to custom workspace), I made a mistake with bootstrapper and ended up with APIExport as below:

[mjudeikis@unknown2 faros]$ k get apiexport compute.faros.sh -o yaml
apiVersion: apis.kcp.io/v1alpha1               
kind: APIExport                                
metadata:                                      
  annotations:                                 
    kcp.io/cluster: nu66to0aor944bum           
    kcp.io/path: root:faros:service:controllers
  creationTimestamp: "2023-03-24T09:46:07Z"
  generation: 8                            
  name: compute.faros.sh                   
  resourceVersion: "8573"                  
  uid: fc7c3bae-63bf-42da-acab-aab8782357ef
spec:                       
  identity:                 
    secretRef:                                                                                                                                      
      name: compute.faros.sh                                                                                                                        
      namespace: kcp-system                                                                                                                         
  permissionClaims:                                                                                                                                 
  - all: true                                                                                                                                       
    group: workload.kcp.io                                                                                                                          
    identityHash: random-prefix-97d7c56385241358fbd0c4d0e461e15ba1449b1a7fbbb88112cd094e10eb2eb4-random-string-suffix
    resource: synctargets                     
status:                                       
  conditions:                                 
  - lastTransitionTime: "2023-03-24T09:46:07Z"                                                                                                      
    status: "True"                                                                                                                                  
    type: IdentityValid                                                                                                                             
  - lastTransitionTime: "2023-03-24T09:46:07Z"                                                                                                      
    status: "True"                                                                                                                                  
    type: VirtualWorkspaceURLsReady                                                                                                                 
  identityHash: 2baf09807a4c861b04815ed6cd2f773ad1c819901fe21133f3c5d80489fce3a2                                                                    
  virtualWorkspaces:                                                                                                                                
  - url: https://kcp.dev.faros.sh:443/services/apiexport/nu66to0aor944bum/compute.faros.sh

And still got valid status, where identityHash is not valid.

Steps To Reproduce

Create APIExport for 3rd party resource.
Add the wrong identityhash
observe resources

Expected Behaviour

Fail on identityhash validation

Additional Context

No response

The text was updated successfully, but these errors were encountered:

ncdc · 2023-03-27T18:50:05Z

Is this a duplicate of #2152?

mjudeikis · 2023-03-28T17:43:42Z

Need to read code to understand better :/ might be similar or same. Not clear from the first glimpse. WIll try to clarify bit later

kcp-ci-bot · 2024-04-16T08:31:08Z

Issues go stale after 90d of inactivity.
After a furter 30 days, they will turn rotten.
Mark the issue as fresh with /remove-lifecycle stale.

If this issue is safe to close now please do so with /close.

/lifecycle stale

kcp-ci-bot · 2024-05-16T08:32:24Z

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

/lifecycle rotten

mjudeikis added the kind/bug Categorizes issue or PR as related to a bug. label Mar 24, 2023

embik added area/apiexports priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Jul 6, 2023

kcp-ci-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 16, 2024

kcp-ci-bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels May 16, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

bug: Proxy APIExport identity validation is incorrect. #2918

bug: Proxy APIExport identity validation is incorrect. #2918

mjudeikis commented Mar 24, 2023

ncdc commented Mar 27, 2023

mjudeikis commented Mar 28, 2023

kcp-ci-bot commented Apr 16, 2024

kcp-ci-bot commented May 16, 2024

bug: Proxy APIExport identity validation is incorrect. #2918

bug: Proxy APIExport identity validation is incorrect. #2918

Comments

mjudeikis commented Mar 24, 2023

Describe the bug

Steps To Reproduce

Expected Behaviour

Additional Context

ncdc commented Mar 27, 2023

mjudeikis commented Mar 28, 2023

kcp-ci-bot commented Apr 16, 2024

kcp-ci-bot commented May 16, 2024