The response-transformer plugin continuously detects outdated configuration to synchronize about kubernetes-ingress-controller HOT 5 CLOSED

@jaygorrell
I'm reading the documentation for this plugin and it seems like, it doesn't accept an array of header.

Could you please try the following?

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: add-security-headers
config:
  add:
    headers: "X-Xss-Protection:1; mode=block"

from kubernetes-ingress-controller.

I tried the string formatted values instead of a list but didn't have any luck, but I did get this worked out.

Looking at pluginDeepEqual here:

It iterates over each k/v in the config map, making sure the KongPlugin config items are in Kong and with the same value. For most plugins this is straightforward but the transformer plugins have a nested structure that this method doesn't account for that -- so in my case it just compares the add key as a whole. Using my example above, in Kong, the structure is this:

                "add": {
                    "headers": [
                        "X-Xss-Protection:1; mode=block"
                    ],
                    "json": {}
                },
                "append": {
                    "headers": {},
                    "json": {}
                },
                "remove": {
                    "headers": {},
                    "json": {}
                },
                "replace": {
                    "headers": {},
                    "json": {}
                }

The value of the add key also contains the empty json dict, which causes the check to fail.

Changing my KongPlugin to this fixes the issue:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: $((basename))-upside-add-security-headers
config:
  add:
    headers:
      - "X-Xss-Protection:1; mode=block"
    json: {}

It's also interesting and worth noting that the empty data structure in Kong is a map, while a populated value is a list. That's a little unintuitive but unrelated to Kong Ingress -- aside from how you need to match the values.

I think there's still an issue to be addressed here in code for a better way to compare the objects but if you think this is acceptable, feel free to close the issue.

from kubernetes-ingress-controller.

I tried rolling out this temporary fix but hit another snag. Basically the order of the headers and json keys can vary in how they get persisted in Kong, regardless which order they appear in the KongPlugin. In my above example, many of the json keys are coming back before the headers key.

This means you would need to create the KongPlugin, query Kong to see the order, then adjust the configuration order to match.

from kubernetes-ingress-controller.

@jaygorrell Thank you for your detailed debugging and sharing the results.

Like you already said, there are two separate issues at play here:

• An empty JSON array ("array": []) showing up as an empty JSON object ("array": {}). This is an issue with lua-cjson, the serialization library that Kong uses, as reported in Kong/kong#3166 and Ingress Controller can't fix that issue.

• The other issue, which I expected we would run into sooner or later when you first opened this ticket was ordering of elements in an array. reflect.DeepEqual from Go's stdlib can compare JSONs so we should use that and fix the bug. We will open up a PR to fix it.

from kubernetes-ingress-controller.

This issue should be fixed now with #106 merged in.
The other issue is with the plugin as noted in Kong/kong#3166.

Closing this, please re-open if needed.

from kubernetes-ingress-controller.