kic webhook - cannot set oauth2 Secret with empty redirect_uris #6902

Open
1 task done
vmignot opened this issue Dec 24, 2024 · 2 comments
Labels
bug Something isn't working

Comments

vmignot commented Dec 24, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Hi,
Since ingress helm chart 0.15.1, we are using kong helm chart 2.44.0 release.

This release adds the following change:

Added admission webhook objectSelector for:

  • secrets.credentials.validation.ingress-controller.konghq.com

What happens since then is that I cannot apply a Secret for Credentials without specifying the field redirect_uris. In my case, I'm not planning on using redirect_uris, as I'm doing machine-to-machine.

Expected Behavior

The Admission Webhook should accept a Credential Secret without redirect_uris.

Steps To Reproduce

kind: Secret
apiVersion: v1
type: generic
metadata:
  labels:
    konghq.com/credential: oauth2
  name: test-api-oauth2
data:
  client_id: XXXXbase64_strXXXX
  client_secret: XXXXbase64_strXXXX
  kongCredType: XXXXbase64_strXXXX   # => oauth2
  name: XXXXbase64_strXXXX

will result in the following error message:
unable to update secret test-api-oauth2: admission webhook \"secrets.credentials.validation.ingress-controller.konghq.com\" denied the request: consumer credential failed validation: missing required field(s): redirect_uris","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...[]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...[]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:263\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...[]).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:224"

I have tried:

  • setting the field to an empty value: same error as previous
  • setting the field to "[]", secret is created, BUT the kong-controller errors: schema violation (redirect_uris.1: cannot parse '[]')\")
  • setting the field to "null", secret is created, BUT the kong-controller errors: schema violation (redirect_uris.1: cannot parse 'null')\")
  • setting the field to ",", secret is created, BUT the kong-controller errors: (redirect_uris.1: length must be at least 1; redirect_uris.2: length must be at least 1)\")", "error": "object failed to apply"}
  • setting the field to "http://fake" works just fine BUT this is not a satisfactory workaround

I ended up going to the admin UI and there, I can save Credentials without redirect_uris.

The temporary fix that I have currently in place to make it work is to set controller.ingressController.admissionWebhook.filterSecrets to true in the values.yaml to go back to the behaviour prior to kong helm release 2.44.0.

Kong Ingress Controller version

{ "version": "3.9.0.0", "tagline": "Welcome to kong", "hostname": "ingress-kong-gateway-7474449596-mbbhp", "lua_version": "LuaJIT 2.1.0-20231117.1" }

Kubernetes version

{
  "clientVersion": {
    "major": "1",
    "minor": "29",
    "gitVersion": "v1.29.6",
    "gitCommit": "062798d53d83265b9e05f14d85198f74362adaca",
    "gitTreeState": "clean",
    "buildDate": "2024-06-11T20:23:31Z",
    "goVersion": "go1.21.11",
    "compiler": "gc",
    "platform": "darwin/arm64"
  },
  "kustomizeVersion": "v5.0.4-0.20230601165947-6ce0bf390ce3",
  "serverVersion": {
    "major": "1",
    "minor": "29+",
    "gitVersion": "v1.29.10-eks-7f9249a",
    "gitCommit": "d06fe5fa1c524ee5eb5d16bb9edc4dda6075f6c3",
    "gitTreeState": "clean",
    "buildDate": "2024-10-23T23:40:34Z",
    "goVersion": "go1.22.8",
    "compiler": "gc",
    "platform": "linux/amd64"
  }
}

Anything else?

No response

@vmignot vmignot added the bug Something isn't working label Dec 24, 2024
Member

pmalek commented Jan 8, 2025

👋 @vmignot

https://docs.konghq.com/hub/kong-inc/oauth2/#create-an-application lists the possible fields that can be set on OAuth2 application credentials, and it does not mark redirect_uris as optional. The field description even says:

An array with **one or more** URLs in your app where users will be sent after authorization ([RFC 6742 Section 3.1.2](https://tools.ietf.org/html/rfc6749#section-3.1.2))

Having said that, I'm not sure we can allow not providing this field.

Leaving this open as there might be something that I'm missing here.

Author

vmignot commented Jan 13, 2025

Hello @pmalek and thank you for your reply!

To put it another way, there is a different behavior between the "kubernetes declarative way" (interpreted by KIC) and the "admin-api way".

Here is a screenshot from the API: I can create an oauth2 Consumer with no redirect_uris.
[Screenshot 2025-01-13 at 13 40 25]

This field is marked as required: false in the schema

GET http://localhost:8001/default/schemas/oauth2_credentials

{
    "entity_checks": [],
    "fields": [
        {
            "id": {
                "description": "A string representing a UUID (universally unique identifier).",
                "uuid": true,
                "auto": true,
                "type": "string",
                "len_min": 1
            }
        },
....
        {
            "redirect_uris": {
                "required": false,
                "type": "array",
                "elements": {
                    "type": "string"
                }
            }
        },
        ...
    ]
}

Yet, when creating a consumer with a Kubernetes Secret, redirect_uris is mandatory. So, either the admin-api or the KIC is implementing an incorrect behavior.
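
An added example, not code from the Kong Ingress Controller or from anyone in this thread: one way a validator could derive the required fields from the schema document the Admin API returns, rather than from a hardcoded list, so both paths agree. The function name `missingRequired`, the `name` entry in the sample schema and the Secret values are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample shaped like GET /schemas/oauth2_credentials above; only
// "id" and "redirect_uris" are from the page, "name" is an assumed entry.
const sampleSchema = `{"entity_checks": [], "fields": [
  {"id": {"uuid": true, "auto": true, "type": "string", "len_min": 1}},
  {"name": {"required": true, "type": "string"}},
  {"redirect_uris": {"required": false, "type": "array", "elements": {"type": "string"}}}
]}`

// missingRequired returns the fields the schema marks "required": true that are
// absent or empty in the decoded Secret data. Keys that are not schema fields
// (such as kongCredType) are ignored.
func missingRequired(schema []byte, data map[string]string) ([]string, error) {
	var doc struct {
		// Each element of "fields" is a single-key object: name -> attributes.
		Fields []map[string]struct {
			Required bool `json:"required"`
		} `json:"fields"`
	}
	if err := json.Unmarshal(schema, &doc); err != nil {
		return nil, fmt.Errorf("parse schema: %w", err)
	}
	missing := []string{}
	for _, entry := range doc.Fields {
		for name, attrs := range entry {
			if attrs.Required && data[name] == "" {
				missing = append(missing, name)
			}
		}
	}
	return missing, nil
}

func main() {
	// Decoded values of the Secret from the report (constructed placeholders).
	secret := map[string]string{
		"client_id": "example-id", "client_secret": "example-secret",
		"kongCredType": "oauth2", "name": "test-api",
	}
	missing, err := missingRequired([]byte(sampleSchema), secret)
	fmt.Println("missing required fields:", missing, "error:", err)
}
```

With the sample schema, a Secret that omits redirect_uris passes this check, because the schema marks that field `"required": false`.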
