Regression: Filter/FilterPolicy seems broken in v2.1.0

[blakebarnett]

Describe the bug
Filters that worked in 2.0.5 seem to no longer do anything with 2.1.0. Specifically the filter examples for Keycloak from the website. Downgrading to 2.0.5 makes the filters start working again.

I see this in the logs when modifying/updating a filter:
level=error msg="0 filters configured" func="github.com/datawire/apro/v2/cmd/amb-sidecar/filters/controller.(*Controller).Watch.func1" file="github.com/datawire/apro/v2/cmd/amb-sidecar/filters/controller/controller.go:154" CMD=amb-sidecar PID=16 THREAD=/auth_controller

Expected behavior
The filters should intercept all requests and go through the oauth2/OIDC flow.

Versions (please complete the following information):

• Ambassador: AES or Emissary
• Kubernetes environment: k8s v1.22.4 via Kops 1.22.2 on AWS, NLB ingress
• Version: 2.1.0

Additional context
In this case Keycloak is running in the same cluster. As a side note I'm not able to make this work without Keycloak having a separate inbound path -- it's own NLB and/or separate ingress-controller. We'd very much like to have this work with Keycloak behind Ambassador to keep things simple, the examples and documentation seem to imply that this is possible...

2.0.5 working config:

apiVersion: v1
items:
- apiVersion: getambassador.io/v3alpha1
  kind: Filter
  metadata:
    name: keycloak-filter
    namespace: ambassador
  spec:
    OAuth2:
      audience: ambassador
      authorizationURL: https://keycloak.foo.example.com/auth/realms/ambassador
      clientID: ambassador
      protectedOrigins:
      - includeSubdomains: true
        origin: https://foo.example.com/
      secret: client-secret

apiVersion: getambassador.io/v3alpha1
kind: FilterPolicy
metadata:
  name: keycloak-policy
  namespace: ambassador
spec:
  rules:
  - filters:
    - arguments:
        scope:
        - offline_access
      name: keycloak-filter
    host: '*'
    path: '*'

apiVersion: getambassador.io/v3alpha1
kind: Listener
metadata:
  name: https-listener
  namespace: ambassador
spec:
  hostBinding:
    namespace:
      from: ALL
  port: 8443
  protocol: HTTPS
  securityModel: XFP

apiVersion: getambassador.io/v3alpha1
kind: Listener
metadata:
  name: http-listener
  namespace: ambassador
spec:
  hostBinding:
    namespace:
      from: ALL
  port: 8080
  protocol: HTTPS
  securityModel: XFP

apiVersion: getambassador.io/v3alpha1
kind: Host
metadata:
  name: default-host
  namespace: ambassador
spec:
  hostname: foo.example.com
  requestPolicy:
    insecure:
      action: Redirect
      additionalPort: 8080
  tlsSecret:
    name: ambassador-default-cert

apiVersion: getambassador.io/v3alpha1
kind: Host
metadata:
  name: wildcard-host
  namespace: ambassador
spec:
  hostname: '*.foo.example.com'
  requestPolicy:
    insecure:
      action: Redirect
      additionalPort: 8080
  tlsSecret:
    name: ambassador-default-cert

[danielnazareth89]

Also facing this on a new installation of the edge-stack, version 2.1.0.Filters and filter policies are simply not picked or respected. Anyone have any ideas?

[khussey]

@danielnazareth89 we are working on a fix for the issue and will be shipping a release to address it ASAP.

[khussey]

This is fixed in AES 2.1.1, which is now available.