RequestAuthentication is Created Only for the Last Mentioned Service in APIRule #18776

Open
abhinavvsinghh opened this issue Jan 31, 2025 · 0 comments

Description

When defining multiple services under a single APIRule (v2alpha1) in Kyma, only the last mentioned service has a RequestAuthentication resource created. Other services listed earlier in the APIRule do not get their corresponding RequestAuthentication resources, leading to authentication failures when trying to access their endpoints.

Expected result

Each service defined in the APIRule should have its own corresponding RequestAuthentication resource, ensuring all services are properly

Actual result

Only the last service listed in the APIRule has a RequestAuthentication resource created. The other services do not have their authentication configurations applied, making their endpoints inaccessible due to missing authentication.

Steps to reproduce

  1. Define an APIRule with multiple services (under same host with JWT auth).

```yaml
apiVersion: gateway.kyma-project.io/v2alpha1
kind: APIRule
metadata:
  name: {APIRULE_NAME}
  namespace: {APIRULE_NAMESPACE}
spec:
  hosts:
    - {SUBDOMAIN}.{DOMAIN_NAME}
  gateway: {GATEWAY_NAMESPACE}/{GATEWAY_NAME}
  rules:
  - path: /api/service1/create
    methods: ["POST"]
    jwtAuth:
      authentications:
        - issuer: {JWT_ISSUER}
          jwksUri: {JWKS_URI}
    service:
      name: {FIRST_SERVICE_NAME}
      port: {FIRST_SERVICE_PORT}
  - path: /api/service2/create
    methods: ["POST"]
    jwtAuth:
      authentications:
        - issuer: {JWT_ISSUER}
          jwksUri: {JWKS_URI}
    service:
      name: {SECOND_SERVICE_NAME}
      port: {SECOND_SERVICE_PORT}
```

  2. Apply the APIRule to the Kyma cluster.
  3. Check the created RequestAuthentication resources.
  4. Observe that only the last mentioned service in the APIRule has a corresponding RequestAuthentication resource.
  5. Attempt to access an endpoint of an earlier-listed service, and notice authentication failures.

Troubleshooting

Manually creating a RequestAuthentication resource for the missing services resolves the issue, and authentication works as expected.
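
An audit for the gap reported above, as an added example that is not part of the original issue or of the Kyma project's code: it lists every service in an APIRule's `jwtAuth` rules that no RequestAuthentication covers. It assumes Istio's matching by `spec.selector.matchLabels` against each Service's pod selector, assumes nothing about how Kyma names the generated resources, and uses constructed sample data (service names, labels, issuer URL) shaped like `kubectl get ... -o json` output.

```python
# Added example: audit which APIRule services have no matching RequestAuthentication.
# Input shapes mirror `kubectl get ... -o json`; every sample value below is constructed.

def covered(selector, issuer, request_auths):
    """True if some RequestAuthentication selects every pod behind the service
    (its matchLabels are a subset of the Service selector) and has a jwtRule
    for the expected issuer."""
    for ra in request_auths:
        labels = ra["spec"].get("selector", {}).get("matchLabels", {})
        # A selector-less (namespace-wide) policy is deliberately not counted.
        if not labels or not labels.items() <= selector.items():
            continue
        if any(r.get("issuer") == issuer for r in ra["spec"].get("jwtRules", [])):
            return True
    return False

def missing_request_auth(apirule, services, request_auths):
    """Return (service, issuer) pairs from jwtAuth rules that nothing covers.
    `services` maps Service name -> its spec.selector labels (assumed input)."""
    gaps = []
    for rule in apirule["spec"]["rules"]:
        name = rule["service"]["name"]  # per-rule service, as in the issue
        for auth in rule.get("jwtAuth", {}).get("authentications", []):
            if not covered(services[name], auth["issuer"], request_auths):
                gaps.append((name, auth["issuer"]))
    return gaps

ISSUER = "https://issuer.example"  # constructed
JWKS = ISSUER + "/keys"            # constructed
JWT = {"authentications": [{"issuer": ISSUER, "jwksUri": JWKS}]}
APIRULE = {"spec": {"rules": [
    {"path": "/api/service1/create", "jwtAuth": JWT,
     "service": {"name": "service1", "port": 8080}},
    {"path": "/api/service2/create", "jwtAuth": JWT,
     "service": {"name": "service2", "port": 8080}},
]}}
SERVICES = {"service1": {"app": "service1"}, "service2": {"app": "service2"}}
# Cluster state as described in the issue: only the last service is covered.
REQUEST_AUTHS = [{
    "metadata": {"name": "ra-service2"},
    "spec": {"selector": {"matchLabels": {"app": "service2"}},
             "jwtRules": [{"issuer": ISSUER, "jwksUri": JWKS}]},
}]

if __name__ == "__main__":
    for svc, iss in missing_request_auth(APIRULE, SERVICES, REQUEST_AUTHS):
        print(f"no RequestAuthentication for {svc} (issuer {iss})")
```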
